Security
Posted By Irfad

Installing OpenVPN Server with Shorewall in Ubuntu – Part 1


Hello everyone. I couldn’t post anything recently as I got stuck with some projects. Today I’ll be covering OpenVPN installation with Shorewall in Ubuntu 12.04. This is something new I tried and it worked for me :D.

In the first part I’ll go through the basic installation and getting a user connected to the server. I’m not going to describe each step of installing OpenVPN as it’s pretty straightforward and you can find enough details on the internet. Then in the second part I’ll describe in detail how to manage the routing and port forwarding capabilities for connected OpenVPN clients. Let’s get started.

Installing OpenVPN

[box]sudo su
apt-get update && apt-get upgrade
apt-get install openvpn
cd /etc/openvpn[/box]

Now we need to copy the example easy-rsa scripts to the openvpn directory

[box]mkdir easy-rsa
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/[/box]

Edit vars
[box]nano easy-rsa/vars[/box]

Change export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa"
[box]. ./easy-rsa/vars
./easy-rsa/clean-all
cd easy-rsa
ln -s openssl-1.0.0.cnf openssl.cnf
cd ..[/box]

Build CA
[box]./easy-rsa/build-ca[/box]

Build server cert
[box]./easy-rsa/build-key-server server[/box]

Build client cert
[box]./easy-rsa/build-key g33k-client[/box]

Build Diffie-Hellman parameters
[box]./easy-rsa/build-dh[/box]

Edit the OpenVPN server config file and paste the following
[box]nano openvpn.conf[/box]

<--COPY BELOW TEXT-->
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
client-config-dir /etc/openvpn/ccd
<--COPY ABOVE TEXT-->

Next we need to create the client config directory, which lets us push static IP addresses to VPN clients. This is required if we’re doing the port forwarding.
[box]mkdir /etc/openvpn/ccd[/box]

Under ccd you should create a file whose name exactly matches the client cert name that we created earlier
[box]nano /etc/openvpn/ccd/g33k-client[/box]

and add the following content
[box]ifconfig-push 10.8.0.17 10.8.0.18[/box]

Note: .17 will be the client address and .18 will be the server-side endpoint address. Also make sure the pair comes from a single /30 subnet.
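Getting the /30 pairing wrong is the most common reason a static ccd entry silently fails, so here is a small checker for it. This is an added example and not part of the original post: it assumes the default net30 topology that the post’s config uses (no `topology` directive), takes the `server` directive and the `ifconfig-push` line from the post as constructed sample input, enumerates every client/server pair OpenVPN will accept for that subnet, and validates a ccd line against them.

```python
import ipaddress

# Constructed sample input (not from a live server): the 'server' directive
# from the post's openvpn.conf and the ifconfig-push line from the ccd file.
SERVER_LINE = "server 10.8.0.0 255.255.255.0"
CCD_LINE = "ifconfig-push 10.8.0.17 10.8.0.18"


def parse_server_subnet(line):
    """Turn an OpenVPN 'server <network> <netmask>' directive into a network."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "server":
        raise ValueError("not a server directive: %r" % line)
    return ipaddress.ip_network("%s/%s" % (tok[1], tok[2]), strict=True)


def net30_pairs(network):
    """Return the (client, server) pairs usable with ifconfig-push under the
    default net30 topology.

    net30 carves the VPN subnet into /30 blocks of four addresses: network,
    client endpoint, server endpoint, broadcast.  The first block is used by
    the server's own tun interface (the 'server' directive expands to
    'ifconfig 10.8.0.1 10.8.0.2' for the post's subnet), so it is skipped.
    """
    blocks = list(network.subnets(new_prefix=30))
    pairs = []
    for blk in blocks[1:]:
        client, server = list(blk.hosts())  # the two usable addresses of the /30
        pairs.append((client, server))
    return pairs


def check_ifconfig_push(line, network):
    """Validate an 'ifconfig-push <client> <server>' line against the server
    subnet.  Returns (ok, reason) so the caller can log why a ccd entry is bad.
    """
    tok = line.split()
    if len(tok) != 3 or tok[0] != "ifconfig-push":
        return False, "malformed ifconfig-push line: %r" % line
    try:
        client = ipaddress.ip_address(tok[1])
        server = ipaddress.ip_address(tok[2])
    except ValueError as exc:
        return False, "bad address: %s" % exc
    if client not in network or server not in network:
        return False, "%s/%s lies outside the VPN subnet %s" % (client, server, network)
    if (client, server) not in net30_pairs(network):
        return False, "%s/%s is not a client/server pair from a /30 block" % (client, server)
    return True, "ok"


if __name__ == "__main__":
    net = parse_server_subnet(SERVER_LINE)
    print("VPN subnet:", net)
    print("first valid net30 pairs:", [(str(c), str(s)) for c, s in net30_pairs(net)[:3]])
    for line in (CCD_LINE,
                 "ifconfig-push 10.8.0.18 10.8.0.17",   # client/server swapped
                 "ifconfig-push 10.8.0.16 10.8.0.17",   # .16 is the block's network address
                 "ifconfig-push 10.8.1.5 10.8.1.6"):    # outside the VPN subnet
        print("%-40s -> %s" % (line, check_ifconfig_push(line, net)))
```

Run it against each file in /etc/openvpn/ccd before restarting the server; a pair that fails the check will be rejected or misrouted by OpenVPN rather than reported clearly in the log.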

Now start OpenVPN
[box]/etc/init.d/openvpn start[/box]

Client Configurations

Configuring OpenVPN on the server is done. Simply copy ca.crt, g33k-client.crt and g33k-client.key from /etc/openvpn/easy-rsa/keys to C:\Program files\OpenVPN\Config. You can use WinSCP to copy the files.

Now create a file named g33k-client.ovpn under C:\Program files\OpenVPN\Config and copy the below content. Remember to change the server IP address.

<--COPY BELOW TEXT-->
dev tun
client
proto udp
remote <SERVER IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert g33k-client.crt
key g33k-client.key
comp-lzo
verb 3
<--COPY ABOVE TEXT-->

The OpenVPN part is done. You should be able to connect successfully if you’ve configured it correctly. Still, you won’t be able to access the internet through the VPN because the server doesn’t yet know how to route your connection. We’ll cover this in Part 2.

