VPN server configuration

Revision as of 18:24, 15 August 2015 by WikiFreak (talk | contribs) (Created page with "Category:Linux link=VPN|64px|caption|VPN introduction VPN introduction File:Ssl certificate icon.jpg|link=VPN certificates ma...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


VPN introduction VPN introduction


VPN certificates management VPN certificates management


VPN server configuration VPN server configuration


VPN security VPN security


VPN remote networks access VPN remote networks access


Generic setup

Prepare files

You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz


Security algorithms and hash

Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!


Cryptographic algorithms

openvpn --show-ciphers

Search for: AES-128-CBC, AES-256-CBC


Hash algorithms

openvpn --show-digests

Search for: MD5


Handshake algorithms

openvpn --show-tls


IPv4 configuration

This is how you configuration should look like (more or less, depending on your settings):


##################################################
# OpenVPN 2.0 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
##################################################


# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2

# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080


# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0

# Crypto settings
cipher AES-128-CBC
auth MD5

# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/



# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.  
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like) 
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo



# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100

# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2


# Push routes to the client
#  >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
#  >> Set the VPN server as global gateway
push "redirect-gateway def1"

### Set the VPN server to act as a gateway for remote network
### You must set 1 'push route <network> <mask>' per target network(s)
#  >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
push "route 192.168.1.0 255.255.255.0"
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222" 
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"



# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# Log in a dedicated file instead of /var/log/messages
log         /etc/openvpn/openvpn.log
log-append  /etc/openvpn/openvpn.log

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages.  
# At most xx sequential same messages will be output to the log file.
mute 10


You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.

Be careful when you choose the port number! Common open ports:

  • 80 (http)
  • 443 (HTTPS)
  • 8080 (Proxy / JEE servers)


More details

Push network information

You can push network information such as:

  • route(s). The VPN route is mandatory. Then you can also push a reference to the remote server so the VPN server act as a "gateway".
  • DNS


IPv4

### Push network settings to the client
#  >> VPN route. required to allow connections
push "route 192.168.12.0 255.255.255.0"
#  >> Set the VPN server as global gateway
push "redirect-gateway def1"


### Set the VPN server to act as a gateway for remote network
### You must set 1 'push route <network> <mask>' per target network(s)
#  >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
push "route 192.168.1.0 255.255.255.0"
# >> Remote DNS server
push "dhcp-option WINS 192.168.1.21"
push "dhcp-option DNS 192.168.1.21"
#  >> set alternate / failover DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# >> Force windows clients to use the pushed DNS
push "register-dns"


[!] Reminder: for every network that you want to make it accessible through your VPN you must push a new route to it.

Source: http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/