Configuration of OpenVPN
-
Install OpenVPN
sudo apt install openvpn -y
-
Make a CA Directory
make-cadir ~/openvpn-ca
-
Create Certificate Authority (CA)
- Install easy-rsa
sudo apt install easy-rsa -y
- Initialize RSA
./easyrsa init-pki
- Create CA
./easyrsa build-ca nopass
-
Generate certificate for server
- Generate server key and sign the key
./easyrsa gen-req server nopass
./easyrsa sign-req server server
- Generate DH
./easyrsa gen-dh
- Generate TLS authentication
openvpn --genkey --secret ta.key
-
Generate Certificate for Client
- Generate client key and sign the key
./easyrsa gen-req clientname nopass
./easyrsa sign-req client clientname
-
Edit the configuration of Server
- Copy the config sample file from /usr/share/doc/openvpn/examples/sample-config-files/server.conf to /etc/openvpn/server
- Copy the files (ca.crt, server.crt, server.key, dh.pem, ta.key) to /etc/openvpn
-
Start the OpenVPN service on server
sudo systemctl start openvpn@server
-
Edit the configuration of Client
- Copy the config sample file from /usr/share/doc/openvpn/examples/sample-config-files (change the extension to .ovpn if on Windows)
- Change the server IP in the conf file
- Copy the files (ca.crt, client.crt, client.key, ta.key) to the client device
-
Windows OpenVPN client connection
- Import the .ovpn file and connect
-
Route all the traffic from the client through the server (IPv4 and IPv6)
- Enable IP forwarding
- Edit /etc/sysctl.conf
- enable
net.ipv4.ip_forward = 1 (IPv4)
net.ipv6.conf.all.forwarding = 1 (IPv6)
- Apply
sudo sysctl -p
- Enable NAT
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
- ip6tables -t nat -A POSTROUTING -s 2001:db8:0:123::/64 -o eth0 -j MASQUERADE
- Edit the server.conf
- Config the network (server.conf)
- server 10.8.0.0 255.255.255.0
- server-ipv6 2001:db8:0:123::/64
- Push the default gateway to client (server.conf)
- edit the /etc/openvpn/server.conf
- enable
push "redirect-gateway def1 bypass-dhcp" (IPv4)
push "route-ipv6 2000::/3" (IPv6)
push "redirect-gateway ipv6" (IPv6)
- Add proto (server.conf)
proto udp6
- Restart openvpn@server
- Edit the client configuration
- add
remote your_server_ipv4_address 1194
- add
remote your_server_ipv6_address 1194
- add
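As an added example that is not part of these notes, a POSIX shell pre-flight check for the routing section: it verifies that server.conf carries every directive the steps add (a line still commented out from the sample file does not count) and, on the live host, that forwarding and the NAT rules are in place. The eth0 interface and the address ranges are taken from the notes; the sample server.conf is constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for the routing steps above. check_server_conf verifies that server.conf
# carries every directive those steps add; check_forwarding and check_nat verify the sysctl
# and NAT steps on the live host (eth0 and the address ranges from the notes are assumed).

# check_server_conf FILE: print each missing directive, return 1 if any is missing.
# grep -x matches whole lines, so a line still commented out with ';' or '#' (the way the
# sample file ships its optional directives) does not count as present.
check_server_conf() {
  conf=$1
  missing=0
  while IFS= read -r directive; do
    if ! grep -qxF -- "$directive" "$conf"; then
      echo "missing: $directive"
      missing=1
    fi
  done <<'EOF'
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:123::/64
push "redirect-gateway def1 bypass-dhcp"
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
proto udp6
EOF
  return $missing
}

# check_forwarding: succeed only when both sysctl keys from the notes read 1.
check_forwarding() {
  [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = 1 ] &&
  [ "$(sysctl -n net.ipv6.conf.all.forwarding 2>/dev/null)" = 1 ]
}

# check_nat: succeed only when both MASQUERADE rules are loaded (iptables -C needs root).
check_nat() {
  iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null &&
  ip6tables -t nat -C POSTROUTING -s 2001:db8:0:123::/64 -o eth0 -j MASQUERADE 2>/dev/null
}

# write_sample_conf FILE: constructed server.conf that lacks server-ipv6 and still has one
# IPv6 push line commented out, so check_server_conf reports three missing directives.
write_sample_conf() {
  cat > "$1" <<'EOF'
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
;push "route-ipv6 2000::/3"
proto udp6
EOF
}
```

Source the file on the server and run check_server_conf /etc/openvpn/server.conf && check_forwarding && check_nat; the constructed sample only exercises the config check offline.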