VPN Setup

Posted on Fri 26 February 2016 in posts

Used the following tutorial for generating keys: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

To set up a new client

go to /etc/openvpn/easy-rsa run command ./build-key clientname to generate keys then just copy the keys and make a config on the client

files necessary for client

client.crt client.key ca.crt ta.key

Command on server to make fowarding work:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s4 -j MASQUERADE

Server Configuration

port 1194
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/servername-cr.crt
key /etc/openvpn/servername-cr.key  # This file should be kept secret
dh /etc/openvpn/01.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
fragment 1464 # may not be needed

Client Configuration

client
dev tun

proto udp

fragment 1464
mssfix 1464

remote ma.com 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/carbon-fr-cl.crt
key /etc/openvpn/carbon-fr-cl.key

remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1

comp-lzo
verb 3
script-security 2

# from update-resolv-conf aur
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

iptables Configuration

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping 
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Allow vpn traffic
-A INPUT -p udp --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT


-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# Allow forwarding traffic only from the VPN.
-A FORWARD -i tun0 -o enp0s4 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP


COMMIT

Previous Post Next Post