references:
http://networklessons.com/linux/openvpn-server-usernamepassword-authentication/

1. Install OpenVPN with the package manager:

Ubuntu:

  apt-get install openvpn udev lzop

CentOS:

  yum install openvpn udev lzop

2. Generate key files:

2.1 Copy easy-rsa to /etc/openvpn

  cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/

2.2 CA certificate:

  cd /etc/openvpn/easy-rsa/2.0
  source vars
  # if openssl.cnf not found: cp openssl-1.0.0.cnf openssl.cnf
  ./clean-all
  ./build-ca

2.3 Generate server keypair

  ./build-key-server server

2.4 Generate client keypair

  # build-key, not build-key-server: a client certificate carrying the server
  # role (nsCertType=server) would pass the clients' server check in 3.2 and
  # could impersonate the server to every other client
  ./build-key client1

2.5 Generate Diffie-Hellman parameters

  # KEY_SIZE in vars (1024 by default in easy-rsa 2.0) sets both the size and
  # the file name (keys/dh1024.pem); 1024-bit DH is too weak, so set
  # KEY_SIZE=2048 before running build-dh and reference dh2048.pem in the
  # server configuration
  ./build-dh

All generated files land in /etc/openvpn/easy-rsa/2.0/keys/. The server
configuration below reads them from /etc/openvpn/keys/, so copy ca.crt,
server.crt, server.key and the dh*.pem file there and keep the .key files
readable by root only (mode 0600).

3. Configuration

3.1 Server side configuration:

local 
port 
proto 
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# 1024-bit DH is too weak; build dh2048.pem (KEY_SIZE=2048 in vars) and reference it here
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# client-to-client switches traffic between clients inside OpenVPN, bypassing the iptables FORWARD rules in 4.
client-to-client
# duplicate-cn lets several devices connect with the same certificate; prefer one certificate per device (step 7)
duplicate-cn
keepalive 20 120
# compression over the tunnel exposes it to VORACLE-style plaintext recovery; drop comp-lzo unless old clients require it
comp-lzo
max-clients 50
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20

3.2 Client side configuration:

client
dev tun
proto udp
remote 163.43.141.40 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# verifies the server certificate's nsCertType; deprecated (removed in OpenVPN 2.5), use "remote-cert-tls server" on 2.1+
ns-cert-type server
redirect-gateway
keepalive 20 60
# enable together with "tls-auth ta.key 0" on the server; the same ta.key must be present on both sides
#tls-auth ta.key 1
comp-lzo
verb 3
mute 20
# Windows clients only
route-method exe
route-delay 2
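The two configurations above carry several settings a reviewer would flag (duplicate-cn, client-to-client, comp-lzo, 1024-bit DH, no tls-auth, no user/group drop, ns-cert-type). The script below is an added example for these notes, not part of the referenced article: it lints an OpenVPN config for exactly those settings, and its --demo mode checks a trimmed copy of the server config from 3.1 next to a hardened variant of it. It needs only a POSIX shell and grep/awk.

```shell
#!/bin/sh
# Lint an OpenVPN config for the weak settings discussed in this walkthrough.
# Added example for these notes, not from the referenced article.
# Usage: sh ovpn-lint.sh /etc/openvpn/server.conf [more.conf ...]
#        sh ovpn-lint.sh --demo   (checks a built-in weak and a hardened config)

# has FILE ERE : true if an uncommented line starts with a directive matching ERE
has() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

# check_openvpn_conf FILE : print one finding per line (prints nothing if clean)
check_openvpn_conf() {
    f=$1
    has "$f" 'duplicate-cn' && echo "$f: duplicate-cn lets many devices share one certificate; a leaked key cannot be tied to a device and revoking it cuts off all of them"
    has "$f" 'client-to-client' && echo "$f: client-to-client forwards traffic between clients inside OpenVPN, bypassing the iptables FORWARD chain"
    has "$f" 'comp-lzo|compress' && echo "$f: compression over the tunnel enables VORACLE-style plaintext recovery; drop comp-lzo"
    grep -Eq '^[[:space:]]*dh[[:space:]]+[^[:space:]]*1024' "$f" && echo "$f: 1024-bit DH parameters are too weak; regenerate with KEY_SIZE=2048 (dh2048.pem)"
    has "$f" 'ns-cert-type' && echo "$f: ns-cert-type is deprecated (removed in OpenVPN 2.5); use remote-cert-tls server"
    has "$f" 'tls-auth|tls-crypt|tls-crypt-v2' || echo "$f: no tls-auth/tls-crypt: unauthenticated peers can reach the TLS handshake"
    if has "$f" 'server'; then   # server-side only checks
        has "$f" 'user'  || echo "$f: no 'user nobody': daemon keeps root privileges after start"
        has "$f" 'group' || echo "$f: no 'group nogroup': daemon keeps the root group after start"
    fi
    return 0
}

# count_findings FILE : number of findings, always printed without padding
count_findings() {
    check_openvpn_conf "$1" | awk 'END { print NR }'
}

# demo : the server config from 3.1 (lines that matter) next to a hardened one;
# succeeds only if the weak one is flagged and the hardened one is clean
demo() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
port 443
proto udp
dev tun
dh /etc/openvpn/keys/dh1024.pem
server 10.8.1.0 255.255.255.0
client-to-client
duplicate-cn
comp-lzo
EOF
    cat > "$d/hardened.conf" <<'EOF'
port 443
proto udp
dev tun
dh /etc/openvpn/keys/dh2048.pem
server 10.8.1.0 255.255.255.0
tls-auth /etc/openvpn/keys/ta.key 0
user nobody
group nogroup
EOF
    check_openvpn_conf "$d/weak.conf"
    check_openvpn_conf "$d/hardened.conf"
    weak=$(count_findings "$d/weak.conf") ok=$(count_findings "$d/hardened.conf")
    rm -r "$d"
    echo "weak: $weak finding(s), hardened: $ok finding(s)"
    [ "$weak" -gt 0 ] && [ "$ok" -eq 0 ]
}

case "${1:-}" in
    --demo) demo ;;
    "") ;;                                   # no arguments: only define the functions
    *) for f in "$@"; do check_openvpn_conf "$f"; done ;;
esac
```

Run it against the server and client files before restarting the daemon; the weak server config from 3.1 produces seven findings, the client config from 3.2 three (comp-lzo, ns-cert-type, the commented-out tls-auth), and a hardened server config none. The check is line-based and deliberately simple: it does not follow `config` includes and treats `server` as the marker for a server-side file.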

4. iptables configuration:

#!/bin/sh
# These rules only ACCEPT; without a DROP policy on INPUT and FORWARD they restrict nothing.
# NAT the VPN subnet out of eth0: keep one of the next two rules, SNAT with a fixed
# public address (fill in --to-source) or MASQUERADE when the address is dynamic
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to-source 
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
# must match the proto and port of the server config; the client config in 3.2
# connects with udp to port 443, which this tcp rule does not open
/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# not needed by OpenVPN; keep only if this host also serves HTTP
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -I FORWARD -s 10.8.0.0/16 -j ACCEPT
/sbin/iptables -I INPUT -i lo -j ACCEPT
# accepts everything from VPN clients to the server itself; restrict to the ports clients need
/sbin/iptables -I INPUT -i tun0 -j ACCEPT
/sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

5. Enable forwarding in /etc/sysctl.conf:

  net.ipv4.ip_forward = 1
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0

then apply the settings:

  sysctl -p

6. Restart OpenVPN and networking

  /etc/init.d/openvpn restart
  /etc/init.d/networking restart

7. Add a new client key:

  cd /etc/openvpn/easy-rsa/2.0
  source vars
  ./build-key client2

Copy keys/ca.crt, keys/client2.crt and keys/client2.key to the client together
with the configuration from 3.2, with cert and key pointing at client2.crt and
client2.key.
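After build-key the client still needs ca.crt, its certificate, its key and the configuration from 3.2 shipped as separate files. The script below is an added example for these notes, not from the page or the networklessons article: it bundles those files into a single .ovpn profile with inline <ca>/<cert>/<key> blocks, uses "remote-cert-tls server" in place of the deprecated ns-cert-type, refuses a certificate that carries a server role (the build-key-server mistake from 2.4) when openssl is available, and writes the profile mode 0600 because it embeds the private key. The hostname vpn.example.org and port 1194 in the usage comment are placeholders.

```shell
#!/bin/sh
# Bundle one client's credentials into a single .ovpn profile.
# Added example for these notes, not from the referenced article.
# Usage: write_client_ovpn NAME REMOTE PORT PROTO KEYDIR OUT [TA_KEY]
#   NAME    the name given to ./build-key (KEYDIR/NAME.crt, KEYDIR/NAME.key)
#   KEYDIR  easy-rsa keys directory, which also holds ca.crt
#   TA_KEY  optional tls-auth key; the server must then use 'tls-auth ta.key 0'

# pem_has FILE MARKER : fail unless FILE is readable and contains MARKER
pem_has() {
    if [ -r "$1" ] && grep -q -- "$2" "$1"; then
        return 0
    fi
    echo "error: $1 missing or not a $2 file" >&2
    return 1
}

write_client_ovpn() {
    name=$1 remote=$2 port=$3 proto=$4 keydir=$5 out=$6 ta=${7:-}
    ca=$keydir/ca.crt cert=$keydir/$name.crt key=$keydir/$name.key

    pem_has "$ca"   'BEGIN CERTIFICATE' || return 1
    pem_has "$cert" 'BEGIN CERTIFICATE' || return 1
    pem_has "$key"  'PRIVATE KEY'       || return 1
    if [ -n "$ta" ]; then pem_has "$ta" 'OpenVPN Static key' || return 1; fi

    # A client certificate with the server role (what build-key-server emits)
    # would satisfy every other client's server check; refuse it.
    # Skipped silently when openssl is not installed.
    if command -v openssl >/dev/null 2>&1 &&
       openssl x509 -in "$cert" -noout -text 2>/dev/null |
           grep -Eq 'SSL Server|TLS Web Server Authentication'; then
        echo "error: $cert carries a server role; rebuild it with ./build-key" >&2
        return 1
    fi

    # The profile embeds a private key: create it 0600. The umask change is
    # confined to a subshell so it does not leak into the caller.
    rm -f "$out"
    (
        umask 077
        {
            printf '%s\n' client "dev tun" "proto $proto" "remote $remote $port" \
                "resolv-retry infinite" nobind persist-key persist-tun \
                "remote-cert-tls server" "verb 3"
            if [ -n "$ta" ]; then echo "key-direction 1"; fi
            printf '<ca>\n';   cat "$ca";   printf '</ca>\n'
            printf '<cert>\n'; cat "$cert"; printf '</cert>\n'
            printf '<key>\n';  cat "$key";  printf '</key>\n'
            if [ -n "$ta" ]; then
                printf '<tls-auth>\n'; cat "$ta"; printf '</tls-auth>\n'
            fi
        } > "$out"
    )
}

# Run directly:
#   sh mkclient.sh client2 vpn.example.org 1194 udp /etc/openvpn/easy-rsa/2.0/keys client2.ovpn
if [ "$#" -ge 6 ]; then write_client_ovpn "$@"; fi
```

Hand the resulting file to the client over a channel you trust (it contains the private key); nothing else from the server needs to travel. If the server gains tls-auth, pass ta.key as the seventh argument so the profile carries the matching inline block and key-direction.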
