VPN on RasPi with OpenVPN

www.mxor.com

- A Raspberry Pi with a static LAN IP address and SSH access,
- UDP port 1194 forwarded by your router/NAT to the Pi's LAN IP. Forward only this one port, and make sure the protocol (UDP) is the same as the `proto` line in both server.conf and the client config below — the two must match or clients cannot connect.

# sudo apt-get update && sudo apt-get install openvpn
----------------------- Step 1 -------------------------
Easy_RSA

# sudo -s
root@raspberrypi:/home/pi#
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
(the option is a plain "-r"; this example directory only ships with older openvpn packages — on current Debian/Raspbian install the separate "easy-rsa" package instead, whose 3.x commands differ from the 2.0 ones shown here)
# cd /etc/openvpn/easy-rsa
root@raspberrypi:/etc/openvpn/easy-rsa# nano vars
change line:
export EASY_RSA="`pwd`"
to:
export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_SIZE=2048 (do not use 1024: 1024-bit RSA and Diffie-Hellman are considered breakable today; this value also sets the size of the dh*.pem file built in Step 2, and server.conf must reference that file by its resulting name)
Ctrl+O to write the file, then Ctrl+X to leave nano

Certificate generator:
root@raspberrypi:/etc/openvpn/easy-rsa# source ./vars
root@raspberrypi:/etc/openvpn/easy-rsa# ./clean-all
root@raspberrypi:/etc/openvpn/easy-rsa# ./build-ca
Server key:
./build-key-server server_name   (the argument is required: it becomes the Common Name and the file names keys/server_name.crt and keys/server_name.key that server.conf points to; this command also marks the certificate as a server certificate, which the client checks)

Client key :
./build-key-pass client1   (the argument is required; run it once per client, each with its own unique Common Name — never share one certificate between devices, otherwise you cannot revoke one device without cutting off the rest)
(memorize the PEM passphrase — it is the only thing protecting the private key once it is embedded in the .ovpn file, so choose a strong one!)

root@raspberrypi:/etc/openvpn/easy-rsa# cd keys   (relative path: the directory is /etc/openvpn/easy-rsa/keys, not /keys; keep it root-only, chmod 700, since it holds the CA private key)

Re-encrypt each client's private key under its passphrase (one run per client):
root@raspberrypi:/etc/openvpn/easy-rsa/keys# openssl rsa -in client1.key -des3 -out client1.3des.key
(3DES is a legacy cipher; `-aes256` is the stronger choice. The generator script in Step 4 looks for the ".3des.key" suffix, so if you switch cipher either keep that file name or change KEY= in MakeOpenVPN.sh. The passphrase strength is what protects the key inside the .ovpn file.)

--------------------------- Step 2 --------------------------
Security - Diffie-Hellman parameters (used for the TLS key exchange; this is not a key pair and the file is not secret)

cd /etc/openvpn/easy-rsa
root@raspberrypi:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time on a Pi (tens of minutes). The size follows KEY_SIZE in vars and the output file is keys/dh2048.pem (dh1024.pem if you left 1024 — a size now considered breakable, so rebuild with 2048).
....................................
HMAC (Hash-based Message Authentication Code) key for tls-auth — the server drops packets that do not carry a valid HMAC before the TLS handshake even starts, which blunts scanning and DoS against the port:
# openvpn --genkey --secret keys/ta.key    (a shared secret: keep it mode 600 on the Pi and distribute it only inside the client profiles)

--------------------------- Step 3 --------------------
Server configuration
# nano /etc/openvpn/server.conf

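# /etc/openvpn/server.conf — routed OpenVPN server on the Raspberry Pi.
# Paths below assume the Easy-RSA 2.0 layout built in Steps 1 and 2.
local 192.168.0.125            # LAN IP of your Pi; OpenVPN listens only on this address
dev tun                        # routed (layer-3) tunnel; use tap only if you really need bridging
proto udp                      # MUST match the port forward (UDP 1194) and the client's "proto" line
port 1194                      # default OpenVPN port
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server_name.crt   # the name you gave to ./build-key-server
key /etc/openvpn/easy-rsa/keys/server_name.key    # same name as the cert above
dh /etc/openvpn/easy-rsa/keys/dh2048.pem          # produced by ./build-dh; file name follows KEY_SIZE in vars
server 10.8.0.0 255.255.255.0  # VPN subnet; "server" already configures 10.8.0.1 on this side
                               # and pushes the 10.8.0.0/24 route, so no separate ifconfig/route lines
push "redirect-gateway def1"   # send all client traffic through the tunnel
push "route 192.168.0.0 255.255.255.0"   # the LAN behind the Pi: a network address, not the Pi's host IP
                                          # (clients sitting on another 192.168.0.x LAN will conflict with this)
push "dhcp-option DNS 192.168.0.1"        # a resolver reachable through the tunnel; without one, redirect-gateway
                                          # leaves clients resolving via their local network (leak) or not at all.
                                          # Alternatives: 8.8.8.8 (Google), 208.67.222.222 (OpenDNS)
# ------------------------------------------------------------
# client-to-client   # off: VPN clients cannot reach each other; enable only if you need that
# duplicate-cn       # off: one certificate per client keeps the status log and revocation meaningful
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0   # server side is direction 0; clients use key-direction 1
cipher AES-128-CBC   # must match the client's "cipher" line; change both sides together
                     # (AES-256-GCM with "auth SHA256" is the stronger pair on OpenVPN 2.4+)
# tls-version-min 1.2   # recommended; enable once every client is OpenVPN 2.3.3+ / OpenVPN Connect
comp-lzo no          # keep the compression framing older clients expect, but never actually compress:
push "comp-lzo no"   # compression inside the tunnel lets an attacker recover secrets (VORACLE)
user nobody          # drop privileges after startup
group nogroup
persist-key          # keep keys/tun across restarts, needed once privileges are dropped
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3               # enough detail to investigate failed connections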

root@raspberrypi:/etc/openvpn/easy-rsa# nano /etc/sysctl.conf
Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

root@raspberrypi:/etc/openvpn/easy-rsa# sysctl -p
kernel.printk = 3 4 1 3
net.ipv4.ip_forward = 1
vm.swappiness = 1
vm.min_free_kbytes = 8192

root@raspberrypi:/etc/openvpn/easy-rsa# nano /etc/firewall-openvpn-rules.sh
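#!/bin/sh
# /etc/firewall-openvpn-rules.sh — NAT for VPN clients.
# Rewrites the source of packets leaving eth0 from the 10.8.0.0/24 tunnel
# subnet to the Pi's LAN address, so LAN hosts and the router can answer.
# Called from /etc/network/interfaces (pre-up), so it may run several times.
#
# The shebang MUST stay on its own line: written as "#!/bin/sh iptables ..."
# on one line the whole file is a comment and no rule is ever installed.

VPN_NET="10.8.0.0/24"
LAN_IP="192.168.0.125"   # your Pi's LAN IP

# -C only checks whether the rule exists; append it just once so repeated
# ifup runs do not stack duplicate rules.
iptables -t nat -C POSTROUTING -s "$VPN_NET" -o eth0 -j SNAT --to-source "$LAN_IP" 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "$VPN_NET" -o eth0 -j SNAT --to-source "$LAN_IP"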

# chmod 700 /etc/firewall-openvpn-rules.sh
# chown root /etc/firewall-openvpn-rules.sh
# nano /etc/network/interfaces   (note the trailing "s" — the file name is "interfaces")
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
pre-up /etc/firewall-openvpn-rules.sh
address 192.168.0.125  #  your Rpi server IP here
netmask 255.255.255.0
gateway 192.168.0.1



auto wlan0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

auto wlan1
allow-hotplug wlan1
iface wlan1 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf


# reboot

------------------------ STEP 4 ----------------------------
Client configuration
# sudo -s
# nano /etc/openvpn/easy-rsa/keys/default.txt    (lowercase: the generator script below opens "default.txt", and Linux file names are case-sensitive)
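# default.txt — directives shared by every generated client profile.
# The generator script appends <ca>, <cert>, <key> and <tls-auth> blocks to it.
client
dev tun                        # must match the server's "dev"
proto udp                      # must match the server's "proto" and the forwarded port
remote XX.XX.XX.XX 1194        # your public IP or a DNS name for it (the forwarded port)
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server         # accept only a certificate built by ./build-key-server; this replaces the
                               # obsolete "ns-cert-type server", which OpenVPN 2.5 no longer understands.
                               # If verification fails, the server cert was built with plain build-key.
key-direction 1                # tls-auth direction for the embedded ta.key; the server uses 0
cipher AES-128-CBC             # must match the server's "cipher"; change both sides together
comp-lzo                       # kept only for framing compatibility with the server, which should push
                               # "comp-lzo no" so nothing is actually compressed (VORACLE); remove on
                               # both sides together once all peers are updated
verb 1
mute 20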

Bash script to generate a client configuration file (.ovpn) that embeds the CA certificate, the client certificate and key, and ta.key:
# nano /etc/openvpn/easy-rsa/keys/MakeOpenVPN.sh
-----------------------------------------------------------------------------------------
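#!/bin/bash
#
# MakeOpenVPN.sh — bundle one client's certificate, its passphrase-protected
# private key, the CA certificate and the tls-auth key into a single .ovpn
# profile, using OpenVPN's inline <ca>/<cert>/<key>/<tls-auth> blocks.
#
# Run it from /etc/openvpn/easy-rsa/keys, the directory holding the inputs.
# Usage:  ./MakeOpenVPN.sh [CLIENT_NAME]
#         (prompts for the name on stdin when no argument is given)
#
# Inputs (current directory):
#   default.txt            client directives shared by every profile
#   CLIENT_NAME.crt        client certificate (from ./build-key-pass)
#   CLIENT_NAME.3des.key   passphrase-protected private key (openssl rsa -des3 ...)
#   ca.crt                 CA certificate
#   ta.key                 tls-auth HMAC key
# Output:
#   CLIENT_NAME.ovpn, mode 0600 — it embeds a private key and the shared
#   tls-auth secret, so hand it over on an encrypted channel and delete
#   spare copies afterwards.
#
# Original script by Eric Jodoin.

set -eu

readonly DEFAULT="default.txt"
readonly FILEEXT=".ovpn"
readonly CRT=".crt"
readonly KEY=".3des.key"
readonly CA="ca.crt"
readonly TA="ta.key"

# Print an error on stderr and exit non-zero (the original exited 0 on error,
# which hid failures from callers).
die() {
  printf '[ERROR]: %s\n' "$*" >&2
  exit 1
}

# Abort unless the file $1 exists; $2 names it for the messages.
require_file() {
  [[ -f "$1" ]] || die "$2 not found: $1"
  printf '%s found: %s\n' "$2" "$1"
}

# Print only the PEM body of $1 between the BEGIN/END markers for type $2
# (e.g. CERTIFICATE), dropping the human-readable text OpenSSL prepends.
pem_section() {
  sed -ne "/-BEGIN $2-/,/-END $2-/p" -- "$1"
}

main() {
  local name
  if (( $# >= 1 )); then
    name=$1
  else
    printf 'Please enter an existing Client Name:\n'
    IFS= read -r name
  fi
  # The name becomes a file name: refuse anything that could leave this directory.
  [[ -n "$name" && "$name" != */* && "$name" != .* ]] \
    || die "invalid client name: '$name'"

  local crt="$name$CRT" key="$name$KEY" out="$name$FILEEXT"

  require_file "$DEFAULT" "Default client config"
  require_file "$crt" "Client Public Key Certificate"
  require_file "$key" "Client 3des Private Key"
  require_file "$CA" "CA Public Key"
  require_file "$TA" "tls-auth Key"

  # The profile carries secrets: create it readable by the owner only.
  umask 077
  {
    cat -- "$DEFAULT"
    printf '\n<ca>\n'
    pem_section "$CA" CERTIFICATE
    printf '</ca>\n\n<cert>\n'
    pem_section "$crt" CERTIFICATE
    printf '</cert>\n\n<key>\n'
    cat -- "$key"
    printf '</key>\n\n<tls-auth>\n'
    cat -- "$TA"
    printf '</tls-auth>\n'
  } > "$out"

  printf 'Done! %s Successfully Created.\n' "$out"
}

main "$@"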

---------------------------------------------------------------------------------------
# cd /etc/openvpn/easy-rsa/keys
root@raspberrypi:/etc/openvpn/easy-rsa/keys# chmod 700 MakeOpenVPN.sh
for each client:
root@raspberrypi:/etc/openvpn/easy-rsa/keys# ./MakeOpenVPN.sh

Copy the client profile to the pi home directory (each .ovpn embeds that client's private key and the shared ta.key, so treat it as a secret):
# install -m 600 -o pi *.ovpn /home/pi    (then move it to the device over SSH/SCP or another encrypted channel — never by plain e-mail — and delete the copy in /home/pi once it is on the device)


Tuto en français

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Android
OpenVPN Connect

Windows official OpenVPN client
https://openvpn.net/index.php/open-source/downloads.html

www.mxor.com