openvpn

This is an old revision of the document!


Walkthrough for an OpenVPN installation for easyGateway

Tested only on a Netgate SG-4860-1U

  1. Install mandatory packages
    apt-get update
    apt-get install openvpn curl jq vim --no-install-recommends 
  2. The Debian jessie (8) and stretch (9) repositories ship an old easy-rsa version (2.2) and we need at least 3.0.4, so we use the GitHub release.
    wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
    tar -xvzf EasyRSA-3.0.4.tgz
    rm EasyRSA-3.0.4.tgz
    mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
  3. Generate a 2048-bit RSA private key and certificate for the centrale, with server5 (use the sub CA), and paste them into:
    vim /etc/openvpn/server/port_number.key
    vim /etc/openvpn/server/port_number.crt
    chmod 660 port_number.key port_number.crt #both files must belong to root:root
  4. Generate the Diffie-Hellman parameters file
    openssl dhparam -out /etc/openvpn/server/dh.pem 2048
  5. Generate the additional key for tls-auth mode
    openvpn --genkey --secret /etc/openvpn/server/ta.key
  6. Add the root CA and the sub CA to the ca.crt file (root CA first!)
    vim /etc/openvpn/server/ca.crt
  7. Add the OpenVPN server configuration file (it is normally stored in git)
    cp /home/acdsn/git/fw-rules/port_number/server.conf
  8. Edit the init.d file, replace *.conf (3 occurrences) with server.conf and launch OpenVPN
    vim /etc/init.d/openvpn
    systemctl daemon-reload
    /etc/init.d/openvpn start #check with ps -Af | grep openvpn
  9. Add the file for the CRL download
    touch /etc/openvpn/server/ca_crl.pem
    chmod 666 ca_crl.pem
  10. Add the client directories (as acdsn)
    mkdir /etc/acdsn/conf.d/client
    mkdir /etc/acdsn/conf.d/spool/client
  11. If necessary, generate an organisation token with easygateway-web
  12. Edit the acdsn crontab and add the following (a git pull of easygateway-scripts may be necessary):
    @daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem 
    */5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc
  13. Update fw-rules and pull the new configuration.
    1. create a new interface
    2. create a new network (by default, use 192.168.60.0)
    3. add the new network to rules 1 and 6
    4. add masquerade in the epilog
      #iptables -t nat -A POSTROUTING -o lan1 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan2 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan3 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan4 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan5 -j MASQUERADE
    5. git pull
    6. Uncomment the line for the LAN interface in the epilog where the VPN is needed
    7. reload
      /home/acdsn/git/fw-rules/port_number/port_number.fw reload
  14. Give it a try!
    1. get the config file from easygateway-web
    2. connect to the centrale with Tunnelblick
    3. try ping or VNC over the VPN
  15. Monit openvpn?
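As an added example (not part of the original page), a bash check that verifies the server directory produced by steps 3 to 9 before the first client test: the files exist, the key and certificate carry the 660 mode from step 3, each file holds the expected PEM type, ca.crt carries both the root and the sub CA, and ca_crl.pem is no longer the empty file created in step 9. It assumes GNU stat (Linux) and the file names used in the steps above.

```bash
#!/bin/bash
# Sanity check for the OpenVPN server directory built by steps 3-9 of the
# walkthrough (added example, not part of the original page).
# Usage: check_openvpn_dir /etc/openvpn/server   (exit 0 = all checks pass)
# Assumes GNU stat; file names and modes are the ones the steps use.

pem_count() {                      # number of PEM headers matching $2 in file $1
    local n
    n=$(grep -c -- "^-----BEGIN .*$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

check_openvpn_dir() {
    local dir="$1" rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # Step 3: server certificate and key, mode 660 as set in the walkthrough
    for f in port_number.key port_number.crt; do
        [ -f "$dir/$f" ] || { fail "$f is missing"; continue; }
        [ "$(stat -c %a "$dir/$f")" = 660 ] || fail "$f mode is not 660"
    done
    [ "$(pem_count "$dir/port_number.key" 'PRIVATE KEY')" -ge 1 ] \
        || fail "port_number.key holds no private key"
    [ "$(pem_count "$dir/port_number.crt" CERTIFICATE)" -ge 1 ] \
        || fail "port_number.crt holds no certificate"

    # Steps 4 and 5: DH parameters and the tls-auth static key
    [ "$(pem_count "$dir/dh.pem" 'DH PARAMETERS')" -eq 1 ] \
        || fail "dh.pem is missing or not a DH parameter file"
    grep -q 'BEGIN OpenVPN Static key V1' "$dir/ta.key" 2>/dev/null \
        || fail "ta.key is missing or not an OpenVPN static key"

    # Step 6: the bundle must carry both the root CA and the sub CA
    [ "$(pem_count "$dir/ca.crt" CERTIFICATE)" -eq 2 ] \
        || fail "ca.crt must contain exactly two certificates (root + sub CA)"

    # Step 9: the CRL file exists; it stays empty until the @daily curl job ran
    [ -f "$dir/ca_crl.pem" ] || fail "ca_crl.pem is missing"
    [ -s "$dir/ca_crl.pem" ] || fail "ca_crl.pem is empty (CRL not downloaded yet)"

    return "$rc"
}
```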
openvpn.1525098934.txt.gz · Last modified: 2018/04/30 14:35 by kroduit