Walkthrough for an OpenVPN installation for easyGateway

Tested only on a Netgate SG-4860-1U

  1. Install mandatory packages
    apt-get update
    apt-get install openvpn openssl curl jq vim --no-install-recommends 
  2. The Debian jessie (8) and stretch (9) repositories ship an old easy-rsa version (2.2) and we need at least 3.0.4, so we use the GitHub release tarball.
We don't use the git clone because we would then have to run the build.sh script with --version=3.0.4 to generate the final version.
    wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
    tar -xvzf EasyRSA-3.0.4.tgz
    rm EasyRSA-3.0.4.tgz
    mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
  1. Generate a 2048-bit RSA key pair (private key and certificate) for centrale on server5 (use the sub CA), and add them to
    vim /etc/openvpn/server/port_number.key
    vim /etc/openvpn/server/port_number.crt
    chmod 660 /etc/openvpn/server/port_number.key /etc/openvpn/server/port_number.crt #both files must belong to root:root
  2. Generate the Diffie-Hellman parameters file
    openssl dhparam -out /etc/openvpn/server/dh.pem 2048
  3. Generate the additional key for tls-auth mode
    openvpn --genkey --secret /etc/openvpn/server/ta.key
  4. Add the root CA and the sub CA to the ca.crt file (root CA first!)
    vim /etc/openvpn/server/ca.crt
  5. Add the OpenVPN server configuration file (the file is normally stored in git)
    cp /home/acdsn/git/fw-rules/port_number/server.conf
  6. Edit the init.d file, replace *.conf (3 occurrences) with server.conf and launch openvpn
    vim /etc/init.d/openvpn
    systemctl daemon-reload
    /etc/init.d/openvpn start #check with ps -Af | grep openvpn
  7. Add the file that the CRL download will write to
    touch /etc/openvpn/server/ca_crl.pem
    chmod 666 /etc/openvpn/server/ca_crl.pem
  8. Add client directories (as acdsn)
    mkdir /etc/acdsn/conf.d/client
    mkdir /etc/acdsn/conf.d/spool/client
  9. If necessary, generate an organisation token with easygateway-web
  10. Edit the acdsn crontab and add (a git pull of easygateway-scripts may be necessary):
    @daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem 
    */5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc
  11. Update fw-rules and pull the new configuration.
    1. create a new interface
    2. create a new network (by default, use 192.168.60.0)
    3. add the new network to rules 1 and 6
    4. add masquerade in epilog
      #iptables -t nat -A POSTROUTING -o lan1 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan2 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan3 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan4 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan5 -j MASQUERADE
    5. git pull
    6. Uncomment the LAN line(s) in the epilog for the LANs that must be reachable over the VPN
    7. reload
      /home/acdsn/git/fw-rules/port_number/port_number.fw reload
  12. Give it a try!
    1. get the config file from easygateway-web
    2. connect to centrale with Tunnelblick
    3. try ping or VNC over the VPN
  13. Monit openvpn?
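Step 4 asks for the root CA and the sub CA in ca.crt, root first. The script below is an added example, not part of this page or of the easyGateway scripts: it builds the bundle in that order, refuses to write it unless each input holds exactly one certificate, replaces the file atomically, and, when openssl is installed, verifies the server certificate from step 1 against the result. The input paths /root/pki/root-ca.crt and /root/pki/sub-ca.crt are assumptions; only /etc/openvpn/server/ca.crt and port_number.crt come from the page.

```shell
#!/bin/bash
# Added example (not from the original wiki page): assemble
# /etc/openvpn/server/ca.crt from the root CA and the sub CA in the order
# step 4 requires (root first) and check the result before OpenVPN uses it.
set -eu

# Count PEM certificates in a file (0 if the file is missing or empty).
pem_cert_count() {
    [ -s "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_ca_bundle ROOT SUB OUT: write ROOT then SUB into OUT. Each input must
# hold exactly one certificate, and OUT is only replaced once the bundle is
# complete (written next to it, then renamed).
build_ca_bundle() {
    local root=$1 sub=$2 out=$3 tmp
    [ "$(pem_cert_count "$root")" -eq 1 ] \
        || { echo "root CA file must hold exactly one certificate" >&2; return 1; }
    [ "$(pem_cert_count "$sub")" -eq 1 ] \
        || { echo "sub CA file must hold exactly one certificate" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$out")/ca.crt.XXXXXX")
    cat "$root" "$sub" > "$tmp"
    chmod 644 "$tmp"   # the bundle contains public certificates only
    mv "$tmp" "$out"
    [ "$(pem_cert_count "$out")" -eq 2 ]
}

# verify_server_cert BUNDLE CERT: confirm the server certificate chains to the
# bundle (sub CA signed by root CA). Skipped with a message if openssl is absent.
verify_server_cert() {
    command -v openssl >/dev/null 2>&1 \
        || { echo "openssl not available, skipping chain check" >&2; return 0; }
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Stand-alone use. The /root/pki/* paths are assumptions; the two
# /etc/openvpn/server paths are the ones from steps 1 and 4.
if [ "${1:-}" = "--run" ]; then
    build_ca_bundle /root/pki/root-ca.crt /root/pki/sub-ca.crt /etc/openvpn/server/ca.crt
    verify_server_cert /etc/openvpn/server/ca.crt /etc/openvpn/server/port_number.crt
fi
```

Run it as root with `--run` after the CA files are in place; a non-zero exit means the bundle was not written or the server certificate does not chain to it, which is worth knowing before step 6 starts the daemon.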
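The @daily curl line in step 10 writes straight into the live ca_crl.pem, so a failed download, a truncated file or an HTML error page becomes the CRL that OpenVPN's crl-verify reads, and client verification breaks until the next successful run. The script below is an added example (not from this page or the easygateway-scripts repository) of a safer refresh: download to a temporary file, check that it is a complete PEM CRL and, when openssl is available, that it parses and is signed by the CA bundle from step 4, and only then rename it into place. The URL and file paths are those from the page; the script assumes the cron user may create files in /etc/openvpn/server (or that the job runs as root), and the script name refresh_crl.sh is hypothetical.

```shell
#!/bin/bash
# Added example (not from the original wiki page): validate-then-replace
# refresh of the CRL fetched in step 10. A bad download never overwrites the
# CRL that OpenVPN is currently using.
set -eu

CRL_URL=${CRL_URL:-https://www.easygateway.co/ca_crl.pem}
CRL_DEST=${CRL_DEST:-/etc/openvpn/server/ca_crl.pem}
CA_BUNDLE=${CA_BUNDLE:-/etc/openvpn/server/ca.crt}

# crl_looks_valid FILE [CA_BUNDLE]: cheap structural checks first (non-empty,
# PEM CRL begin and end markers), then, when openssl is installed, a full
# parse and a signature check against the CA bundle.
crl_looks_valid() {
    local f=$1 ca=${2:-}
    [ -s "$f" ] || { echo "CRL candidate is empty or missing" >&2; return 1; }
    grep -q -- '-----BEGIN X509 CRL-----' "$f" \
        || { echo "CRL candidate is not a PEM CRL (HTML error page?)" >&2; return 1; }
    grep -q -- '-----END X509 CRL-----' "$f" \
        || { echo "CRL candidate is truncated" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        openssl crl -noout -in "$f" >/dev/null 2>&1 \
            || { echo "openssl cannot parse CRL candidate" >&2; return 1; }
        if [ -n "$ca" ] && [ -s "$ca" ]; then
            # openssl reports "verify OK" on stderr when the CRL signature checks out
            openssl crl -noout -in "$f" -CAfile "$ca" 2>&1 | grep -q 'verify OK' \
                || { echo "CRL signature does not verify against $ca" >&2; return 1; }
        fi
    fi
    return 0
}

# refresh_crl: download next to the destination, validate, then rename into
# place (atomic on the same filesystem). On any failure the current CRL stays.
refresh_crl() {
    local dir tmp
    dir=$(dirname "$CRL_DEST")
    tmp=$(mktemp "$dir/ca_crl.pem.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    curl --fail --silent --show-error --location --max-time 60 \
        "$CRL_URL" -o "$tmp" \
        || { echo "download of $CRL_URL failed" >&2; return 1; }
    crl_looks_valid "$tmp" "$CA_BUNDLE" || return 1
    chmod 644 "$tmp"   # OpenVPN only needs to read the CRL
    mv "$tmp" "$CRL_DEST"
    trap - EXIT
    echo "CRL updated: $CRL_DEST"
}

if [ "${1:-}" = "--run" ]; then
    refresh_crl
fi
```

With this in place the crontab entry from step 10 becomes `@daily /bin/bash /home/acdsn/git/easygateway-scripts/refresh_crl.sh --run` (path assumed), and a refresh failure shows up in the cron mail instead of as a broken CRL on the server.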
openvpn.1560257440.txt.gz · Last modified: 2019/06/11 12:50 by maferreira