openvpn
Walkthrough for an OpenVPN installation for easyGateway
Tested only on a Netgate SG-4860-1U
- Install mandatory packages
apt-get update
apt-get install openvpn openssl curl jq vim --no-install-recommends
- The Debian jessie (8) and stretch (9) repositories ship an old easy-rsa version (2.2) and we need at least 3.0.4, so we use the GitHub release.
We don't use the git clone because we would then have to run the build.sh script with --version=3.0.4 to produce the final release tree.
wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz #--no-check-certificate disables TLS verification of the download; drop it once ca-certificates is installed and current
tar -xvzf EasyRSA-3.0.4.tgz
rm EasyRSA-3.0.4.tgz
mv EasyRSA-3.0.4/ easy-rsa
mv easy-rsa /etc/openvpn/easy-rsa/
- Generate a 2048-bit RSA private key and certificate for centrale, with server5 (use the sub CA), and add them in:
vim /etc/openvpn/server/port_number.key
vim /etc/openvpn/server/port_number.crt
chmod 660 /etc/openvpn/server/port_number.key /etc/openvpn/server/port_number.crt #both files must belong to root:root
- Generate the Diffie-Hellman parameters file
openssl dhparam -out /etc/openvpn/server/dh.pem 2048
- Generate the additional key for tls-auth mode
openvpn --genkey --secret /etc/openvpn/server/ta.key
- Add the root CA and the sub CA to the ca.crt file (root CA first!)
vim /etc/openvpn/server/ca.crt
- Add the OpenVPN server configuration file (the file is normally stored in git)
cp /home/acdsn/git/fw-rules/port_number/server.conf /etc/openvpn/server.conf #destination assumed: the init.d script edited in the next step runs /etc/openvpn/server.conf
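As an added illustration (not the server.conf kept in the fw-rules git repository), a server.conf that wires together the files generated in the steps above; the port, cipher, hash and log path are assumptions, the 192.168.60.0/24 network is the one added to the fw-rules later in this page:

```conf
# Assumed server.conf for this walkthrough (example only, not the fw-rules one)
# Port and protocol: assumption, the real port is the port_number used in the file names
port 1194
proto udp
dev tun
# CA bundle: root CA first, then sub CA, as written in the ca.crt step
ca /etc/openvpn/server/ca.crt
# Server certificate and private key (root:root, mode 660)
cert /etc/openvpn/server/port_number.crt
key /etc/openvpn/server/port_number.key
dh /etc/openvpn/server/dh.pem
# tls-auth HMAC key; the server uses direction 0, client configs must use direction 1
tls-auth /etc/openvpn/server/ta.key 0
# CRL refreshed daily by the acdsn cron job; revoked client certificates are rejected
crl-verify /etc/openvpn/server/ca_crl.pem
# VPN network (the one added to the fw-rules interface and rules 1 and 6)
server 192.168.60.0 255.255.255.0
keepalive 10 120
# Cipher and auth digest: assumptions, pick the ones agreed with the clients
cipher AES-256-GCM
auth SHA256
# Drop privileges after start; persist-key/persist-tun let the daemon restart tunnels
# without re-reading the root-owned key files
user nobody
group nogroup
persist-key
persist-tun
# Log path: assumption
status /var/log/openvpn-status.log
verb 3
```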
- Edit the init.d file, replace *.conf (3 occurrences) by server.conf and launch openvpn
vim /etc/init.d/openvpn
systemctl daemon-reload
/etc/init.d/openvpn start #check with ps -Af | grep openvpn
- Add the file for the CRL download
touch /etc/openvpn/server/ca_crl.pem
chmod 666 /etc/openvpn/server/ca_crl.pem #666 so the acdsn cron job can write it; chown acdsn plus mode 644 would give the same result without making the file world-writable
- Add the client directories (as acdsn)
mkdir /etc/acdsn/conf.d/client
mkdir /etc/acdsn/conf.d/spool/client
- If necessary, generate an organisation token with easygateway-web
- Edit the acdsn crontab and add (a git pull of easygateway-scripts may be necessary):
#the curl call has no -f: on an HTTP error the CRL file would be overwritten with the error page
@daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem
*/5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc
- Update fw-rules and pull the new configuration.
- create a new interface
- create a new network (by default, use 192.168.60.0)
- add the new network in rules 1 and 6
- add masquerade in epilog
#iptables -t nat -A POSTROUTING -o lan1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o lan2 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o lan3 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o lan4 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o lan5 -j MASQUERADE
- git pull
- Uncomment the lan specified in epilog, when the VPN is necessary
- reload
/home/acdsn/git/fw-rules/port_number/port_number.fw reload
- Give it a try!
- get the config file from easygateway-web
- connect to centrale with Tunnelblick
- try ping or VNC over the VPN
- Monit openvpn?
openvpn.1560257720.txt.gz · Last modified: 2019/06/11 12:55 by maferreira