Tutorial on building an OpenVPN server and an OpenVPN client on Ubuntu

Reference: OpenVpn For Ubuntu 16.04

Environment Introduction:

Server: Ubuntu 16.04

Client System: Ubuntu 16.04

Version: OpenVPN 2.3.10

Basic Configuration

OpenVPN's core technology is the virtual network card (a tun device); on top of it, an SSL/TLS tunnel carries the traffic.

After the OpenVPN service is installed and started, a virtual network card named tun0 appears on the host. After the client successfully establishes an SSL connection with the server, it also gets a local virtual network card named tun0.

The first step to set up the VPN service is to enable the client and server to correctly establish an SSL connection.

Step 1: Install openvpn and easy-rsa

Install openvpn and easy-rsa on the server

$ sudo apt install openvpn easy-rsa

Step 2: Copy the easy-rsa template directory into the home directory.

$ make-cadir ~/openvpn-rsa

Step 3: Configure the required variables for certificate generation

Use a text editor to open ~/openvpn-rsa/vars and modify the values of the following variables. They set the default subject fields (country, organization, e-mail, and so on) written into the certificates you generate.

(I don't know what the specific meanings of these variables are. You can change them as needed.)

export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="ShenZhen"
export KEY_ORG="ORG"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"

Step 4: Generate a CA certificate

$ cd ~/openvpn-rsa
$ source vars
$ ./clean-all
$ ./build-ca

Step 5: Generate server certificate

$ ./build-key-server server
$ ./build-dh
$ cd keys/
$ sudo cp server.crt server.key ca.crt dh2048.pem /etc/openvpn/

Here, server is the name of the server certificate and can be changed. For convenience, I set it to server.

During this process, press ENTER or y as prompted to confirm the items that require user confirmation.

According to some information on the Internet, the server name must match the value of KEY_NAME in the vars file, but this did not seem necessary in my test.

Step 6: Generate client certificate

$ cd ~/openvpn-rsa
$ source vars
$ ./build-key client1

The client1.crt and client1.key files are generated in the ~/openvpn-rsa/keys directory.

Here, you can change client1 to a name of your own.

Step 7: Configure and start the server

To start OpenVPN, we first need a configuration file. Copy the sample server configuration and unpack it:

$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ sudo gzip -d /etc/openvpn/server.conf.gz

Use the editor to modify the /etc/openvpn/server.conf file and set the correct paths for the certificates and keys (relative paths are resolved from /etc/openvpn, where we copied the files):

ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

You can run the systemctl command to start, close, or view the OpenVpn status.

$ sudo systemctl start/status/stop/restart openvpn@CONFIGFILENAME

In the preceding command, CONFIGFILENAME is the name of the configuration file without the .conf extension. The configuration file we are using is server.conf, so replace CONFIGFILENAME with server.

After starting the service, ifconfig shows a new network card. The information is as follows:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:610374 errors:0 dropped:0 overruns:0 frame:0
          TX packets:721198 errors:0 dropped:9706 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:40928674 (40.9 MB)  TX bytes:927687322 (927.6 MB)

Step 8: Configure the client

We generate the client configuration on the server machine as well.

$ mkdir ~/openvpn-rsa/clients
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-rsa/clients/base.conf

base.conf is the common configuration file for all our clients.

Use the editor to modify the client configuration file ~/openvpn-rsa/clients/base.conf, set the correct paths of the certificate and key, and set the server address:

ca ca.crt
cert client.crt
key client.key
remote vpnserver.example.com 1194

Change vpnserver.example.com to the IP address or domain name of the server.
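A mistake in Step 7 or Step 8 (a wrong file name, a key left group-readable, a file that was never copied) only shows up when systemctl start fails. The pre-flight check below is an added example, not part of the original tutorial: it reads the ca/cert/key/dh/tls-auth directives from a config file, resolves relative paths against the directory containing the file (where this tutorial keeps them), and reports missing files and private keys that are readable by group or others. The function names and the 600/400 mode rule are the example's own choices.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN configuration file (added example, not the
# tutorial's code). Usage: check_openvpn_conf /etc/openvpn/server.conf

# conf_value FILE DIRECTIVE: print the first argument of DIRECTIVE, or nothing.
# Commented lines start with ';' or '#', so they never match the directive name.
conf_value() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_openvpn_conf FILE: print one line per problem found. The return value is
# the number of problems, so 0 means the service can be started.
check_openvpn_conf() {
  conf=$1
  dir=$(dirname "$conf")
  problems=0
  for directive in ca cert key dh tls-auth; do
    path=$(conf_value "$conf" "$directive")
    # skip directives the file does not use, and "dh none"
    [ -n "$path" ] && [ "$path" != none ] || continue
    # relative paths are assumed to resolve against the config's own directory
    case $path in /*) ;; *) path="$dir/$path" ;; esac
    if [ ! -r "$path" ]; then
      echo "$directive: $path is missing or unreadable"
      problems=$((problems + 1))
      continue
    fi
    case $directive in
      key|tls-auth)
        # private key material should be readable by its owner only
        mode=$(stat -c %a "$path")
        if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
          echo "$directive: $path is mode $mode; private key material should be 600"
          problems=$((problems + 1))
        fi ;;
    esac
  done
  return "$problems"
}

# When run directly with a file argument, report and exit with the problem count.
if [ -n "${1:-}" ]; then
  check_openvpn_conf "$1"
fi
```

Run it as sudo sh check.sh /etc/openvpn/server.conf before starting the service, and again on the client against /etc/openvpn/client.conf after unpacking the tar in Step 10; a non-zero exit status tells you exactly which directive to fix.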

Step 9: Package client configurations

Create the packaging script ~/openvpn-rsa/clients/make_client_tar.sh:

#!/bin/bash
# Bundle one client's certificate, key, the CA certificate and the common
# configuration into a single tar file named after the client.
if [[ $# != "1" ]] ; then
    echo "usage: $0 clientname"
    exit 1
fi
set -e                      # stop if any copy fails, so no incomplete bundle is produced
KEY_DIR=~/openvpn-rsa/keys
CLIENT=$1
mkdir "${CLIENT}"
cp "${KEY_DIR}/ca.crt" "${CLIENT}/ca.crt"
cp "${KEY_DIR}/${CLIENT}.crt" "${CLIENT}/client.crt"
cp "${KEY_DIR}/${CLIENT}.key" "${CLIENT}/client.key"
cp base.conf "${CLIENT}/client.conf"
tar -cf "${CLIENT}.tar" "${CLIENT}"
rm -rf "${CLIENT}"

Make the script executable and run it:

$ cd ~/openvpn-rsa/clients/
$ chmod u+x make_client_tar.sh
$ ./make_client_tar.sh client1

The client1.tar package file is generated.

The client certificate and key are used only by the client, so transfer client1.tar to the client through a secure channel.

If this is only a quick test, you can start a simple HTTP server with Python and let the client download the package from the web page. Note that this serves the private key in plain text to anyone who can reach port 80 on the server, so use it only on a network you trust and stop the server as soon as the download is done.

$ sudo python2.7 -m SimpleHTTPServer 80

Step 10: Start the client

Install openvpn on the client

$ sudo apt-get install openvpn

Download the package and extract the configuration files into /etc/openvpn:

$ cd /etc/openvpn/
$ sudo cp ~/Downloads/client1.tar ./
$ sudo tar -xf client1.tar
$ sudo mv client1/* ./
$ sudo rm -rf client1.tar client1

systemctl is used in the same way as on the server:

$ sudo systemctl start/status/stop/restart openvpn@CONFIGFILENAME

Replace CONFIGFILENAME with client.

After starting the client, ifconfig also shows a new network card. The information is as follows:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:261 (261.0 B)

Step 11: Check whether the connection is successful

We can use ping to check whether the server and client are connected:

$ ping -I tun0 10.8.0.1

If the ping gets replies, everything is normal.

If you have a service running locally on the server, you can now access it securely over tun0.

However, we cannot use OpenVPN to access the Internet yet: ping -I tun0 8.8.8.8 gets no reply.

This is because packets arriving on tun0 at the server are not forwarded any further, so additional configuration is required.

Advanced Configuration

Step 1: Enable IP forwarding.

Edit the /etc/sysctl.conf file and remove the leading # from the following line:

#net.ipv4.ip_forward=1

Reload the configuration:

$ sudo sysctl -p /etc/sysctl.conf

Step 2: Configure NAT through iptables

Create a shell script /etc/openvpn/openvpn_nat.sh to configure NAT:

#!/bin/bash
# Flush the existing filter rules (this also removes rules added by other tools)
iptables -F
# Allow new connections from the VPN subnet out through the Internet interface
iptables -A FORWARD -o eth0 -i tun0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow the replies of established connections to be forwarded back
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Reset the NAT POSTROUTING chain and masquerade traffic leaving eth0
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Print the resulting ruleset for inspection (this does not persist it across reboots)
iptables-save

eth0 is the network adapter connecting the server to the Internet.

Make the script executable:

$ sudo chmod u+x /etc/openvpn/openvpn_nat.sh

In /etc/rc.local, run the script at boot:

/etc/openvpn/openvpn_nat.sh

Remarks:

I was planning to configure it in /etc/openvpn/server.conf so that the script is executed when OpenVPN starts:

up "/etc/openvpn/openvpn_nat.sh"

However, the test showed that the script is executed when OpenVPN is manually restarted.

However, rebooting the server does not execute the script.
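The tutorial's openvpn_nat.sh flushes the whole filter table on every run and its final iptables-save only prints the rules, so nothing survives a reboot unless rc.local reruns it. The script below is an added example, not the tutorial's script: it appends each rule only if it is not already present (so running it twice is harmless), limits MASQUERADE to the VPN subnet instead of every packet leaving eth0, and saves the ruleset to /etc/iptables/rules.v4, which the iptables-persistent package reloads at boot. The interface and subnet values are the tutorial's defaults; the function names and the DRY_RUN switch are the example's own.

```shell
#!/bin/sh
# Idempotent NAT setup for OpenVPN clients (added example, not the tutorial's
# openvpn_nat.sh). Run as: sudo sh openvpn_nat.sh apply

WAN_IF="${WAN_IF:-eth0}"          # interface facing the Internet
VPN_IF="${VPN_IF:-tun0}"          # OpenVPN virtual interface
VPN_NET="${VPN_NET:-10.8.0.0/24}" # subnet the OpenVPN server hands out
DRY_RUN="${DRY_RUN:-0}"           # DRY_RUN=1 prints the commands instead of running them

# ipt ARGS...: run iptables, or print the command line when DRY_RUN=1
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# ensure_rule TABLE CHAIN RULE...: append RULE to CHAIN unless it already exists
# (iptables -C returns 0 when an identical rule is present)
ensure_rule() {
  table=$1; chain=$2; shift 2
  if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0    # rule already present, nothing to do
  fi
  ipt -t "$table" -A "$chain" "$@"
}

# setup_nat WAN_IF VPN_IF VPN_NET: the rules the tutorial installs, without the
# flush, and with MASQUERADE restricted to the VPN subnet
setup_nat() {
  wan=$1; vpn=$2; net=$3
  # new connections from VPN clients may leave through the Internet interface
  ensure_rule filter FORWARD -i "$vpn" -o "$wan" -s "$net" -m conntrack --ctstate NEW -j ACCEPT
  # replies to those connections may be forwarded back to the VPN interface
  ensure_rule filter FORWARD -i "$wan" -o "$vpn" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # rewrite the source address of VPN client traffic to the server's own address
  ensure_rule nat POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
}

# persist_rules: save the ruleset where iptables-persistent reloads it at boot
persist_rules() {
  if [ "$DRY_RUN" = 1 ]; then
    echo 'iptables-save > /etc/iptables/rules.v4'
  else
    iptables-save > /etc/iptables/rules.v4
  fi
}

# Only touch the firewall when invoked with "apply", so the file can be sourced
# (for example by a test) without side effects.
if [ "${1:-}" = apply ]; then
  setup_nat "$WAN_IF" "$VPN_IF" "$VPN_NET"
  persist_rules
fi
```

Call it from /etc/rc.local as /etc/openvpn/openvpn_nat.sh apply, or run it once by hand after installing iptables-persistent and let that package restore the saved rules at every boot; DRY_RUN=1 sh openvpn_nat.sh apply shows what would be added without changing anything.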

Step 3: Modify server configurations

Use the editor to modify the server configuration file /etc/openvpn/server.conf and uncomment the following line:

push "redirect-gateway def1 bypass-dhcp"

This pushes a default route through the VPN to all clients. If this option is not configured, you must configure the routing table on each client manually.

Step 4: Enable the OpenVPN server to start at boot

$ sudo systemctl enable openvpn@server

Step 5: Restart OpenVPN

On the server, run:

$ sudo systemctl restart openvpn@server

On the client, run:

$ sudo systemctl restart openvpn@client

Step 6: Configure the client DNS Server

After the above steps, if you can ping 8.8.8.8 through tun0, the NAT settings on the server are working:

$ ping -I tun0 8.8.8.8

However, if you still cannot ping www.baidu.com, name resolution is failing and you must specify a DNS server on the client.

Edit /etc/network/interfaces on the client and add the following line under the interface stanza:

dns-nameservers 8.8.8.8 74.82.42.42 8.8.4.4

Reload the network configuration:

$ sudo systemctl restart networking.service

If it works, the DNS server addresses are updated in the /etc/resolv.conf file.

Step 7: Check whether the VPN works properly

Search for "ip" on Baidu (or any site that shows your public address). If the IP address of your server is displayed, the VPN works properly.

TODO

Now the external network (beyond the Wall) can be accessed through the VPN.

However, all traffic now passes through the VPN. It would be better to bypass the VPN when accessing a Chinese website.

How to configure this remains to be studied.

If any reader knows how, please let me know. Thank you.
