Tutorial: building an OpenVPN server and an OpenVPN client on Ubuntu
Reference: OpenVPN for Ubuntu 16.04
Environment Introduction:
Server: Ubuntu 16.04
Client System: Ubuntu 16.04
Version: OpenVPN 2.3.10
Basic Configuration
OpenVPN rests on two pieces: a virtual network interface (a tun device) and a TLS/SSL control channel that authenticates the peers and keys the tunnel.
Once the server is running, a virtual interface named tun0 appears on the host. After a client completes the TLS handshake with the server, it gets its own local tun0 as well.
The first step in setting up the VPN is therefore to let client and server establish a TLS connection correctly, which means building a small PKI: a CA, a server certificate and one certificate per client.
Step 1: Install openvpn and easy-rsa
Install openvpn and easy-rsa on the server
$ sudo apt install openvpn easy-rsa
Step 2: Create a working copy of the easy-rsa scripts and configuration in your home directory.
$ make-cadir ~/openvpn-rsa
Step 3: Configure the required variables for certificate generation
Open ~/openvpn-rsa/vars in a text editor and set the following variables.
These are the default subject (DN) fields stamped into every certificate easy-rsa generates (country, province, city, organisation, e-mail address, organisational unit and the optional name attribute); set them to values that describe your organisation.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="ShenZhen"
export KEY_ORG="ORG"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="EasyRSA"
Step 4: Generate a CA certificate
$ cd ~/openvpn-rsa
$ source vars
$ ./clean-all
$ ./build-ca
Note that ./clean-all deletes everything under ~/openvpn-rsa/keys, so run it only when creating a fresh PKI.
Step 5: Generate server certificate
$ ./build-key-server server
$ ./build-dh
$ cd keys/
$ sudo cp server.crt server.key ca.crt dh2048.pem /etc/openvpn/
Here "server" is the certificate's common name (CN) and the base name of the generated files; any name will do, and for convenience I use server. build-dh generates the Diffie-Hellman parameters (dh2048.pem; the size follows KEY_SIZE in vars).
Answer the prompts by pressing ENTER to accept the defaults and y to sign and commit the certificate.
server.key is the server's private key and should stay readable by root only. ca.key, which signs every certificate, is not needed by the OpenVPN server and is deliberately not copied to /etc/openvpn.
Some guides claim the server name must match KEY_NAME in vars, but that is not required: the CN comes from the command-line argument, while KEY_NAME only fills the optional name attribute of the subject.
Step 6: Generate client certificate
$ cd ~/openvpn-rsa
$ source vars
$ ./build-key client1
This generates client1.crt and client1.key in ~/openvpn-rsa/keys.
Replace client1 with a name of your choice. Give every client its own certificate rather than sharing one, so that clients can be told apart and removed individually. (easy-rsa also provides ./build-key-pass, which protects the client key with a passphrase.)
Step 7: Configure and start the server
To enable OpenVPN, start from the sample server configuration:
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf and point the certificate and key directives at the files copied above (paths are relative to /etc/openvpn, the directory the systemd unit changes into before reading the config):
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
Use systemctl to start, stop, restart or check the status of OpenVPN:
$ sudo systemctl start/status/stop/restart openvpn@CONFIGFILENAME
CONFIGFILENAME is the configuration file name without its .conf suffix; since our file is server.conf, the unit is openvpn@server.
After starting the service, ifconfig shows a new interface:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:610374 errors:0 dropped:0 overruns:0 frame:0
          TX packets:721198 errors:0 dropped:9706 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:40928674 (40.9 MB)  TX bytes:927687322 (927.6 MB)
Step 8: Configure the client
The client configuration is also generated on the server machine.
$ mkdir ~/openvpn-rsa/clients
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-rsa/clients/base.conf
base.conf is the configuration shared by all clients.
Edit ~/openvpn-rsa/clients/base.conf, set the certificate and key paths, and set the server address:
ca ca.crt
cert client.crt
key client.key
remote vpnserver.example.com 1194
Replace vpnserver.example.com with the server's IP address or domain name.
The sample client.conf does not check that the peer presents a server certificate. Add the directive remote-cert-tls server to base.conf so that someone holding any other client certificate signed by the same CA cannot impersonate the server; build-key-server marks the server certificate with the server extensions this check looks for.
Step 9: Package client configurations
Create the packaging script ~/openvpn-rsa/clients/make_client_tar.sh:
#!/bin/bash
# Bundle one client's CA certificate, certificate, key and config into NAME.tar.
# set -e aborts on a missing file instead of producing an incomplete bundle.
set -e
if [[ $# != "1" ]] ; then
    echo "usage: $0 clientname"
    exit 1
fi
KEY_DIR=~/openvpn-rsa/keys
CLIENT=$1
mkdir "${CLIENT}"
cp "${KEY_DIR}/ca.crt" "${CLIENT}/ca.crt"
cp "${KEY_DIR}/${CLIENT}.crt" "${CLIENT}/client.crt"
cp "${KEY_DIR}/${CLIENT}.key" "${CLIENT}/client.key"
chmod 600 "${CLIENT}/client.key"    # the private key must not be world-readable
cp base.conf "${CLIENT}/client.conf"
tar -cf "${CLIENT}.tar" "${CLIENT}"
rm -rf "${CLIENT}"
Modify permissions and run scripts
$ cd ~/openvpn-rsa/clients/
$ chmod u+x make_client_tar.sh
$ ./make_client_tar.sh client1
The client1.tar package file is generated.
The client certificate and key are used only by that client. Transfer client1.tar to the client over a secure channel (for example scp).
For a quick lab setup you can serve the file with Python's built-in web server and download it from the client:
$ sudo python2.7 -m SimpleHTTPServer 80
Be aware that this serves the whole directory, private key included, unencrypted to anyone who can reach port 80; use it only on a trusted network and stop it as soon as the download is done.
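The packaging script in Step 9 copies four files into a tar for the client. As an added example that is not part of the original tutorial, the script below instead produces a single-file .ovpn profile with the CA certificate, client certificate and key inlined (a format OpenVPN 2.3 accepts), and checks the material before it is shipped: the client certificate must chain to ca.crt and its RSA modulus must match the private key, so a mixed-up or mismatched pair is caught on the server rather than at the first failed handshake. It also appends remote-cert-tls server when base.conf lacks it. The key directory, the output file name and that hardening line are assumptions of the example.

```shell
#!/bin/bash
# Added example (not from the original tutorial): build a unified client
# profile and verify the certificate/key pair first. Assumed paths:
# keys in $KEY_DIR (default ~/openvpn-rsa/keys), base.conf in the current dir.
set -eu

# verify_client_material CA CRT KEY
# Returns 0 only if CRT chains to CA and KEY is the private key for CRT.
verify_client_material() {
    ca="$1"; crt="$2"; key="$3"
    # Chain check: the client certificate must be signed by our CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null || return 1
    # Pair check: certificate and key share the same RSA modulus.
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    [ "$crt_mod" = "$key_mod" ]
}

# build_ovpn BASE_CONF CA CRT KEY  -> unified profile on stdout
# Keeps every line of base.conf except the file-based ca/cert/key directives,
# adds "remote-cert-tls server" if missing (assumed hardening line), then
# appends the three PEM files as inline blocks.
build_ovpn() {
    base="$1"; ca="$2"; crt="$3"; key="$4"
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base"
    if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$base"; then
        echo "remote-cert-tls server"
    fi
    printf '<ca>\n';   cat "$ca";  printf '</ca>\n'
    printf '<cert>\n'; cat "$crt"; printf '</cert>\n'
    printf '<key>\n';  cat "$key"; printf '</key>\n'
}

# build_client_profile NAME -> writes NAME.ovpn in the current directory
build_client_profile() {
    client="$1"
    key_dir="${KEY_DIR:-$HOME/openvpn-rsa/keys}"
    verify_client_material "$key_dir/ca.crt" "$key_dir/$client.crt" "$key_dir/$client.key"
    build_ovpn base.conf "$key_dir/ca.crt" "$key_dir/$client.crt" "$key_dir/$client.key" \
        > "$client.ovpn"
    chmod 600 "$client.ovpn"    # the profile embeds the private key
    echo "wrote $client.ovpn"
}

# Run only when a client name is given, e.g. ./make_client_ovpn.sh client1
if [ "$#" -eq 1 ]; then
    build_client_profile "$1"
fi
```

Run it from ~/openvpn-rsa/clients as ./make_client_ovpn.sh client1; the resulting client1.ovpn is the only file the client needs, and it should be moved with the same care as the tar (it contains the private key).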
Step 10: Start the client
Install openvpn on the client
$ sudo apt-get install openvpn
Download the package and unpack the configuration into /etc/openvpn:
$ cd /etc/openvpn/
$ sudo cp ~/Downloads/client1.tar ./
$ sudo tar -xf client1.tar
$ sudo mv client1/* ./
$ sudo rm -rf client1.tar client1
systemctl is used the same way on the client:
$ sudo systemctl start/status/stop/restart openvpn@CONFIGFILENAME
Replace CONFIGFILENAME with client, since the file is /etc/openvpn/client.conf.
After starting the client, ifconfig shows a new interface there as well:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:261 (261.0 B)
Step 11: Check whether the connection is successful
Ping the server's tunnel address from the client to check that the two ends are connected:
$ ping -I tun0 10.8.0.1
If the ping gets replies, the tunnel is up.
Any service listening on the server can now be reached securely through tun0, at 10.8.0.1.
However, the client cannot reach the Internet through the VPN yet: ping -I tun0 8.8.8.8 fails.
Packets from the client arrive on the server's tun0, but the server neither forwards them nor rewrites their source address, so further configuration is needed.
Advanced Configuration
Step 1: Enable IP forwarding.
Edit /etc/sysctl.conf and uncomment the following line (remove the leading #):
#net.ipv4.ip_forward=1
Reload the configuration:
$ sudo sysctl -p /etc/sysctl.conf
Step 2: Configure NAT through iptables
Create a shell script /etc/openvpn/openvpn_nat.sh to configure NAT:
#!/bin/bash
# Flushes every rule in the filter table, not just the VPN rules; on a host
# with other firewall rules, replace this with a targeted cleanup.
iptables -F
# Allow new flows from the VPN subnet on tun0 out to the Internet via eth0
iptables -A FORWARD -o eth0 -i tun0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Allow return traffic for flows already tracked
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Hide the VPN subnet behind the server's address on eth0
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Prints the resulting rules to stdout; it does not persist them by itself
iptables-save
eth0 is the interface that connects the server to the Internet; adjust the name if yours differs (check with ifconfig).
Set script Permissions
$ sudo chmod u+x /etc/openvpn/openvpn_nat.sh
Add the script to /etc/rc.local (before the final exit 0) so that it runs at boot:
/etc/openvpn/openvpn_nat.sh
Remarks:
I originally planned to call the script from /etc/openvpn/server.conf so that it runs whenever OpenVPN starts:
up "/etc/openvpn/openvpn_nat.sh"
In my test, however, the script ran when OpenVPN was restarted manually but not after a reboot of the server, hence rc.local.
Note that OpenVPN 2.3 refuses to execute a user-supplied up script unless script-security 2 is also set in server.conf.
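The openvpn_nat.sh script above works, but it has three rough edges: iptables -F discards every filter rule already on the host, the FORWARD chain is left at whatever policy it had (ACCEPT by default on a plain Ubuntu install, so the kernel forwards anything once ip_forward is on), and iptables-save only prints the rules. As an added example that is not part of the original tutorial, the function below generates a complete ruleset in iptables-restore format with a default-deny FORWARD chain that only admits new flows originating from the VPN subnet, and a second function loads it atomically so the host's rules are replaced as a whole rather than flushed and rebuilt. The file path /etc/openvpn/vpn.rules and the default arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): iptables-restore ruleset
# for the OpenVPN NAT gateway. Assumed defaults: WAN on eth0, VPN on tun0,
# VPN subnet 10.8.0.0/24 (the server.conf default), rules file under /etc/openvpn.
set -eu

# gen_vpn_rules WAN_IF VPN_IF VPN_SUBNET -> ruleset on stdout
# INPUT stays ACCEPT so that SSH keeps working; tighten it separately.
gen_vpn_rules() {
    wan="$1"; vpn="$2"; subnet="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only new flows from the VPN subnet, arriving on $vpn, may leave via $wan
-A FORWARD -i $vpn -o $wan -s $subnet -m conntrack --ctstate NEW -j ACCEPT
# Return traffic for flows the connection tracker already knows
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide only the VPN subnet behind the server's address on $wan
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
EOF
}

# apply_vpn_rules [WAN_IF] [VPN_IF] [VPN_SUBNET]
# Writes the ruleset to /etc/openvpn/vpn.rules (assumed path) and loads it
# atomically: iptables-restore replaces the filter and nat tables in one step,
# so there is no window with no rules and no need for "iptables -F". Needs root.
apply_vpn_rules() {
    rules=/etc/openvpn/vpn.rules
    gen_vpn_rules "${1:-eth0}" "${2:-tun0}" "${3:-10.8.0.0/24}" > "$rules"
    iptables-restore < "$rules"
}

# Run only when invoked with "apply", e.g. sudo ./vpn_rules.sh apply eth0 tun0
if [ "${1:-}" = "apply" ]; then
    shift
    apply_vpn_rules "$@"
fi
```

To make the rules survive a reboot, put iptables-restore < /etc/openvpn/vpn.rules in /etc/rc.local in place of the call to openvpn_nat.sh; with the FORWARD policy at DROP, a second interface or subnet is not forwarded until a rule for it is added deliberately.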
Step 3: Modify server configurations
Edit /etc/openvpn/server.conf and uncomment the following line (it is present but commented out in the sample file):
push "redirect-gateway def1 bypass-dhcp"
This pushes a default route through the VPN to every client, so all of their traffic goes over the tunnel. Without it, each client would have to add the routes to its routing table by hand.
Step 4: Enable the OpenVpn server to start up
$ sudo systemctl enable openvpn@server
Step 5: Restart OpenVPN
On the server:
$ sudo systemctl restart openvpn@server
On the client:
$ sudo systemctl restart openvpn@client
Step 6: Configure the client DNS Server
After the steps above, the NAT setup on the server is working if the client can ping 8.8.8.8 through tun0:
$ ping -I tun0 8.8.8.8
If that works but www.baidu.com still cannot be reached, the client has no usable DNS server and one must be configured explicitly.
On the client, edit /etc/network/interfaces and add the following line to the interface stanza:
dns-nameservers 8.8.8.8 74.82.42.42 8.8.4.4
Reload the network configuration:
$ sudo systemctl restart networking.service
If this worked, the new DNS server addresses appear in /etc/resolv.conf.
Step 7: Check whether the VPN works properly
Search for "IP" on Baidu (or use any "what is my IP" service). If the public IP address shown is that of your server, traffic is leaving through the VPN and it works properly.
TODO
The Internet (beyond the wall) can now be reached through the VPN.
However, all traffic goes through the VPN. It would be better to bypass the VPN when accessing Chinese websites, but how to configure that remains to be studied.
If anyone knows how, please share. Thank you.