
How to setup OpenVPN on Fedora 19

Date: 2015-12-19 10:20  Source: linux.it.net.cn  Author: IT

Here is a quick howto on setting up OpenVPN on Fedora 19. For the sake of simplicity all steps are performed as root.

Install openvpn and easy-rsa:

yum install openvpn easy-rsa


Create the keys/ dir:

mkdir /etc/openvpn/keys


Create empty openvpn log files:

touch /var/log/openvpn.log
touch /var/log/openvpn-status.log
chown openvpn:openvpn /var/log/openvpn*.log
chmod 640 /var/log/openvpn*.log


If you already have keys then copy them to /etc/openvpn/keys. If not then you will need to generate them. Read /usr/share/doc/easy-rsa-2.2.0/doc/README-2.0 for instructions on how to do that.

Also generate the dh and ta keys:

cd /etc/openvpn/keys
openssl dhparam -out dh2048.pem 2048
openvpn --genkey --secret ta.key


Create a configuration called my-vpn.conf which uses TLS. It’s ok to call the config file something else but make sure to replace my-vpn in further steps below with the name you have chosen for your config file:

cat > /etc/openvpn/my-vpn.conf <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DOMAIN example.org"
push "dhcp-option SEARCH example.org"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 20
EOF


IMPORTANT: change the following settings above for your situation:
– server 10.0.1.0 255.255.255.0
– push "dhcp-option DOMAIN example.org"
– push "dhcp-option SEARCH example.org"

Make sure ipp.txt exists:

touch /etc/openvpn/ipp.txt


Set proper ownership of the openvpn directory, config files and keys:

chown -R openvpn:openvpn /etc/openvpn
chmod 750 /etc/openvpn
chmod 750 /etc/openvpn/keys
chmod 640 /etc/openvpn/*.{conf,txt}
chmod 640 /etc/openvpn/keys/*.{crt,pem}
chmod 600 /etc/openvpn/keys/*.key


Reset the SELinux labels:

restorecon -v -F -R /etc/openvpn
restorecon -v -F /var/log/openvpn*.log

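The ownership and mode settings above are easy to lose later (a backup restored as root, a key copied in with cp), so here is an added example, not part of the original howto, that audits a directory against exactly the modes the howto sets: 750 on both directories, 640 on the configs, ipp.txt, certificates and dh2048.pem, 600 on private keys, everything owned by the given user, and nothing under keys/ world-readable. It assumes GNU coreutils stat and does not check the SELinux labels; the sample tree it builds is constructed in a temporary directory and stays owned by whoever runs the script.

```shell
#!/bin/sh
# Added example (not part of the original howto): audit an OpenVPN directory
# against the modes and ownership the howto sets, so a loosened private key or
# a world-readable config is found before the service starts. Assumes GNU
# coreutils (stat -c) and the howto's layout: DIR/*.conf and *.txt at 640,
# DIR/keys/*.crt and *.pem at 640, DIR/keys/*.key at 600, directories at 750.
# SELinux labels are not checked here.

# check_one PATH WANT_MODE WANT_UID: print a finding for each deviation.
check_one() {
    mode=$(stat -c '%a' "$1") || { echo "MISSING $1"; return 0; }
    uid=$(stat -c '%u' "$1")
    [ "$mode" = "$2" ] || echo "MODE  $1 is $mode, want $2"
    [ "$uid" = "$3" ] || echo "OWNER $1 has uid $uid, want $3"
}

# audit_openvpn_dir DIR OWNER: print one line per deviation; return 1 if any.
audit_openvpn_dir() {
    dir=$1
    want_uid=$(id -u "$2" 2>/dev/null) || { echo "NOUSER $2 does not exist"; return 1; }
    findings=$(
        check_one "$dir" 750 "$want_uid"
        check_one "$dir/keys" 750 "$want_uid"
        for f in "$dir"/*.conf "$dir"/*.txt "$dir"/keys/*.crt "$dir"/keys/*.pem; do
            [ -e "$f" ] && check_one "$f" 640 "$want_uid"
        done
        for f in "$dir"/keys/*.key; do
            [ -e "$f" ] && check_one "$f" 600 "$want_uid"
        done
        # Nothing under keys/ should be world-readable, whatever its extension.
        find "$dir/keys" -type f -perm -004 | sed 's/^/WORLD /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree DIR: build a constructed copy of the howto's layout under
# DIR and apply the howto's chmod commands to it (chown is omitted: the files
# stay owned by whoever runs this, which is also the owner we audit against).
make_sample_tree() {
    mkdir -p "$1/keys"
    : > "$1/my-vpn.conf"; : > "$1/ipp.txt"
    : > "$1/keys/ca.crt"; : > "$1/keys/server.crt"; : > "$1/keys/dh2048.pem"
    : > "$1/keys/server.key"; : > "$1/keys/ta.key"
    chmod 750 "$1" "$1/keys"
    chmod 640 "$1"/*.conf "$1"/*.txt "$1"/keys/*.crt "$1"/keys/*.pem
    chmod 600 "$1"/keys/*.key
}

demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "== after the howto's chmod commands"
    audit_openvpn_dir "$d" "$(id -un)" && echo "clean"
    echo "== after a careless 'chmod 644 keys/server.key'"
    chmod 644 "$d/keys/server.key"
    audit_openvpn_dir "$d" "$(id -un)"
    rm -rf "$d"
}

demo
```

Run it against the real directory with `audit_openvpn_dir /etc/openvpn openvpn`; a non-zero exit means at least one finding was printed, which makes it usable from a cron job or a pre-start check.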

Now set up systemd so openvpn starts at boot. For background information see this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=744244

ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@my-vpn.service
systemctl enable openvpn@my-vpn.service
systemctl daemon-reload


Start the openvpn my-vpn service:

systemctl start openvpn@my-vpn.service


And check if it started ok:

systemctl status openvpn@my-vpn.service


Which should say something like this:

openvpn@my-vpn.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: active (running) since Sat 2013-09-21 15:24:01 CEST; 5s ago
  Process: 24620 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 24627 (openvpn)
   CGroup: name=systemd:/system/openvpn@.service/openvpn@my-vpn.service
           └─24627 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/my-vpn.pid --cd /etc/openvpn/ --config my-vpn.conf...


Next copy your client1.key, client1.crt, ca.crt and ta.key to ~/.cert/ on the client box that will access the OpenVPN server. If your client is also a recent Fedora box and you use NetworkManager then you can create a small config file with the proper settings to access your OpenVPN server and import it in NetworkManager.

The client VPN config for NetworkManager looks like this:

cat > ~/my-vpn.conf <<EOF
client
remote <your-openvpn-server> 1194
ca /home/<you>/.cert/ca.crt
cert /home/<you>/.cert/client1.crt
key /home/<you>/.cert/client1.key
comp-lzo yes
dev tun
proto udp
tls-auth /home/<you>/.cert/ta.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
EOF


IMPORTANT: replace the entries between <...> with your settings:
– remote <your-openvpn-server> 1194
– ca /home/<you>/.cert/ca.crt
– cert /home/<you>/.cert/client1.crt
– key /home/<you>/.cert/client1.key
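The server and client configs above have to agree on several settings, and the tls-auth key direction (0 on the server, 1 on the client) is the one most often copied wrong; a mismatch only shows up as TLS/HMAC errors in the log. Here is an added example, not part of the original howto, that compares a server config with a client config and reports mismatches in tls-auth direction, proto, port, dev and comp-lzo. The configs it writes are constructed copies modelled on the howto's two heredocs (vpn.example.org and /home/alice are placeholders), plus a deliberately broken client to show what a finding looks like.

```shell
#!/bin/sh
# Added example (not part of the original howto): cross-check an OpenVPN server
# config against a client config for the mismatches that silently break or
# weaken the tunnel: tls-auth key direction (server 0 / client 1), proto, port,
# device type and compression. Assumes plain "directive value" lines as in the
# howto's heredocs; the sample configs written by write_samples are constructed.

# field FILE DIRECTIVE N: print field N of the first active DIRECTIVE line, or
# nothing if the directive is absent. Lines starting with # or ; never match.
field() {
    awk -v k="$2" -v n="$3" '$1 == k { print $n; exit }' "$1"
}

# compression FILE: "on" if comp-lzo is present and not explicitly "no".
compression() {
    case "$(field "$1" comp-lzo 1)/$(field "$1" comp-lzo 2)" in
        /)           echo off ;;
        comp-lzo/no) echo off ;;
        *)           echo on ;;
    esac
}

# check_pair SERVER_CONF CLIENT_CONF: print one line per mismatch; return 1 if any.
check_pair() {
    s=$1; c=$2
    findings=$(
        sd=$(field "$s" tls-auth 3); cd=$(field "$c" tls-auth 3)
        case "$sd/$cd" in
            0/1) ;;   # the pairing the howto uses
            /)   echo "tls-auth: not used on either side (control channel has no HMAC check)" ;;
            *)   echo "tls-auth: server direction '$sd', client direction '$cd'; expected 0 and 1" ;;
        esac
        sp=$(field "$s" proto 2); cp=$(field "$c" proto 2)      # OpenVPN defaults to udp
        [ "${sp:-udp}" = "${cp:-udp}" ] || echo "proto: server ${sp:-udp}, client ${cp:-udp}"
        sport=$(field "$s" port 2); cport=$(field "$c" remote 3) # default port 1194
        [ "${sport:-1194}" = "${cport:-1194}" ] || echo "port: server ${sport:-1194}, client connects to ${cport:-1194}"
        sdev=$(field "$s" dev 2); cdev=$(field "$c" dev 2)
        [ "$sdev" = "$cdev" ] || echo "dev: server '$sdev', client '$cdev'"
        sz=$(compression "$s"); cz=$(compression "$c")
        [ "$sz" = "$cz" ] || echo "comp-lzo: server $sz, client $cz"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_samples DIR: constructed server and client configs modelled on the
# howto, plus client-bad.conf with the tls-auth direction and proto copied wrong.
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
server 10.0.1.0 255.255.255.0
tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo
user openvpn
group openvpn
EOF
    cat > "$1/client.conf" <<'EOF'
client
remote vpn.example.org 1194
dev tun
proto udp
tls-auth /home/alice/.cert/ta.key 1
comp-lzo yes
nobind
EOF
    sed -e 's/ta.key 1$/ta.key 0/' -e 's/^proto udp$/proto tcp/' \
        "$1/client.conf" > "$1/client-bad.conf"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "== matching pair"
    check_pair "$d/server.conf" "$d/client.conf" && echo "no mismatches"
    echo "== broken client"
    check_pair "$d/server.conf" "$d/client-bad.conf"
    rm -rf "$d"
}

demo
```

For a real deployment run `check_pair /etc/openvpn/my-vpn.conf ~/my-vpn.conf` before importing the client file into NetworkManager; the parser only understands one directive per line, which is all the howto's configs use.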

Now import this file into NetworkManager by going to:

Settings -> Network -> + -> VPN -> Import from file...


On your OpenVPN server make sure that port 1194 (or whatever port you chose) is open in the firewall.
Finally, on your client box, click on the NetworkManager icon in the top menu bar and select my-vpn. Enjoy your new secure VPN connection. Comments and enhancements always welcome.

(Editor in charge: IT)