In the server
# apt-get install openvpn
# cd /etc/openvpn
# openvpn --genkey --secret static.key
# vi /etc/openvpn/tun0.conf
# cat /etc/openvpn/tun0.conf
dev tun0
proto tcp-server
ifconfig 192.168.50.1 192.168.50.2
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret /etc/openvpn/static.key
In the client
# apt-get install openvpn
# cd /etc/openvpn
# scp root@10.13.157.13:/etc/openvpn/static.key .
# vi /etc/openvpn/tun0.conf
# cat /etc/openvpn/tun0.conf
remote 10.13.157.13
dev tun0
proto tcp-client
ifconfig 192.168.50.2 192.168.50.1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret /etc/openvpn/static.key

Assuming that the OpenVPN server is at 10.13.157.13.
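The two tun0.conf files are mirror images of each other: the ifconfig addresses are swapped, tcp-server pairs with tcp-client, and both point at the same static key. The POSIX sh script below is an added example, not part of the original howto: it writes the pair from a few variables, checks that a server/client pair really describes one tunnel, and checks that the static key has the header openvpn --genkey writes and is not readable by other users (with a static key, that file is the whole secret of the tunnel). The variable and function names, and the GNU stat -c %a call, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original howto): write the mirrored
# server/client tun0.conf pair and sanity-check a pair before starting the tunnel.
# Assumed defaults follow the howto; override them from the environment.
SERVER_IP="${SERVER_IP:-10.13.157.13}"      # address of the OpenVPN server
TUN_SERVER="${TUN_SERVER:-192.168.50.1}"    # tunnel endpoint on the server
TUN_CLIENT="${TUN_CLIENT:-192.168.50.2}"    # tunnel endpoint on the client
KEY_PATH="${KEY_PATH:-/etc/openvpn/static.key}"

# write_server_conf FILE: server side (tcp-server, own tunnel address first)
write_server_conf() {
    cat > "$1" <<EOF
dev tun0
proto tcp-server
ifconfig $TUN_SERVER $TUN_CLIENT
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret $KEY_PATH
EOF
}

# write_client_conf FILE: client side (tcp-client, addresses swapped, remote set)
write_client_conf() {
    cat > "$1" <<EOF
remote $SERVER_IP
dev tun0
proto tcp-client
ifconfig $TUN_CLIENT $TUN_SERVER
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret $KEY_PATH
EOF
}

# conf_value FILE DIRECTIVE: print the arguments of the first DIRECTIVE line in FILE
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: returns 0 only if the two files describe
# one tunnel: ifconfig mirrored, tcp-server/tcp-client paired, same secret,
# and the client knows where the server is.
check_pair() {
    s_if=$(conf_value "$1" ifconfig)
    c_if=$(conf_value "$2" ifconfig)
    s_local=${s_if%% *}; s_remote=${s_if#* }
    c_local=${c_if%% *}; c_remote=${c_if#* }
    [ -n "$s_if" ] && [ -n "$c_if" ] || return 1
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] || return 1
    [ "$(conf_value "$1" proto)" = "tcp-server" ] || return 1
    [ "$(conf_value "$2" proto)" = "tcp-client" ] || return 1
    [ "$(conf_value "$1" secret)" = "$(conf_value "$2" secret)" ] || return 1
    [ -n "$(conf_value "$2" remote)" ] || return 1
}

# check_key FILE: returns 0 if FILE carries the "openvpn --genkey" header and
# has no group/other permission bits (mode 600, 400, ...). Uses GNU stat.
check_key() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    case $(stat -c %a "$1" 2>/dev/null) in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}
```

Run it on a copied pair before starting openvpn: check_pair /etc/openvpn/server-tun0.conf /etc/openvpn/client-tun0.conf catches the common mistake of copying the server's ifconfig line to the client unchanged, and check_key /etc/openvpn/static.key catches a key left world-readable after the scp.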
Testing the tunnel
You may find it useful to run the following commands in a screen or in another ssh session (in case you are allergic to screen).
In the server
# openvpn --config /etc/openvpn/tun0.conf --verb 6
In the client
# openvpn --config /etc/openvpn/tun0.conf --verb 6
Still in the client
# ping 192.168.50.1
PING 192.168.50.1 (192.168.50.1) 56(84) bytes of data.
64 bytes from 192.168.50.1: icmp_req=1 ttl=64 time=2.72 ms
64 bytes from 192.168.50.1: icmp_req=2 ttl=64 time=2.94 ms
^C
Forward IP traffic through the OpenVPN tunnel
In the server
# echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
# sysctl -p
# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
In the client
# route del default gw 192.168.48.1
# route add default gw 192.168.50.1
# ping ipduh.com
PING ipduh.com (85.25.242.245) 56(84) bytes of data.
64 bytes from archimedes.ipduh.com (85.25.242.245): icmp_req=1 ttl=55 time=74.7 ms
^C

where 192.168.48.1 is the previous LAN default gateway
Make it stick
In the server
# vi /etc/network/if-pre-up.d/ipv4init.sh
# cat /etc/network/if-pre-up.d/ipv4init.sh
#!/bin/sh
/sbin/iptables-restore < /etc/rules.iptables

# iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s 192.168.50.0/24 -o eth0 -j ACCEPT
# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
# iptables-save > /etc/rules.iptables
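Since /etc/rules.iptables is loaded unattended at every boot, it is worth auditing what it contains. The script below is an added example and not the author's: it reads a dump in iptables-save format and reports three things a practitioner would want to know about the rules above. The filter chains on a fresh Debian install have policy ACCEPT, so the two FORWARD rules only restrict anything once the FORWARD policy is DROP; the MASQUERADE rule should stay scoped to the tunnel subnet (-s 192.168.50.0/24) so that only tunnel traffic is NATed out of eth0; and both FORWARD rules should actually be present. The sample dump, the function names and the matching patterns are this example's own; the dump mirrors the commands above.

```shell
#!/bin/sh
# Added example (not from the original howto): audit a saved ruleset in
# iptables-save format before iptables-restore loads it at boot.

# sample_ruleset: constructed dump mirroring the howto's rules (FORWARD policy
# still ACCEPT, as on a default Debian install). Used for testing offline.
sample_ruleset() {
cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.50.0/24 -o eth0 -j ACCEPT
COMMIT
EOF
}

# forward_policy FILE: print the FORWARD chain's default policy from the *filter table
forward_policy() {
    awk '/^\*filter/ { t = 1 } /^COMMIT/ { t = 0 }
         t && /^:FORWARD / { print $2; exit }' "$1"
}

# has_forward_rules FILE: 0 if both FORWARD rules from the howto are present
# (reply traffic eth0 -> tun0 by state, and tunnel subnet -> eth0)
has_forward_rules() {
    awk '/^-A FORWARD / && /-i eth0/ && /-o tun0/ && /ESTABLISHED/ && /-j ACCEPT/ { a = 1 }
         /^-A FORWARD / && /-s 192\.168\.50\.0/ && /-o eth0/ && /-j ACCEPT/ { b = 1 }
         END { exit (a && b) ? 0 : 1 }' "$1"
}

# masquerade_scoped FILE: 0 if there is at least one MASQUERADE rule in *nat and
# every one of them names a source subnet (-s ...), i.e. no unscoped NAT
masquerade_scoped() {
    awk '/^\*nat/ { t = 1 } /^COMMIT/ { t = 0 }
         t && /-j MASQUERADE/ { n++; if ($0 !~ /-s [0-9]/) bad++ }
         END { exit (n > 0 && bad == 0) ? 0 : 1 }' "$1"
}

# audit_ruleset FILE: print one line per finding; 0 only when nothing is found
audit_ruleset() {
    rc=0
    pol=$(forward_policy "$1")
    if [ "$pol" != "DROP" ]; then
        echo "FORWARD policy is '${pol:-unset}': the ACCEPT rules restrict nothing until it is DROP"
        rc=1
    fi
    has_forward_rules "$1" || { echo "missing one of the FORWARD rules for tun0/eth0"; rc=1; }
    masquerade_scoped "$1" || { echo "MASQUERADE is not limited to the tunnel subnet"; rc=1; }
    return $rc
}
```

Usage on the server: audit_ruleset /etc/rules.iptables. On the ruleset the howto produces it reports the ACCEPT policy; after iptables -P FORWARD DROP and a fresh iptables-save the audit passes, and from then on the two ACCEPT rules are what permit tunnel traffic through the box.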
Both systems
Set the AUTOSTART parameter in /etc/default/openvpn; "all" works.
/etc/default/openvpn is the configuration file for /etc/init.d/openvpn
# /etc/init.d/openvpn start
In the client
Add a route to the OpenVPN server(s) in /etc/network/interfaces, e.g.:

up route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.21.241.88

and a script that starts the vpn tun and adds the default route in /etc/network/if-up.d/

# cat /etc/network/if-up.d/routes.sh
#!/bin/sh
/etc/init.d/openvpn start
#there is also another script in if-up.d that should start openvpn
/sbin/route add default gw 192.168.50.1
To test, restart networking:

# /etc/init.d/networking restart
# ping ipduh.com
PING ipduh.com (85.25.242.245) 56(84) bytes of data.
64 bytes from archimedes.ipduh.com (85.25.242.245): icmp_req=1 ttl=55 time=73.4 ms
^C
that's all folks!
OpenVPN ... simple setup that works on wireless community networks ...