Wednesday, October 17, 2012

Minimal OpenVPN setup: Ubuntu server, OS X client

There are some good instructions for setting OpenVPN up quickly on Ubuntu here, and I've also covered it previously on this blog. Because of a bug, I was getting this error from pkitool when building the CA:
The correct version should have a comment that says: easy-rsa version 2.x
The solution was just a symlink, no need to mess with the vars file:
ln -s openssl-1.0.0.cnf openssl.cnf
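To see why a symlink is enough, here is an added example (stand-alone code, not the post's and not easy-rsa's own script) that re-implements how easy-rsa 2 picks its OpenSSL config: it matches the output of openssl version against a short list of known releases and otherwise falls back to openssl.cnf, which the easy-rsa tree does not ship. An unrecognised release (1.0.1 was the common one in 2012, which is my assumption about the cause here) therefore points pkitool at a file that does not exist, and pkitool reports it as the "easy-rsa version 2.x" comment being missing. The symlink gives the fallback a target. The directory layout and version strings below are constructed for the demo.

```shell
#!/bin/sh
# Added example: re-implementation of easy-rsa 2's config selection, used to
# show the failure behind the pkitool error and why "ln -s openssl-1.0.0.cnf
# openssl.cnf" in the easy-rsa directory fixes it. Not easy-rsa's own code.

# pick_openssl_cnf DIR "VERSION_STRING"
# Prints the config file that would be chosen for DIR given the output of
# `openssl version`; returns 0 if that file is readable, 1 otherwise.
pick_openssl_cnf() {
    cnf_dir=$1
    case "$2" in
        *0.9.6*) cnf="$cnf_dir/openssl-0.9.6.cnf" ;;
        *0.9.8*) cnf="$cnf_dir/openssl-0.9.8.cnf" ;;
        *1.0.0*) cnf="$cnf_dir/openssl-1.0.0.cnf" ;;
        *)       cnf="$cnf_dir/openssl.cnf" ;;   # unrecognised release: fallback
    esac
    printf '%s\n' "$cnf"
    [ -r "$cnf" ]
}

# has_easyrsa_marker FILE
# pkitool insists on the "easy-rsa version 2.x" comment inside the chosen
# config; this is that check on its own. A missing file fails it too, which
# is why the message looks like a version problem when the file simply does
# not exist.
has_easyrsa_marker() {
    grep -q 'easy-rsa version 2.x' "$1" 2>/dev/null
}

# Walk through the failure and the fix on a constructed easy-rsa directory.
demo() {
    dir=$(mktemp -d)
    # The shipped config carries the marker comment pkitool looks for.
    printf '# For use with easy-rsa version 2.x\n' > "$dir/openssl-1.0.0.cnf"

    for ver in 'OpenSSL 1.0.0e 6 Sep 2011' 'OpenSSL 1.0.1c 10 May 2012'; do
        if cnf=$(pick_openssl_cnf "$dir" "$ver") && has_easyrsa_marker "$cnf"; then
            echo "$ver -> $cnf (ok)"
        else
            echo "$ver -> $cnf (pkitool would fail here)"
        fi
    done

    # The fix from the post, applied inside the easy-rsa directory.
    ln -s openssl-1.0.0.cnf "$dir/openssl.cnf"
    if cnf=$(pick_openssl_cnf "$dir" 'OpenSSL 1.0.1c 10 May 2012') &&
       has_easyrsa_marker "$cnf"; then
        echo "after symlink -> $cnf (ok)"
    fi
    rm -r "$dir"
}

# Run as "sh thisfile.sh demo" to see both outcomes.
if [ "${1:-}" = demo ]; then
    demo
fi
```

To check a real installation, call pick_openssl_cnf with your easy-rsa directory and "$(openssl version)"; a non-zero exit means pkitool will fail until openssl.cnf exists there.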
To route all traffic through the VPN, uncomment this line in server.conf:
push "redirect-gateway def1 bypass-dhcp"
Then you'll want to add a NAT rule so that return traffic gets back to the right clients; this iptables config also allows some services through:
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*nat
:PREROUTING ACCEPT [293:18619]
:INPUT ACCEPT [3:148]
:OUTPUT ACCEPT [6:508]
:POSTROUTING ACCEPT [6:508]
# Rewrite the source of VPN client traffic (10.8.0.0/24) leaving via eth0 to the
# server's own address, so replies come back here and are de-NATed to the right
# client. Only has an effect if net.ipv4.ip_forward is 1.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 17 21:32:01 2012
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*filter
# Default-deny inbound to the server itself; forwarded client traffic is allowed
:INPUT DROP [1:42]
:FORWARD ACCEPT [571:142706]
:OUTPUT ACCEPT [589:168958]
-A INPUT -i lo -j ACCEPT
# Replies to connections the server opened itself
-A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Services exposed on the public interface: SSH, HTTPS, HTTP, DNS
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 53 -j ACCEPT
# OpenVPN itself (default UDP 1194)
-A INPUT -i eth+ -p udp -m udp --dport 1194 -j ACCEPT
# Anything from VPN clients to the server itself (e.g. ssh 10.8.0.1 below).
# Client traffic arrives on tun0, so the tun0 rule is the one that matters;
# the eth+ variant also matches packets that merely claim a 10.8.0.0/24 source.
-A INPUT -s 10.8.0.0/24 -i eth+ -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
# Log whatever falls through before the DROP policy discards it
-A INPUT -j LOG
COMMIT
# Completed on Wed Oct 17 21:32:01 2012
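The MASQUERADE rule above only does something if the kernel forwards packets at all, and on Ubuntu net.ipv4.ip_forward is 0 by default, so it is worth verifying both halves before blaming the client. The following is an added example (my code, not from the post) with small POSIX sh checks that read a saved ruleset (iptables-save > file) and the ip_forward value, and report whether the NAT rule is present in the nat table, whether the FORWARD chain policy is ACCEPT, and whether forwarding is on. The ruleset it is demonstrated against is constructed from the post's dump; the /proc path is the real one.

```shell
#!/bin/sh
# Added example: checks for the NAT prerequisites of the OpenVPN server above.
# Functions take file paths so they work on a saved ruleset and on a sysctl
# value captured to a file, as well as on the live system.

# masquerade_rule SUBNET IFACE
# Prints the POSTROUTING rule in iptables-save syntax.
masquerade_rule() {
    printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# nat_ok RULESET SUBNET IFACE
# 0 if the masquerade rule for SUBNET via IFACE appears inside the *nat table.
nat_ok() {
    awk -v want="$(masquerade_rule "$2" "$3")" '
        /^\*/ { table = $0 }                       # *nat, *filter, ...
        table == "*nat" && $0 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# forward_policy RULESET
# Prints the default policy of the filter table's FORWARD chain.
forward_policy() {
    awk '/^\*/ { table = $0 }
         table == "*filter" && $1 == ":FORWARD" { print $2 }' "$1"
}

# forward_ok [SYSCTL_FILE]
# 0 if IP forwarding is enabled; defaults to the live kernel value.
forward_ok() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# vpn_nat_check RULESET SUBNET IFACE [SYSCTL_FILE]
# Runs all three checks, prints one line each, returns 0 only if all pass.
vpn_nat_check() {
    rc=0
    if nat_ok "$1" "$2" "$3"; then
        echo "ok   MASQUERADE for $2 via $3"
    else
        echo "FAIL no MASQUERADE for $2 via $3 in *nat"; rc=1
    fi
    if [ "$(forward_policy "$1")" = ACCEPT ]; then
        echo "ok   FORWARD policy ACCEPT"
    else
        echo "FAIL FORWARD policy is not ACCEPT (add explicit tun0/eth0 rules)"; rc=1
    fi
    if forward_ok "${4:-}"; then
        echo "ok   net.ipv4.ip_forward = 1"
    else
        echo "FAIL net.ipv4.ip_forward is 0 (sysctl -w net.ipv4.ip_forward=1)"; rc=1
    fi
    return $rc
}

# Live usage, as root:
#   iptables-save > /tmp/rules && vpn_nat_check /tmp/rules 10.8.0.0/24 eth0
```

A non-zero exit from vpn_nat_check tells you which of the three pieces is missing; the forwarding one is the usual culprit when clients connect fine but get no Internet.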
To ssh to the server over the tunnel while the VPN is active, use its VPN-side address:
ssh 10.8.0.1
On the client side (a Mac), first install Tunnelblick. You can use it to create an example config, which is a directory into which you drop the CA and client cert. The most important bit you need to set in the config is:
remote myserver.com 1194
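For reference, here is a minimal client config built around that remote line. This is an added example, not the post's config or Tunnelblick's generated one; the file names ca.crt, client.crt and client.key are assumptions for whatever you dropped into the config directory, and myserver.com is the placeholder from the post.

```conf
# Added example: minimal OpenVPN client config for Tunnelblick. File names are
# assumed; the remote line is the one from the post.
client
dev tun
proto udp
remote myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Only accept a server certificate issued for server use (easy-rsa's
# build-key-server sets this); otherwise any client cert signed by the same
# CA could pose as the server.
remote-cert-tls server
verb 3
```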
