OpenVPN TLS Server Client

Installation:

root@localhost:~# apt-get install openvpn easy-rsa

Prepare the CA in the directory /etc/openvpn/easy-rsa:

root@localhost:~# cd /etc/openvpn
root@localhost:~# make-cadir easy-rsa/
root@localhost:~# cd easy-rsa/
root@localhost:~# . ./vars
root@localhost:~# ./clean-all
root@localhost:~# ln -s openssl-1.0.0.cnf openssl.cnf

Create the CA and the server certificate

root@localhost:~# ./build-ca
root@localhost:~# ./build-key-server server
root@localhost:~# ./build-dh

Create a client certificate

root@localhost:~# ./build-key clientname

Create the client-config-dir directory:

root@localhost:~# mkdir /etc/openvpn/ccd

Create the server configuration

root@localhost:~# vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun
 
ca      /etc/openvpn/easy-rsa/keys/ca.crt    # generated keys
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key  # keep secret
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem
 
server 10.9.8.0 255.255.255.0  # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
 
keepalive 10 120
 
comp-lzo         # Compression - must be turned on at both ends
persist-key
persist-tun
 
client-config-dir /etc/openvpn/ccd
 
verb 3  # verbose mode
client-to-client
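The server.conf above is the minimal working configuration. The following POSIX-sh linter is an added example and is not part of the original page: it flags the hardening directives that this minimal config leaves out (unauthenticated control channel, no privilege drop, no minimum TLS version, compression, client-to-client forwarding) and shows a hardened variant of the same config that passes clean. The option names are real OpenVPN directives; the two config texts are constructed copies for the demo, and the ta.key path in the hardened variant is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: lint an OpenVPN server.conf for
# hardening options the page's minimal config omits, and compare it with a
# hardened variant. The ta.key path below is an assumption for the demo.

# has_opt CONFIG_TEXT OPTION -> exit 0 if OPTION is an active (non-comment) directive
has_opt() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# lint_server_conf CONFIG_TEXT -> one finding per line on stdout, nothing when clean
lint_server_conf() {
    c="$1"
    has_opt "$c" comp-lzo && echo "comp-lzo: compression inside the TLS tunnel enables compression side channels (VORACLE); remove it on both ends"
    has_opt "$c" tls-auth || has_opt "$c" tls-crypt || echo "no tls-auth/tls-crypt: control-channel packets carry no HMAC, so unauthenticated packets reach the TLS handshake; add 'tls-crypt ta.key' (OpenVPN 2.4+)"
    has_opt "$c" user || echo "no 'user nobody' / 'group nogroup': the daemon keeps root after the tunnel is up"
    has_opt "$c" tls-version-min || echo "no tls-version-min: legacy TLS versions are accepted; add 'tls-version-min 1.2'"
    has_opt "$c" client-to-client && echo "client-to-client: the server forwards traffic between VPN clients, so every client can reach every other; drop it unless that is intended"
    return 0
}

# count_findings -> reads lint output on stdin and prints the number of findings
count_findings() { awk 'END { print NR }'; }

# Constructed copy of the page's server.conf.
SERVER_CONF=$(cat <<'EOF'
port 1194
proto udp
dev tun
ca      /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo         # Compression - must be turned on at both ends
persist-key
persist-tun
client-config-dir /etc/openvpn/ccd
verb 3
client-to-client
EOF
)

# Hardened variant (constructed): same tunnel, plus control-channel encryption,
# privilege drop, TLS floor, and without compression or client-to-client forwarding.
HARDENED_SERVER_CONF=$(cat <<'EOF'
port 1194
proto udp
dev tun
ca      /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key   # assumed path; generate with 'openvpn --genkey --secret ta.key'
tls-version-min 1.2
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
client-config-dir /etc/openvpn/ccd
verb 3
EOF
)

echo "== findings for the page's server.conf =="
lint_server_conf "$SERVER_CONF"
echo "== findings for the hardened server.conf =="
lint_server_conf "$HARDENED_SERVER_CONF"
```

Every directive the linter asks for must be mirrored on the client side where it applies (tls-crypt with the same ta.key, and no comp-lzo once the server drops it), otherwise the tunnel will not come up.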

Start the service

root@localhost:~# systemctl start openvpn@server
root@localhost:~# systemctl enable openvpn@server

For additional client certificates:

root@localhost:~# cd /etc/openvpn/easy-rsa/
root@localhost:~# . ./vars
root@localhost:~# ./build-key clientname2

Installation (client):

root@localhost:~# apt-get install openvpn

Preparation:

root@localhost:~# mkdir -p /etc/openvpn/easy-rsa/keys

Copy ca.crt together with the client certificate and its private key into the directory /etc/openvpn/easy-rsa/keys.

root@localhost:~# chmod 400 /etc/openvpn/easy-rsa/keys/clientname.key

Create the configuration:

root@localhost:~# vi /etc/openvpn/client.conf
client
dev tun
port 1194
proto udp
 
remote <IP OpenVPN Server> 1194
nobind
 
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/clientname.crt
key /etc/openvpn/easy-rsa/keys/clientname.key
 
comp-lzo
persist-key
persist-tun
 
verb 3

Start the service:

root@localhost:~# systemctl start openvpn@client
root@localhost:~# systemctl enable openvpn@client
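Instead of shipping three separate files and the client.conf above, the same material can be assembled into one inline .ovpn profile. The script below is an added example and not part of the original page: it refuses to build the profile if the private key is readable by group or others (the chmod 400 step above), embeds ca.crt, the client certificate and key, and adds remote-cert-tls server so the client only accepts a certificate carrying the server extensions that build-key-server sets, rather than any certificate the CA signed. It deliberately omits comp-lzo, so the server must not use it either. The server name, client name and PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: build an inline client profile
# from the ca.crt / <client>.crt / <client>.key files the page copies into the
# keys directory. All file contents and names below are constructed for the demo.

# key_is_private FILE -> exit 0 when the group and other permission bits are all clear
key_is_private() {
    # columns 5-10 of 'ls -ld' output are the group/other rwx bits
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# build_inline_profile KEYDIR CLIENTNAME SERVERADDR -> prints the .ovpn on stdout,
# exit 1 (and nothing on stdout) if the key is not owner-only readable
build_inline_profile() {
    dir="$1"; name="$2"; server="$3"
    key_is_private "$dir/$name.key" || {
        echo "refusing: $dir/$name.key is group/world readable (run chmod 400 on it)" >&2
        return 1
    }
    # Directives mirror the page's client.conf without comp-lzo; remote-cert-tls
    # requires the peer certificate to carry the server extensions set by build-key-server.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
remote-cert-tls server
persist-key
persist-tun
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
EOF
}

# Constructed demo: placeholder PEM files in a temporary directory
# (a real deployment uses the easy-rsa output from the server section).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CA' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT' '-----END CERTIFICATE-----' > "$demo_dir/clientname.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'DEMO-KEY' '-----END PRIVATE KEY-----' > "$demo_dir/clientname.key"
chmod 400 "$demo_dir/clientname.key"
build_inline_profile "$demo_dir" clientname vpn.example.org
rm -rf "$demo_dir"
```

The resulting file can be placed at /etc/openvpn/client.conf in place of the separate ca/cert/key directives; it must get the same chmod 400 as the key it contains.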
Last modified: 2019/06/29 23:36