1 Basic scenario
1.1 server side
OS: Rocky Linux 8.4
OpenVPN version: 2.5.3, openvpn-2.5.3.tar.xz
Virtual IP: 10.8.0.1
Lan IP: 192.168.0.20
router public IP port forward: publicIP:1194/udp ---> 192.168.0.20:1194/udp
Location: Toronto
1.2 client side
OS: Windows 10
OpenVPN version: 2.5.3, Windows 64-bit MSI installer
Virtual IP: 10.8.0.2
Location: Vancouver
The goal is to set up a one-client point-to-point VPN, so a Windows 10 machine in Vancouver can reach the server side's network in Toronto.
2 Server-side configuration steps
0) preparation
On router:
set port-forward: WAN:1194/udp ---> 192.168.0.20:1194
On server:
# firewall-cmd --add-port=1194/udp --permanent
# firewall-cmd --add-masquerade --permanent
# firewall-cmd --reload
Masquerade enables SNAT, so traffic from the client's tunnel address 10.8.0.2 leaves the server with source IP 192.168.0.20 and LAN hosts can answer without needing a route back to 10.8.0.0/24.
1) download the source code
Go to https://openvpn.net, then [Community] [Downloads].
Note the difference between the commercial product "OpenVPN AS" and the community edition "OpenVPN". Here we use the community edition.
2) compile
tar -xf openvpn-2.5.3.tar.xz
cd openvpn-2.5.3
./configure --prefix=/opt/apps/openvpn
make && make install
3) create a static key file
mkdir /opt/apps/openvpn/conf
cd /opt/apps/openvpn/conf
/opt/apps/openvpn/sbin/openvpn --genkey secret toronto.key
4) create a simple conf file
vim /opt/apps/openvpn/conf/toronto.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret toronto.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
daemon
5) start vpn server
cd /opt/apps/openvpn/conf
/opt/apps/openvpn/sbin/openvpn --config toronto.conf
3 Client-side setup
1) download
Go to https://openvpn.net/community-downloads/ to download "OpenVPN-2.5.3-I601-amd64.msi".
2) Install
Click "Next".
3) get a copy of toronto.key from server-side
The config dir on Windows is C:\Users\$User\OpenVPN\config; put the key file in this folder.
4) create a config file
The suffix must be .ovpn.
C:\Users\$User\OpenVPN\config\client.ovpn
remote your_domain_name(or public IP)
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret toronto.key
route 192.168.0.0 255.255.255.0
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
5) start client vpn
6) Test
On the client side, test with "ssh" to 192.168.0.30, a host on the server side's LAN.
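As an added example (not part of the original post), the following shell script renders the server's toronto.conf and the client's client.ovpn from one set of variables, then checks two things that are easy to get wrong in a hand-written pair: that the client's ifconfig line is the mirror image of the server's (local and remote swapped), and that the static key file, the only secret protecting this tunnel, is readable by its owner alone. The addresses, key name and LAN route are the post's own values; the function names, the output paths and the "demo" argument are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: render both point-to-point
# configs from one set of variables and sanity-check them.
# Values below are the post's own; paths and function names are assumed.

SERVER_VIP="10.8.0.1"    # server end of the tunnel
CLIENT_VIP="10.8.0.2"    # client end of the tunnel
KEY_NAME="toronto.key"   # static key shared by both ends
LAN_NET="192.168.0.0"    # LAN behind the server
LAN_MASK="255.255.255.0"

# Write the server-side config (same directives as the post's toronto.conf).
render_server_conf() {   # $1 = output path
    cat > "$1" <<EOF
dev tun
ifconfig $SERVER_VIP $CLIENT_VIP
secret $KEY_NAME
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
daemon
EOF
}

# Write the client-side config; the ifconfig order is swapped on purpose.
render_client_conf() {   # $1 = output path, $2 = server public name or IP
    cat > "$1" <<EOF
remote $2
dev tun
ifconfig $CLIENT_VIP $SERVER_VIP
secret $KEY_NAME
route $LAN_NET $LAN_MASK
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
EOF
}

# Print the "ifconfig" local/remote pair of a config as "local remote".
ifconfig_pair() {   # $1 = config path
    awk '$1 == "ifconfig" { print $2, $3; exit }' "$1"
}

# Return 0 if the client's ifconfig line mirrors the server's
# (server local == client remote and vice versa), 1 otherwise.
check_conf_pair() {   # $1 = server conf, $2 = client conf
    s_pair=$(ifconfig_pair "$1")
    c_pair=$(ifconfig_pair "$2")
    s_local=${s_pair%% *}; s_remote=${s_pair#* }
    c_local=${c_pair%% *}; c_remote=${c_pair#* }
    [ -n "$s_pair" ] && [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ]
}

# Return 0 if the static key has no group/other permission bits, 1 otherwise.
# Columns 5-10 of "ls -ld" are the group and other rwx fields.
check_key_perms() {   # $1 = key path
    go_bits=$(ls -ld "$1" | cut -c5-10)
    [ "$go_bits" = "------" ]
}

# Stand-alone demo: "sh render_p2p.sh demo" renders both files into a temp dir.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    render_server_conf "$tmp/toronto.conf"
    render_client_conf "$tmp/client.ovpn" "vpn.example.invalid"
    if check_conf_pair "$tmp/toronto.conf" "$tmp/client.ovpn"; then
        echo "ifconfig pair OK: $tmp"
    else
        echo "ifconfig pair MISMATCH"
    fi
fi
```

check_conf_pair and check_key_perms return a non-zero status on a mismatch or a loose key mode, so a start script can call them before launching openvpn and refuse to start on failure.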
4 How about server-side accesses client-side (Optional)
With the above settings, the client-side can access any hosts in the server-side network, 192.168.0.0/24.
However, the server-side cannot access the client-side.
To allow this, a route entry needs to be added to the server side's router. In my case the router runs OpenWrt, so the command below just works.
root@WRT3200ACM:~# ip route add 10.8.0.0/24 via 192.168.0.20
5 Enhanced server-side
A simple script to start the OpenVPN server.
# ls
conf include lib sbin share start_vpn_server.sh
# cat start_vpn_server.sh
#!/bin/bash
cur_user=$(id -un)
config_file=toronto.conf
self_dir=$(cd "$(dirname "$0")" && pwd)
openvpn=$self_dir/sbin/openvpn
work_dir=$self_dir/conf
# openvpn needs root to create the tun device and add routes
if [[ $cur_user != root ]]; then
    echo "Please run as root or sudo"
    exit 1
fi
# if an instance using this config is already running, exit;
# pgrep -f matches the full command line and does not match itself
if pgrep -f "$openvpn --config $config_file" &> /dev/null; then
    echo "already running..."
    exit 0
fi
cd "$work_dir" || exit 1
"$openvpn" --config "$config_file"
To keep the process running, a cron job re-runs the script every minute; the script exits immediately when an instance is already running.
[root]# crontab -l
* * * * * /opt/apps/openvpn/start_vpn_server.sh