Search the Community

Or anything new will not open, but as a useful tip to create vpn own hands will be useful. The generation of certificates and keys are not considered, the key can be a maximum length of 4096. Configuration for Linux: Settings for OpenVZ host machine. If you do not have access to the hypervisor, you can skip block OpenVZ-HN CTID = 101 $ vzctl set CTID --devnodes net / TUN: rw --save vzctl set $ CTID --devices C: 10: 200: rw --save vzctl set $ CTID --capability net_admin: on --save vzctl Exec $ mkdir -p CTID / dev / net vzctl Exec $ CTID mknod / dev / net / TUN C 10,200 vzctl exec $ CTID chmod 600 / dev / net / tun Proxy, Socks, which help the user to maintain their anonymity online. What is it for a single user - the reasons may be many, at the same time we will not focus. Consider the process of creating OpenVPN-server, which is connected with another OpenVPN-server, wherein the user traffic goes through the first server, then the second and further to have the desired resource. Traffic returns the chain into the same sequence in reverse. Many owners of such a scheme called her «double» (double) OpenVPN. Schematically, such a scheme can be displayed as follows: Client -> OpenVPN-server_1 -> OpenVPN-server_2 -> Internet Return traffic on the reverse pattern: Client <- OpenVPN-server_1 <- OpenVPN-server_2 <- Internet to create such a scheme requires two VPS / VDS (as a rule, VDS is used for large loads (volume of traffic)). At the same time, if it is used with the type of VPS OpenVZ virtualization or other, in which containers of virtual machines share a common nucleus of the host system, you must check with the host, whether to enable the module loading tun for virtual machines. The implementation of the scheme involves the connection setup via the OpenVPN client and OpenVPN-Server 1, between the two OpenVPN-Server, configure NAT on the OpenVPN-Server 2 and the routing configuration on the two OpenVPN-servers. Set on both servers OpenVPN. Let us, for example, the installation process for OS CentOS. In the standard repositories CentOS openvpn package is missing, so connect the appropriate sources (consider arhiterkutu version and OS) rpm -ihv [URL='http://mirror.yandex.ru/epel/6/x86_64/epel-release-6-7.noarch.rpm']http://mirror.yandex...-6-7.noarch.rpm[/URL] rpm -ihv [URL='http://centos.alt.ru/repository/centos/6/x86_64/centalt-release-6-1.noarch.rpm']http://centos.alt.ru...-6-1.noarch.rpm[/URL] Install OpenVPN yum -y install openvpn Check whether the module is loaded tun lsmod | grep tun If the output of the previous command is empty Loading tun module modprobe tun How to organize the automatic download OpenVPN and tun module at startup depends on the operating system, in this case, CentOS chkconfig openvpn on To create a connection between two servers using the settings OpenVPN point-to-point. To do this, OpenVPN-Server 2 /etc/openvpn/server.conf create a configuration file with this content: dev tun proto tcp-server ifconfig 10.0.2.1 10.0.2.2 tls-server comp-lzo daemon ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key dh /etc/openvpn/keys/dh1024.pem tls-auth /etc/openvpn/keys/tls.key 0 cipher AES-256-CBC port 1195 user nobody group nobody max-clients 1 persist-key persist-tun verb 3 status /var/log/openvpn/openvpn-status.log log-append /var/log/openvpn/openvpn.log script-security system 3 route-up "ip route add 10.0.1.0/24 via 10.0.2.2 dev tun0" Keys and certificates that are located in the / etc / openvpn / keys / create according to the FAQ from the developers of OpenVPN using easy-rsa. The contents of the command route-up depends on the customer's network configuration and connection settings between servers. Turn forwarding packets. To /etc/sysctl.conf net.ipv4.ip_forward value changes from 0 to 1 net.ipv4.ip_forward = 1 Loading variables from the updated kernel sysctl.conf file sysctl -p Also on the second server is configured NAT using iptables: iptables -t nat -A POSTROUTING --src 10.0.1.0/24 -o eth0 -j SNAT --to-source 1.1.1.1, where 1.1.1.1 - external IP server 2. On the first server and install OpenVPN and create a configuration file vi /etc/openvpn/s2s.conf: dev tun0 remote 1.1.1.1 port 1195 proto tcp-client ifconfig 10.0.2.2 10.0.2.1 tls-client comp-lzo daemon script-security system 3 ns-cert-type server ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/s2s.crt key /etc/openvpn/keys/s2s.key dh /etc/openvpn/keys/dh1024.pem tls-auth /etc/openvpn/keys/tls.key 1 cipher AES-256-CBC user nobody group nobody persist-key persist-tun verb 3 route-up "ip route add default via 10.0.2.1 dev tun0 table 10 && ip rule add from 10.0.1.0/24 lookup pref 10 10" mute 10 status /var/log/openvpn/openvpn-status.log log-append /var/log/openvpn/openvpn.log Also includes the forwarding of packets. Configuring OpenVPN-Server 1 for connecting clients. To do this, create a configuration file /etc/openvpn/server.conf: port 1194 local 2.2.2.2 proto tcp dev tun1 server 10.0.1.0 255.255.255.0 ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key dh /etc/openvpn/keys/dh1024.pem tls-auth /etc/openvpn/keys/tls.key 0 cipher AES-256-CBC user nobody group nobody status /var/log/openvpn/openvpnserver-status.log log-append /var/log/openvpn/openvpnserver.log verb 3 max-clients 30 keepalive 10 120 tls-server comp-lzo persist-key persist-tun push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" Certificates and keys for client connections also create according FAQ from the developers OpenVPN using easy-rsa. After the settings on each server run OpenVPN /etc/init.d/openvpn start If the launch fails, look in the error log files and eliminate them. To be able to connect to the client requires the following files: ca.crt client01.crt client01.key dh1024.pem tls.key need to pass them along with the configuration parameters. On the client side in Depending on the OS you need to perform these actions. For OS linux: Install openvpn. Check whether the module is loaded tun. Create a configuration file /etc/openvpn/client01.conf client remote 2.2.2.2 1194 proto tcp dev tun ca ca.crt dh dh1024.pem cert client01.crt key client01.key tls-auth tls.key 1 cipher AES-256-CBC verb 3 mute 20 keepalive 10 120 comp-lzo persist-key persist-tun resolv-retry infinite nobind Copy the files (ca.crt, client01.crt, client01.key, dh1024.pem, tls.key) in the / etc / openvpn /. Zapusit openvpn: /etc/init.d/openvpn start Check to see if the interface tun0. For Windows: Install OpenVPN to windosw ( OpenVPN - Open Source VPN ). Copy the files (ca.crt, client01.crt, client01.key, dh1024.pem, tls.key) in C: \ Program Files \ OpenVPN \ config \ client01. In the same directory create a configuration file client01.ovpn (identical in content with client01.conf for linux). Connect. Once connected, check how is the traffic. Both servers must appear in the track: traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets 1 10.1.0.1 (10.1.0.1) 165.178 ms 329.870 ms 329.807 ms 2 10.2.0.1 (10.2.0.1) 493,908 ms 658.640 ms 824.653 ms Configuration for FreeBSD : ########################### #Server #FREEDBSD - Openvpn config, redirect traffic ########################### dev ovpns2 # - interface name dev-type tun # - type tun / tap (tun faster) tun-ipv6 dev-node / dev / tun2 # - device name writepid /var/run/openvpn_server2.pid # - where to put the process #user nobody # - from any user to run #group nobody # - from a group run script-security 3 daemon # - work as a service keepalive 10 60 # - how to keep the connection if fallen off ping-timer-rem persist-tun persist-key proto tcp-server # - on which protocol to use tcp / udp (here TCP) cipher AES-128-CBC # - any type of encryption that is available to the system (openvpn --show-ciphers) up / usr / local / sbin / ovpn-linkup down / usr / local / sbin / ovpn-linkdown local xxxx # - static external address tls-server # - used tls encryption server 172.172.11.0 255.255.255.0 # - what subnet used inside the tunnel client-config-dir / var / etc / openvpn-csc # - Client Configuration (ccd in Linux) lport # 443 - the port on which the VPN server will be available for a connection management /var/etc/openvpn/server2.sock unix # - process control and monitoring connections max-clients # 2 - the maximum number of clients push "dhcp-option DNS 192.168.1.1" # - dns server sends to the client push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" push "redirect-gateway def1" # - sends the client the default gateway, which is the server itself client-to-client # - allow communication between clients (for example between two RDP client connection) ca /var/etc/openvpn/server2.ca # - key server cert /var/etc/openvpn/server2.cert # - server certificate key /var/etc/openvpn/server2.key # - key dh /etc/dh-parameters.1024 # - dh comp-lzo # - traffic compression persist-remote-ip float push "route 192.168.1.0 255.255.255.0" # - adds the route in the network where the server itself server-poll-timeout 20 # - connection time (20 seconds if the client does not connect it resets) IMPORTANT: For the initial setup required logs after they can be turned off. With logs: status openvpn-status.log log /var/log/openvpn.log verb 3 mute 20 Without logs: log / dev / null Have fun..