Fi8sVrs Posted January 18, 2015

There are many ways you can go about creating your own Virtual Private Network. Let's do the easiest one in this tutorial, which will be how to use your VPS as your own VPN for your main machine's connection. – ro0ted

What's used in this tutorial?
Digital Ocean's Cloud
Debian Server VPS
Putty AIO

Open PuTTYgen > click Generate > move your mouse around the blank space.
Then copy the public key to the clipboard and save the public/private key.
Go to the Digital Ocean control panel and click SSH Keys.
Copy and paste the public key from PuTTYgen into the Control Panel.
Now open PuTTY.
Now once you are in Auth,
In Rlogin enter root. Now you can connect to your server without ever entering a key. Minimize this window and go to Create Droplet to make your server.
Edit yours how you want, just make sure you don't enable IPv6. Debian is more stable than all of them. Click SSH Key before clicking Create Droplet. Then go to Droplets in the left side menu.
Copy and paste the IP from Droplets into your PuTTY. Click Open. It should work flawlessly. If it does ask for a passphrase, e.g. "Passphrase for RSA-Key", that means you put a passphrase in PuTTYgen. If it says "password for root", you did something wrong.

If you can't set this VPN server up through this tutorial then just throw your computer away, because this is an automatic installation for you. There's really nothing to explain. This script does everything for you. Is it the safest way? Probably not, but the more IMPORTANT question should be: who do you trust more with your logs?

Once signed in, type:
sudo apt-get dist-upgrade
sudo apt-get upgrade
sudo apt-get update
wget http://git.io/vpn --no-check-certificate -O openvpn-install.sh; chmod +x openvpn-install.sh;

mirror:

```bash
#!/bin/bash
# OpenVPN road warrior installer for Debian-based distros

# This script will only work on Debian-based systems. It isn't bulletproof but
# it will probably work if you simply want to setup a VPN on your Debian/Ubuntu
# VPS. It has been designed to be as unobtrusive and universal as possible.


if [[ "$USER" != 'root' ]]; then
    echo "Sorry, you need to run this as root"
    exit
fi

if [[ ! -e /dev/net/tun ]]; then
    echo "TUN/TAP is not available"
    exit
fi

if [[ ! -e /etc/debian_version ]]; then
    echo "Looks like you aren't running this installer on a Debian-based system"
    exit
fi


newclient () {
    # Generates the client.ovpn
    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/$1.ovpn
    sed -i "/ca ca.crt/d" ~/$1.ovpn
    sed -i "/cert client.crt/d" ~/$1.ovpn
    sed -i "/key client.key/d" ~/$1.ovpn
    echo "<ca>" >> ~/$1.ovpn
    cat /etc/openvpn/easy-rsa/2.0/keys/ca.crt >> ~/$1.ovpn
    echo "</ca>" >> ~/$1.ovpn
    echo "<cert>" >> ~/$1.ovpn
    cat /etc/openvpn/easy-rsa/2.0/keys/$1.crt >> ~/$1.ovpn
    echo "</cert>" >> ~/$1.ovpn
    echo "<key>" >> ~/$1.ovpn
    cat /etc/openvpn/easy-rsa/2.0/keys/$1.key >> ~/$1.ovpn
    echo "</key>" >> ~/$1.ovpn
}


# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1)
if [[ "$IP" = "" ]]; then
    IP=$(wget -qO- ipv4.icanhazip.com)
fi


if [[ -e /etc/openvpn/server.conf ]]; then
    while :
    do
    clear
        echo "Looks like OpenVPN is already installed"
        echo "What do you want to do?"
        echo ""
        echo "1) Add a cert for a new user"
        echo "2) Revoke existing user cert"
        echo "3) Remove OpenVPN"
        echo "4) Exit"
        echo ""
        read -p "Select an option [1-4]: " option
        case $option in
            1)
            echo ""
            echo "Tell me a name for the client cert"
            echo "Please, use one word only, no special characters"
            read -p "Client name: " -e -i client CLIENT
            cd /etc/openvpn/easy-rsa/2.0/
            source ./vars
            # build-key for the client
            export KEY_CN="$CLIENT"
            export EASY_RSA="${EASY_RSA:-.}"
            "$EASY_RSA/pkitool" $CLIENT
            # Generate the client.ovpn
            newclient "$CLIENT"
            echo ""
            echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
            exit
            ;;
            2)
            echo ""
            echo "Tell me the existing client name"
            read -p "Client name: " -e -i client CLIENT
            cd /etc/openvpn/easy-rsa/2.0/
            . /etc/openvpn/easy-rsa/2.0/vars
            . /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT
            # If it's the first time revoking a cert, we need to add the crl-verify line
            if grep -q "crl-verify" "/etc/openvpn/server.conf"; then
                echo ""
                echo "Certificate for client $CLIENT revoked"
            else
                echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
                /etc/init.d/openvpn restart
                echo ""
                echo "Certificate for client $CLIENT revoked"
            fi
            exit
            ;;
            3)
            apt-get remove --purge -y openvpn openvpn-blacklist
            rm -rf /etc/openvpn
            rm -rf /usr/share/doc/openvpn
            sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local
            sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local
            echo ""
            echo "OpenVPN removed!"
            exit
            ;;
            4) exit;;
        esac
    done
else
    clear
    echo 'Welcome to this quick OpenVPN "road warrior" installer'
    echo ""
    # OpenVPN setup and first user creation
    echo "I need to ask you a few questions before starting the setup"
    echo "You can leave the default options and just press enter if you are ok with them"
    echo ""
    echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
    echo "listening to."
    read -p "IP address: " -e -i $IP IP
    echo ""
    echo "What port do you want for OpenVPN?"
    read -p "Port: " -e -i 1194 PORT
    echo ""
    echo "Do you want OpenVPN to be available at port 53 too?"
    echo "This can be useful to connect under restrictive networks"
    read -p "Listen at port 53 [y/n]: " -e -i n ALTPORT
    echo ""
    echo "Do you want to enable internal networking for the VPN?"
    echo "This can allow VPN clients to communicate between them"
    read -p "Allow internal networking [y/n]: " -e -i n INTERNALNETWORK
    echo ""
    echo "What DNS do you want to use with the VPN?"
    echo "   1) Current system resolvers"
    echo "   2) OpenDNS"
    echo "   3) Level 3"
    echo "   4) NTT"
    echo "   5) Hurricane Electric"
    echo "   6) Yandex"
    read -p "DNS [1-6]: " -e -i 1 DNS
    echo ""
    echo "Finally, tell me your name for the client cert"
    echo "Please, use one word only, no special characters"
    read -p "Client name: " -e -i client CLIENT
    echo ""
    echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
    read -n1 -r -p "Press any key to continue..."
    apt-get update
    apt-get install openvpn iptables openssl -y
    cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
    # easy-rsa isn't available by default for Debian Jessie and newer
    if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then
        wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
        tar xzf ~/easy-rsa.tar.gz -C ~/
        mkdir -p /etc/openvpn/easy-rsa/2.0/
        cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
        rm -rf ~/easy-rsa-2.2.2
        rm -rf ~/easy-rsa.tar.gz
    fi
    cd /etc/openvpn/easy-rsa/2.0/
    # Let's fix one thing first...
    cp -u -p openssl-1.0.0.cnf openssl.cnf
    # Fuck you NSA - 1024 bits was the default for Debian Wheezy and older
    sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
    # Create the PKI
    . /etc/openvpn/easy-rsa/2.0/vars
    . /etc/openvpn/easy-rsa/2.0/clean-all
    # The following lines are from build-ca. I don't use that script directly
    # because it's interactive and we don't want that. Yes, this could break
    # the installation script if build-ca changes in the future.
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" --initca $*
    # Same as the last time, we are going to run build-key-server
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" --server server
    # Now the client keys. We need to set KEY_CN or the stupid pkitool will cry
    export KEY_CN="$CLIENT"
    export EASY_RSA="${EASY_RSA:-.}"
    "$EASY_RSA/pkitool" $CLIENT
    # DH params
    . /etc/openvpn/easy-rsa/2.0/build-dh
    # Let's configure the server
    cd /usr/share/doc/openvpn/examples/sample-config-files
    gunzip -d server.conf.gz
    cp server.conf /etc/openvpn/
    cd /etc/openvpn/easy-rsa/2.0/keys
    cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn
    cd /etc/openvpn/
    # Set the server configuration
    sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
    sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
    sed -i "s|port 1194|port $PORT|" server.conf
    # DNS
    case $DNS in
        1)
        # Obtain the resolvers from resolv.conf and use them for OpenVPN
        grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
            sed -i "/;push \"dhcp-option DNS 208.67.220.220\"/a\push \"dhcp-option DNS $line\"" server.conf
        done
        ;;
        2)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 208.67.222.222"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 208.67.220.220"|' server.conf
        ;;
        3)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 4.2.2.2"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 4.2.2.4"|' server.conf
        ;;
        4)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 129.250.35.250"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 129.250.35.251"|' server.conf
        ;;
        5)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 74.82.42.42"|' server.conf
        ;;
        6)
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 77.88.8.8"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 77.88.8.1"|' server.conf
        ;;
    esac
    # Listen at port 53 too if user wants that
    if [[ "$ALTPORT" = 'y' ]]; then
        iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT
        sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
    fi
    # Enable net.ipv4.ip_forward for the system
    sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
    # Avoid an unneeded reboot
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Set iptables
    if [[ "$INTERNALNETWORK" = 'y' ]]; then
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
        sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
    else
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
        sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
    fi
    # And finally, restart OpenVPN
    /etc/init.d/openvpn restart
    # Try to detect a NATed connection and ask about it to potential LowEndSpirit
    # users
    EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
    if [[ "$IP" != "$EXTERNALIP" ]]; then
        echo ""
        echo "Looks like your server is behind a NAT!"
        echo ""
        echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
        echo "If that's not the case, just ignore this and leave the next field blank"
        read -p "External IP: " -e USEREXTERNALIP
        if [[ "$USEREXTERNALIP" != "" ]]; then
            IP=$USEREXTERNALIP
        fi
    fi
    # IP/port set on the default client.conf so we can add further users
    # without asking for them
    sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf
    # Generate the client.ovpn
    newclient "$CLIENT"
    echo ""
    echo "Finished!"
    echo ""
    echo "Your client config is available at ~/$CLIENT.ovpn"
    echo "If you want to add more clients, you simply need to run this script another time!"
fi
```

To begin the auto installer, type:
./openvpn-install.sh

Now, if your main machine is Windows, open Notepad. Go back to PuTTY and type:
cat ro0ted.ovpn
Copy all of it to the clipboard, paste it into Notepad > File > Save as > WhateverYouNamedTheClient.ovpn

Check if your OpenVPN server is running; type:
ps ax|grep openvpn
You should see something like this:

Traffic forwarding has to be enabled for the VPN connection to work.
Type:
nano /etc/sysctl.conf
and enable IPv4 forwarding by un-commenting the line "net.ipv4.ip_forward=0", removing the # sign and changing 0 to 1 so it looks like this:
net.ipv4.ip_forward=1
Ctrl + X
Select Y

Enable masquerading in the firewall; type:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Go to Windows. Download OpenVPN: http://openvpn.net/index.php/open-source/downloads.html
After you install it, transfer the ovpn-client1.tar.gz archive to your PC and unpack it into your OpenVPN GUI's config folder (usually "C:\Program Files(x86)\OpenVPN\config\").
Start OpenVPN GUI with right click, Run as Administrator (it works only when you run it as administrator). Right click on its System Tray icon and click Connect.
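The profile that newclient() in the script above emits is the sample client.conf with the `ca`/`cert`/`key` lines deleted and the CA certificate, client certificate and private key appended inline; the tutorial then has you `cat` it in PuTTY and paste it into Notepad. Two things a practitioner would check before importing that file: that the paste was not cut off (an unclosed `<key>` block is the usual symptom), and which hardening directives the generated profile does not carry. The script never generates a tls-auth/tls-crypt key (there is no `openvpn --genkey` anywhere in it) and adds no `cipher`, `auth` or `verify-x509-name` line, so it relies on whatever the sample client.conf and OpenVPN's defaults provide. The following audit is an added example for this thread, not code from the post or from the openvpn-install.sh script; it assumes POSIX sh with grep, sed and mktemp, and the three profiles it builds are constructed here with placeholder PEM bodies, not real keys. The directive list is the author's recommendation, not something the page's script sets.

```shell
#!/bin/sh
# Added example: an audit for the client profile that the script's newclient()
# writes (not part of the original post or of openvpn-install.sh).
# Two checks before importing ~/client.ovpn on Windows:
#   1. every inline <ca>/<cert>/<key>/<tls-*> block is closed, which a
#      truncated copy-paste from the terminal into Notepad silently breaks;
#   2. hardening directives the generated profile does not carry are listed.
# Assumptions: POSIX sh with grep/sed/mktemp; the profiles below are
# constructed here and the PEM bodies are placeholders, not real keys.

# ovpn_inline_blocks_ok FILE: exit 0 if every <tag> has a matching </tag>.
ovpn_inline_blocks_ok() {
    file=$1
    for tag in ca cert key tls-auth tls-crypt; do
        opened=$(grep -c "^<$tag>\$" "$file" || true)   # grep -c exits 1 on 0 hits
        closed=$(grep -c "^</$tag>\$" "$file" || true)
        [ "$opened" -eq "$closed" ] || return 1
    done
    return 0
}

# ovpn_missing_hardening FILE: print one line per missing directive, nothing
# when the profile has all of them.
ovpn_missing_hardening() {
    file=$1
    # Either spelling of the server-identity check: without it a client cert
    # issued by the same CA could impersonate the server.
    grep -q -e '^remote-cert-tls server' -e '^ns-cert-type server' "$file" \
        || echo "remote-cert-tls server"
    # Pin the server CN (the script issues the server cert as CN=server).
    grep -q '^verify-x509-name ' "$file" || echo "verify-x509-name"
    # Control-channel HMAC (tls-auth) or encryption (tls-crypt): drops
    # unauthenticated handshake packets before TLS runs.
    grep -q -e '^tls-auth ' -e '^tls-crypt ' -e '^<tls-auth>$' -e '^<tls-crypt>$' "$file" \
        || echo "tls-auth/tls-crypt"
    # Explicit data-channel cipher and HMAC instead of OpenVPN's defaults.
    grep -q '^cipher ' "$file" || echo "cipher"
    grep -q '^auth ' "$file" || echo "auth"
}

# --- constructed sample profiles ------------------------------------------
WORK=$(mktemp -d)
WEAK="$WORK/weak.ovpn"      # shape of what newclient() emits
HARD="$WORK/hard.ovpn"      # same profile with the directives added
BROKEN="$WORK/broken.ovpn"  # paste cut off before the closing </key>

cat > "$WEAK" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CLIENT-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-PRIVATE-KEY
-----END PRIVATE KEY-----
</key>
EOF

{ cat "$WEAK"; cat <<'EOF'
remote-cert-tls server
verify-x509-name server name
cipher AES-256-GCM
auth SHA256
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-NOT-A-REAL-TLS-CRYPT-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
} > "$HARD"

sed '/^<\/key>$/d' "$WEAK" > "$BROKEN"

# Stand-alone run: report on the script-shaped profile and the truncated one.
ovpn_inline_blocks_ok "$WEAK" && echo "weak.ovpn: inline blocks complete"
ovpn_inline_blocks_ok "$BROKEN" || echo "broken.ovpn: unclosed inline block"
echo "weak.ovpn is missing:"; ovpn_missing_hardening "$WEAK"
```

On the real server you would run `ovpn_missing_hardening ~/ro0ted.ovpn` before copying the file out, then fix what it reports on both ends: the client directives above need matching `tls-auth`/`tls-crypt`, `cipher` and `auth` lines in server.conf, and tls-crypt needs OpenVPN 2.4 or later (the 2.3 releases current when this thread was posted only have tls-auth). The manual sysctl and MASQUERADE steps the tutorial adds after the script are redundant with what the script already did: it sets `net.ipv4.ip_forward=1` and writes a POSTROUTING SNAT rule into /etc/rc.local, so the extra MASQUERADE rule is a second NAT rule for the same traffic, harmless but unnecessary.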
deepdns Posted January 18, 2015

OMG, an intensive course above; I'll post my own VPN variant too - cheap & easy:
- buy a VPS, preferably in the EU, at the cheapest price and, as far as possible, from a known company
- enable TUN/TAP and PPP from the OpenVZ panel
- now, for Debian, Ubuntu and whatever else is derived from Debian, we have 4 steps to follow in the console:
1. apt-get update
apt-get upgrade (optional, if it isn't up to date, or if you don't want to break the config of what is already installed)
2. wget http://swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10.amd_64.deb
or:
x64 (64bits) version: http://swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10.amd_64.deb
x86 (32bits) version: http://swupdate.openvpn.org/as/openvpn-as-1.8.4-Ubuntu10.i386.deb
3. dpkg -i openvpn-as-1.8.4-Ubuntu10.amd_64.deb
On installation it will create the user: openvpn
4. change the password of the user created above:
passwd openvpn
- then connect to it in the browser and configure it however you want; then, also from the browser, log in with the already created user openvpn and the password you set above, and download the already configured client: https://(1.2.3.4):943/admin
That's all folks, have fun.
PS: this is a 2-minute job.