io.kent Posted April 2, 2015 Report Share Posted April 2, 2015 Or anything new will not open, but as a useful tip to create vpn own hands will be useful. The generation of certificates and keys are not considered, the key can be a maximum length of 4096. Configuration for Linux: Settings for OpenVZ host machine. If you do not have access to the hypervisor, you can skip block OpenVZ-HNCTID = 101 $ vzctl set CTID --devnodes net / TUN: rw --save vzctl set $ CTID --devices C: 10: 200: rw --save vzctl set $ CTID --capability net_admin: on --save vzctl Exec $ mkdir -p CTID / dev / net vzctl Exec $ CTID mknod / dev / net / TUN C 10,200 vzctl exec $ CTID chmod 600 / dev / net / tunProxy, Socks, which help the user to maintain their anonymity online. What is it for a single user - the reasons may be many, at the same time we will not focus. Consider the process of creating OpenVPN-server, which is connected with another OpenVPN-server, wherein the user traffic goes through the first server, then the second and further to have the desired resource. Traffic returns the chain into the same sequence in reverse. Many owners of such a scheme called her «double» (double) OpenVPN. Schematically, such a scheme can be displayed as follows: Client -> OpenVPN-server_1 -> OpenVPN-server_2 -> Internet Return traffic on the reverse pattern: Client <- OpenVPN-server_1 <- OpenVPN-server_2 <- Internet to create such a scheme requires two VPS / VDS (as a rule, VDS is used for large loads (volume of traffic)). At the same time, if it is used with the type of VPS OpenVZ virtualization or other, in which containers of virtual machines share a common nucleus of the host system, you must check with the host, whether to enable the module loading tun for virtual machines. The implementation of the scheme involves the connection setup via the OpenVPN client and OpenVPN-Server 1, between the two OpenVPN-Server, configure NAT on the OpenVPN-Server 2 and the routing configuration on the two OpenVPN-servers. Set on both servers OpenVPN. Let us, for example, the installation process for OS CentOS. In the standard repositories CentOS openvpn package is missing, so connect the appropriate sources (consider arhiterkutu version and OS)rpm -ihv [URL='http://mirror.yandex.ru/epel/6/x86_64/epel-release-6-7.noarch.rpm']http://mirror.yandex...-6-7.noarch.rpm[/URL]rpm -ihv [URL='http://centos.alt.ru/repository/centos/6/x86_64/centalt-release-6-1.noarch.rpm']http://centos.alt.ru...-6-1.noarch.rpm[/URL]Install OpenVPNyum -y install openvpnCheck whether the module is loaded tunlsmod | grep tunIf the output of the previous command is empty Loading tun modulemodprobe tunHow to organize the automatic download OpenVPN and tun module at startup depends on the operating system, in this case, CentOSchkconfig openvpn onTo create a connection between two servers using the settings OpenVPN point-to-point. To do this, OpenVPN-Server 2 /etc/openvpn/server.conf create a configuration file with this content:dev tunproto tcp-serverifconfig 10.0.2.1 10.0.2.2tls-servercomp-lzodaemonca /etc/openvpn/keys/ca.crtcert /etc/openvpn/keys/server.crtkey /etc/openvpn/keys/server.keydh /etc/openvpn/keys/dh1024.pemtls-auth /etc/openvpn/keys/tls.key 0cipher AES-256-CBCport 1195user nobodygroup nobodymax-clients 1persist-keypersist-tunverb 3status /var/log/openvpn/openvpn-status.loglog-append /var/log/openvpn/openvpn.logscript-security system 3route-up "ip route add 10.0.1.0/24 via 10.0.2.2 dev tun0"Keys and certificates that are located in the / etc / openvpn / keys / create according to the FAQ from the developers of OpenVPN using easy-rsa. The contents of the command route-up depends on the customer's network configuration and connection settings between servers. Turn forwarding packets. To /etc/sysctl.conf net.ipv4.ip_forward value changes from 0 to 1net.ipv4.ip_forward = 1Loading variables from the updated kernel sysctl.conf filesysctl -pAlso on the second server is configured NAT using iptables:iptables -t nat -A POSTROUTING --src 10.0.1.0/24 -o eth0 -j SNAT --to-source 1.1.1.1,where 1.1.1.1 - external IP server 2. On the first server and install OpenVPN and create a configuration filevi /etc/openvpn/s2s.conf:dev tun0remote 1.1.1.1port 1195proto tcp-clientifconfig 10.0.2.2 10.0.2.1tls-clientcomp-lzodaemonscript-security system 3ns-cert-type serverca /etc/openvpn/keys/ca.crtcert /etc/openvpn/keys/s2s.crtkey /etc/openvpn/keys/s2s.keydh /etc/openvpn/keys/dh1024.pemtls-auth /etc/openvpn/keys/tls.key 1cipher AES-256-CBCuser nobodygroup nobodypersist-keypersist-tunverb 3route-up "ip route add default via 10.0.2.1 dev tun0 table 10 && ip rule add from 10.0.1.0/24 lookup pref 10 10"mute 10status /var/log/openvpn/openvpn-status.loglog-append /var/log/openvpn/openvpn.logAlso includes the forwarding of packets. Configuring OpenVPN-Server 1 for connecting clients. To do this, create a configuration file /etc/openvpn/server.conf:port 1194local 2.2.2.2proto tcpdev tun1server 10.0.1.0 255.255.255.0ca /etc/openvpn/keys/ca.crtcert /etc/openvpn/keys/server.crtkey /etc/openvpn/keys/server.keydh /etc/openvpn/keys/dh1024.pemtls-auth /etc/openvpn/keys/tls.key 0cipher AES-256-CBCuser nobodygroup nobodystatus /var/log/openvpn/openvpnserver-status.loglog-append /var/log/openvpn/openvpnserver.logverb 3max-clients 30keepalive 10 120tls-servercomp-lzopersist-keypersist-tunpush "redirect-gateway def1"push "dhcp-option DNS 8.8.8.8"Certificates and keys for client connections also create according FAQ from the developers OpenVPN using easy-rsa. After the settings on each server run OpenVPN/etc/init.d/openvpn startIf the launch fails, look in the error log files and eliminate them. To be able to connect to the client requires the following files: ca.crt client01.crt client01.key dh1024.pem tls.key need to pass them along with the configuration parameters. On the client side in Depending on the OS you need to perform these actions. For OS linux: Install openvpn. Check whether the module is loaded tun. Create a configuration file /etc/openvpn/client01.confclientremote 2.2.2.2 1194proto tcpdev tunca ca.crtdh dh1024.pemcert client01.crtkey client01.keytls-auth tls.key 1cipher AES-256-CBCverb 3mute 20keepalive 10 120comp-lzopersist-keypersist-tunresolv-retry infinitenobindCopy the files (ca.crt, client01.crt, client01.key, dh1024.pem, tls.key) in the / etc / openvpn /. Zapusit openvpn:/etc/init.d/openvpn startCheck to see if the interface tun0. For Windows: Install OpenVPN to windosw ( OpenVPN - Open Source VPN ). Copy the files (ca.crt, client01.crt, client01.key, dh1024.pem, tls.key) in C: \ Program Files \ OpenVPN \ config \ client01. In the same directory create a configuration file client01.ovpn (identical in content with client01.conf for linux). Connect. Once connected, check how is the traffic. Both servers must appear in the track: traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets 1 10.1.0.1 (10.1.0.1) 165.178 ms 329.870 ms 329.807 ms 2 10.2.0.1 (10.2.0.1) 493,908 ms 658.640 ms 824.653 ms Configuration for FreeBSD :############################Server#FREEDBSD - Openvpn config, redirect traffic###########################dev ovpns2 # - interface namedev-type tun # - type tun / tap (tun faster)tun-ipv6dev-node / dev / tun2 # - device namewritepid /var/run/openvpn_server2.pid # - where to put the process#user nobody # - from any user to run#group nobody # - from a group runscript-security 3daemon # - work as a servicekeepalive 10 60 # - how to keep the connection if fallen offping-timer-rempersist-tunpersist-keyproto tcp-server # - on which protocol to use tcp / udp (here TCP)cipher AES-128-CBC # - any type of encryption that is available to the system (openvpn --show-ciphers)up / usr / local / sbin / ovpn-linkupdown / usr / local / sbin / ovpn-linkdownlocal xxxx # - static external addresstls-server # - used tls encryptionserver 172.172.11.0 255.255.255.0 # - what subnet used inside the tunnelclient-config-dir / var / etc / openvpn-csc # - Client Configuration (ccd in Linux)lport # 443 - the port on which the VPN server will be available for a connectionmanagement /var/etc/openvpn/server2.sock unix # - process control and monitoring connectionsmax-clients # 2 - the maximum number of clientspush "dhcp-option DNS 192.168.1.1" # - dns server sends to the clientpush "dhcp-option DNS 8.8.8.8"push "dhcp-option DNS 8.8.4.4"push "redirect-gateway def1" # - sends the client the default gateway, which is the server itselfclient-to-client # - allow communication between clients (for example between two RDP client connection)ca /var/etc/openvpn/server2.ca # - key servercert /var/etc/openvpn/server2.cert # - server certificatekey /var/etc/openvpn/server2.key # - keydh /etc/dh-parameters.1024 # - dhcomp-lzo # - traffic compressionpersist-remote-ipfloatpush "route 192.168.1.0 255.255.255.0" # - adds the route in the network where the server itselfserver-poll-timeout 20 # - connection time (20 seconds if the client does not connect it resets)IMPORTANT: For the initial setup required logs after they can be turned off. With logs:status openvpn-status.loglog /var/log/openvpn.logverb 3mute 20Without logs:log / dev / nullHave fun.. Quote Link to comment Share on other sites More sharing options...