Welcome to Halil Demirezen's Tips Page


VPN: OpenVPN client-to-client vpn configuration [easy-rsa 2] 2017-11-07 21:02:53

OpenVPN can be set up in either a client-to-site or a site-to-site arrangement. This tutorial
covers the client-to-site configuration, where each client has its own certificate; the server
is also configured with client-to-client, so connected clients can reach one another through it.


The Linux environment is CentOS 7. Both packages come from the EPEL repository, and the commands
below run as root. The symlink keeps easy-rsa's keys directory under /usr/share, where a package
update can overwrite it; copying the tree into /etc/openvpn instead of linking it avoids that.

$ yum install openvpn
$ yum install easy-rsa
$ ln -s /usr/share/easy-rsa /etc/openvpn/easy-rsa
$ cd /etc/openvpn/easy-rsa/2.0
$ vi vars


You may change the identity fields and lifetimes:

..

export KEY_SIZE=2048
export CA_EXPIRE=3650 # days
export KEY_EXPIRE=3650 # days
export KEY_COUNTRY="TR"
export KEY_PROVINCE="TR"
export KEY_CITY="Istanbul"
export KEY_ORG="Demirezen.net"
export KEY_EMAIL="test@demirezen.net"
export KEY_OU="ItOrganizationUnit"
export KEY_NAME="EasyRSA"
..

or leave them at their defaults. KEY_SIZE is the RSA key length for every key the scripts generate
and also sizes the Diffie-Hellman parameters (hence the dh2048.pem filename below); CA_EXPIRE and
KEY_EXPIRE are lifetimes in days; the remaining KEY_ fields pre-fill the certificate subject prompts.

$ source ./vars
$ ./clean-all
$ ./build-ca


build-ca prompts for the CA's subject (pre-filled from vars) and writes ca.crt and ca.key to
/etc/openvpn/easy-rsa/2.0/keys. ca.key signs every certificate the VPN will trust: it stays on
this host and is never handed to clients. Note that clean-all empties the keys directory, so do
not run it again once certificates have been issued.

$ ./build-key-server myserver


This writes myserver.crt and myserver.key to the same keys directory. build-key-server issues the
certificate with the server extensions (easy-rsa 2 sets nsCertType=server and
extendedKeyUsage=serverAuth), which is what lets a client check that it is talking to the server
and not to another client holding a certificate from the same CA.

$ ./build-dh


This generates the Diffie-Hellman parameters used in the TLS key exchange and writes them to
keys/dh2048.pem (the number follows KEY_SIZE). It can take several minutes.


Now create a key and certificate for a client. The command below prompts for the client's subject
(use the client's name as the Common Name) and writes client1.key and client1.crt to
/etc/openvpn/easy-rsa/2.0/keys. Give each client its own .crt and .key together with ca.crt, over
a secure channel; the private key is what identifies that client, so never reuse one across
clients. Repeat the command with a different name for every client.

$ ./build-key client1



Now it is time to create the server-side configuration file.

$ vi /etc/openvpn/server.conf



local 195.44.33.22            # public address the server listens on

mode server                   # both already implied by the 'server' directive below
tls-server
dev tun
port 1194
proto udp


ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/myserver.crt
key /etc/openvpn/easy-rsa/2.0/keys/myserver.key   # keep this file readable by root only
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
# duplicate-cn lets several clients connect with the same certificate at once.
# With one certificate per client, as built above, it is not needed, and
# removing it keeps every connection tied to exactly one client identity.
duplicate-cn


client-to-client              # clients may reach each other through the server
server 192.168.56.0 255.255.255.0   # tunnel subnet; the server takes 192.168.56.1
push "route 192.168.50.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
#push "redirect-gateway def1"

# Uncomment the redirect-gateway line above to send all client traffic,
# internet traffic included, through the tunnel. The per-network routes
# are then unnecessary, and the server must forward (and usually NAT) it.

user nobody                   # drop root after the key and tun device are opened
group nobody
keepalive 2 120               # ping every 2 s; treat the peer as gone after 120 s
comp-lzo                      # must match the clients; compressing tunnelled traffic
                              # is deprecated and best left off on both ends
persist-key                   # required with user/group: nobody cannot reread the key
persist-tun                   # or reopen the tun device on a restart
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3


With this configuration the server pushes routes for 192.168.50.0/24, 192.168.40.0/24 and
192.168.30.0/24 to every connecting client, so traffic to those networks enters the tunnel while
everything else keeps using the client's normal default route. For replies to come back, the
server host needs IP forwarding enabled and those networks need a route to 192.168.56.0/24 via
the server (or the server must NAT the tunnel traffic).

Now enable and start the VPN server:

$ systemctl enable openvpn@server
$ systemctl start openvpn@server


On the client side, Windows or Linux, the configuration file looks like the one below (on Windows,
save it with a .ovpn extension next to the three files it references). Adding remote-cert-tls
server to it makes the client accept only a certificate issued with the server extensions, so
another client's certificate cannot be used to impersonate the server.

remote 195.44.33.22           # the server's public address (its 'local')
port 1194
client                        # implies tls-client and pulls the server's routes
tls-client
proto udp
dev tun
resolv-retry 2                # keep resolving the remote name for 2 s before giving up
persist-key
persist-tun
nobind                        # no fixed local port
ca ca.crt                     # copy of the server's ca.crt (the certificate only, never ca.key)
cert client1.crt              # the certificate and key built for this client with build-key
key client1.key
comp-lzo                      # must match the server
verb 3
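The settings above are easy to get subtly wrong (duplicate-cn next to per-client certificates, compression left on, no HMAC on the control channel, no CRL, a client that never checks it is talking to the server), and the usual way to hand a client its files is one .ovpn with the certificates inlined. The Python script below is an added example and not code from the original page: it parses constructed copies of the two configurations above, reports those weak or missing settings, extracts the pushed routes, and renders a single-file client profile from the server's own local/port/proto values. The directive names it checks (tls-auth, tls-crypt, crl-verify, remote-cert-tls) are real OpenVPN options; the PEM strings are placeholders for the files easy-rsa writes to the keys directory.

```python
"""Lint the tutorial's OpenVPN configs for weak settings and render a one-file
client profile.  Added example, not code from the original page: SERVER_CONF and
CLIENT_CONF are constructed copies of the page's two configurations, and the PEM
strings are placeholders for the files in /etc/openvpn/easy-rsa/2.0/keys."""
import shlex

SERVER_CONF = """\
local 195.44.33.22
proto udp
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
duplicate-cn
client-to-client
server 192.168.56.0 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.0"
#push "redirect-gateway def1"
comp-lzo
"""
CLIENT_CONF = """\
remote 195.44.33.22
client
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
"""
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...ca\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...client1\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...client1\n-----END RSA PRIVATE KEY-----\n"


def parse_conf(text):
    """Split a config into (directive, args) pairs.  shlex drops '#' comments and
    keeps a quoted push payload such as 'route a.b.c.d mask' as one argument."""
    split = (shlex.split(ln, comments=True) for ln in text.splitlines())
    return [(p[0], p[1:]) for p in split if p]

def first(conf, name, default=None):
    """Args of the first occurrence of a directive, or default when absent."""
    return next((a for d, a in conf if d == name), default)

def has(conf, name): return first(conf, name) is not None

def pushed_routes(conf):
    """(network, netmask) pairs the server pushes with push "route ..."."""
    payloads = [a[0].split() for d, a in conf if d == "push" and a]
    return [(p[1], p[2]) for p in payloads if len(p) >= 3 and p[0] == "route"]

def pushes_default_gateway(conf):
    """True when the server pushes redirect-gateway, i.e. tunnels all client traffic."""
    return any(d == "push" and a and a[0].split()[:1] == ["redirect-gateway"] for d, a in conf)

def lint_server(conf):
    """Weak or missing server settings; each finding starts with its directive name."""
    f = []
    if has(conf, "duplicate-cn"):
        f.append("duplicate-cn: lets several clients share one cert; drop it when each client has its own")
    if has(conf, "comp-lzo") or has(conf, "compress"):
        f.append("comp-lzo: compressed tunnel traffic is exposed to compression-oracle attacks; leave it off")
    if not (has(conf, "tls-auth") or has(conf, "tls-crypt")):
        f.append("tls-auth: missing; anyone who can reach udp/1194 may start a TLS handshake with the server")
    if not has(conf, "crl-verify"):
        f.append("crl-verify: missing; certificates revoked with easy-rsa's revoke-full are still accepted")
    return f

def lint_client(conf, server_conf):
    """Client-side checks, made against the server config it will connect to."""
    f = []
    if not has(conf, "remote-cert-tls"):
        f.append("remote-cert-tls: missing; 'remote-cert-tls server' stops a client cert posing as the server")
    if has(conf, "comp-lzo") != has(server_conf, "comp-lzo"):
        f.append("comp-lzo: set on only one side; both ends must agree")
    return f

def build_client_profile(server_conf, ca_pem, cert_pem, key_pem):
    """Render a single .ovpn with ca.crt and the client's cert/key inlined, taking
    the endpoint from the server's own config.  ca.key never goes into a profile."""
    host = first(server_conf, "local", [None])[0]
    if host is None:
        raise ValueError("server config has no 'local' address to connect to")
    port, proto = first(server_conf, "port", ["1194"])[0], first(server_conf, "proto", ["udp"])[0]
    lines = ["client", f"dev {first(server_conf, 'dev', ['tun'])[0]}", f"proto {proto}",
             f"remote {host} {port}", "resolv-retry infinite", "nobind", "persist-key",
             "persist-tun", "remote-cert-tls server", "verb 3"]
    if has(server_conf, "comp-lzo"):
        lines.append("comp-lzo")  # must match the server, see lint_client
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        lines += [f"<{tag}>", pem.strip(), f"</{tag}>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    srv, cli = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    print("pushed routes:", pushed_routes(srv), "| full tunnel:", pushes_default_gateway(srv))
    for finding in lint_server(srv) + lint_client(cli, srv):
        print("WARN", finding)
    print(build_client_profile(srv, CA_PEM, CERT_PEM, KEY_PEM))
```

Run as-is it reports four server findings and one client finding for the tutorial's configurations; point parse_conf at the real files to lint a deployment. Removing duplicate-cn and comp-lzo and adding tls-auth ta.key 0 on the server (ta.key from openvpn --genkey --secret ta.key, with tls-auth ta.key 1 on every client) plus crl-verify clears the server findings, and the generated profile already carries remote-cert-tls server, which works because build-key-server issued the server certificate with the server extensions.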