From Fedora Project Wiki
OpenVPN
For more information, see http://www.openvpn.net/.
Setting up an OpenVPN server
yum install openvpn.$HOSTTYPE
- Copy
/usr/share/openvpn/easy-rsa/2.0
somewhere (like root's home directory withcp -ai /usr/share/openvpn/easy-rsa/2.0 ~/easy-rsa
). cd ~/easy-rsa
- Edit
vars
appropriately. . vars
./clean-all
- Before continuing, make sure the system time is correct. Preferably, set up NTP .
./build-ca
./build-inter $( hostname | cut -d. -f1 )
./build-dh
mkdir /etc/openvpn/keys
cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh1024.pem /etc/openvpn/keys/
cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
- Edit
/etc/openvpn/server.conf
appropriately. chkconfig --level 2345 openvpn on
service openvpn start
- Verify that firewall rules allow traffic in from
tun+
, out from the LAN totun+
, and in from the outside on UDP port 1194.
The following should work (assuming your outside interface is eth1 and your inside interface is eth0):
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules
:
append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established
Setting up a Windows OpenVPN client
On the server:
cd easy-rsa
. vars
./build-key
username
On the client:
- Install the OpenVPN GUI or the stand-alone OpenVPN client.
- Copy username.crt, username.key, and ca.crt to
C:\Program Files\OpenVPN\config\
on the client.
- Drop roadwarrior-client.conf into
C:\Program Files\OpenVPN\config\
as whatever.ovpn and edit appropriately.
- Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.
Ideally the client should do some verification on the server key with tls-remote
in the whatever.ovpn configuration file.