Linux/OpenVPN: Difference between revisions
Page created and revised by Thomas (Talk | contributions); 27 intermediate revisions by the same user are not shown. The text below is the newer revision as shown in the diff view.

=Setup for an OpenVPN server which handles ALL traffic=
First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN
Do not forget to first set up the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
Add these lines to '''/etc/openvpn/openvpn.conf''' for routing all client traffic (including DNS lookups) through the VPN:
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
Add these lines for user/password authentication (via PAM) in addition to the certificate:
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name
Add this line for TLS authentication of the control channel (the client then also has to import '''ta.key''' and use direction '''1'''):
tls-auth ta.key 0
Check the necessary kernel options (they can also be built as modules, '''M'''):
CONFIG_TUN
CONFIG_IP_NF_CONNTRACK
... (lines unchanged between the two revisions are not shown in the diff view)
CONFIG_IP_NF_NAT
Allow IP forwarding permanently in '''/etc/sysctl.conf''':
net.ipv4.ip_forward = 1
Check that it is enabled:
cat /proc/sys/net/ipv4/ip_forward
Enable it on the fly (until the next reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward
Activate NAT (masquerading) for the VPN subnet, so that forwarded client traffic leaves through the server's uplink (necessary after each reboot, so put it for example in '''/etc/local.d/baselayout1.start'''):
modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
For verifying, list the nat rules:
iptables -t nat -v -L -n --line-number
Open port '''12112 UDP''' on your router.
Start OpenVPN:
/etc/init.d/openvpn start
If everything works, add OpenVPN to the default runlevel, so that it starts during boot:
rc-update add openvpn
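The setup above leaves three things that are easy to get half right: the config directives that make clients send everything through the tunnel and protect the control channel, the sysctl that permits forwarding, and the MASQUERADE rule that is lost on reboot. The following script is an added example (not from the wiki page or from the OpenVPN project) that audits all three; the config file, the sysctl files and the iptables listing it checks are constructed here so that it runs offline. The `ensure_masquerade` helper is an idempotent form of the page's NAT rule for the baselayout start script and is defined but not executed.

```shell
#!/bin/sh
# Added example: audit a "route all traffic" OpenVPN server as set up in the
# section above. All inputs below are constructed; paths are assumptions.

# has_directive FILE REGEX: 0 if a line in FILE starts with REGEX.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_conf FILE: 0 if every directive the page adds is present, 1 otherwise.
# Each missing directive is printed so the admin knows what to add.
check_conf() {
    missing=0
    for d in 'push "redirect-gateway def1"' \
             'push "dhcp-option DNS ' \
             'tls-auth ta.key 0' \
             'plugin .*openvpn-plugin-auth-pam\.so' \
             'username-as-common-name'; do
        if ! has_directive "$1" "$d"; then
            echo "missing in $1: $d"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# forwarding_enabled [FILE]: 0 if the sysctl file (default: the live one) holds 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# masquerade_listed SUBNET IFACE LISTING: 0 if LISTING, the output of
# "iptables -t nat -v -L -n --line-numbers", contains a MASQUERADE rule for
# SUBNET leaving via IFACE. Columns: num pkts bytes target prot opt in out source destination.
masquerade_listed() {
    printf '%s\n' "$3" | awk -v s="$1" -v i="$2" \
        '$4 == "MASQUERADE" && $8 == i && $9 == s { found = 1 } END { exit !found }'
}

# ensure_masquerade SUBNET IFACE: idempotent version of the page's NAT rule
# for /etc/local.d/baselayout1.start (needs root; not run by the checks below).
ensure_masquerade() {
    modprobe iptable_nat 2>/dev/null || true   # only needed if built as module
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_CONF="$WORK/openvpn.conf"
BAD_CONF="$WORK/openvpn-incomplete.conf"
FWD_ON="$WORK/ip_forward_on"
FWD_OFF="$WORK/ip_forward_off"

# Constructed server config containing the directives the page adds.
cat > "$GOOD_CONF" <<'EOF'
port 12112
proto udp
dev tun0
server 10.100.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name
tls-auth ta.key 0
EOF
# Same config without redirect-gateway and tls-auth: clients would keep their
# normal default route and the control channel would lack the HMAC protection.
grep -Ev '^(push "redirect-gateway|tls-auth)' "$GOOD_CONF" > "$BAD_CONF"
echo 1 > "$FWD_ON"
echo 0 > "$FWD_OFF"

# Constructed listing in the format of: iptables -t nat -v -L -n --line-numbers
NAT_LISTING='Chain POSTROUTING (policy ACCEPT 10 packets, 800 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      123  9876 MASQUERADE  all  --  *      eth0    10.100.0.0/24        0.0.0.0/0'

# Stand-alone run: report on the constructed inputs.
check_conf "$GOOD_CONF" && echo "sample config: ok"
check_conf "$BAD_CONF" || echo "incomplete config: rejected"
forwarding_enabled "$FWD_ON" && echo "forwarding sample: on"
masquerade_listed 10.100.0.0/24 eth0 "$NAT_LISTING" && echo "nat rule: listed"
```

On a real server, call `check_conf /etc/openvpn/openvpn.conf`, `forwarding_enabled` without an argument, and pass the live `iptables -t nat -v -L -n --line-numbers` output to `masquerade_listed`; the `-C` check in `ensure_masquerade` is what keeps the rule from being appended twice when the start script runs again.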
= Android = | |||
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | |||
Import client '''openvpn.conf'''. Enable '''User/PW + Certificates''' and '''Use default route'''. | |||
Disable '''LZO Compression''', if you disabled it on the server because of simple ChromeOS clients. | |||
If you want to use '''TLS Authentication''', then also import '''ta.key''' and choose TLS direction '''1'''.
= ChromeOS = | |||
== Simple == | |||
Restrictions of the simple method:
* no compression | |||
* no tlsauth | |||
* only UDP | |||
On the Linux server: | |||
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12 | |||
* import '''ca.crt''' and '''client1.p12''' at '''chrome://settings/certificates''' and then use the OpenVPN connection wizard of ChromeOS. | |||
* disable '''comp-lzo''' and '''tlsauth''' and use '''proto udp''' in '''/etc/openvpn/openvpn.conf''' and restart OpenVPN | |||
* use '''servername:12112''' in ChromeOS OpenVPN connection settings | |||
Source: https://www.errietta.me/blog/openvpn-chromebook/ | |||
== Advanced == | |||
For the advanced configuration, you also have to import the certificates; then create a '''.onc''' config file and import it at '''chrome://net-internals/#chromeos'''.
Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol. | |||
More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub. | |||
Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique. | |||
Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/ | |||
= WiFi Hotspots = | |||
Some Hotspots (for example Telekom Germany) do not allow '''UDP''' packets. In that case, configure OpenVPN to use '''TCP'''. | |||
= Multiple OpenVPN servers on one machine (Gentoo) = | |||
Create 2 config files '''server1.conf''' and '''server2.conf''' in '''/etc/openvpn''' with the content from above. Then change the following lines: | |||
server1.conf: | |||
port 12112 | |||
proto udp | |||
dev tun0 | |||
server 10.100.0.0 255.255.255.0 | |||
ifconfig-pool-persist ipp.txt | |||
server2.conf: | |||
port 3389 | |||
proto tcp | |||
dev tun1 | |||
server 10.200.0.0 255.255.255.0 | |||
ifconfig-pool-persist ipp2.txt | |||
Open both ports on your router. | |||
Create OpenRC service symlinks (one service instance per config file):
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1 | |||
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2 | |||
Create 2 NAT rules (one per VPN subnet):
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | |||
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE | |||
Start both servers: | |||
/etc/init.d/openvpn.server1 start | |||
/etc/init.d/openvpn.server2 start | |||
Configure autostart: | |||
rc-update add openvpn.server1 | |||
rc-update add openvpn.server2 | |||
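The two instances above must differ in exactly the lines the section lists, and everything else should stay shared. The following script is an added example (not from the wiki page or from the OpenVPN project) that renders both per-instance configs from one base config, checks that they cannot collide on port/protocol, tun device or VPN subnet, and prints the matching MASQUERADE rule for each. The base config and the output directory are constructed; the `ca`, `cert`, `key`, `dh` and `keepalive` lines in it stand in for whatever the shared part of your config holds.

```shell
#!/bin/sh
# Added example: render server1.conf and server2.conf from one base config and
# check that the two instances can run side by side. Inputs are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# directive_value FILE NAME: first value of directive NAME ("port 12112" -> 12112).
directive_value() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# render_server_conf BASE OUT PORT PROTO DEV SUBNET POOL: copy BASE to OUT
# without its per-instance directives, then append the per-instance ones.
render_server_conf() {
    grep -Ev '^[[:space:]]*(port|proto|dev|server|ifconfig-pool-persist)([[:space:]]|$)' "$1" > "$2"
    {
        echo "port $3"
        echo "proto $4"
        echo "dev $5"
        echo "server $6 255.255.255.0"
        echo "ifconfig-pool-persist $7"
    } >> "$2"
}

# instances_conflict CONF1 CONF2: 0 if the two instances share a port/proto
# pair, a tun device or a server subnet; 1 if they can run side by side.
instances_conflict() {
    a_sock="$(directive_value "$1" port)/$(directive_value "$1" proto)"
    b_sock="$(directive_value "$2" port)/$(directive_value "$2" proto)"
    if [ "$a_sock" = "$b_sock" ]; then return 0; fi
    if [ "$(directive_value "$1" dev)" = "$(directive_value "$2" dev)" ]; then return 0; fi
    if [ "$(directive_value "$1" server)" = "$(directive_value "$2" server)" ]; then return 0; fi
    return 1
}

# nat_rule_for CONF IFACE: print the MASQUERADE rule for CONF's VPN subnet,
# i.e. the per-instance line of the "Create 2 NAT rules" step.
nat_rule_for() {
    net="$(directive_value "$1" server)"
    mask="$(awk '$1 == "server" { print $3; exit }' "$1")"
    case "$mask" in
        255.255.255.0) prefix=24 ;;
        255.255.0.0)   prefix=16 ;;
        255.0.0.0)     prefix=8 ;;
        *) echo "unsupported netmask: $mask" >&2; return 1 ;;
    esac
    echo "iptables -t nat -A POSTROUTING -s $net/$prefix -o $2 -j MASQUERADE"
}

# Constructed base config: the shared part plus the defaults that get replaced.
BASE="$WORK/base.conf"
cat > "$BASE" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh.pem
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
tls-auth ta.key 0
keepalive 10 120
EOF

render_server_conf "$BASE" "$WORK/server1.conf" 12112 udp tun0 10.100.0.0 ipp.txt
render_server_conf "$BASE" "$WORK/server2.conf" 3389  tcp tun1 10.200.0.0 ipp2.txt

if instances_conflict "$WORK/server1.conf" "$WORK/server2.conf"; then
    echo "conflict between server1 and server2" >&2
else
    echo "server1 and server2 can run side by side"
fi
nat_rule_for "$WORK/server1.conf" eth0
nat_rule_for "$WORK/server2.conf" eth0
```

Point `BASE` at the shared config and the output paths at `/etc/openvpn/server1.conf` and `server2.conf` to use it on the server; run `instances_conflict` on every pair whenever a third instance is added, since a shared `dev` or subnet only shows up as a failure when the second service starts.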