OVH Community, your new community space.

How to set up a VPN server?


cioby23
16-11-2010, 12:43
The virtual rack solution is pretty interesting. We might consider using it. Thanks for the provided info.

Razakel
12-11-2010, 15:36
Quote: Originally Posted by cioby23
Hi all,
We have a couple of dedicated servers hosted on OVH. All of them have real IPs.
Is it possible to move all servers in a private network which can be accessed through a gateway using OpenVPN?

Many thanks,

You might want to look at the virtual rack for that:
http://www.ovh.co.uk/items/virtual_rack.xml

freshwire
12-11-2010, 14:36
I am just using iPig for VPN. Crappy solution but is so easy to set up and tunnel through SSH (which for me is then tunnelled through HTTP).

cioby23
12-11-2010, 13:38
Hi all,
We have a couple of dedicated servers hosted on OVH. All of them have real IPs.
Is it possible to move all servers in a private network which can be accessed through a gateway using OpenVPN?

Many thanks,

Andy
27-08-2010, 09:06
Ah right. Normally a VPN is for personal use, not public

Thelen
27-08-2010, 07:53
Yup Logmein Hamachi is good, though I didn't know they had public access? I think that is what he means

Andy
26-08-2010, 12:38
Try www.hamachi.cc, works on all platforms, even mobile phones IIRC.

Iray
26-08-2010, 10:44
Myatu and his awesome sauce tutorials. I'm going to try this now.

stoner
26-08-2010, 09:20
Myatu ur like a bucket full of knowledge I just wish I was a sponge and was sat in it so I could soak it all up..
Once again one of your guides that are well explained, you are an asset to this forum

Thelen
26-08-2010, 02:49
On another note, you might find windows to be worth the 15GBP a month for two reasons.

1. OpenVPN maxes out at about 20Mbit even with sub 10ms ping
2. System resource usage is WAY higher, such to the extent you probably won't be able to do more than 50Mbit either which way before timeouts start happening. Windows will happily hum along at 500Mbit.

Aside, good guide though

olliegooch
26-08-2010, 00:19
Myatu: Bookmarked, great guide

Myatu
26-08-2010, 00:13
It does look a bit difficult at first, but I'll walk you through it (it's Debian/Ubuntu specific)...

Install OpenVPN

This installs OpenVPN from the Debian/Ubuntu package and creates a new system user/group called "openvpn". It's preferable over using "root" (a major security concern) or "nouser"/"nogroup" (insecure as well, but less so than "root").

Shell cut & paste:

Code:
apt-get install openvpn
adduser --system --no-create-home --group openvpn

Configure Easy-RSA

Easy-RSA is included with OpenVPN, and makes the task of managing security certificates (CSR's, for granting user/client access to the OpenVPN server) easier.

Shell cut & paste:

Code:
mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
nano vars

You're now editing the /etc/openvpn/easy-rsa/vars file - scroll down until you see "export KEY_COUNTRY=" and edit accordingly, for example:

Code:
export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="Hammersmith"
export KEY_ORG="My Company"
export KEY_EMAIL="hello@mycomany.internal"

Exit by pressing CTRL+X and answer Y for "Yes, save".

Shell cut & paste (answer any questions with their default):

Code:
source ./vars
./clean-all
chmod 700 /etc/openvpn/easy-rsa/keys/
./build-ca
./build-dh

And in the following shell cut & paste, simply replace the domain name with what you'd like to use instead:

Code:
./build-key-server vpn.myserver.com

The above actions have created the following files:

dh:
/etc/openvpn/easy-rsa/keys/dh1024.pem

CA public certificate:
/etc/openvpn/easy-rsa/keys/ca.crt

RA Server certificate & key:
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.key


(where "vpn.myserver.com" is obviously replaced by the domain you've chosen).

From now on, if you want to add more domains (as in, more OpenVPN servers), simply use:

Code:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-server <domain>

OpenVPN Server Configuration

Here we assume that we call the server "ra-server" and the configuration's filename reflects that. Of course you can change this as you like, and OpenVPN supports multiple .conf files (let's keep it simple for now and stick to one).

Edit /etc/openvpn/ra-server.conf by typing

Code:
nano /etc/openvpn/ra-server.conf

and replace any existing contents with the contents below, paying attention to modify whatever the comments (lines starting with a #) specify:

Code:
server 192.168.2.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE:
local 91.12.34.56

dev tun
proto udp
comp-lzo

# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (G3 / G3.5) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32

# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1 bypass-dns"

keepalive 10 60

dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt

# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key

# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

user openvpn
group openvpn

persist-key
persist-tun

So in all, 3 lines need to be modified. I'll get to that "crl-verify" line later.

OpenVPN Client Configuration

The first step is to create a CSR on the server, or a "remote client access certificate". You do this with the following steps on the server:

Code:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12 <name>

All you need to do is replace <name> with a memorable name (preferably without spaces), such as "john-laptop".

This will generate a file /etc/openvpn/easy-rsa/keys/<name>.p12, i.e. "john-laptop.p12", and is what you will give to the remote VPN user/client (only this file - no other keys/certificates!).

Note: Giving it an "Export" password will cause the remote OpenVPN client to ask for this password (from the user). You can leave this blank if you wish, but you should obviously be aware that this means anyone could potentially use the certificate if it fell in the wrong hands.

Now, the following OpenVPN client configuration, which is used to configure the remote user's client (thus don't do this on the server), is quite generic:

Code:
client
dev tun
proto udp

# THE IP OF THE REMOTE OPENVPN SERVER:
remote 91.12.34.56

# THE CSR FILE:
pkcs12 <name>.p12

comp-lzo

However, where this configuration file is stored depends on the OS. For example, on Linux it's /etc/openvpn/<name>.vpn.myserver.com.conf and on Windows it's C:\Program Files\OpenVPN\config\<name>.vpn.myserver.com.ovpn.

Obviously you replace the <name> as well as the domain name with their actual values. And another note on the filename, you don't have to name these files as such, but I'm doing it here to help you (and the VPN user) to keep tabs on what file belongs to what server & user, simply by looking at the filename.

This directory will also be the one where you store the .p12 file that was generated on the server earlier. For security reasons, on a Linux based system you may wish to use:

Code:
chmod 600 <name>.p12

Great! At this point, the remote VPN user/client should have full access to the server and have Internet traffic routed through it. If you don't wish to have the latter (traffic routed through the server), remove - or comment - the following line from the server's configuration:

Code:
push "redirect-gateway def1 bypass-dns"

Revoking CSR

If for some reason you need to revoke the CSR (access to the server using that certificate), you do this as follows (on the server):

Code:
cd /etc/openvpn/easy-rsa
source ./vars
./revoke-full <name>

Now make sure that you have uncommented the crl-verify line in your server's configuration (/etc/openvpn/ra-server.conf) by removing the # sign:

Code:
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

That's it!

Again, it looks daunting at first, but if you follow these steps it'll become clear to you why and how. The next time you need to add a user/client, a lot of this can be skipped as well, so making it quite easy to use.
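
An audit of the server configuration the guide above produces, added here as an example (it is not part of the original post or of OpenVPN). It checks the points the guide raises: an unprivileged "user"/"group", an active "crl-verify" line and private key permissions. The 2048-bit minimum for DH parameters, the function names and the sample file are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config like the guide's ra-server.conf.

# Print the argument of the first active (uncommented) DIRECTIVE in FILE.
directive() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# audit_ovpn_conf FILE: one finding per line, no output if nothing is flagged.
audit_ovpn_conf() {
    conf=$1
    for d in user group; do
        v=$(directive "$conf" "$d")
        if [ -z "$v" ] || [ "$v" = root ]; then
            echo "PRIVS: no unprivileged '$d' set, daemon keeps root"
        fi
    done
    if [ -z "$(directive "$conf" crl-verify)" ]; then
        echo "CRL: crl-verify not active, revoked certificates still connect"
    fi
    # easy-rsa 2.0 names the file dh<KEY_SIZE>.pem; the name is only a heuristic.
    bits=$(directive "$conf" dh | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "DH: ${bits}-bit parameters, regenerate with at least 2048 bits"
    fi
    # Columns 5-10 of 'ls -l' are the group/other permission bits.
    key=$(directive "$conf" key)
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "KEYPERM: $key is accessible to group/other, chmod 600 it"
    fi
    return 0
}

# Constructed sample mirroring the guide's config; all paths are temp files.
make_sample() {
    dir=$(mktemp -d)
    touch "$dir/server.key"; chmod 644 "$dir/server.key"
    cat > "$dir/ra-server.conf" <<EOF
server 192.168.2.0 255.255.255.0
dev tun
proto udp
dh $dir/dh1024.pem
ca $dir/ca.crt
key $dir/server.key
# crl-verify $dir/crl.pem
user openvpn
group openvpn
EOF
    echo "$dir/ra-server.conf"
}

audit_ovpn_conf "$(make_sample)"
```

Run against a real server with: audit_ovpn_conf /etc/openvpn/ra-server.conf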

Winit
25-08-2010, 22:14
http://openvpn.net/index.php/access-...penvpn-as.html

Simples.

Iray
25-08-2010, 19:44
OpenVPN hardly looks like the easiest!

darkfyre
25-08-2010, 19:22
http://openvpn.net/

OpenVPN is very easy to set up and use.

Iray
25-08-2010, 18:29
In your experience, which VPN server package has been the easiest to set up in Debian?

Really desperate since I am spending a lot of time connecting through open wireless connections and do not have an option to tunnel via SSH.

any advice?