OpenVPN server side

OpenVPN server configuration

Edit /etc/openvpn/server.conf.

Set the ca, cert and key to the generated root certificate, server certificate and server key.

ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key  # This file should be kept secret

Additionally set the path to the file with the Diffie-Hellman parameters:

dh keys/dh1024.pem

Announce the routes to the client with the push statement so that it can reach the other private subnets over the OpenVPN server. Remember that these private subnets will also need a route for the OpenVPN client address pool (10.8.0.0/255.255.255.0) back to the OpenVPN server:

push "route 192.168.10.0 255.255.255.0"
push "route 192.168.25.0 255.255.255.0"
push "route 192.168.23.0 255.255.255.0"

Add the routes to the subnets to the OpenVPN server:

route 192.168.25.0 255.255.255.0 vpn_gateway
route 192.168.23.0 255.255.255.0 vpn_gateway

To allow machines in the subnets behind the OpenVPN clients to access the VPN as well, you need to define the client-config-dir and add the routes as well:

client-config-dir ccd
route 192.168.25.0 255.255.255.0
route 192.168.23.0 255.255.255.0

Given your client names are vpn-client1 and vpn-client2, add a file for each client, named after the client ("vpn-client1" and "vpn-client2"), in /etc/openvpn/ccd and add a statement like:

iroute 192.168.23.0 255.255.255.0

for the client providing the 192.168.23.0 subnet

and

iroute 192.168.25.0 255.255.255.0

for the client providing the 192.168.25.0 subnet
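A subnet behind a client only works when both halves of the configuration above are present: the route statement in server.conf (so the kernel hands packets for that subnet to the tun interface) and the iroute statement in the client's ccd file (so OpenVPN knows which client owns it). OpenVPN looks the ccd file up by the Common Name of the client's certificate, so a misspelled file name is simply ignored. The following shell script is an added example, not part of the original page or of the OpenVPN project, that cross-checks every iroute in the ccd directory against the route lines in server.conf; the paths and client names it uses are the ones from this page and are assumptions:

```sh
#!/bin/sh
# Added example (not part of the original page): cross-check the iroute
# statements in the client-config-dir against the route statements in
# server.conf. Each subnet behind a client needs both lines: "route" makes
# the kernel hand packets for the subnet to the tun interface, "iroute"
# tells OpenVPN which client the subnet belongs to. An iroute with no
# matching route is a silent misconfiguration: the subnet is unreachable.

# check_iroutes CONF CCD_DIR
# Return 0 if every iroute in CCD_DIR has a matching route in CONF,
# otherwise print one line per missing route and return 1.
check_iroutes() {
    conf="$1"
    ccd="$2"
    problems=$(
        for f in "$ccd"/*; do
            [ -f "$f" ] || continue
            cn=$(basename "$f")
            # Fields: "iroute <network> <netmask>"; comment lines are skipped.
            grep -E '^[[:space:]]*iroute[[:space:]]' "$f" |
            while read -r _ net mask _; do
                # Match "route <network> <netmask>" with or without a gateway
                # such as vpn_gateway after it.
                awk -v n="$net" -v m="$mask" \
                    '$1 == "route" && $2 == n && $3 == m { found = 1 }
                     END { exit !found }' "$conf" ||
                echo "$cn: iroute $net $mask has no matching route in $conf"
            done
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Example invocation (assumes the paths used on this page):
# check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd
```

Run it after every change to the ccd directory; a non-zero exit status means at least one client subnet would be unreachable after the next restart.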

If you want the clients, and the subnets behind them, to see each other, enable client-to-client.

Back up ovpn20z.lrp.

Configure shorewall on the openvpn server

Add a new zone to /etc/shorewall/zones:

vpn VPN Remote Subnet

Add the tun interface to /etc/shorewall/interfaces:

vpn tun+

Note that we added a wildcard ("+") to the tun interface so the vpn zone applies to all tun interfaces - important if you want to support more than one OpenVPN client.

You can either open the traffic between the vpn zone and the local net completely by adding

loc vpn ACCEPT
vpn loc ACCEPT

to /etc/shorewall/policy - or just add the ports you want to open in /etc/shorewall/rules.

As a last step, add your VPN to the shorewall tunnel definitions (/etc/shorewall/tunnels):

generic:udp:1194 net 0.0.0.0/0

Note: This is a very generic definition; newer shorewall versions support openvpn as a tunnel type. The gateway is defined as "0.0.0.0/0" to support clients with dynamic IP addresses.

Starting the OpenVPN server

Manual

To test the server configuration you can manually start the OpenVPN server with the command

# openvpn /etc/openvpn/server.conf

Automatic

After a (re)boot the /etc/init.d/openvpn script starts all tunnels that have a definition file in /etc/openvpn. The definition files are all files with the extension .conf. This means that you should rename or delete any sample configuration files in that directory if you don't want openvpn to attempt to start those tunnels at (re)boot time.

Checking

Check /var/log/openvpn-status for the status of your OpenVPN tunnels.

In case of problems, /var/log/daemon.log may give some hints for troubleshooting.
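The status file is also the place to confirm that each subnet behind a client is actually claimed by the client you expect, since the ROUTING TABLE section lists every routed address together with the Common Name of the client it belongs to. The following shell script is an added example, not part of the original page or of the OpenVPN project. It assumes the default status file format (version 1, the CLIENT LIST / ROUTING TABLE layout written by the status directive); the client names, addresses and timestamps in the embedded sample are constructed:

```sh
#!/bin/sh
# Added example (not part of the original page): summarise an OpenVPN
# status file (format version 1) and verify which client currently owns a
# routed subnet. The path on this page is /var/log/openvpn-status.

# status_clients FILE
# Print "common-name real-address connected-since" for each connected client.
status_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
        /^ROUTING TABLE/       { sect = "routes";  next }
        /^GLOBAL STATS/        { sect = "";        next }
        # The "Updated,..." line precedes the column header; only rows after
        # the header are client entries.
        sect == "clients" && /^Common Name,/ { hdr = 1; next }
        sect == "clients" && hdr { print $1, $2, $5 }
    ' "$1"
}

# status_routes FILE
# Print "virtual-address common-name" for each routing table entry.
# Subnets reached through an iroute appear as a.b.c.d/prefix.
status_routes() {
    awk -F, '
        /^ROUTING TABLE/ { sect = 1; next }
        /^GLOBAL STATS/  { sect = 0 }
        sect && /^Virtual Address,/ { next }
        sect { print $1, $2 }
    ' "$1"
}

# subnet_owned_by FILE SUBNET CN
# Return 0 if SUBNET (e.g. 192.168.23.0/24) is routed to client CN,
# 1 if it is absent or claimed by a different client.
subnet_owned_by() {
    owner=$(status_routes "$1" | awk -v s="$2" '$1 == s { print $2 }')
    [ "$owner" = "$3" ]
}

# write_sample_status FILE
# Constructed sample status file (not real data) used to exercise the
# functions above offline; the addresses are documentation ranges.
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn-client1,203.0.113.5:41234,12345,67890,Thu Jun 18 08:00:00 2009
vpn-client2,198.51.100.7:51000,2345,6789,Thu Jun 18 08:05:00 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,vpn-client1,203.0.113.5:41234,Thu Jun 18 08:12:10 2009
192.168.23.0/24,vpn-client1,203.0.113.5:41234,Thu Jun 18 08:12:10 2009
10.8.0.10,vpn-client2,198.51.100.7:51000,Thu Jun 18 08:12:12 2009
192.168.25.0/24,vpn-client2,198.51.100.7:51000,Thu Jun 18 08:12:12 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Example invocation against the live server (assumes the path on this page):
# status_clients /var/log/openvpn-status
# subnet_owned_by /var/log/openvpn-status 192.168.23.0/24 vpn-client1
```

A subnet that shows up under an unexpected Common Name, or not at all, points at a wrong iroute in that client's ccd file or at a ccd file whose name does not match the certificate.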