Created
May 4, 2011 22:26
-
-
Save eegrok/956175 to your computer and use it in GitHub Desktop.
set up VPN from scratch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #partially from: | |
| #http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html | |
| # in this I refer to the server and the client -- really the only difference here is that the 'server' | |
| # needs to have a publicly accessible IP, and be configured to allow UDP port 1194 to connect inbound | |
| iptables -A INPUT -s <put-client-public-ip-address-here> -p udp -m udp --dport 1194 -j ACCEPT | |
| # other than that, they can communicate both ways, assuming the client firewall is configured to allow it | |
| # (to firewall the client to prevent all server connections, see below) | |
| # don't forget to save your iptables configurations after making them -- https://gist.github.com/958060 | |
| #on server, make sure openvpn is installed (on ubuntu it's simply: aptitude install openvpn) | |
| # to install on rhel5, follow this: https://gist.github.com/957868 | |
| cd /etc/openvpn | |
| #generate a shared key | |
| openvpn --genkey --secret static.key | |
| #you'll need to copy the shared key above to the client /etc/openvpn directory | |
| # the following lines copy server.conf (from https://gist.github.com/956165 ) into /etc/openvpn | |
| wget https://gist.github.com/raw/956165/openvpn-server.conf --no-check-certificate | |
| mv openvpn-server.conf /etc/openvpn/server.conf | |
| #on client, make sure openvpn is installed | |
| cd /etc/openvpn | |
| # the following lines copy client.conf (from https://gist.github.com/956183 ) into /etc/openvpn | |
| wget https://gist.github.com/raw/956183/openvpn-client.conf --no-check-certificate | |
| mv openvpn-client.conf /etc/openvpn/client.conf | |
| #modify client.conf to use the remote server's public ip address (remote line) | |
| #start openvpn to test your config (on server first, then client) | |
| service openvpn start | |
| ping 172.23.0.1 | |
| # then ping 172.23.0.2 from the server | |
| # if your pings aren't working, you may need to make sure they're being allowed by the server firewall | |
| iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 172.23.0.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| # if still not working, try looking at the stdout for both server / client -- adding the line | |
| verb 6 | |
| # to both configuration files | |
| # make sure your firewall configuration is set up to allow any ports you want to connect, e.g.: | |
| # to allow mysql from the client to the server: | |
| # run this command on the server | |
| iptables -A INPUT -s 172.23.0.2 -p tcp -m tcp --dport 3306 -j ACCEPT | |
| # to set it up so the server can't connect to the client at all, use the following rules | |
| # allow existing connections to send traffic both ways | |
| # run these commands on the client | |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A INPUT -s 172.23.0.1 -j DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment