@filler
Created July 20, 2012 12:45
split and non-split centos openvpn configs

Hacky Openvpn

Drop both conf files into /etc/openvpn; /etc/init.d/openvpn should pick up both and start them. Set the IP address of the host you want to VPN through on the local lines of the configs (the ip.addr.of.host placeholders).

The key difference is that openvpn-split.conf only pushes routes for the netblocks you want to route over the VPN; in the configs below, that's the two routable /16s. openvpn-everything.conf pushes a default gateway down to clients, shunting all traffic through the VPN endpoint. Also push DNS servers if you have records locked up in campus DNS.

You also have to do all the easy-rsa business, which is fairly well documented on the web. Copy the client certs that come out of it over to your VPN client. I use Tunnelblick in OS X.
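A matching client config, added here as an example and not part of the gist: it assumes easy-rsa produced client.crt and client.key for this client, and points at the openvpn-everything.conf port (11194); use 21194 for openvpn-split.conf. The directives mirror the server side (tun, udp, comp-lzo, persist options), and remote-cert-tls server makes the client refuse a peer presenting a client certificate as the server.

```text
client
dev tun
proto udp
# ip.addr.of.host is the same placeholder as in the server configs;
# use 21194 here when connecting to the openvpn-split.conf instance
remote ip.addr.of.host 11194
resolv-retry infinite
nobind
persist-key
persist-tun
# files from the easy-rsa step; names assumed
ca ca.crt
cert client.crt
key client.key
# only accept a server certificate, not another client's
remote-cert-tls server
# must match the server, which has comp-lzo set
comp-lzo
verb 3
```

Tunnelblick reads the same directives; drop the file and the three PEM files into one configuration bundle.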

Tested using openvpn-2.2.2-1.el5.rf from rpmforge on CentOS 5.8 in a Xen DomU.

Other gotchas:

  • set the packet filter to NAT VPN client traffic:
      /sbin/iptables -t nat -A POSTROUTING -s 10.20.30.0/255.255.255.0 -j SNAT --to-source ip.addr.of.host
      /sbin/iptables -t nat -A POSTROUTING -s 10.20.40.0/255.255.255.0 -j SNAT --to-source ip.addr.of.host

  • set the kernel to forward packets:
      echo 1 > /proc/sys/net/ipv4/ip_forward
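The split-versus-everything distinction and the NAT gotchas above are easy to get out of sync once the subnets change. The following script is an added example (not from the gist): it parses the directives that matter from both server configs, reports whether each one is a full-tunnel or split-tunnel setup, and derives the SNAT and ip_forward commands from the "Other gotchas" list from the server pools actually configured. The two config texts are constructed inline from the gist's files; ip.addr.of.host stays a placeholder.

```python
"""Derive tunnel mode and host-side NAT rules from OpenVPN server configs."""
import ipaddress
import shlex

HOST_ADDR = "ip.addr.of.host"  # placeholder, as in the gist

# Constructed sample input: the directives from the gist's two configs.
EVERYTHING_CONF = """\
port 11194 # (1194 is the default but on some APN networks this is blocked)
proto udp
dev tun
server 10.20.40.0 255.255.255.0
push "dhcp-option DNS 130.132.1.9"
push "redirect-gateway"
comp-lzo
duplicate-cn
local ip.addr.of.host
"""

SPLIT_CONF = """\
port 21194
proto udp
dev tun
server 10.20.30.0 255.255.255.0
push "route 130.132.0.0 255.255.0.0"
push "route 172.28.0.0 255.255.0.0"
push "dhcp-option DNS 130.132.1.9"
comp-lzo
duplicate-cn
local ip.addr.of.host
"""


def parse_conf(text):
    """Collect server pool, pushed routes/DNS/gateway and a few flags."""
    info = {"port": None, "proto": None, "server": None, "routes": [],
            "dns": [], "redirect_gateway": False, "duplicate_cn": False,
            "comp_lzo": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)  # keeps quoted push arguments together
        key, args = words[0], words[1:]
        if key == "server" and len(args) == 2:
            info["server"] = ipaddress.ip_network(f"{args[0]}/{args[1]}")
        elif key == "push" and args:
            pushed = args[0].split()
            if pushed[0] == "redirect-gateway":
                info["redirect_gateway"] = True
            elif pushed[0] == "route" and len(pushed) >= 3:
                info["routes"].append(ipaddress.ip_network(f"{pushed[1]}/{pushed[2]}"))
            elif pushed[:2] == ["dhcp-option", "DNS"] and len(pushed) == 3:
                info["dns"].append(pushed[2])
        elif key == "duplicate-cn":
            info["duplicate_cn"] = True
        elif key == "comp-lzo":
            info["comp_lzo"] = True
        elif key == "port" and args:
            info["port"] = int(args[0])
        elif key == "proto" and args:
            info["proto"] = args[0]
    return info


def tunnel_mode(info):
    """'full' when a default gateway is pushed, 'split' when only routes are."""
    if info["redirect_gateway"]:
        return "full"
    return "split" if info["routes"] else "none"


def nat_rules(infos, host_addr=HOST_ADDR):
    """The ip_forward and SNAT commands from the gotchas, one per VPN pool."""
    cmds = ["echo 1 > /proc/sys/net/ipv4/ip_forward"]
    for info in infos:
        net = info["server"]
        if net is None:
            continue  # bridged config: no pool to NAT
        cmds.append(
            f"/sbin/iptables -t nat -A POSTROUTING "
            f"-s {net.network_address}/{net.netmask} "
            f"-j SNAT --to-source {host_addr}"
        )
    return cmds


if __name__ == "__main__":
    for name, text in (("openvpn-everything.conf", EVERYTHING_CONF),
                       ("openvpn-split.conf", SPLIT_CONF)):
        info = parse_conf(text)
        print(f"{name}: {info['proto']}/{info['port']} pool {info['server']} "
              f"mode={tunnel_mode(info)} routes={[str(r) for r in info['routes']]} "
              f"dns={info['dns']} duplicate-cn={info['duplicate_cn']}")
    print("\n".join(nat_rules([parse_conf(EVERYTHING_CONF), parse_conf(SPLIT_CONF)])))
```

Running it prints one summary line per config and then the three commands from the gotchas list, with the subnets taken from the server directives rather than retyped.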

# openvpn-everything.conf (file name taken from the description above)
port 11194 # (1194 is the default but on some APN networks this is blocked)
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.20.40.0 255.255.255.0
push "dhcp-option DNS 130.132.1.9"
push "redirect-gateway" # this is key to routing all bits through
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn # (this means several users can use the same key)
local ip.addr.of.host

# openvpn-split.conf (file name taken from the description above)
#
# http://openvpn.net/index.php/open-source/documentation/howto.html#quick
#
# http://openvpn.net/index.php/open-source/documentation/howto.html
#
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
# (1194 is the default but on some APN networks this is blocked)
port 21194
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key
# Diffie-Hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.20.30.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.20.30.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.20.30.0 255.255.255.0
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.20.30.0/255.255.255.0)
# back to the OpenVPN server.
push "route 130.132.0.0 255.255.0.0"
push "route 172.28.0.0 255.255.0.0"
push "dhcp-option DNS 130.132.1.9"
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this on
# non-Windows systems.
user nobody
group users
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE.
duplicate-cn
# Which local IP address should OpenVPN
# listen on? (optional)
local ip.addr.of.host