lookingcloudy/client.opvn

## client.opvn
#sample client configuration file
#place the ca.crt, client.crt, and client.key
#in the same folder as this configuration file.
#Import this into your OpenVPN client

client
dev tun
proto udp

# change this to the IP or name of your server
remote home.mydyndns.org 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt

#use the name of the certificate you generated
cert client.crt
key client.key
comp-lzo
verb 3

## install instructions
# install open vpn server for open media vault
# these steps need to be run manually on the OMV server
# as the OMV server will not allow to run as a shell script

#need to add the standard debian repository
echo 'deb http://ftp.us.debian.org/debian sid main' >>/etc/apt/sources.list

#next update the repositories
apt-get update

#install open vpn packages
apt-get install openvpn -y
apt-get install easy-rsa -y
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/


#cofigure CA & client keys - note update this with your information
echo 'export KEY_COUNTRY="US"' > /etc/openvpn/easy-rsa/vars
echo 'export KEY_PROVINCE="FL"' >> /etc/openvpn/easy-rsa/vars
echo 'export KEY_CITY="Tampa"' >> /etc/openvpn/easy-rsa/vars
echo 'export KEY_ORG="none"' >> /etc/openvpn/easy-rsa/vars
echo 'export KEY_EMAIL="me@me.com"' >> /etc/openvpn/easy-rsa/vars

#use your name, computer name, etc for this
echo 'export KEY_CN="client" '>> /etc/openvpn/easy-rsa/vars
echo 'export KEY_NAME="client" '>> /etc/openvpn/easy-rsa/vars

echo 'export KEY_OU="home.mydyndns.org" '>> /etc/openvpn/easy-rsa/vars
echo 'export KEY_ALTNAMES="me@me.com" '>> /etc/openvpn/easy-rsa/vars

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca

./build-key-server server
./build-dh
cd keys/
cp server.crt /etc/openvpn/
cp server.key  /etc/openvpn/


cp ca.crt  /etc/openvpn/
cp dh2048.pem /etc/openvpn/

cd /etc/openvpn/easy-rsa/
source vars
./build-key client

#the client certs need to be copied to clients.  should be removed from the server
cd /etc/openvpn
tar czvf client.gz ca.crt easy-rsa/keys/client.crt easy-rsa/keys/client.key

## copy the client.gz to your client computer


#CONFIGURE OPENVPN SERVER
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
sed -i.bak 's/\(cert \).*$/\1'"server"'.crt/' server.conf
sed -i.bak 's/\(key \).*$/\1'"server"'.key/' server.conf
sed -i.bak 's/\(dh \).*$/\1dh2048.pem/' server.conf

#push private network to clients - assumes your private network is 10.0.0.0/24
echo 'push "route 10.0.0.0 255.255.255.0"' > server.conf

#redirect all traffic to the VPN tunnel, including DHCP, DNS, etc
echo 'push "redirect-gateway def1 bypass-dhcp"' > server.conf

#push dns settings - assuming you have setup a local DNS server on your OMV server
#and your OMV server is 10.0.0.100
#if you are not running a DNS server on your private network, comment this line out
echo 'push "dhcp-option DNS 10.0.0.100"' > server.conf

#CONFIGURE IPV4 FORWARDING - THIS IS ONLY FOR CURRENTLY RUNNING SYSTEM
echo 1 > /proc/sys/net/ipv4/ip_forward

#THIS MAKES PORT FORWARDING PERM
sed -i.bak 's/#\(net.ipv4.ip_forward\).*$/\1=1/' /etc/sysctl.conf

#TO HAVE INTERNET ACCESS THROUGH THE VPN TUNNEL...NEED TO RUN THE FOLLOWING AS ROOT
  modprobe iptable_nat
  sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -t nat -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE
  iptables-save > /etc/iptables.conf
  echo '#!/bin/sh' > /etc/network/if-up.d/iptables
  echo "iptables-restore < /etc/iptables.conf" >> /etc/network/if-up.d/iptables
  chmod +x /etc/network/if-up.d/iptables

#This is a good mac client for OpenVPN
#http://sourceforge.net/projects/tunnelblick/files/All%20files/Tunnelblick_3.4.1_r3054.dmg/download

#change your router to forward the following ports to your openvpn server
# 1194/udp -> to your internal open vpn sever IP address
# 943/tcp -> to your internal open vpn server IP address

#also if you are access other servers on your private network, those servers will need to know how to
#return traffic back to 10.8.0.0 network.  In most cases, you can add a static route on your router.

## server.conf
#Sample server.conf file for openvpn

port 1194
proto udp
dev tun
ca ca.crt

#assumes you generated a server key named 'server'
cert server.crt
key server.key

dh dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

#only if there is a private network 10.0.0.0 behind the VPN server
push "route 10.0.0.0 255.255.255.0"

#redirects all traffic, including DHCP and DNS to the client
push "redirect-gateway def1 bypass-dhcp"

#only if you are running a private DNS server at 10.0.0.100
push "dhcp-option DNS 10.0.0.100"

keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
	#sample client configuration file
	#place the ca.crt, client.crt, and client.key
	#in the same folder as this configuration file.
	#Import this into your OpenVPN client

	client
	dev tun
	proto udp

	# change this to the IP or name of your server
	remote home.mydyndns.org 1194

	resolv-retry infinite
	nobind
	persist-key
	persist-tun

	ca ca.crt

	#use the name of the certificate you generated
	cert client.crt
	key client.key
	comp-lzo
	verb 3
	# install open vpn server for open media vault
	# these steps need to be run manually on the OMV server
	# as the OMV server will not allow to run as a shell script

	#need to add the standard debian repository
	echo 'deb http://ftp.us.debian.org/debian sid main' >>/etc/apt/sources.list

	#next update the repositories
	apt-get update

	#install open vpn packages
	apt-get install openvpn -y
	apt-get install easy-rsa -y
	mkdir /etc/openvpn/easy-rsa/
	cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/


	#cofigure CA & client keys - note update this with your information
	echo 'export KEY_COUNTRY="US"' > /etc/openvpn/easy-rsa/vars
	echo 'export KEY_PROVINCE="FL"' >> /etc/openvpn/easy-rsa/vars
	echo 'export KEY_CITY="Tampa"' >> /etc/openvpn/easy-rsa/vars
	echo 'export KEY_ORG="none"' >> /etc/openvpn/easy-rsa/vars
	echo 'export KEY_EMAIL="me@me.com"' >> /etc/openvpn/easy-rsa/vars

	#use your name, computer name, etc for this
	echo 'export KEY_CN="client" '>> /etc/openvpn/easy-rsa/vars
	echo 'export KEY_NAME="client" '>> /etc/openvpn/easy-rsa/vars

	echo 'export KEY_OU="home.mydyndns.org" '>> /etc/openvpn/easy-rsa/vars
	echo 'export KEY_ALTNAMES="me@me.com" '>> /etc/openvpn/easy-rsa/vars

	cd /etc/openvpn/easy-rsa/
	source vars
	./clean-all
	./build-ca

	./build-key-server server
	./build-dh
	cd keys/
	cp server.crt /etc/openvpn/
	cp server.key /etc/openvpn/


	cp ca.crt /etc/openvpn/
	cp dh2048.pem /etc/openvpn/

	cd /etc/openvpn/easy-rsa/
	source vars
	./build-key client

	#the client certs need to be copied to clients. should be removed from the server
	cd /etc/openvpn
	tar czvf client.gz ca.crt easy-rsa/keys/client.crt easy-rsa/keys/client.key

	## copy the client.gz to your client computer


	#CONFIGURE OPENVPN SERVER
	cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
	gzip -d /etc/openvpn/server.conf.gz
	sed -i.bak 's/\(cert \).*$/\1'"server"'.crt/' server.conf
	sed -i.bak 's/\(key \).*$/\1'"server"'.key/' server.conf
	sed -i.bak 's/\(dh \).*$/\1dh2048.pem/' server.conf

	#push private network to clients - assumes your private network is 10.0.0.0/24
	echo 'push "route 10.0.0.0 255.255.255.0"' > server.conf

	#redirect all traffic to the VPN tunnel, including DHCP, DNS, etc
	echo 'push "redirect-gateway def1 bypass-dhcp"' > server.conf

	#push dns settings - assuming you have setup a local DNS server on your OMV server
	#and your OMV server is 10.0.0.100
	#if you are not running a DNS server on your private network, comment this line out
	echo 'push "dhcp-option DNS 10.0.0.100"' > server.conf

	#CONFIGURE IPV4 FORWARDING - THIS IS ONLY FOR CURRENTLY RUNNING SYSTEM
	echo 1 > /proc/sys/net/ipv4/ip_forward

	#THIS MAKES PORT FORWARDING PERM
	sed -i.bak 's/#\(net.ipv4.ip_forward\).*$/\1=1/' /etc/sysctl.conf

	#TO HAVE INTERNET ACCESS THROUGH THE VPN TUNNEL...NEED TO RUN THE FOLLOWING AS ROOT
	modprobe iptable_nat
	sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	iptables -t nat -A POSTROUTING -s 10.8.80.0/24 -o eth0 -j MASQUERADE
	iptables-save > /etc/iptables.conf
	echo '#!/bin/sh' > /etc/network/if-up.d/iptables
	echo "iptables-restore < /etc/iptables.conf" >> /etc/network/if-up.d/iptables
	chmod +x /etc/network/if-up.d/iptables

	#This is a good mac client for OpenVPN
	#http://sourceforge.net/projects/tunnelblick/files/All%20files/Tunnelblick_3.4.1_r3054.dmg/download

	#change your router to forward the following ports to your openvpn server
	# 1194/udp -> to your internal open vpn sever IP address
	# 943/tcp -> to your internal open vpn server IP address

	#also if you are access other servers on your private network, those servers will need to know how to
	#return traffic back to 10.8.0.0 network. In most cases, you can add a static route on your router.
	#Sample server.conf file for openvpn

	port 1194
	proto udp
	dev tun
	ca ca.crt

	#assumes you generated a server key named 'server'
	cert server.crt
	key server.key

	dh dh2048.pem

	server 10.8.0.0 255.255.255.0
	ifconfig-pool-persist ipp.txt

	#only if there is a private network 10.0.0.0 behind the VPN server
	push "route 10.0.0.0 255.255.255.0"

	#redirects all traffic, including DHCP and DNS to the client
	push "redirect-gateway def1 bypass-dhcp"

	#only if you are running a private DNS server at 10.0.0.100
	push "dhcp-option DNS 10.0.0.100"

	keepalive 10 120
	comp-lzo
	user nobody
	group nogroup
	persist-key
	persist-tun
	status openvpn-status.log
	verb 3