Revision as of 14:27, 24 May 2007 (Thursday)
Source: https://help.ubuntu.com/community/VPNServer
Securing a small Wireless network using VPN
TODO: this document should be split into VPN and wireless specific parts.
Summary
While Wifi encryption generally provides a first protective layer for a wireless network, it is far from perfect:
- WEP is still widely used and must be considered very insecure
- WPA can also be broken (it requires more effort), and many devices are still not WPA-enabled
This document describes a complementary approach to securing a wireless network: adding a second layer of encryption with a Virtual Private Network (VPN). It is assumed that the reader understands basic IP routing and Linux system administration. However, in an attempt to widen the audience to non-experts, this document does not cover many technical aspects of VPNs.
This document contains instructions to set up a routed VPN using a static key, which works with one client only. A multiple-client setup requires a public key infrastructure (PKI), which is slightly more complex and is not treated here.
Routing
Ideally, neither the wireless access point nor the Wifi machine has direct Internet access. The access point should be connected to the VPN server, so that all routing is handled by that machine. In practice, the VPN server is connected to LAN_SUBNET with one network interface and to the wireless access point with another. It is highly recommended to configure different subnets for these two interfaces.
In this document, the network topology is expected to look like:
[WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET (potentially via a local gateway)
Example:
- The Internet gateway: eth0 inet adr:192.168.0.10 bcast:192.168.0.255 (LAN_SUBNET)
- The VPN server: eth0 inet adr:192.168.0.1 bcast:192.168.0.255 (LAN_SUBNET)
- The VPN server: eth1 inet adr:192.168.1.1 bcast:192.168.1.255 (WIFI_SUBNET)
- The wireless access point: eth0 inet adr:192.168.1.2 bcast:192.168.1.255 (WIFI_SUBNET)
- Wifi machine (SYSTEM): eth0 inet adr:192.168.1.3 bcast:192.168.1.255 (WIFI_SUBNET)
The following iptables configuration could be installed on the VPN server to route the traffic:
# Default declaration, with DROP as the default INPUT policy
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Enable full access from localhost
-A INPUT -i lo -p all -j ACCEPT
# Allow connections initiated from this machine
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
# WIFI --> LAN
# Prevent the Wifi from reaching LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
-A FORWARD -d LAN_SUBNET -j DROP
# Enable VPN
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
# Force the machine(s) identified as SYSTEM to use the VPN.
# This means that without the VPN, SYSTEM will NOT access the Internet
# SYSTEM: a Wifi machine, or the whole Wifi subnet. Ex: 192.168.1.3
#
# -A FORWARD -s SYSTEM -j DROP
# Allow access to the VPN service
-A INPUT -p udp --dport 1194 -j ACCEPT
# INTERNET/WIFI -> LAN services
# Internal services on the VPN server can potentially
# be made available to LAN_SUBNET
# LAN_SUBNET: Ethernet LAN subnet. Ex: 192.168.0.0/24
-A INPUT -s LAN_SUBNET -p all -j ACCEPT
# Allow SSH from the Internet AND from the Wifi
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# DHCP may also be useful
# (note: udp 137:138 is NetBIOS; DHCP itself uses udp 67:68)
# -A INPUT -p udp --dport 137:138 -j ACCEPT
# Log all rejected packets to syslog (useful for debugging)
# -A INPUT -j LOG --log-level warn --log-prefix "[DENIED] "
COMMIT
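To check what the rule set above actually enforces before loading it, here is an added example that is not part of the original page: a small first-match simulator for the *filter rules, with the placeholders filled in from the example network and the optional SYSTEM rule enabled. It understands only the match options the page uses, and packets are plain dicts constructed for the test.

```python
import ipaddress, shlex
# The page's *filter rules with the placeholders filled in from its example
# network (LAN_SUBNET 192.168.0.0/24, SYSTEM 192.168.1.3) and the optional
# "-A FORWARD -s SYSTEM -j DROP" rule enabled; constructed for this example.
RULES = """
:INPUT DROP
:FORWARD ACCEPT
-A INPUT -i lo -p all -j ACCEPT
-A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -j DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 192.168.1.3 -j DROP
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p all -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

def parse(text):
    """Return (chain policies, rules) from iptables-restore style text."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        if line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)                # "-A CHAIN opt val opt val ..."
        rule = {"chain": toks[1]}
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt != "-m":                     # -m only loads a match module
                rule[opt] = val
        rules.append(rule)
    return policies, rules

def iface_match(pattern, iface):                # 'tun+' matches tun0, tun1, ...
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern
def port_match(spec, port):                     # '22' or a range '137:138'
    lo, _, hi = spec.partition(":")
    return port is not None and int(lo) <= port <= int(hi or lo)
def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(rule, pkt):
    """pkt: dict with in, src, dst, proto and optional dport/state (default NEW)."""
    checks = {
        "-i": lambda v: iface_match(v, pkt["in"]),
        "-s": lambda v: in_net(pkt["src"], v),
        "-d": lambda v: in_net(pkt["dst"], v),
        "-p": lambda v: v == "all" or v == pkt["proto"],
        "--dport": lambda v: port_match(v, pkt.get("dport")),
        "--state": lambda v: pkt.get("state", "NEW") in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(chain, pkt, text=RULES):
    """First matching rule wins; otherwise the chain's policy applies."""
    policies, rules = parse(text)
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["-j"]
    return policies[chain]
```

Calling verdict("FORWARD", ...) for a packet from SYSTEM confirms that without the VPN it reaches neither LAN_SUBNET nor the Internet, and that even traffic arriving on tun0 is dropped when addressed to LAN_SUBNET, because the DROP rule precedes the tun+ ACCEPT.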
Configuring OpenVPN
Setting up the server
- Install OpenVPN
Install the following package: openvpn
(see InstallingSoftware).
- Generate a shared static key
cd /etc/openvpn/ && /usr/sbin/openvpn --genkey --secret static.key
- Comment out all the lines in /etc/default/openvpn, and add:
AUTOSTART="openvpn"
- Populate the configuration file /etc/openvpn/openvpn.conf with:
dev tun
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
local 192.168.1.1
# The following line sets the local and remote tunnel addresses
# ifconfig VPN_SERVER VPN_CLIENT
ifconfig 10.1.0.1 10.1.0.2
up ./office.up
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
- /etc/openvpn/office.up should be executable and contain:
#!/bin/sh
# $5 is the remote tunnel address passed to the up script by OpenVPN (10.1.0.2 here)
route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
- Finally, we can complete the routing for the wireless network in the iptables configuration:
# ROUTING WIFI -> LAN/INTERNET
# Route the Wifi traffic to the Internet
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Route all the Wifi traffic -even without VPN!- to the Internet
# WIFI_SUBNET: Wifi subnet. Ex: 192.168.1.0/24
# -A POSTROUTING -s WIFI_SUBNET -o eth0 -j MASQUERADE
# Route traffic from VPN_CLIENT to the LAN/Internet
# VPN_CLIENT: VPN host (or VPN subnet for multiple-client setups). Ex: 10.1.0.2
-A POSTROUTING -s VPN_CLIENT -o eth0 -j MASQUERADE
COMMIT
- Start the OpenVPN service:
/etc/init.d/openvpn start
Setting up the client
- Install OpenVPN
apt-get install openvpn
- Copy the static key /etc/openvpn/static.key to the client system in /etc/openvpn.
- Comment out all the lines in /etc/default/openvpn, and add:
AUTOSTART="openvpn"
- Populate the configuration file /etc/openvpn/openvpn.conf with:
dev tun
# Network interface used by the VPN client (SYSTEM) on WIFI_SUBNET
# eth0 (192.168.1.3) in the previous example
local 192.168.1.3
# Network interface used by the VPN server on WIFI_SUBNET
# eth1 (192.168.1.1) in the previous example
remote 192.168.1.1
nobind
# The following line sets the local and remote tunnel addresses
# ifconfig VPN_CLIENT VPN_SERVER
ifconfig 10.1.0.2 10.1.0.1
up ./home.up
down ./home.down
secret static.key
ping 15
tun-mtu 1200
mssfix 1400
verb 3
- /etc/openvpn/home.up should be executable and contain:
#!/bin/sh
# $5 is the remote tunnel address passed to the up script by OpenVPN (10.1.0.1 here)
route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
route add -net 0.0.0.0 netmask 0.0.0.0 dev tun0
# In the following, eth0 is the network interface
# used by the VPN client (SYSTEM) on WIFI_SUBNET
route del -net 0.0.0.0 netmask 0.0.0.0 dev eth0
- /etc/openvpn/home.down should be executable and contain:
#!/bin/sh
# In the following, eth0 is the network interface
# used by the VPN client (SYSTEM) on WIFI_SUBNET
route add -net 0.0.0.0 netmask 0.0.0.0 dev eth0
- Start the OpenVPN service:
/etc/init.d/openvpn start
- If the following ping commands do not return an error, it worked!
ping 10.1.0.1
ping 10.1.0.2
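The home.up and home.down scripts above move the client's default route onto the tunnel and back. The following added example, which is not part of the original page, replays those route commands against a constructed copy of the client's routing table with longest-prefix lookup; it shows why the VPN server itself stays reachable over eth0 while everything else leaves through tun0. Assumed: the client's pre-VPN default route goes via 192.168.1.1 on eth0, and $5 in the up script is 10.1.0.1.

```python
import ipaddress

# Constructed routing table of the Wifi client (SYSTEM, 192.168.1.3 on eth0)
# before OpenVPN starts: the connected Wifi subnet plus a default route via the
# VPN server's Wifi address.  Entries are (network, gateway or None, device).
BASE = [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]

def route_add(table, net, gw, dev):
    return table + [(net, gw, dev)]

def route_del(table, net, dev):
    """`route del -net NET netmask MASK dev DEV` removes the entry whatever its gateway."""
    return [r for r in table if not (r[0] == net and r[2] == dev)]

def lookup(table, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, device) or None."""
    best = None
    for net, gw, dev in table:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return (best[1], best[2]) if best else None

def home_up(table, remote="10.1.0.1"):
    """The page's home.up with $5 = the remote tunnel address (10.1.0.1 from the
    page's ifconfig line).  OpenVPN itself adds the point-to-point route first."""
    table = route_add(table, "10.1.0.1/32", None, "tun0")
    table = route_add(table, "10.0.0.0/24", remote, "tun0")  # route add -net 10.0.0.0 ... gw $5
    table = route_add(table, "0.0.0.0/0", None, "tun0")      # route add -net 0.0.0.0 ... dev tun0
    return route_del(table, "0.0.0.0/0", "eth0")             # route del -net 0.0.0.0 ... dev eth0

def home_down(table):
    """tun0 goes away (the kernel drops every route on it), then the page's home.down
    re-adds the default on eth0.  As written it carries no gateway: an on-link default."""
    table = [r for r in table if r[2] != "tun0"]
    return route_add(table, "0.0.0.0/0", None, "eth0")
```

The lookup for 192.168.1.1 after home_up is the check that matters: the connected /24 is more specific than the new default on tun0, so the encrypted packets to the VPN server are not themselves routed into the tunnel.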