OpenVPN server configuration on Debian 8

#1
- OpenVPN server configuration (systemd) on Debian 8.
- Certificate-based, with X.509 certificates over the TLS protocol, 4096-bit keys
- Configure iptables and control traffic
- Tune the VPN
- Route all traffic through the VPN


#Install OpenVPN
Code:
apt-get install openvpn


#Edit the vars key file and enter the details for the certificates

Code:
root@whoami /usr/share/easy-rsa # vi vars 

export KEY_SIZE=4096
export KEY_COUNTRY="DE"
export KEY_PROVINCE="MD"
export KEY_CITY="Magdeburg"
export KEY_ORG="hack2sec"
export KEY_EMAIL="bazzd@posteo.de"
export KEY_OU="Whoami"


#Create the certificate authority

Code:
root@whoami /usr/share/easy-rsa # source ./vars
root@whoami /usr/share/easy-rsa # ./clean-all
root@whoami /usr/share/easy-rsa # ./build-ca
Generating a 4096 bit RSA private  key...............................................................................................................++
...........................................................................................................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [hack2sec CA]:Server
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:
#Create the server certificate

Code:
root@whoami /usr/share/easy-rsa # ./build-key-server Server
Generating a 4096 bit RSA private key
.........................++
........................................++
writing new private key to 'Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [Server]:
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'MD'
localityName          :PRINTABLE:'Magdeburg'
organizationName      :PRINTABLE:'hack2sec'
organizationalUnitName:PRINTABLE:'Whoami'
commonName            :PRINTABLE:'Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'bazzd@posteo.de'
Certificate is to be certified until Oct 18 21:33:39 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Create the client certificates

Code:
root@whoami /usr/share/easy-rsa # ./build-key client1
Generating a 4096 bit RSA private key
......................................++
..++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [MD]:
Locality Name (eg, city) [Magdeburg]:
Organization Name (eg, company) [hack2sec]:
Organizational Unit Name (eg, section) [Whoami]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [bazzd@posteo.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'MD'
localityName          :PRINTABLE:'Magdeburg'
organizationName      :PRINTABLE:'hack2sec'
organizationalUnitName:PRINTABLE:'Whoami'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'bazzd@posteo.de'
Certificate is to be certified until Oct 18 21:39:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#Generate the Diffie-Hellman parameters

Code:
root@whoami /usr/share/easy-rsa # ./build-dh
#Copy the client keys to /etc/openvpn/keys/ on the client (run on the client)
Code:
mkdir -p /etc/openvpn/keys
scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/client1.key /etc/openvpn/keys/
scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/client1.crt /etc/openvpn/keys/
scp -P 'sshPort' 'ServerIP':/usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/
#Copy the server keys from /usr/share/easy-rsa/keys to /etc/openvpn/keys
Code:
mkdir -p /etc/openvpn/keys
cp /usr/share/easy-rsa/keys/ca.crt /etc/openvpn/keys/
# the file names follow the common name given to build-key-server above ("Server")
cp /usr/share/easy-rsa/keys/Server.crt /etc/openvpn/keys/
cp /usr/share/easy-rsa/keys/Server.key /etc/openvpn/keys/
cp /usr/share/easy-rsa/keys/dh4096.pem /etc/openvpn/keys/


#Create the server configuration file
Code:
vi /etc/openvpn/server.conf

#server.conf

Code:
# relative paths below (keys/, ipp.txt, status.log) resolve against this directory
cd /etc/openvpn

tls-server
mode server
# VPN tunnel subnet: network address plus netmask, not the public server IP.
# 10.8.0.0/24 is a placeholder; pick a private range that does not clash with the client networks.
server 10.8.0.0 255.255.255.0

client-to-client

# drop root privileges once the tunnel is up
user nobody
group nogroup

#max-clients 7 (if needed)

# keep key material and the tun device across restarts, since nobody cannot re-read them
persist-key
persist-tun

proto udp
# VPN port (placeholder)
port 12345

ifconfig-pool-persist ipp.txt

dev tun0
tun-mtu 1500
fragment 1300

ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key
dh keys/dh4096.pem

ping-timer-rem
keepalive 60 120

comp-lzo yes
push "comp-lzo yes"

verb 3

status status.log 5
status-version 2


#Create the client configuration file:
Code:
vi /etc/openvpn/client.conf
#client.conf
Code:
cd /etc/openvpn

client
tls-client
# only accept a server certificate carrying nsCertType=server (build-key-server sets it);
# a certificate issued with build-key for another client will not pass this check
ns-cert-type server

# public IP and VPN port of the server (placeholders)
remote 1.2.3.4 12345

dev tun

proto udp

user nobody
group nogroup

persist-tun
persist-key

tun-mtu 1500
fragment 1300

pull

ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key

comp-lzo yes

verb 3

ping-timer-rem
keepalive 20 120
#Start OpenVPN

Code:
Client: openvpn /etc/openvpn/client.conf
Server: openvpn /etc/openvpn/server.conf


#Start the service automatically under systemd
#Link the server VPN systemd service (automatic start)

Code:
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
Code:
systemctl -f enable openvpn@server.service
#Link the client VPN systemd service (automatic start)

Code:
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@client.service
Code:
systemctl -f enable openvpn@client.service
#Block all traffic
#Allow VPN and SSH
#Log everything
#Start the firewall at boot
Code:
vi firewallregeln.sh
#firewallregeln.sh
Code:
#!/bin/bash
# firewallregeln.sh: default-deny firewall for the VPN server.
# Drop everything, allow SSH and the VPN port inbound on the public
# interface, trust the tunnel interface, log every decision.

IPT="/sbin/iptables"

INT=eth0   # public interface
VPN=tun0   # OpenVPN tunnel interface

# flush all rules and user-defined chains, reset counters
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -Z

# logging wrappers: MYACCEPT / MYDROP log a line and then accept / drop
$IPT -N MYACCEPT
$IPT -A MYACCEPT -j LOG --log-prefix "FW-MYACCEPT:"
$IPT -A MYACCEPT -j ACCEPT
$IPT -N MYDROP
$IPT -A MYDROP -j LOG --log-prefix "FW-MYDROP:"
$IPT -A MYDROP -j DROP

# default policy: drop whatever no rule accepts
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# replies belonging to connections already known to conntrack
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# never forward packets claiming a loopback source
$IPT -A FORWARD -s 127.0.0.1/8 -j DROP

# loopback, and all new outgoing connections from the server itself
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -o $INT -j ACCEPT

# the tunnel is trusted: anything in, out or forwarded via tun0
$IPT -A INPUT -i $VPN -j ACCEPT
$IPT -A OUTPUT -o $VPN -j ACCEPT
$IPT -A FORWARD -i $VPN -j ACCEPT


#SSH (12345 stands for the real SSH port, 'sshPort' above)
$IPT -A INPUT -m state --state NEW -i $INT -p tcp --dport 12345 -j MYACCEPT

#VPN (the port from "port" in server.conf)
$IPT -A INPUT -m state --state NEW -i $INT -p udp --dport 12345 -j MYACCEPT

# log everything that falls through before the DROP policy discards it
$IPT -A INPUT -j LOG --log-prefix "FW-LAST-DROP:"
$IPT -A OUTPUT -j LOG --log-prefix "FW-LAST-DROP:"
$IPT -A FORWARD -j LOG --log-prefix "FW-LAST-DROP:"

exit 0
#Make the shell script executable
Code:
chmod 700 firewallregeln.sh


#Start the firewall automatically at boot

Code:
vi /etc/rc.local
#rc.local
Code:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Firewall
/root/firewallregeln.sh
exit 0
#OpenVPN tuning
#Add to /etc/openvpn/server.conf:
Code:
sndbuf 562500 
rcvbuf 562500 

push "sndbuf 562500" 
push "rcvbuf 562500"
#Entry in /etc/sysctl.conf (on server and client)

Code:
net.core.rmem_default = 562500 
net.core.rmem_max = 562500 
net.core.wmem_default = 562500 
net.core.wmem_max = 562500
#Route all traffic through the server once a client has connected to the VPN:

#In /etc/openvpn/server.conf

Code:
push "redirect-gateway def1" 
push "dhcp-option DNS 8.8.8.8"

#Enable packet forwarding in /etc/sysctl.conf

Code:
net.ipv4.ip_forward=1
# apply without a reboot: sysctl -p
#Enable NAT in firewallregeln.sh

Code:
# source range = the VPN tunnel subnet from the "server" directive in server.conf (10.8.0.0/24 is the placeholder used there)
$IPT -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to-source 'ServerIP'
#Inspect the firewall
Code:
iptables -nvL
#Disable the firewall
Code:
vi firewallausschalten.sh
#firewallausschalten.sh (flushes all rules and sets every policy to ACCEPT)
Code:
#!/bin/bash


IPT="/sbin/iptables"
 

$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -Z

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

exit
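
An added check for the server configuration above (editor's example code, not from the original post): it reads a server.conf, resolves the ca/cert/key/dh files relative to the `cd` directive the way OpenVPN does, and reports missing privilege-drop directives, missing PKI files and a private key that is readable by group or others. The directive list and the key file names are taken from the config shown earlier; the usage path is an assumption.

```shell
#!/bin/sh
# audit_openvpn_conf: added example, not part of the original post.
# Reads an OpenVPN server.conf, resolves ca/cert/key/dh relative to the
# "cd" directive (as OpenVPN does), and reports findings.
# Usage:  audit_openvpn_conf /etc/openvpn/server.conf
# Return value: number of findings (0 = clean).

resolve_path() {
    # $1 = base directory from "cd", $2 = path as written in the config
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

audit_openvpn_conf() {
    conf="$1"
    findings=0
    base=$(awk '$1 == "cd" { print $2 }' "$conf" | head -n 1)
    [ -n "$base" ] || base=$(dirname "$conf")

    # 1. Directives the server config on this page relies on: TLS server mode
    #    and the privilege drop (persist-* keep the tunnel working after
    #    root privileges are gone).
    for directive in "tls-server" "user nobody" "group nogroup" "persist-key" "persist-tun"; do
        if ! grep -Eq "^[[:space:]]*$directive"'([[:space:]]|$)' "$conf"; then
            echo "MISSING: $directive"
            findings=$((findings + 1))
        fi
    done

    # 2. Informational: client-to-client lets VPN peers reach each other
    #    inside OpenVPN, so the kernel FORWARD chain never sees that traffic.
    if grep -Eq '^[[:space:]]*client-to-client' "$conf"; then
        echo "INFO: client-to-client is enabled (peers can reach each other)"
    fi

    # 3. Every referenced PKI file must exist; the private key must not be
    #    readable by group or others.
    for kind in ca cert key dh; do
        file=$(awk -v k="$kind" '$1 == k { print $2 }' "$conf" | head -n 1)
        if [ -z "$file" ]; then
            echo "MISSING: $kind directive"
            findings=$((findings + 1))
            continue
        fi
        path=$(resolve_path "$base" "$file")
        if [ ! -f "$path" ]; then
            echo "MISSING FILE: $kind -> $path"
            findings=$((findings + 1))
            continue
        fi
        if [ "$kind" = key ]; then
            # columns 5-10 of "ls -l" are the group and other permission bits
            group_other=$(ls -ld "$path" | cut -c5-10)
            if [ "$group_other" != "------" ]; then
                echo "PERMS: $path is readable by group/others (chmod 600 it)"
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}

# Stand-alone use: audit the file given on the command line.
if [ $# -gt 0 ]; then
    audit_openvpn_conf "$1"
fi
```

Run it after editing server.conf and again after copying the keys; a non-zero exit status means at least one finding was printed.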
 
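
An added example for reading the logs that firewallregeln.sh produces (editor's code, not from the original post): the LOG targets write kernel messages whose prefix (FW-MYACCEPT:, FW-MYDROP:, FW-LAST-DROP:) is glued to the IN= field because the prefixes carry no trailing space. The script groups those lines by prefix, protocol, destination port and source address and counts them, so repeated hits on a closed port stand out. The log lines it ships with are constructed samples in the kernel's iptables format; the host name and the addresses in them are made up.

```shell
#!/bin/sh
# summarise_fw_log: added example, not part of the original post.
# Groups the iptables LOG lines written by firewallregeln.sh by
# (prefix, protocol, destination port, source address) and counts them.
# Usage: summarise_fw_log /var/log/kern.log   (no argument: run on the built-in sample)

summarise_fw_log() {
    awk '
        /FW-(MYACCEPT|MYDROP|LAST-DROP):/ {
            prefix = ""; src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                # --log-prefix "FW-...:" has no trailing space, so the prefix
                # token is glued to the IN= field: "FW-LAST-DROP:IN=eth0"
                if ($i ~ /^FW-[A-Z-]+:/)    { prefix = $i; sub(/:.*/, "", prefix) }
                else if ($i ~ /^SRC=/)      { src = substr($i, 5) }
                else if ($i ~ /^PROTO=/)    { proto = substr($i, 7) }
                else if ($i ~ /^DPT=/)      { dpt = substr($i, 5) }
            }
            if (prefix != "") count[prefix " " proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample in the kernel iptables LOG format (documentation address ranges).
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 18 21:40:01 whoami kernel: [ 1234.567890] FW-LAST-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 21:40:02 whoami kernel: [ 1235.100001] FW-LAST-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4712 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 21:40:03 whoami kernel: [ 1236.200002] FW-LAST-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4713 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 21:40:04 whoami kernel: [ 1237.300003] FW-MYACCEPT:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.20 DST=198.51.100.7 LEN=42 TOS=0x00 PREC=0x00 TTL=57 ID=9 DF PROTO=UDP SPT=1194 DPT=12345 LEN=22
Oct 18 21:40:05 whoami kernel: [ 1238.400004] tun0: Disabled Privacy Extensions
Oct 18 21:40:06 whoami kernel: [ 1239.500005] FW-LAST-DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=8 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

if [ $# -gt 0 ]; then
    summarise_fw_log "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    summarise_fw_log "$sample"
    rm -f "$sample"
fi
```

On Debian 8 the lines land in /var/log/kern.log (and /var/log/syslog), so `summarise_fw_log /var/log/kern.log` gives the live picture; the first column is the hit count, highest first.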
#2
This thread is already very old, but anyone who does not want to put themselves through the whole installation can take a look at this.

GitHub - Nyr/openvpn-install: OpenVPN road warrior installer for Debian, Ubuntu and CentOS

With it, really anyone can get OpenVPN set up on their server, and the script does everything by itself.

The code is of course open and can be inspected by anyone.

Works on Debian, Ubuntu and CentOS.

Best regards
 