During my holidays, it became clear that having a VPN access towards home might just come in handy some times. Besides that, it can also allow to protect your data when using a public/untrusted WiFi connection.
So with the bad weather, I started setting up an OpenVPN server using some of my course material from Annecy and other documentation.
I’ll skip the certificate generation (can be found here), but here’s a sample config:
;local 192.168.5.20 port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh1024.pem server 10.0.8.0 255.255.255.0 #DHCP assigned to clients ifconfig-pool-persist ipp.txt #keeps track of client/address allocation push "route 192.168.5.0 255.255.255.0" #pushes local network to client push "redirect-gateway def1 bypass-dhcp" #makes all client traffic go through vpn push "dhcp-option DNS 184.108.40.206" #push dns push "dhcp-option DNS 220.127.116.11" # ^ client-to-client #allows connected clients to see each other keepalive 10 120 comp-lzo #enable compression user nobody #reduce daemon priviliges group nogroup # ^ persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20
To allow traffic to go on the network, we have to add NAT on the VPN server
iptables -t nat -A POSTROUTING -s 10.0.8.0/24 -o eth0 -j MASQUERADE
Also allow ip forwarding. To have persistent firewall rules, check here.
client dev tun proto udp remote example.com 1194 resolv-retry infinite nobind #no need for specific port number persist-key #preserve state between restarts persist-tun #^ ca ca.crt cert client.crt #generate one per client key client.key ns-cert-type server comp-lzo #enable compression
I’ve put it on a machine that has Wake-On-LAN, so that I can fire it up by sending a magic packet through the net, then connect to it with the VPN.