Setting up a home VPN

During my holidays, it became clear that having VPN access to my home network might come in handy at times. Besides that, it also helps protect your data when using a public or untrusted WiFi connection.

So with the bad weather, I started setting up an OpenVPN server using some of my course material from Annecy and other documentation.

I’ll skip the certificate generation (it can be found here), but here’s a sample server config:

;local 192.168.5.20 #uncomment to listen on one address only
port 1194
proto udp
dev tun
ca ca.crt #CA certificate
cert server.crt #server certificate
key server.key #server private key, keep it secret
dh dh1024.pem #Diffie-Hellman parameters (1024 bits is considered weak today; 2048 or more is recommended)
server 10.0.8.0 255.255.255.0 #DHCP assigned to clients
ifconfig-pool-persist ipp.txt #keeps track of client/address allocation
push "route 192.168.5.0 255.255.255.0" #pushes local network to client
push "redirect-gateway def1 bypass-dhcp" #makes all client traffic go through vpn
push "dhcp-option DNS 4.4.4.4" #push dns
push "dhcp-option DNS 8.8.8.8" # ^
client-to-client #allows connected clients to see each other
keepalive 10 120 #ping every 10s, restart the link after 120s without a reply
comp-lzo #enable compression
user nobody #reduce daemon privileges
group nogroup # ^
persist-key #keep keys in memory across restarts (needed once privileges are dropped)
persist-tun #keep the tun device open across restarts
status openvpn-status.log #current client status file
log-append openvpn.log #append log output to this file
verb 3 #log verbosity
mute 20 #limit repeated messages of the same category

To allow traffic from the tunnel out onto the network, we have to add NAT on the VPN server (eth0 being the LAN interface):

iptables -t nat -A POSTROUTING -s 10.0.8.0/24 -o eth0 -j MASQUERADE

Also enable IP forwarding on the server. To make the firewall rules persistent, check here.

Client configuration:

client
dev tun
proto udp
remote example.com 1194 #public hostname or IP of the server and its port
resolv-retry infinite #keep retrying to resolve the hostname
nobind #no need for specific port number
persist-key #preserve state between restarts
persist-tun #^
ca ca.crt
cert client.crt #generate one per client
key client.key
ns-cert-type server #check the server certificate's type (deprecated in newer OpenVPN releases, remote-cert-tls server replaces it)
comp-lzo #enable compression

I’ve put it on a machine that has Wake-On-LAN, so that I can fire it up by sending a magic packet over the network, then connect to it with the VPN.
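Building and sending the Wake-On-LAN magic packet mentioned above, as an added example that is not part of the original post. The MAC address and the 192.168.5.255 broadcast address in the usage section are placeholders, not values from the post.

```python
import re
import socket


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte Wake-On-LAN magic packet for a MAC address.

    The payload is 6 bytes of 0xFF followed by the target's 6-byte MAC
    address repeated 16 times. Accepts 'AA:BB:CC:DD:EE:FF',
    'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff' notation.
    """
    hex_digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hex_digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(hex_digits)
    return b"\xff" * 6 + mac_bytes * 16


def is_magic_packet(data: bytes) -> bool:
    """Return True if a UDP payload starts with a well-formed magic packet.

    Useful when sniffing the LAN to confirm the packet actually arrives
    at the target segment (trailing bytes such as a SecureOn password
    or padding are tolerated).
    """
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return False
    mac = data[6:12]
    return data[6:102] == mac * 16


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = 9) -> int:
    """Broadcast the magic packet over UDP; port 9 is the customary WoL port.

    Returns the number of bytes handed to the socket.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Placeholder MAC and LAN broadcast address; replace with your own.
    sent = send_magic_packet("00:11:22:33:44:55", broadcast="192.168.5.255")
    print(f"sent {sent} bytes")
```

Because the magic packet is a broadcast, it is normally sent from a host on the same LAN segment as the sleeping machine, or via a router that forwards it there.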

This entry was posted in Linux, Software.
