3. OpenVPN installation directory, Prep software
7). Enable Kernel IP forwarding
Enabling ip_forward tells the Linux kernel to forward packets between its network interfaces. For this to be meaningful you need two network interfaces. Once the box is routing, security matters, and that is where Linux's packet filter, iptables, comes in, so you also need an iptables configuration consistent with your needs.
Note that enabling forwarding with iptables disabled, or without taking firewalling and security into account, could leave you open to vulnerabilities if one of the NICs faces the Internet or a subnet you don't control.
- Check the current ip_forward setting with sysctl -p.
- If it shows net.ipv4.ip_forward = 0, run sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf to change it, or open /etc/sysctl.conf in vi and change the 0 to 1 directly.
- Activate the change with sysctl -p.
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
[root@localhost ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
[root@localhost ~]# vi /etc/sysctl.conf
[root@localhost ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1 //now changed to 1
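The sed above only rewrites a line that already reads "= 0"; if the key is missing or commented out it silently changes nothing, and the warning about forwarding without a firewall is left to the reader. The following shell functions are an added example (not part of the original page or of OpenVPN) that make the edit idempotent and classify the forwarding posture from a copy of `iptables -S` output. File paths are parameters so the functions can run against constructed samples; on a real host you would pass /etc/sysctl.conf and a file holding `iptables -S`, then run `sysctl -p` as the page does. The function names and the filtered/unfiltered heuristic are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): idempotent ip_forward edit plus a check
# that forwarding is paired with a restrictive FORWARD chain.

# set_ip_forward CONF VALUE
# Rewrites any active net.ipv4.ip_forward line, or appends the key when the
# file has none (the page's sed would do nothing in that case).
set_ip_forward() {
    conf=$1
    value=$2
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = $value/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = %s\n' "$value" >> "$conf"
    fi
}

# get_ip_forward CONF -> prints the configured value; 0 (the kernel default)
# when the key is unset. The last active line wins, as with sysctl -p.
get_ip_forward() {
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-0}"
}

# forwarding_posture CONF RULES   (RULES holds `iptables -S` output)
# Prints one of:
#   disabled   - ip_forward is not 1, so nothing is routed
#   filtered   - forwarding on, FORWARD policy DROP or an explicit DROP/REJECT rule
#   unfiltered - forwarding on and the FORWARD chain accepts everything; this is
#                the state the page warns about when a NIC faces the Internet
forwarding_posture() {
    conf=$1
    rules=$2
    if [ "$(get_ip_forward "$conf")" != 1 ]; then
        echo disabled
    elif grep -q '^-P FORWARD DROP' "$rules" \
         || grep -Eq '^-A FORWARD .*-j (DROP|REJECT)' "$rules"; then
        echo filtered
    else
        echo unfiltered
    fi
}

# Demo on constructed samples modelled on the page's /etc/sysctl.conf and a
# stock all-ACCEPT iptables policy.
demo() {
    d=$(mktemp -d)
    cat > "$d/sysctl.conf" <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
EOF
    cat > "$d/rules" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
    echo "before: $(forwarding_posture "$d/sysctl.conf" "$d/rules")"
    set_ip_forward "$d/sysctl.conf" 1
    echo "after:  $(forwarding_posture "$d/sysctl.conf" "$d/rules")"
    rm -rf "$d"
}
demo
```

The demo goes from "disabled" to "unfiltered", which is exactly the situation the note above describes: the kernel now routes between eth0 and tun0 but nothing in the FORWARD chain restricts what crosses. Setting the FORWARD policy to DROP and allowing only the tun0/eth0 traffic you intend is what turns it into "filtered".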
8). Start OpenVPN Server
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
netstat -lntup |grep vpn
lsof -i :11945
[root@localhost openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 41314
[root@localhost openvpn]# netstat -lntup |grep vpn
tcp 0 0 192.168.2.16:1194 0.0.0.0:* LISTEN 41314/openvpn
[root@localhost rpm]# lsof -i :11945
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 1802 root 5u IPv4 13516 0t0 TCP 192.168.2.16:openvpn (LISTEN)
Note that after the OpenVPN service starts, a new tun0 interface appears in the network configuration.
[root@localhost openvpn]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:D0:10:3F
...................., .................................
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
9). Stop OpenVPN server
To stop the OpenVPN server, you can:
- run ps -ef | grep vpn to find the process
- run pkill openvpn
- validate that the openvpn process is gone
[root@VpnL01 keys]# ps -ef |grep vpn
root 2082 1 0 08:31 ? 00:00:00 /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
root 3013 2878 0 11:37 pts/0 00:00:00 grep vpn
[root@VpnL01 keys]# pkill openvpn
[root@VpnL01 keys]# netstat -nltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1901/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1757/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2026/master
tcp 0 0 :::22 :::* LISTEN 1901/sshd
tcp 0 0 ::1:631 :::* LISTEN 1757/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2026/master
udp 0 0 0.0.0.0:631 0.0.0.0:* 1757/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1765/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 1762/dhclient
[root@VpnL01 keys]# ps -ef |grep vpn
root 3035 2878 0 11:38 pts/0 00:00:00 grep vpn
[root@VpnL01 keys]#
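Steps 8 and 9 verify the server by reading netstat output by eye. The functions below are an added example (not from the page or from OpenVPN) that do the same check from a file holding captured `netstat -lntup` output, so they run offline against a constructed capture; on a live host you would save the real output first (netstat -lntup > /tmp/ns.txt). They assume the page's port 1194 and the program name "openvpn"; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): confirm the OpenVPN listener after
# step 8 and its absence after step 9 by parsing `netstat -lntup` output.

# openvpn_listener NETSTAT_FILE [PORT]
# Prints "proto local_address pid" for the openvpn socket bound to PORT and
# returns 0; prints nothing and returns 1 when there is no such listener.
openvpn_listener() {
    awk -v port="${2:-1194}" '
        $NF ~ /\/openvpn$/ {             # PID/Program name is the last column
            n = split($4, a, ":")        # local address is column 4; the port
            if (a[n] == port) {          # is the part after the last colon
                split($NF, p, "/")
                print $1, $4, p[1]
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# openvpn_stopped NETSTAT_FILE -> 0 when no openvpn listener remains (step 9)
openvpn_stopped() {
    ! openvpn_listener "$1" >/dev/null
}

# listener_is_wildcard NETSTAT_FILE -> 0 when openvpn is bound to 0.0.0.0 or ::,
# i.e. reachable on every interface including one facing the Internet. The
# page's server is pinned to 192.168.2.16, which this reports as not wildcard.
listener_is_wildcard() {
    addr=$(openvpn_listener "$1" | awk '{print $2}')
    case $addr in
        0.0.0.0:*|:::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed capture modelled on the page's output after step 8.
demo() {
    d=$(mktemp -d)
    cat > "$d/running.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1901/sshd
tcp        0      0 192.168.2.16:1194       0.0.0.0:*               LISTEN      41314/openvpn
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1765/dhclient
EOF
    openvpn_listener "$d/running.txt" || echo "openvpn not listening"
    grep -v openvpn "$d/running.txt" > "$d/stopped.txt"   # what step 9 should leave
    openvpn_stopped "$d/stopped.txt" && echo "openvpn stopped"
    rm -rf "$d"
}
demo
```

The wildcard check is the one worth keeping in a post-install script: a server that shows up on 0.0.0.0:1194 is answering on every NIC, whereas binding to the address you meant (as the page's 192.168.2.16 does) keeps the VPN port off interfaces that should not carry it.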
10). Run OpenVPN on startup - Method 1: rc.local
echo '#startup OpenVPN service' >> /etc/rc.local
echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >> /etc/rc.local
[root@localhost openvpn]# echo '#startup OpenVPN service' >> /etc/rc.local
[root@localhost openvpn]# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >> /etc/rc.local
[root@localhost openvpn]# tail -2 /etc/rc.local
tail: inotify cannot be used, reverting to polling
#startup OpenVPN service
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
Note: the built-in OpenVPN startup script launches the server as:
/usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
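The two echo commands in Method 1 append a fresh copy of the start line every time they are re-run, and a second copy would try to launch a second server against the same port at boot. The function below is an added example (not from the page or from OpenVPN) that adds the entry only if it is not already present, using the daemon form from the note above. The rc.local path is a parameter so the demo and test run on a constructed file; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): idempotent rc.local entry for OpenVPN.

# The built-in form quoted on the page; --daemon means no trailing "&" needed.
OPENVPN_START='/usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn'

# add_startup_entry RCFILE [CMD]
# Appends CMD (preceded by a comment) unless an identical line already exists.
# Prints "added" or "present"; always returns 0.
add_startup_entry() {
    rcfile=$1
    cmd=${2:-$OPENVPN_START}
    [ -f "$rcfile" ] || : > "$rcfile"
    if grep -qxF -- "$cmd" "$rcfile"; then
        echo present
        return 0
    fi
    # A real rc.local often ends without a newline; start on a fresh line so the
    # new command is not glued to the previous one.
    if [ -s "$rcfile" ] && [ -n "$(tail -c 1 "$rcfile")" ]; then
        printf '\n' >> "$rcfile"
    fi
    printf '#startup OpenVPN service\n%s\n' "$cmd" >> "$rcfile"
    echo added
}

# startup_entry_count RCFILE [CMD] -> number of exact copies of CMD in RCFILE
startup_entry_count() {
    grep -cxF -- "${2:-$OPENVPN_START}" "$1" || true
}

# Demo on a constructed rc.local whose last line lacks a trailing newline.
demo() {
    d=$(mktemp -d)
    printf 'touch /var/lock/subsys/local' > "$d/rc.local"
    add_startup_entry "$d/rc.local"
    add_startup_entry "$d/rc.local"
    echo "copies: $(startup_entry_count "$d/rc.local")"
    rm -rf "$d"
}
demo
```

With --writepid the directory /var/run/openvpn must exist at boot for the pid file to be written, so create it before relying on this line; the pid file is also what a stop script would use instead of the page's pkill.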
11). Run OpenVPN on startup - Method 2: Service
For earlier versions of OpenVPN, the openvpn.init file is under sample-scripts/ in the source tree;
for example, in OpenVPN 2.2.2 it is at openvpn-2.2.2/sample-scripts/openvpn.init.
For later versions it is under distro/rpm/ (openvpn.init.d.rhel in the 2.3.12 tree used below).
To install:
- copy this file to /etc/rc.d/init.d/openvpn
- chkconfig --add openvpn
- mkdir /etc/openvpn
- make .conf or .sh files in /etc/openvpn (see below)
To stop the service: /etc/rc.d/init.d/openvpn stop
To start the service: /etc/rc.d/init.d/openvpn start
It's important to make sure only one .conf file exists in the /etc/openvpn folder, or it won't start the service.
[root@localhost openvpn]# cp /home/admin/tools/openvpn/openvpn-2.3.12/distro/rpm/openvpn.init.d.rhel /etc/rc.d/init.d/openvpn
[root@localhost openvpn]# chkconfig --add openvpn
[root@localhost openvpn]#