Installing openvpn on Linux Debian wheezy 7

I have installed openvpn on my Debian system so it's possible to surf the amprnet with my winhoos laptop. It works quite nicely.

In this description I do not give much text or explanation; there is plenty to be found on the internet about configuring openvpn.

apt-get update
apt-get install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
nano /etc/openvpn/server.conf

This is what I use; it's a simple setup.

# OpenVpn server.conf setup
port 1194
proto udp
dev tap

ca /etc/openvpn/ca.crt
cert /etc/openvpn/gw.pd2lt.crt
key /etc/openvpn/gw.pd2lt.key
dh /etc/openvpn/dh1024.pem

server 44.137.31.80 255.255.255.248
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 44.137.0.1"
push "route 44.0.0.0 255.0.0.0"
push "route 44.137.31.64 255.255.255.224"

keepalive 1800 4000

comp-lzo
max-clients 10

persist-key
persist-tun
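The server.conf above works, but a few of its settings are ones a defender would normally revisit before exposing port 1194 to the internet. The script below is an added example (not from this page, and not part of OpenVPN) that scans a server.conf with plain grep/awk and reports such settings: a DH file named for a 1024-bit group, no tls-auth/tls-crypt key protecting the control channel, compression switched on, and no user/group directives to drop root after startup. The two sample configs it writes are constructed for the demonstration; the first mirrors the directives shown above with shortened certificate paths.

```shell
#!/bin/sh
# Added review helper (not from the page): flag settings in an OpenVPN
# server.conf that a defender would normally revisit. All checks are plain
# text matching with grep/awk, so it runs without OpenVPN installed.

# conf_has FILE DIRECTIVE -> 0 when an uncommented line starts with DIRECTIVE
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_server_conf FILE -> prints one finding per line; exit status is the
# number of findings (0 = nothing flagged)
check_server_conf() {
    f=$1; n=0
    for d in ca cert key dh; do
        conf_has "$f" "$d" || { echo "missing required directive: $d"; n=$((n + 1)); }
    done
    # OpenVPN's sample config names the DH file after its bit length
    # (dh1024.pem, dh2048.pem); a 1024-bit group is below the usual 2048-bit minimum
    dhfile=$(awk '$1 == "dh" { print $2 }' "$f")
    case "$dhfile" in
        *1024*) echo "dh: 1024-bit group ($dhfile); use 2048 bits or more"; n=$((n + 1)) ;;
    esac
    # Without tls-auth/tls-crypt any host on the internet can start a TLS
    # handshake with the daemon; the pre-shared HMAC key drops such packets early
    conf_has "$f" tls-auth || conf_has "$f" tls-crypt ||
        { echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"; n=$((n + 1)); }
    # Compressing encrypted traffic is what the VORACLE attack exploited;
    # OpenVPN recommends leaving compression off
    conf_has "$f" comp-lzo && { echo "comp-lzo: compression enabled, prefer none"; n=$((n + 1)); }
    # Dropping privileges limits what a compromised daemon can do
    { conf_has "$f" user && conf_has "$f" group; } ||
        { echo "no user/group: daemon keeps root after startup"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample with the directives shown on this page (paths shortened)
write_page_like_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/gw.crt
key /etc/openvpn/gw.key
dh /etc/openvpn/dh1024.pem
server 44.137.31.80 255.255.255.248
comp-lzo
max-clients 10
persist-key
persist-tun
EOF
}

# Constructed hardened variant that passes every check above
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/gw.crt
key /etc/openvpn/gw.key
dh /etc/openvpn/dh2048.pem
tls-crypt /etc/openvpn/ta.key
user nobody
group nogroup
server 44.137.31.80 255.255.255.248
max-clients 10
persist-key
persist-tun
EOF
}
```

Run it as `check_server_conf /etc/openvpn/server.conf`; the exit status doubles as the number of findings, so it can be used from a deployment script. The page-like sample produces four findings, the hardened one none.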

Enable Packet Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
nano /etc/sysctl.conf

Change
#net.ipv4.ip_forward=1
to
net.ipv4.ip_forward=1

Save and exit

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
nano /etc/openvpn/easy-rsa/vars

Change these to your own needs.

export KEY_COUNTRY="NL"
export KEY_PROVINCE="Zeeland"
export KEY_CITY="Kortgene"
export KEY_ORG="packet-radio"
export KEY_EMAIL="packet ( @ ) packet-radio.net"
export KEY_OU="packet-radio"

In the same vars file, also edit this one line shown below.

# X509 Subject Field
export KEY_NAME="EasyRSA"

Also change this to your own needs.

# X509 Subject Field
export KEY_NAME="packet-radio"

Next

openssl dhparam -out /etc/openvpn/dh1024.pem 1024

Change to the easy-rsa directory

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server packet-radio

Hit ENTER to accept the defined default values.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Press ENTER to pass through each one.

Hit Y and ENTER

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

cp /etc/openvpn/easy-rsa/keys/{packet-radio.crt,packet-radio.key,ca.crt} /etc/openvpn
service openvpn start
service openvpn status

Generate Certificates and Keys for Clients

./build-key pd2lt

Press ENTER to accept the defaults.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Hit Y and ENTER

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/pd2lt.ovpn
nano /etc/openvpn/easy-rsa/keys/pd2lt.ovpn
client
remote server-ip 1194
ca c:\\certs\\ca.crt
cert c:\\certs\\pd2lt.crt
key c:\\certs\\pd2lt.key
ns-cert-type server
comp-lzo yes
dev tap
proto udp
nobind
auth-nocache
persist-key
persist-tun

Copy the files to the client computer into the c:\certs directory.

pd2lt.crt
pd2lt.key
pd2lt.ovpn
ca.crt
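Instead of copying four separate files to c:\certs, an OpenVPN client profile can carry the CA certificate, client certificate and key inline. The script below is an added example (not part of this page, OpenVPN or easy-rsa) that builds such a single-file profile from the easy-rsa keys directory, after checking that each file is a PEM object. It assumes the file names used above (ca.crt, pd2lt.crt, pd2lt.key) and takes the server address as a parameter. It uses `remote-cert-tls server`, which newer OpenVPN versions provide in place of `ns-cert-type server`, so the client refuses a peer whose certificate lacks the server key usage that build-key-server sets, and it leaves compression off.

```shell
#!/bin/sh
# Added example (not from the page): build one .ovpn with ca/cert/key inline
# from an easy-rsa keys directory. The PEM files used for testing are
# constructed placeholders, not real keys.

# pem_ok FILE -> 0 when FILE looks like a single PEM object
pem_ok() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN ' || return 1
    tail -n 1 "$1" | grep -q '^-----END ' || return 1
}

# build_profile KEYDIR NAME SERVER [PORT] -> prints the .ovpn on stdout,
# returns 1 (and prints nothing) when a PEM file is missing or malformed
build_profile() {
    dir=$1; name=$2; server=$3; port=${4:-1194}
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        pem_ok "$f" || { echo "bad or missing PEM file: $f" >&2; return 1; }
    done
    cat <<EOF
client
remote $server $port
dev tap
proto udp
nobind
auth-nocache
persist-key
persist-tun
# remote-cert-tls replaces the older ns-cert-type: only accept a peer whose
# certificate was issued for server use, so a stolen client certificate
# cannot be used to impersonate the server
remote-cert-tls server
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
EOF
}
```

Usage: `build_profile /etc/openvpn/easy-rsa/keys pd2lt <server-ip> > pd2lt.ovpn`, then copy only that one file to the client. Because the file now contains the private key, treat it with the same care as pd2lt.key.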

Policy based routing Amprnet

Set up an amprnet gateway with policy-based routing.

Take a look at this website for the explanation.
http://wiki.ampr.org/wiki/Startampr

############# tunnel ampr.org ################################
ifconfig tunl0 up 44.137.31.65/27 multicast
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
################# default route to gw-44-137.ampr.org ##################
ip route add default dev tunl0 via 213.222.29.194 onlink table 44
######################## route ampr.org #################################
ip rule add to 44.0.0.0/8 table 44 priority 44
ip rule add from 44.137.31.64/27 table 44 priority 45
# Xnet Route
ip route add 44.137.31.70 dev sl0 table 44 src 44.137.31.69
# Jnos Route
ip route add 44.137.31.67 dev tun0 table 44 src 44.137.31.68
ip rule add from 44.137.31.64/27 to 192.168.1.0/24 table main priority 22
ip rule add to 44.137.31.64/27 table main priority 44
ip rule add dev tunl0 table 44 priority 45
ip rule add dev eth0 table 44 priority 46
ip rule add from 44.137.31.64/27 table 44 priority 47
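The kernel walks the rules above in ascending priority and the first rule whose selectors all match chooses the routing table (`dev` in `ip rule` is the same selector as `iif`). The shell/awk simulator below is an added example, not part of the page or of iproute2: it takes the seven rules as listed and answers which table a packet with a given source, destination and incoming interface would hit, which is a quick way to sanity-check a rule set before loading it. Two simplifications are assumed and labelled in the code: rules with the same number (44 and 45 each occur twice above) are tried in the order listed, whereas ip-rule(8) asks for unique priorities and the kernel order is not something to rely on; and the fall-through that happens when the chosen table has no route for the destination is not modelled. Running it also makes visible that the `dev eth0` rule steers any forwarded packet arriving on eth0 for a non-44 address into table 44.

```shell
#!/bin/sh
# Added example (not from the page): simulate Linux policy-routing rule
# selection, first match in ascending priority. The rule list is transcribed
# from the page; the packets fed in are constructed test inputs.
# Not modelled: the kernel continues with the next rule when the selected
# table holds no route for the destination.

# Columns: priority  from(CIDR or -)  to(CIDR or -)  iif(name or -)  table
PAGE_RULES='
22 44.137.31.64/27 192.168.1.0/24 - main
44 - 44.0.0.0/8 - 44
44 - 44.137.31.64/27 - main
45 44.137.31.64/27 - - 44
45 - - tunl0 44
46 - - eth0 44
47 44.137.31.64/27 - - 44
'

# lookup_table SRC DST IIF -> prints the table of the first matching rule;
# use "-" as IIF for locally generated packets (no incoming interface).
# Falls back to "main", the implicit "from all lookup main" rule at 32766.
lookup_table() {
    printf '%s\n' "$PAGE_RULES" | awk -v src="$1" -v dst="$2" -v iif="$3" '
    function toint(a,  p) {
        split(a, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # in_cidr(ip, "a.b.c.d/n") -> 1 when ip lies inside the prefix;
    # an unset selector ("-") matches everything
    function in_cidr(ip, cidr,  c, s) {
        if (cidr == "-") return 1
        split(cidr, c, "/")
        s = 2 ^ (32 - c[2])            # size of one prefix block
        return int(toint(ip) / s) == int(toint(c[1]) / s)
    }
    NF == 5 { n++; pri[n] = $1; from[n] = $2; to[n] = $3; dev[n] = $4; tbl[n] = $5 }
    END {
        # stable insertion sort by priority: equal priorities keep listed order
        # (assumption; the kernel makes no such promise)
        for (i = 1; i <= n; i++) order[i] = i
        for (i = 2; i <= n; i++) {
            j = i
            while (j > 1 && pri[order[j - 1]] > pri[order[j]]) {
                t = order[j]; order[j] = order[j - 1]; order[j - 1] = t; j--
            }
        }
        for (k = 1; k <= n; k++) {
            i = order[k]
            if (in_cidr(src, from[i]) && in_cidr(dst, to[i]) && (dev[i] == "-" || dev[i] == iif)) {
                print tbl[i]; exit
            }
        }
        print "main"
    }'
}
```

Examples: `lookup_table 192.168.1.10 44.24.1.1 eth0` prints `44` (the `to 44.0.0.0/8` rule), `lookup_table 44.137.31.70 192.168.1.5 tun0` prints `main` (priority 22 wins), `lookup_table 192.168.1.10 8.8.8.8 eth0` prints `44` (the `dev eth0` rule), and `lookup_table 10.0.0.1 8.8.8.8 -` prints `main` because no rule matches a locally generated packet to a non-44 address.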

### STARTS THE ampr-ripd ROUTER DAEMON
# -s saves routes to /var/lib/ampr-ripd/encap.txt
# -r use raw socket instead of multicast
# -t routing table to use
# -i tunnel interface to use
# -p RIPv2 password (latest ampr-ripd defaults to the current valid password)
# -a ampr subnets to be ignored (remove your allocation from the table)
/usr/sbin/ampr-ripd -s -r -t 44 -i tunl0 -L pi1lap@jo11vn

Ampr Gateway

Configuration example of an Ampr Gateway. For this you need the following (small) program.
http://www.yo2loj.ro/hamprojects/ampr-ripd-1.15.tgz

I added this to the file /etc/rc.local so that it is loaded automatically when the system boots.

######################### tunnel ampr.org ################################
ifconfig tunl0 up 44.137.31.65/27 multicast
#ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
################# default route to gw-44-137.ampr.org ##################
ip route add default dev tunl0 via 213.222.29.194 onlink table 44
######################## route ampr.org #################################
ip rule add to 44.0.0.0/8 table 44 priority 44
ip rule add from 44.137.31.64/27 table 44 priority 45
route add -net 44.0.0.0 netmask 255.0.0.0 tunl0
ip route add 44.137.31.64/27 dev tunl0 table 44
## Start ampr-ripd to learn rest of mesh routes
/usr/sbin/ampr-ripd -r -s -i tunl0 -a (external IP address) -t 44 -p (password)

Apart from that I added a few rules to the firewall. (The experts will probably have remarks about it, but this works for me.)

-A INPUT -s 44.0.0.0/8 -j ACCEPT
# Block all non 44 incoming traffic
-A INPUT ! -s 44.0.0.0/8 -i tunl0 -j DROP
-A INPUT -i eth0 -p ipencap -j ACCEPT
-A INPUT -p udp --dport 520 -j ACCEPT
-A FORWARD -s 44.128.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 44.128.0.0/16 -j REJECT --reject-with icmp-port-unreachable
# Only allow ampr.org traffic ######
-A FORWARD -i tunl0 -o eth0 -s 44.0.0.0/8 -j ACCEPT
-A FORWARD -i eth0 -o tunl0 -d 44.0.0.0/8 -j ACCEPT
#####################################
-A FORWARD -d 44.0.0.0/8 -j ACCEPT
-A FORWARD -s 44.0.0.0/8 -j ACCEPT