Personal VPN on Fedora
Reindl Harald
h.reindl at thelounge.net
Sat Aug 20 09:38:25 UTC 2011
Am 20.08.2011 11:33, schrieb Manuel Escudero:
> Hi there:
>
> I was wondering if is there something like Hotspot Shield or TunnelBear for Linux
> or if not, How can I easily mount a VPN connection in Fedora?
>
> Have been reading a lot, but it's quite difficult :S
>
> OpenVPN is too difficult to Setup
what is there difficult?
you only need to generate the certs and a config like the following
and for the client nearly 1:1 the same config and you start openvpn
on the client automatically as service
cat /etc/openvpn/openvpn.conf
# We are working as server
mode server
tls-server
# Which TCP/UDP port should OpenVPN listen on?
port 1194
# TCP or UDP server?
proto udp
# Protocol options
tun-mtu 1500
mssfix
# TLS-based key negotiation; the older key-method 1 is obsolete.
key-method 2
# tun is an IP tunnel,
# tap an ethernet tunnel and used with bridges
dev tap0
# SSL/TLS root certificate (ca)
# certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
# The server and all clients will use the same ca file.
# Keep server.key readable by root only; the daemon reads it before dropping
# to 'nobody' (persist-key below keeps it usable across restarts).
# NOTE(review): there is no crl-verify directive here, so a client certificate
# that has been revoked on the CA would still be accepted until it expires.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# Extra HMAC on every control-channel packet: packets without a valid HMAC are
# dropped before any TLS processing, which keeps unauthenticated traffic away
# from the TLS stack.  The client uses the same ta.key with direction 1.
tls-auth /etc/openvpn/ta.key 0
# Diffie hellman parameters.
# NOTE(review): the filename suggests a 1024-bit group, which is below current
# recommendations (2048 bits or more); regenerate with a larger size.
dh /etc/openvpn/dh1024.pem
# auth method (HMAC for the data channel)
# NOTE(review): SHA1 is still accepted here, but SHA256 is the usual choice
# for new deployments.
auth SHA1
# encryption method
cipher AES-256-CBC
# TAP-Configuration
# server-bridge <bridge-ip> <netmask> <pool-start> <pool-end>: the first address
# is the one the bridge (br0) is given by the init script, and the pool should
# not overlap any DHCP range already used on the bridged LAN.
server-bridge 10.0.0.134 255.255.255.0 10.0.0.241 10.0.0.252
# Uncomment this directive to allow different
# clients to be able to "see" each other.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.
# NOTE(review): with this enabled a copied client key is indistinguishable from
# the legitimate one and cannot be revoked without cutting off every holder;
# issue one certificate per client and leave this off where possible.
duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
keepalive 10 120
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# NOTE(review): compressing traffic before encryption has since been shown to
# leak plaintext (VORACLE-class attacks); current guidance is to leave
# compression disabled on both ends.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 20
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Logging and chroot
# NOTE(review): the chroot target doubles as the log directory; a dedicated
# empty directory is the usual choice so the unprivileged process has nothing
# it can read or write inside its chroot.
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
chroot /var/log/openvpn
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages.
mute 20
# do not allow user-defined scripts
script-security 1
_____________
ok, a bridge service should also run on the server
cat /etc/init.d/openvpn-bridge
#!/bin/bash
# openvpn-bridge
# This shell script takes care of starting and stopping
# network-bridge on RedHat or other chkconfig-based system.
#
# chkconfig: - 23 76
#
# description:
# Start and stop ethernet-bridge for openvpn
# Requires package 'bridge-utils'
### BEGIN INIT INFO
# Provides: openvpn-bridge
# Required-Start: $network
# Required-Stop: $network
# Short-Description: start and stop openvpn-ethernet-bridge
# Description:
# This shell script takes care of starting and stopping
# network-bridge on RedHat or other chkconfig-based system.
### END INIT INFO
# Bridge and member interfaces.  $tap may list several TAP devices separated
# by whitespace; the functions below iterate over it unquoted on purpose.
br="br0"
tap="tap0"
# Physical NIC that is enslaved to the bridge; start_bridge sets it to 0.0.0.0
# and promiscuous mode, so its address moves to the bridge.
eth="eth1"
# Address the bridge takes over from $eth.  It must match the first argument
# of the 'server-bridge' directive in openvpn.conf (10.0.0.134 above).
eth_ip="10.0.0.134"
eth_netmask="255.255.255.0"
eth_broadcast="10.0.0.255"
# Default gateway; only referenced by the commented-out 'route add' lines below.
gw="10.0.0.1"
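#######################################
# Create the TAP device(s), enslave them and $eth to a new bridge $br, and
# move $eth's address onto the bridge.
# Globals:   br, tap, eth, eth_ip, eth_netmask, eth_broadcast (read)
# Returns:   0 on success; otherwise the status of the first failing command,
#            at which point no further steps are attempted
#######################################
start_bridge () {
  local t
  # $tap is a whitespace-separated list, so it is expanded unquoted on purpose.
  for t in $tap; do
    openvpn --mktun --dev "$t" || return
  done
  for t in $tap; do
    ifconfig "$t" 0.0.0.0 promisc up || return
  done
  # From here on the host is reachable only once $br is up with $eth_ip, so
  # every step is checked instead of silently continuing with a half-built
  # bridge; a failed TAP creation above never reaches this point.
  ifconfig "$eth" 0.0.0.0 promisc up || return
  brctl addbr "$br" || return
  brctl addif "$br" "$eth" || return
  for t in $tap; do
    brctl addif "$br" "$t" || return
  done
  ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" up || return
  # route add default gw $gw $br
}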
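#######################################
# Tear the bridge down and give $eth its address back.  Teardown is
# best-effort: each step is attempted even if an earlier one failed, so a
# half-built bridge (e.g. after a failed start) can still be cleaned up.
# Globals:   br, tap, eth, eth_ip, eth_netmask, eth_broadcast (read)
# Returns:   status of the final ifconfig that re-addresses $eth
#######################################
stop_bridge () {
  local t
  ifconfig "$br" down
  brctl delbr "$br"
  # $tap is a whitespace-separated list, so it is expanded unquoted on purpose.
  for t in $tap; do
    openvpn --rmtun --dev "$t"
  done
  # start_bridge put $eth into promiscuous mode; clear it again when the
  # address is restored so the NIC does not keep accepting every frame.
  ifconfig "$eth" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" -promisc up
  # route add default gw $gw $eth
}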
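# Dispatch on the init action.  start/stop report the outcome on the same
# line as the "Starting/Stopping" message (the original echo -n left the
# cursor mid-line with no result) and exit non-zero on failure so chkconfig
# and callers can see it.
case "$1" in
  start)
    echo -n "Starting Bridge"
    if start_bridge; then
      echo " [OK]"
    else
      echo " [FAILED]" >&2
      exit 1
    fi
    ;;
  stop)
    echo -n "Stopping Bridge"
    if stop_bridge; then
      echo " [OK]"
    else
      echo " [FAILED]" >&2
      exit 1
    fi
    ;;
  restart)
    stop_bridge
    # Give the kernel a moment to release the interfaces before re-creating them.
    sleep 2
    start_bridge
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac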
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20110820/c119aa95/attachment.bin