Personal VPN on Fedora

Reindl Harald h.reindl at thelounge.net
Sat Aug 20 09:38:25 UTC 2011



On 20.08.2011 11:33, Manuel Escudero wrote:
> Hi there:
> 
> I was wondering if there is something like Hotspot Shield or TunnelBear for Linux,
> or if not, how can I easily mount a VPN connection in Fedora?
> 
> Have been reading a lot, but it's quite difficult :S
> 
> OpenVPN is too difficult to set up

what is difficult there?
you only need to generate the certs and a config like the following,
and for the client nearly 1:1 the same config, and you start openvpn
on the client automatically as a service

cat /etc/openvpn/openvpn.conf
# We are working as server
mode server
tls-server

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
proto udp

# Protocol options
tun-mtu 1500
mssfix
key-method 2

# tun is an IP tunnel,
# tap an ethernet tunnel and used with bridges
dev tap0

# SSL/TLS root certificate (ca)
# certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
# The server and all clients will use the same ca file.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0

# Diffie hellman parameters.
dh /etc/openvpn/dh1024.pem

# auth method
auth SHA1

# encryption method
cipher AES-256-CBC

# TAP-Configuration
server-bridge 10.0.0.134 255.255.255.0 10.0.0.241 10.0.0.252

# Uncomment this directive to allow different
# clients to be able to "see" each other.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.
duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 20

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Logging and chroot
status /var/log/openvpn/openvpn-status.log
log  /var/log/openvpn/openvpn.log
chroot /var/log/openvpn

# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.
mute 20

# do not allow user-defined scripts
script-security 1
_____________

ok, a bridge service should also run on the server

cat /etc/init.d/openvpn-bridge
#!/bin/bash

# openvpn-bridge
# This shell script takes care of starting and stopping
# network-bridge on RedHat or other chkconfig-based system.
#
# chkconfig: - 23 76
#
# description:
# Start and stop ethernet-bridge for openvpn
# Requires package 'bridge-utils'

### BEGIN INIT INFO
# Provides: openvpn-bridge
# Required-Start: $network
# Required-Stop: $network
# Short-Description: start and stop openvpn-ethernet-bridge
# Description:
# This shell script takes care of starting and stopping
# network-bridge on RedHat or other chkconfig-based system.
### END INIT INFO

br="br0"
tap="tap0"
eth="eth1"
eth_ip="10.0.0.134"
eth_netmask="255.255.255.0"
eth_broadcast="10.0.0.255"
gw="10.0.0.1"

start_bridge () {
 for t in $tap; do
  openvpn --mktun --dev $t
 done

 for t in $tap; do
  ifconfig $t 0.0.0.0 promisc up
 done

 ifconfig $eth 0.0.0.0 promisc up

 brctl addbr $br
 brctl addif $br $eth

 for t in $tap; do
  brctl addif $br $t
 done

 ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
 # route add default gw $gw $br
}



stop_bridge () {
 ifconfig $br down
 brctl delbr $br
 for t in $tap; do
  openvpn --rmtun --dev $t
 done

 ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
 # route add default gw $gw $eth
}



case "$1" in
 start)
   echo -n "Starting Bridge"
   start_bridge
   ;;
 stop)
   echo -n "Stopping Bridge"
   stop_bridge
   ;;
 restart)
   stop_bridge
   sleep 2
   start_bridge
   ;;
 *)
   echo "Usage: $0 {start|stop|restart}" >&2
   exit 1
   ;;
esac
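What "nearly 1:1 the same config" comes down to in practice, as an added example that is not from the original post: a POSIX shell script that derives the client config from a server config like the one above and then checks the directives both peers must agree on (proto, cipher, auth, comp-lzo, device type, tls-auth key direction), since OpenVPN reports a mismatch there only as a failed handshake. The hostname vpn.example.org and the client.crt/client.key paths are assumptions.

```shell
#!/bin/sh
# Derive a client config from a server config like the one above, then check the
# directives both peers must agree on. SERVER_CONF is a constructed sample.
SERVER_CONF='tls-server
port 1194
proto udp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
auth SHA1
cipher AES-256-CBC
server-bridge 10.0.0.134 255.255.255.0 10.0.0.241 10.0.0.252
comp-lzo'
# make_client_conf HOST < server.conf > client.conf: drop server-only directives,
# point cert/key at the client's own pair (assumed paths), flip tls-auth 0 -> 1.
make_client_conf() {
  awk -v host="$1" '
    BEGIN { split("mode tls-server dh server-bridge client-to-client " \
                  "duplicate-cn max-clients status log chroot", s, " ")
            for (i in s) skip[s[i]] = 1; port = 1194
            print "client"; print "tls-client"; print "nobind" }
    /^[ \t]*(#|$)/ || ($1 in skip) { next }
    $1 == "port"     { port = $2; next }
    $1 == "cert"     { print "cert /etc/openvpn/client.crt"; next }
    $1 == "key"      { print "key /etc/openvpn/client.key"; next }
    $1 == "tls-auth" { $NF = 1 }
    { print }
    END { print "remote " host " " port }'
}
# directive FILE NAME: print NAME's arguments ("" if it has none, "absent" if missing)
directive() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; found = 1; exit }
                 END { if (!found) print "absent" }' "$1"
}
# check_compat server.conf client.conf: fail on the first directive the peers
# disagree on. OpenVPN shows such mismatches only as handshake or packet errors.
check_compat() {
  for d in proto cipher auth comp-lzo tun-mtu mssfix; do
    s=$(directive "$1" "$d"); c=$(directive "$2" "$d")
    [ "$s" = "$c" ] || { echo "$d: server='$s' client='$c'" >&2; return 1; }
  done
  s=$(directive "$1" dev | cut -c1-3); c=$(directive "$2" dev | cut -c1-3)
  [ "$s" = "$c" ] || { echo "dev type: server='$s' client='$c'" >&2; return 1; }
  s=$(directive "$1" tls-auth); c=$(directive "$2" tls-auth)  # same key, 0 vs 1
  [ "$s" != "$c" ] && [ "${s% 0}" = "${c% 1}" ] ||
    { echo "tls-auth: server='$s' client='$c'" >&2; return 1; }
}
```

Run it as `make_client_conf vpn.example.org < /etc/openvpn/openvpn.conf > client.conf` and then `check_compat /etc/openvpn/openvpn.conf client.conf`; a non-zero exit names the first directive that differs.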
