Install

• sudo apt install openvpn

Server

Create DH Key

• cd /etc/openvpn
• openssl dhparam -out dh2048.pem 2048

Selbstsigniertes Zertifikat

• Selbstsigniertes Zertifikat
• Zertifikat der Zertifizierungsstelle

/etc/openvpn/ca.crt

• Zertifikat des Servers

/etc/openvpn/frieda.xx.de.crt

• Privater Schlüssel des Servers

/etc/openvpn/frieda.xx.de.key

Server Config

• vi /etc/openvpn/server.conf

#Router Modus
dev tun
mode server
tls-server
#Port 
port 5000
topology subnet
#Transit Netz
server 172.31.2.0 255.255.255.0
#Pushs an die Clients
push "route 10.82.228.0 255.255.255.0"
push "dhcp-option DOMAIN xx.de"
push "dhcp-option DNS 8.8.8.8"
#Symetrisches Protokoll
cipher AES-256-CBC
#maximale Transmit Unit der Verbindung
link-mtu 1542
status /tmp/cool-vpn.status
keepalive 10 30
#Die Clients können sich untereinander erreichen
client-to-client
#maximale Anzahl
max-clients 150
verb 3
#Diffie Hellman Key
dh /etc/openvpn/dh2048.pem
#Zertifikat der Zertifizierungsstelle
ca /etc/openvpn/ca.crt
#Zertifikat des Servers
cert /etc/openvpn/frieda.xx.de.crt
#Privater Schlüssel des Servers
key /etc/openvpn/frieda.xx.de.key
verify-client-cert none
compress
persist-key
persist-tun
#Konfig Verzeichnis der Clients
client-config-dir client
username-as-common-name
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login

Manueller Start

• openvpn --config server.conf

2022-09-07 09:21:01 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256- GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to - - data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-07 09:21:01 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept 
clients which do not present a certificate
2022-09-07 09:21:01 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] 
[MH/PKTINFO] [AEAD] built on May 14 2021
2022-09-07 09:21:01 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-09-07 09:21:01 net_route_v4_best_gw query: dst 0.0.0.0
2022-09-07 09:21:01 net_route_v4_best_gw result: via XX.59.156.161 dev eth0
2022-09-07 09:21:01 PLUGIN AUTH-PAM: initialization succeeded (fg)
2022-09-07 09:21:01 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so 
'[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [/etc/pam.d/login]' 
intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
2022-09-07 09:21:01 Diffie-Hellman initialized with 2048 bit key
2022-09-07 09:21:01 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 
1500 (currently it is 1420)
2022-09-07 09:21:01 TUN/TAP device tun0 opened
2022-09-07 09:21:01 PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded
2022-09-07 09:21:01 net_iface_mtu_set: mtu 1420 for tun0
2022-09-07 09:21:01 net_iface_up: set tun0 up
2022-09-07 09:21:01 net_addr_v4_add: 172.31.2.1/24 dev tun0
2022-09-07 09:21:01 Could not determine IPv4/IPv6 protocol. Using AF_INET
2022-09-07 09:21:01 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-07 09:21:01 UDPv4 link local (bound): [AF_INET][undef]:5000
2022-09-07 09:21:01 UDPv4 link remote: [AF_UNSPEC]
2022-09-07 09:21:01 MULTI: multi_init called, r=256 v=256
2022-09-07 09:21:01 IFCONFIG POOL IPv4: base=172.31.2.2 size=252
2022-09-07 09:21:01  Initialization Sequence Completed  

Automatischer Start

• systemctl enable openvpn --now

openvpn und iptables

• iptables und openvpn