Setting up openvpn & bind for use in the amazon’s servers

Launch instance and associate address in Elastic IP’s (using ubuntu server os)

$ aptitude update
$ aptitude install openvpn – installing openvpn
$ aptitude install bind9  – bind (for internal ip resolved for domain names)
$ aptitude install iptables-persistent  – iptables-persistent (soft for easy tune iptables) 

$ cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
$ cp openssl-1.0.0.cnf openssl.cnf – copy config if not exists openssl.cnf (I’ve got it out after installation)
$ chmod +x vars
$ source ./vars – loads variables
$ ./clean-all – deletу all from key dir
$ ./build-ca – create a private key and the Centre Authority certificate on the basis of which will certify other keys issued
$ ./build-key-server server – generate server key
$ ./build-dh – generation file DH (Diffie–Hellman’s algorithm)

$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt /etc/openvpn/keys/
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt /etc/openvpn/keys/
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key /etc/openvpn/keys/
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/keys/

$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

edit server.conf
$ vim /etc/openvpn/server.conf

# OpenVPN server config file
local #listen ip (внутренний ip amazon)
port 1194 #listen port
proto tcp #using protocol
dev tun #interface name
server #ip adress pull for openvpn clients
keepalive 10 120 #retrive connections
comp-lzo #traffic compression
management localhost 7505 #open port 7505 for monitoring by telnet

# Keys and certificates.
ca   /etc/openvpn/keys/ca.crt # locate the self-signed trusted certificate (CA)
key  /etc/openvpn/keys/server.key # location of the private key of the server# This file should be kept secret.
cert /etc/openvpn/keys/server.crt # locate the server certificate
dh   /etc/openvpn/keys/dh1024.pem # Diffli-Helman file location
#crl-verify /etc/openvpn/keys/crl.pem # need for user certificate revoke

ifconfig-pool-persist /etc/openvpn/ipp.txt

# user under which runs openvpn
user root
group root

# avoid accessing certain resources on restart
# current client connections
status /etc/openvpn/openvpn-status.log

# logging settings.
log-append  /var/log/openvpn.log
verb 1  # don’t spam the log with messages.
mute 10  # suppress identical messages > 10 occurances.

script-security 1
push “route” # add route to client
push “dhcp-option DNS” # add internal DNS server ip

edit iptables rules
$ vim /etc/iptables/rules.v4

# Generated by iptables-save v1.4.12 on Wed Dec  4 15:23:43 2013
:INPUT ACCEPT [85:5100]
:OUTPUT ACCEPT [18:1249]
-A POSTROUTING -s -j SNAT –to-source eth0 #or use internal ip if need
# Completed on Wed Dec  4 15:23:43 2013
# Generated by iptables-save v1.4.12 on Wed Dec  4 15:23:43 2013
:INPUT ACCEPT [1519:231593]
:OUTPUT ACCEPT [1348:175229]
# Completed on Wed Dec  4 15:23:43 2013

$ iptables-save
$ /etc/init.d/iptables-persistent stop
$ /etc/init.d/iptables-persistent start

Enable packet forwarding for IPv4
$ vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4

$ echo 1 > /proc/sys/net/ipv4/conf/all/forwarding allow forwarding without reboot

edit bind server config
$ vim /etc/bind/named.conf

acl internals {;};
options {
      directory “/var/cache/bind”;
      forwarders {
      listen-on {
auth-nxdomain no;    # conform to RFC1035
allow-query {internals;};
allow-transfer {internals;};
#include “/etc/bind/named.conf.options”;
include “/etc/bind/named.conf.local”;
include “/etc/bind/named.conf.default-zones”;

$ /etc/init.d/bind9 stop
$ /etc/init.d/bind9 start
$ /etc/init.d/openvpn stop
$ /etc/init.d/openvpn start

1194 allow incoming port in Amazon Security Group

$ ./build-key-pkcs12 user1 generate key with name user1 (we need this file user1.p12 later)

for revoke sertificate
$ ./revoke-full user1
crl-verify /etc/openvpn/keys/crl.pem in /etc/openvpn/server.conf

crl.pem file will appear in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
create symbolic link for it
$ ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/crl.pem /etc/openvpn/keys/crl.pem

setting up macos client

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 1194
;remote my-server-2 1194
# Keep trying indefinitely to resolve the

host name of the OpenVPN server.  Very useful

on machines which are not permanently connected

to the internet such as laptops.

resolv-retry infinite

# Most clients don’t need to bind to
# a specific local port number.

# Try to preserve some state across restarts.

# SSL/TLS parms.
# See the server config file for more
# description.  It’s best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key
pkcs12 user1.p12

# Enable compression on the VPN link.
# Don’t enable this unless it is also
# enabled in the server config file.

# Set log file verbosity.
verb 3

change name of the folder to company_name.tblk

setting up windows client

required program OpenVPN GUI
copy key file user1.p12 and config file config.ovpn to C:\Program Files\OpenVPN\config

Leave a comment