Most of the server setup came from here and the config file and routing setup came from here.
This setup has been tested on Ubuntu 8.04, but should work for most debian-based linux distros. For redhat or other linux distros, substitute yum for apt-get. This tutorial uses the 10.44.77.0 network for openvpn and the 10.44.78.0 network for pptp. Any private network should work as long as the same subnet is not in use on the server or client's existing networks.
OPENVPN SERVER SETUP:
1. Install OpenVPN on the server:
$ apt-get install openvpn openssl2. Set up OpenVPN:
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/ $ cd /etc/openvpn/ $ mkdir keys3. Create keys:
$ nano vars (edit the last section) $ source ./vars $ ./clean-all $ ./build-ca $ ./build-key-server server $ ./build-key client $ ./build-dh4. Repeat the $ ./build-key [client name] line to create additional client keys
5. Create Server Config File:
$ nano server.confInsert the following text in server.conf:
dev tun proto tcp port 1194 ca /etc/openvpn/keys/ca.crt # Path of ca.crt file you generated cert /etc/openvpn/keys/server.crt # Path of certificate you generated key /etc/openvpn/keys/server.key # Path of key file you generated dh /etc/openvpn/keys/dh1024.pem # Path of dh file you generated user nobody group nogroup server 10.44.77.0 255.255.255.0 # Any private subnet not currently in use persist-key persist-tun #status openvpn-status.log verb 3 client-to-client push "dhcp-option DOMAIN ###.###.###.###" # Server public IP or domain name push "dhcp-option DNS 220.127.116.11" # Primary dns server (opendns shown) push "dhcp-option DNS 18.104.22.168" # Secondary dns server (opendns shown) push "redirect-gateway" # Directs all traffic through your VPN #log-append /var/log/openvpn #comp-lzo6. Make OpenVPN start automatically (debian-based instructions only):
$ nano /etc/default/openvpnUncomment or add the following line:
AUTOSTART="all"7. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s 10.44.77.0/24 -o eth0 -j MASQUERADE8. Allow IP Forwarding:
Edit the file /etc/sysctl.conf
$ nano proc/sys/net/ipv4/ip_forward Uncomment the following line:
net.ipv4.ip_forward = 19. Restart OpenVPN and Networking:
$ /etc/init.d/networking restart $ /etc/init.d/openvpn restart
OPENVPN CLIENT SETUP:
1. Copy the ca.crt and the client key and cert files to the client computer.
2. Create a client config file with the extension '.conf':
3. Insert the following text: (Note: for windows clients, the paths will look like "C:\Program Files\OpenVPN\Config\ca.crt")
client dev tun proto tcp remote ###.###.###.### 1194 # Server IP address or domain name remote-cert-tls server resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun ca /etc/openvpn/keys/ca.crt # Path of ca.crt you generated cert /etc/openvpn/keys/client.crt # Path of client certificate you generated key /etc/openvpn/keys/client.key # Path of client key you generated #comp-lzo verb 3
4. Start OpenVPN using the client software of your choice:
If you're using an Ubuntu client:
Place your *.conf file and keys in "/etc/openvpn/" and run
$ /etc/init.d/openvpn startIf you're using a windows client.
Place your *.conf and keys in "C:\Program Files\OpenVPN\Config".
Start OpenVPN in windows services.
IPOD/IPHONE VPN SETUP (PPTPD)
1. Install pptpd:
$ apt-get install pptpd
2. Edit /etc/pptpd.conf and change the following lines as shown:
localip 10.44.78.1 remoteip 10.44.78.2-1003. Edit /etc/ppp/chap-secrets and add new users as follows:
# Secrets for authentication using CHAP # client server secret IP addresses username1 pptpd password1 10.44.78.2 username2 pptpd password2 10.44.78.34. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s 10.44.78.0/24 -o eth0 -j MASQUERADE5. To allow dns routing, edit /etc/ppp/pptpd-options and uncomment/edit the following lines (the DNS addresses can be whatever you want - opendns shown):
ms-dns 22.214.171.124 ms-dns 126.96.36.199
CHECK NEW VPN SERVER
To check your VPN connection, open a web browser and navigate to http://whatismyip.com or http://getip.com. Your IP address should be the same as the VPN server.