picoenterprise:openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
picoenterprise:openvpn [2013/12/01 15:07] Olivier Brugman [install openvpn server] |
picoenterprise:openvpn [2013/12/01 18:57] (current) Olivier Brugman [configuration openvpn server] |
||
|---|---|---|---|
| Line 27: | Line 27: | ||
| In case you have a lot of users, you might want to store their credentials in LDAP instead of creating separate user accounts on the openvpn server. Check our existing [[hannibal:ldap-auth|Hannibal documentation]] on howto configure pam and nss to connect to an LDAP backend. | In case you have a lot of users, you might want to store their credentials in LDAP instead of creating separate user accounts on the openvpn server. Check our existing [[hannibal:ldap-auth|Hannibal documentation]] on howto configure pam and nss to connect to an LDAP backend. | ||
| + | |||
| ====install openvpn server==== | ====install openvpn server==== | ||
| Line 62: | Line 63: | ||
| openvpn --genkey --secret ta.key | openvpn --genkey --secret ta.key | ||
| + | |||
| + | Openvpn stores the IP addresses it dynamically assignes to clients in a file (cfm. the 'ifconfig-pool-persist' directive in server.conf as described in the next chapter): | ||
| + | |||
| + | cd /etc/openvpn | ||
| + | touch ipp.txt | ||
| + | chown nobody.nogroup ipp.txt | ||
| + | |||
| + | Create an openvpn status log file: | ||
| + | |||
| + | touch openvpn-status.log | ||
| + | |||
| + | |||
| + | In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in subdirectory /etc/openvpn/jail | ||
| + | Openvpn needs access to /dev and /tmp directories within the chroot. | ||
| + | |||
| + | mkdir -p /etc/openvpn/jail/dev | ||
| + | mkdir -p /etc/openvpn/jail/tmp | ||
| + | chown -R nobody.nogroup /etc/openvpn/jail/tmp | ||
| + | chmod -R 770 /etc/openvpn/jail/tmp | ||
| + | |||
| + | As soon as openvpn will run chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot. | ||
| + | |||
| + | echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf | ||
| + | |||
| + | service rsyslog restart | ||
| + | |||
| + | |||
| + | ====configuration openvpn server==== | ||
| The main configuration file for openvpn is /etc/openvpn/server.conf | The main configuration file for openvpn is /etc/openvpn/server.conf | ||
| Line 96: | Line 125: | ||
| </code> | </code> | ||
| - | + | Now our openvpn server setup should be ready! Restart the service: | |
| - | Openvpn stores the IP addresses it dynamically assignes to clients in a file (cfm. the 'ifconfig-pool-persist' directive in server.conf): | + | |
| - | + | ||
| - | cd /etc/openvpn | + | |
| - | touch ipp.txt | + | |
| - | chown nobody.nogroup ipp.txt | + | |
| - | + | ||
| - | Create an openvpn status log file: | + | |
| - | + | ||
| - | touch openvpn-status.log | + | |
| - | + | ||
| - | + | ||
| - | In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in subdirectory /etc/openvpn/jail | + | |
| - | Openvpn needs access to /dev and /tmp directories within the chroot. | + | |
| - | + | ||
| - | mkdir -p /etc/openvpn/jail/dev | + | |
| - | mkdir -p /etc/openvpn/jail/tmp | + | |
| - | chown -R nobody.nogroup /etc/openvpn/jail/tmp | + | |
| - | chmod -R 770 /etc/openvpn/jail/tmp | + | |
| - | + | ||
| - | As soon as openvpn will run chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot. | + | |
| - | + | ||
| - | echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf | + | |
| - | + | ||
| - | service rsyslog restart | + | |
| - | + | ||
| - | + | ||
| - | Now our openvpn server configuration should be ready! Restart the service: | + | |
| service openvpn restart | service openvpn restart | ||
picoenterprise/openvpn.1385906868.txt.gz · Last modified: 2013/12/01 15:07 by Olivier Brugman
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
