OpenVPN for Llamas
From WikiMarkBallew
It's Defcon. People want to hax0r you. You probably want to make it slightly harder. This method is the simplest way of getting OpenVPN up and running, forwarding all traffic over a point-to-point VPN connection. It's easy to set up (just start the server end before you leave), the client script is easy to switch on and off, and it shouldn't require any special hacking once you get there (i.e., it automagically figures out your gateway).
(Warning: automagic probably only works in Linux. If not fully satisfied, please return unused portion of automagic for a full refund.)
Set up the server (i.e., any reachable off-site machine):
server# apt-get install openvpn    # (or your favorite equivalent)
server# openvpn --genkey --secret /etc/openvpn/static.key
server# echo 1 >/proc/sys/net/ipv4/ip_forward
server# iptables -t nat -A POSTROUTING -j MASQUERADE
And the server's command file:
#! /bin/sh
set -e
VPNCLIENTINTIP="10.82.111.2"
VPNSERVERINTIP="10.82.111.1"
VPNKEYFILE="/etc/openvpn/static.key"
VPNUSER="nobody"    # unprivileged user openvpn drops to once the tunnel is up
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin:/usr/bin:/bin"
case "$1" in
start)
    # Point-to-point tun with a static pre-shared key; --daemon backgrounds
    # after init, --user drops root (the user name is not an argument to --daemon).
    openvpn --daemon --user "${VPNUSER}" --dev tun \
        --ifconfig "${VPNSERVERINTIP}" "${VPNCLIENTINTIP}" --secret "${VPNKEYFILE}"
    ;;
stop)
    killall openvpn
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0
Now set up the client:
client# apt-get install openvpn    # (or your favorite equivalent)
client# scp root@server:/etc/openvpn/static.key /etc/openvpn/
And the client's command file:
#! /bin/sh
set -e
VPNEXTERNALIP="1.2.3.4"    # (your server's IP here)
VPNCLIENTINTIP="10.82.111.2"
VPNSERVERINTIP="10.82.111.1"
VPNKEYFILE="/etc/openvpn/static.key"
VPNUSER="nobody"    # unprivileged user openvpn drops to once the tunnel is up
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin:/usr/bin:/bin"
case "$1" in
start)
    # Bring up the tunnel first; --daemon only returns after the tun device is configured.
    openvpn --daemon --user "${VPNUSER}" --remote "${VPNEXTERNALIP}" --dev tun \
        --ifconfig "${VPNCLIENTINTIP}" "${VPNSERVERINTIP}" --secret "${VPNKEYFILE}"
    # Current default gateway (the ISP's), taken from the 0.0.0.0 line of route -n.
    ISPGW="$(route -n | egrep "^0.0.0.0" | awk '{print $2}')"
    if [ -z "${ISPGW}" ]; then echo "ERROR: no default gateway found"; exit 1; fi
    # Keep a host route to the VPN server via the ISP gateway so the tunnel's own
    # packets don't get sent into the tunnel, then move the default route onto it.
    route add "${VPNEXTERNALIP}" gw "${ISPGW}"
    route del default gw "${ISPGW}"
    route add default gw "${VPNSERVERINTIP}"
    ;;
stop)
    # Recover the ISP gateway from the host route added in start.
    ISPGW="$(route -n | egrep "^${VPNEXTERNALIP}" | awk '{print $2}')"
    if [ -z "${ISPGW}" ]; then echo "ERROR: no host route to ${VPNEXTERNALIP} found"; exit 1; fi
    route del default gw "${VPNSERVERINTIP}"
    route add default gw "${ISPGW}"
    route del "${VPNEXTERNALIP}" gw "${ISPGW}"
    killall openvpn
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0
Voila.
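A quick way to confirm that "all traffic" really is going through the tunnel after running the client script's start branch: check that the default route points at the VPN server's internal IP and that a host route to the VPN endpoint still leaves via some other gateway (without it, the tunnel's own packets would be routed into the tunnel). The script below is an added example, not part of the original page; it parses route -n output with the same VPNEXTERNALIP / VPNSERVERINTIP values as the client script, and the three routing tables it uses are constructed, not captured.

```shell
#! /bin/sh
# Added example: sanity-check the routing table the client script should leave
# behind. Values match the page's client script (1.2.3.4 is the page's placeholder).
set -e
VPNEXTERNALIP="1.2.3.4"
VPNSERVERINTIP="10.82.111.1"

# Print the gateway of the default route (reads `route -n` output on stdin).
default_gateway() {
    awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Print the gateway of the host route (/32) to destination $1, if any.
host_route_gateway() {
    awk -v dst="$1" '$1 == dst && $3 == "255.255.255.255" { print $2; exit }'
}

# Return 0 when table $1 (route -n text) sends everything through the tunnel:
# default via the VPN server's internal IP ($3), and a host route to the VPN
# endpoint ($2) via a gateway other than the tunnel itself.
vpn_table_ok() {
    table="$1"; ext="$2"; srv="$3"
    def="$(printf '%s\n' "$table" | default_gateway)"
    via="$(printf '%s\n' "$table" | host_route_gateway "$ext")"
    [ "$def" = "$srv" ] || return 1
    [ -n "$via" ] && [ "$via" != "$srv" ] || return 1
    return 0
}

# Constructed table: the client before `start` (default via the ISP gateway).
BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed table: after a successful `start` (default moved onto tun0,
# host route to the endpoint kept via the ISP gateway).
AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.82.111.1     0.0.0.0         UG    0      0        0 tun0
1.2.3.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
10.82.111.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed failure mode: default moved, but the host route to the endpoint
# is missing, so the tunnel's own packets would be routed into the tunnel.
BROKEN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.82.111.1     0.0.0.0         UG    0      0        0 tun0
10.82.111.1     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Print a one-line verdict for a labelled table.
verdict() {
    if vpn_table_ok "$2" "$VPNEXTERNALIP" "$VPNSERVERINTIP"; then
        echo "$1: OK, default route goes through the tunnel"
    else
        echo "$1: WARNING, traffic is NOT going through the VPN"
    fi
}

verdict before "$BEFORE"
verdict after  "$AFTER"
verdict broken "$BROKEN"
# On a live client, run:  verdict live "$(route -n)"
```

Running it after start on the real box (verdict live "$(route -n)") should print the OK line; the "broken" table shows the case the host route in the client script exists to prevent.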
