Installing and configuring the OpenVPN client on Debian 8 Jessie


Preface


I have a Linux server in a data centre with the IP address 1.1.1.1, and it is to connect to the VPN server 2.2.2.2. Replies sent from 1.1.1.1 (that is, traffic belonging to connections that arrive on the WAN address) and all packets to 3.3.3.3 are to be routed directly over the WAN interface (eth0). All other traffic is to go through the VPN tunnel.

Installation


Install OpenVPN with the following command:
apt-get install openvpn


Configuration


OpenVPN


Create a new configuration for the client:
nano /etc/openvpn/client.conf
client
dev tun
proto udp
remote 2.2.2.2 443
resolv-retry infinite
nobind
persist-key
persist-tun
# relative paths resolve against /etc/openvpn, the working directory the Debian init script uses
ca ca.crt
cert 4b42.crt
key 4b42.key
cipher AES-256-CBC
tls-auth ta.key 1
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
# rejects a server whose certificate lacks nsCertType=server; this directive is
# deprecated, the replacement is "remote-cert-tls server", which checks the
# serverAuth extended key usage instead (only works if the server cert carries it)
ns-cert-type server
# compresses data before encryption; leave it out unless the server requires it
comp-lzo
verb 3

Copy ca.crt, 4b42.crt, 4b42.key and ta.key to /etc/openvpn and make the private material readable by root only:
chmod 0600 /etc/openvpn/4b42.key /etc/openvpn/ta.key
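
The following pre-flight script is an added example and not part of the original page. It checks what the configuration above relies on before the service is started: every file named by ca, cert, key and tls-auth exists, the private material (key and ta.key) is not readable by group or others, and the client certificate actually belongs to the client key (compared via their public keys with openssl). It also warns about the two directives discussed in the comments, ns-cert-type and comp-lzo. It assumes the article's layout, client.conf and its files under /etc/openvpn with relative names; the file names and the --check switch are this example's own.

```shell
#!/bin/sh
# Pre-flight check for the OpenVPN client configuration above.
# Added example, not part of the original page. Assumes the article's layout:
# client.conf and the files it names (ca.crt, 4b42.crt, 4b42.key, ta.key) live
# under /etc/openvpn and relative names resolve against that directory.

# file_mode FILE: permission bits in octal, e.g. 600 (GNU/busybox stat)
file_mode() { stat -c '%a' "$1"; }

# private_ok FILE: succeed only when group and others have no access at all
private_ok() {
    case "$(file_mode "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# cfg_value CONF DIRECTIVE: first argument of DIRECTIVE, empty if absent
cfg_value() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# cfg_has CONF DIRECTIVE: succeed when DIRECTIVE occurs in CONF
cfg_has() { awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"; }

# resolve CONF NAME: path of NAME as OpenVPN opens it (relative to CONF's directory)
resolve() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# cert_key_match CERT KEY: succeed when KEY is the private half of CERT's public key
cert_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# preflight CONF: 0 when every referenced file is readable, private material is
# mode x00 and cert/key belong together; warnings do not change the result
preflight() {
    conf=$1 rc=0
    for d in ca cert key tls-auth; do
        f=$(cfg_value "$conf" "$d")
        if [ -z "$f" ] || [ ! -r "$(resolve "$conf" "$f")" ]; then
            echo "FAIL $d: '$f' missing or unreadable"; rc=1
        fi
    done
    for d in key tls-auth; do
        p=$(resolve "$conf" "$(cfg_value "$conf" "$d")")
        if [ -f "$p" ] && ! private_ok "$p"; then
            echo "FAIL $d: $p is mode $(file_mode "$p"), want 0600"; rc=1
        fi
    done
    cert=$(resolve "$conf" "$(cfg_value "$conf" cert)")
    key=$(resolve "$conf" "$(cfg_value "$conf" key)")
    if command -v openssl >/dev/null 2>&1 && [ -f "$cert" ] && [ -f "$key" ]; then
        cert_key_match "$cert" "$key" || { echo "FAIL cert and key do not match"; rc=1; }
    fi
    cfg_has "$conf" ns-cert-type &&
        echo "WARN ns-cert-type is deprecated; use 'remote-cert-tls server' if the server cert has the serverAuth EKU"
    cfg_has "$conf" comp-lzo &&
        echo "WARN comp-lzo compresses traffic before encryption; drop it unless the server requires it"
    return $rc
}

# usage: sh preflight.sh --check [/path/to/client.conf]
if [ "${1:-}" = "--check" ]; then preflight "${2:-/etc/openvpn/client.conf}"; fi
```

Run it as root after copying the files; a non-zero exit means OpenVPN would either refuse to start or start with key material other users can read. The cert/key comparison works for RSA and EC keys alike because it compares the derived public keys rather than an RSA modulus.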


Interfaces


Adjust the network configuration. The ip rule and ip route lines at the end send replies from 1.1.1.1 and packets for 3.3.3.3 through table 128, whose default route points at the WAN gateway rather than the tunnel; the matching pre-down lines remove them again, otherwise every networking restart re-runs the post-up lines and leaves duplicate rules behind. Note that 3.3.3.3/24 selects the whole 3.3.3.0/24 network; use 3.3.3.3/32 if only that single host should bypass the tunnel.
nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 1.1.1.1
netmask 255.255.255.255
broadcast 1.1.1.1
post-up route add 192.0.2.254 dev eth0
post-up route add default gw 192.0.2.254
pre-down route del 192.0.2.254 dev eth0
pre-down route del default gw 192.0.2.254
# policy routing: keep WAN replies and the 3.3.3.3 exception off the tunnel
post-up ip rule add from 1.1.1.1 table 128
post-up ip rule add to 3.3.3.3/24 table 128
post-up ip route add table 128 to 192.0.2.254 dev eth0
post-up ip route add table 128 default via 192.0.2.254
pre-down ip route flush table 128
pre-down ip rule del to 3.3.3.3/24 table 128
pre-down ip rule del from 1.1.1.1 table 128


Firewall


Create an ifupdown hook that rebuilds the rule set each time an interface is brought up. The two public addresses in it are the author's: 195.154.123.82 is the VPN server (2.2.2.2 in the preface) and must match the remote line in client.conf.
nano /etc/network/if-up.d/iptables
#!/bin/bash
#-----------------------------------------------------------------------#
# Copyright 2006-2014 by Kevin Bühl <kevin@buehl.biz>                    #
#                                                                       #
# No part of this website or any of its contents may be reproduced,     #
# copied, modified or adapted, without the prior written consent of     #
# the author, unless otherwise indicated for stand-alone materials.     #
# For more Information visit www.4b42.com.                              #
# This notice must be untouched at all times.                           #
#-----------------------------------------------------------------------#

#-----------------------------------------------------------------------#
# 2015-10-12 Kevin Bühl created
#-----------------------------------------------------------------------#
# ifupdown runs this hook for every interface it brings up (lo, eth0);
# the rule set is rebuilt from scratch each time, so repeated runs are harmless.
# drop all input, output and forwarded packets unless explicitly allowed;
# set the policies before flushing so the host is never open while rules are rebuilt
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
# remove all rules
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow 4b42 networks
iptables -A INPUT -s 188.165.2.254 -j ACCEPT
iptables -A OUTPUT -d 188.165.2.254 -j ACCEPT
# the only traffic allowed to leave eth0 outside the tunnel: the OpenVPN
# channel to the VPN server (udp 443, matching "remote 2.2.2.2 443" in client.conf)
iptables -A INPUT -s 195.154.123.82 -p udp --sport 443 -j ACCEPT
iptables -A OUTPUT -d 195.154.123.82 -p udp --dport 443 -j ACCEPT
# allow all to vpn: everything inside the tunnel is accepted in both directions,
# so the VPN side is fully trusted; tighten the INPUT rule if other VPN clients
# can reach this host through the server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

Make the hook executable, otherwise ifupdown silently skips it:
chmod +x /etc/network/if-up.d/iptables


Restart


Now restart the services (on Jessie the init scripts hand over to systemd, as the output shows):
/etc/init.d/networking restart && /etc/init.d/openvpn restart
[ ok ] Restarting networking (via systemctl): networking.service.
[ ok ] Restarting openvpn (via systemctl): openvpn.service.


Note


Because the VPN server pushes the default route, the client routes all traffic through the VPN tunnel. Packets that arrive on eth0 for 1.1.1.1 would then be answered through the tunnel instead of eth0 (asymmetric routing), so the server is only reachable via the VPN (2.2.2.2) and no longer via 1.1.1.1. The ip rule and ip route lines in /etc/network/interfaces fix this: replies from 1.1.1.1 and packets to 3.3.3.3 are looked up in table 128, whose default route points at the WAN gateway.
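
The script below is an added example, not part of the original page; it verifies on the running host that the policy routing described in this note does what it should. It uses `ip route get` for four lookups (other traffic must leave via tun0, traffic from 1.1.1.1 and to 3.3.3.3 via eth0, and the VPN server itself via eth0, otherwise the tunnel could not be built) and counts duplicated entries in `ip rule show`, the symptom left behind when the post-up lines are re-run on a networking restart without matching pre-down lines. The addresses and device names are the article's (1.1.1.1/eth0, 2.2.2.2, 3.3.3.3, tun0, table 128); the probe address 8.8.8.8 stands for any public host outside both exceptions and is an assumption of this example, as is the --check switch.

```shell
#!/bin/sh
# Policy-routing check for the split described in the note above.
# Added example, not part of the original page. Assumed values are the ones
# the article uses: WAN address 1.1.1.1 on eth0, VPN server 2.2.2.2, tunnel
# device tun0, exception host 3.3.3.3 and table 128; PROBE is any public
# address that is neither exception.
WAN_IP=1.1.1.1
WAN_DEV=eth0
VPN_SERVER=2.2.2.2
VPN_DEV=tun0
EXCEPT_HOST=3.3.3.3
PROBE=8.8.8.8

# route_dev OUTPUT: egress device named in one `ip route get` result
# (empty when the lookup failed, e.g. "RTNETLINK answers: Network is unreachable")
route_dev() { printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'; }

# route_table OUTPUT: table that answered the lookup; `ip route get` only
# prints "table N" for non-main tables, so an unnamed table is main
route_table() {
    t=$(printf '%s\n' "$1" | sed -n 's/.* table \([^ ]*\).*/\1/p')
    printf '%s\n' "${t:-main}"
}

# dup_rule_count OUTPUT: number of rule bodies in `ip rule show` output that
# occur more than once (priority prefix "NNN:" stripped before comparing)
dup_rule_count() {
    printf '%s\n' "$1" | sed 's/^[0-9]*:[[:space:]]*//' | sort | uniq -d | wc -l | tr -d ' '
}

# check_route LABEL OUTPUT WANT_DEV: succeed when the lookup leaves via WANT_DEV
check_route() {
    got=$(route_dev "$2")
    if [ "$got" = "$3" ]; then
        printf 'PASS %-30s dev %s via table %s\n' "$1" "$got" "$(route_table "$2")"
        return 0
    fi
    printf 'FAIL %-30s dev %s, expected %s\n' "$1" "${got:-none}" "$3"
    return 1
}

# verify_live: run the four lookups and the duplicate-rule check on this host
verify_live() {
    rc=0
    check_route "other traffic -> VPN"         "$(ip route get "$PROBE" 2>/dev/null)" "$VPN_DEV" || rc=1
    check_route "from $WAN_IP -> WAN"          "$(ip route get "$PROBE" from "$WAN_IP" 2>/dev/null)" "$WAN_DEV" || rc=1
    check_route "to $EXCEPT_HOST -> WAN"       "$(ip route get "$EXCEPT_HOST" 2>/dev/null)" "$WAN_DEV" || rc=1
    check_route "VPN server $VPN_SERVER -> WAN" "$(ip route get "$VPN_SERVER" 2>/dev/null)" "$WAN_DEV" || rc=1
    dups=$(dup_rule_count "$(ip rule show)")
    if [ "$dups" -eq 0 ]; then
        echo "PASS no duplicated ip rule entries"
    else
        echo "FAIL $dups ip rule entries are duplicated (add matching pre-down 'ip rule del' lines)"
        rc=1
    fi
    return $rc
}

# usage: sh check_routing.sh --check   (as root, after the services are restarted)
if [ "${1:-}" = "--check" ]; then verify_live; fi
```

Run it once with the tunnel up and once after `/etc/init.d/networking restart`: the second run is what exposes accumulated duplicate rules. The `from 1.1.1.1` lookup works without `iif` only because 1.1.1.1 is a local address, which is exactly the case the note describes.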