We also need to copy some files to our client machine. You can use WinSCP to do this on Windows, the scp
command on Linux, or Cyberduck on Mac OS X. Start up your SCP client, connect to the server using the IP address and root credentials you used for the SSH session, and copy these files to your client system:
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/remote1.crt
/etc/openvpn/easy-rsa/keys/remote1.key
These will be used to connect to your VPN server.
Now, we need to create our OpenVPN configuration file. We move to the /etc/openvpn directory, and create a new file (with Nano):
root@localhost:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn
root@localhost:/etc/openvpn # nano vpnserver.conf
Then copy and paste this configuration:
port 10000
proto udp
dev-type tun
dev vpnclient
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
comp-lzo
duplicate-cn
server 10.200.200.0 255.255.255.0
client-to-client
keepalive 10 120
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
persist-key
persist-tun
user nobody
group nogroup
log openvpn.log
verb 1
Save the file (Ctrl-O) and exit. Note that if you want to use a different DNS server, you can change the 8.8.8.8 in the example to a server located at your VPS provider, or any DNS server you wish. The 8.8.8.8 server is Google's DNS server.
We're almost done with the server. We just need to configure routing and network address translation:
root@localhost:/etc/openvpn # echo "1" > /proc/sys/net/ipv4/ip_forward
root@localhost:/etc/openvpn # /sbin/iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
And we need to make these changes persist after a reboot. To do this, we edit /etc/sysctl.conf. To open the file with Nano:
root@localhost:/etc/openvpn # nano /etc/sysctl.conf
Remove the # at the beginning of the line reading:
net.ipv4.ip_forward=1
Then save the file.
We also need to add the iptables line to be run at startup. A quick way to do this is to add it to /etc/rc.local:
root@localhost:/etc/openvpn # nano /etc/rc.local
Above the line reading "exit 0", paste the iptables command:
/sbin/iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
The server configuration is now complete. Let's start/restart the OpenVPN service:
root@localhost:/etc/openvpn # service openvpn restart
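As an added example, not part of the original guide: a small POSIX shell script that checks the server setup from the steps above. It reads the VPN subnet from vpnserver.conf, confirms that net.ipv4.ip_forward=1 is uncommented in sysctl.conf and that the MASQUERADE rule for that subnet sits above "exit 0" in rc.local (where it will actually run), and flags directives a reviewer would question: 1024-bit DH parameters, comp-lzo (OpenVPN has since deprecated tunnel compression), duplicate-cn and client-to-client. The sample files it runs against are constructed, abridged stand-ins for /etc/openvpn/vpnserver.conf, /etc/sysctl.conf and /etc/rc.local, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: post-install checks for the OpenVPN server.
# The sample files created below are constructed stand-ins for the real /etc files.

# First argument of a directive ("" if absent)
conf_get() { # $1=config file  $2=directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Dotted-quad netmask -> prefix length by counting set bits: 255.255.255.0 -> 24
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { x = $i; while (x > 0) { n += x % 2; x = int(x / 2) } }
        print n }'
}

# VPN subnet in CIDR form, from the "server NETWORK NETMASK" directive
vpn_subnet() { # $1=config file
    awk '$1 == "server" { print $2, $3; exit }' "$1" | {
        read -r net mask
        printf '%s/%s\n' "$net" "$(mask_to_prefix "$mask")"
    }
}

# Succeeds if net.ipv4.ip_forward=1 is present and not commented out
forward_persisted() { # $1=sysctl.conf
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Succeeds if an uncommented MASQUERADE rule for the subnet appears before "exit 0"
nat_persisted() { # $1=rc.local  $2=subnet in CIDR form
    awk -v s="$2" '
        /^[ \t]*exit[ \t]+0/ { exit }
        /^[ \t]*#/ { next }
        /iptables/ && /POSTROUTING/ && /MASQUERADE/ && index($0, "-s " s) { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# One finding per line for directives a reviewer would question; always returns 0
audit_conf() { # $1=config file
    case "$(conf_get "$1" dh)" in
        *1024*) echo "WEAK-DH: 1024-bit DH parameters; generate 2048-bit or larger" ;;
    esac
    grep -Eq '^[[:space:]]*comp-lzo' "$1" && echo "COMPRESSION: comp-lzo is enabled; OpenVPN has deprecated tunnel compression, remove it"
    grep -Eq '^[[:space:]]*duplicate-cn' "$1" && echo "DUPLICATE-CN: clients may share one certificate, so per-client revocation and accounting are lost"
    grep -Eq '^[[:space:]]*client-to-client' "$1" && echo "CLIENT-TO-CLIENT: connected clients can reach each other; drop it unless intended"
    grep -Eq '^[[:space:]]*user[[:space:]]+nobody' "$1" || echo "PRIVDROP: no 'user nobody' line; the daemon keeps root after startup"
    return 0
}

# Full report: "ok:" lines for checks that passed, one line per problem otherwise
check_server() { # $1=vpnserver.conf  $2=sysctl.conf  $3=rc.local
    subnet=$(vpn_subnet "$1")
    if forward_persisted "$2"; then echo "ok: ip_forward persisted in $2"
    else echo "MISSING: uncommented net.ipv4.ip_forward=1 in $2"; fi
    if nat_persisted "$3" "$subnet"; then echo "ok: MASQUERADE for $subnet persisted in $3"
    else echo "MISSING: MASQUERADE rule for $subnet above 'exit 0' in $3"; fi
    audit_conf "$1"
}

# --- constructed sample files (abridged copies of the files from the guide) ---
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/vpnserver.conf" <<'EOF'
port 10000
proto udp
dh dh1024.pem
comp-lzo
duplicate-cn
server 10.200.200.0 255.255.255.0
client-to-client
user nobody
group nogroup
EOF
cat >"$SAMPLE_DIR/sysctl.conf" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
EOF
cat >"$SAMPLE_DIR/rc.local" <<'EOF'
#!/bin/sh -e
/sbin/iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
exit 0
EOF
# Same rule pasted below "exit 0", where it never runs: the mistake the guide warns about
cat >"$SAMPLE_DIR/rc.local.wrong" <<'EOF'
#!/bin/sh -e
exit 0
/sbin/iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE
EOF

check_server "$SAMPLE_DIR/vpnserver.conf" "$SAMPLE_DIR/sysctl.conf" "$SAMPLE_DIR/rc.local"
echo "--- same server, rule pasted below exit 0 ---"
check_server "$SAMPLE_DIR/vpnserver.conf" "$SAMPLE_DIR/sysctl.conf" "$SAMPLE_DIR/rc.local.wrong"
```

On the real server, call check_server with /etc/openvpn/vpnserver.conf, /etc/sysctl.conf and /etc/rc.local; every line that does not start with "ok:" is something to fix before relying on the tunnel.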
The way this is configured, a tunnel device will be created on the server, and the address 10.200.200.1 will be assigned to that device. When a client connects to the server, the client will be assigned an address in the 10.200.200.0/24 network, and all routes will be configured on the client to permit data to pass through the encrypted tunnel to the server-side tunnel interface. Then, the net.ipv4.ip_forward value will allow the VPN server to route that traffic through its public network interface, and (based on the iptables command) NAT will translate traffic from the VPN through the single public IP address. In short, all traffic from a connecting client will be routed through the VPN server.