Found this thread on HF; I want to use it later, so I'm just going to store it here for future use. (If this is alright.)
Note: This doesn't affect SEO in any way because, from what I've found out, anything under a spoiler is shown as a spoiler on Google. (Correct me if I'm wrong.)
(03-16-2012 03:59 AM)kaotik2003 Wrote: I remember when I had to buy a VPN service to go online without being traced, or to access services only available in other countries, and after a while the VPN did not work. So I built my own VPN on my VPS running CentOS, and it rocks. Now I will share with you guys how to set up a fast and very secure OpenVPN server.
Requirements:
You will need to buy a VPS with a vanilla install of CentOS 32-bit as the OS. The minimum memory is 64 MB, but I would recommend 128 MB to be on the safe side. You will buy a VPS with an IP in the country you wish to see content from. For example, if you want to watch Hulu or other American-restricted content, you will buy a VPS with an IP located in the USA. If you want to watch BBC content, you will need to buy a VPS from UK hosting companies. If you just want to bypass content filters in your country, then any VPS outside your country will do.
You will also need to download and install PuTTY if you are going to do it on a Windows machine; on Unix you just need the terminal.
Step 1
Log in to your VPS using PuTTY or the terminal.
![[Image: putty-login.jpg]](http://91.68.209.10/bmi/tipupdate.com/wp-content/uploads/2011/07/putty-login.jpg)
In the terminal just run
and type in the password.
![[Image: putty-screen.jpg]](http://91.68.209.10/bmi/tipupdate.com/wp-content/uploads/2011/07/putty-screen.jpg)
Step 2
You also need to ensure that the TUN/TAP interface is installed and enabled by your VPS provider. In order to check whether TUN/TAP is installed or not, issue the following command and look at the output. If the output is something like "File Descriptor is in bad state", then TUN/TAP is installed. Otherwise contact your VPS provider to install it, or to install it correctly.
![[Image: tun-tap-installed.jpg]](http://91.68.209.9/bmi/tipupdate.com/wp-content/uploads/2011/07/tun-tap-installed.jpg)
Step 2
In order to install the OpenVPN server on the VPS we need to add an extra repository named EPEL. Issue the following commands to add the repository on CentOS 32-bit and install the package (the later steps copy easy-rsa and the sample config files out of it).
Code:
rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum update
yum install openvpn   # provides /usr/share/openvpn/easy-rsa and the sample-config-files used below
Step 3
OpenVPN uses easy-rsa as its encryption tools. In order for them to work correctly, they need to be moved to the openvpn directory. Issue the following command.
Code:
cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn
Step 4
Next we need to configure the public key infrastructure variables. This is about the time you learn the basic commands of the Linux text editor called vi. Issue the following command.
Code:
vi /etc/openvpn/easy-rsa/2.0/vars
In order to edit the file, hit the letter i on your keyboard. This will put the editor into insert mode. At the end of the file change the email to an email of your choice. Leave the other options as they are, or you can increase your export key size to 2048 like I did, and add a name for your VPN. After finishing editing hit the escape button, then write :wq and hit enter. Your changes will be saved.
![[Image: pki-variables.jpg]](http://91.68.209.12/bmi/tipupdate.com/wp-content/uploads/2011/07/pki-variables.jpg)
Now is the time to initialize the public key infrastructure and build our own Certificate Authority. Issue the following commands one by one.
Code:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars        # only vars is sourced: it exports KEY_* into the current shell
/etc/openvpn/easy-rsa/2.0/clean-all     # the remaining scripts are executed, not sourced (clean-all empties keys/)
/etc/openvpn/easy-rsa/2.0/build-ca
After the last command you will be presented with different options; just keep on hitting the enter button, because we have already set the values in the previous step 4.
![[Image: public-key-infrastructure-one.jpg]](http://91.68.209.11/bmi/tipupdate.com/wp-content/uploads/2011/07/public-key-infrastructure-one.jpg)
![[Image: public-key-infrastructure-two.jpg]](http://tipupdate.com/wp-content/uploads/2011/07/public-key-infrastructure-two.jpg)
Now for the tls-auth directive, which adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:
Code:
openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key   # written next to the other keys so the copy in Step 9 finds it
This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines.
Step 6
In this step we are going to build the server key and certificate. Issue the following command.
Code:
/etc/openvpn/easy-rsa/2.0/build-key-server server
Just hit enter as many times as asked, and twice you will need to enter y when offered the y/n options.
![[Image: server-key-generated.jpg]](http://tipupdate.com/wp-content/uploads/2011/07/server-key-generated.jpg)
Step 7
In the next step we are going to create the client keys. Issue the following command.
Code:
/etc/openvpn/easy-rsa/2.0/build-key "client"
As in the previous step, just hit enter as many times as asked, and y twice.
If you would like to password-protect your client keys, substitute the build-key-pass script.
Code:
/etc/openvpn/easy-rsa/2.0/build-key-pass "client"
Note: If you are going to create multiple clients, change the client name to any name that will help you distinguish the clients, like "Tony", "Marc", etc.
![[Image: client1-key-created.jpg]](http://91.68.209.9/bmi/tipupdate.com/wp-content/uploads/2011/07/client1-key-created.jpg)
Step 8
In this step we are going to generate the Diffie-Hellman parameters, which are needed for key exchange and authentication with the OpenVPN server on the VPS. Issue the following command.
Code:
/etc/openvpn/easy-rsa/2.0/build-dh
It will take some time (more with the 2048 size) and you will see the following output.
![[Image: Diffie-Hellman-Parameters.jpg]](http://91.68.209.9/bmi/tipupdate.com/wp-content/uploads/2011/07/Diffie-Hellman-Parameters.jpg)
Step 9
Next we need to relocate the following files to the /etc/openvpn directory on the VPS server:
- ca.crt
- ca.key
- dh1024.pem or dh2048.pem
- server.crt
- server.key
- ta.key
We can do so by issuing the following commands one by one (use the dh file matching the key size you chose in Step 4).
Code:
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem server.crt server.key ta.key /etc/openvpn
OR
Code:
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh2048.pem server.crt server.key ta.key /etc/openvpn
Step 10
In this step we are going to configure the client.conf file on the VPS server, which we will subsequently use to connect to the OpenVPN server. Issue the following commands.
Code:
cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/openvpn-2.1.4/sample-config-files/client.conf ~/
cd ~/
Next we need to edit the client.conf file. Issue the following command
Here we will edit the IP or DNS name of the VPS server and change client.crt and client.key to "Tony".crt and "Tony".key (the name you previously used for each client).
![[Image: editing-client.conf-server-ip2.jpg]](http://91.68.209.10/bmi/tipupdate.com/wp-content/uploads/2011/07/editing-client.conf-server-ip2.jpg)
Also choose the cipher: remove the semicolon and write the cipher name instead of X; I recommend AES-256-CBC.
Remove the semicolon before the tls-auth line to activate it.
Next we are going to edit the server.conf file. Issue the following command
Code:
vi /etc/openvpn/server.conf
In order to tunnel traffic through the VPS server, uncomment the following lines by deleting the starting semicolon (the cipher line is not in the sample file, so it has to be written in):
Code:
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC                 # not in the sample file; add this line
tls-auth ta.key 0
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"   # or use the OpenDNS servers
If you chose 2048 bits previously for DH, change the line
to
and save the file with :wq
Step 11
Now is the time to start the OpenVPN server and make it start after a reboot as well. Issue the following commands.
Code:
/etc/init.d/openvpn start
chkconfig openvpn on
Next issue the following command
Code:
vi /etc/sysctl.conf
Change
Code:
net.ipv4.ip_forward = 0
to
Code:
net.ipv4.ip_forward = 1
Now we set this variable for the current session by issuing the following command.
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Next we need to configure iptables for NATing the traffic through the VPS. Issue the following commands one by one.
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 130.xx.xxx.xx
Instead of 130.xx.xxx.xx above, use your own VPS IP.
Step 12
Next issue the following command to make these iptables rules permanent.
Edit the file and make it look like this
Instead of 130.xx.xxx.xx above, use your own VPS IP.
Step 13
In this step we are going to relocate the client keys to the client PC. You will need the WinSCP client to transfer the keys to any folder of your choice on your computer using the SFTP protocol. You will need your VPS IP and the root login and password to log in using WinSCP.
![[Image: keys-moved-to-pc.jpg]](http://91.68.209.10/bmi/tipupdate.com/wp-content/uploads/2011/07/keys-moved-to-pc.jpg)
Finally we restart the OpenVPN server by issuing the following command.
Code:
/etc/init.d/openvpn restart
Now on the client side, on your PC, you need to download the OpenVPN client and install it. That I will not cover, but you can ask anytime.
Images from hxxp://tipupdate.com with some changes made by me
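As an added example (not part of kaotik2003's post and not OpenVPN project code), the following POSIX shell script does the Step 10 server.conf edits and the Step 11 forwarding/NAT rules non-interactively and checks the result. `harden_server_conf` turns a sample-config server.conf into the form the post describes (redirect-gateway pushed, AES-256-CBC, tls-auth with key direction 0, pushed DNS, dh2048.pem when a 2048-bit key size was built), `check_server_conf` refuses a file where any of those directives is still `;`-commented, and `nat_rules` only substitutes the VPS address into the SNAT rule after validating it as a dotted-decimal IPv4 address, so a typo or a stray shell character never reaches iptables. The server.conf excerpt and the 203.0.113.10 address are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive versions of the
# server.conf edits in Step 10 and the forwarding/NAT rules in Step 11.

# Constructed excerpt in the shape of the OpenVPN 2.1 sample server.conf;
# ';'-prefixed lines are commented out, as they are in the shipped sample.
SAMPLE_SERVER_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC
;cipher AES-128-CBC
;cipher DES-EDE3-CBC
comp-lzo
persist-key
persist-tun'

# harden_server_conf [key_size]: server.conf on stdin, edited file on stdout.
# Uncomments the redirect-gateway and DNS pushes, enables tls-auth (direction 0),
# drops the weaker commented-out ciphers, appends AES-256-CBC and points the dh
# directive at the parameter file matching the key size from Step 8.
harden_server_conf() {
    key_size=${1:-1024}
    sed -e 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' \
        -e 's/^;push "dhcp-option DNS /push "dhcp-option DNS /' \
        -e 's/^;tls-auth ta\.key 0.*/tls-auth ta.key 0/' \
        -e '/^;cipher /d' \
        -e "s/^dh dh1024\\.pem/dh dh${key_size}.pem/"
    echo 'cipher AES-256-CBC'   # the sample offers no AES-256 line to uncomment
}

# check_server_conf: server.conf on stdin; returns 0 only when every directive
# the post enables is present and active (no leading ';').
check_server_conf() {
    conf=$(cat)
    for directive in 'push "redirect-gateway def1 bypass-dhcp"' \
                     'push "dhcp-option DNS ' 'tls-auth ta.key 0' 'cipher AES-256-CBC'; do
        printf '%s\n' "$conf" | grep -q "^$directive" || {
            echo "check_server_conf: missing active directive: $directive" >&2
            return 1
        }
    done
    if printf '%s\n' "$conf" | grep -q '^;cipher '; then
        echo "check_server_conf: commented-out cipher lines still present" >&2
        return 1
    fi
    return 0
}

# valid_ipv4 ADDR: exactly four dotted-decimal octets, each 0-255, nothing else.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nat_rules VPS_IP: prints the Step 11 forwarding and SNAT rules for the
# 10.8.0.0/24 VPN subnet. Nothing is applied here; pipe the output to sh once
# reviewed. A malformed address is rejected before it is substituted.
nat_rules() {
    vps_ip=$1
    valid_ipv4 "$vps_ip" || {
        echo "nat_rules: '$vps_ip' is not an IPv4 address" >&2
        return 1
    }
    cat <<EOF
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $vps_ip
EOF
}

# Demonstration on the constructed sample. On the VPS you would run instead:
#   harden_server_conf 2048 < /etc/openvpn/server.conf > server.conf.new
#   check_server_conf < server.conf.new && mv server.conf.new /etc/openvpn/server.conf
#   nat_rules 130.xx.xxx.xx | sh
printf '%s\n' "$SAMPLE_SERVER_CONF" | harden_server_conf 2048 | check_server_conf \
    && echo "sample server.conf hardened OK"
nat_rules 203.0.113.10
```

Run it as `sh script.sh`; it prints the four iptables commands for the sample address without touching the system. Keeping the rules as printed text rather than executing them inside the function is deliberate: the address check and a visual review both happen before anything reaches `iptables`, and the same output can be pasted into the file that Step 12 makes permanent.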