This article describes how to set up an OpenVPN server with Alpine Linux. This is an ideal solution for allowing single users or devices to remotely connect to your network.

It is recommended you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: Wikipedia. If your Internet-connected machine doesn't have a static IP address, No-ip can be used for resolving DNS names to IP addresses.

Follow Installation to set up Alpine Linux.

    echo "tun" > /etc/modules-load.d/tun.conf
    echo "_forward = 1" > /etc/sysctl.d/nf

One of the first things that needs to be done is to make sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating SSL certs with ACF. It is a best practice not to have your certificate server on the same machine as the router being used for remote connectivity.

You will need to create a server certificate (ssl_server_cert) for the server and one client certificate (ssl_client_cert) for each client. To use the certificates, you should download the.

    openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
    openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem

To get the private key file out (make sure the key stays private):

    openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem

On the VPN server, you can also install the acf-openvpn package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie-Hellman parameters. If you would prefer to generate your certificates using OpenVPN utilities, see #Alternate Certificate Method.

Configure OpenVPN server
(Instructions are based on /howto.html#server)

Example configuration file for server. Place the following content in /etc/openvpn/nf:

    cert /etc/openvpn/easy-rsa/keys/Server.crt  # SWAP WITH YOUR CRT NAME
    key /etc/openvpn/easy-rsa/keys/Server.key   # SWAP WITH YOUR KEY NAME
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem    # If you changed to 2048, change that here!

Start the server with:

    openvpn --config /etc/openvpn/nf

Configure OpenVPN client
(Instructions are based on /howto.html#client)

In the client configuration:

    ns-cert-type server  # This means the certificate on the OpenVPN server needs to have this field.

Don't forget to save all your settings if you are running a RAM-based system:

    lbu commit

More than one server or client

If you want more than one server or client running on the same Alpine box, use the standard Multiple Instances of Services process. For example, to create a config named "AlphaBravo":

Create an appropriate /etc/openvpn/nf file, but name it "/etc/openvpn/nf".

Create a new symlink of the init.d script:

    ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo

Have the new service start automatically:

    rc-update add openvpn.AlphaBravo

Alternate Certificate Method

Manual Certificate Commands

Initial setup for administering certificates
(Instructions are based on /howto.html#pki)

The following instructions assume you want to save your configs, certs and keys in /etc/openvpn/keys. Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands.

    apk add easy-rsa  # from the community repo

If not already done, create a folder where you will save your certificates and save a copy of your /usr/share/easy-rsa/vars for later use.

The instructions below are for EasyRSA v2:

If not already done, edit /etc/openvpn/keys/vars (this file is used for defining paths and other standard settings). Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys". Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to match your system.

    echo 00 > /etc/openvpn/keys/serial

Set up a 'Certificate Authority' (CA).

    build-key-server

Set up an 'OpenVPN Client'

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration.

For an OpenVPN instance running inside an LXC guest (here named mylxc), create the tun device node in the guest's rootfs:

    mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200
    chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun

In /var/lib/lxc/mylxc/config, allow the guest access to the tun character device (major 10, minor 200):

    = c 10:200 rwm

This should work both as server and as client. LXC guests have their /dev recreated on each restart in a tmpfs.
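As an added defender's check, not code from the original how-to: a small Python linter for the configuration points this page raises (the dh1024 vs 2048 comment, the ns-cert-type directive, and enabling CRL verification after revoke-full). The sample config is constructed here and modelled on the page's server snippet; the dh size check only inspects the file name.

```python
import re

# Constructed sample, modelled on this page's server config snippet (not a real deployment).
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt  # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key   # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem    # If you changed to 2048, change that here!
ns-cert-type server
"""


def parse_conf(text):
    """Map each directive to its argument list (first occurrence wins).
    OpenVPN treats '#' and ';' as comment starters, so both are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name, args)
    return conf


def lint(text):
    """Return a list of findings; an empty list means nothing to flag."""
    conf = parse_conf(text)
    findings = []
    for directive in ('ca', 'cert', 'key', 'dh'):
        if directive not in conf:
            findings.append(f"missing '{directive}' directive")
    # Heuristic on the file name only (dh1024.pem vs dh2048.pem); the real check is the file itself.
    dh_name = (conf.get('dh') or [''])[0]
    m = re.search(r'dh(\d+)\.pem$', dh_name)
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh params look like {m.group(1)}-bit; regenerate at 2048 bits or more")
    if 'crl-verify' not in conf:
        findings.append("no 'crl-verify': the crl.pem produced by revoke-full is not consulted, "
                        "so revoked client certificates still connect")
    if 'ns-cert-type' in conf:
        findings.append("'ns-cert-type' is deprecated (removed in OpenVPN 2.5); "
                        "use 'remote-cert-tls' instead")
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF):
        print('-', finding)
```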