Tuesday, July 12, 2011

How to Make VPS


Nowadays a lot of which can be used to create a vpn server from starting a direct form of hardware up to the only form of application, from the expensive to the free.

OpenVPN is a VPN application is free (opensource) is quite reliable. Some sources say OpenVPN is in fact not the safest but if the data must be transferred between two or more networks are not too sensitive like more than enough moreover OpenVPN OpenVPN is also very easy to install.

Here I will just tell you about the installation steps OpenVPN on FreeBSD. Although probably could have used some of his tricks on Linux or * nix like any other OS.

Ok long story rather than let's start it.

First OpenVPN on FreeBSD can be found in the folder / usr / ports / security / openvpn, which is required usually lzo library lib but since I installed it through the ports, then all the dependencies will automatically be installed.

For installation please follow these steps (all performed by root)

cd / usr / ports / security / openvpn
make config
Make the build
make install clean

Performed the above steps so that you have a chance to see what happens at each step. Actually you can just change directory and typing make install clean immediately.

After the installation process goes wrong and no significant errors, then input the following line to / etc / rc.conf with your favorite text editor.

openvpn_enable = "YES"

Now we will create a config file to be placed in the folder / usr / local / etc / openvpn if the folder does not exist yet please make advance with the command

mkdir / usr / local / etc / openvpn

Then please move to the folder and start creating openvpn.conf file with your favorite text editor.

cd / usr / local / etc / openvpn
pico openvpn.conf

Now please enter the following sample config.

# Specify device
dev tun

# # The server and client IP Pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca / usr / local / etc / openvpn / keys / ca.crt
cert / usr / local / etc / openvpn / keys / server.crt
key / usr / local / etc / openvpn / keys / server.key
dh / usr/local/etc/openvpn/keys/dh1024.pem

# Routes to client
push "route 192.168.0.0 255.255.255.0"
# Compression VPN link
comp-lzo

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user / group nobody user nobody
group nobody
daemon

Save the file above, and we continue with cerificates. Copy the script to create a certificate from the folder / usr / local / share / doc / openvpn manner as follows (examples copied it to the folder / home / giest please be replaced with your user).

cp-r / usr / local / share / doc / openvpn / easy-rsa / home / guest /
cd / home / guest / easy-rsa

After successfully copying easy-rsa scripts then please adan edit the vars file with your favorite editor and adjust purposes (without dieditpun no problems then you will be given only a few questions over and over again). Here are examples of parts that you need to edit.

export KEY_COUNTRY = ID
export KEY_PROVINCE = "ENGLAND"
export KEY_CITY = LONDON
export KEY_ORG = "GUEST-VPN"
export KEY_EMAIL = "admin@guest.org"

Then we moved from the FreeBSD default shell (usually tcsh) to sh or bash first. If you do not move the shell I guarantee you will not succeed in making certificates for openvpn.

To switch to sh or bash please type the following command.

sh

Once you move the shell follow the steps below.

. vars
NOTE: Pls you run. / Clean-all, I Will be doing a rm-rf on / usr / home / Guest / easy-rsa / keys
. / Clean-all
. / Build-ca
Generating a 1024 bit RSA private key
....................................++++++
..............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information That Will be incorporated
into your certificate request.
What you are about to enter is what is Called a Distinguished Name or a DN.
There are quite a Few fields but you can leave some blank
For some fields there Will be a default value,
If you enter '.,' Will the field be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [ENLAND]:
Locality Name (eg, city) [LONDON]:
Organization Name (eg, company) [GUEST-VPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [admin@guest.org]:

Ok as you can see you are required to answer some questions, but because previously I've edit the file vars so I can just hit enter to use the default answer.

Next is to build certificate and key follow the steps below

. / Build-key-server server
Generating a 1024 bit RSA private key
..........++++++
.................................................. ++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information That Will be incorporated
into your certificate request.
What you are about to enter is what is Called a Distinguished Name or a DN.
There are quite a Few fields but you can leave some blank
For some fields there Will be a default value,
If you enter '.,' Will the field be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [ENGLAND]:
Locality Name (eg, city) [LONDON]:
Organization Name (eg, company) [GUEST-VPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: SERVER
Email Address [admin@guest.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 123456
An optional company name []: ARSENAL
Using configuration from / usr / home / Guest / easy-rsa / openssl.cnf
Check That the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : P RINTABLE: 'ID'
stateOrProvinceName: P RINTABLE: 'ENGLAND'
localityName : RINTABLE: 'LONDON'
OrganizationName : RINTABLE: 'GUEST-VPN'
commonName : RINTABLE: 'SERVER'
emailAddress : IA5STRING: 'admin@guest.org'
Certificate is to be certified until July 12 18:04:29 2019 GMT (3650 days)
Sign the certificate? [Y / n]: y

1 out of 1 certificate requests certified, commit? [Y / n] y
Write out database with 1 new entries
Data Base Updated

See if we do not edit the file vars we need to answer that question once again. now we will build certificate and key for use by the client. I emulated this will make the client certificate for 2 only. if you have more than two clients please adjusted.

. / Build-key client1
Generating a 1024 bit RSA private key
.........++++++
....................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information That Will be incorporated
into your certificate request.
What you are about to enter is what is Called a Distinguished Name or a DN.
There are quite a Few fields but you can leave some blank
For some fields there Will be a default value,
If you enter '.,' Will the field be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [ENGLAND]:
Locality Name (eg, city) [LONDON]:
Organization Name (eg, company) [GUEST-VPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: CLIENT1
Email Address [admin@giest.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 123456
An optional company name []: ARSENAL
Using configuration from / usr / home / Guest / easy-rsa / openssl.cnf
DEBUG [load_index]: unique_subject = "yes"
Check That the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName: P RINTABLE: 'ID'
stateOrProvinceName: P RINTABLE: 'england'
localityName: P RINTABLE: 'london'
OrganizationName: P RINTABLE: 'GUEST-VPN'
commonName: P RINTABLE: 'CLIENT1'
emailAddress: IA5STRING: 'admin@guest.org'
Certificate is to be certified until July 12 18:10:43 2019 GMT (3650 days)
Sign the certificate? [Y / n]: y

1 out of 1 certificate requests certified, commit? [Y / n] y
Write out database with 1 new entries
Data Base Updated

To client2 just typing

. / Build-key client2

you should replace only the part

[Source] Common Name (eg, your name or your server's hostname) []: CLIENT2 [/ source]

If you do not make changes here the certificates and keys for the client to the two would not formed.

Next we build dh parameters with a command like the following

1. #. / Build-dh
2. Generating DH parameters, 1024 bit long safe prime, generator 2
3. This is going to take a long time
4.

ok now completed the process of making key right now you just exit back to your default shell with the command exit

Now copied keys folder to / usr / local / etc / openvpn with the command

cp-r keys / usr / local / etc / openvpn /

Before we start running the openvpn server we first prepare a file for the log. Please edit the file / etc / syslog.conf and add the following line at the bottom of the syslog.conf file.

! Openvpn
.* / Var / log / openvpn.log

then create the file and restart syslog openvpn.log ny

touch / var / log / openvpn.log
killall-HUP syslogd

Now we load the first module tun / tap tun device that could arise later.

kldload if_tun
kldload if_tap

if you find errors kldload: can not load if_tun: File exists mean tun or tap and it was too load so do not worry.

In order to tun and tap was loaded each time the boot please edit the file / boot / defaults / loader.conf then locate the following lines and change to YES

if_tap_load = "YES" # Ethernet tunnel software network interface
if_tun_load = "YES" # Tunnel driver (user process ppp)

Ok lah is now complete we are ready to run the OpenVPN server for the first time. To run OpenVPN please type the following command.

/ Usr / local / etc / rc.d / openvpn start

Next we check whether everything is ready or not we check first with the command ifconfig tun device

tun0: flags = 8051 mtu 1500
inet 10.8.0.1 -> 10.8.0.2 netmask 0xffffffff
Opened by PID 10147

If you've seen a display like the above means that the OpenVPN server is already successful path.

It remains to add the following rules for your pf.conf

# VPN Interface
vpn_if = "tun0"

# VPN Network
vpn_network = "10.8.0.0/24"

# NAT VPN connections
nat on $ ext_if from $ vpn_network to any -> ($ ext_if)

# Inbound VPN connections
pass in on $ ext_if proto udp from any to port 1194 keep state
pass quick on $ vpn_if


No comments:

Post a Comment

 

katololo/luna © 2006 is Designed by Yuril