Here is what I did.
Download the openvpn rpm from:
http://dag.wieers.com/packages/openvpn/
The specific one I downloaded was:
http://dag.wieers.com/packages/openvpn/openvpn-2.0.7-1.el3.rf.i386.rpm
Download lzo from:
http://dag.wieers.com/packages/lzo/
The specific one I downloaded was:
http://dag.wieers.com/packages/lzo/lzo-1.08-4.1.el3.rf.i386.rpm
Then install both RPMs with rpm -ivh.
lzo needs to be installed first.
Okay, then the configuration part.
Take a look at the documentation for openvpn
http://openvpn.net/howto.html#install
The first thing I did was cd to /usr/share/doc/openvpn-2.0.7/
Then cd to easy-rsa
And follow the instructions on creating your own PKI from the openvpn howto guide.
After that cd back up one level to /usr/share/doc/openvpn-2.0.7/
Then cd in to the sample-config-files directory
Copy the server.conf file to /etc/openvpn
You will also need to copy the following files from the /usr/share/doc/openvpn-2.0.7/easy-rsa/keys folder:
ca.crt
dh1024.pem
server.crt
server.key
Then you will need to modify the server.conf file in /etc/openvpn to reflect your setup.
The conf file has a pretty good set of comments to tell you all about what needs to be filled in and how it needs to be set. I really did not do anything special for the Clarkconnect firewall.
I did set
push "redirect-gateway"
so that all traffic would go through the VPN and be encrypted.
Okay, here is the magic part for Clarkconnect.
You need to go to the Clarkconnect web admin. Select the network tab, then under firewall select incoming.
You want to allow incoming connections on port 1194 (or whatever port you set up in your /etc/openvpn/server.conf file) for UDP or TCP, depending on how you set up your server.conf file.
Here is what stumped me for a while.
The problem is that all the iptables examples given on the openvpn site use the -A option, which is append. This, errrr, appends the rule at the bottom of the table. The problem with that is it places the new rule after the very useful firewall rule that says "deny anything from anywhere", so the packets hit the deny-anything rule and boom, they get dropped on the firewall floor.
So to get around that, do this.
cd to /etc/rc.d
vi rc.firewall.local
I added something like this:
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
Okay, I changed that entry a little:
iptables -I OUTPUT -s 192.168.7.100 -d 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
On the iptables -I OUTPUT rule, the -s (source) address is the IP of the internal interface on your Clarkconnect box.
The -i tun0 match worked except for the OUTPUT rule.
This way the rule gets added higher in the iptables chain and the packets are passed on instead of dropped. Also, by using rc.firewall.local the rules will survive a firewall restart.
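To see why -I versus -A matters, here is an added example (my own, not code from the post, OpenVPN or Clarkconnect) that models an iptables chain with first-match semantics in Python: it appends versus inserts the tun0 ACCEPT rule against a catch-all DROP and flags any rule a catch-all has shadowed. The packet addresses and rule names are constructed for the illustration.

```python
import ipaddress

# Added illustration (not ClarkConnect's or OpenVPN's code): a first-match model of an
# iptables chain. A rule matches on input interface, source net and destination net;
# None means "any". It shows why -A (append) lands behind the catch-all deny and -I does not.
def rule(target, iface=None, src=None, dst=None):
    return {"iface": iface, "target": target,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None}

def matches(r, pkt):
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    return not r["dst"] or ipaddress.ip_address(pkt["dst"]) in r["dst"]

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

def append(chain, r):   # iptables -A: new rule goes to the bottom
    return chain + [r]
def insert(chain, r):   # iptables -I: new rule goes to position 1, the top
    return [r] + chain

def covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    if a["iface"] and a["iface"] != b["iface"]:
        return False
    return all(not a[k] or (b[k] is not None and b[k].subnet_of(a[k])) for k in ("src", "dst"))

def shadowed(chain):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(chain) if any(covers(chain[i], r) for i in range(j))]

# The firewall's "deny anything from anywhere" at the bottom of FORWARD, and the VPN rule.
CATCH_ALL = [rule("DROP")]
VPN_RULE = rule("ACCEPT", iface="tun0")
# Constructed packet: a VPN client in 10.8.0.0/24 reaching the LAN through tun0.
VPN_PKT = {"iface": "tun0", "src": "10.8.0.6", "dst": "192.168.7.50"}

def compare():
    appended = append(CATCH_ALL, VPN_RULE)   # -A FORWARD -i tun0 -j ACCEPT
    inserted = insert(CATCH_ALL, VPN_RULE)   # -I FORWARD -i tun0 -j ACCEPT
    return {"append": verdict(appended, VPN_PKT), "insert": verdict(inserted, VPN_PKT),
            "shadowed_by_append": shadowed(appended), "shadowed_by_insert": shadowed(inserted)}
```

Running shadowed() over a real chain dump is the check to make before trusting any rule added with -A to a firewall that ends in a catch-all deny.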
That pretty much configures the server.
For clients I used:
For OS X, Tunnelblick
http://tunnelblick.net/
Go right for the version 3.0 product (it was rc3 when I grabbed it); the 2.0 version just did not work.
For Windows, OpenVPN GUI for Windows :-)
http://openvpn.se/
You will need to check the instructions on where to copy the client certificates that you created in the /usr/share/doc/openvpn-2.0.7/easy-rsa/ folder.
That pretty much is all I did to get it to work.
Oh yeah, and it really does not work too well when I'm trying to connect from the inside; you really need to be connecting from the outside to get a good test.
So far though it seems to work.
1 comment:
I am very happy to use VPN because it has many positive points like privacy.