See network diagram above describing our scenario

1. Traffic is encrypted on the way to OpenVPN server
2. Traffic is initiated from OpenVPN server on behalf of client (mobile, laptop)

Introduction

Welcome to the second part of our article where we will finish our setup on client side. In our scenario I will use smartphone as end-device. At the end we will be able to establish VPN tunnel between smartphone and raspberry Pi, so it does not matter where you are connected, you will be fully redirected to the VPN and using Internet connectivity as you should be sitting at home. Exactly the same procedure with any small differences can be used also for your laptop, table or any other device which is able to install OpenVPN application. 

In case you have some troubles or need to review your server config again, feel free to check our first post:

Build own OpenVPN server by using Raspberry Pi (Part1/2) – server configuration (Raspberry Pi)

Preparing configuration file

 Open (create) new config file so we will edit it according to our requirements:

vi /etc/openvpn/Client1.conf

Now put following content to the file:

client
dev tun
proto udp
remote <YOUR PUBLIC IP OR DYNDNS HOSTNAME> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
<ca>
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIB94fjldnIFhelx9kZMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
VQQGEwJTSzELMAkGA1UECBMCQ0ExETAPBgNVBAcTCFNsb3Zha2lhMRIwEAYDVQQK
FAlrYWxrb19ycGkxFjAUBgNVBAsUDWthbGtvX3JwaV9WUE4xFTATBgNVBAMUDGth
bGtvX3JwaV9DQTETMBEGA1UEKRQKa2Fsa29fcnBpMTEhMB8GCSqGSIb3DQEJARYS
bWVAbXlob3N0Lm15ZG9tYWluMB4XDTE3MDIyMTEzMTcwNFoXDTI3MDIxOTEzMTcw
NFowgagxCzAJBgNVBAYTAlNLMQswCQYDVQQIEwJDQTERMA8GA1UEBxMIU2xvdmFr
aWExEjAQBgNVBAoUCWthbGtvX3JwaTEWMBQGA1UECxQNa2Fsa29fcnBpX1ZQTjEV
MBMGA1UEAxQMa2Fsa29fcnBpX0NBMRMwEQYDVQQpFAprYWxrb19ycGkxMSEwHwYJ
KoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDOJVHGvKSsTXbsg03PPzl0VXMM99IRhsxKHuoHqN8Wz9bO
UPzUR6ziZvq82VKmiLKzGkEd8y38IwwktULrbutLsFoht7HPDRP6NGUUyR0HaVVz
v1dVxCQnNp+/H2xrY84pKIrEBLfa4R1mi8JGASSFqwyUpEL6SMCORewU2mG+LC8Y
DTe/Yq9RdDlnIbFt1LS3G/fid4ljhfghsls/didoa3jHpdhaP9a42hS4cySp+e8I
dh8Ic/BwsdjELCyJRklBLC5bBu7ltbvBXuJxNZB9IRuLXzx5SG+1/AU0NygWG5pa
28cc127/c8QTYmGDWLb1s8nhMSUSPTq9bf1kmfGVAgMBAAGjggERMIIBDTAdBgNV
HQ4EFgQUMLiihqD72jepOM0w5EmvsQuRTIcwgd0GA1UdIwSB1TCB0oAUMLiihqD7
2jepOM0w5EmvsQuRTIehga6kgaswgagxCzAJBgNVBAYTAlNLMQswCQYDVQQIEwJD
QTERMA8GA1UEBxMIU2xvdmFraWExEjAQBgNVBAoUCWthbGtvX3JwaTEWMBQGA1UE
CxQNa2Fsa29fcnBpX1ZQTjEVMBMGA1UEAxQMa2Fsa29fcnBpX0NBMRMwEQYDVQQp
FAprYWxrb19ycGkxMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6C
CQCQMvK1dXdAWTAMBKJlssi3hjADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC6U7eq
DYd2l1UAiW4b0rLc7CVtsOnJIiQiK3PzOxt/y/U7Sz0afyCHfj+4hzhE48CxrbX3
Dn9yIWOGp6ouDA2TOTJzo6FNtpSpuCO8ESbsJ80of7/pZeRIZpjneFcv8ZQOJHE4
X3WaXgprO9LMDPsxk14ugFKMlDcqh8h9FOspvql3mfbFWRSQ2Z/d8NlXSAs1yqQF
fEG1kYcSBUQmXXtIHBtxeWBfPSv8uIrGzjCRucqt9ULNBJsvhnt339U7VDwNr2gT
DPhbUCHYPE7qyjF86WG3uh4KzSTc4Aj7d/C369nwvtIgXEDgxxTPH+OcQ7r1/ezh
iJotjiH7cHkLdoPj
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIFWjCCBEKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCU0sx
CzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTbG92YWtpYTESMBAGA1UEChQJa2Fsa29f
cnBpMRYwFAYDVQQLFA1rYWxrb19ycGlfVlBOMRUwEwYDVQQDFAxrYWxrb19ycGlf
Q0ExEzARBgNVBCkUCmthbGtvX3JwaTExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9z
dC5teWRvbWFpbjAeFw0xNzAyMjExMkxMzIzNDZaMIHAMQswzIzNDZaFw0yNzAyMT
CQYDVQQGEwJTSzERMA8GA1UECBMIU2xvdmFraWExETAPBgNVBAcTCFNsb3Zha2lh
MRwwGgYDVQQKFBNrYWxrb19ycGlfY2VsbHBob25lMRIwEAYDVQQLFAlrYWxrb19y
cGkxGjAYBgjdoGUKDJDnkjndoidkaV9jbGllbnQxMRowGAYDVQQpFBFrYWxrb19y
cGlfY2xpZW50MTEhMB8GCSqGSIbZG9tYWluMIIB3DQEJARYSbWVAbXlob3N0Lm15
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAte0UGlgxXx1PBeyeFeqxtu30
x2+ymCMosVjtcHKFfBR8mZloW0fRzul9lMHI624DmffdkfMeCuHGZrUPNNEyUxuu
rWDDWvMRSX0xDCGU4kVUBp5nq/2BqapcE1zOUe8j2wRj8hfrsZpggcahhK/M+pII
QYc7zhZtpmZYYnFsjRF8T4ryb+NKQmZ1P56n3bD63gZIZ00B5K8k/z7eXhqIXyE9
7OF6F7ajTNVW81eTnkptZUJamU60YpCqbyAR8dsojdosncoirfzEtTLo9X1Mb97o
N7wNheyODAKX0Ruthmlct0izcGUEI7x/C4GD88aSrGG2oX8bOsWH+6chxYS0+wID
AQABo4IBczCCAW8wCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0Eg
R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSUvenLD/ihyQL3qVd7gcjg
jIfou49jfoiDVR0jBIHVMIHSgBQwuKKGoPvaN6k4zTDkSa+xC5FMh6GBrqSBqzCB
qDELMAkGA1UEBhMCU0sxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTbG92YWtpYTES
MBAGA1UEChQJa2Fsa29fcnBpMRYwFAYDVQQLFA1rYWxrb19ycGlfVlBOMRUwEwYD
VQQDFAxrYWxrb19ycGlfQ0ExEzARBgNVBCkUCmthbGtvX3JwaTExITAfBgkqhkiG
9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpboIJAJAy8rV1d0BZMBMGA1UdJQQMMAoG
CCsGAQUFBwMCMAsGA1UdDwQEAwIHgDASBgNVHREECzAJggdDbGllbnQxMA0GCSqG
SIb3DQEBCwUAA4IBAQCuOVdpMYetjDHFD40bIIu8OGoTef2Eg9f6OmoysLfxjEvS
P7ZGVHjyGjXv8QzXfdAMpTdJgYzMJkBeUyqMeEHt9gECBtQcNibBOMQFiBE9bWc7
ZnPVkxcIhco14MlkfOJG0lPYwt5AyB9aQFER7IU+9f54kqkq8tbO1mDGRbMlLJV+
zEm1MiqIGlSxXDpc9JCgIYM8S0NCcX2PydD+Pm88ScAGm8qLvqJ1ZYjHTT8UdDTX
0piD8kyrl2anelNe2I6lKdP+0/2AvhcS/Bkdnlq3hAW0tZ6Du7GcKGu4dk8ktUPY
vRTSTx6+7BOxi4IrddzDjgE+CwOo5ZYs1J6rqnDQ
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,6BD4184CD60B517CC2B9F1E93526DEDE

Hmdhosu/djoL0L2x8I0VBDy+Rwye1eXUs5V2kLgJAROTjuO7odHik9HkLqkaC8C4
hqtfoIHN9soeYhQpGEGWXhSgE7az4RPTn9Xi+pmfuSHlv/33t+tviWaMeaHPrgnt
Ku2mFcCFMr1dgvUjwzRaaz6kVQpUQAo1Hymn/8spBmpG+eSjrLE/JzVXpeH8XxtC
BbHLpIHiBs+6jvogJi5LybHuteQo3uUoAKkT1Z2NrbYkXcN5jMCUgCqHKUkM84p3
CXFjh4pyW1KZXtmtD9DwEuQOAtsFAAI+GcbOsotYRWCeR2MwQBs0hYzqE41hVdRW
rJcD8eZhM/otLYBS0cqVZjbSNgO+KL/7mPXkYDEp/gV0AFT7b8k3Vr6DYSHbsZ5r
0/Pb3cK4WUIPK7hMHGa6MoSOQNaULcO2JBS7w4uJh38fUM+nFdqFOax1olcqS3KH
eh2qpyRqOIymdvzJotnmlstp1mGeDUyhzvRNjvzvnPTZ6YJ2D4/7kpIE8+3jnpxy
1L3SQAk0ogNA/n9QlRgL4jOvEMI1EI2/yZQnBB5Jy5Ok9ci/3Mj/66rjBNd6v8pX
WSOwarNKz940BaUa7Dhx1xaPf5FOncM/VXhSIrFhxxTrXDZwWUiNlZ1KC1PT6U3v
IDQ6jwz43BVVqOtLQWe9c/q7j5CxtSv3A63a98INs9rThGl2DTuzeH9IXD6BiEcx
xF/4NsTw/P4TmRsHxtxjB5I6GL3dU7E/6vfGQY8cl+HcBiS53vbM8gE2DzrCRAxQ
FCZ18oiU7679sGz+CSGqhR7PVfuTshq3WWWUuP3KCUL6cV/S+4qTgs7kYvAahAF9
881CMOHlVPMmvak+hYHdfGoxuvrBYaucg+1q7WIpEBUdFcZPGDwcm7vw1547Pcql
YzHlQBkF4Sk/9thBZMKdkljGXoaCWNeZdhQprWMaclZEDJhcUPEV3ndjV2X7nC5Y
qaSJaTmgeHx5Y2dUr5+9riRcSruU4f6vE9DnBpNBcQE3dTlVDWqs9caMApdJSCIO
KC9rYFN1F+rsbthfVw3J3uJVeS66FPtDIILqdtTchcMLqPZh17DZTkh+tEi8O6gm
+YftPRdPrqYemeF6TRN6Wox0kI1JKhvD0z/c04vat2oWFyJyIMjvk7o2c2blWeCE
DXpkatLk0EPWVyQDxlIagSIReh0tRu5cfUKINpvYnjE0E9yZPw6R72KpiyQuiPV1
Yt/YUJLXOmaWhH7aexQihYqzakkbpZaGcX+a0bCweAL+vuoCS2PZLOo2XnWe1YQe
LBOJ2cGJrih1Lk3yPs2p4JNGksc/9pcq9J+qevkeSY5v7Hx+rpyNjuYhrg3qKGsE
6yruFzG0Id4tEAqUT8JJKsOf1kzfrPtmUY8aEzBATdSnNSb+qJhzwQ/qkxVHgi1B
pcVaFtVuvm7/7cwtanqjoHBAiuyK5VKzZKZCxsdzZ6eYkdH3FEL/EF5hJQGO5Pqj
ipNyLt0skpwotcNl4hduHD81bPB1qcANhUVIzhvhTVEpt9nn12xJ9wjInA+0rAmp
dUxfAUEGghJzmfYFYAL1eFGd5VQGikgzMnNTCYZjdplKJML1GHktzJGn61C6W8Z3
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0fe00c09a3716d9deb7dc82d97e97eee
0a845ebc99ab3e2dfe2afc968f45a2fc
661ab2674570a4fb4d0b7f88784e52d6
03129226690d546f8d1d9c1f420c8a22
9f8aa8dd05a6d3cfff71b9b5f98d5122
bcf1624a621bb95da5a3097969bc7c8b
43b88070fdf855a9b794dcd933b56be7
ec2253030392c93c91201df444db0815
34a11fe37c92711512a65ec723321766
b01a79d181f785a84f57693add25ae34
93cad70a4341a6b5a5ff32b853eb3e07
1d5e8df34de82caade714c3d0be26df8
84862fe81f9668952afdc8c4acab302f
eef0c896674e5892b7539b3bac17c6ab
412c6a9b3756cebc083e5dd865f5bdea
efeae4c1020eb199a9fc8fe89a6731b8
-----END OpenVPN Static key V1-----
</tls-auth>

Now let me put some words here. First of all, above published keys/certificates are randomly generated and not used in production (security reasons). I have just pasted it here to be sure that you know exactly how content of your config file should look like and what format should be used. You will have to make some adjustments to the config above:

1. Replace segment <YOUR PUBLIC IP OR DYNDNS HOSTNAME> with your static public IP or dynamic dns record. It has to point to the public IP (dns record) behind which your openVPN server is sitting on. Beware that usually is also needed to make port-forwarding on your router: <any_public_ip>:1194 —-> <local_IP_of_your_raspberry>:1194 Please follow official guideline of your router how to proceed here.

2.  We used inline references to the keys and certificates as opposed to packaging them up together. Copy and paste each in the appropriate area. Be sure to paste it completely without any  additional spaces or characters.

<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blog from file ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blog from file Client1.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blog from file Client1.aes256.key
-----END PRIVATE KEY-----
</key>

Once your config file is ready, rename it to the extension .ovpn which is used by OpenVPN application:

mv client1.conf client1.ovpn

Email the Config File to Yourself, or Use Dropbox/Google Drive, etc. Please use secure way to transfer file as it is containing also your private key.

OpenVPN application and import

Just follow screenshots below to install application and import configuration file on client side (in our case android smartphone).

Install OpenVPN application

Import configuration file

Import Client1.ovpn file from SDcard

Insert pass-phrase you’ve entered during creation

OVPN profile has been successfully imported

VPN connection successfully established

Final testing

In order to test VPN implementation, you can try to find out what is your current public IP before VPN activation and what is after. If everything is working correctly you will be able to see different IPs. Once you are connected to the VPN tunnel you will see exactly the same public IP as you have at home. For simple testing, you can use website: https://www.whatismyip.com/

During any troubles, you can check logs on server side:

less /var/log/openvpn.log

If you need to check logs on client side, use “Show log file” option directly in OpenVPN application.

Conclusion

Congratulations! Now you have successfully finished openVPN configuration on server and client side. In case of any questions, do not hesitate to leave comment below.

source: openvpn.com

The post Build own OpenVPN server by using raspberry Pi (Part2/2) appeared first on ITBlogSec.com.

Privacy and defense against cyber attacks is priority one. Use your own raspberry Pi to build up powerful and secure openVPN server. Just connect from anywhere (free public WiFi networks, hotel room etc.) and use advantages of virtual private network (VPN) for free. By using your own openVPN server, Internet browsing stays encrypted and secure.

See network diagram above describing our scenario

1. Traffic is encrypted on the way to OpenVPN server
2. Traffic is initiated from OpenVPN server on behalf of client (mobile, laptop)

Introduction

Almost everybody wants to stay connected and “to be online”. For that purpose there are almost everywhere WiFi networks which can be used for free but usually they have one big disadvantage – NO ENCRYPTION. It means data which are transmitted/received are visible for everybody. It is great opportunity for hackers to intercept traffic and use it in their profits. By following simple steps you can set-up your own OpenVPN (located at home or workplace) which can be used as encryption endpoint. This will make your computer think it’s actually on your home network, even when you may be miles away. All network traffic is encrypted and sent to and from the VPN server, stopping would-be hackers in their tracks. We tried to prepare our tutorial as simple as possible with many details. In our scenario we used well-known raspberry Pi, credit card-sized single-board computer.

Tutorial is divided into two parts:

Build own OpenVPN server by using Raspberry Pi (Part1/2) – server configuration (Raspberry Pi)
Build own OpenVPN server by using Raspberry Pi (Part2/2) – client configuration (mobile/laptop)

Usage scenarios

A) To encrypt your traffic during Internet browsing, connected to free/open WiFi networks (airport, hotel etc.) – nobody is able to sniff data
B) To connect to your home network so you can access your web-camera, IPTV, router etc.
C) To access pages which are usually blocked by local network you are connected to (bypass proxy, firewall rules etc.)

Prerequisites

• raspberry Pi with pre-installed image (e.g. Raspbian image)
• raspberry Pi accessible from the Internet (via dynamic DNS or public IP)
• client (laptop/pc or smartphone) connected to the Internet
• UDP port 1194 forwarded to your local raspberry Pi (configuration depends on type of your router, try to google it: “your router model” port forwarding)

Allow the OpenVPN server to route ip traffic

First of all, you need to allow the OpenVPN server to route packets:

sudo vim /etc/sysctl.conf

Uncomment following line to ensure that packets will be forwarded:

net.ipv4.ip_forward=1

Your modified file should look like this

Activate change and  make it persistent:

sudo sysctl -p

Permanent/static local IP

In that case you have two options, please follow option A) or option B). It is not required to follow both.

A) Configure Raspberry Pi to use static IP instead of dynamic IP

sudo vim /etc/network/interfaces

Replace above mentioned IP addresses with yours

B) Set-up DHCP/IP address reservation on your router
It depends on model of your router, try to google it: “your router model” DHCP/IP reservation

Installing openVPN

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install openvpn -y

It will take some time, please be patient. First you will update your repositories and make upgrade of all currently installed packages. By second command you will install openVPN package.

Creating local CA and generating server certificate

For generating certificates we will use easy-rsa. It is a CLI utility to build and manage a PKI CA. It is able to create a root certificate authority, and request and sign certificates, including sub-CAs and certificate revocation lists (CRL).In older versions there was needed to installs easy-rsa separately but currently easy-rsa package is already included in openVPN dependencies (version used in tutorial: OpenVPN 2.3.4).

Switch to root user:

sudo -s

Copy easy-rsa folder to openvpn folder:

cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Open copy of easy-rsa and modify variable EASY_RSA:

cd /etc/openvpn/easy-rsa
vi vars

In the file, modify:

export EASY_RSA="`pwd`"
to:
export EASY_RSA="/etc/openvpn/easy-rsa"

Modification vars file – adding absolute path

In the same file, just scrolling down, double check what KEY SIZE is currently defined. In the newest version there is value of 2048 by default. In case there is value lower than 2048, increase it to 2048. It will definitely increase security.

export KEY_SIZE=2048

Now, build your encryption certificates, type exact commands as mentioned below.
After editing vars file, you have to source it (to apply changes):

source ./vars

To start with a fresh PKI configuration and to delete any previous certificates and keys

./clean-all

After issuing this command there will be some fields you have to type in (or just press ENTER to use default values)

./build-ca

Creating local CA – later on used to sign certificates

Once all steps above were successfully accomplished, you can now generate certificate for your server (in our case ITBlogSec.com will be name of our server):

./build-key-server ITBlogSec.com

Creation of certificate for your OpenVPN server

By this step you successfully created certificate for your openVPN server named ITBlogSec.com. The most important part of this step is attribute “commonName”, here name has to exactly match with name you entered in previous step.

Creating client certificates

In that part we will create certificates for all our clients. Beware that you can generate only one client certificate and import to many clients but in this case only one client would be able to connect at a time. Therefore is recommended to create certificate for each client.

Enter command below to generate certificate for Client1:

./build-key-pass Client1

Fill in all fields as described below, of course you can use your information. For “PEM pass phrase” use your own password. This password must be entered every time Client1 is connecting to server. For “A challenge password” must be left blank.

Generating certificate for Client1

Now we’re going to change the keys to different encryption scheme. I would recommend to use AES-256-CBC.
Issue command to find out what ciphers are supported by your version of openvpn:

openvpn --show-ciphers

In case AES-256-CBC is one of supported, issue commands below. Once asked to enter pass phrase and PEM phrase, use same PEM phrase password as above:

cd keys
openssl rsa -in Client1.key -aes256 -out Client1.aes256.key

Change the keys to an encryption scheme called aes256

It is time to generate Diffie-Hellman keys for your server. It will allow to exchange keys via public internet. If you want to understand in details, please check YouTube video here. Issuing command will take some time, apx. 15 min, so please be patient.

cd ..
./build-dh

Configuring OpenVPN server

By this part you will make basic configuration of your openVPN server based on our requirements.

Create server.conf file which will contain all important attributes:

touch /etc/openvpn/server.conf

Open newly created file and paste there config. Follow comments in the code and adjust according to your network:

local 192.168.1.100 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp  #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ITBlogSec.com.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/ITBlogSec.com.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.255" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.1.1" # This should match your router's IP address.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Finally, we’re going to implement OpenVPN’s build-in Denial of Service (DoS) attack protection. You might already know that a DoS attack is successful when a hacker finds out your server’s address, and generates such a large number of access requests that your server crashes.

OpenVPN has a way to prevent this kind of attack from occurring before it even starts by generating a static pre-shared hash-based message authentication code (HMAC) key. With this in place, the server won’t even entertain the idea of authenticating an access request unless it detects this static key first. Thus, a hacker can’t just spam the server with random repeated requests.

Generate the static HMAC key with the following line:

openvpn --genkey --secret keys/ta.key

The IPtables

This article is about building proper iptable rules and how to make iptable configurations to load on every reboot.

I have been trying to find a consistent and easy solution to implement iptables on Raspberry Pi (Raspbian-wheezy), the way Debian and Raspbian works does not provide a way to load iptables on every boot, it needs to be added manually as a script to load on start-up. There are ways to make Raspbian work without the instructions below, although the following – I think – are very simple and elegant.

Install package called “iptables-persistent”:

apt-get update
apt-get install iptables-persistent

On the menu, select Yes on the rule.v4 file. The second choice is about rule.v6 and IPv6 support, choose based on your needs.

By rule below you will ensure that all traffic initiated from clients will be masqueraded as traffic outgoing from eth0. Now you can manually add rule by following command:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Save current rules to be loaded automatically after next reboot:

iptables-save > /etc/iptables/rules.v4

Please reboot raspberry and check that rules are still present:

less /etc/iptables/rules.v4

Output should be similar as below:

Output of file /etc/iptables/rules.v4

Conclusion

If you successfully followed all steps above, congratulations! Your openVPN server is ready. Please follow our next article (Part2/2) where will be mentioned exact steps how to import certificates to the client and how to establish VPN tunnel successfully.

Thank you!

SEE ALSO: Build own OpenVPN server by using Raspberry Pi (Part2/2) – client configuration (mobile/laptop)

The post Build own OpenVPN server by using raspberry Pi (Part1/2) appeared first on ITBlogSec.com.