License

Copyright (C) 2008-2017 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: VPN-Server for Gentoo Linux

Here is my OpenVPN server configuration. You need to create the required certificates first. You can do this with the following commands:

cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/ssl
cd /etc/openvpn/ssl
vi vars # Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
# Now you can create the client key(s)
./build-key client1
./build-key client2
./build-key client3
cd keys
openvpn --genkey --secret ta.key

You will find the created keys in the keys directory.

To check the expiration date of a certificate you can do e.g.:

openssl x509 -in keys/client1.crt -noout -enddate

To revoke a certificate you can do e.g.:

./revoke-full client2
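As an added example (not from the original howto), the expiry check above extended to every certificate in the keys directory, flagging those that have expired or expire within a given number of days. It assumes only a POSIX shell and openssl; the function name is mine.

```shell
#!/bin/sh
# Added example, not part of the original howto: report every certificate in an
# easy-rsa keys directory that has expired or expires within N days.
# Usage: check_cert_expiry /etc/openvpn/ssl/keys 30
# Returns 1 when at least one certificate is expiring, 0 otherwise.

check_cert_expiry() {
    keysdir=$1
    days=${2:-30}
    secs=$((days * 86400))
    rc=0
    for crt in "$keysdir"/*.crt; do
        [ -f "$crt" ] || continue
        name=$(basename "$crt" .crt)
        enddate=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N exits non-zero if the certificate expires within N seconds
        if openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null; then
            printf '%-20s OK        expires %s\n' "$name" "$enddate"
        else
            printf '%-20s EXPIRING  expires %s\n' "$name" "$enddate"
            rc=1
        fi
    done
    return $rc
}

# Expiry report for the keys directory created by build-key above, if present
[ -d /etc/openvpn/ssl/keys ] && check_cert_expiry /etc/openvpn/ssl/keys 30
```

The CA certificate (ca.crt) lives in the same directory and is reported as well, which is useful because a CA that expires takes every client with it.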

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-misc/openvpn

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 04.06.13
Issued by olli
Beginning line 42

Create new VPN certificates on Mondays at 5 o'clock

# Day-of-week field 1 = Monday (5 would be Friday)
0 5 * * 1       root    /usr/local/sbin/vpnusercerts.sh 2>&1 | mail -E -s "Neue VPN-Zertifikate" root

Changes in /etc/openvpn/openvpn.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-------


Changed on 06.08.08
Issued by olli
Beginning line 1

This is the configuration file for the OpenVPN server, tuned for ADSL connections.

# Layer-2 (ethernet) tunnel on tap0, UDP on a non-default port
dev tap0
proto udp
port 5724
mode server
tls-server
# Accept clients whose source address changes (e.g. after a DSL reconnect)
float
dh /etc/openvpn/ssl/keys/dh2048.pem
ca /etc/openvpn/ssl/keys/ca.crt
cert /etc/openvpn/ssl/keys/server.crt
key /etc/openvpn/ssl/keys/server.key
# HMAC on the control channel; the server uses key direction 0, clients use 1
tls-auth /etc/openvpn/ssl/keys/ta.key 0
tls-cipher DHE-RSA-AES256-SHA
# Drop root privileges after initialisation
user nobody
group nogroup
status /var/log/openvpn/vpn-status.log
log /var/log/openvpn/vpn.log
comp-lzo
verb 3
#client-to-client
# Ping every 10 s, assume the peer is gone after 120 s of silence
keepalive 10 120
# Keep tunnel packets below the ADSL/PPPoE MTU
fragment 1300
mssfix
hand-window 300
# Only meaningful with proto tcp; ignored for udp
tcp-nodelay

Changes in /usr/local/sbin/vpnusercerts.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x


Changed on 04.06.13
Issued by olli
Beginning line 2

Create new VPN certificates on Mondays at 5 o'clock

#!/bin/bash
. /etc/profile

# Generate the VPN certificates on Monday mornings at 5 o'clock

# The share that receives the client certificates must be mounted
if ! mount | grep -q vpnusers
then
 echo "ERROR: VPN-Share not mounted"
 exit 1
fi

cd /etc/openvpn/ssl/keys || exit 1

# Clear the old client material and publish the current ta.key and CA certificate
rm -r /var/www/gtc.example.com/htdocs/vpnusers/*
cat /etc/openvpn/ssl/keys/ta.key > /var/www/gtc.example.com/htdocs/vpnconfig/ta.key
cat /etc/openvpn/ssl/keys/ca.crt > /var/www/gtc.example.com/htdocs/vpnconfig/ca.crt

# Re-issue the server certificate and restart OpenVPN with it
cd /etc/openvpn/ssl
. vars
./revoke-full server
./build-key-server server
/etc/init.d/openvpn restart
sleep 10
/etc/init.d/net.tap0 zap
/etc/init.d/net.tap0 start

# Every member of the "vpn" group gets two fresh certificates
for USER in $(getent group vpn | cut -d: -f4 | tr ',' ' ')
do
 # Skip system accounts and administrators, recognised by their LDAP DN
 if ldapsearch -LLL -x uid=$USER dn | grep -Eq 'SystemUsers|admin'
 then
  continue
 fi
 echo "Generating new VPN-Certificate for $USER"
 cd /etc/openvpn/ssl
 . vars
 # First certificate: published on the web share for download
 ./revoke-full $USER
 ./build-key $USER
 mkdir -p /var/www/gtc.example.com/htdocs/vpnusers/$USER
 cp -p /etc/openvpn/ssl/keys/$USER.key /var/www/gtc.example.com/htdocs/vpnusers/$USER/
 cp -p /etc/openvpn/ssl/keys/$USER.crt /var/www/gtc.example.com/htdocs/vpnusers/$USER/
 # Second certificate: stored in the user's home directory, readable only by the user
 mkdir -p /home/$USER/vpn
 ./revoke-full ${USER}usercert
 ./build-key ${USER}usercert
 cat /etc/openvpn/ssl/keys/${USER}usercert.key >/home/$USER/vpn/key
 cat /etc/openvpn/ssl/keys/${USER}usercert.crt >/home/$USER/vpn/crt
 cat /etc/openvpn/ssl/keys/ta.key >/home/$USER/vpn/ta.key
 cat /etc/openvpn/ssl/keys/ca.crt >/home/$USER/vpn/ca.crt
 chown -R ${USER}: /home/$USER/vpn
 chmod 400 /home/$USER/vpn/*
 chmod 500 /home/$USER/vpn
done

# Web share: files readable by Apache only, directories not world-accessible
find /var/www/gtc.example.com/htdocs/vpnusers -type f -exec chmod 640 {} \;
find /var/www/gtc.example.com/htdocs/vpnusers -type d -exec chmod 750 {} \;
chown -R root:apache /var/www/gtc.example.com/htdocs/vpnusers

# Apache access rules: ta.key and ca.crt for every LDAP user, each user's own
# certificate only for that user. Private keys are downloaded through these
# directories, so the vhost serving them should be reachable over HTTPS only.
echo "<Directory /var/www/gtc.example.com/htdocs/vpnconfig>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require valid-user
</Directory>
" >/etc/apache2/vhosts.d/vpnconfig.conf
>/etc/apache2/vhosts.d/vpnusers.conf
for USER in $(ls -1 /var/www/gtc.example.com/htdocs/vpnusers)
do
 echo "<Directory /var/www/gtc.example.com/htdocs/vpnusers/$USER>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user $USER
</Directory>
" >> /etc/apache2/vhosts.d/vpnusers.conf
done

# Assign each new user a fixed tap0 address and a locally administered MAC
# (02: prefix). Every digit 0 in the random address is replaced by 1 so that
# .0 never appears; the address is not checked against existing entries.
>/tmp/catchall-$$
for user in $(ls /var/www/gtc.example.com/htdocs/vpnusers/)
do
 if ! grep -q "$user" /var/www/gtc.example.com/htdocs/vpnconfig/client-mac-ips
 then
  mac=$(openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//')
  mac="02:$mac"
  ip=$(echo "172.24.$((RANDOM%254)).$((RANDOM%254))" | perl -pe 's/0/1/g')
  echo "$user-$ip-$mac" >> /var/www/gtc.example.com/htdocs/vpnconfig/client-mac-ips
  echo "$ip $user $user.example.com" >>/etc/hosts
 fi
 # Postfix regexp table: mail for <user>@*.gabosh.net is delivered to that user
 echo "/$user\\@.+\.gabosh\.net\$/ $user" >>/tmp/catchall-$$
done
# Everything else at *.gabosh.net goes to admin
echo '/.+\@.+\.gabosh\.net$/ admin' >>/tmp/catchall-$$
cat /tmp/catchall-$$ > /etc/postfix/catchall
rm /tmp/catchall-$$

/etc/init.d/apache2 restart >/dev/null

/etc/init.d/openvpn restart
sleep 10
/etc/init.d/net.tap0 zap
/etc/init.d/net.tap0 start
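As an added example (not part of the original script), a replacement for the random address assignment above that checks the candidate address and MAC against the existing client-mac-ips file and retries on a collision. The "user-ip-mac" line format is the one the script writes; the function names and the use of od(1) on /dev/urandom are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original script: allocate a tap0 address and a
# locally administered MAC for a VPN user, rejecting candidates that collide
# with entries already in the client-mac-ips file ("user-ip-mac" lines, as
# written by vpnusercerts.sh). Function names and od(1) are assumptions.

# Print a random octet in 1..254 (never 0 or 255)
rand_octet() {
    n=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    echo $(( n % 254 + 1 ))
}

# Print a MAC with the locally administered bit set: 02:xx:xx:xx:xx:xx
rand_mac() {
    od -An -N5 -tx1 /dev/urandom | tr -d ' \n' | sed 's/\(..\)/:\1/g; s/^/02/'
}

# allocate_client USER FILE: print "USER-IP-MAC" and append it to FILE.
# An existing entry for USER is reused; otherwise new candidates are drawn
# until neither the IP nor the MAC occurs anywhere in FILE.
allocate_client() {
    user=$1; db=$2
    [ -f "$db" ] || : > "$db"
    existing=$(grep -- "^$user-" "$db" | head -n 1)
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    tries=0
    while [ "$tries" -lt 100 ]; do
        ip="172.24.$(rand_octet).$(rand_octet)"
        mac=$(rand_mac)
        if ! grep -qF -- "-$ip-" "$db" && ! grep -qiF -- "-$mac" "$db"; then
            echo "$user-$ip-$mac" >> "$db"
            echo "$user-$ip-$mac"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "allocate_client: no free address found for $user" >&2
    return 1
}
```

In the script above, the line `allocate_client "$user" /var/www/gtc.example.com/htdocs/vpnconfig/client-mac-ips` would replace the block between `mac=` and the `client-mac-ips` echo, with the printed line split for the /etc/hosts entry.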



Changes in /usr/local/sbin/vpnwatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x


Changed on 03.03.11
Issued by olli
Beginning line 2

This is an optional daemon which sends an e-mail whenever an OpenVPN connection is established.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop a running daemon if one exists
my $me=basename($0);
if (-f "/var/run/$me") {
 open(my $pidfh, '<', "/var/run/$me") or die "Cannot read /var/run/$me: $!";
 my $pid=<$pidfh>;
 close($pidfh);
 chomp($pid) if defined $pid;
 # Only kill if the PID file holds a number and that process is still alive
 if (defined $pid && $pid =~ /^\d+$/ && -d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(my $pidfh, '>', "/var/run/$me") or die "Cannot write /var/run/$me: $!";
print $pidfh $$;
close($pidfh);


# The address where notification mails should go to
my $mailto='mail@example.com';
# Target log file (the "log" directive in openvpn.conf)
my $logfile="/var/log/openvpn/vpn.log";
# Status file (the "status" directive in openvpn.conf)
my $statefile="/var/log/openvpn/vpn-status.log";


# Follow the log file like "tail -f"
my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
 # depth=0 is the client certificate itself, so this line means a client passed verification
 next unless $line =~ / VERIFY OK: depth=0/;
 $line=~s/  +/ /g;
 # Give OpenVPN a moment to update the status file
 sleep 5;
 open(my $sfh, '<', $statefile) or next;
 my @state=<$sfh>;
 close($sfh);
 chomp($line);
 # Extract the common name: everything after " CN=" up to the next comma
 my ($cn)=$line =~ / CN=([^,]*)/;
 next unless defined $cn;
 # Hand the message to mail(1) through a pipe; the CN is passed as an
 # argument rather than through a shell, so it cannot alter the command line
 open(my $mail, '|-', 'mail', '-s', "VPNWATCH: $cn is logging in", $mailto)
  or next;
 print $mail "Hi,\n\n$cn is connecting to VPN!\n\n@state\n$line\n\nYour $0 [$\$]\n";
 close($mail);
}

Setting up services

To start the new service after a system reboot, add it to a runlevel with the following command:

rc-update add openvpn

Please send feedback to: doc<at>gabosh.net
