
OpenVPN setup with mysql auth and ssl port sharing

Some restrictive firewalls block OpenVPN on its usual port, so I wanted to run it on TCP/443, where the traffic looks like ordinary HTTPS and is rarely blocked.
Here is what I did to share port 443 (on which I already had Apache listening) with OpenVPN, using OpenVPN's port-share option: OpenVPN owns the port and hands any non-OpenVPN (i.e. plain HTTPS) connection on to Apache.

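#!/usr/bin/env bash
# OpenVPN on TCP/443 sharing the port with Apache via --port-share, with a
# PKI built by easy-rsa 2.x.  Written for Gentoo (emerge / OpenRC).
#
# Before running: make Apache listen on 127.0.0.1:4545 (not 0.0.0.0:4545,
# or the site stays reachable around OpenVPN) and update every VirtualHost
# to match; OpenVPN forwards non-OpenVPN traffic arriving on :443 there.
#
# NOTE: sys-auth/pam_mysql is installed below but this listing never wires
# it into OpenVPN (no auth-pam plugin / auth-user-pass lines) - clients are
# authenticated by certificate only.  No NAT/firewall rules for the
# 192.168.7.0/24 tunnel network are shown either; add them for your setup.
set -e

emerge net-misc/openvpn app-crypt/easy-rsa sys-auth/pam_mysql
cp -prv /usr/share/easy-rsa ~
cd ~/easy-rsa
cp vars{,.orig}
# Quoted delimiter: these lines must reach 'vars' verbatim so that $EASY_RSA,
# $KEY_DIR and the command substitutions are evaluated when vars is sourced,
# not while the heredoc is written (at that point $EASY_RSA is unset, which
# would leave KEY_DIR as "/keys" and KEY_CONFIG empty).
cat >> vars << '_EOF_'
export EASY_RSA="$(pwd)"
export KEY_DIR="$EASY_RSA/keys"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="FL"
export KEY_CITY="Miami"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="master@myhost.domain"
export KEY_CN=changeme # Common Name (eg, your name or your server's hostname)
export KEY_NAME=changeme # Name
export KEY_OU=changeme # Organizational Unit Name (eg, section)
_EOF_
source ./vars
./clean-all               # easy-rsa 2.x ships clean-all (hyphen), not clean_all
./build-ca
./build-key-server server # sets the serverAuth EKU that remote-cert-tls checks
./build-dh                # honours KEY_SIZE, so the output file is dh4096.pem
openvpn --genkey --secret "$KEY_DIR/ta.key"

# Only what the server needs goes to /etc/openvpn/certs.  ca.key is
# deliberately NOT copied: the server never reads it, and a CA key sitting on
# an internet-facing host lets anyone who compromises the box mint client
# certificates.  Keep it on the (ideally offline) signing machine.
install -d -m 700 /etc/openvpn/certs
cp -pv "$KEY_DIR"/{ca.crt,server.crt,server.key,ta.key,dh4096.pem} /etc/openvpn/certs/
chmod 600 /etc/openvpn/certs/server.key /etc/openvpn/certs/ta.key

# '>' rather than '>>': re-running this must not duplicate directives.
cat > /etc/openvpn/openvpn.conf << '_EOF_'
dev tun
# udp performs a lot better; tcp is used here only because the port is shared
# with apache (port-share is tcp-only).
proto tcp
local 203.0.113.10 # replace with the ip you want it listening on instead of 0.0.0.0
port 443
port-share 127.0.0.1 4545
keepalive 10 120
# comp-lzo intentionally left out: compressing a tunnel that carries
# attacker-influenced traffic enables compression-oracle attacks (VORACLE).
#comp-lzo
user nobody
group nobody
# Needed together with user/group nobody: once privileges are dropped the
# daemon cannot re-open the key files or the tun device on a SIGUSR1 /
# ping-restart, so the restart would fail without these.
persist-key
persist-tun
server 192.168.7.0 255.255.255.0
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
# KEY_SIZE=4096 above makes build-dh write dh4096.pem; dh2048.pem is never created.
dh /etc/openvpn/certs/dh4096.pem
# No key direction given, so the same bidirectional ta.key is used by server
# and client (the client bundle below therefore needs no key-direction).
tls-auth /etc/openvpn/certs/ta.key
#tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA # bettercrypto.org
tls-version-min 1.2 # you can try tls-cipher and see if everything works for you; if not, use this.
cipher AES-256-CBC
auth SHA384
verb 5
_EOF_

# Enable IP forwarding persistently.  The original sed only matched a line
# that already read "net.ipv4.ip_forward = 0"; handle a missing line too.
if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi
sysctl -p
rc-update add openvpn default
/etc/init.d/apache2 restart
/etc/init.d/openvpn restart

# Client part: generate a passphrase-protected client key and bundle
# everything into one .ovpn file to hand over.
./build-key-pass client
umask 077 # the bundle embeds the client's private key; keep it owner-only
cat > ~/client.ovpn << _EOF_
client
remote 203.0.113.10
dev tun
# set udp here too if you decided to use that!
proto tcp
port 443
# Refuse any peer whose certificate lacks the server EKU that build-key-server
# sets; without this, any holder of a client certificate signed by this CA
# could impersonate the server.
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
# comp-lzo intentionally left out (see the server config): VORACLE.
#comp-lzo yes
nobind
auth-nocache
# script-security 2 is only required if you add up/down scripts to this file.
script-security 2
persist-key
persist-tun
auth sha384

<ca>
$(cat ~/easy-rsa/keys/ca.crt)
</ca>

<cert>
$(cat ~/easy-rsa/keys/client.crt)
</cert>

<key>
$(cat ~/easy-rsa/keys/client.key)
</key>

<tls-auth>
$(cat ~/easy-rsa/keys/ta.key)
</tls-auth>
_EOF_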