VPN Solution on Linux
How to public any service without public ip using OPENVPN.
Some time we want to publish our website or any service from our desktop to internet . Then we require public IP to publish our services on the internet.
So resolve this issue we can user third party services like PORTMAP.IO this gives you ability to publish your services over the internet using OPEN VPN Client.
For more information visit there website https://portmap.io/
How to configure SSL VPN on OPENVPN
If you want to configure openvpn on SSL port below are the example for server and client side.
Server side configuration
local 192.168.1.250 port 443 proto tcp dev tun ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 tls-crypt tc.key topology subnet server 10.8.0.0 255.255.255.0 #server-ipv6 fddd:1194:1194:1194::/64 #push "redirect-gateway def1 ipv6 bypass-dhcp" ## To avoid all internet traffic except VPN## push "route 192.168.29.0 255.255.255.0" ## To advertise Network ## ifconfig-pool-persist ipp.txt push "dhcp-option DNS 192.168.29.254" #push "dhcp-option DNS 8.8.4.4" keepalive 10 120 cipher AES-256-CBC user nobody duplicate-cn ##To use single certificate for multiple user# group nobody persist-key persist-tun verb 3 crl-verify crl.pem
VERIFY ERROR: depth=0, error=CRL has expired: CN=servername
In order to fix the issue, we just need to recreate the crl.pem file.
we need to backup the current crl.pem file before creating a new one.
The location of the crl.pem file at /etc/openvpn/
#mv crl.pem crl.pem.back
Now go to easy-rsa folder
# cd easy-rsa
now generate crl.pem
# ./easyrsa gen–crl
Now copy the new crl.pem to openvpn folder
# cp –pr /etc/openvpn/easy–rsa/pki/crl.pem
Now restart openvpn service
source link :- https://www.jobishmathew.me/openvpn-crl-has-expired/
OPENVPN Logs
To troubleshoot connection issues check below logs
grep the client name in /var/log/messages
# grep VPN /var/log/messages
Check the connection time
#cat /etc/openvpn/openvpn-status.log
Check the connection negotiation activity
# tail -f /var/log/messages
GL-inet allow clients ( behind the LAN ) access from other Network
Edit the firewall add following lines
vi /etc/config/firewall
config forwarding option dest 'lan' option src 'VPN_client'
Restart firewall service
/etc/init.d/firewall restart
Step-1 Forward GRE protocol and TCP port 1723 through your firewall
Step-2 Add the Poptop Yum Repository
rpm -Uhv http://poptop.sourceforge.net/yum/stable/rhel5/pptp-release-current.noarch.rpm
Step-3 Configure iptables
Create iptables_set.sh, chmod +x iptables_set.sh, and run the script.
Note: The following will work but you may wish to change the source address from 10.10.9.0/24 to the network range of your choosing based on your network.
#!/bin/bash
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp –dport 1723 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p gre -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
/sbin/iptables -L -v
Step-4 Configure Routing
Edit /etc/sysctl.conf
net.ipv4.ip_forward = 1
Step-5 Make the changes active
sysctl -p
Step-6 Install PPTP Server
yum install ppp pptpd
Step-7 Configure the service to start on boot
chkconfig –levels 345 pptpd on
Step-7 Configure Client Network Options change IP address according to your requirement
Modify /etc/pptpd.conf
localip 10.10.11.1
remoteip 10.10.11.5-100
Modify /etc/ppp/options.pptpd
ms-dns 208.67.222.222
ms-dns 208.67.220.220
Step-8 Configure Client Access
You will need to customize the client name, secret (password), and you can either allow all IP address or limit as necessary.
Edit /etc/ppp/chap-secrets.
# Secrets for authentication using CHAP
# client server secret IP addresses
test-user * test-password *
Step-9 Start the Server
Start the pptpd service
service pptpd start
Step-10 Configure the Client
source link