Server certificate creation:
Go to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0/ (or the directory that corresponds to your OpenVPN installation).
Edit the vars file according to your needs.
It may be useful to push a different configuration to each client, for example different routes.
To do that, create one client certificate per client with the client hostname as Common Name. On the server, a dedicated directory (client-config-dir) holds one configuration fragment per client, named after that Common Name; it is not a script but a file of OpenVPN directives that the server applies to that client only.
We assume that the server certificate has already been created.
If not, create a dedicated server certificate with easy-rsa. Do not point the ca and cert entries of the server configuration file at the same file: the CA certificate is not a valid server certificate, and clients that verify the server role (ns-cert-type server / remote-cert-tls server) will refuse it.
Now the client certificates: we create one certificate per client, and the client hostname is used both to name the certificate files and as the Common Name of the certificate.
Example with the client hostname JDOE.
Go to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0/ (or the directory that corresponds to your OpenVPN installation) and edit the vars file according to your needs.
Source the vars file and build the client key with build-key JDOE, accepting JDOE as Common Name; the certificate and key end up in the keys subdirectory.
Now the per-client configuration. On the server, create a dedicated directory, for example /etc/openvpn/clients, and add a client-config-dir line pointing at it to the server configuration file.
In /etc/openvpn/clients create a file whose name is the client Common Name (here the hostname) and put the customized settings in it:
# cat /etc/openvpn/clients/JDOE
ifconfig-push 10.0.45.1 255.255.255.0
push "route 10.0.45.0 255.255.255.0 10.0.45.254"
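The per-client setup above as one runnable script. This is an added example, not code from the original page or from the OpenVPN project. It assumes the paths /etc/openvpn/clients and /etc/openvpn/server.conf, the client JDOE with the 10.0.45.0/24 addressing shown above, and that the JDOE certificate was built with easy-rsa 2.0 (source ./vars, then ./build-key JDOE). The functions ccd_write, ccd_check and valid_client_name are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example: create client-config-dir fragments for an OpenVPN server
# and check that the server configuration references the directory.
# Assumed paths: /etc/openvpn/clients, /etc/openvpn/server.conf (not in the page).

# A fragment is looked up by the certificate Common Name, so the file name
# must be exactly the CN. Refuse names with characters that could turn the
# lookup into a path traversal or that could not match a CN verbatim.
valid_client_name() {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# ccd_write DIR NAME IP MASK NET GATEWAY
# Write DIR/NAME with an ifconfig-push for the client (tap mode: address and
# netmask) and a pushed route for NET via GATEWAY. The file is created with a
# 022 umask: a world-writable fragment would let any local user inject
# directives into that client's session.
ccd_write() {
    dir=$1; name=$2; ip=$3; mask=$4; net=$5; gw=$6
    valid_client_name "$name" || { echo "ccd_write: invalid client name '$name'" >&2; return 1; }
    mkdir -p "$dir" && chmod 755 "$dir" || return 1
    ( umask 022
      {
        printf 'ifconfig-push %s %s\n' "$ip" "$mask"
        printf 'push "route %s %s %s"\n' "$net" "$mask" "$gw"
      } > "$dir/$name" )
}

# ccd_check CONF DIR
# Return 0 if CONF has a client-config-dir line naming DIR. Also warn when
# ccd-exclusive is absent: without it a client that has no fragment still
# connects and simply gets an address from the generic pool.
ccd_check() {
    conf=$1; dir=$2
    awk -v d="$dir" '$1 == "client-config-dir" && $2 == d { f = 1 } END { exit !f }' "$conf" || return 1
    awk '$1 == "ccd-exclusive" { f = 1 } END { exit !f }' "$conf" \
        || echo "ccd_check: consider adding ccd-exclusive to $conf" >&2
    return 0
}

# Usage on the server (as root), reproducing the JDOE fragment from the page:
#   ccd_write /etc/openvpn/clients JDOE 10.0.45.1 255.255.255.0 10.0.45.0 10.0.45.254
#   ccd_check /etc/openvpn/server.conf /etc/openvpn/clients \
#       || echo "add: client-config-dir /etc/openvpn/clients" >&2
```

The name check matters because the server derives the file name from a field the client controls at enrolment time; keeping the CN to a plain hostname-like token keeps the fragment lookup unambiguous.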
In the following example, we have a server with only one NIC (eth0) and we create a bridgeable interface (tap0) that OpenVPN will use.
In order to have VPN clients in the same subnet as the server, both interfaces are bridged together into one interface, br0.
First you have to configure the network so that the VPN adapter is bridged with the LAN adapter.
You may need to install some packages (bridge-utils provides brctl, uml-utilities provides tunctl):
apt-get install bridge-utils uml-utilities
Ensure the TUN/TAP character device exists as /dev/net/tun (major 10, minor 200); the same device serves both tun and tap interfaces. If it is missing, create it (mode 666 is the distribution default; attaching to a tap device still requires CAP_NET_ADMIN unless the device was made persistent for that user with tunctl -u, which is why tap0 is created for nobody below):
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
Then configure the interfaces in /etc/network/interfaces. The fragment below omits the auto lines and the address, netmask and gateway of br0; br0 must carry the LAN address that is later given as first argument to server-bridge:
iface lo inet loopback
up tunctl -t tap0 -u nobody
up ifconfig tap0 promisc up
iface eth0 inet manual
up ifconfig eth0 promisc up
iface br0 inet static
# dns-* options are implemented by the resolvconf package, if installed
# dns-nameservers 18.104.22.168
bridge_ports eth0 tap0
Server side configuration:
# use this plugin to authenticate users against the system accounts through PAM (the common-auth stack);
# the client certificate is still required, and clients must also send a username and password (auth-user-pass)
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
server-bridge 192.168.45.100 255.255.255.0 192.168.45.91 192.168.45.99
push "route 192.168.45.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.100"
push "dhcp-option DOMAIN mydomain.com"
keepalive 10 120
Client side configuration (besides the usual client, dev tap, ca, cert and key entries, the client needs auth-user-pass because the server authenticates through PAM):
remote mydomain.com 1194
Enable IP forwarding so that VPN clients can reach the local network (bridged traffic between tap0 and eth0 is switched at layer 2 and does not need it, but anything the server routes does): edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.
To take it into account, reload the file with sysctl -p.
Adjust the iptables rules; you may have to adapt them to your system. Once tap0 and eth0 are enslaved to br0, the kernel sees their traffic on br0, so matching -i tap0 in INPUT no longer works; match the bridge port with the physdev module instead (it needs br_netfilter loaded). $LAN must be set to your LAN prefix before the second rule is used, and the last rule accepts every forwarded packet entering br0, so narrow it to established connections where you can:
LAN=192.168.45.0/24
iptables -A INPUT -i br0 -m physdev --physdev-in tap0 -j ACCEPT
iptables -A INPUT -s $LAN -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
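The forwarding and firewall steps above, generated as an iptables-restore ruleset so they can be reviewed before being loaded. This is an added example and not part of the original page or of OpenVPN. It assumes the LAN prefix 192.168.45.0/24 (taken from the server-bridge line), a bridge br0 with tap0 as one of its ports, and br_netfilter loaded so that iptables sees bridged frames and the physdev match works. The page's blanket rule -A FORWARD -i br0 -j ACCEPT is shown in a comment beside the stateful rules that replace it; forward_sysctl, valid_cidr and gen_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example: emit the forwarding sysctl and an iptables-restore ruleset
# for the bridged OpenVPN server. Assumptions (not in the page): br0 with
# port tap0, LAN 192.168.45.0/24, br_netfilter loaded (bridge-nf-call-iptables=1).

# The single line for /etc/sysctl.conf; reload afterwards with: sysctl -p
forward_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Validate a.b.c.d/nn before it is spliced into a rule: an empty or malformed
# $LAN would otherwise turn "-s $LAN" into a rule that matches everything.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules LAN_PREFIX: print a ruleset on stdout, fail on a bad prefix.
# tap0 is a bridge port, so the host sees its traffic on br0 and the VPN
# side is selected with --physdev-in rather than "-i tap0".
gen_rules() {
    lan=$1
    valid_cidr "$lan" || { echo "gen_rules: bad LAN prefix '$lan'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# OpenVPN itself; eth0 is also a bridge port, so Internet traffic arrives on br0
-A INPUT -i br0 -p udp --dport 1194 -j ACCEPT
# Traffic that entered the bridge through the VPN port (the page's "-i tap0")
-A INPUT -i br0 -m physdev --physdev-in tap0 -j ACCEPT
# Hosts on the local network (the page's "-s \$LAN -i br0")
-A INPUT -i br0 -s $lan -j ACCEPT
# Instead of the page's "-A FORWARD -i br0 -j ACCEPT": replies always pass,
# new flows only when they stay inside the bridge (VPN client <-> LAN)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o br0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage: VPN_LAN=192.168.45.0/24 sh rules.sh > /etc/iptables.rules
#        iptables-restore < /etc/iptables.rules
gen_rules "${VPN_LAN:-192.168.45.0/24}"
```

Keep the default policies at DROP and add explicit rules for any other service the server exposes on br0; with br_netfilter active, the FORWARD rules also govern frames switched between the LAN and the VPN port, which is what lets you restrict VPN clients to specific LAN hosts later.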