Set up a VPN, route samba over it

  1. install openvpn on your server and your client
  2. generate the certificates as in the official HOWTO:

    root@server:/etc/openvpn/easy-rsa# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
    root@server:/etc/openvpn/easy-rsa# cd /etc/openvpn/easy-rsa
    

    Edit /etc/openvpn/easy-rsa/vars and fill in the appropriate values

    root@server:/etc/openvpn/easy-rsa# . ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
    root@server:/etc/openvpn/easy-rsa# ./clean-all
    root@server:/etc/openvpn/easy-rsa# ./build-ca
    Generating a 1024 bit RSA private key
    ......................++++++
    ........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [OpenVPN-CA]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:
    root@server:/etc/openvpn/easy-rsa# ./build-key-server server
    Generating a 1024 bit RSA private key
    ...............++++++
    ..........++++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [server]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'HK'
    stateOrProvinceName   :PRINTABLE:'New Territories'
    localityName          :PRINTABLE:'Tuen Mun'
    organizationName      :PRINTABLE:'Home'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'server'
    name                  :PRINTABLE:'OpenVPN-CA'
    emailAddress          :IA5STRING:'[email protected]'
    Certificate is to be certified until Mar 18 13:18:09 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@server:/etc/openvpn/easy-rsa# ./build-key client
    Generating a 1024 bit RSA private key
    ..........++++++
    ...................................................++++++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [HK]:
    State or Province Name (full name) [New Territories]:
    Locality Name (eg, city) [Tuen Mun]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [client]:
    Name [OpenVPN-CA]:
    Email Address [[email protected]]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'HK'
    stateOrProvinceName   :PRINTABLE:'New Territories'
    localityName          :PRINTABLE:'Tuen Mun'
    organizationName      :PRINTABLE:'Home'
    organizationalUnitName:PRINTABLE:'changeme'
    commonName            :PRINTABLE:'client'
    name                  :PRINTABLE:'OpenVPN-CA'
    emailAddress          :IA5STRING:'[email protected]'
    Certificate is to be certified until Mar 18 13:20:00 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    root@server:/etc/openvpn/easy-rsa# ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    
  3. copy the needed files from /etc/openvpn/easy-rsa/keys on the server to /etc/openvpn

    for server: ca.crt dh1024.pem server.crt server.key

    for client: ca.crt client.crt client.key

  4. copy the appropriate sample configuration files from /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn and decompress them

    server: server.conf.gz

    client: client.conf

  5. The server configuration file should be workable by default
  6. edit the "remote" entry on the client /etc/openvpn/client.conf

    Enter the server name or IP address. No other changes need to be made.

  7. Open up UDP 1194 on the server's firewall
  8. The service is ready to start now; the server is reachable at 10.8.0.1 over the VPN

    I assume you only need to access the server; additional work needs to be done if you want to access other internal networks.

  9. configure samba to listen on 10.8.0.0/24
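As an added example (not from the answer above), here is a hardened smb.conf [global] fragment for step 9 together with a small POSIX shell check that verifies a given smb.conf really confines Samba to the VPN. The subnet 10.8.0.0/24 comes from the answer; the tunnel interface name tun0 is an assumption.

```shell
# Added example, not part of the original answer: a hardened [global] fragment
# for step 9 plus a check that an smb.conf really confines Samba to the VPN.
# Assumed: VPN subnet 10.8.0.0/24 (from the answer); tunnel interface name tun0.
VPN_NET="10.8.0.0/24"
VPN_IF="tun0"

# Hardened settings. "interfaces" alone is not enough: without
# "bind interfaces only = yes" smbd still listens on every address.
# "hosts allow"/"hosts deny" add a second layer in case the bind is wrong.
SMB_VPN_GLOBAL="[global]
    interfaces = lo ${VPN_IF} ${VPN_NET}
    bind interfaces only = yes
    hosts allow = 127.0.0.1 ${VPN_NET}
    hosts deny = 0.0.0.0/0"

# smb_get OPTION FILE: print the [global] value of OPTION (last one wins, as
# testparm does), or nothing if unset. Options before any section count as global.
smb_get() {
    awk -v key="$1" -F '=' '
        BEGIN { ingl = 1 }
        /^[ \t]*\[/ { ingl = ($0 ~ /^[ \t]*\[global\]/) }
        ingl && $1 ~ "^[ \t]*" key "[ \t]*$" {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v
        }
        END { print val }' "$2"
}

# smb_vpn_only_check FILE: return 0 if FILE restricts Samba to the VPN,
# 1 otherwise, printing each failed check (interfaces given as addr/mask are not recognised).
smb_vpn_only_check() {
    conf="$1"; ok=0
    bio=$(smb_get "bind interfaces only" "$conf")
    ifs=$(smb_get "interfaces" "$conf")
    allow=$(smb_get "hosts allow" "$conf")
    case "$bio" in
        [Yy]es|[Tt]rue|1) ;;
        *) echo "FAIL: 'bind interfaces only' is not yes; smbd binds all addresses"; ok=1 ;;
    esac
    case " $ifs " in
        *" $VPN_IF "*|*" $VPN_NET "*) ;;
        *) echo "FAIL: 'interfaces' does not name $VPN_IF or $VPN_NET"; ok=1 ;;
    esac
    case " $allow " in
        *" $VPN_NET "*) ;;
        *) echo "FAIL: 'hosts allow' does not limit clients to $VPN_NET"; ok=1 ;;
    esac
    return $ok
}
```

Run `smb_vpn_only_check /etc/samba/smb.conf` after editing; `testparm` and `ss -lnt | grep -E ':(139|445) '` confirm the parsed settings and that smbd is bound to the tunnel address only.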

Everything should be done now; leave a comment here if something goes wrong.