====== OpenVPN ======

This procedure is for KerOs 5.x only.

===== Overview =====

  - OpenVPN server configuration
  - OpenVPN client configuration
  - Firewall configuration
  - Start OpenVPN

===== Step by step guide =====

==== OpenVPN server configuration ====

An easy way exists to set up an OpenVPN server on Linux. A script named "//openvpn-install//" can be used to configure the OpenVPN server (for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux): [[https://github.com/angristan/openvpn-install]]

==== OpenVPN client configuration ====

Generate a client from the script "//openvpn-install//". It generates a "//.ovpn//" file that contains the system requirements (Certificate Authority, certificates, keys).

Transfer the "//.ovpn//" file to the Gateway in the "///etc/openvpn///" folder and rename it to "//.conf//":

  scp client-openvpn.ovpn root@192.168.0.x://etc/openvpn/client-openvpn.conf

==== Firewall configuration ====

Create a file called "//openvpn.rules//" as in the example below (replace the port number with the port number set on the OpenVPN server):

  *filter
  -A INPUT -p udp --sport 1194 -j ACCEPT
  -A OUTPUT -p udp --dport 1194 -j ACCEPT
  COMMIT

Transfer the file to the Gateway in the firewall folder "/etc/firewall.d/":

  scp openvpn.rules root@192.168.0.x://etc/firewall.d/

Restart the firewall process:

  /etc/init.d/firewall restart

To check the rules, run ''iptables -L'' for IPv4 rules and ''ip6tables -L'' for IPv6 rules.

==== Start OpenVPN ====

Launch OpenVPN with the main configuration file on the gateway (replace with the appropriate file name):

  openvpn --config /etc/openvpn/client-openvpn.conf 2>&1 | logger &

Check that the OpenVPN client is running on your gateway:

  ps | grep [o]penvpn
  31342 root 4700 S openvpn --config /user/client-openvpn.conf

Check with the ''ifconfig'' command that the ''vpn0'' interface is now active.

Once everything is working, you can add initialization scripts to enable the VPN automatically.
Don't forget to enable the firewall again if it was disabled. We recommend monitoring the VPN with [[wiki:systeme_mana:monitoring#monit_daemon|Monit daemon]].
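
For the firewall step, the port in "//openvpn.rules//" has to match the one set on the server. The script below is an added example, not part of the original procedure or of "//openvpn-install//": it reads the ''remote'', ''port'' and ''proto'' directives from the client profile and prints a rules file in the same format. As a tightening that goes beyond the page's rules, it pins both rules to the server address when the profile gives an IPv4 literal, so the INPUT rule is not open to every host; the function names and the sample profile are constructed.

```shell
#!/bin/sh
# Added example: build openvpn.rules from the client profile so the port and
# protocol cannot drift from what the server uses.

# gen_openvpn_rules PROFILE: print a rules file in the format shown on this page.
gen_openvpn_rules() {
    awk '
    $1 == "proto"  { proto = $2 }      # global protocol directive
    $1 == "port"   { defport = $2 }    # global port directive
    $1 == "remote" { n++; host[n] = $2; rport[n] = $3; rproto[n] = $4 }
    END {
        if (n == 0) { print "no remote directive found" > "/dev/stderr"; exit 1 }
        out = "*filter\n"
        for (i = 1; i <= n; i++) {
            p = (rport[i] != "") ? rport[i] : (defport != "" ? defport : "1194")
            t = (rproto[i] != "") ? rproto[i] : proto
            t = (t ~ /^tcp/) ? "tcp" : "udp"    # tcp-client, udp4, ... collapse to tcp/udp
            if (p !~ /^[0-9]+$/ || p + 0 < 1 || p + 0 > 65535) {
                print "invalid port: " p > "/dev/stderr"; exit 1
            }
            src = ""; dst = ""
            # Assumption beyond the page: pin rules to the server if it is an IPv4 literal.
            if (host[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                src = " -s " host[i]; dst = " -d " host[i]
            }
            out = out "-A INPUT" src " -p " t " --sport " p " -j ACCEPT\n"
            out = out "-A OUTPUT" dst " -p " t " --dport " p " -j ACCEPT\n"
        }
        printf "%sCOMMIT\n", out
    }' "$1"
}

# Constructed sample profile (192.0.2.10 is a documentation address).
sample_profile() {
    cat <<'EOF'
client
proto udp
remote 192.0.2.10 1195
dev tun
EOF
}

if [ "$#" -gt 0 ]; then
    gen_openvpn_rules "$1"
else
    tmp=$(mktemp); sample_profile > "$tmp"
    gen_openvpn_rules "$tmp"; rm -f "$tmp"
fi
```

Saved under a hypothetical name such as ''gen-rules.sh'', it can be run as ''sh gen-rules.sh client-openvpn.ovpn > openvpn.rules'' before the ''scp'' step; a profile with no ''remote'' line or an out-of-range port makes it exit non-zero instead of writing rules.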