openvpn --genkey --secret static.key
Then copy this key to both client and server.

server-static.conf:

# run with: 'openvpn --config server-static.conf'
mode p2p      # default
proto udp     # default
dev tun       # default
port 1194     # default - server will listen on all interfaces, on this port
ifconfig 10.4.0.1 10.4.0.2   # first Tunnel-IP is local, 2nd Tunnel-IP is remote
verb 3
secret static.key            # generated above with: openvpn --genkey --secret static.key
keepalive 10 60
persist-tun
persist-key
persist-local-ip
comp-lzo
client-static.conf:
# run with: 'openvpn --config client-static.conf'
mode p2p      # default
proto udp     # default
dev tun       # default
remote [server ip] 1194      # client will connect to this (server) IP + port
ifconfig 10.4.0.2 10.4.0.1   # first Tunnel-IP is local, 2nd Tunnel-IP is remote (mirror of the server line)
verb 3
secret static.key            # the same static.key as on the server
keepalive 10 60
comp-lzo
explicit-exit-notify 2
Firewall and port forwarding (forwards low TCP ports arriving on the server's public IP to the client's tunnel IP, and masquerades the client's outgoing traffic as the server).

firewall.sh:

# run as 'sudo sh ./firewall.sh'
# flush all existing rules and chains, then default to ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

SERVER='paste IP address of the server here'

# traffic coming from the client's tunnel IP leaves with the server's public IP
iptables -A POSTROUTING -t nat --match iprange --src-range 10.4.0.2 -j SNAT --to-source $SERVER

## low ports first
iptables -A PREROUTING -t nat --dst $SERVER -p tcp --dport 23:1024 -j DNAT --to 10.4.0.2

## other ports (watch not to forward OpenVPN port 1194! - this range deliberately starts above it)
# iptables -A PREROUTING -t nat --dst $SERVER -p tcp --dport 1200:20000 -j DNAT --to 10.4.0.2

# the DNAT rules above only work if the kernel is allowed to forward packets
echo 1 > /proc/sys/net/ipv4/ip_forward
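A small sanity check added here (not part of the original notes or the OpenVPN project) for the two mistakes the configs above are easiest to get wrong: a DNAT port range that swallows the OpenVPN port 1194, and ifconfig lines that are not mirror images of each other. It assumes the file names used above; the test inputs are constructed.

```shell
#!/bin/sh
# Added example: static checks over firewall.sh and the two p2p configs.
# The file names (firewall.sh, server-static.conf, client-static.conf) are
# the ones used in the notes above; nothing here touches a live firewall.

# port_in_range PORT RANGE -> true if PORT lies in RANGE ("lo:hi" or a single port)
port_in_range() {
    port=$1; range=$2
    lo=${range%%:*}; hi=${range##*:}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# forwarded_ranges FILE -> the --dport argument of every active (uncommented) DNAT rule
forwarded_ranges() {
    grep -v '^[[:space:]]*#' "$1" | grep -- '-j DNAT' \
        | sed -n 's/.*--dport \([0-9:]*\).*/\1/p'
}

# check_vpn_port_not_forwarded FILE PORT -> true if no DNAT range covers PORT
check_vpn_port_not_forwarded() {
    for r in $(forwarded_ranges "$1"); do
        if port_in_range "$2" "$r"; then
            echo "DNAT range $r covers OpenVPN port $2" >&2
            return 1
        fi
    done
    return 0
}

# ifconfig_pair FILE -> "local remote" from the file's ifconfig line
ifconfig_pair() {
    sed -n 's/^ifconfig[[:space:]]*\([^ ]*\)[[:space:]]*\([^ #]*\).*/\1 \2/p' "$1"
}

# check_ifconfig_mirrored SERVER_CONF CLIENT_CONF -> true if "ifconfig A B" on
# the server matches "ifconfig B A" on the client
check_ifconfig_mirrored() {
    s=$(ifconfig_pair "$1"); c=$(ifconfig_pair "$2")
    [ -n "$s" ] && [ "$s" = "${c#* } ${c%% *}" ]
}

# usage: sh check.sh firewall.sh server-static.conf client-static.conf
if [ "$#" -eq 3 ]; then
    check_vpn_port_not_forwarded "$1" 1194 && check_ifconfig_mirrored "$2" "$3" \
        && echo "checks passed"
fi
```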
Complete and (much) more secure setup (TLS mode with client authentication instead of a single shared static key): http://john.de-graaff.net/wiki/doku.php/links/openvpn#server_tls_mode_with_client-auth
Automated setup script (nice!): https://github.com/Nyr/openvpn-install