====== OpenVPN Server - Linux ======
===== Setting up an OpenVPN server =====
- Install OpenVPN Server
# yum install openvpn
- Install easy-rsa
# yum install easy-rsa
# mkdir ~/easy-rsa
# cp -ai /usr/share/easy-rsa/2.0/* ~/easy-rsa/
- Initialise vars appropriately\\ Edit the defaults in vars so that the same values do not have to be typed again for every certificate
# vi vars
...
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="NewTaipei"
export KEY_ORG="Wieson"
export KEY_EMAIL="eddie@wieson.com"
export KEY_OU="WSY"
...
export KEY_CN="SVNServer"
...
# cd ~/easy-rsa
# . vars
# ./clean-all
- Generate the root CA\\
# ./build-ca
Example
[root@RD30 easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:Taiwan
Locality Name (eg, city) [SanFrancisco]:Taoyuan
Organization Name (eg, company) [Fort-Funston]:Mapower
Organizational Unit Name (eg, section) []:Software
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Eddie
Name []:
Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
- Generate the certificate used by the server
# ./build-inter $( hostname | cut -d. -f1 )
or
# ./build-key-server server
Example
[root@RD30 easy-rsa]# ./build-inter $( hostname | cut -d. -f1 )
Generating a 1024 bit RSA private key
.............++++++
.....................................++++++
writing new private key to 'RD30.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:Taiwan
Locality Name (eg, city) [SanFrancisco]:Taoyuan
Organization Name (eg, company) [Fort-Funston]:Mapower
Organizational Unit Name (eg, section) []:Software
Common Name (eg, your name or your server's hostname) [RD30]:
Name []:
Email Address [me@myhost.mydomain]:eddie@mapower.com.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:784026
An optional company name []:eddie
Using configuration from /root/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'Taiwan'
localityName :PRINTABLE:'Taoyuan'
organizationName :PRINTABLE:'Mapower'
organizationalUnitName:PRINTABLE:'Software'
commonName :PRINTABLE:'RD30'
emailAddress :IA5STRING:'eddie@mapower.com.tw'
Certificate is to be certified until Oct 14 12:17:45 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@RD30 easy-rsa]#
- Generate dh1024.pem, the Diffie-Hellman parameter file the server must have in order to use TLS.
# ./build-dh
- Copy the generated keys into the service directory
# mkdir /etc/openvpn/keys (if it does not exist yet)
# cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh1024.pem /etc/openvpn/keys/
- Edit /etc/openvpn/server.conf (copy it from /usr/share/doc/openvpn-2.3.2/sample/sample-config-files)
# cp -ai /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
# TLS parms
tls-server
ca keys/ca.crt
cert keys/4000A.crt
key keys/4000A.key
dh keys/dh1024.pem
local a.b.c.d --> listen address; if omitted, OpenVPN listens on 0.0.0.0
port 1194 --> listen port
proto tcp --> tcp or udp
dev tun --> tun or tap
ca ./keys/ca.crt --> ca.crt path
cert ./keys/server.crt --> server.crt path
key ./keys/server.key --> server.key path
dh ./keys/dh1024.pem --> dh1024.pem path
server 192.168.125.0 255.255.255.0 --> OpenVPN address pool (the server itself takes 192.168.125.1)
push "redirect-gateway" --> route all client traffic through this gateway
push "dhcp-option DNS 168.95.1.1" --> push this DNS server to the clients
duplicate-cn --> lets several clients connect with the same certificate at the same time
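The directive list above, together with the KEY_SIZE setting in vars, leaves a few choices that are worth checking before the server goes live: 1024-bit DH parameters, duplicate-cn, a management interface bound to a non-loopback address without a pw-file, and a control channel with no tls-auth or tls-crypt key. The following audit script is an added example written for this page; it is not code from the wiki or from OpenVPN. The two server.conf texts and the vars lines in it are constructed samples that follow the directive list above, and the file paths in them are not checked on disk.

```python
"""Audit an OpenVPN server.conf (and the easy-rsa vars file) for weak settings.

Added example for this page, not code from the wiki or from OpenVPN.
The configurations below are constructed samples; paths are not checked on disk.
"""
import re
import shlex

# Constructed sample: the page's directive list with the weaker choices.
SAMPLE_CONF = """\
# TLS parms
tls-server
local 0.0.0.0
port 1194
proto tcp
dev tun
ca ./keys/ca.crt
cert ./keys/server.crt
key ./keys/server.key
dh ./keys/dh1024.pem
server 192.168.125.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 168.95.1.1"
duplicate-cn
management 0.0.0.0 8998
"""

# Constructed sample: the same server with each finding corrected.
HARDENED_CONF = SAMPLE_CONF.replace("dh1024.pem", "dh2048.pem") \
    .replace("duplicate-cn\n", "tls-auth ./keys/ta.key 0\n") \
    .replace("management 0.0.0.0 8998", "management 127.0.0.1 8998 /etc/openvpn/mgmt.pw")

# Constructed sample of the easy-rsa vars lines this page edits.
SAMPLE_VARS = 'export KEY_SIZE=1024\nexport KEY_COUNTRY="TW"\n'

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Return (directive, args) pairs; comments and blank lines are dropped and a
    quoted argument such as push "redirect-gateway" stays a single token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        entries.append((tokens[0], tokens[1:]))
    return entries


def audit_conf(text):
    """Return the sorted list of finding codes for a server.conf text."""
    directives = {}
    for name, args in parse_conf(text):
        directives.setdefault(name, []).append(args)
    findings = set()

    # tls-server on this page needs ca, cert, key and dh; flag any that are missing.
    for required in ("ca", "cert", "key", "dh"):
        if required not in directives:
            findings.add("missing-" + required)

    # ./build-dh on this page writes dh1024.pem; DH parameters below 2048 bits,
    # as far as the file name reveals the size, are treated as weak.
    for args in directives.get("dh", []):
        match = re.search(r"dh(\d+)", args[0]) if args else None
        if match and int(match.group(1)) < 2048:
            findings.add("weak-dh")

    # duplicate-cn lets one certificate be used from several places at once, so a
    # copied client certificate is not noticed by a refused second login.
    if "duplicate-cn" in directives:
        findings.add("duplicate-cn")

    # The management interface asks for no password unless a pw-file (third
    # argument) is given, so binding it off loopback exposes server control.
    for args in directives.get("management", []):
        if args and args[0] not in LOOPBACK and len(args) < 3:
            findings.add("management-exposed")

    # Without tls-auth or tls-crypt the TLS control channel talks to anyone
    # who can reach the listening port.
    if not ({"tls-auth", "tls-crypt"} & set(directives)):
        findings.add("no-tls-auth")

    return sorted(findings)


def audit_vars(text):
    """Return the KEY_SIZE finding for an easy-rsa vars file, if any."""
    match = re.search(r"^export KEY_SIZE=(\d+)", text, re.MULTILINE)
    if match and int(match.group(1)) < 2048:
        return ["weak-key-size"]
    return []


if __name__ == "__main__":
    print("server.conf:", audit_conf(SAMPLE_CONF) or "no findings")
    print("hardened   :", audit_conf(HARDENED_CONF) or "no findings")
    print("vars       :", audit_vars(SAMPLE_VARS) or "no findings")
```

Run it against the real file with `audit_conf(open("/etc/openvpn/server.conf").read())`; the finding codes are deliberately short so the script can feed a deployment check. The DH check reads only the file name, which is what the page's ./build-dh step produces; a generated file with a different name needs openssl to determine its size.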
- Start OpenVPN
# service openvpn start
- If it started successfully, the following commands show its state
ifconfig: shows the VPN network interface (tun or tap)
netstat -tulnp: shows whether port 1194 is listening
- Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194.
- The following should work (assuming your outside interface is eth1 and your inside interface is eth0):
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
- Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:
append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established
===== Get Client List =====
- In the server config, add a line of the form management IP port [pw-file], for example
management localhost 8998
- Use telnet to connect to this management interface
telnet localhost 8998
- Type status to list the connected clients, or help for the available commands.\\ For example:
[root@4000A openvpn]# telnet 127.0.0.1 8998
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status
OpenVPN CLIENT LIST
Updated,Sat May 6 09:46:15 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
eddie,220.189.249.222:59038,1309218,3106911,Sat May 6 09:15:38 2017
blue,112.17.235.18:12333,27023,24983,Sat May 6 09:46:01 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.126.6,eddie,220.189.249.222:59038,Sat May 6 09:45:52 2017
192.168.126.10,blue,112.17.235.18:12333,Sat May 6 09:46:15 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
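The status output above is easy to read by eye, but a monitoring job wants it as records. The parser below is an added example written for this page, not code from the wiki or from OpenVPN. It handles the version-1 status format shown in the session above and then flags any common name that is connected from more than one real IP address, which is what a copied certificate looks like once duplicate-cn is enabled. The status text in it is a constructed sample in the page's format, reusing the page's own names and addresses, plus one extra constructed connection for "eddie". Because the management interface requires no password unless a pw-file is configured, the script is meant to be run on the server itself against a listener on localhost, as in the page's management localhost 8998 line.

```python
"""Parse version-1 `status` output from the OpenVPN management interface and
flag certificates that appear to be in use from more than one place.

Added example for this page, not code from the wiki or from OpenVPN.
The status text below is a constructed sample in the page's format.
"""
from collections import defaultdict

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat May  6 09:46:15 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
eddie,220.189.249.222:59038,1309218,3106911,Sat May  6 09:15:38 2017
blue,112.17.235.18:12333,27023,24983,Sat May  6 09:46:01 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.126.6,eddie,220.189.249.222:59038,Sat May  6 09:45:52 2017
192.168.126.10,blue,112.17.235.18:12333,Sat May  6 09:46:15 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed variant: "eddie" is connected a second time from another address,
# which duplicate-cn permits and which a copied certificate would look like.
SHARED_STATUS = SAMPLE_STATUS.replace(
    "ROUTING TABLE",
    "eddie,203.0.113.7:4433,512,1024,Sat May  6 09:40:00 2017\nROUTING TABLE")


def parse_status(text):
    """Return (clients, routes) from version-1 status output.

    Section headers switch the parser state; the column header of each section
    and the Updated line are skipped by field count and first field.
    """
    clients, routes = [], []
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, received, sent, since = fields
            clients.append({"cn": cn, "real_address": real,
                            "bytes_received": int(received),
                            "bytes_sent": int(sent), "connected_since": since})
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            virtual, cn, real, last_ref = fields
            routes.append({"virtual_address": virtual, "cn": cn,
                           "real_address": real, "last_ref": last_ref})
    return clients, routes


def shared_certificates(clients):
    """Return the common names connected from more than one real IP address.

    The source port is dropped, so a reconnect from the same host does not count.
    """
    sources = defaultdict(set)
    for client in clients:
        host = client["real_address"].rsplit(":", 1)[0]
        sources[client["cn"]].add(host)
    return sorted(cn for cn, hosts in sources.items() if len(hosts) > 1)


if __name__ == "__main__":
    clients, routes = parse_status(SHARED_STATUS)
    for client in clients:
        print(f'{client["cn"]:10} {client["real_address"]:24} {client["bytes_sent"]:>10} B sent')
    print("routes:", len(routes), "shared certificates:", shared_certificates(clients))
```

To use it live, send `status` to the management socket and pass everything up to the END line to parse_status; a non-empty result from shared_certificates is worth a look at the client in question, since with duplicate-cn the server itself will never refuse the second connection.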