Server setup (CentOS 7 host on the DC side)
OpenVPN server config — a point-to-point TLS tunnel with the NAS as the only client
/etc/openvpn/nas0.conf
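# Point-to-point TLS server; the NAS is the only peer (no `server`/address-pool directive).
tls-server
port 1194
proto udp
# Name the device explicitly: the firewalld rules bind a zone to "tun0" for the outgoing NAT.
dev tun0
# Local / remote tunnel endpoints; the NAS config uses the mirror image.
ifconfig 10.3.0.1 10.3.0.2
# Data-channel cipher. CBC has no built-in integrity, so the HMAC (`auth`) matters; the
# default is SHA1 on both sides. If both peers run OpenVPN 2.4+ they normally negotiate
# AES-256-GCM instead (NCP). To change `auth`, change it on BOTH configs at once.
cipher AES-256-CBC
# Refuse TLS < 1.2 on the control channel. Any current OpenVPN client supports 1.2;
# confirm on the NAS before rolling out.
tls-version-min 1.2
# Drop root once the tunnel is up. persist-key/persist-tun are needed alongside this
# so a SIGUSR1 restart does not have to reopen the key file / tun device as nobody.
user nobody
group nobody
persist-key
persist-tun
# NOTE(review): compression inside a VPN leaks plaintext (VORACLE-style attacks) and
# comp-lzo is deprecated. Kept only because the NAS config also sets it; the two sides
# must agree, so remove it from BOTH configs in the same change.
comp-lzo
ping 5
# Enable this (and ship ta.key to the NAS with `tls-auth ... 1`) to drop unauthenticated
# UDP packets before the TLS handshake reaches OpenSSL; it blunts scans/DoS on 1194.
#tls-auth /etc/openvpn/ssl/ta.key 0
dh /etc/openvpn/ssl/dh2048.pem
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
# server.key must be readable by root only (mode 600, directory mode 700).
# Optional hardening: `remote-cert-tls client` rejects a peer presenting a server-type
# cert; only add it once the NAS cert is confirmed to carry the client EKU.
key /etc/openvpn/ssl/server.key
mute 10
verb 4
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/status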
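# Create the key and log directories (-p makes this safe to re-run) and lock down the
# key directory: server.key, the DH params and ca/server certs are generated in here.
mkdir -p /etc/openvpn/ssl /var/log/openvpn
chmod 700 /etc/openvpn/ssl
cd /etc/openvpn/ssl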
OS setting (enable IPv4 forwarding so the DC can route between tun0 and its other interfaces)
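# The DC forwards packets between tun0 and its LAN/WAN (NAT and the 5001 port-forward
# below both depend on it). Use a sysctl.d drop-in rather than appending to
# /etc/sysctl.conf: re-running this step no longer stacks up duplicate lines.
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-openvpn.conf
sysctl -p /etc/sysctl.d/99-openvpn.conf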
Firewall setting (firewalld on the DC)
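# for OVPN service — zone given explicitly so the rule lands in the same zone as the
# masquerade below, regardless of the host's default zone.
firewall-cmd --zone=public --add-port=1194/udp --permanent
# for outgoing nat: traffic entering on tun0 (internal zone) and leaving via public
# is rewritten to the DC's own address.
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=internal --add-interface=tun0 --permanent
# port forwarding: DC public :5001/tcp -> NAS 10.3.0.2:5001 (DSM HTTPS).
# WARNING: this exposes the DSM login page to everything that can reach the DC's
# public address. Prefer restricting the source range with a rich rule, e.g.
# (replace 203.0.113.0/24 with the real allowed range):
#   firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" forward-port port="5001" protocol="tcp" to-port="5001" to-addr="10.3.0.2"'
# Forwarding to another host needs net.ipv4.ip_forward=1 and masquerade on this zone.
firewall-cmd --zone=public --add-forward-port=port=5001:proto=tcp:toport=5001:toaddr=10.3.0.2 --permanent
# apply setting
firewall-cmd --reload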
NAS (client side)
MyServer.ovpn — imported into the DSM VPN client; it embeds the client's private key, so keep it mode 600
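# DC endpoint; "MyServer" must resolve to the DC's public address.
remote MyServer 1194 udp
tls-client
dev tun
# Mirror image of the server's ifconfig: local 10.3.0.2, remote 10.3.0.1.
ifconfig 10.3.0.2 10.3.0.1
# NOTE(review): compression inside a VPN leaks plaintext (VORACLE-style attacks) and
# comp-lzo is deprecated. Kept only because the server sets it too; both sides must
# agree, so remove it from BOTH configs in the same change.
comp-lzo
# Keepalive: ping every 5 s, restart the connection after 15 s without a reply.
ping 5
ping-restart 15
# Must match the server (or be negotiated to AES-256-GCM if both run OpenVPN 2.4+).
cipher AES-256-CBC
# Refuse TLS < 1.2 on the control channel; the CentOS 7 server side supports it.
# Confirm the DSM OpenVPN build honours this directive when importing the profile.
tls-version-min 1.2
# Only accept a peer certificate with the server EKU/key usage, so another client
# cert issued by the same CA cannot impersonate the DC.
remote-cert-tls server
# Inline PKI material follows. The <key> block is the NAS's private key: this file must
# not be world-readable, mailed, or committed anywhere.
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>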
# Tested with the NAS running DSM 7.0