====== Information ======

  * OpenVPN ((https://openvpn.net))
  * [[Information:Realm of Espionage]]
  * vpn.realmofespionage.xyz ((OpenVPN))

===== Prerequisites =====

  * [[distros:ubuntu_server | Ubuntu Server]]

====== Dependencies ======

<code bash>
sudo apt install openvpn easy-rsa
</code>

====== Firewall ======

===== Kernel Parameter =====

<file - /etc/sysctl.d/99-custom.conf>
net.ipv4.ip_forward = 1
</file>

===== ufw =====

==== Forward Policy ====

  * Change ''DEFAULT_FORWARD_POLICY'' from ''DROP'' to ''ACCEPT''

<code bash>
sudo -e '/etc/default/ufw'
</code>

<code>
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"
</code>

==== Masquerade Rule ====

  * https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
  * ''10.8.0.0/24'' is the default coming from the ''server'' setting in OpenVPN's ''server.conf''
  * ''enp3s0'' is the server's outbound interface and may differ on other hosts
  * Add this block near the top of the file, before the ''*filter'' section

<code bash>
sudo -e '/etc/ufw/before.rules'
</code>

<code>
# Rule for OpenVPN
# Adapted from https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
COMMIT
</code>

==== OpenVPN Server Rule ====

  * 1194/udp is the port OpenVPN clients connect to on the server

<code bash>
sudo -e '/etc/ufw/applications.d/custom' && sudo ufw allow 'openvpn-custom'
</code>

<code>
[openvpn-custom]
title=openvpn-custom
description=OpenVPN Server
ports=1194/udp
</code>

====== Certificate Authority ======

===== Settings =====

  * Remove the existing ''KEY_*'' settings in ''vars'' and paste this block in their place
  * Be sure to finish the email at ''KEY_EMAIL''

<code bash>
cd ~ && rm -Rf ~/'openvpn-ca' && make-cadir ~/'openvpn-ca' && nano ~/'openvpn-ca/vars'
</code>

<code bash>
export KEY_COUNTRY="US"
export KEY_PROVINCE="PA"
export KEY_CITY="Charleroi"
export KEY_ORG="Realm of Espionage"
export KEY_EMAIL="espionage724@x"
export KEY_OU="VPN"
export KEY_CN="realmofespionage.xyz"
#export KEY_CN="realmofespionage.ddns.net"

# X509 Subject Field
export KEY_NAME="RoE | VPN"
export KEY_ALTNAMES="RoE VPN"
</code>

===== Build CA =====

<code bash>
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/clean-all' && ~/'openvpn-ca/build-ca'
</code>

===== Build Key Server =====

  * ''server's hostname'' should be ''realmofespionage.xyz'' or ''realmofespionage.ddns.net''
  * No ''challenge password''
  * No ''optional company name''
  * Yes ''Sign the certificate''
  * Yes ''commit''

<code bash>
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/build-key-server' 'RoE | VPN'
</code>

===== Build Diffie-Hellman Keys =====

<code bash>
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/build-dh'
</code>

===== Generate HMAC Signature =====

<code bash>
openvpn --genkey --secret ~/'openvpn-ca/keys/ta.key'
</code>

===== Generate Client Keys =====

  * ''x'' is the hostname for a client
  * No ''challenge password''
  * No ''optional company name''
  * Yes ''Sign the certificate''
  * Yes ''commit''

<code bash>
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/build-key' 'x'
</code>

===== Copy Keys to OpenVPN =====

  * ''ca.key'' is only needed to sign certificates and is not referenced by ''server.conf''; it can stay in ''~/openvpn-ca/keys'' with restricted permissions

<code bash>
sudo cp ~/'openvpn-ca/keys/ca.crt' ~/'openvpn-ca/keys/ca.key' ~/'openvpn-ca/keys/RoE.crt' ~/'openvpn-ca/keys/RoE.key' ~/'openvpn-ca/keys/ta.key' ~/'openvpn-ca/keys/dh2048.pem' '/etc/openvpn'
</code>

====== OpenVPN ======

===== Settings =====

==== Default Config ====

<code bash>
gunzip -c '/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz' | sudo tee '/etc/openvpn/server.conf' > '/dev/null'
</code>

==== Custom Config ====

  * Complete as of 2018/04/08

<code bash>
sudo -e '/etc/openvpn/server.conf'
</code>

<code>
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/RoE.crt
key /etc/openvpn/RoE.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA512
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 0
</code>

===== OpenVPN User =====

<code bash>
sudo adduser --system --shell '/usr/sbin/nologin' --no-create-home 'openvpn'
</code>

====== Client Profiles ======

===== Base =====

<code bash>
mkdir -p ~/'openvpn-clients' && nano ~/'openvpn-clients/base.conf'
</code>

<code>
client
dev tun
proto udp
remote realmofespionage.xyz 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
comp-lzo
verb 0
</code>

===== Client-specific =====

  * Be sure to [[#generate_client_keys | generate client keys]]

==== Izaro ====

  * Imports ''base.conf'' and appends the inline ''<ca>'', ''<cert>'', ''<key>'', and ''<tls-auth>'' sections to ''Izaro.ovpn''

<code bash>
cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Izaro.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Izaro.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Izaro.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>\n" | tee --append ~/'openvpn-clients/Izaro.ovpn' > '/dev/null'
</code>

=== scp ===

<code bash>
scp espionage724@192.168.1.155:~/'openvpn-clients/Izaro.ovpn' ~/'Downloads'
</code>

==== Spinesnap ====

  * Imports ''base.conf'' and appends the inline ''<ca>'', ''<cert>'', ''<key>'', and ''<tls-auth>'' sections to ''Spinesnap.ovpn''

<code bash>
cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Spinesnap.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Spinesnap.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>\n" | tee --append ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null'
</code>

=== scp ===

<code bash>
scp espionage724@192.168.1.155:~/'openvpn-clients/Spinesnap.ovpn' ~/'Downloads'
</code>
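The Izaro and Spinesnap one-liners above repeat the same assembly by hand. As an added example (not code from the original page), the script below generalises them into a ''make_profile'' function that builds the inline profile for any client name, makes sure every closing tag lands on its own line even when a key file lacks a trailing newline, creates the ''.ovpn'' closed to other users because it carries the private key, and checks that each inline section appears exactly once alongside ''key-direction 1''. The function names, the temporary directory and the placeholder files in the demo are assumptions and constructed, not real key material.

```shell
#!/usr/bin/env bash
# Assemble an inline OpenVPN client profile from base.conf plus the client's
# CA cert, cert, key and the shared ta.key, then sanity-check the result.
set -euo pipefail

# Print a file and guarantee it ends with a newline, so the closing tag that
# follows is not glued onto the last line of a file lacking a final newline.
emit_file() {
  cat "$1"
  [ -z "$(tail -c1 "$1")" ] || echo
}

# make_profile NAME BASE_CONF KEYS_DIR OUT_FILE
make_profile() {
  local name=$1 base=$2 keys=$3 out=$4 f
  for f in "$base" "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$keys/ta.key"; do
    [ -r "$f" ] || { echo "make_profile: missing or unreadable: $f" >&2; return 1; }
  done
  # Create the output closed to other users before any key material is written.
  (umask 077 && : > "$out")
  {
    cat "$base"
    printf '\n<ca>\n';     emit_file "$keys/ca.crt";    printf '</ca>\n'
    printf '<cert>\n';     emit_file "$keys/$name.crt"; printf '</cert>\n'
    printf '<key>\n';      emit_file "$keys/$name.key"; printf '</key>\n'
    printf '<tls-auth>\n'; emit_file "$keys/ta.key";    printf '</tls-auth>\n'
  } >> "$out"
  chmod 600 "$out"
}

# check_profile OUT_FILE: each inline section opened and closed exactly once,
# and key-direction 1 present so the inline tls-auth block is used client-side.
check_profile() {
  local out=$1 tag
  for tag in ca cert key tls-auth; do
    [ "$(grep -c "^<$tag>\$" "$out")" -eq 1 ] || return 1
    [ "$(grep -c "^</$tag>\$" "$out")" -eq 1 ] || return 1
  done
  grep -q '^key-direction 1$' "$out"
}

# Demo with constructed placeholder files (no real keys) in a temporary dir.
demo_dir=$(mktemp -d)
printf 'client\nremote vpn.example 1194\nkey-direction 1\n' > "$demo_dir/base.conf"
for f in ca.crt Izaro.crt Izaro.key ta.key; do
  printf 'constructed contents of %s' "$f" > "$demo_dir/$f"   # no trailing newline
done
make_profile Izaro "$demo_dir/base.conf" "$demo_dir" "$demo_dir/Izaro.ovpn"
check_profile "$demo_dir/Izaro.ovpn" && echo "Izaro.ovpn OK"
```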