-
-
vpn.realmofespionage.xyz
2)
Prerequisites
Dependencies
sudo apt install openvpn easy-rsa
Firewall
Kernel Parameter
/etc/sysctl.d/99-custom.conf
net.ipv4.ip_forward = 1
ufw
Forward Policy
sudo -e '/etc/default/ufw'
#DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"
Masquerade Rule
sudo -e '/etc/ufw/before.rules'
# Rule for OpenVPN
# Adapted from https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
COMMIT
OpenVPN Server Rule
sudo -e '/etc/ufw/applications.d/custom' && sudo ufw allow 'openvpn-custom'
[openvpn-custom]
title=openvpn-custom
description=OpenVPN Server
ports=1194/udp
Certificate Authority
Settings
cd ~ && rm -Rf ~/'openvpn-ca' && make-cadir ~/'openvpn-ca' && nano ~/'openvpn-ca/vars'
export KEY_COUNTRY="US"
export KEY_PROVINCE="PA"
export KEY_CITY="Charleroi"
export KEY_ORG="Realm of Espionage"
export KEY_EMAIL="espionage724@x"
export KEY_OU="VPN"
export KEY_CN="realmofespionage.xyz"
#export KEY_CN="realmofespionage.ddns.net"
# X509 Subject Field
export KEY_NAME="RoE | VPN"
export KEY_ALTNAMES="RoE VPN"
Build CA
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/clean-all' && ~/'openvpn-ca/build-ca'
Build Key Server
cd ~/'openvpn-ca' && ~/'openvpn-ca/build-key-server' 'RoE | VPN'
Build Diffie-Hellman Keys
cd ~/'openvpn-ca' && ~/'openvpn-ca/build-dh'
Generate HMAC Signature
openvpn --genkey --secret ~/'openvpn-ca/keys/ta.key'
Generate Client Keys
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/build-key' 'x'
Copy Keys to OpenVPN
sudo cp ~/'openvpn-ca/keys/ca.crt' ~/'openvpn-ca/keys/ca.key' ~/'openvpn-ca/keys/RoE.crt' ~/'openvpn-ca/keys/RoE.key' ~/'openvpn-ca/keys/ta.key' ~/'openvpn-ca/keys/dh2048.pem' '/etc/openvpn'
OpenVPN
Settings
Default Config
gunzip -c '/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz' | sudo tee '/etc/openvpn/server.conf' > '/dev/null'
Custom Config
sudo -e '/etc/openvpn/server.conf'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/RoE.crt
key /etc/openvpn/RoE.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA512
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 0
OpenVPN User
sudo adduser --system --shell '/usr/sbin/nologin' --no-create-home 'openvpn'
Client Profiles
Base
mkdir -p ~/'openvpn-clients' && nano ~/'openvpn-clients/base.conf'
client
dev tun
proto udp
remote realmofespionage.xyz 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
comp-lzo
verb 0
Client-specific
Izaro
cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Izaro.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Izaro.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Izaro.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>" | tee --append ~/'openvpn-clients/Izaro.ovpn' > '/dev/null'
scp
scp espionage724@192.168.1.155:~/'openvpn-clients/Izaro.ovpn' ~/'Downloads'
Spinesnap
cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Spinesnap.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Spinesnap.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>" | tee --append ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null'
scp
scp espionage724@192.168.1.155:~/'openvpn-clients/Spinesnap.ovpn' ~/'Downloads'