servers:linux:openvpn
Table of Contents
Information
Prerequisites
Dependencies
sudo apt install openvpn easy-rsa
Firewall
Kernel Parameter
/etc/sysctl.d/99-custom.conf
net.ipv4.ip_forward = 1
ufw
Forward Policy
- Change
DEFAULT_FORWARD_POLICY
fromDENY
toACCEPT
sudo -e '/etc/default/ufw'
#DEFAULT_FORWARD_POLICY="DROP" DEFAULT_FORWARD_POLICY="ACCEPT"
Masquerade Rule
10.8.0.0/24
is the default coming from theserver
setting in OpenVPN'sserver.conf
enp3s0
can change
sudo -e '/etc/ufw/before.rules'
# Rule for OpenVPN # Adapted from https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE COMMIT
OpenVPN Server Rule
- 1194/udp is for OpenVPN clients to connect to the server
sudo -e '/etc/ufw/applications.d/custom' && sudo ufw allow 'openvpn-custom'
[openvpn-custom] title=openvpn-custom description=OpenVPN Server ports=1194/udp
Certificate Authority
Settings
- Remove existing settings and copy/paste this block in place of it
- Be sure to finish the email at
KEY_EMAIL
cd ~ && rm -Rf ~/'openvpn-ca' && make-cadir ~/'openvpn-ca' && nano ~/'openvpn-ca/vars'
export KEY_COUNTRY="US" export KEY_PROVINCE="PA" export KEY_CITY="Charleroi" export KEY_ORG="Realm of Espionage" export KEY_EMAIL="espionage724@x" export KEY_OU="VPN" export KEY_CN="realmofespionage.xyz" #export KEY_CN="realmofespionage.ddns.net" # X509 Subject Field export KEY_NAME="RoE | VPN" export KEY_ALTNAMES="RoE VPN"
Build CA
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/clean-all' && ~/'openvpn-ca/build-ca'
Build Key Server
server's hostname
should berealmofespionage.xyz
orrealmofespionage.ddns.net
- No
challenge password
- No
optional company name
- Yes
Sign the certificate
- Yes
commit
cd ~/'openvpn-ca' && ~/'openvpn-ca/build-key-server' 'RoE | VPN'
Build Diffie-Hellman Keys
cd ~/'openvpn-ca' && ~/'openvpn-ca/build-dh'
Generate HMAC Signature
openvpn --genkey --secret ~/'openvpn-ca/keys/ta.key'
Generate Client Keys
x
is the hostname for a client- No
challenge password
- No
optional company name
- Yes
Sign the certificate
- Yes
commit
cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/build-key' 'x'
Copy Keys to OpenVPN
sudo cp ~/'openvpn-ca/keys/ca.crt' ~/'openvpn-ca/keys/ca.key' ~/'openvpn-ca/keys/RoE.crt' ~/'openvpn-ca/keys/RoE.key' ~/'openvpn-ca/keys/ta.key' ~/'openvpn-ca/keys/dh2048.pem' '/etc/openvpn'
OpenVPN
Settings
Default Config
gunzip -c '/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz' | sudo tee '/etc/openvpn/server.conf' > '/dev/null'
Custom Config
- Complete as of 2018/04/08
sudo -e '/etc/openvpn/server.conf'
port 1194 proto udp dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/RoE.crt key /etc/openvpn/RoE.key dh /etc/openvpn/dh2048.pem server 10.8.0.0 255.255.255.0 client-to-client push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 1.1.1.1" push "dhcp-option DNS 1.0.0.1" keepalive 10 120 tls-auth /etc/openvpn/ta.key 0 key-direction 0 cipher AES-256-CBC auth SHA512 comp-lzo user nobody group nogroup persist-key persist-tun status /etc/openvpn/openvpn-status.log verb 0
OpenVPN User
sudo adduser --system --shell '/usr/sbin/nologin' --no-create-home 'openvpn'
Client Profiles
Base
mkdir -p ~/'openvpn-clients' && nano ~/'openvpn-clients/base.conf'
client dev tun proto udp remote realmofespionage.xyz 1194 resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun remote-cert-tls server cipher AES-256-CBC auth SHA512 key-direction 1 comp-lzo verb 0
Client-specific
- Be sure to generate client keys
Izaro
- Imports
base.conf
and adds<ca>
,<cert>
,<key>
, and<tls-auth>
sections toIzaro.ovpn
cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Izaro.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Izaro.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Izaro.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>" | tee --append ~/'openvpn-clients/Izaro.ovpn' > '/dev/null'
scp
scp espionage724@192.168.1.155:~/'openvpn-clients/Izaro.ovpn' ~/'Downloads'
Spinesnap
- Imports
base.conf
and adds<ca>
,<cert>
,<key>
, and<tls-auth>
sections toSpinesnap.ovpn
cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Spinesnap.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Spinesnap.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>" | tee --append ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null'
scp
scp espionage724@192.168.1.155:~/'openvpn-clients/Spinesnap.ovpn' ~/'Downloads'
/usr/local/www/wiki/data/pages/servers/linux/openvpn.txt · Last modified: by 127.0.0.1