servers:linux:openvpn

Information

Prerequisites

Dependencies

# Pull in the server plus the easy-rsa CA tooling. The build-ca / build-key
# steps further down use the easy-rsa 2.x script layout (make-cadir, vars,
# clean-all); easy-rsa 3 has a different command set.
sudo apt install easy-rsa openvpn

Firewall

Kernel Parameter

/etc/sysctl.d/99-custom.conf
# Let the kernel route packets between the VPN tunnel interface and the
# outbound interface; without it the MASQUERADE rule below never sees traffic.
# Apply without rebooting: sudo sysctl --system
net.ipv4.ip_forward = 1

ufw

Forward Policy

  • Change DEFAULT_FORWARD_POLICY from DROP (the shipped value — not DENY) to ACCEPT so ufw forwards VPN client traffic. Be aware this opens forwarding between all interfaces, not only the tunnel and enp3s0.
sudo -e '/etc/default/ufw'
#DEFAULT_FORWARD_POLICY="DROP"
# ACCEPT sets the FORWARD chain policy to accept, i.e. forwarding is allowed
# between every interface pair, not just tun <-> enp3s0.
# NOTE(review): tighter alternative on ufw 0.34+ — keep DROP and permit only
# the VPN path (the interface `dev tun` creates is normally tun0):
#   sudo ufw route allow in on tun0 out on enp3s0
DEFAULT_FORWARD_POLICY="ACCEPT"

Masquerade Rule

  • 10.8.0.0/24 is the default coming from the server setting in OpenVPN's server.conf
  • enp3s0 is the server's outbound (internet-facing) interface; replace it with yours (`ip route show default` prints it)
sudo -e '/etc/ufw/before.rules'
# Rule for OpenVPN
# Adapted from https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
# NAT VPN client traffic (10.8.0.0/24 — the "server" line in server.conf) behind
# the host's own address on its outbound interface. Put this block near the top
# of before.rules, before the existing *filter section, then `sudo ufw reload`.
*nat
:POSTROUTING ACCEPT [0:0]
# -o enp3s0 must be the interface carrying the default route; only traffic
# sourced from the VPN subnet is masqueraded.
-A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
COMMIT

OpenVPN Server Rule

  • 1194/udp is for OpenVPN clients to connect to the server
sudo -e '/etc/ufw/applications.d/custom' && sudo ufw allow 'openvpn-custom'
[openvpn-custom]
title=openvpn-custom
description=OpenVPN Server
# `ufw allow openvpn-custom` opens 1194/udp from any source. Only the tunnel
# endpoint is exposed, but if clients always come from known ranges prefer:
#   sudo ufw allow from <cidr> to any app openvpn-custom
ports=1194/udp

Certificate Authority

Settings

  • Remove existing settings and copy/paste this block in place of it
  • Replace the placeholder address in KEY_EMAIL (`espionage724@x`) with a real one before building the CA — it is baked into every certificate subject
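# Create a fresh easy-rsa working directory and open its vars file for editing.
# An existing ~/openvpn-ca holds the CA *private key*: deleting it orphans every
# certificate that CA issued (nothing can be revoked, every client must be
# reissued), so a previous directory is moved aside with a timestamp rather
# than rm -Rf'd. Remove the .old.* copy yourself once you are sure.
cd ~ && { [ ! -e ~/'openvpn-ca' ] || mv ~/'openvpn-ca' ~/"openvpn-ca.old.$(date +%Y%m%d%H%M%S)"; } && make-cadir ~/'openvpn-ca' && nano ~/'openvpn-ca/vars'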
# easy-rsa 2.x vars: sourced into the shell (`source vars`) before the build-*
# commands and used as the X.509 subject defaults for every certificate.
export KEY_COUNTRY="US"
export KEY_PROVINCE="PA"
export KEY_CITY="Charleroi"
export KEY_ORG="Realm of Espionage"
# Placeholder — "espionage724@x" must be replaced with a real address.
export KEY_EMAIL="espionage724@x"
export KEY_OU="VPN"
# NOTE(review): a fixed KEY_CN is applied as the Common Name default for every
# certificate built with these vars loaded — CA, server and each client. Make
# sure the server and every client end up with *distinct* CNs at the prompt:
# OpenVPN treats two clients presenting the same CN as one session and drops
# the earlier one unless duplicate-cn is set.
export KEY_CN="realmofespionage.xyz"
#export KEY_CN="realmofespionage.ddns.net"

# X509 Subject Field
export KEY_NAME="RoE | VPN"
export KEY_ALTNAMES="RoE VPN"

Build CA

# Initialise the CA: load vars, wipe any previous keys/ directory (clean-all),
# then generate the CA key pair and self-signed certificate (build-ca).
# Run the remaining build-* steps from this same shell so vars stays loaded.
cd ~/'openvpn-ca' && . ./vars && ./clean-all && ./build-ca

Build Key Server

  • At the Common Name prompt enter the server's public hostname (realmofespionage.xyz or realmofespionage.ddns.net). Note that the client profiles below verify the server with `remote-cert-tls server`, which checks the certificate's TLS-server key usage, not the hostname; pin the name with `verify-x509-name` if that matters
  • No challenge password
  • No optional company name
  • Yes Sign the certificate
  • Yes commit
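# Generate the server key pair and sign it with the CA. The argument is the
# output *file base name* (keys/<name>.crt and keys/<name>.key), not the CN —
# the CN is asked for interactively. The copy step and server.conf below expect
# keys/RoE.crt and keys/RoE.key, so pass exactly 'RoE'. The earlier
# 'RoE | VPN' form most likely only worked because easy-rsa's wrapper passes
# its arguments unquoted, so the name was split and the first word used.
# vars is sourced here too so this step does not depend on shell history.
cd ~/'openvpn-ca' && . ./vars && ./build-key-server 'RoE'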

Build Diffie-Hellman Keys

# Diffie-Hellman parameters for the TLS handshake. The file is named
# keys/dh<KEY_SIZE>.pem from vars (the copy step expects dh2048.pem), so vars
# must be loaded in this shell. Expect this to take several minutes.
cd ~/'openvpn-ca' && ./build-dh

Generate HMAC Signature

# Pre-shared HMAC key for tls-auth. server.conf uses it with key-direction 0
# and every client profile embeds it with key-direction 1, so control packets
# not signed with it are dropped before the TLS handshake even starts.
openvpn --genkey --secret "$HOME/openvpn-ca/keys/ta.key"

Generate Client Keys

  • Replace x with the client's name; it becomes the certificate file name (keys/x.crt, keys/x.key) and is the name the profile steps below use (Izaro, Spinesnap)
  • No challenge password
  • No optional company name
  • Yes Sign the certificate
  • Yes commit
# Client certificate and private key, signed by the CA: 'x' becomes keys/x.crt
# and keys/x.key. NOTE(review): this generates the client's private key on the
# server; if the key must never leave the client device, generate it there and
# sign a CSR instead.
cd ~/'openvpn-ca' && . ./vars && ./build-key 'x'

Copy Keys to OpenVPN

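# Install only what the running server needs, with explicit ownership and modes
# (cp left the modes to the source files and umask). ca.key is deliberately NOT
# copied: server.conf never references it, and a CA private key on the
# internet-facing host is the one secret that lets an attacker mint valid
# client certificates. Keep it (and the whole ~/openvpn-ca directory) off this
# box if at all possible.
sudo install -o root -g root -m 0644 ~/'openvpn-ca/keys/ca.crt' ~/'openvpn-ca/keys/RoE.crt' ~/'openvpn-ca/keys/dh2048.pem' '/etc/openvpn/' && sudo install -o root -g root -m 0600 ~/'openvpn-ca/keys/RoE.key' ~/'openvpn-ca/keys/ta.key' '/etc/openvpn/'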

OpenVPN

Settings

Default Config

# Start from the packaged sample server.conf (shipped gzipped) so the custom
# settings below overlay a known-good baseline.
zcat '/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz' | sudo tee '/etc/openvpn/server.conf' > '/dev/null'

Custom Config

  • Complete as of 2018/04/08
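sudo -e '/etc/openvpn/server.conf'
# Listener: 1194/udp matches the ufw application profile above.
port 1194
proto udp
dev tun

# Server identity. Only the server's own key belongs here; ca.key is not
# needed to run the server and should not be installed on this host.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/RoE.crt
key /etc/openvpn/RoE.key
dh /etc/openvpn/dh2048.pem

# Revocation: without crl-verify a lost or stolen client profile stays valid
# until its certificate expires. Once easy-rsa's revoke-full has produced
# keys/crl.pem, copy it to /etc/openvpn and enable this line.
#crl-verify /etc/openvpn/crl.pem

# Client address pool; must match the -s 10.8.0.0/24 MASQUERADE rule in
# ufw's before.rules.
server 10.8.0.0 255.255.255.0

# Lets VPN clients reach each other directly. Remove it if clients only need
# the internet/LAN, so a compromised client cannot move laterally to the others.
client-to-client

# Full tunnel: all client traffic and DNS go through the VPN.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

keepalive 10 120

# HMAC-authenticate control packets before TLS; server is direction 0, clients
# use 1. (OpenVPN 2.4+ also offers tls-crypt, which encrypts the control
# channel as well — switching requires updating every client profile at once.)
tls-auth /etc/openvpn/ta.key 0
key-direction 0

# Refuse pre-1.2 TLS on the control channel. Any reasonably current client
# (OpenVPN 2.3.3+) supports this; drop the line only if an older one must connect.
tls-version-min 1.2

# Data channel: AES-256-CBC with SHA512 HMAC. Between 2.4+ peers, cipher
# negotiation normally upgrades this to AES-256-GCM automatically. Changing
# the cipher here requires the matching change in base.conf.
cipher AES-256-CBC
auth SHA512

# NOTE(review): compression inside a TLS tunnel is exploitable (VORACLE-style
# chosen-plaintext attacks) and discouraged upstream. Prefer removing it — but
# server.conf and base.conf must drop comp-lzo together, or clients fail with
# LZO decompression errors.
comp-lzo

# Drop root after start-up. persist-* keep the key and tun device across
# SIGUSR1 restarts, since the unprivileged process could not re-open them.
user nobody
group nogroup

persist-key
persist-tun

# Connection table — useful when checking who is currently connected.
status /etc/openvpn/openvpn-status.log

# verb 0 logged nothing at all, leaving no record for incident response.
# 3 (the sample config's value) records connects, disconnects and auth
# failures without per-packet output.
verb 3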

OpenVPN User

# Dedicated unprivileged account for the daemon. --system without --group places
# it in group nogroup. NOTE(review): server.conf above drops privileges to
# nobody/nogroup and never references this account, so as written it is unused;
# to actually use it, set `user openvpn` (with `group nogroup`) in server.conf.
# A dedicated account is preferable to the shared nobody user.
sudo adduser --system --shell '/usr/sbin/nologin' --no-create-home 'openvpn'

Client Profiles

Base

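mkdir -p ~/'openvpn-clients' && nano ~/'openvpn-clients/base.conf'
client

dev tun

proto udp

# Server endpoint; the port must match server.conf and the ufw profile.
remote realmofespionage.xyz 1194

resolv-retry infinite

nobind

# Drop privileges after start-up (not supported on Windows clients).
# persist-* keep the key and tun device across restarts, since the
# unprivileged process could not re-open them.
user nobody
group nogroup

persist-key
persist-tun

# Require the server certificate to carry the TLS-server key usage, so a
# stolen *client* certificate cannot impersonate the server. This does not
# check the hostname; add `verify-x509-name <server CN> name` to pin it.
remote-cert-tls server

# Refuse pre-1.2 TLS; mirrors the server side.
tls-version-min 1.2

# Must mirror server.conf exactly. key-direction 1 is the client end of tls-auth.
cipher AES-256-CBC
auth SHA512
key-direction 1

# NOTE(review): compression is exploitable (VORACLE-style attacks) and
# discouraged upstream; remove it here and in server.conf at the same time,
# never on one side only.
comp-lzo

# verb 0 suppressed everything; 3 logs connects, disconnects and auth failures.
verb 3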

Client-specific

Izaro

  • Imports base.conf and adds <ca>, <cert>, <key>, and <tls-auth> sections to Izaro.ovpn
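# Build Izaro.ovpn = base.conf followed by inline <ca>, <cert>, <key> and
# <tls-auth> blocks. The result carries the client's private key and the
# tls-auth key, so it is created 0600 (umask 077 in a subshell, plus chmod in
# case a previous, world-readable copy already existed) instead of inheriting
# the default umask. printf '%s' is used instead of echo -e so nothing in the
# PEM data is ever interpreted as an escape sequence.
( umask 077 && { cat ~/'openvpn-clients/base.conf'; printf '\n<ca>\n%s\n</ca>\n<cert>\n%s\n</cert>\n<key>\n%s\n</key>\n<tls-auth>\n%s\n</tls-auth>\n' "$(cat ~/'openvpn-ca/keys/ca.crt')" "$(cat ~/'openvpn-ca/keys/Izaro.crt')" "$(cat ~/'openvpn-ca/keys/Izaro.key')" "$(cat ~/'openvpn-ca/keys/ta.key')"; } > ~/'openvpn-clients/Izaro.ovpn' && chmod 0600 ~/'openvpn-clients/Izaro.ovpn' )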

scp

# Fetch the finished profile from the server over the LAN (run on the client;
# a bare remote path is relative to the login home). The file contains the
# client's private key: delete the copy left in ~/openvpn-clients on the server
# once it is imported, and the one in ~/Downloads afterwards.
scp 'espionage724@192.168.1.155:openvpn-clients/Izaro.ovpn' ~/'Downloads'

Spinesnap

  • Imports base.conf and adds <ca>, <cert>, <key>, and <tls-auth> sections to Spinesnap.ovpn
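# Build Spinesnap.ovpn = base.conf followed by inline <ca>, <cert>, <key> and
# <tls-auth> blocks. The result carries the client's private key and the
# tls-auth key, so it is created 0600 (umask 077 in a subshell, plus chmod in
# case a previous, world-readable copy already existed) instead of inheriting
# the default umask. printf '%s' is used instead of echo -e so nothing in the
# PEM data is ever interpreted as an escape sequence.
( umask 077 && { cat ~/'openvpn-clients/base.conf'; printf '\n<ca>\n%s\n</ca>\n<cert>\n%s\n</cert>\n<key>\n%s\n</key>\n<tls-auth>\n%s\n</tls-auth>\n' "$(cat ~/'openvpn-ca/keys/ca.crt')" "$(cat ~/'openvpn-ca/keys/Spinesnap.crt')" "$(cat ~/'openvpn-ca/keys/Spinesnap.key')" "$(cat ~/'openvpn-ca/keys/ta.key')"; } > ~/'openvpn-clients/Spinesnap.ovpn' && chmod 0600 ~/'openvpn-clients/Spinesnap.ovpn' )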

scp

# Fetch the finished profile from the server over the LAN (run on the client;
# a bare remote path is relative to the login home). The file contains the
# client's private key: delete the copy left in ~/openvpn-clients on the server
# once it is imported, and the one in ~/Downloads afterwards.
scp 'espionage724@192.168.1.155:openvpn-clients/Spinesnap.ovpn' ~/'Downloads'