Differences

This shows you the differences between two versions of the page.

--- servers:openvpn [2018/04/08 03:59] – Sean Rhone
+++ servers:openvpn [2018/04/29 16:47] (current) – [Custom Config] Sean Rhone
@@ Line 1: / Line 1: @@
+====== Information ======
+  * OpenVPN ((https://openvpn.net))
+  * [[Information:Realm of Espionage]]
+  * vpn.realmofespionage.xyz ((OpenVPN))
+===== Prerequisites =====
+  * [[distros:ubuntu_server | Ubuntu Server]]
+====== Dependencies ======
+****
+  sudo apt install openvpn easy-rsa
+====== Firewall ======
+===== Kernel Parameter =====
+  /etc/sysctl.d/99-custom.conf
+  net.ipv4.ip_forward = 1
+===== ufw =====
+==== Forward Policy ====
+  * Change ''DEFAULT_FORWARD_POLICY'' from ''DENY'' to ''ACCEPT''
+  sudo -e '/etc/default/ufw'
+  #DEFAULT_FORWARD_POLICY="DROP"
+  DEFAULT_FORWARD_POLICY="ACCEPT"
+==== Masquerade Rule ====
+  * https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
+  * ''10.8.0.0/24'' is the default coming from the ''server'' setting in OpenVPN's ''server.conf''
+  * ''enp3s0'' can change
+  sudo -e '/etc/ufw/before.rules'
+<code>
+# Rule for OpenVPN
+# Adapted from https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
+*nat
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE
+COMMIT</code>
+==== OpenVPN Server Rule ====
+  * 1194/udp is for OpenVPN clients to connect to the server
+  sudo -e '/etc/ufw/applications.d/custom' && sudo ufw allow 'openvpn-custom'
+<code>
+[openvpn-custom]
+title=openvpn-custom
+description=OpenVPN Server
+ports=1194/udp</code>
+====== Certificate Authority ======
+===== Settings =====
+  * Remove existing settings and copy/paste this block in place of it
+  * Be sure to finish the email at ''KEY_EMAIL''
+  cd ~ && rm -Rf ~/'openvpn-ca' && make-cadir ~/'openvpn-ca' && nano ~/'openvpn-ca/vars'
+<code>
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="PA"
+export KEY_CITY="Charleroi"
+export KEY_ORG="Realm of Espionage"
+export KEY_EMAIL="espionage724@x"
+export KEY_OU="VPN"
+export KEY_CN="realmofespionage.xyz"
+#export KEY_CN="realmofespionage.ddns.net"
+# X509 Subject Field
+export KEY_NAME="RoE | VPN"
+export KEY_ALTNAMES="RoE VPN"</code>
+===== Build CA =====
+****
+  cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/clean-all' && ~/'openvpn-ca/build-ca'
+===== Build Key Server =====
+  * ''server's hostname'' should be ''realmofespionage.xyz'' or ''realmofespionage.ddns.net''
+  * No ''challenge password''
+  * No ''optional company name''
+  * Yes ''Sign the certificate''
+  * Yes ''commit''
+  cd ~/'openvpn-ca' && ~/'openvpn-ca/build-key-server' 'RoE | VPN'
+===== Build Diffie-Hellman Keys =====
+****
+  cd ~/'openvpn-ca' && ~/'openvpn-ca/build-dh'
+===== Generate HMAC Signature =====
+****
+  openvpn --genkey --secret ~/'openvpn-ca/keys/ta.key'
+===== Generate Client Keys =====
+  * ''x'' is the hostname for a client
+  * No ''challenge password''
+  * No ''optional company name''
+  * Yes ''Sign the certificate''
+  * Yes ''commit''
+  cd ~/'openvpn-ca' && source ~/'openvpn-ca/vars' && ~/'openvpn-ca/build-key' 'x'
+===== Copy Keys to OpenVPN =====
+****
+  sudo cp ~/'openvpn-ca/keys/ca.crt' ~/'openvpn-ca/keys/ca.key' ~/'openvpn-ca/keys/RoE.crt' ~/'openvpn-ca/keys/RoE.key' ~/'openvpn-ca/keys/ta.key' ~/'openvpn-ca/keys/dh2048.pem' '/etc/openvpn'
+====== OpenVPN ======
+===== Settings =====
+==== Default Config ====
+****
+  gunzip -c '/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz' | sudo tee '/etc/openvpn/server.conf' > '/dev/null'
+==== Custom Config ====
+  * Complete as of 2018/04/08
+  sudo -e '/etc/openvpn/server.conf'
+<code>
+port 1194
+proto udp
+dev tun
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/RoE.crt
+key /etc/openvpn/RoE.key
+dh /etc/openvpn/dh2048.pem
+server 10.8.0.0 255.255.255.0
+client-to-client
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 1.0.0.1"
+keepalive 10 120
+tls-auth /etc/openvpn/ta.key 0
+key-direction 0
+cipher AES-256-CBC
+auth SHA512
+comp-lzo
+user nobody
+group nogroup
+persist-key
+persist-tun
+status /etc/openvpn/openvpn-status.log
+verb 0</code>
+===== OpenVPN User =====
+****
+  sudo adduser --system --shell '/usr/sbin/nologin' --no-create-home 'openvpn'
+====== Client Profiles ======
+===== Base =====
+  mkdir -p ~/'openvpn-clients' && nano ~/'openvpn-clients/base.conf'
+<code>
+client
+dev tun
+proto udp
+remote realmofespionage.xyz 1194
+resolv-retry infinite
+nobind
+user nobody
+group nogroup
+persist-key
+persist-tun
+remote-cert-tls server
+cipher AES-256-CBC
+auth SHA512
+key-direction 1
+comp-lzo
+verb 0</code>
+===== Client-specific =====
+  * Be sure to [[#generate_client_keys | generate client keys]]
+==== Izaro ====
+  * Imports ''base.conf'' and adds ''<ca>'', ''<cert>'', ''<key>'', and ''<tls-auth>'' sections to ''Izaro.ovpn''
+  cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Izaro.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Izaro.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Izaro.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>" | tee --append ~/'openvpn-clients/Izaro.ovpn' > '/dev/null'
+=== scp ===
+****
+  scp espionage724@192.168.1.155:~/'openvpn-clients/Izaro.ovpn' ~/'Downloads'
+==== Spinesnap ====
+  * Imports ''base.conf'' and adds ''<ca>'', ''<cert>'', ''<key>'', and ''<tls-auth>'' sections to ''Spinesnap.ovpn''
+  cat ~/'openvpn-clients/base.conf' | tee ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null' && echo -e "\n<ca>\n$(cat ~/'openvpn-ca/keys/ca.crt')\n</ca>\n<cert>\n$(cat ~/'openvpn-ca/keys/Spinesnap.crt')\n</cert>\n<key>\n$(cat ~/'openvpn-ca/keys/Spinesnap.key')\n</key>\n<tls-auth>\n$(cat ~/'openvpn-ca/keys/ta.key')\n</tls-auth>" | tee --append ~/'openvpn-clients/Spinesnap.ovpn' > '/dev/null'
+=== scp ===
+****
+  scp espionage724@192.168.1.155:~/'openvpn-clients/Spinesnap.ovpn' ~/'Downloads'