Howto/OpenVPN

From Bask

This is how to install OpenVPN 2.4.7 server including a local CA on Ubuntu 20.04.1 LTS (Focal Fossa).

We will also create client configurations for OpenVPN and OpenWRT.

Assumptions:
- Login username is "ubuntu". Working material is saved under that user's home directory.
- Editor used is "vi".
- OpenVPN server's CommonName will be ov-server.
- Use OpenVPN's "tls-crypt" functionality.
- The default route interface is "eth0".
- Use Layer 3 routing (tun interface and separate IP addresses).
- IP address range for clients is 10.88.0.0/16.
- Use NAT.

Good references:
- https://openvpn.net/
- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04
- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-ubuntu-20-04


Install needed packages:

sudo apt update
sudo apt install openvpn easy-rsa


Bootstrap Easy-RSA

mkdir ~/easy-rsa

cp -a /usr/share/easy-rsa/* ~/easy-rsa/

Creating PKI structure including local CA

sudo chown ubuntu ~/easy-rsa
chmod 700 ~/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki

vi vars

set_var EASYRSA_REQ_COUNTRY "SE"
set_var EASYRSA_REQ_PROVINCE "VG"
set_var EASYRSA_REQ_CITY "Trollhattan"
set_var EASYRSA_REQ_ORG "Bask"
set_var EASYRSA_REQ_EMAIL "admin@bask.se"
set_var EASYRSA_REQ_OU "OPS"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

Create the CA certificate without a password. Remove "nopass" if you would like to enter a password for each use.

./easyrsa build-ca nopass


sudo cp pki/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Creating OpenVPN Server Certificate and Private Key

./easyrsa gen-req ov-server nopass

./easyrsa sign-req server ov-server

sudo cp pki/private/ov-server.key /etc/openvpn/server/
sudo cp pki/issued/ov-server.crt /etc/openvpn/server/
sudo cp pki/ca.crt /etc/openvpn/server/

openvpn --genkey --secret ta.key
sudo cp ta.key /etc/openvpn/server

mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cp ~/easy-rsa/ta.key ~/client-configs/keys/

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

cp pki/private/client1.key ~/client-configs/keys/
cp pki/issued/client1.crt ~/client-configs/keys/
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
sudo chown ubuntu ~/client-configs/keys/*

Configure OpenVPN

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
sudo gunzip /etc/openvpn/server/server.conf.gz

sudo vi /etc/openvpn/server/server.conf

Add the following (comment out or replace the sample file's existing cert, key, dh, tls-auth and cipher lines, which conflict with these):

tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cert ov-server.crt
key ov-server.key

sudo nano /etc/sysctl.conf

net.ipv4.ip_forward = 1

sudo sysctl -p

sudo nano /etc/ufw/before.rules

Add the following to the file:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.88.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

sudo nano /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT" (change from DROP)

Update the firewall to allow UDP port 1194:

sudo ufw allow 1194/udp

sudo ufw disable
sudo ufw enable

sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service
sudo systemctl status openvpn-server@server.service

mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

nano ~/client-configs/base.conf

# Set the "remote" line to the server's address, then uncomment:
user nobody
group nogroup

# The CA, certificate, key and ta.key are inlined by make_config.sh below, so
# the file references must be commented out. tls-auth and key-direction are
# replaced by tls-crypt and must not remain (OpenVPN refuses both at once).
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1

cipher AES-256-GCM
auth SHA256

#key-direction 1

# Linux clients with /etc/openvpn/update-resolv-conf: use this block instead
# of the systemd-resolved one below.
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf

# Linux clients using systemd-resolved (Ubuntu 20.04):
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .

nano ~/client-configs/make_config.sh

#!/bin/bash
# First argument: Client identifier

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the inline <ca>, <cert>, <key> and
# <tls-crypt> blocks into a single .ovpn profile (no blank line may
# interrupt the backslash continuations).
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-crypt>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-crypt>') \
    > ${OUTPUT_DIR}/${1}.ovpn

chmod 700 ~/client-configs/make_config.sh

cd ~/client-configs
./make_config.sh client1
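As an added example (not part of this wiki page or of the OpenVPN project), the following Python counterpart of make_config.sh also removes the directives that conflict with an inlined, tls-crypt-based profile (ca/cert/key file references, tls-auth, key-direction) and lints the result; the base config and PEM material are constructed placeholders, and the function and constant names are assumptions.

```python
import re

# Directives that reference external files or belong to tls-auth; OpenVPN
# refuses tls-auth together with tls-crypt, and the files are inlined below.
CONFLICTING = {"ca", "cert", "key", "tls-auth", "key-direction"}
BLOCKS = ("ca", "cert", "key", "tls-crypt")

# Constructed sample base.conf that still carries the conflicting lines.
SAMPLE_BASE = """client
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
key-direction 1
cipher AES-256-GCM
auth SHA256
"""
# Constructed placeholder text standing in for real PEM key material.
SAMPLE_MATERIAL = {t: f"-----BEGIN PLACEHOLDER-----\n{t}-PLACEHOLDER\n-----END PLACEHOLDER-----" for t in BLOCKS}


def directive_names(text):
    """Set of first words of non-empty, non-comment lines."""
    return {ln.split()[0] for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}


def inline_profile(base_conf, material):
    """Drop conflicting file/tls-auth directives, then append the inline blocks."""
    kept = [ln for ln in base_conf.splitlines()
            if not (ln.strip() and ln.split()[0] in CONFLICTING)]
    out = "\n".join(kept).rstrip("\n") + "\n"
    for tag in BLOCKS:
        out += f"<{tag}>\n{material[tag].strip()}\n</{tag}>\n"
    return out


def lint_profile(text):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    names = directive_names(text)
    for tag in BLOCKS:  # each inline block must open and close exactly once
        if any(len(re.findall(rf"^{m}{tag}>$", text, re.M)) != 1 for m in ("<", "</")):
            problems.append(f"inline <{tag}> block missing or duplicated")
    if "<tls-crypt>" in text and names & {"tls-auth", "key-direction"}:
        problems.append("tls-auth/key-direction present alongside tls-crypt")
    if "remote" not in names:
        problems.append("no remote directive")
    return problems
```

Running lint_profile over a profile produced by the shell script above from an unedited base.conf reports the tls-auth conflict, which is the error OpenVPN would otherwise raise at connect time.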