Howto/OpenVPN

From Bask

This is how to install an OpenVPN 2.4.7 server, including a local CA, on Ubuntu 20.04.1 LTS (Focal Fossa).

We will also create client configurations for OpenVPN and OpenWRT.

Assumptions:

  • Login username is "ubuntu".
  • Working material is saved under that user's home directory.
  • Editor used is "vi".
  • OpenVPN Server's CommonName will be ov-server.
  • Use OpenVPN's "tls-crypt" functionality.
  • The default route interface is "eth0".
  • Use Layer 3 routing (tun interface and separate IP addresses).
  • IP address range for clients is 10.88.0.0/16.
  • Use NAT.

Good references:

  • https://openvpn.net/
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-ubuntu-20-04


Install needed packages:

sudo apt update
sudo apt install openvpn easy-rsa


Bootstrap Easy-RSA

mkdir ~/easy-rsa

cp -a /usr/share/easy-rsa/* ~/easy-rsa/

Creating PKI structure including local CA

sudo chown ubuntu ~/easy-rsa
chmod 700 ~/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki

vi vars

set_var EASYRSA_REQ_COUNTRY  "SE"
set_var EASYRSA_REQ_PROVINCE "VG"
set_var EASYRSA_REQ_CITY     "Trollhattan"
set_var EASYRSA_REQ_ORG      "Bask"
set_var EASYRSA_REQ_EMAIL    "admin@bask.se"
set_var EASYRSA_REQ_OU       "OPS"
set_var EASYRSA_ALGO         "ec"
set_var EASYRSA_DIGEST       "sha512"

Create the CA certificate without a password. Remove "nopass" if you would like to enter a password each time the CA key is used.

./easyrsa build-ca nopass


sudo cp pki/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Creating OpenVPN Server Certificate and Private Key

./easyrsa gen-req ov-server nopass

./easyrsa sign-req server ov-server

sudo cp pki/private/ov-server.key /etc/openvpn/server/
sudo cp pki/issued/ov-server.crt /etc/openvpn/server/
sudo cp pki/ca.crt /etc/openvpn/server/

openvpn --genkey --secret ta.key
sudo cp ta.key /etc/openvpn/server

mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cp ~/easy-rsa/ta.key ~/client-configs/keys/

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

cp pki/private/client1.key ~/client-configs/keys/
cp pki/issued/client1.crt ~/client-configs/keys/
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
sudo chown ubuntu ~/client-configs/keys/*

Configure OpenVPN

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
sudo gunzip /etc/openvpn/server/server.conf.gz

sudo vi /etc/openvpn/server/server.conf

Set the following directives. The sample config already contains server, tls-auth, dh, cipher, cert and key lines (and commented-out user, group and push lines); change those rather than adding a second copy, since tls-auth and tls-crypt cannot both be set:

# client address range from the assumptions above (the sample uses 10.8.0.0/24)
server 10.88.0.0 255.255.0.0
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cert ov-server.crt
key ov-server.key

sudo nano /etc/sysctl.conf

Uncomment (or add):

net.ipv4.ip_forward = 1

sudo sysctl -p

sudo nano /etc/ufw/before.rules

Add this block as its own section before the existing *filter section:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.88.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

sudo nano /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT" (change from DROP)

Update the firewall to allow UDP port 1194:

sudo ufw allow 1194/udp

sudo ufw disable
sudo ufw enable

sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service
sudo systemctl status openvpn-server@server.service

mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

nano ~/client-configs/base.conf

Uncomment user and group:

user nobody
group nogroup

Comment out the file-based ca, cert, key and tls-auth lines. The make_config.sh script below inlines the CA, certificate, key and tls-crypt key into the .ovpn file, and OpenVPN refuses a profile that sets both tls-auth and tls-crypt:

;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1

Add the same cipher and auth as on the server:

cipher AES-256-GCM
auth SHA256

key-direction 1

DNS handling for Linux clients (optional). Enable only the pair that matches the client's resolver: update-resolv-conf for resolvconf, update-systemd-resolved for systemd-resolved. Leave the other pair commented out:

;script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf

;script-security 2
;up /etc/openvpn/update-systemd-resolved
;down /etc/openvpn/update-systemd-resolved
;down-pre
;dhcp-option DOMAIN-ROUTE .

nano ~/client-configs/make_config.sh

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA, client cert, client key and
# tls-crypt key wrapped in inline <tag> blocks, producing a single .ovpn file.
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-crypt>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-crypt>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

chmod 700 ~/client-configs/make_config.sh

cd ~/client-configs
./make_config.sh client1
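Before handing a generated .ovpn file to a user, it helps to check it for the two mistakes that are easy to make in base.conf: a leftover tls-auth line next to the inlined tls-crypt key (OpenVPN rejects that combination), and a ca/cert/key file reference that is also given as an inline block. The checker below is an added example, not part of the original page or of OpenVPN; the sample profile, the hostname vpn.example.org and the placeholder PEM bodies are constructed for the test.

```python
import re
TAG = re.compile(r"^<(/?)([a-z-]+)>$")           # matches <ca>, </ca>, <tls-crypt>, ...

def parse_profile(text):
    """Split a profile into plain directives (name -> args list) and <tag> inline blocks."""
    directives, inline, block, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = TAG.match(line)
        if block:                                  # inside an inline block
            if m and m.group(1) == "/" and m.group(2) == block:
                inline[block], block, body = "\n".join(body), None, []
            else:
                body.append(line)
        elif m and not m.group(1):                 # opening tag
            block = m.group(2)
        elif line and line[0] not in "#;":         # skip blanks and comments
            name, *args = line.split()
            directives.setdefault(name, []).append(" ".join(args))
    if block:
        raise ValueError(f"unterminated <{block}> block")
    return directives, inline

def check_profile(text, cipher="AES-256-GCM", auth="SHA256"):
    """Return the problems found; an empty list means the profile is consistent."""
    d, inline = parse_profile(text)
    present = lambda name: name in d or name in inline   # given as file or inline
    problems = []
    if present("tls-auth") and present("tls-crypt"):     # OpenVPN rejects this pair
        problems.append("tls-auth and tls-crypt are mutually exclusive")
    if not present("tls-crypt"):
        problems.append("no tls-crypt key, control channel is unwrapped")
    for name in ("ca", "cert", "key"):
        if not present(name):
            problems.append(f"missing {name}")
        elif name in d and name in inline:
            problems.append(f"{name} given both as a file and inline")
    if d.get("cipher", [""])[-1] != cipher:
        problems.append(f"cipher is not {cipher}")
    if d.get("auth", [""])[-1] != auth:
        problems.append(f"auth is not {auth}")
    return problems

# Constructed sample: a base.conf that kept its ca and tls-auth lines, followed by
# the inline blocks make_config.sh appends (PEM bodies replaced by placeholders).
SAMPLE = "\n".join(["client", "remote vpn.example.org 1194", "ca ca.crt",
    "tls-auth ta.key 1", "cipher AES-256-GCM", "auth SHA256",
    "<ca>", "PLACEHOLDER-PEM", "</ca>", "<cert>", "PLACEHOLDER-PEM", "</cert>",
    "<key>", "PLACEHOLDER-PEM", "</key>", "<tls-crypt>", "PLACEHOLDER-KEY", "</tls-crypt>"])
```

Run it against ~/client-configs/files/client1.ovpn with `check_profile(open(path).read())`; an empty list means the profile is consistent with the server settings used on this page.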