openvpn [2021/11/03 03:00] – created vissie
openvpn [2021/11/10 03:39] (current) – [Here is my steps] vissie
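--- a/openvpn
+++ b/openvpn
@@ -6,6 +6,201 @@
 ==== This was my starting point: ====
 
-https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
+https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-10
 
+====Here is my steps====
+===Step 1 — Installing OpenVPN and EasyRSA===
+  sudo apt install openvpn
+  wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
+  aunpack ./EasyRSA-3.0.8.tgz
+===Step 2 — Configuring the EasyRSA Variables and Building the CA===
+  cd ./EasyRSA-3.0.8/
+  cp vars.example vars
+  vim ./vars
+  
+  Uncomment these lines and update the highlighted values to whatever you’d prefer, but do not leave them blank:
+  . . .
+
+  set_var EASYRSA_REQ_COUNTRY    "US"
+  set_var EASYRSA_REQ_PROVINCE   "NewYork"
+  set_var EASYRSA_REQ_CITY       "New York City"
+  set_var EASYRSA_REQ_ORG        "DigitalOcean"
+  set_var EASYRSA_REQ_EMAIL      "admin@example.com"
+  set_var EASYRSA_REQ_OU         "Community"
+===Step 3 — Creating the Server Certificate, Key, and Encryption Files===
+  ./easyrsa init-pki
+  "... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
+  ./easyrsa build-ca
+  "Pick a password"
+  "name the server"
+  "... Your new CA certificate file for publishing is at:
+  /home/vissie/EasyRSA-3.0.8/pki/ca.crt
+  cp ./pki/ca.crt /etc/openvpn/
+  ./easyrsa gen-req server nopass
+  sudo cp ./pki/private/server.key /etc/openvpn/
+  ./easyrsa sign-req server server
+  sudo cp ./pki/issued/server.crt /etc/openvpn/
+  sudo cp ./pki/ca.crt /etc/openvpn/
+  ./easyrsa gen-dh
+  sudo openvpn --genkey --secret ta.key
+  sudo cp ./ta.key /etc/openvpn/
+  sudo cp ./pki/dh.pem /etc/openvpn/
+===Step 4 — Generating a Client Certificate and Key Pair===
+  cd ~
+  mkdir -p ~/client-configs/keys
+  chmod -R 700 ~/client-configs
+  cd ~/EasyRSA-3.0.8/
+  ./easyrsa gen-req vissie nopass
+  cp ./pki/private/vissie.key ~/client-configs/keys/
+  ./easyrsa sign-req client vissie
+  'Yes'
+  'Password'
+  cp ./pki/issued/vissie.crt ~/client-configs/keys/
+  sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/
+  sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
+===Step 5 — Configuring the OpenVPN Service===
+  sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
+  sudo gzip -d /etc/openvpn/server.conf.gz
+  sudo vim /etc/openvpn/server.conf
+  ...
+  tls-auth ta.key 0 # This file is secret
+  cipher AES-256-CBC
+  # Below this, add an auth directive
+  auth SHA256
+  #If necessary, change the file name by removing the 2048 so it aligns with the key you generated in the previous step:
+  dh dh.pem
+  user nobody
+  group nogroup
+  #Find the redirect-gateway
+  push "redirect-gateway def1 bypass-dhcp"
+  #Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them:
+  push "dhcp-option DNS 208.67.222.222"
+  push "dhcp-option DNS 208.67.220.220"
+  # Optional!
+  port 11
+  # Optional!
+  proto tcp
+  #If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0
+  explicit-exit-notify 0
+  ...
+===Step 6 — Adjusting the Server Networking Configuration===
+  sudo vim /etc/sysctl.conf
+  ...
+  net.ipv4.ip_forward=1
+  ...
+  sudo sysctl -p
+  ip route | grep default
+  #Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0:
+  #Output
+  #default via 203.0.113.1 dev eth0 proto static
+  
+  sudo apt install ufw
+  sudo vim /etc/ufw/before.rules
+  
+  # UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded. 
+  # Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming 
+  # from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:
+
+<sxh bash; gutter: false>
+#
+# rules.before
+#
+# Rules that should be run before the ufw command line added rules. Custom
+# rules should be added to one of these chains:
+#   ufw-before-input
+#   ufw-before-output
+#   ufw-before-forward
+#
+
+# START OPENVPN RULES
+# NAT table rules
+*nat
+:POSTROUTING ACCEPT [0:0]
+# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
+-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
+COMMIT
+# END OPENVPN RULES
+
+# Don't delete these required lines, otherwise there will be errors
+*filter
+. . .
+</sxh>  
+  
+  sudo vim /etc/default/ufw
+  ...
+  DEFAULT_FORWARD_POLICY="ACCEPT"
+  ...
+  sudo ufw allow 1194/udp
+  sudo ufw allow OpenSSH
+===Step 7 — Starting and Enabling the OpenVPN Service===
+  sudo systemctl start openvpn@server
+  sudo systemctl status openvpn@server
+  sudo systemctl enable openvpn@server
+===Step 8 — Creating the Client Configuration Infrastructure===
+  mkdir -p ~/client-configs/files
+  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
+  vim ~/client-configs/base.conf
+  ...
+  remote my.server.com 1194
+  proto udp
+  # Downgrade privileges after initialization (non-Windows only)
+  user nobody
+  group nogroup
+  #ca ca.crt
+  #cert client.crt
+  #key client.key
+  #tls-auth ta.key 1
+  cipher AES-256-CBC
+  auth SHA256
+  key-direction 1
+  # Finally, add a few commented out lines. Although you can include these directives in every client configuration file, you only need to enable them for Linux clients 
+  # that ship with an /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
+  # script-security 2
+  # up /etc/openvpn/update-resolv-conf
+  # down /etc/openvpn/update-resolv-conf
+  ...
+  vim ~/client-configs/make_config.sh
+  
+  #!/bin/bash
+
+# First argument: Client identifier
+<sxh bash; gutter: false>
+KEY_DIR=/home/sammy/client-configs/keys
+OUTPUT_DIR=/home/sammy/client-configs/files
+BASE_CONFIG=/home/sammy/client-configs/base.conf
+
+cat ${BASE_CONFIG} \
+    <(echo -e '<ca>') \
+    ${KEY_DIR}/ca.crt \
+    <(echo -e '</ca>\n<cert>') \
+    ${KEY_DIR}/${1}.crt \
+    <(echo -e '</cert>\n<key>') \
+    ${KEY_DIR}/${1}.key \
+    <(echo -e '</key>\n<tls-auth>') \
+    ${KEY_DIR}/ta.key \
+    <(echo -e '</tls-auth>') \
+    > ${OUTPUT_DIR}/${1}.ovpn
+</sxh>
+  chmod 700 ~/client-configs/make_config.sh
+===Step 9 — Generating Client Configurations===  
+  cd ~/client-configs
+  sudo ./make_config.sh vissie
+  ls ~/client-configs/files
+===Step 10 — Installing the Client Configuration===
+  sudo apt install openvpn
+  # Check to see if your distribution includes an /etc/openvpn/update-resolv-conf script:
+  ls /etc/openvpn
+  update-resolv-conf
+  #Next, edit the OpenVPN client configuration file you transfered:
+  vim client1.ovpn
+<sxh bash; gutter: false>
+...
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+...
+</sxh>  
+  
+
+  
 ==== Here is my notes: ====
 Use dig command for determining my public IP address: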
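Review bot: The make_config.sh listing in Step 8 still hard-codes KEY_DIR, OUTPUT_DIR and BASE_CONFIG under /home/sammy/client-configs, the tutorial's example user, while every other path on this page lives under /home/vissie (see the PKI directory printed in Step 3), so `sudo ./make_config.sh vissie` in Step 9 cannot find base.conf or the keys; deriving the three paths from the script's own location removes the copy-paste dependency. The script also runs under sudo with the default umask, so the generated .ovpn, which bundles the client private key and ta.key, is written root-owned and world-readable and is protected only by the 700 mode on ~/client-configs; a `umask 077` at the top plus a `: "${1:?client name required}"` guard and double-quoted `${…}` expansions in the cat invocation close that gap. Separately, the "Optional!" `port 11` / `proto tcp` edits in Step 5 are not carried through: Step 6 opens only `1194/udp` in ufw and the Step 8 base.conf keeps `remote my.server.com 1194` / `proto udp`, so a client built from this page cannot reach a server configured with those optional lines; either drop them or change the ufw rule and base.conf to match. Minor: Step 10 edits `client1.ovpn` whereas Step 9 produces `vissie.ovpn`.
```shell
#!/bin/bash
# First argument: Client identifier
: "${1:?usage: make_config.sh <client-name>}"
umask 077   # the .ovpn bundles the client private key and ta.key

CLIENT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
KEY_DIR="${CLIENT_DIR}/keys"
OUTPUT_DIR="${CLIENT_DIR}/files"
BASE_CONFIG="${CLIENT_DIR}/base.conf"

# … unchanged: cat pipeline, with every ${BASE_CONFIG}/${KEY_DIR}/${OUTPUT_DIR}/${1} expansion double-quoted …
```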