The World According To Vissie

User Tools

Site Tools

Trace:
openvpn

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
openvpn [2021/11/03 03:31] vissieopenvpn [2021/11/10 03:39] (current) – [Here is my steps] vissie
Line 9: Line 9:
  
 ====Here is my steps==== ====Here is my steps====
 +===Step 1 — Installing OpenVPN and EasyRSA===
   sudo apt install openvpn   sudo apt install openvpn
   wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz   wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
   aunpack ./EasyRSA-3.0.8.tgz   aunpack ./EasyRSA-3.0.8.tgz
 +===Step 2 — Configuring the EasyRSA Variables and Building the CA===
   cd ./EasyRSA-3.0.8/   cd ./EasyRSA-3.0.8/
   cp vars.example vars   cp vars.example vars
Line 25: Line 27:
   set_var EASYRSA_REQ_EMAIL      "admin@example.com"   set_var EASYRSA_REQ_EMAIL      "admin@example.com"
   set_var EASYRSA_REQ_OU         "Community"   set_var EASYRSA_REQ_OU         "Community"
-  +===Step 3 — Creating the Server Certificate, Key, and Encryption Files===
   ./easyrsa init-pki   ./easyrsa init-pki
   "... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"   "... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
Line 32: Line 34:
   "name the server"   "name the server"
   "... Your new CA certificate file for publishing is at:   "... Your new CA certificate file for publishing is at:
-  /home/vissie/EasyRSA-3.0.8/pki/ca.crt"+  /home/vissie/EasyRSA-3.0.8/pki/ca.crt 
 +  cp ./pki/ca.crt /etc/openvpn/
   ./easyrsa gen-req server nopass   ./easyrsa gen-req server nopass
   sudo cp ./pki/private/server.key /etc/openvpn/   sudo cp ./pki/private/server.key /etc/openvpn/
   ./easyrsa sign-req server server   ./easyrsa sign-req server server
 +  sudo cp ./pki/issued/server.crt /etc/openvpn/
 +  sudo cp ./pki/ca.crt /etc/openvpn/
   ./easyrsa gen-dh   ./easyrsa gen-dh
   sudo openvpn --genkey --secret ta.key   sudo openvpn --genkey --secret ta.key
   sudo cp ./ta.key /etc/openvpn/   sudo cp ./ta.key /etc/openvpn/
   sudo cp ./pki/dh.pem /etc/openvpn/   sudo cp ./pki/dh.pem /etc/openvpn/
-Step 4 — Generating a Client Certificate and Key Pair+===Step 4 — Generating a Client Certificate and Key Pair=== 
 +  cd ~ 
 +  mkdir -p ~/client-configs/keys 
 +  chmod -R 700 ~/client-configs 
 +  cd ~/EasyRSA-3.0.8/ 
 +  ./easyrsa gen-req vissie nopass 
 +  cp ./pki/private/vissie.key ~/client-configs/keys/ 
 +  ./easyrsa sign-req client vissie 
 +  'Yes' 
 +  'Password' 
 +  cp ./pki/issued/vissie.crt ~/client-configs/keys/ 
 +  sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/ 
 +  sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/ 
 +===Step 5 — Configuring the OpenVPN Service=== 
 +  sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ 
 +  sudo gzip -d /etc/openvpn/server.conf.gz 
 +  sudo vim /etc/openvpn/server.conf 
 +  ... 
 +  tls-auth ta.key 0 # This file is secret 
 +  cipher AES-256-CBC 
 +  # Below this, add an auth directive 
 +  auth SHA256 
 +  #If necessary, change the file name by removing the 2048 so it aligns with the key you generated in the previous step: 
 +  dh dh.pem 
 +  user nobody 
 +  group nogroup 
 +  #Find the redirect-gateway 
 +  push "redirect-gateway def1 bypass-dhcp" 
 +  #Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them: 
 +  push "dhcp-option DNS 208.67.222.222" 
 +  push "dhcp-option DNS 208.67.220.220" 
 +  # Optional! 
 +  port 11 
 +  # Optional! 
 +  proto tcp 
 +  #If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0 
 +  explicit-exit-notify 0 
 +  ... 
 +===Step 6 — Adjusting the Server Networking Configuration=== 
 +  sudo vim /etc/sysctl.conf 
 +  ... 
 +  net.ipv4.ip_forward=1 
 +  ... 
 +  sudo sysctl -p 
 +  ip route | grep default 
 +  #Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0: 
 +  #Output 
 +  #default via 203.0.113.1 dev eth0 proto static 
 +   
 +  sudo apt install ufw 
 +  sudo vim /etc/ufw/before.rules 
 +   
 +  # UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded.  
 +  # Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming  
 +  # from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:
  
 +<sxh bash; gutter: false>
 +#
 +# rules.before
 +#
 +# Rules that should be run before the ufw command line added rules. Custom
 +# rules should be added to one of these chains:
 +#   ufw-before-input
 +#   ufw-before-output
 +#   ufw-before-forward
 +#
 +
 +# START OPENVPN RULES
 +# NAT table rules
 +*nat
 +:POSTROUTING ACCEPT [0:0]
 +# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
 +-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
 +COMMIT
 +# END OPENVPN RULES
 +
 +# Don't delete these required lines, otherwise there will be errors
 +*filter
 +. . .
 +</sxh>  
 +  
 +  sudo vim /etc/default/ufw
 +  ...
 +  DEFAULT_FORWARD_POLICY="ACCEPT"
 +  ...
 +  sudo ufw allow 1194/udp
 +  sudo ufw allow OpenSSH
 +===Step 7 — Starting and Enabling the OpenVPN Service===
 +  sudo systemctl start openvpn@server
 +  sudo systemctl status openvpn@server
 +  sudo systemctl enable openvpn@server
 +===Step 8 — Creating the Client Configuration Infrastructure===
 +  mkdir -p ~/client-configs/files
 +  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
 +  vim ~/client-configs/base.conf
 +  ...
 +  remote my.server.com 1194
 +  proto udp
 +  # Downgrade privileges after initialization (non-Windows only)
 +  user nobody
 +  group nogroup
 +  #ca ca.crt
 +  #cert client.crt
 +  #key client.key
 +  #tls-auth ta.key 1
 +  cipher AES-256-CBC
 +  auth SHA256
 +  key-direction 1
 +  # Finally, add a few commented out lines. Although you can include these directives in every client configuration file, you only need to enable them for Linux clients 
 +  # that ship with an /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
 +  # script-security 2
 +  # up /etc/openvpn/update-resolv-conf
 +  # down /etc/openvpn/update-resolv-conf
 +  ...
 +  vim ~/client-configs/make_config.sh
 +  
 +  #!/bin/bash
 +
 +# First argument: Client identifier
 +<sxh bash; gutter: false>
 +KEY_DIR=/home/sammy/client-configs/keys
 +OUTPUT_DIR=/home/sammy/client-configs/files
 +BASE_CONFIG=/home/sammy/client-configs/base.conf
 +
 +cat ${BASE_CONFIG} \
 +    <(echo -e '<ca>') \
 +    ${KEY_DIR}/ca.crt \
 +    <(echo -e '</ca>\n<cert>') \
 +    ${KEY_DIR}/${1}.crt \
 +    <(echo -e '</cert>\n<key>') \
 +    ${KEY_DIR}/${1}.key \
 +    <(echo -e '</key>\n<tls-auth>') \
 +    ${KEY_DIR}/ta.key \
 +    <(echo -e '</tls-auth>') \
 +    > ${OUTPUT_DIR}/${1}.ovpn
 +</sxh>
 +  chmod 700 ~/client-configs/make_config.sh
 +===Step 9 — Generating Client Configurations===  
 +  cd ~/client-configs
 +  sudo ./make_config.sh vissie
 +  ls ~/client-configs/files
 +===Step 10 — Installing the Client Configuration===
 +  sudo apt install openvpn
 +  # Check to see if your distribution includes an /etc/openvpn/update-resolv-conf script:
 +  ls /etc/openvpn
 +  update-resolv-conf
 +  #Next, edit the OpenVPN client configuration file you transfered:
 +  vim client1.ovpn
 +<sxh bash; gutter: false>
 +...
 +script-security 2
 +up /etc/openvpn/update-resolv-conf
 +down /etc/openvpn/update-resolv-conf
 +...
 +</sxh>  
 +  
 +
 +  
 ==== Here is my notes: ====  ==== Here is my notes: ==== 
 Use dig command for determining my public IP address: Use dig command for determining my public IP address:
openvpn.1635935485.txt.gz · Last modified: 2021/11/03 03:31 by vissie

Page Tools