openvpn

Quick setup

Long Setup

This was my starting point:

Here are my steps:

Step 1 — Installing OpenVPN and EasyRSA

sudo apt install openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
aunpack ./EasyRSA-3.0.8.tgz   # aunpack comes from the atool package; tar xzf EasyRSA-3.0.8.tgz does the same

Step 2 — Configuring the EasyRSA Variables and Building the CA

cd ./EasyRSA-3.0.8/
cp vars.example vars
vim ./vars

Uncomment these lines and set the quoted values to whatever you’d prefer, but do not leave them blank:
. . .
set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "NewYork"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "DigitalOcean"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "Community"

Step 3 — Creating the Server Certificate, Key, and Encryption Files

./easyrsa init-pki
# Output: "... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
./easyrsa build-ca
# Prompts: pick a password for the CA, then enter a Common Name (the server's name)
# Output: "... Your new CA certificate file for publishing is at:
#          /home/vissie/EasyRSA-3.0.8/pki/ca.crt"
sudo cp ./pki/ca.crt /etc/openvpn/
./easyrsa gen-req server nopass
sudo cp ./pki/private/server.key /etc/openvpn/
./easyrsa sign-req server server
# Prompts: type 'yes' to confirm the request details, then enter the CA password
sudo cp ./pki/issued/server.crt /etc/openvpn/
./easyrsa gen-dh
sudo openvpn --genkey --secret ta.key
sudo cp ./ta.key /etc/openvpn/
sudo cp ./pki/dh.pem /etc/openvpn/

Step 4 — Generating a Client Certificate and Key Pair

cd ~
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cd ~/EasyRSA-3.0.8/
./easyrsa gen-req vissie nopass
cp ./pki/private/vissie.key ~/client-configs/keys/
./easyrsa sign-req client vissie
# Prompts: type 'yes' to confirm the request details, then enter the CA password
cp ./pki/issued/vissie.crt ~/client-configs/keys/
sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

Step 5 — Configuring the OpenVPN Service

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo vim /etc/openvpn/server.conf
...
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
# Below this, add an auth directive
auth SHA256
#If necessary, change the file name by removing the 2048 so it aligns with the key you generated in the previous step:
dh dh.pem
user nobody
group nogroup
# Find the redirect-gateway line and remove the “;” in front of it to uncomment it:
push "redirect-gateway def1 bypass-dhcp"
# Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Optional! If you change the port, allow that port in ufw (Step 6) and use it in the client's remote line (Step 8) instead of 1194
port 11
# Optional! If you change the protocol, match it in ufw (Step 6) and in the client's proto line (Step 8)
proto tcp
# If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0
explicit-exit-notify 0
...

Step 6 — Adjusting the Server Networking Configuration

sudo vim /etc/sysctl.conf
...
net.ipv4.ip_forward=1
...
sudo sysctl -p
ip route | grep default
#Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0:
#Output
#default via 203.0.113.1 dev eth0 proto static

sudo apt install ufw
sudo vim /etc/ufw/before.rules

# UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded.
# Towards the top of the file, add the lines between "START OPENVPN RULES" and "END OPENVPN RULES" below. This sets the default policy for the POSTROUTING chain in the nat table and masquerades any traffic coming
# from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0 (change to the interface you discovered!)
# The server's default VPN subnet is 10.8.0.0/24; the /8 below masquerades all of 10.0.0.0/8,
# so narrow it to 10.8.0.0/24 unless you really route more than the VPN subnet through this box
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
. . .

sudo vim /etc/default/ufw

...
DEFAULT_FORWARD_POLICY="ACCEPT"
...
# If you changed port or proto in Step 5, allow that port/proto here instead of 1194/udp
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
# Reload the firewall so the before.rules NAT rule and the forward policy take effect
sudo ufw disable
sudo ufw enable

Step 7 — Starting and Enabling the OpenVPN Service

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
sudo systemctl enable openvpn@server

Step 8 — Creating the Client Configuration Infrastructure

mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
vim ~/client-configs/base.conf
...
remote my.server.com 1194
proto udp
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
# Finally, add a few commented out lines. Although you can include these directives in every client configuration file, you only need to enable them for Linux clients 
# that ship with an /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
...
vim ~/client-configs/make_config.sh

#!/bin/bash
# First argument: Client identifier (the name given to easyrsa gen-req)
set -euo pipefail

# Resolve paths relative to this script so it works for any user
# (the guide hardcodes /home/sammy; this wiki's user is vissie)
CONFIG_ROOT="$(cd "$(dirname "$0")" && pwd)"
KEY_DIR="${CONFIG_ROOT}/keys"
OUTPUT_DIR="${CONFIG_ROOT}/files"
BASE_CONFIG="${CONFIG_ROOT}/base.conf"

if [ $# -ne 1 ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi
# Fail early with a clear message instead of producing a broken .ovpn
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${1}.crt" "${KEY_DIR}/${1}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
done

cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"

# The profile embeds a private key: keep it readable by the owner only
chmod 600 "${OUTPUT_DIR}/${1}.ovpn"

chmod 700 ~/client-configs/make_config.sh

Step 9 — Generating Client Configurations

cd ~/client-configs
sudo ./make_config.sh vissie
ls ~/client-configs/files
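An added check, not part of the original guide or of make_config.sh, for the profile Step 9 produces: it confirms that the four inline blocks the script embeds are each present exactly once, that the embedded key is a PEM private key, and that key-direction 1 accompanies the tls-auth block (the sample profiles it writes are constructed here, with placeholder PEM bodies):

```shell
# Added example, not part of the original guide or of make_config.sh:
# sanity-check a generated profile before copying it to a client. Returns 0
# when each inline block appears exactly once, <key> holds a PEM private key
# and "key-direction 1" accompanies the inline <tls-auth> block; otherwise
# prints one line per problem and returns 1.
check_ovpn() {
    file="$1"
    rc=0
    for tag in ca cert key tls-auth; do
        opens=$(grep -c "^<$tag>$" "$file" || true)
        closes=$(grep -c "^</$tag>$" "$file" || true)
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "$file: expected one <$tag>...</$tag> block, found $opens open / $closes close"
            rc=1
        fi
    done
    # The client side of a tls-auth key is direction 1 (the server uses 0)
    if grep -q '^<tls-auth>$' "$file" && ! grep -q '^key-direction 1$' "$file"; then
        echo "$file: <tls-auth> block present but 'key-direction 1' is missing"
        rc=1
    fi
    # An empty or wrong <key> block means the .key file was missing or misnamed
    if ! sed -n '/^<key>$/,/^<\/key>$/p' "$file" | grep -q 'BEGIN .*PRIVATE KEY'; then
        echo "$file: <key> block does not contain a PEM private key"
        rc=1
    fi
    return "$rc"
}

# Constructed sample profiles (placeholder PEM bodies, not real keys):
# good.ovpn is complete, bad.ovpn lacks key-direction and has an empty <key>.
write_sample_profiles() {
    dir="$1"
    {
        printf 'client\nremote my.server.com 1194\nkey-direction 1\n'
        printf '<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n'
        printf '<cert>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</cert>\n'
        printf '<key>\n-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n</key>\n'
        printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n</tls-auth>\n'
    } > "$dir/good.ovpn"
    awk '/^<key>$/ { print; skip = 1; next }
         /^<\/key>$/ { skip = 0 }
         !skip && !/^key-direction/' "$dir/good.ovpn" > "$dir/bad.ovpn"
}
```

Run it as `check_ovpn ~/client-configs/files/vissie.ovpn` after make_config.sh; a non-zero exit means the profile should not be handed out.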

Step 10 — Installing the Client Configuration

sudo apt install openvpn
# Check to see if your distribution includes an /etc/openvpn/update-resolv-conf script:
ls /etc/openvpn
# Output: update-resolv-conf
# Next, edit the OpenVPN client configuration file you transferred (vissie.ovpn from Step 9; the guide calls it client1.ovpn):
vim client1.ovpn

...
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
...

Here are my notes:

Use dig command for determining my public IP address:

sudo apt-get install dnsutils
dig +short myip.opendns.com @resolver1.opendns.com

On step 3, I got a permission denied error on:

echo 1 > /proc/sys/net/ipv4/ip_forward

So instead I did:

In a nutshell, to enable IP forwarding, you can just put the following in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
sudo sysctl -p

Plus I did both IPv4 and IPv6, not knowing if that was correct, but it made sense to me that it would be.

For step 4 I had to use my actual network interface in before.rules, not eth0.

For Step 5, sudo did NOT work. I had to BE root.

You might have the following issue: "No /etc/openvpn/easy-rsa/openssl.cnf file could be found. Further invocations will fail". In this case, just create a symbolic link:

ln -s openssl-1.0.0.cnf openssl.cnf

And then clean everything :

I just did an install on Debian Jessie. I had the same issues. Seemingly the service started, no visual errors, but openvpn was not running.

sudo netstat -uapn | grep openvpn

came up blank. After hours of troubleshooting I eventually came upon this way of starting the service:

systemctl start openvpn@server.service

This failed! Now I had an error.

journalctl -xn

showed me an error on TUN/TAP.

I had an issue with a ta-key. I just disabled that: If you do not have a ta.key, of course tls-auth will fail. You may:

drop the tls-auth instruction altogether. This is not a major dent in your security; the Manual in fact states: "This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic."

or you may now generate the ta-key (it is not too late for this):

openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Some more hours later I realised that, because I was on a VPS, I had no TUN/TAP access from my provider by default! I had to enable it via a console option.

I did that, the server rebooted. And now I have my openVPN.

So, 10 points to the author on a great setup guide! Thx dude.

I hope this little bit of info helps someone.

Tips

View connected users

sudo cat /etc/openvpn/openvpn-status.log
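An added example, not from the original page, that parses the status file the command above prints (in OpenVPN's default status-version 1 layout) into one line per connected client and reports any common name that is not on an allow-list of the client certificates you issued; the allow-list file is an assumption and the sample status file is constructed inside the block:

```shell
# Added example, not from the original page: read /etc/openvpn/openvpn-status.log
# (default status-version 1 layout) and turn it into something you can act on:
# one line per connected client, and the common names that are NOT in a list of
# clients you actually issued certificates for (assumed file, one name per line).
list_vpn_clients() {
    # Client rows sit between "OpenVPN CLIENT LIST" and "ROUTING TABLE":
    # Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    awk -F, '
        /^OpenVPN CLIENT LIST/ { in_list = 1; next }
        /^ROUTING TABLE/       { in_list = 0 }
        in_list && NF == 5 && $1 != "Common Name" { print $1, $2, $5 }
    ' "$1"
}

count_vpn_clients() {
    list_vpn_clients "$1" | awk 'END { print NR }'
}

# Print common names present in the status file ($2) but absent from the allow-list ($1)
unexpected_vpn_clients() {
    list_vpn_clients "$2" | awk -v allowed="$1" '
        BEGIN { while ((getline name < allowed) > 0) ok[name] = 1 }
        !($1 in ok) { print $1 }
    '
}

# Constructed sample status file (addresses from the documentation ranges)
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Nov 10 03:39:00 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vissie,203.0.113.5:51234,18234,99011,Wed Nov 10 02:10:44 2021
laptop-old,198.51.100.7:40022,1200,3400,Wed Nov 10 03:01:02 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,vissie,203.0.113.5:51234,Wed Nov 10 03:38:50 2021
10.8.0.10,laptop-old,198.51.100.7:40022,Wed Nov 10 03:38:58 2021
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

A name that shows up as unexpected is a certificate you should revoke with `./easyrsa revoke <name>` and a `crl-verify` directive on the server, rather than just disconnecting.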

Logs

If you’re customizing rules for your own installation and deliberately breaking things on your server and clients to see the resulting errors, change the logging directive in /etc/openvpn/server.conf from log /var/log/openvpn.log to log-append /var/log/openvpn.log and restart OpenVPN, so the log is not truncated every time you stop and start. Switch it back to log after you’re done.

Connection issues

Please remember, if your VPN is up but there is no traffic going to the internet, make sure that UFW is running and that the rules are set up correctly.

New notes for Debian 9 (Stretch)

apt-get install openvpn easy-rsa
openvpn.txt · Last modified: 2021/11/10 03:39 by vissie