OpenVPN

From The World according to Vissie
Jump to navigation Jump to search

Quick setup

https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh

Long Setup

This was my starting point:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

Here is my notes:

Use dig command for determining my public IP address:

sudo apt-get install dnsutils
dig +short myip.opendns.com @resolver1.opendns.com

On step 3, I got an permision denied error onL

echo 1 > /proc/sys/net/ipv4/ip_forward

So rather I did:

In a nutshell, to enable IP forwarding, you can just put the following in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
sudo sysctl -p

Plus I did both ipv4 and ipv6. Not knowing if that was correct. But it made sense to me that it would be.

For step 4 I had to use my actual network interface in the before,rule, not eth0.

For Step 5, sudo did NOT work. I had to BE root.

You might have the following issue :

**************************************************************
  No /etc/openvpn/easy-rsa/openssl.cnf file could be found
  Further invocations will fail
**************************************************************

In this case, just create a symbolic link :

ln -s openssl-1.0.0.cnf openssl.cnf

And then clean everything :

I just did a install on Debian Jessie. I had the same issues. Seemingly the service started, no visual errors, but openvpn was not running. a

sudo netstat -uapn | grep openvpn

came up blank. After hours of trouble shooting I eventually came upon this way of starting the service

systemctl start openvpn@server.service.

This failed! Now I had a error.

journalctl -xn

showed me a error on TUN/TAP.

I had a issue with a ta-key. I just disabled that:

If you do not have a ta.key, of course tls-auth will fail. You may:
drop the tls-auth instruction altogether. This is not a major dent in your security: the Manual in fact states:
This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or 
implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at 
all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.
or you may now generate the ta-key:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

it is not too late for this.


Some more hours later I realised, that due to the fact that I was on a VPS, I had no TUN/TAP access from my provider as a default! I had to enable it via a console option.

I did that, the server rebooted. And now I have my openVPN.

So, 10 points to the author on a great setup guide! Thx dude.

I hope this little bit of info helps someone.


Tips

View connected users

sudo cat /etc/openvpn/openvpn-status.log

Logs

If you’re customizing rules for your own installation and breaking things on your server and clients to catch errors to match, you probably want to change your logging method in /etc/openvpn/server.conf from log /var/log/openvpn.log to log-append /var/log/openvpn.log and restart OpenVPN to keep your logs from being blown away when you stop and start. Then switch it back to log after you’re done.

Connection issues

Please remember, if your VPN is up, but there is no traffic going to the internet, make sure that UFW is running and that the rules is setup correctly.

New notes for Debian 9 (Stretch)

apt-get install openvpn easy-rsa