OpenVPN server on Ubuntu 18.06
Install OpenVPN server on Ubuntu 18.06

Setup server

Leverage an AWS instance

Use an instance with:
  • "Source/Destination Check" disabled (otherwise the instance is not allowed to forward traffic it did not originate).
  • Firewall (security group) open on port 1194/UDP.

Configure IP forwarding

Run:
    nano /etc/sysctl.conf
Enable net.ipv4.ip_forward:
    net.ipv4.ip_forward=1
Apply the changes:
    sysctl -p

If you are using ufw...

Get your default network interface:
    ip route | grep default
Output example:
    default via 172.31.0.1 dev eth0 proto dhcp src 172.31.10.197 metric 100
Edit the ufw before rules:
    nano /etc/ufw/before.rules
Add the block between START OPENVPN RULES and END OPENVPN RULES, above the existing *filter line:
    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    # ufw-before-input
    # ufw-before-output
    # ufw-before-forward
    #

    # START OPENVPN RULES
    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Masquerade traffic from OpenVPN clients out of eth0 (change to the interface you discovered!)
    -A POSTROUTING -s 10.22.0.0/16 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 3.4.3.0/8 -o eth0 -j MASQUERADE
    COMMIT
    # END OPENVPN RULES

    # Don't delete these required lines, otherwise there will be errors
    *filter
Edit the ufw default config:
    nano /etc/default/ufw
Allow forwarding:
    DEFAULT_FORWARD_POLICY="ACCEPT"
Allow OpenVPN and SSH:
    ufw allow 1194/udp
    ufw allow OpenSSH

Install OpenVPN

Run:
    apt update
    apt install openvpn
Download EasyRSA:
    wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
    tar xvf EasyRSA-3.0.4.tgz
Copy and edit vars:
    cd ~/EasyRSA-3.0.4/
    cp vars.example vars
    nano vars
Uncomment and change the following config:
    set_var EASYRSA_REQ_COUNTRY "AU"
    set_var EASYRSA_REQ_PROVINCE "New South Wales"
    set_var EASYRSA_REQ_CITY "Sydney"
    set_var EASYRSA_REQ_ORG "Your Company"
    set_var EASYRSA_REQ_EMAIL "YOUR-EMAIL"
    set_var EASYRSA_REQ_OU "Your Company"
Initialise the PKI directory:
    ./easyrsa init-pki
Build the CA certificate. Keep the default Common Name and hit enter:
    ./easyrsa build-ca nopass
Create a private key for the server and a certificate request:
    ./easyrsa gen-req server nopass
Copy the server key to the /etc/openvpn/ directory:
    cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
Sign the request. Input yes when prompted:
    ./easyrsa sign-req server server
Copy the certificates to the OpenVPN directory:
    cp ./pki/issued/server.crt /etc/openvpn/
    cp ./pki/ca.crt /etc/openvpn/
Generate Diffie-Hellman parameters for the key exchange (may take a few minutes to complete):
    ./easyrsa gen-dh
Generate a static tls-auth HMAC key; with it the server can drop packets that do not carry a valid HMAC before the TLS handshake even starts:
    openvpn --genkey --secret ta.key
Copy the files to the OpenVPN directory:
    sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
    sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/

Configuring the OpenVPN Service

Copy the sample config:
    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    sudo gzip -d /etc/openvpn/server.conf.gz
Edit the server config:
    nano /etc/openvpn/server.conf
Double check tls-auth and add key-direction (the server uses direction 0, clients use 1):
    tls-auth ta.key 0
    key-direction 0
Double check cipher and add auth:
    cipher AES-256-CBC
    auth SHA256
Change dh to the file generated above:
    #dh dh2048.pem
    dh dh.pem
Enable user and group so the daemon drops privileges after start-up:
    user nobody
    group nogroup
Enable client-to-client:
    client-to-client
Start and enable the service (the unit name is derived from server.conf):
    systemctl enable openvpn@server
    systemctl restart openvpn@server
    systemctl status openvpn@server

Set up client config

Run:
    mkdir -p ~/client-configs/keys
    mkdir -p ~/client-configs/files
    chmod -R 700 ~/client-configs
    cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
    cp ~/EasyRSA-3.0.4/pki/ca.crt ~/client-configs/keys/
    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
    nano ~/client-configs/base.conf
Configure the remote server:
    #remote my-server-1 1194
    remote YOUR-VPN-SERVER-DOMAIN 1194
Double check proto:
    proto udp
Enable user and group:
    user nobody
    group nogroup
Comment out the certificate file directives (the certificates and keys are embedded inline in the generated .ovpn file):
    #ca ca.crt
    #cert client.crt
    #key client.key
Double check cipher and add auth (they must match the server config):
    cipher AES-256-CBC
    auth SHA256
Add these lines at the end of the file. The last three stay commented out; enable them only for Linux clients that ship with an /etc/openvpn/update-resolv-conf file:
    key-direction 1
    # script-security 2
    # up /etc/openvpn/update-resolv-conf
    # down /etc/openvpn/update-resolv-conf
Create a script that assembles the base config and the keys into a single .ovpn file:
    nano ~/client-configs/make_config.sh
Add:
    #!/bin/bash
    # First argument: client identifier (the name used with easyrsa gen-req)
    if [ -z "$1" ]; then
        echo "usage: $0 <client-name>" >&2
        exit 1
    fi

    KEY_DIR=~/client-configs/keys
    OUTPUT_DIR=~/client-configs/files
    BASE_CONFIG=~/client-configs/base.conf

    # Concatenate the base config with the CA certificate, client certificate,
    # client key and tls-auth key as inline blocks, so the client only needs
    # the single .ovpn file.
    cat ${BASE_CONFIG} \
        <(echo -e '<ca>') \
        ${KEY_DIR}/ca.crt \
        <(echo -e '</ca>\n<cert>') \
        ${KEY_DIR}/${1}.crt \
        <(echo -e '</cert>\n<key>') \
        ${KEY_DIR}/${1}.key \
        <(echo -e '</key>\n<tls-auth>') \
        ${KEY_DIR}/ta.key \
        <(echo -e '</tls-auth>') \
        > ${OUTPUT_DIR}/${1}.ovpn
Set permissions:
    chmod 700 ~/client-configs/make_config.sh

Add client certificate

Generate the certificate and build the profile:
    cd ~/EasyRSA-3.0.4
    ./easyrsa gen-req client2 nopass
    ./easyrsa sign-req client client2
    cp pki/private/client2.key ~/client-configs/keys/
    cp pki/issued/client2.crt ~/client-configs/keys/
    cd ~/client-configs
    ./make_config.sh client2
    ls files/client2.ovpn

Revoke certificate

Run the EasyRSA revoke command. Type yes when prompted:
    cd /root/EasyRSA-3.0.4
    ./easyrsa revoke client2
Create a certificate revocation list (CRL):
    ./easyrsa gen-crl
Copy the CRL to the server config folder:
    cp pki/crl.pem /etc/openvpn
Edit the server config:
    nano /etc/openvpn/server.conf
Add the following line to the end of the file so the server rejects revoked client certificates:
    crl-verify crl.pem
Restart the server:
    sudo systemctl restart openvpn@server

Multiple instances

Copy your current server config:
    cd /etc/openvpn/
    cp server.conf server2.conf
Edit the new file:
    nano server2.conf
Change the following config so the second instance has its own port and VPN subnet (remember to open the new port in ufw as well):
    port XXXX
    server X.X.X.0 255.255.255.0
Start the server (the unit name is derived from server2.conf):
    systemctl start openvpn@server2
    systemctl enable openvpn@server2

Fixed IP for clients

Edit the server config:
    nano /etc/openvpn/server.conf
Uncomment the following line:
    client-config-dir ccd
Create the directory:
    mkdir /etc/openvpn/ccd/
Create a file named after the Common Name (CN) used in the client certificate:
    nano /etc/openvpn/ccd/client-cn-name
Define the static IP:
    ifconfig-push 10.8.0.2 255.255.0.0
Restart the server:
    systemctl restart openvpn@server

Restrict client-to-client

Edit the server config:
    nano server-cluster.conf
Make sure the option client-to-client is disabled, so that traffic between clients is not switched inside OpenVPN but passes through the kernel, where it can be filtered:
    ;client-to-client
Add the following line at the end of the file so that the VPN subnet is routed through the VPN server:
    push "route 10.8.0.0 255.255.0.0"
Configure iptables (the FORWARD chain now decides which clients may talk to each other):
    # Allow all traffic from 10.22.0.100 (K8s master)
    iptables -A FORWARD -s 10.22.0.100 -j ACCEPT

    # Allow all traffic to 10.22.0.100 (K8s master)
    iptables -A FORWARD -d 10.22.0.100 -j ACCEPT

    # Allow all traffic between two nodes
    iptables -A FORWARD -s 10.22.0.101 -d 10.22.0.102 -j ACCEPT
    iptables -A FORWARD -s 10.22.0.102 -d 10.22.0.101 -j ACCEPT

    # Drop everything else
    iptables -A FORWARD -j DROP

Debug

Check the service:
    systemctl status openvpn@server
Monitor packets on interface tun0 (optionally filtered by port):
    tcpdump -i tun0 -nn -s0 -v
    tcpdump -i tun0 -nn -s0 -v port 6805
Monitor ping on interface vpn-cluster with buffer size 512 (if it is not set, the "packets dropped by kernel" counter will always be zero):
    tcpdump -i vpn-cluster -B 4096 -n icmp
Check that the port is open:
    netstat -a | grep 1194