OpenVPN: Difference between revisions
(→Client) |
|||
(39 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Client == | |||
Just use the Network Manager applet to connect using *.ovpn files. | |||
NM applet > Edit Connections > + > (dropdown) > Import a saved VPN connection... | |||
It will prompt for the *.ovpn file. Then you can select to connect to it from the applet. | |||
== Server == | |||
=== Usage === | === Usage === | ||
==== Start client connection ==== | ==== Start client connection ==== | ||
* Import the .ovpn file | |||
rclick Networking applet > VPN > Add > Import a saved VPN connection > select the .ovpn file | |||
* MAKE SURE DEFAULT TRAFFIC does not go over VPN! | |||
rclick Networking applet > Edit connections > VPN > IPv4 tab > Routes > | |||
[x] Use this connection only for resources on its network | |||
* You can then turn on/off the vpn via the applet, and it does all the rather nasty work for ya | |||
You can connect on the command line, but this method does not properly update DNS to use vnc DNS: | |||
sudo openvpn --config ~/development/equityshift/log/openvpn/mbm-client.ovpn & | sudo openvpn --config ~/development/equityshift/log/openvpn/mbm-client.ovpn & | ||
ip a # you should now have a tun0 network! | ip a # you should now have a tun0 network! | ||
==== Stop client connection ==== | ==== Stop client connection ==== | ||
Use the networking applet. | |||
Hardcore killing of process, use this to kill a connection started via command line: | |||
sudo ifconfig tun0 down | sudo ifconfig tun0 down | ||
# or if that doesn't work, try a bigger hammer... | |||
sudo pkill -SIGTERM -f 'openvpn' | |||
==== Watch the server log ==== | ==== Watch the server log ==== | ||
tv # see alias setup, below | |||
# manually: | |||
sudo journalctl -xefu openvpn@server | sudo journalctl -xefu openvpn@server | ||
Line 15: | Line 39: | ||
==== Make a client key ==== | ==== Make a client key ==== | ||
# FROM OPENVPN | # FROM OPENVPN (ci-openvpn-1) | ||
cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass | cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass | ||
cp pki/private/mbm-client.key ~/client-configs/keys/ | cp pki/private/mbm-client.key ~/client-configs/keys/ | ||
emacs pki/reqs/mbm-client.req # copy | emacs pki/reqs/mbm-client.req # copy | ||
# FROM EASYRSA | # FROM EASYRSA (ci-devops-1) | ||
emacs /tmp/mbm-client.req # paste | emacs /tmp/mbm-client.req # paste | ||
cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client | cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client | ||
Line 27: | Line 51: | ||
# FROM OPENVPN | # FROM OPENVPN | ||
cd ~/client-configs | cd ~/client-configs | ||
emacs mbm-client.crt # paste | emacs keys/mbm-client.crt # paste | ||
# pull all the keys/conf into one .opvn file | |||
sudo ./make_config.sh mbm-client | |||
The key will be in ~/client-configs/files/mbm-client.opvn. It should be securely delivered to the user so they can import it into their vpn client. | |||
=== Install === | === Install === | ||
Line 46: | Line 74: | ||
# uncomment && update vars as desired | # uncomment && update vars as desired | ||
cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars | cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars | ||
# MBM define organizational fields | |||
set_var EASYRSA_REQ_COUNTRY "US" | |||
set_var EASYRSA_REQ_PROVINCE "North Carolina" | |||
set_var EASYRSA_REQ_CITY "Raleigh" | |||
set_var EASYRSA_REQ_ORG "My Comp, Inc." | |||
set_var EASYRSA_REQ_EMAIL "me@me.comp" | |||
set_var EASYRSA_REQ_OU "Administration" | |||
./easyrsa init-pki | ./easyrsa init-pki | ||
./easyrsa build-ca nopass | ./easyrsa build-ca nopass | ||
Line 52: | Line 87: | ||
===== Debian OpenVPN ===== | ===== Debian OpenVPN ===== | ||
OpenVPN (OSS) is available with most distros' package managers. | OpenVPN (OSS) is available with most distros' package managers. | ||
sudo apt install openvpn | sudo apt install openvpn wget emacs-nox | ||
# copy an initial config into place | |||
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ | |||
sudo gzip -d /etc/openvpn/server.conf.gz | |||
# set up an alias to tail the vpn log (tv) | |||
echo "alias tv='sudo journalctl -xefu openvpn@server'" >> ~/.bashrc | |||
Also install EasyRSA via [https://github.com/OpenVPN/easy-rsa/releases tarball] similar to instructions above, but we will be running different commands: | Also install EasyRSA via [https://github.com/OpenVPN/easy-rsa/releases tarball] similar to instructions above, but we will be running different commands: | ||
mkdir -p ~/apps && cd ~/apps | mkdir -p ~/apps && cd ~/apps | ||
Line 61: | Line 100: | ||
./easyrsa init-pki | ./easyrsa init-pki | ||
./easyrsa gen-req server nopass | ./easyrsa gen-req server nopass | ||
# use default name [server] | |||
sudo cp pki/private/server.key /etc/openvpn/ | sudo cp pki/private/server.key /etc/openvpn/ | ||
===== | ===== GCP special requirements ===== | ||
[ | On GCP, when you create the OpenVPN VM, you must select the following in the Networking section: | ||
[x] Enable IP forwarding | |||
If you didn't you have to go through all this bizarre instance property update thing: | |||
gcloud compute instances export ci-openvpn-1 --destination=fix-ci-openvpn-1-canIpForward.txt | |||
# edit the file | |||
gcloud compute instances update-from-file ci-openvpn-1 --source=fix-ci-openvpn-1-canIpForward.txt | |||
==== Set up initial certs and keys ==== | ==== Set up initial certs and keys ==== | ||
Line 85: | Line 131: | ||
sudo emacs /etc/openvpn/ca.crt # paste | sudo emacs /etc/openvpn/ca.crt # paste | ||
./easyrsa gen-dh | ./easyrsa gen-dh | ||
sudo openvpn --genkey secret ta.key | sudo openvpn --genkey --secret ta.key | ||
sudo cp ta.key /etc/openvpn/ | sudo cp ta.key /etc/openvpn/ | ||
sudo cp pki/dh.pem /etc/openvpn/ | sudo cp pki/dh.pem /etc/openvpn/ | ||
Line 92: | Line 138: | ||
sudo cp ta.key ~/client-configs/keys/ | sudo cp ta.key ~/client-configs/keys/ | ||
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/ | sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/ | ||
==== Set up for client key generation ==== | |||
===== Build a base client config ===== | |||
cd ~/client-configs | |||
mkdir -p files | |||
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf base.conf | |||
emacs base.conf | |||
Contents to change: | |||
remote myvpnhost.com 1290 | |||
user nobody | |||
group nogroup | |||
#ca ca.crt | |||
#cert client.crt | |||
#key client.key | |||
#tls-auth ta.key 1 | |||
cipher AES-256-GCM | |||
# add this | |||
key-direction 1 | |||
script-security 2 | |||
up /etc/openvpn/update-resolv-conf | |||
down /etc/openvpn/update-resolv-conf | |||
===== Set up opvn generation script ===== | |||
Set up a helper script to build a single opvn file from the bits: | |||
emacs ~/client-configs/make_config.sh | |||
chmod +x ~/client-configs/make_config.sh | |||
Contents: | |||
#!/bin/bash | |||
# First argument: Client identifier | |||
MYHOME=/home/esauto | |||
KEY_DIR=$MYHOME/client-configs/keys | |||
OUTPUT_DIR=$MYHOME/client-configs/files | |||
BASE_CONFIG=$MYHOME/client-configs/base.conf | |||
cat ${BASE_CONFIG} \ | |||
<(echo -e '<ca>') \ | |||
${KEY_DIR}/ca.crt \ | |||
<(echo -e '</ca>\n<cert>') \ | |||
${KEY_DIR}/${1}.crt \ | |||
<(echo -e '</cert>\n<key>') \ | |||
${KEY_DIR}/${1}.key \ | |||
<(echo -e '</key>\n<tls-auth>') \ | |||
${KEY_DIR}/ta.key \ | |||
<(echo -e '</tls-auth>') \ | |||
> ${OUTPUT_DIR}/${1}.ovpn | |||
==== Configure the service ==== | ==== Configure the service ==== | ||
Line 97: | Line 199: | ||
Edit server settings as needed, here: | Edit server settings as needed, here: | ||
sudo emacs /etc/openvpn/server.conf | sudo emacs /etc/openvpn/server.conf | ||
sudo service openvpn@server restart # to apply changes | |||
Some essential shit that is FUCKED UO by OPENVPN right out of the gate in their example config file: | |||
# change to a non-standard port | |||
# port 1194 | |||
port 1234 # or SOMEOTHERSTUPIDSUPERSECRETTHING | |||
# dh dh2048.pem | |||
dh dh.pem | |||
# Defaults to net30 (not recommended) | |||
;topology subnet | |||
# MBM WHY DEFAULT to a setting that is NOT RECOMMENDED? And it causes server to throw warnings. Idiots. | |||
topology subnet | |||
# Route client traffic to 10.150 | |||
# NOTE this replaces the OLD iptables routing we did earlier | |||
push "route 10.150.0.0 255.255.240.0" | |||
# MBM why is the $@(*$ openvpn sample config file using a deprecated cipher? Rrr... | |||
# Don't use -CBC or auth | |||
# cipher AES-256-CBC | |||
# auth SHA256 | |||
cipher AES-256-GCM | |||
# You can uncomment this out on | |||
# non-Windows systems. | |||
# MBM | |||
user nobody | |||
group nogroup | |||
==== Configure networking ==== | ==== Configure networking ==== | ||
sudo | We must enable IP forwarding in the OpenVPN VM (this is in addition to GCP): | ||
sudo emacs /etc/sysctl.conf | |||
net.ipv4.ip_forward=1 | net.ipv4.ip_forward=1 | ||
sudo sysctl -p | sudo sysctl -p # to apply | ||
Set up the openvpn service to start on boot: | |||
sudo systemctl start openvpn@server | sudo systemctl start openvpn@server | ||
sudo systemctl status openvpn@server # if ok, we will "enable" to run on startup | sudo systemctl status openvpn@server # if ok, we will "enable" to run on startup | ||
sudo systemctl enable openvpn@server | sudo systemctl enable openvpn@server | ||
Punch a hole in your OpenVPN host firewall on your selected port and protocol (UDP/TCP). | |||
===== Set up iptables routing ===== | |||
We need to set up networking on the VM to route incoming client requests to go to other machines on the OpenVPN internal LAN: | |||
We wanted to get the OpenVPN server to do this routing but haven't determined how, or if possible at all. This iptables method of nat routing the client traffic is tested and working. | |||
sudo iptables -t nat -I POSTROUTING -o ens4 -s 10.8.0.0/24 -j MASQUERADE | |||
sudo apt install iptables-persistent | |||
# i got two unreadable Yes prompts, i just hit Enter twice | |||
sudo su - | |||
iptables-save > /etc/iptables/rules.v4 | |||
Ctrl-D | |||
# iptables rule should now persist on reboot | |||
To review them: | |||
sudo iptables --list # this SUCKS | |||
sudo cat /etc/iptables/rules.v4 | |||
=== OLD === | |||
===== Docker OpenVPN ===== | |||
DO NOT DO THIS. Ubuntu and Debian apt package is good. | |||
[https://github.com/kylemanna/docker-openvpn This] seems to be a good starting point [https://www.digitalocean.com/community/tutorials/how-to-run-openvpn-in-a-docker-container-on-ubuntu-14-04?utm_source=githubreadme here] and [https://medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45 here] are some instructions. Not going there, Keith "you don't want to mix security concerns", Tom "KISS". |
Latest revision as of 20:09, 20 March 2023
Client
Just use the Network Manager applet to connect using *.ovpn files.
NM applet > Edit Connections > + > (dropdown) > Import a saved VPN connection...
It will prompt for the *.ovpn file. Then you can select to connect to it from the applet.
Server
Usage
Start client connection
- Import the .ovpn file
rclick Networking applet > VPN > Add > Import a saved VPN connection > select the .ovpn file
- MAKE SURE DEFAULT TRAFFIC does not go over VPN!
rclick Networking applet > Edit connections > VPN > IPv4 tab > Routes > [x] Use this connection only for resources on its network
- You can then turn on/off the vpn via the applet, and it does all the rather nasty work for ya
You can connect on the command line, but this method does not properly update DNS to use vnc DNS:
sudo openvpn --config ~/development/equityshift/log/openvpn/mbm-client.ovpn & ip a # you should now have a tun0 network!
Stop client connection
Use the networking applet.
Hardcore killing of process, use this to kill a connection started via command line:
sudo ifconfig tun0 down # or if that doesn't work, try a bigger hammer... sudo pkill -SIGTERM -f 'openvpn'
Watch the server log
tv # see alias setup, below # manually: sudo journalctl -xefu openvpn@server
Configure
Make a client key
# FROM OPENVPN (ci-openvpn-1) cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass cp pki/private/mbm-client.key ~/client-configs/keys/ emacs pki/reqs/mbm-client.req # copy # FROM EASYRSA (ci-devops-1) emacs /tmp/mbm-client.req # paste cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client ./easyrsa sign-req client mbm-client emacs pki/issued/mbm-client.crt # copy # FROM OPENVPN cd ~/client-configs emacs keys/mbm-client.crt # paste # pull all the keys/conf into one .opvn file sudo ./make_config.sh mbm-client
The key will be in ~/client-configs/files/mbm-client.opvn. It should be securely delivered to the user so they can import it into their vpn client.
Install
Watch out, OpenVPN has tried to monetize with their "Access Server" product. What you want is OpenVPN "Open Source" aka "OSS".
You will need two machines to follow suggested installation: one for OpenVPN and a separate isolated machine to run EasyRSA to manage certificates.
We are basically following these instructions.
EasyRSA
Get the tarball link from the releases site, and install it:
mkdir -p ~/apps && cd ~/apps wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz tar xvf EasyRSA-3.0.8.tgz # uncomment && update vars as desired cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars # MBM define organizational fields set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE "North Carolina" set_var EASYRSA_REQ_CITY "Raleigh" set_var EASYRSA_REQ_ORG "My Comp, Inc." set_var EASYRSA_REQ_EMAIL "me@me.comp" set_var EASYRSA_REQ_OU "Administration" ./easyrsa init-pki ./easyrsa build-ca nopass
Install server
Debian OpenVPN
OpenVPN (OSS) is available with most distros' package managers.
sudo apt install openvpn wget emacs-nox # copy an initial config into place sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz # set up an alias to tail the vpn log (tv) echo "alias tv='sudo journalctl -xefu openvpn@server'" >> ~/.bashrc
Also install EasyRSA via tarball similar to instructions above, but we will be running different commands:
mkdir -p ~/apps && cd ~/apps wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz tar xvf EasyRSA-3.0.8.tgz cd EasyRSA-3.0.8 ./easyrsa init-pki ./easyrsa gen-req server nopass # use default name [server] sudo cp pki/private/server.key /etc/openvpn/
GCP special requirements
On GCP, when you create the OpenVPN VM, you must select the following in the Networking section:
[x] Enable IP forwarding
If you didn't you have to go through all this bizarre instance property update thing:
gcloud compute instances export ci-openvpn-1 --destination=fix-ci-openvpn-1-canIpForward.txt # edit the file gcloud compute instances update-from-file ci-openvpn-1 --source=fix-ci-openvpn-1-canIpForward.txt
Set up initial certs and keys
After installing, push things around between EasyRSA and OpenVPN...
# FROM OPENVPN # push server.req to EasyRSA CA machine # you can just copy/paste it emacs pki/reqs/server.req # copy # FROM EASYRSA emacs /tmp/server.req # paste ./easyrsa import-req /tmp/server.req server ./easyrsa sign-req server server emacs pki/issued/server.crt # copy emacs pki/ca.crt # copy # FROM OPENVPN sudo emacs /etc/openvpn/server.crt # paste sudo emacs /etc/openvpn/ca.crt # paste ./easyrsa gen-dh sudo openvpn --genkey --secret ta.key sudo cp ta.key /etc/openvpn/ sudo cp pki/dh.pem /etc/openvpn/ cd && mkdir -p client-configs/keys && chmod -R 700 ~/client-configs cd ~/apps/EasyRSA-3.0.8 sudo cp ta.key ~/client-configs/keys/ sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
Set up for client key generation
Build a base client config
cd ~/client-configs mkdir -p files cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf base.conf emacs base.conf
Contents to change:
remote myvpnhost.com 1290 user nobody group nogroup #ca ca.crt #cert client.crt #key client.key #tls-auth ta.key 1 cipher AES-256-GCM # add this key-direction 1 script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf
Set up opvn generation script
Set up a helper script to build a single opvn file from the bits:
emacs ~/client-configs/make_config.sh chmod +x ~/client-configs/make_config.sh
Contents:
#!/bin/bash # First argument: Client identifier MYHOME=/home/esauto KEY_DIR=$MYHOME/client-configs/keys OUTPUT_DIR=$MYHOME/client-configs/files BASE_CONFIG=$MYHOME/client-configs/base.conf cat ${BASE_CONFIG} \ <(echo -e '<ca>') \ ${KEY_DIR}/ca.crt \ <(echo -e '</ca>\n<cert>') \ ${KEY_DIR}/${1}.crt \ <(echo -e '</cert>\n<key>') \ ${KEY_DIR}/${1}.key \ <(echo -e '</key>\n<tls-auth>') \ ${KEY_DIR}/ta.key \ <(echo -e '</tls-auth>') \ > ${OUTPUT_DIR}/${1}.ovpn
Configure the service
Edit server settings as needed, here:
sudo emacs /etc/openvpn/server.conf sudo service openvpn@server restart # to apply changes
Some essential shit that is FUCKED UO by OPENVPN right out of the gate in their example config file:
# change to a non-standard port # port 1194 port 1234 # or SOMEOTHERSTUPIDSUPERSECRETTHING # dh dh2048.pem dh dh.pem # Defaults to net30 (not recommended) ;topology subnet # MBM WHY DEFAULT to a setting that is NOT RECOMMENDED? And it causes server to throw warnings. Idiots. topology subnet # Route client traffic to 10.150 # NOTE this replaces the OLD iptables routing we did earlier push "route 10.150.0.0 255.255.240.0" # MBM why is the $@(*$ openvpn sample config file using a deprecated cipher? Rrr... # Don't use -CBC or auth # cipher AES-256-CBC # auth SHA256 cipher AES-256-GCM # You can uncomment this out on # non-Windows systems. # MBM user nobody group nogroup
Configure networking
We must enable IP forwarding in the OpenVPN VM (this is in addition to GCP):
sudo emacs /etc/sysctl.conf net.ipv4.ip_forward=1 sudo sysctl -p # to apply
Set up the openvpn service to start on boot:
sudo systemctl start openvpn@server sudo systemctl status openvpn@server # if ok, we will "enable" to run on startup sudo systemctl enable openvpn@server
Punch a hole in your OpenVPN host firewall on your selected port and protocol (UDP/TCP).
Set up iptables routing
We need to set up networking on the VM to route incoming client requests to go to other machines on the OpenVPN internal LAN:
We wanted to get the OpenVPN server to do this routing but haven't determined how, or if possible at all. This iptables method of nat routing the client traffic is tested and working.
sudo iptables -t nat -I POSTROUTING -o ens4 -s 10.8.0.0/24 -j MASQUERADE sudo apt install iptables-persistent # i got two unreadable Yes prompts, i just hit Enter twice sudo su - iptables-save > /etc/iptables/rules.v4 Ctrl-D # iptables rule should now persist on reboot
To review them:
sudo iptables --list # this SUCKS sudo cat /etc/iptables/rules.v4
OLD
Docker OpenVPN
DO NOT DO THIS. Ubuntu and Debian apt package is good.
This seems to be a good starting point here and here are some instructions. Not going there, Keith "you don't want to mix security concerns", Tom "KISS".