OpenVPN: Difference between revisions
| Line 151: | Line 151: | ||
Set up networking on the VM to route 10.150.x.x client requests to the OpenVPN LAN: | Set up networking on the VM to route 10.150.x.x client requests to the OpenVPN LAN: | ||
sudo iptables -t nat -I POSTROUTING -o ens4 -s 10.8.0.0/24 -j MASQUERADE | sudo iptables -t nat -I POSTROUTING -o ens4 -s 10.8.0.0/24 -j MASQUERADE | ||
sudo apt install iptables-persistent | |||
sudo iptables-save > /etc/iptables/rules.v4 | |||
# iptables rule should now persist on reboot | |||
Set up the openvpn service to start on boot: | Set up the openvpn service to start on boot: | ||
Revision as of 21:00, 10 February 2022
Usage
Start client connection
sudo openvpn --config ~/development/equityshift/log/openvpn/mbm-client.ovpn & ip a # you should now have a tun0 network!
Stop client connection
sudo ifconfig tun0 down # or if that doesn't work, try a bigger hammer... sudo pkill -SIGTERM -f 'openvpn'
Watch the server log
sudo journalctl -xefu openvpn@server
Configure
Make a client key
# FROM OPENVPN (ci-openvpn-1) cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass cp pki/private/mbm-client.key ~/client-configs/keys/ emacs pki/reqs/mbm-client.req # copy # FROM EASYRSA (ci-devops-1) emacs /tmp/mbm-client.req # paste cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client ./easyrsa sign-req client mbm-client emacs pki/issued/mbm-client.crt # copy # FROM OPENVPN cd ~/client-configs/keys/ emacs mbm-client.crt # paste # pull all the keys/conf into one .opvn file cd .. sudo ./make_config.sh mbm-client # the key: ~/client-configs/files/mbm-client.opvn
Install
Watch out, OpenVPN has tried to monetize with their "Access Server" product. What you want is OpenVPN "Open Source" aka "OSS".
You will need two machines to follow suggested installation: one for OpenVPN and a separate isolated machine to run EasyRSA to manage certificates.
We are basically following these instructions.
EasyRSA
Get the tarball link from the releases site, and install it:
mkdir -p ~/apps && cd ~/apps wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz tar xvf EasyRSA-3.0.8.tgz # uncomment && update vars as desired cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars ./easyrsa init-pki ./easyrsa build-ca nopass
Install server
Debian OpenVPN
OpenVPN (OSS) is available with most distros' package managers.
sudo apt install openvpn
Also install EasyRSA via tarball similar to instructions above, but we will be running different commands:
mkdir -p ~/apps && cd ~/apps wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz tar xvf EasyRSA-3.0.8.tgz cd EasyRSA-3.0.8 ./easyrsa init-pki ./easyrsa gen-req server nopass sudo cp pki/private/server.key /etc/openvpn/
GCP special requirements
On GCP, when you create the OpenVPN VM, you must select the following in the Networking section:
[x] Enable IP forwarding
If you didn't you have to go through all this bizarre instance property update thing:
gcloud compute instances export ci-openvpn-1 --destination=fix-ci-openvpn-1-canIpForward.txt # edit the file gcloud compute instances update-from-file ci-openvpn-1 --source=fix-ci-openvpn-1-canIpForward.txt
Docker OpenVPN
DO NOT DO THIS. Ubuntu and Debian apt package is good.
This seems to be a good starting point here and here are some instructions. Not going there, Keith "you don't want to mix security concerns", Tom "KISS".
Set up initial certs and keys
After installing, push things around between EasyRSA and OpenVPN...
# FROM OPENVPN # push server.req to EasyRSA CA machine # you can just copy/paste it emacs pki/reqs/server.req # copy # FROM EASYRSA emacs /tmp/server.req # paste ./easyrsa import-req /tmp/server.req server ./easyrsa sign-req server server emacs pki/issued/server.crt # copy emacs pki/ca.crt # copy # FROM OPENVPN sudo emacs /etc/openvpn/server.crt # paste sudo emacs /etc/openvpn/ca.crt # paste ./easyrsa gen-dh sudo openvpn --genkey secret ta.key sudo cp ta.key /etc/openvpn/ sudo cp pki/dh.pem /etc/openvpn/ cd && mkdir -p client-configs/keys && chmod -R 700 ~/client-configs cd ~/apps/EasyRSA-3.0.8 sudo cp ta.key ~/client-configs/keys/ sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
Configure the service
Edit server settings as needed, here:
sudo emacs /etc/openvpn/server.conf sudo service openvpn@server restart # to apply changes
Some essential shit that is FUCKED UO by OPENVPN right out of the gate in their example config file:
# change to a non-standard port # port 1194 port 1234 # or SOMEOTHERSTUPIDSUPERSECRETTHING # dh dh2048.pem dh dh.pem # Defaults to net30 (not recommended) ;topology subnet # MBM WHY DEFAULT to a setting that is NOT RECOMMENDED? And it causes server to throw warnings. Idiots. topology subnet # MBM why is the $@(*$ openvpn sample config file using a deprecated cipher? Rrr... # Don't use -CBC or auth # cipher AES-256-CBC # auth SHA256 cipher AES-256-GCM # You can uncomment this out on # non-Windows systems. # MBM user nobody group nogroup
Configure networking
We must enable IP forwarding in the OpenVPN VM (this is in addition to GCP):
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p # to apply
Set up networking on the VM to route 10.150.x.x client requests to the OpenVPN LAN:
sudo iptables -t nat -I POSTROUTING -o ens4 -s 10.8.0.0/24 -j MASQUERADE sudo apt install iptables-persistent sudo iptables-save > /etc/iptables/rules.v4 # iptables rule should now persist on reboot
Set up the openvpn service to start on boot:
sudo systemctl start openvpn@server sudo systemctl status openvpn@server # if ok, we will "enable" to run on startup sudo systemctl enable openvpn@server