OpenVPN: Difference between revisions

From Bitpost wiki
Revision as of 16:36, 21 February 2022

Usage

Start client connection

  • Import the .ovpn file:
    right-click the Networking applet > VPN > Add > Import a saved VPN connection > select the .ovpn file
  • MAKE SURE DEFAULT TRAFFIC does not go over VPN!
    right-click the Networking applet > Edit connections > VPN > IPv4 tab > Routes >
    [x] Use this connection only for resources on its network
  • You can then turn the VPN on/off via the applet, and it does all the rather nasty work for ya

You can connect on the command line, but this method does not properly update DNS to use the VPN's DNS:

sudo openvpn --config ~/development/equityshift/log/openvpn/mbm-client.ovpn &
ip a # you should now have a tun0 interface!

Stop client connection

Use the networking applet.

Hardcore killing of the process; use this to kill a connection started via the command line:

sudo ifconfig tun0 down
# or if that doesn't work, try a bigger hammer...
sudo pkill -SIGTERM -f 'openvpn'

Watch the server log

sudo journalctl -xefu openvpn@server

Configure

Make a client key

# FROM OPENVPN (ci-openvpn-1)
cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass
cp pki/private/mbm-client.key ~/client-configs/keys/
emacs pki/reqs/mbm-client.req # copy

# FROM EASYRSA (ci-devops-1)
emacs /tmp/mbm-client.req # paste
cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client
./easyrsa sign-req client mbm-client
emacs pki/issued/mbm-client.crt # copy

# FROM OPENVPN
cd ~/client-configs/keys/
emacs mbm-client.crt # paste
# pull all the keys/conf into one .ovpn file
cd ..
sudo ./make_config.sh mbm-client

# the result: ~/client-configs/files/mbm-client.ovpn
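The make_config.sh step above is not shown on this page. The following is an added example (not the wiki's own script) of what such a step does: it concatenates a base client config with ca.crt, the client's .crt and .key, and ta.key into one inline .ovpn profile. It assumes a key directory laid out as ~/client-configs/keys above (ca.crt, <name>.crt, <name>.key, ta.key), a base.conf that is a plain client config, and that the server side uses tls-auth with direction 0 (so the client gets key-direction 1). The placeholder files it generates for the stand-alone run are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not the wiki's make_config.sh: build a single inline .ovpn
# profile from a base client config plus the CA cert, client cert, client
# key and tls-auth key. Directory layout and file names are assumptions.

# Usage: make_ovpn_config <client-name> <key-dir> <base-conf> [out-file]
# Writes the unified profile, prints its path, returns 1 if any piece is missing.
make_ovpn_config() {
    name="$1"; keydir="$2"; base="$3"; out="${4:-$name.ovpn}"

    # Refuse to build a profile with any piece missing: a half-built profile
    # either fails to connect or connects without the tls-auth protection.
    for f in "$base" "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key" "$keydir/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    {
        cat "$base"
        echo '<ca>';       cat "$keydir/ca.crt";    echo '</ca>'
        echo '<cert>';     cat "$keydir/$name.crt"; echo '</cert>'
        echo '<key>';      cat "$keydir/$name.key"; echo '</key>'
        echo '<tls-auth>'; cat "$keydir/ta.key";    echo '</tls-auth>'
        # Client side of a tls-auth key is direction 1; add it unless base.conf already has it.
        grep -q '^key-direction' "$base" || echo 'key-direction 1'
    } > "$out"
    chmod 600 "$out"   # the profile embeds the client's private key
    echo "$out"
}

# Count the inline blocks present in a profile; a complete one has 4.
ovpn_inline_count() {
    grep -c -E '^<(ca|cert|key|tls-auth)>$' "$1"
}

# Stand-alone run on constructed placeholder files (not real keys or certs).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/keys"
printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1234\n' > "$demo_dir/base.conf"
for f in ca.crt mbm-client.crt mbm-client.key ta.key; do
    printf -- '-----BEGIN PLACEHOLDER-----\nnot-a-real-%s\n-----END PLACEHOLDER-----\n' "$f" > "$demo_dir/keys/$f"
done
make_ovpn_config mbm-client "$demo_dir/keys" "$demo_dir/base.conf" "$demo_dir/mbm-client.ovpn"
echo "inline blocks: $(ovpn_inline_count "$demo_dir/mbm-client.ovpn")"
```

The profile ends up mode 600 because it carries the client's private key; anything that copies it onward (scp, a password manager, e-mail) inherits that sensitivity.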

Install

Watch out, OpenVPN has tried to monetize with their "Access Server" product. What you want is OpenVPN "Open Source" aka "OSS".

You will need two machines to follow suggested installation: one for OpenVPN and a separate isolated machine to run EasyRSA to manage certificates.

We are basically following these instructions.

EasyRSA

Get the tarball link from the releases site, and install it:

mkdir -p ~/apps && cd ~/apps
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar xvf EasyRSA-3.0.8.tgz
# uncomment && update vars as desired
cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars
./easyrsa init-pki
./easyrsa build-ca nopass

Install server

Debian OpenVPN

OpenVPN (OSS) is available with most distros' package managers.

sudo apt install openvpn wget emacs-nox

Also install EasyRSA via tarball similar to instructions above, but we will be running different commands:

mkdir -p ~/apps && cd ~/apps
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar xvf EasyRSA-3.0.8.tgz
cd EasyRSA-3.0.8
./easyrsa init-pki
./easyrsa gen-req server nopass
sudo cp pki/private/server.key /etc/openvpn/

GCP special requirements

On GCP, when you create the OpenVPN VM, you must select the following in the Networking section:

[x] Enable IP forwarding

If you didn't, you have to go through this bizarre instance-property update dance:

gcloud compute instances export ci-openvpn-1 --destination=fix-ci-openvpn-1-canIpForward.txt
# edit the file and set canIpForward to true
gcloud compute instances update-from-file ci-openvpn-1 --source=fix-ci-openvpn-1-canIpForward.txt

Set up initial certs and keys

After installing, push things around between EasyRSA and OpenVPN...

# FROM OPENVPN
# push server.req to EasyRSA CA machine
# you can just copy/paste it
emacs pki/reqs/server.req # copy

# FROM EASYRSA
emacs /tmp/server.req # paste
./easyrsa import-req /tmp/server.req server
./easyrsa sign-req server server
emacs pki/issued/server.crt # copy
emacs pki/ca.crt # copy

# FROM OPENVPN
sudo emacs /etc/openvpn/server.crt # paste
sudo emacs /etc/openvpn/ca.crt # paste
./easyrsa gen-dh
sudo openvpn --genkey secret ta.key
sudo cp ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
cd && mkdir -p client-configs/keys && chmod -R 700 ~/client-configs
cd ~/apps/EasyRSA-3.0.8
sudo cp ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

Configure the service

Edit server settings as needed, here:

sudo emacs /etc/openvpn/server.conf
sudo service openvpn@server restart # to apply changes

Some essential shit that is FUCKED UP by OPENVPN right out of the gate in their example config file:

# change to a non-standard port
# port 1194
port 1234 # or SOMEOTHERSTUPIDSUPERSECRETTHING

# dh dh2048.pem
dh dh.pem

# Defaults to net30 (not recommended)
;topology subnet
# MBM WHY DEFAULT to a setting that is NOT RECOMMENDED?  And it causes server to throw warnings.  Idiots.
topology subnet

# Route client traffic to 10.150
# NOTE this replaces the OLD iptables routing we did earlier
push "route 10.150.0.0 255.255.240.0"

# MBM why is the $@(*$ openvpn sample config file using a deprecated cipher?  Rrr...
# Don't use -CBC or auth
# cipher AES-256-CBC
# auth SHA256
cipher AES-256-GCM

# You can uncomment this out on
# non-Windows systems.
# MBM
user nobody
group nogroup
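To catch a server.conf that slipped back to the sample defaults (after a package upgrade drops a new example file, say), here is an added audit script that is not part of the wiki. It reads the effective directives (comments and `;`-disabled lines ignored) and flags each of the defaults the fragment above replaces: port 1194, missing `topology subnet`, a CBC cipher or no AES-GCM cipher, a leftover `auth`, no `user`/`group` privilege drop, and no `tls-auth`/`tls-crypt` for ta.key. The check list, messages and the sample config it audits are constructed for illustration; the tls-auth directive name is standard OpenVPN and not from the page.

```shell
#!/bin/sh
# Added example, not from the wiki: audit an OpenVPN server.conf for the
# sample-config defaults the fragment above replaces. Check list, messages
# and the sample config below are constructed for illustration.

# True if the effective config text ($2) has a line matching ERE $1.
has_directive() {
    printf '%s\n' "$2" | grep -q -E "$1"
}

# Print one finding per line for the config file $1.
# Return status = number of findings (0 means nothing flagged).
audit_server_conf() {
    conf="$1"
    n=0
    # Effective directives only: strip comments (# or ;), surrounding
    # whitespace and blank lines, so a commented-out setting does not count.
    eff=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$conf")

    has_directive '^port[[:space:]]+1194$' "$eff" \
        && { echo "port: still on the default 1194"; n=$((n+1)); }
    has_directive '^topology[[:space:]]+subnet$' "$eff" \
        || { echo "topology: not 'subnet' (net30 default applies)"; n=$((n+1)); }
    has_directive '^cipher[[:space:]]+.*-CBC$' "$eff" \
        && { echo "cipher: CBC-mode cipher configured"; n=$((n+1)); }
    has_directive '^cipher[[:space:]]+AES-(128|192|256)-GCM$' "$eff" \
        || { echo "cipher: no AES-GCM cipher configured"; n=$((n+1)); }
    has_directive '^auth[[:space:]]+' "$eff" \
        && { echo "auth: data-channel HMAC setting present; unused with an AEAD (GCM) data channel"; n=$((n+1)); }
    has_directive '^user[[:space:]]+' "$eff" \
        || { echo "user: no 'user' directive; daemon keeps root after startup"; n=$((n+1)); }
    has_directive '^group[[:space:]]+' "$eff" \
        || { echo "group: no 'group' directive"; n=$((n+1)); }
    has_directive '^tls-(auth|crypt)[[:space:]]+' "$eff" \
        || { echo "tls-auth/tls-crypt: control channel not protected by ta.key"; n=$((n+1)); }
    return $n
}

# Constructed stand-in for the sample config's defaults (test input only,
# not a real server.conf).
write_sample_defaults() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
;topology subnet
cipher AES-256-CBC
auth SHA256
;user nobody
;group nogroup
EOF
}

# Stand-alone run: audit the constructed sample and report the count.
sample=$(mktemp)
write_sample_defaults "$sample"
audit_server_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the live file with `audit_server_conf /etc/openvpn/server.conf` after every edit, before the `service openvpn@server restart`; a non-zero exit is the cue to look at the listed lines.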

Configure networking

We must enable IP forwarding in the OpenVPN VM (this is in addition to GCP):

sudo nano /etc/sysctl.conf
    net.ipv4.ip_forward=1
sudo sysctl -p # to apply

Set up the openvpn service to start on boot:

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server # if ok, we will "enable" to run on startup
sudo systemctl enable openvpn@server

OLD

Docker OpenVPN

DO NOT DO THIS. Ubuntu and Debian apt package is good.

This seems to be a good starting point here and here are some instructions. Not going there, Keith "you don't want to mix security concerns", Tom "KISS".

Set up iptables routing

(this is not needed, the server does it via push) Set up networking on the VM to route 10.150.x.x client requests to the OpenVPN LAN:

sudo iptables -t nat -I POSTROUTING -o ens4 -s 10.8.0.0/24 -j MASQUERADE
sudo apt install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4
# iptables rule should now persist on reboot

To review them:

sudo iptables --list # this SUCKS
sudo cat /etc/iptables/rules.v4