OpenVPN

From Bitpost wiki
Revision as of 19:06, 7 February 2022 by M (talk | contribs) (→‎Docker OpenVPN)

Usage

Start client connection

sudo openvpn --config ~/development/equityshift/log/openvpn/mbm-client.ovpn &
ip a # you should now have a tun0 network!

Stop client connection

sudo ifconfig tun0 down

Watch the server log

sudo journalctl -xefu openvpn@server

Configure

Make a client key

# FROM OPENVPN (ci-openvpn-1)
cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass
cp pki/private/mbm-client.key ~/client-configs/keys/
emacs pki/reqs/mbm-client.req # copy

# FROM EASYRSA (ci-devops-1)
emacs /tmp/mbm-client.req # paste
cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client
./easyrsa sign-req client mbm-client
emacs pki/issued/mbm-client.crt # copy

# FROM OPENVPN
cd ~/client-configs/keys/
emacs mbm-client.crt # paste
# pull all the keys/conf into one .opvn file
cd ..
sudo ./make_config.sh mbm-client

Install

Watch out, OpenVPN has tried to monetize with their "Access Server" product. What you want is OpenVPN "Open Source" aka "OSS".

You will need two machines to follow suggested installation: one for OpenVPN and a separate isolated machine to run EasyRSA to manage certificates.

We are basically following these instructions.

EasyRSA

Get the tarball link from the releases site, and install it:

mkdir -p ~/apps && cd ~/apps 
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar xvf EasyRSA-3.0.8.tgz
# uncomment && update vars as desired
cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars
./easyrsa init-pki
./easyrsa build-ca nopass

Install server

Debian OpenVPN

OpenVPN (OSS) is available with most distros' package managers.

sudo apt install openvpn

Also install EasyRSA via tarball similar to instructions above, but we will be running different commands:

mkdir -p ~/apps && cd ~/apps
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar xvf EasyRSA-3.0.8.tgz
cd EasyRSA-3.0.8
./easyrsa init-pki
./easyrsa gen-req server nopass
sudo cp pki/private/server.key /etc/openvpn/
Docker OpenVPN

DO NOT DO THIS. Ubuntu and Debian apt package is good.

This seems to be a good starting point here and here are some instructions. Not going there, Keith "you don't want to mix security concerns", Tom "KISS".

Set up initial certs and keys

After installing, push things around between EasyRSA and OpenVPN...

# FROM OPENVPN
# push server.req to EasyRSA CA machine
# you can just copy/paste it
emacs pki/reqs/server.req # copy

# FROM EASYRSA
emacs /tmp/server.req # paste
./easyrsa import-req /tmp/server.req server
./easyrsa sign-req server server
emacs pki/issued/server.crt # copy
emacs pki/ca.crt # copy

# FROM OPENVPN
sudo emacs /etc/openvpn/server.crt # paste
sudo emacs /etc/openvpn/ca.crt # paste
./easyrsa gen-dh
sudo openvpn --genkey secret ta.key
sudo cp ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
cd && mkdir -p client-configs/keys && chmod -R 700 ~/client-configs
cd ~/apps/EasyRSA-3.0.8
sudo cp ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

Configure the service

Edit server settings as needed, here:

sudo emacs /etc/openvpn/server.conf 

Configure networking

sudo nano /etc/sysctl.conf
    net.ipv4.ip_forward=1
sudo sysctl -p
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server # if ok, we will "enable" to run on startup
sudo systemctl enable openvpn@server