This shows you the differences between two versions of the page.
computing:vpnserver-debian [2023/05/21 20:35] – oemb1905 | computing:vpnserver-debian [2023/05/22 02:04] – oemb1905 | ||
Line 3: | Line 3: | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
* **Haack' | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
Line 11: | Line 11: | ||
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for installing a simple openvpn server on a public facing VPS and/or self-hosted virtualization stack. In my case, I am using a slim Debian boot OS, with two zfs pools in RAID10 or two-way mirror setups. I use virsh primarily and/or virt-manager with qemu/kvm to manage the stack. The full setup can be found here [[https:// | + | This tutorial is for installing a simple openvpn server on a public facing VPS and/or self-hosted virtualization stack. In my case, I am using a slim Debian boot OS, with two zfs pools in RAID10 or two-way mirror setups. I use virsh primarily and/or virt-manager with qemu/kvm to manage the stack. The full setup can be found here [[https:// |
sudo apt update | sudo apt update | ||
Line 21: | Line 21: | ||
cp -r / | cp -r / | ||
| | ||
- | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building the openvpn server itself which will leverage these: | + | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building |
+ | the openvpn server itself which will leverage these: | ||
cd / | cd / | ||
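Review bot: "diffyhelmen" in the re-wrapped sentence ("generating diffyhelmen for strong key exchange") should be "Diffie-Hellman parameters"; since the line was already touched to insert the break before "the openvpn server itself", this is the place to fix the spelling as well.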
Line 43: | Line 44: | ||
cp -rp / | cp -rp / | ||
| | ||
- | The server has everything it needs to operate, but you need to build a configuration | + | I wanted a consistent static IP for the client, and changing '' |
+ | |||
+ | nano / | ||
+ | < | ||
+ | |||
+ | Note that for the above static assignment to work on the client, you must add '' | ||
cp / | cp / | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | Now that the server is configured, let's enable the systemd unit: | ||
+ | |||
+ | systemctl enable --now openvpn-server@server | ||
+ | |||
+ | Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: | ||
+ | |||
+ | ufw allow 1184/udp | ||
+ | ufw allow from 192.168.123.0/ | ||
| | ||
- | Here's what my config looks like for comparison: | + | The server is now setup, so time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory |
- | | + | |
+ | | ||
+ | cp -p / | ||
+ | cp -rp / | ||
+ | cp -rp / | ||
+ | |||
+ | From your client, pull the files: | ||
+ | scp -r user@remotehost.com:/ | ||
+ | On your localhost, create a client configuration file to leverage these files and connect to the openvpn server. I also included my config as an example below. | ||
+ | |||
+ | nano / | ||
+ | | ||
+ | [[https:// | ||
+ | |||
+ | To test if everything is working, run openvpn against the config file as follows: | ||
+ | |||
+ | sudo openvpn remotehost.com.ovpn | ||
+ | | ||
+ | If everything works, you will get a final message of '' | ||
+ | |||
+ | chmod 600 client.key | ||
+ | chmod 640 ca.crt. client.crt. remotehost.com.ovpn | ||
+ | |||
+ | That should be it! To test, try shelling into the physical host of the virtualization stack: | ||
+ | |||
+ | ssh root@192.168.122.1 | ||
+ | | ||
+ | For traffic redirection, | ||
+ | |||
+ | nano / | ||
+ | < | ||
+ | nano / | ||
+ | < | ||
+ | <: | ||
+ | <-A POSTROUTING -s 192.168.123.0/ | ||
+ | < | ||
+ | nano / | ||
+ | < | ||
+ | sysctl -p | ||
+ | |||
+ | This enables masquerading, | ||
+ | |||
+ | redirect-gateway def1 | ||
+ | | ||
+ | My next goal is to add some routes to a different subnet on a virtual bridge I use for my VMs, and that's also on the physical host. Then, I can disable public facing ssh on all of VMs theoretically and access them through the vpnserver only. Again, even this is overkill since I am already using ssh keypairs, however, I might just do it to learn about pushing routes/ | ||
+ | |||
+ | --- // | ||
+ | | ||