computing:vpnserver-debian

computing:vpnserver-debian [2023/05/22 02:16] – removed oemb1905
computing:vpnserver-debian [2024/02/17 19:43] (current) – created oemb1905
Line 1: Line 1:
 +-------------------------------------------
 +  * **vpnserver-debian** 
 +  * **Jonathan Haack**
 +  * **Haack's Networking**
 +  * **webmaster@haacksnetworking.org**
  
 +-------------------------------------------
 +
 +//vpnserver-debian// 
 +
 +-------------------------------------------
 +
 +This tutorial is for installing a simple openvpn server on a public-facing VPS and/or self-hosted virtualization stack. In my case, I am using a slim Debian boot OS with two zfs pools in RAID10 or two-way mirror setups. I use virsh primarily, and/or virt-manager, with qemu/kvm to manage the stack. The full setup can be found here [[https://wiki.haacksnetworking.org/doku.php?id=computing:vmserver|vmserver]]. The point of setting up this openvpn server instance was to expose only port 1194 to the public, and to turn off 80/443 (which I used for the munin monitoring tool) and 22 (which I used for shell access). Also, this is intended just as a vpn, **not traffic redirection**. Here's what I did:
 +
 +  sudo apt update
 +  sudo apt upgrade
 +  sudo apt install openvpn
 +  
 +To keep easyrsa from writing over your configuration, most people copy the directory they intend to use away from its default location before working in it:
 +
 +  cp -r /usr/share/easy-rsa /etc/
 +  
 +Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating Diffie-Hellman parameters for strong key exchange, and then building the certificate for the openvpn server itself, which will leverage these:
 +
 +  cd /etc/easy-rsa/
 +  ./easyrsa init-pki
 +  ./easyrsa build-ca nopass
 +  ./easyrsa gen-dh
 +  ./easyrsa build-server-full server nopass
 +  
 +To help thwart DDoS and/or UDP flooding, build an HMAC key (the ''ta.key'' used by ''tls-auth'') as follows. Also, make sure to generate a certificate revocation list (CRL) so you can properly revoke previously signed certificates later:
 +  
 +  openvpn --genkey secret /etc/easy-rsa/pki/ta.key
 +  ./easyrsa gen-crl
 +  
 +Copy all the files and directories for keys/certs that you just generated into the openvpn server directory:
 +
 +  cp -p /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/
 +  cp -p /etc/easy-rsa/pki/dh.pem /etc/openvpn/server/
 +  cp -p /etc/easy-rsa/pki/ta.key /etc/openvpn/server/
 +  cp -p /etc/easy-rsa/pki/crl.pem /etc/openvpn/server/  
 +  cp -rp /etc/easy-rsa/pki/issued /etc/openvpn/server/
 +  cp -rp /etc/easy-rsa/pki/private /etc/openvpn/server/
 +  
 +I wanted a consistent static IP for the client, and entries in ''ifconfig-pool-persist /var/log/openvpn/ipp.txt'' seemed to always get overwritten, so I did the following:
 +
 +  nano /etc/openvpn/ccd/client
 +  <ifconfig-push 192.168.147.100 255.255.255.0>
 +
 +Note that for the above static assignment to work on the client, you must add ''client-config-dir /etc/openvpn/ccd'' to the server configuration. To build the server configuration, I used the template provided and some online resources. Here's where you get the provided template and a view of what my config looks like.
 +
 +  cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
 +
 +[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/configs/openvpn/vpnserver-debian.conf|vpnserver-debian.conf]]
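Since the server config is linked rather than shown, here is an added check script (my own example, not the author's config or scripts) that audits a ''server.conf'' for the properties this design depends on: UDP on 1194 to match the firewall rules, ''tls-auth''/''tls-crypt'' so the generated ''ta.key'' is actually used, ''crl-verify'' so the CRL is honoured, ''client-config-dir'' so the ''ccd/'' static address takes effect, and no pushed ''redirect-gateway'' (this is a vpn-only design). The two sample configs it writes are constructed for the demo; the path you pass in is an assumption.

```shell
#!/bin/sh
# Added example (not the author's config or scripts): audit an OpenVPN server.conf
# for the properties this design relies on.
# Usage: sh audit-server-conf.sh /etc/openvpn/server/server.conf

# has_directive FILE DIRECTIVE -> true if an uncommented line starts with DIRECTIVE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_server_conf FILE -> prints findings, returns 0 only if nothing was flagged
audit_server_conf() {
    conf=$1
    issues=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # the firewall only opens 1194/udp, so the server must listen there
    if ! grep -Eq '^[[:space:]]*proto[[:space:]]+udp' "$conf"; then
        echo "WARN: proto is not udp (ufw only allows 1194/udp)"; issues=$((issues + 1))
    fi
    if ! grep -Eq '^[[:space:]]*port[[:space:]]+1194([[:space:]]|$)' "$conf"; then
        echo "WARN: port is not 1194"; issues=$((issues + 1))
    fi
    # ta.key only protects the control channel if the config references it
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "FAIL: no tls-auth/tls-crypt, the HMAC key is not in use"; issues=$((issues + 1))
    fi
    # without crl-verify a revoked client certificate is still accepted
    if ! has_directive "$conf" crl-verify; then
        echo "FAIL: no crl-verify, revoked certificates still authenticate"; issues=$((issues + 1))
    fi
    # the ccd/ static address only applies when the directory is configured
    if ! has_directive "$conf" client-config-dir; then
        echo "WARN: no client-config-dir, ccd/ entries are ignored"; issues=$((issues + 1))
    fi
    # vpn-only design: redirecting all client traffic should be a deliberate choice
    if grep -Eq '^[[:space:]]*push[[:space:]]+"?redirect-gateway' "$conf"; then
        echo "WARN: server pushes redirect-gateway to every client"; issues=$((issues + 1))
    fi
    echo "$issues finding(s) in $conf"
    [ "$issues" -eq 0 ]
}

# Constructed sample configs for the demo (not the author's real config)
write_sample_confs() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert issued/server.crt
key private/server.key
dh dh.pem
server 192.168.147.0 255.255.255.0
push "redirect-gateway def1"
EOF
    cat > "$dir/good.conf" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
ca ca.crt
cert issued/server.crt
key private/server.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem
client-config-dir /etc/openvpn/ccd
server 192.168.147.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
EOF
}

if [ "$#" -gt 0 ]; then
    audit_server_conf "$1"
else
    # no path given: demonstrate against the constructed samples
    tmp=$(mktemp -d)
    write_sample_confs "$tmp"
    audit_server_conf "$tmp/weak.conf" || true
    audit_server_conf "$tmp/good.conf" || true
    rm -rf "$tmp"
fi
```

Run it with no arguments to see the weak sample flagged five times and the good sample pass; point it at your real ''server.conf'' before enabling the unit. It only looks at directives, so it cannot tell you whether the referenced files exist or are readable by the openvpn user.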
 +
 +Now that the server is configured, let's enable the systemd unit:
 +
 +  systemctl enable --now openvpn-server@server
 +
 +Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset:
 +
 +  ufw allow 1194/udp
 +  ufw allow from 192.168.147.0/24 to any port 22
 +  ufw allow from 73.42.113.16 to any port 22 proto tcp   # optional: allow ssh from a static external address
 +  
 +The server is now set up, so it is time to build the client files on the server, build a client configuration file and test the connection. Copy all the generated files to a dedicated client directory for safekeeping/backup; this also makes it easier to ''scp'' them down to a client.
 +
 +  cd /etc/easy-rsa
 +  ./easyrsa build-client-full client nopass
 +  cp -p /etc/easy-rsa/pki/ca.crt /etc/openvpn/client/ca.crt
 +  cp -rp /etc/easy-rsa/pki/issued/client.crt /etc/openvpn/client/client.crt
 +  cp -rp /etc/easy-rsa/pki/private/client.key /etc/openvpn/client/client.key
 +  
 +From your client, pull the files:
 +
 +  scp -r user@remotehost.com:/etc/openvpn/client /home/user/vpn/
 +
 +On your localhost, create a client configuration file to leverage these files and connect to the openvpn server. I also included my config as an example below.
 +
 +  nano /home/user/vpn/remotehost.com.ovpn
 +  
 +[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/configs/openvpn/remotehost.com.ovpn|remotehost.com.ovpn]]
 +
 +To test if everything is working, run openvpn against the config file as follows:
 +
 +  sudo openvpn remotehost.com.ovpn
 +  
 +If everything works, you will get a final message of ''Initialization Sequence Completed''. If any errors are given, begin debugging them. There's a rather large message at the top about a fallback cipher. Unless you need legacy support, ignore this. Also, make sure that your certs/keys and ca are given proper perms:
 +
 +  chmod 600 client.key 
 +  chmod 640 ca.crt client.crt remotehost.com.ovpn
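As an added example covering both the client configuration step and the permissions step above (my own code, not the author's scripts or the linked ''remotehost.com.ovpn''), the script below builds a single-file profile with the CA, client certificate, client key and ''ta.key'' inlined, refuses to build if the key material is readable by group/other, and creates the profile itself mode 600 since it now contains a private key. The ''remotehost.com'' name, the ''client/'' directory layout and the placeholder PEM files are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example (not the author's scripts): build an inline client profile and
# check that private material is not group/world readable.
# Usage: build_ovpn /home/user/vpn/remotehost.com.ovpn remotehost.com /home/user/vpn/client

# perm_string FILE -> the nine permission characters from ls -l, e.g. rw-------
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# check_private FILE -> true only if group and other have no access (600/400)
check_private() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *) echo "FAIL: $1 is accessible by group/other ($(perm_string "$1"))"; return 1 ;;
    esac
}

# check_no_world FILE -> true only if "other" has no access (640, 600, ...)
check_no_world() {
    case "$(perm_string "$1")" in
        ??????---) return 0 ;;
        *) echo "FAIL: $1 is world-accessible ($(perm_string "$1"))"; return 1 ;;
    esac
}

# build_ovpn OUT REMOTE DIR -> write OUT from DIR/{ca.crt,client.crt,client.key,ta.key}
build_ovpn() {
    out=$1; remote=$2; dir=$3
    for f in ca.crt client.crt client.key ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f"; return 2; }
    done
    check_private "$dir/client.key" || return 1
    check_private "$dir/ta.key" || return 1
    # the profile embeds private material, so create it mode 600 (umask in a subshell)
    (
        umask 077
        {
            printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$remote"
            printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
            printf 'remote-cert-tls server\nkey-direction 1\nverb 3\n'
            for sec in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
                tag=${sec%%:*}; file=${sec#*:}
                printf '<%s>\n' "$tag"; cat "$dir/$file"; printf '</%s>\n' "$tag"
            done
        } > "$out"
    )
}

# Constructed placeholder files for the demo (NOT real certificates or keys)
make_sample_material() {
    dir=$1
    mkdir -p "$dir"
    for f in ca.crt client.crt client.key ta.key; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' "$f" '-----END PLACEHOLDER-----' > "$dir/$f"
    done
    chmod 600 "$dir/client.key" "$dir/ta.key"
    chmod 640 "$dir/ca.crt" "$dir/client.crt"
}

if [ "$#" -eq 3 ]; then
    build_ovpn "$1" "$2" "$3"
fi
```

''key-direction 1'' pairs with the server's ''tls-auth ta.key 0''; ''remote-cert-tls server'' makes the client refuse a peer whose certificate was not issued with the server role, which matters when every client shares the same CA. The permission check reads the ''ls -l'' mode string rather than GNU-only ''stat'' flags so it behaves the same on a BSD or macOS client.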
 +
 +That should be it! To test, try shelling into the physical host of the virtualization stack:
 +
 +  ssh root@192.168.122.1
 +  
 +For traffic redirection, do the following:
 +
 +  nano /etc/default/ufw
 +  <DEFAULT_FORWARD_POLICY="ACCEPT">
 +  nano /etc/ufw/before.rules
 +  <*nat>
 +  <:POSTROUTING ACCEPT [0:0]>
 +  <-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE>
 +  <COMMIT>
 +  nano /etc/sysctl.conf
 +  <net.ipv4.ip_forward=1>
 +  sysctl -p  
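All three of the edits above have to be in place for redirection to work, and a missing one fails silently (clients connect but get no internet). As an added check (my own example, not the author's scripts), the function below reads the forward policy, the nat block in ''before.rules'' and the live ''ip_forward'' value from paths you pass in, so it can be pointed at the real files or at copies. The sample files it writes are constructed for the demo; ''enp1s0f0'' and ''192.168.147.0/24'' are taken from the steps above.

```shell
#!/bin/sh
# Added example (not the author's scripts): verify the three prerequisites for
# redirect-gateway to work through this server.
# Usage: check_forwarding /etc/default/ufw /etc/ufw/before.rules /proc/sys/net/ipv4/ip_forward 192.168.147.0/24

check_forwarding() {
    ufw_default=$1; before_rules=$2; ip_forward=$3; vpn_net=$4
    rc=0
    if grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$ufw_default"; then
        echo "ok: ufw forward policy is ACCEPT"
    else
        echo "FAIL: DEFAULT_FORWARD_POLICY is not ACCEPT in $ufw_default"; rc=1
    fi
    # the *nat table must carry a MASQUERADE rule for the VPN subnet and be COMMITted
    if awk -v net="$vpn_net" '
        /^\*nat/ { innat = 1 }
        innat && /^-A POSTROUTING/ && index($0, "-s " net) && /-j MASQUERADE/ { found = 1 }
        innat && /^COMMIT/ { if (found) committed = 1; innat = 0 }
        END { exit !(found && committed) }' "$before_rules"; then
        echo "ok: MASQUERADE rule for $vpn_net present and committed"
    else
        echo "FAIL: no committed MASQUERADE rule for $vpn_net in $before_rules"; rc=1
    fi
    if [ "$(cat "$ip_forward" 2>/dev/null)" = "1" ]; then
        echo "ok: kernel ip_forward is 1"
    else
        echo "FAIL: ip_forward is not 1 (run sysctl -p after editing /etc/sysctl.conf)"; rc=1
    fi
    return $rc
}

# Constructed sample files for the demo, mirroring the edits shown above
write_sample_files() {
    dir=$1
    printf 'DEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$dir/ufw"
    cat > "$dir/before.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.147.0/24 -o enp1s0f0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
COMMIT
EOF
    printf '1\n' > "$dir/ip_forward"
}

if [ "$#" -eq 4 ]; then
    check_forwarding "$@"
else
    # no paths given: demonstrate against the constructed samples
    tmp=$(mktemp -d)
    write_sample_files "$tmp"
    check_forwarding "$tmp/ufw" "$tmp/before.rules" "$tmp/ip_forward" 192.168.147.0/24 || true
    rm -rf "$tmp"
fi
```

The awk check insists that the MASQUERADE rule sits between ''*nat'' and its ''COMMIT''; a rule pasted into the ''*filter'' section by mistake is reported as missing, which is exactly the failure you would otherwise spend time chasing.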
 +
 +This enables NAT masquerading for the VPN subnet, forwarding in ufw, and IP forwarding in the kernel. With that in place, you can add this additional line to the client config to route the client's traffic through the server:
 +
 +  redirect-gateway def1
 +  
 +I wrote some scripts to automate some of the aspects of server and client generation:
 +
 +  * [[https://repo.haacksnetworking.org/haacknet/haackingclub/-/tree/main/scripts/openvpn/openvpn-debian?ref_type=heads|Debian VPN Scripts]]
 +
 + --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/02/17 19:41//
computing/vpnserver-debian.txt · Last modified: 2024/02/17 19:43 by oemb1905