computing:vpnserver-debian [2023/05/21 20:49] – oemb1905 | computing:vpnserver-debian [2023/05/22 02:16] – removed oemb1905
Line 1: | Line 1: | ||
- | ------------------------------------------- | ||
- | * **vpnserver-debian** | ||
- | * **Jonathan Haack** | ||
- | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | ||
- | |||
- | ------------------------------------------- | ||
- | |||
- | // | ||
- | |||
- | ------------------------------------------- | ||
- | |||
- | This tutorial is for installing a simple openvpn server on a public facing VPS and/or self-hosted virtualization stack. In my case, I am using a slim Debian boot OS, with two zfs pools in RAID10 or two-way mirror setups. I use virsh primarily and/or virt-manager with qemu/kvm to manage the stack. The full setup can be found here [[https:// | ||
- | |||
- | sudo apt update | ||
- | sudo apt upgrade | ||
- | sudo apt install openvpn | ||
- | | ||
- | To keep easyrsa from writing over your configurations, | ||
- | |||
- | cp -r / | ||
- | | ||
- | Navigate inside of the easy-rsa directory (the one you just made by copying) and start building the server by initializing the pki tool, building your certificate authority, generating diffyhelmen for strong key exchange, and then building sudo ufw allow from 192.168.123.0/ | ||
- | the openvpn server itself which will leverage these: | ||
- | |||
- | cd / | ||
- | ./easyrsa init-pki | ||
- | ./easyrsa build-ca nopass | ||
- | ./easyrsa gen-dh | ||
- | ./easyrsa build-server-full server nopass | ||
- | | ||
- | To help thwart DDOS and/or UDP flooding, build a HMAC key as follows. Also, make sure to generate a revocation certificate so you can properly revoke previously signed certificates. | ||
- | | ||
- | openvpn --genkey secret / | ||
- | ./easyrsa gen-crl | ||
- | | ||
- | Copy all the files and directories for keys/certs that you just generated into the openvpn server directory: | ||
- | |||
- | cp -p / | ||
- | cp -p / | ||
- | cp -p / | ||
- | cp -p / | ||
- | cp -rp / | ||
- | cp -rp / | ||
- | | ||
- | I wanted a consistent static IP for the client, and changing '' | ||
- | |||
- | nano / | ||
- | < | ||
- | |||
- | Note that for the above static assignment to work on the client, you must add '' | ||
- | |||
- | cp / | ||
- | |||
- | [[https:// | ||
- | |||
- | Now that the server is configured, let's enable the systemd unit: | ||
- | |||
- | systemctl enable --now openvpn-server@server | ||
- | |||
- | Let's make sure the firewall only permits vpn server traffic and ssh from a private subnet as per the design mentioned at the outset: | ||
- | |||
- | ufw allow 1184/udp | ||
- | ufw allow from 192.168.123.0/ | ||
- | | ||
- | |||
- | |||
- | | ||
- | |||
- | |||
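Review bot: the paragraph beginning "Navigate inside of the easy-rsa directory" has a stray firewall command, "sudo ufw allow from 192.168.123.0/", pasted into the middle of the sentence between "building" and "the openvpn server itself"; if this page is ever restored, that fragment should move down to the ufw block at the end, where the same rule already appears as "ufw allow from 192.168.123.0/". Two smaller points in the same hunk: "diffyhelmen" should read Diffie-Hellman, and the firewall step opens only 1184/udp while the HMAC-key step ("openvpn --genkey secret") never says how the generated key is wired into the server, so the "nano" step for the server config should state that the port and proto there must match the ufw rule and that a tls-auth or tls-crypt directive pointing at the generated key is what actually provides the flood protection the text promises; without that directive the key is generated but unused.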