author David Luevano Alvarado <david@luevano.xyz> 2021-08-01 04:13:25 -0600
committer David Luevano Alvarado <david@luevano.xyz> 2021-08-01 04:13:25 -0600
commit b4ebb8b00356efde02d8323a4b6648b4415fd265 (patch)
tree 0d2e90c9bdef1910525af72249e4b0d1c87b0f75 /blog/dst/a/vpn_server_with_openvpn.html
parent a9dbd90aacab48d44dac3d6525be7e710fdf9e2f (diff)
tweak some things
Diffstat (limited to 'blog/dst/a/vpn_server_with_openvpn.html')
-rw-r--r-- blog/dst/a/vpn_server_with_openvpn.html 12
1 files changed, 7 insertions, 5 deletions
diff --git a/blog/dst/a/vpn_server_with_openvpn.html b/blog/dst/a/vpn_server_with_openvpn.html
index 000e72a..e65fc14 100644
--- a/blog/dst/a/vpn_server_with_openvpn.html
+++ b/blog/dst/a/vpn_server_with_openvpn.html
@@ -233,8 +233,8 @@ verb 3
# Only usable with udp.
explicit-exit-notify 1
</code></pre>
-<p><code>#</code> and <code>;</code> are comments. Read each and every line, you might want to change some stuff (like the logging).</p>
-<p>Now, we need to enable <em>packet forwarding</em>, which can be enabled on the interface level or globally (you can check the different options with <code>sysctl -a | grep forward</code>). I&rsquo;ll do it globally, run:</p>
+<p><code>#</code> and <code>;</code> are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP.</p>
+<p>Now, we need to enable <em>packet forwarding</em> (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with <code>sysctl -a | grep forward</code>). I&rsquo;ll do it globally, run:</p>
<pre><code class="language-sh">sysctl net.ipv4.ip_forward=1
</code></pre>
<p>And create/edit the file <code>/etc/sysctl.d/30-ipforward.conf</code>:</p>
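Review bot: typo in the first added `<p>`: "specially the first line which is your server public IP" should read "especially the first line, which is your server's public IP", and the comma splice "Read each and every line, you might want to change some stuff" wants a semicolon or a full stop. On the second added `<p>`, the new parenthetical (packet forwarding is needed "so we can access the web while connected to the VPN") is a good addition; since the same sentence points out that forwarding can be set per interface or globally, it would be worth one more clause saying that the global `net.ipv4.ip_forward=1` turns the host into a router on every interface, and that the `ufw` forward rules introduced in the next hunks are what actually limit which traffic gets forwarded.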
@@ -243,6 +243,7 @@ explicit-exit-notify 1
<p>Now we need to configure <code>ufw</code> to forward traffic through the VPN. Append the following to <code>/etc/default/ufw</code> (or edit the existing line):</p>
<pre><code>...
DEFAULT_FORWARD_POLICY=&quot;ACCEPT&quot;
+...
</code></pre>
<p>And change the <code>/etc/ufw/before.rules</code>, appending the following lines after the header <strong>but before the *filter line</strong>:</p>
<pre><code>...
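Review bot: the trailing `...` added after `DEFAULT_FORWARD_POLICY="ACCEPT"` makes the snippet consistent with the leading one, fine. The surrounding prose could state what this line does: it changes the default of ufw's FORWARD chain from DROP to ACCEPT for all interfaces, not only `tun0`, so the scoping comes entirely from the `before.rules` NAT/forward entries that the next paragraph adds. A one-sentence note there would stop readers from treating this line alone as "enable the VPN".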
@@ -260,7 +261,7 @@ COMMIT
*filter
...
</code></pre>
-<p>Where <code>interface</code> must be changed depending on your interface (in my case is <code>ens3</code>, another common one is <code>eth0</code>); I always check this by running <code>ip addr</code>, you will get a list of interfaces of which the one containing your public ip is the one that you want, for me it looks something like:</p>
+<p>Where <code>interface</code> must be changed depending on your system (in my case it&rsquo;s <code>ens3</code>, another common one is <code>eth0</code>); I always check this by running <code>ip addr</code> which gives you a list of interfaces (the one containing your server public IP is the one you want, or whatever interface your server uses to connect to the internet):</p>
<pre><code>...
2: ens3: &lt;SOMETHING,SOMETHING&gt; bla bla
link/ether bla:bla
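Review bot: the rewritten `<p>` is one very long sentence; split it after "eth0)" so the `ip addr` instruction and the "which interface to pick" rule each get their own sentence. The new clause "or whatever interface your server uses to connect to the internet" is a useful addition, since on hosts behind provider NAT the interface carrying the default route shows a private address rather than the public IP, and that is the interface the NAT rule has to name.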
@@ -268,7 +269,7 @@ COMMIT
inet my.public.ip.addr bla bla
...
</code></pre>
-<p>And also make sure the <code>10.8.0.0/24</code> matches the subnet mask specified in the <code>server.conf</code> file (in this example it matches). You should check this very carefully, because I just spend a good 2 hours debugging why my configuration wasn&rsquo;t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).</p>
+<p>And also make sure the <code>10.8.0.0/24</code> matches the subnet mask specified in the <code>server.conf</code> file (in this example it matches). You should check this very carefully, because I just spent a good 2 hours debugging why my configuration wasn&rsquo;t working, and this was te reason (I could connect to the VPN, but had no external connection to the web).</p>
<p>Finally, allow the OpenVPN port you specified (in this example its <code>1194/udp</code>) and reload <code>ufw</code>:</p>
<pre><code class="language-sh">ufw allow 1194/udp comment &quot;OpenVPN&quot;
ufw reload
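Review bot: the added line fixes "spend" to "spent" but leaves "this was te reason" (should be "the reason") in the same sentence; while touching it, "in this example its `1194/udp`" in the unchanged context line should be "it's". It would also help to say which `server.conf` line `10.8.0.0/24` has to match (the `server` directive that gives the VPN subnet and mask), since the paragraph already stresses that a mismatch silently breaks the NAT rule while the tunnel itself still comes up.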
@@ -277,7 +278,7 @@ ufw reload
<pre><code class="language-sh">systemctl start openvpn-server@server.service
systemctl enable openvpn-server@server.service
</code></pre>
-<p>Where the <code>server</code> after <code>@</code> is your specific configuration, in my case it is called just <code>server</code>.</p>
+<p>Where the <code>server</code> after <code>@</code> is the name of your configuration, <code>server.conf</code> without the <code>.conf</code> in my case.</p>
<h3 id="create-client-configurations">Create client configurations</h3>
<p>You might notice that I didn&rsquo;t specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the <code>server.conf</code> file that we created.</p>
<p>The real way of doing this would be to run similar steps as the ones with <code>easy-rsa</code> locally, send them to the server, sign them, and retrieve them. Nah, we&rsquo;ll just create all configuration files on the server as I was mentioning earlier.</p>
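Review bot: the reworded `<p>` on the `@server` instance name is clearer than the old one. On the last context line, the paragraph already concedes that "the real way" is to generate the client key material locally and only have the server sign it; since the post instead generates everything on the server, add one sentence saying that the client's private key then exists on the server and must be copied to the client over an authenticated channel and deleted afterwards, so readers understand what the shortcut trades away.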
@@ -376,6 +377,7 @@ cd $CPWD
<div class="article-info">
<p>By David Luévano</p>
<p>Created: Sun, Aug 01, 2021 @ 09:27 UTC</p>
+ <p>Modified: Sun, Aug 01, 2021 @ 10:13 UTC</p>
<div class="article-tags">
<p>Tags:
<a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p>