From 70e783628b1bf863da45cc8879b06288a498840b Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Fri, 5 May 2023 03:16:06 -0600 Subject: update css, make articles more uniform, add toc and add functionality to scroll to the top --- live/blog/a/vpn_server_with_openvpn.html | 50 ++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 12 deletions(-) (limited to 'live/blog/a/vpn_server_with_openvpn.html') diff --git a/live/blog/a/vpn_server_with_openvpn.html b/live/blog/a/vpn_server_with_openvpn.html index de80c45..6109f37 100644 --- a/live/blog/a/vpn_server_with_openvpn.html +++ b/live/blog/a/vpn_server_with_openvpn.html @@ -16,14 +16,21 @@ + + - + + + + + + @@ -73,18 +80,36 @@
+
+ +

Create a VPN server with OpenVPN (IPv4)

I’ve been wanting to do this entry, but had no time to do it since I also have to set up the VPN service as well to make sure what I’m writing makes sense, today is the day.

Like with any other of my entries I based my setup on the Arch Wiki, this install script and this profile generator script.

-

This will be installed and working alongside the other stuff I’ve wrote about on other posts (see the server tag). All commands here are executes as root unless specified otherwise. Also, this is intended only for IPv4 (it’s not that hard to include IPv6, but meh).

-

Prerequisites

+

This will be installed and working alongside the other stuff I’ve wrote about on other posts (see the server tag). All commands here are executes as root unless specified otherwise. Also, this is intended only for IPv4 (it’s not that hard to include IPv6, but meh). As always, all commands are executed as root unless stated otherwise.

+

Table of contents

+ +

Prerequisites

Pretty simple:

-

Create PKI from scratch

+

Create PKI from scratch

PKI stands for Public Key Infrastructure and basically it’s required for certificates, private keys and more. This is supposed to work between two servers and one client: a server in charge of creating, signing and verifying the certificates, a server with the OpenVPN service running and the client making the request.

This is supposed to work something like: 1) a client wants to use the VPN service, so it creates a requests and sends it to the signing server, 2) this server checks the requests and signs the request, returning the certificates to both the VPN service and the client and 3) the client can now connect to the VPN service using the signed certificate which the OpenVPN server knows about. In a nutshell, I’m no expert.

… but, to be honest, all of this is a hassle and (in my case) I want something simple to use and manage. So I’m gonna do all on one server and then just give away the configuration file for the clients, effectively generating files that anyone can run and will work, meaning that you need to be careful who you give this files (it also comes with a revoking mechanism, so no worries).

@@ -128,8 +153,8 @@ openssl dhparam -out dh.pem 2048 openvpn --genkey secret ta.key

That’s it for the PKI stuff and general certificate configuration.

-

OpenVPN

-

OpenVPN is a robust and highly flexible VPN daemon, that’s pretty complete feature wise.

+

OpenVPN

+

OpenVPN is a robust and highly flexible VPN daemon, that’s pretty complete feature-wise.

Install the openvpn package:

pacman -S openvpn
 
@@ -231,6 +256,7 @@ verb 3 explicit-exit-notify 1

# and ; are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP.

+

Enable forwarding

Now, we need to enable packet forwarding (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with sysctl -a | grep forward). I’ll do it globally, run:

sysctl net.ipv4.ip_forward=1
 
@@ -276,7 +302,7 @@ ufw reload systemctl enable openvpn-server@server.service

Where the server after @ is the name of your configuration, server.conf without the .conf in my case.

-

Create client configurations

+

Create client configurations

You might notice that I didn’t specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the server.conf file that we created.

The real way of doing this would be to run similar steps as the ones with easy-rsa locally, send them to the server, sign them, and retrieve them. Nah, we’ll just create all configuration files on the server as I was mentioning earlier.

Also, the client configuration file has to match the server one (to some degree), to make this easier you can create a client-common file in /etc/openvpn/server with the following content:

@@ -349,7 +375,7 @@ chown nobody:nobody pki/crl.pem chmod o+r pki/crl.pem cd $CPWD -

And the way to use is to run vpn_script new/rev client_name as sudo (when revoking, it doesn’t actually deletes the .ovpn file in ~/ovpn). Again, this is a little script that I put together, so you should check it out, it may need tweaks (depending on your directory structure for easy-rsa) and it could have errors.

+

And the way to use is to run vpn_script new/rev client_name as sudo (when revoking, it doesn’t actually delete the .ovpn file in ~/ovpn). Again, this is a little script that I put together, so you should check it out, it may need tweaks (depending on your directory structure for easy-rsa).

Now, just get the .ovpn file generated, import it to OpenVPN in your client of preference and you should have a working VPN service.