From 9090784e2f1bcd817ff1ebcc43bc56e16bfb4080 Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Tue, 13 Jun 2023 03:54:21 -0600 Subject: update vpn server entry with new title --- live/blog/a/vpn_server_with_openvpn.html | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) (limited to 'live/blog/a') diff --git a/live/blog/a/vpn_server_with_openvpn.html b/live/blog/a/vpn_server_with_openvpn.html index 5d16d7d..8456352 100644 --- a/live/blog/a/vpn_server_with_openvpn.html +++ b/live/blog/a/vpn_server_with_openvpn.html @@ -6,8 +6,8 @@ -Create a VPN server with OpenVPN (IPv4) -- Luévano's Blog - +Set up a VPN server with OpenVPN -- Luévano's Blog + @@ -32,11 +32,11 @@ - + - + @@ -85,7 +85,7 @@ -

Create a VPN server with OpenVPN (IPv4)

+

Set up a VPN server with OpenVPN

I’ve been wanting to do this entry, but had no time to do it since I also have to set up the VPN service as well to make sure what I’m writing makes sense, today is the day.

Like with any other of my entries I based my setup on the Arch Wiki, this install script and this profile generator script.
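Review bot: Dropping the "(IPv4)" qualifier from the title (the `-`/`+` `<title>` lines at the top of the diff and the removed/added heading in the `@@ -85,7 +85,7 @@` hunk) widens the stated scope while nothing else in this change adds IPv6 coverage to the body. Either keep the qualifier in the new title ("Set up a VPN server with OpenVPN (IPv4)") or add one sentence to the intro paragraph that follows, stating that the guide covers an IPv4-only setup, so the new title does not overpromise.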

@@ -107,12 +107,12 @@

Pretty simple:

Create PKI from scratch

PKI stands for Public Key Infrastructure and basically it’s required for certificates, private keys and more. This is supposed to work between two servers and one client: a server in charge of creating, signing and verifying the certificates, a server with the OpenVPN service running and the client making the request.

-

This is supposed to work something like: 1) a client wants to use the VPN service, so it creates a requests and sends it to the signing server, 2) this server checks the requests and signs the request, returning the certificates to both the VPN service and the client and 3) the client can now connect to the VPN service using the signed certificate which the OpenVPN server knows about. In a nutshell, I’m no expert.

-

… but, to be honest, all of this is a hassle and (in my case) I want something simple to use and manage. So I’m gonna do all on one server and then just give away the configuration file for the clients, effectively generating files that anyone can run and will work, meaning that you need to be careful who you give this files (it also comes with a revoking mechanism, so no worries).

+

In a nutshel, this is supposed to work something like: 1) a client wants to use the VPN service, so it creates a requests and sends it to the signing server, 2) this server checks the requests and signs the request, returning the certificates to both the VPN service and the client and 3) the client can now connect to the VPN service using the signed certificate which the OpenVPN server knows about.

+

That’s how the it should be st up… but, to be honest, all of this is a hassle and (in my case) I want something simple to use and manage. So I’m gonna do all on one server and then just give away the configuration file for the clients, effectively generating files that anyone can run and will work, meaning that you need to be careful who you give this files (it also comes with a revoking mechanism, so no worries).

This is done with Easy-RSA.

Install the easy-rsa package:

pacman -S easy-rsa
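Review bot: The two rewritten `+` paragraphs in this hunk introduce typos that the `-` versions did not have: "In a nutshel" should be "In a nutshell", "That's how the it should be st up" should be "That's how it should be set up", and "creates a requests"/"checks the requests" should be singular; "who you give this files" should read "these files" in both the old and new text. The security caveat in the second `+` paragraph also deserves one more sentence: the generated `.ovpn` is self-contained (the text itself says anyone who has it "can run and will work"), so it should be treated like a private key and delivered over a secure channel, and the "revoking mechanism, so no worries" only holds if the server is configured to check the CRL that the later hunk publishes as `pki/crl.pem`; otherwise a revoked client keeps connecting.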
@@ -147,12 +147,11 @@ chmod o+rx pki/private/server.key
 chown nobody:nobody pki/crl.pem
 chmod o+r pki/crl.pem
 
-

Now, go to the openvpn directory and create the required files there:

+

Finally, go to the openvpn directory and create the required files there:

cd /etc/openvpn/server
 openssl dhparam -out dh.pem 2048
 openvpn --genkey secret ta.key
 
-

That’s it for the PKI stuff and general certificate configuration.

OpenVPN

OpenVPN is a robust and highly flexible VPN daemon, that’s pretty complete feature-wise.

Install the openvpn package:
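Review bot: The `chmod o+rx pki/private/server.key` shown as this hunk's leading context makes the server's private key readable by every local account; the line is untouched here, but since the only non-root reader that could need it is the daemon's unprivileged user (the same `nobody` that `chown nobody:nobody pki/crl.pem` targets a few lines below), a group grant such as `chgrp nobody pki/private/server.key` plus `chmod 640 pki/private/server.key` gives the same effect without exposing the key to everyone. The `Now` to `Finally` wording change is fine; while touching this paragraph it would also help to say that `openvpn --genkey secret ta.key` is the OpenVPN 2.5+ spelling, since older releases only accept `openvpn --genkey --secret ta.key` and readers on an older package will hit an error here.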

@@ -303,8 +302,8 @@ systemctl enable openvpn-server@server.service

Where the server after @ is the name of your configuration, server.conf without the .conf in my case.

Create client configurations

-

You might notice that I didn’t specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the server.conf file that we created.

-

The real way of doing this would be to run similar steps as the ones with easy-rsa locally, send them to the server, sign them, and retrieve them. Nah, we’ll just create all configuration files on the server as I was mentioning earlier.

+

You might notice that I didn’t specify how to actually connect the VPN. For that we need a configuration file similar to the server.conf file that we created.

+

The real way of doing this would be to run similar steps as the ones with easy-rsa locally, send them to the server, sign them, and retrieve them. Fuck all that, we’ll just create all configuration files on the server as I was mentioning earlier.

Also, the client configuration file has to match the server one (to some degree), to make this easier you can create a client-common file in /etc/openvpn/server with the following content:

client
 dev tun
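Review bot: The rewritten second `+` paragraph ("The real way of doing this would be ...") still leaves out the reason that the client-side flow is the proper one: with a certificate request the client's private key never leaves the client, whereas generating everything on the server means the server holds every client's private key and each profile then has to be shipped to its owner over a trusted channel. One sentence stating that trade-off would justify the "be careful who you give these files" caveat from the PKI section; consider also replacing "Fuck all that" with neutral wording, since the surrounding text and the `-` version ("Nah") keep a plainer register.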
@@ -318,10 +317,10 @@ auth SHA512
 verb 3
 

Where you should make any changes necessary, depending on your configuration.

-

Now, we need a way to create and revoke new configuration files. For this I created a script, heavily based on one of the links I mentioned at the beginning, by the way. You can place these scripts anywhere you like, and you should take a look before running them because you’ll be running them as root.

+

Now, we need a way to create and revoke new configuration files. For this I created a script, heavily based on one of the links I mentioned at the beginning. You can place these scripts anywhere you like, and you should take a look before running them because you’ll be running them with elevated privileges (sudo).

In a nutshell, what it does is: generate a new client certificate keypair, update the CRL and create a new .ovpn configuration file that consists on the client-common data and all of the required certificates; or, revoke an existing client and refresh the CRL. The file is placed under ~/ovpn.

Create a new file with the following content (name it whatever you like) and don’t forget to make it executable (chmod +x vpn_script):

-
#!/bin/sh
+
#!/bin/sh
 # Client ovpn configuration creation and revoking.
 MODE=$1
 if [ ! "$MODE" = "new" -a ! "$MODE" = "rev" ]; then
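Review bot: The mode check in the script's opening lines (the context at the end of this hunk) uses `-a` inside `[ ... ]` under a `#!/bin/sh` shebang; POSIX marks `-a` obsolescent and some `sh` implementations mis-parse it when an operand looks like an option, so `if [ "$MODE" != "new" ] && [ "$MODE" != "rev" ]; then` is the portable form. The `+` line's change from "as root" to "with elevated privileges (sudo)" is accurate, but since the next paragraph says the profile lands in `~/ovpn`, it should state whose home that is: with sudo's default `env_reset`, `HOME` becomes root's, so `~/ovpn` resolves to `/root/ovpn` rather than the invoking user's directory unless the script resolves the caller's home explicitly.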
@@ -375,7 +374,7 @@ chown nobody:nobody pki/crl.pem
 chmod o+r pki/crl.pem
 cd $CPWD
 
-

And the way to use is to run vpn_script new/rev client_name as sudo (when revoking, it doesn’t actually delete the .ovpn file in ~/ovpn). Again, this is a little script that I put together, so you should check it out, it may need tweaks (depending on your directory structure for easy-rsa).

+

And the way to use is to run bash vpn_script <mode> <client_name> where mode is new or rev (revoke) as sudo (when revoking, it doesn’t actually delete the .ovpn file in ~/ovpn). Again, this is a little script that I put together, so you should check it out, it may need tweaks (specially depending on your directory structure for easy-rsa).

Now, just get the .ovpn file generated, import it to OpenVPN in your client of preference and you should have a working VPN service.
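Review bot: The `+` usage line tells the reader to run `bash vpn_script <mode> <client_name>`, but the script above starts with `#!/bin/sh` and the earlier paragraph has the reader `chmod +x` it; invoking it through `bash` ignores both the shebang and the executable bit, and `bash` is not the `sh` the script was written for. Use `sudo ./vpn_script new client_name` (or `sudo sh vpn_script new client_name`) consistently with the shebang. Minor: "specially depending" should be "especially depending", and the `cd $CPWD` in this hunk's context would be safer as `cd "$CPWD"` in case the saved path contains spaces.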