Ubuntu/OpenVPN Server: Difference between revisions
From charlesreid1
Revision as of 05:25, 8 July 2020
Install OpenVPN
Update and install; this should have been completed earlier for the PIA VPN tunnel:
sudo apt update
sudo apt -y install openvpn
Install EasyRSA
Obtain and install EasyRSA to create a certificate authority and certificates for the server:
wget -qO- https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz | tar xvz -C /opt/
cp -R /opt/EasyRSA-2.2.2 /opt/easy-rsa
ln -fs /opt/easy-rsa/openssl-1.0.0.cnf /opt/easy-rsa/openssl.cnf
Setup OpenVPN Server
Set local EasyRSA variables for the certificate in /opt/easy-rsa/local_vars:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Santa Cruz"
export KEY_ORG="charlesreid1.com"
export KEY_OU="bespin VPN"
export KEY_EMAIL=""
export KEY_NAME="bespin VPN key"
Set permissions and ownership:
chmod 0644 /opt/easy-rsa/local_vars
chown root:root /opt/easy-rsa/local_vars
Prepare to generate secrets:
cd /opt/easy-rsa
Clean the keys directory:
test -e /opt/easy-rsa/clean-all
. /opt/easy-rsa/vars; . /opt/easy-rsa/local_vars; /opt/easy-rsa/clean-all
Build the CA certificate: make the script non-interactive, then run it:
test -e /opt/easy-rsa/build-ca
sed -i 's/--interact//g' /opt/easy-rsa/build-ca
. /opt/easy-rsa/vars; . /opt/easy-rsa/local_vars; /opt/easy-rsa/build-ca
Build DH parameters:
test -e /opt/easy-rsa/build-dh
. /opt/easy-rsa/vars; . /opt/easy-rsa/local_vars; /opt/easy-rsa/build-dh
Build the server key and certificate: make the script non-interactive, then run it:
test -e /opt/easy-rsa/build-key-server
sed -i 's/--interact//g' /opt/easy-rsa/build-key-server
. /opt/easy-rsa/vars; . /opt/easy-rsa/local_vars; /opt/easy-rsa/build-key-server server
Make the keys directory and change into it:
mkdir -p /opt/easy-rsa/keys
cd /opt/easy-rsa/keys
Generate static TLS secret:
openvpn --genkey --secret statictlssecret.key
Configure VPN Server
Here we configure the VPN so that VPN IP addresses are in the CIDR block 10.10.10.0/24.
/etc/openvpn/server.conf:
port 1194
proto udp
dev tun
server 10.101.0.0 255.255.255.0
# enable this line to tunnel all client traffic thru vpn
#push "redirect-gateway def1"
# use dnsmasq as a dns server
push "dhcp-option DNS 10.10.10.1"
ca /opt/easy-rsa/keys/ca.crt
cert /opt/easy-rsa/keys/server.crt
key /opt/easy-rsa/keys/server.key
dh /opt/easy-rsa/keys/dh2048.pem
tls-auth statictlssecret.key 0
# use pam for auth
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# custom client configurations
client-config-dir /etc/openvpn/clients
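A small lint for a server.conf like the one above, added here as an example and not part of the original page: it parses the directives, flags a control channel without tls-auth/tls-crypt, a daemon that never drops root (no user/group directive), key material given by a relative path with no cd directive, and a pushed DNS server that no pushed route reaches, which is the question raised below under Configure iptables. The sample config is the page's own, trimmed; the user, group and cd directives are real OpenVPN directives not used on this page.

```python
import ipaddress

# Constructed sample: the server.conf from this page (port/proto/dev lines dropped).
SAMPLE_CONF = """\
server 10.101.0.0 255.255.255.0
#push "redirect-gateway def1"
push "dhcp-option DNS 10.10.10.1"
ca /opt/easy-rsa/keys/ca.crt
cert /opt/easy-rsa/keys/server.crt
key /opt/easy-rsa/keys/server.key
dh /opt/easy-rsa/keys/dh2048.pem
tls-auth statictlssecret.key 0
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
client-config-dir /etc/openvpn/clients
"""

def parse_conf(text):
    """Return (directive, args) pairs; comments, blank lines and quotes are dropped."""
    rows = [ln.split("#", 1)[0].replace('"', "").split() for ln in text.splitlines()]
    return [(r[0], r[1:]) for r in rows if r]

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_conf(text)
    names = {d for d, _ in entries}
    findings = []
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel has no HMAC protection")
    for d in ("user", "group"):  # privilege-drop directives (not on the page)
        if d not in names:
            findings.append(f"no '{d}' directive: daemon keeps root privileges after startup")
    routed, dns_servers, redirect = [], [], False
    for d, args in entries:
        # Relative file paths resolve against the daemon's working directory unless 'cd' is set.
        if d in ("ca", "cert", "key", "dh", "tls-auth") and args and not args[0].startswith("/") and "cd" not in names:
            findings.append(f"{d} uses relative path {args[0]} with no 'cd' directive")
        elif d == "server":  # the server helper pushes a route for this subnet
            routed.append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
        elif d == "push" and args:
            if args[0] == "route" and len(args) >= 3:
                routed.append(ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False))
            elif args[0] == "redirect-gateway":
                redirect = True
            elif args[:2] == ["dhcp-option", "DNS"] and len(args) >= 3:
                dns_servers.append(ipaddress.ip_address(args[2]))
    for dns in dns_servers:  # a pushed resolver is only useful if clients can route to it
        if not redirect and not any(dns in net for net in routed):
            findings.append(f"pushed DNS {dns} lies outside every route pushed to clients")
    return findings
```

Running lint(SAMPLE_CONF) flags the relative tls-auth path, the missing user/group directives and the unreachable 10.10.10.1 resolver; adding a cd, user, group and a pushed route for 10.10.10.0/24 clears all four.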
Configure iptables
The way we plan on doing this, we're just going to use the VPN tunnel to be able to reach bespin. There is no need to share networks.
But what DNS server will the new VPN use? Do we need a new DHCP server too? Can we handle DNS for tun1 too? Do we need to set up another dnsmasq instance?