Ubuntu/OpenVPN Server

From charlesreid1

Install OpenVPN

Update and install, this should have been completed earlier for the PIA VPN tunnel: 

sudo apt update
sudo apt -y install openvpn

Install EasyRSA

Obtain and install EasyRSA to create a certificate authority and certificates for the server: 

wget -qO- https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz | tar xvz -C /opt/
cp -R /opt/EasyRSA-2.2.2 /opt/easy-rsa
ln -fs /opt/easy-rsa/openssl-1.0.0.cnf /opt/easy-rsa/openssl.cnf

Setup OpenVPN Server

Set local EasyRSA variables for the certificate.

/opt/easy-rsa/local_vars 

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Santa Cruz"
export KEY_ORG="charlesreid1.com"
export KEY_OU="bespin VPN"
export KEY_EMAIL=""
export KEY_NAME="bespin VPN key"

Set permissions and ownership: 

chmod 0644 /opt/easy-rsa/local_vars
chown root:root /opt/easy-rsa/local_vars

Prepare to generate secrets: 

cd /opt/easy-rsa

Clean keys directory: 

test -e /opt/easy-rsa/clean-all
. /opt/easy-rsa/vars;. /opt/easy-rsa/local_vars;/opt/easy-rsa/clean-all

Build certificate - make script non-interactive, then run: 

test -e /opt/easy-rsa/build-ca
sed -i 's/--interact//g' /opt/easy-rsa/build-ca
. /opt/easy-rsa/vars;. /opt/easy-rsa/local_vars;/opt/easy-rsa/build-ca

Build DH parameters: 

test -e /opt/easy-rsa/build-dh
. /opt/easy-rsa/vars;. /opt/easy-rsa/local_vars;/opt/easy-rsa/build-dh

Build key - make script non-interactive, then run: 

test -e /opt/easy-rsa/build-key-server
sed -i 's/--interact//g' /opt/easy-rsa/build-key-server
. /opt/easy-rsa/vars;. /opt/easy-rsa/local_vars;/opt/easy-rsa/build-key-server server

Make keys directory: 

mkdir -p /opt/easy-rsa/keys
cd /opt/easy-rsa/keys

Generate static TLS secret: 

openvpn --genkey --secret statictlssecret.key

Configure VPN Server

Here we configure the VPN so that VPN IP addresses are in the CIDR block 10.10.10.0/24.

/etc/openvpn/server.conf 

port 1194
proto udp
dev tun
server 10.101.0.0 255.255.255.0
# enable this line to tunnel all client traffic thru vpn
#push "redirect-gateway def1"
# use dnsmasq as a dns server
push "dhcp-option DNS 10.10.10.1"

ca /opt/easy-rsa/keys/ca.crt
cert /opt/easy-rsa/keys/server.crt
key /opt/easy-rsa/keys/server.key
dh /opt/easy-rsa/keys/dh2048.pem

tls-auth statictlssecret.key 0

# use pam for auth
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# custom client configurations
client-config-dir /etc/openvpn/clients

Configure VPN Server Startup Service

Run this command to update the openvpn@ startup service to send separate logs for separate openvpn networks into their own log files: 

sed -i 's|^ExecStart=.*|& --log-append /var/log/openvpn.%i.log|' /lib/systemd/system/openvpn@.service

A Note on the OpenVPN Startup Service

Quick side note to explain /lib/systemd/system/openvpn@.service:

This is a TEMPLATED startup service that allows you to run multiple startup services for multiple instances of openvpn for multiple VPNs. If you run service openvpn@myvpn start, it will start OpenVPN with the configuration file myvpn.conf.

Enable and Start VPN Server Service

Given that our OpenVPN server config file is in server.conf in /etc/openvpn, we can start an OpenVPN service with this config file like this: 

systemctl enable openvpn@server.service
systemctl start openvpn@server.service

Configure iptables

The way we plan on doing this, we're just going to use the VPN tunnel to be able to reach bespin. There is no need to share networks.

But what DNS server will the new VPN use? Do we need a new DHCP server too? Can we handle DNS for tun1 too? Do we need to set up another dnsmasq instance?

Configure PAM

PAM is the pluggable authentication module in Linux. It provides a variety of methods for authenticating users in various contexts (for example, when you log into a desktop computer).

In the OpenVPN server config file, we included the following line to use PAM for authentication: 

# use pam for auth
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

This corresponds to a configuration file /etc/pam.d/openvpn that contains directives telling PAM how OpenVPN wants to authenticate users.

We can use Unix usernames/passwords to authenticate users:

/etc/pam.d/openvpn 

auth required pam_unix.so

Adding MFA to VPN Access

To add MFA to the VPN access (note: this will require changes to how users are created below), first install the Google Authenticator PAM library: 

apt-get -y install libpam-google-authenticator

Now modify the contents of /etc/pam.d/openvpn to replace the Unix login with Google Authenticator as a method of authentication:

/etc/pam.d/openvpn 

auth required /lib/x86_64-linux-gnu/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth try_first_pass

Also need to create a gauth user to handle Google Authenticator stuff: 

addgroup gauth && useradd -g gauth gauth

Create the Google Authenticator directory: 

mkdir /etc/openvpn/google-authenticator

Set ownership and permissions: 

chown gauth:gauth /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator

Update Client Config File

Configure the OopenVPN client by creating a client config file:

/opt/easy-rsa/openvpn_client.conf 

client
dev tun
proto udp
remote <remote-ip-addr-server> 1194
nobind
pull
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert clientuser.crt
key clientuser.key
tls-auth statictlssecret.key 1
auth-user-pass

Register Users

Retrieved from "https://charlesreid1.com/w/index.php?title=Ubuntu/OpenVPN_Server&oldid=28061"