databaseandnetworkmanagement:open_vpn_install_18 [2018/12/13 17:56] slawrence vs. [2021/06/25 10:09] (current), external edit 127.0.0.1
===== Before You Start =====
If you want to add a user (or yourself) to OpenVPN for support purposes, see [[support:setup_open_vpn_2018_edition|Setup Open VPN User 2018 Edition]].


===== Ubuntu 18.04 OpenVPN full installation as performed on the CA server (AWS Northern California: Errigal CA - DO NOT DELETE) and the OpenVPN server (olympus.err) =====
  * Quick instructions for making new client certificate configurations are towards the bottom.

This article explains how to install OpenVPN on Ubuntu 18.04. The steps follow this tutorial:
  * https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
-------------------------------------

==== CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE) ====
  * START THE AWS INSTANCE
  * sudo apt update
  * sudo apt install openvpn
  * wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
  * cd ~
  * tar xvf EasyRSA-3.0.4.tgz
  * cd ~/EasyRSA-3.0.4/
  * cp vars.example vars
  * vi vars
  * [Edit the EASYRSA_REQ_ properties accordingly]
  * ./easyrsa init-pki
  * ./easyrsa build-ca nopass
-------------------------------------
==== OpenVPN Server Machine (olympus) ====

  * sudo apt update
  * sudo apt install openvpn
  * wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
  * cd ~
  * tar xvf EasyRSA-3.0.4.tgz
  * cd ~/EasyRSA-3.0.4/
  * ./easyrsa init-pki
  * ./easyrsa gen-req server nopass
  * sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
  * scp -i ~/pge2.pem ~/EasyRSA-3.0.4/pki/reqs/server.req ubuntu@10.91.200.205:/tmp
-------------------------------------
==== CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE) ====

  * cd ~/EasyRSA-3.0.4/
  * ./easyrsa import-req /tmp/server.req server
  * ./easyrsa sign-req server server
  * [TYPE yes WHEN PROMPTED]

-------------------------------------

==== OpenVPN Server Machine (olympus) ====
  * scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/server.crt /tmp
  * scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/ca.crt /tmp
  * sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/
  * cd EasyRSA-3.0.4/
  * ./easyrsa gen-dh
  * openvpn --genkey --secret ta.key
  * sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
  * sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/
-------------------------------------
==== CLIENT KEY GEN on server (olympus) ====

  * mkdir -p ~/client-configs/keys
  * chmod -R 700 ~/client-configs
  * cd ~/EasyRSA-3.0.4/
  * ./easyrsa gen-req client1 nopass
  * cp pki/private/client1.key ~/client-configs/keys/
  * scp -i ~/pge2.pem pki/reqs/client1.req ubuntu@10.91.200.205:/tmp
-------------------------------------
==== CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE) ====

  * cd EasyRSA-3.0.4/
  * ./easyrsa import-req /tmp/client1.req client1
  * ./easyrsa sign-req client client1
-------------------------------------
==== OpenVPN Server Machine (olympus) ====

  * scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/client1.crt /tmp
  * cp /tmp/client1.crt ~/client-configs/keys/
  * cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
  * sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
-------------------------------------
==== Configure OpenVPN Server (olympus) ====

  * sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
  * sudo gzip -d /etc/openvpn/server.conf.gz
  * sudo vi /etc/openvpn/server.conf
  * [Add "key-direction 0" below "tls-auth ta.key 0"]
  * [Add "auth SHA256" below "cipher AES-256-CBC"]
  * [Change "dh dh2048.pem" to "dh dh.pem"]
  * [Uncomment "user nobody" and "group nogroup"]
  * [Uncomment "push "redirect-gateway def1 bypass-dhcp""]
  * [Uncomment "push "dhcp-option DNS 208.67.222.222"" and "push "dhcp-option DNS 208.67.220.220""]
  * [NOTE: Could update to push DNS to clients. Could update to use a different port/protocol like 443/tcp vs. the default 1194/udp.]
  * sudo vi /etc/sysctl.conf
  * [Uncomment "net.ipv4.ip_forward=1"]
  * sudo sysctl -p
  * [Applies the sysctl change without a reboot]
  * ip route | grep default
  * [Locate the interface name, e.g. enp7s0, and copy it]
  * sudo vi /etc/ufw/before.rules
  * Add the following lines:
<code>
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through enp7s0 (change to the interface you discovered!)
# 10.8.0.0/8 is the tutorial's value; the default "server 10.8.0.0 255.255.255.0" pool only needs 10.8.0.0/24
-A POSTROUTING -s 10.8.0.0/8 -o enp7s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
</code>
  * sudo vi /etc/default/ufw
  * [Change the DEFAULT_FORWARD_POLICY value from "DROP" to "ACCEPT"]
  * sudo ufw allow 1194/udp
  * sudo ufw allow OpenSSH
  * sudo ufw disable
  * sudo ufw enable
  * sudo systemctl start openvpn@server
  * sudo systemctl status openvpn@server
  * [Output should show 'active (running)']
  * sudo systemctl enable openvpn@server
  * mkdir -p ~/client-configs/files
  * cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
  * vi ~/client-configs/base.conf
  * [Update the line "remote my-server-1 1194" to use your server address: "remote cloud.errigal.com 1194"]
  * [Make sure "proto udp" is uncommented and that "proto tcp" is commented out with the ';' character]
  * [Comment out "tls-auth ta.key 1" with '#']
  * [Comment out the "ca", "cert" and "key" lines with '#']
  * [Under the line "cipher AES-256-CBC" add the line "auth SHA256"]
  * [Add "key-direction 1" to the file]
  * Add the following commented-out lines:
<code>
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
</code>
  * vi ~/client-configs/make_config.sh
  * Insert the following content:
<code>
#!/bin/bash

# First argument: Client identifier
if [ -z "$1" ]; then
    echo "Usage: $0 CLIENT_NAME" >&2
    exit 1
fi

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Append the CA cert, client cert, client key and tls-auth key to the base
# config as inline blocks, producing a single self-contained .ovpn file
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
</code>
  * chmod 700 ~/client-configs/make_config.sh
-------------------------------------

==== Generate Client Configuration on OpenVPN Server (olympus) ====

  * cd ~/client-configs
  * sudo ./make_config.sh client1
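The following is an added check, not part of the original page or the DigitalOcean tutorial: it audits a bundle produced by make_config.sh, confirming that the base.conf edits above survived into the .ovpn and that all four inline credential blocks are present and closed. The sample .ovpn files it builds contain constructed placeholder PEM text rather than real keys; the hostname cloud.errigal.com is the one used in the steps above.

```shell
#!/bin/bash
# Added example: audit a client bundle written by make_config.sh before handing it out.
# Confirms the base.conf edits from the steps above survived into the .ovpn and that all
# four inline credential blocks are present and closed. Not part of the original page.

check_ovpn() {
    local f="$1" fail=0 d blk
    # Directives the client profile must carry after the base.conf edits
    for d in 'remote ' 'proto udp' 'cipher AES-256-CBC' 'auth SHA256' 'key-direction 1'; do
        grep -Eq "^${d}" "$f" || { echo "MISSING directive: ${d}"; fail=1; }
    done
    # ca/cert/key/tls-auth file-path lines must stay commented out; inline blocks replace them
    if grep -Eq '^(ca|cert|key|tls-auth)[[:space:]]' "$f"; then
        echo "LIVE file-path directive found (ca/cert/key/tls-auth)"; fail=1
    fi
    for blk in ca cert key tls-auth; do
        # the text between <blk> and </blk> must contain PEM material ...
        sed -n "/^<${blk}>/,/^<\/${blk}>/p" "$f" | grep -q -- '-----BEGIN' \
            || { echo "EMPTY or missing inline block: <${blk}>"; fail=1; }
        # ... and the block must actually be closed
        grep -q "^</${blk}>" "$f" || { echo "UNCLOSED inline block: <${blk}>"; fail=1; }
    done
    return "$fail"
}

# Constructed sample bundles (placeholder PEM text, not real keys) in a scratch directory
WORK=$(mktemp -d)
GOOD_OVPN="$WORK/client1.ovpn"
BAD_OVPN="$WORK/broken.ovpn"
PEM=$(printf '%s\n' '-----BEGIN PLACEHOLDER-----' 'bm90IGEgcmVhbCBrZXk=' '-----END PLACEHOLDER-----')

{
    printf '%s\n' client 'dev tun' 'proto udp' ';proto tcp' 'remote cloud.errigal.com 1194' \
        '#ca ca.crt' '#cert client1.crt' '#key client1.key' '#tls-auth ta.key 1' \
        'cipher AES-256-CBC' 'auth SHA256' 'key-direction 1'
    for blk in ca cert key tls-auth; do printf '<%s>\n%s\n</%s>\n' "$blk" "$PEM" "$blk"; done
} > "$GOOD_OVPN"

# Broken variant: ta.key never made it into the bundle and the tls-auth path line is still live
sed -e '/^<tls-auth>/,$d' -e 's/^#tls-auth/tls-auth/' "$GOOD_OVPN" > "$BAD_OVPN"

check_ovpn "$GOOD_OVPN" && echo "client1.ovpn: OK"
check_ovpn "$BAD_OVPN" || echo "broken.ovpn: rejected"
```

Run it against ~/client-configs/files/CLIENT.ovpn with `check_ovpn` to catch a bundle where a cert or key was never copied into ~/client-configs/keys.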
-------------------------------------
==== Your Client (i.e. your MacBook) ====

  * sftp scotty@olympus.err:client-configs/files/client1.ovpn ~/
  * INSTALL Tunnelblick: https://tunnelblick.net/release/Tunnelblick_3.7.8_build_5180.dmg
  * [Say you have no configuration files]
  * [When the install is complete, open a Finder window and double-click ~/client1.ovpn]
  * In Tunnelblick, click 'Settings' and check the box 'Redirect all IPV4 traffic through the VPN'
  * If prompted to 'Always Use Plugin', click it so that you always use the connect/disconnect plugin. Do not click 'Do not use plugin' or the like.
  * Manually update your System Preferences -> Network -> Settings to include OpenDNS and Errigal DNS:
    * 10.91.100.71
    * 208.67.222.222
    * 208.67.220.220
-------------------------------------
===== GENERATING NEW CLIENT CONFIGS (Quick) =====

> Visit OpenVPN Server Machine (olympus.err)

  * cd ~/EasyRSA-3.0.4/
  * ./easyrsa gen-req CONFIG_NAME nopass
  * cp pki/private/CONFIG_NAME.key ~/client-configs/keys/
  * scp -i ~/pge2.pem pki/reqs/CONFIG_NAME.req ubuntu@10.91.200.205:/tmp

> Visit CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE)

  * cd EasyRSA-3.0.4/
  * ./easyrsa import-req /tmp/CONFIG_NAME.req CONFIG_NAME
  * ./easyrsa sign-req client CONFIG_NAME


> Visit OpenVPN Server Machine (olympus.err)

  * scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/CONFIG_NAME.crt /tmp
  * cp /tmp/CONFIG_NAME.crt ~/client-configs/keys/
  * cd ~/client-configs
  * sudo ./make_config.sh CONFIG_NAME
  * [The config file is ~/client-configs/files/CONFIG_NAME.ovpn]

> MAKE SURE YOU STOP THE AWS Northern California: Errigal CA - DO NOT DELETE instance

---------------------------------------

===== START/STOP OpenVPN Server =====
> Visit OpenVPN Server Machine (olympus.err)

  * sudo systemctl stop openvpn@server
  * sudo systemctl start openvpn@server
  * sudo systemctl enable openvpn@server
  * sudo systemctl status openvpn@server