Internal Errigal Collaboration Wiki

User Tools

Site Tools

Trace: customer_idms_production_environments supportrequestpageticket_management greenbone_security_assistant rdf_server_setup support_request
toolsandtechnologies:raspberrypiopenvpn

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
toolsandtechnologies:raspberrypiopenvpn [2017/07/26 12:16] – [VPN Program for Mac] 1carew1toolsandtechnologies:raspberrypiopenvpn [2021/06/25 10:09] (current) – external edit 127.0.0.1
Line 1: Line 1:
 + --- //[[colm.carew@errigal.com|Colm Carew]] 2017/07/24 04:53//
  
 +====== Install Open VPN on Raspberry Pi (Raspbian)/Ubuntu 16 ======
 +source : https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
 +The source is Ubuntu but there are some steps that need to be added to make it work on the Pi but not many
 +
 +===== Initial Setup =====
 +  * sudo apt-get update
 +  * sudo apt-get install openvpn easy-rsa
 +  * sudo apt-get install ufw
 +  * make-cadir ~/openvpn-ca
 +  * cd ~/openvpn-ca
 +  * nano vars
 +  * # The following variables should be something like : <code>
 +..............
 +export KEY_COUNTRY="IE"
 +export KEY_PROVINCE="WD"
 +export KEY_CITY="Waterford"
 +export KEY_ORG="Errigal"
 +export KEY_EMAIL="support@errigal.com"
 +export KEY_OU="Err"
 +
 +# X509 Subject Field
 +export KEY_NAME="server"
 +.................
 +</code>
 +  * NOTE: On newer versions of Ubuntu, you make have to make an update in vars for the KEY_CONFIG openssl.cnf pointer <code>
 +# This variable should point to
 +# the openssl.cnf file included
 +# with easy-rsa.
 +export KEY_CONFIG=$EASY_RSA/openssl-1.0.0.cnf #<-This format works
 +</code>
 +  * sudo chown -R scotty /usr/share/easy-rsa/
 +  * cd ~/openvpn-ca
 +  * source vars<code>
 +OUTPUT should look like:
 +
 +scotty@erato:~/openvpn-ca$ source vars
 +NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/scotty/openvpn-ca/keys
 +</code>
 +  * ./clean-all
 +  * ./build-ca
 +  * ./build-key-server server
 +  * # The next part will take a good few minutes
 +  * ./build-dh
 +  * openvpn --genkey --secret keys/ta.key **(TWO DASHSES BEFORE genkey and secret)**
 +  * cd ~/openvpn-ca
 +  * source vars
 +  * ./build-key-pass someUser
 +  * cd ~/openvpn-ca/keys
 +  * sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
 +  * gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
 +  * sudo nano /etc/openvpn/server.conf
 +  * # First, find the HMAC section by looking for the tls-auth directive. Remove the ";" to uncomment the tls-auth line. Below this, add the key-direction parameter set to "0": <code>tls-auth ta.key 0 # This file is secret
 +key-direction 0 </code>
 +  *# Next, find the section on cryptographic ciphers by looking for the commented out cipher lines. The AES-128-CBC cipher offers a good level of encryption and is well supported. Remove the ";" to uncomment the cipher AES-128-CBC line: <code>cipher AES-128-CBC </code>
 +  * # Below this, add an auth line to select the HMAC message digest algorithm. For this, SHA256 is a good choice: <code>auth SHA256 </code>
 +  * # Finally, find the user and group settings and remove the ";" at the beginning of to uncomment those lines: <code>user nobody
 +group nogroup </code>
 +  * # Ensure dh dh2048.pem is dh dh2048.pem and not dh dh1024.pem : <code>dh dh2048.pem </code>
 +  * # Ensure to push dhcp options and redirect the gateway : <code>push "redirect-gateway def1 bypass-dhcp"
 +push "dhcp-option DNS 10.91.100.71"
 +push "dhcp-option DNS 8.8.8.8" </code>
 +  * save and exit
 +  * sudo nano /etc/sysctl.conf
 +  * # Inside, look for the line that sets net.ipv4.ip_forward. Remove the "#" character from the beginning of the line to uncomment that setting: <code>net.ipv4.ip_forward=1 </code>
 +  * save and exit
 +  * sudo sysctl -p
 +  * ip route | grep default
 +  * # Your public interface should follow the word "dev". For example, this result shows the interface named wlp11s0, which is highlighted below: <code>default via 203.0.113.1 dev wlp11s0  proto static  metric 600 </code>
 +  * # For the RPI if using ethernet it will probably be eth0
 +  * # Make sure you actually replace wlp11s0 with whatever the interface is, incase of the pi it probably will be eth0 for ethernet but if you are using WiFi it would be wlan0 etc, make sure to check using : ip route | grep default
 +  * sudo nano /etc/ufw/before.rules
 +  * # Make it look like <code>#
 +# rules.before
 +#
 +# Rules that should be run before the ufw command line added rules. Custom
 +# rules should be added to one of these chains:
 +#   ufw-before-input
 +#   ufw-before-output
 +#   ufw-before-forward
 +#
 +
 +# START OPENVPN RULES
 +# NAT table rules
 +*nat
 +:POSTROUTING ACCEPT [0:0] 
 +# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
 +-A POSTROUTING -s 10.8.0.0/8 -o wlp11s0 -j MASQUERADE
 +COMMIT
 +# END OPENVPN RULES
 +
 +# Don't delete these required lines, otherwise there will be errors
 +*filter
 +. . . </code>
 +  * sudo nano /etc/default/ufw
 +  * # Inside, find the DEFAULT_FORWARD_POLICY directive. We will change the value from DROP to ACCEPT: <code>DEFAULT_FORWARD_POLICY="ACCEPT" </code>
 +  * save and exit
 +  * sudo ufw allow 1194/udp
 +  * sudo ufw allow OpenSSH
 +  * sudo ufw disable
 +  * sudo ufw enable
 +  * # Now time to start open vpn
 +  * sudo systemctl start openvpn@server
 +  * # If this says anything after running, there probably an error
 +  * sudo systemctl status openvpn@server
 +  * # See the status it should show something like : <code>● openvpn@server.service - OpenVPN connection to server
 +   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
 +   Active: active (running) since Tue 2016-05-03 15:30:05 EDT; 47s ago
 +     Docs: man:openvpn(8)
 +           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
 +           https://community.openvpn.net/openvpn/wiki/HOWTO
 +  Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, sta
 + Main PID: 5856 (openvpn)
 +    Tasks: 1 (limit: 512)
 +   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
 +           └─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
 +
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: GID set to nogroup
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: UID set to nobody
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link local (bound): [undef]
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link remote: [undef]
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: MULTI: multi_init called, r=256 v=256
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL LIST
 +May 03 15:30:05 openvpn2 ovpn-server[5856]: Initialization Sequence Completed </code>
 +  * # If it shows an error its fairly good at telling you what is missing and the error is probably in the /etc/openvpn/server.conf file
 +  * # Check the tun0 interface
 +  * ip addr show tun0
 +  * # If everything went well enable Open Vpn
 +  * sudo systemctl enable openvpn@server
 +
 +===== Client Configuration Infrastructure =====
 +  * mkdir -p ~/client-configs/files
 +  * chmod 700 ~/client-configs/files
 +  * cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
 +  * nano ~/client-configs/base.conf
 +  * # First, locate the remote directive. This points the client to our OpenVPN server address. This should be the public IP address of your OpenVPN server. If you changed the port that the OpenVPN server is listening on, change 1194 to the port you selected: <code>. . .
 +# The hostname/IP and port of the server.
 +# You can have multiple remote entries
 +# to load balance between the servers.
 +remote 212.17.60.121 1194
 +. . . </code>
 +  * Next, uncomment the user and group directives by removing the ";": <code># Downgrade privileges after initialization (non-Windows only)
 +user nobody
 +group nogroup</code>
 +  * Find the directives that set the ca, cert, and key. Comment out these directives since we will be adding the certs and keys within the file itself: <code># SSL/TLS parms.
 +# See the server config file for more
 +# description.  It's best to use
 +# a separate .crt/.key file pair
 +# for each client.  A single ca
 +# file can be used for all clients.
 +#ca ca.crt
 +#cert client.crt
 +#key client.key</code>
 +  * # Mirror the cipher and auth settings that we set in the /etc/openvpn/server.conf file: <code>cipher AES-128-CBC
 +auth SHA256</code>
 +  * # Next, add the key-direction directive somewhere in the file. This must be set to "1" to work with the server: <code>key-direction 1</code>
 +  * # Finally, add a few commented out lines. We want to include these with every config, but should only enable them for Linux clients that ship with a /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients. : <code># script-security 2
 +# up /etc/openvpn/update-resolv-conf
 +# down /etc/openvpn/update-resolv-conf</code>
 +  * save and exit
 +  * nano ~/client-configs/make_config.sh
 +  * # Ensure its blank and paste the following : <code>#!/bin/bash
 +
 +# First argument: Client identifier
 +
 +KEY_DIR=~/openvpn-ca/keys
 +OUTPUT_DIR=~/client-configs/files
 +BASE_CONFIG=~/client-configs/base.conf
 +
 +cat ${BASE_CONFIG} \
 +    <(echo -e '<ca>') \
 +    ${KEY_DIR}/ca.crt \
 +    <(echo -e '</ca>\n<cert>') \
 +    ${KEY_DIR}/${1}.crt \
 +    <(echo -e '</cert>\n<key>') \
 +    ${KEY_DIR}/${1}.key \
 +    <(echo -e '</key>\n<tls-auth>') \
 +    ${KEY_DIR}/ta.key \
 +    <(echo -e '</tls-auth>') \
 +    > ${OUTPUT_DIR}/${1}.ovpn</code>
 +  * save and exit
 +  * chmod 700 ~/client-configs/make_config.sh
 +  * # How to make client configs is below - the .ovpn file is the important file
 +
 +
 +
 +===== Initial Set up Revoking Certs - Only needs to be done once for initial setup =====
 +  * cd ~/openvpn-ca
 +  * source vars
 +  * ./revoke-full bad_user
 +  * # Should say error 23
 +  * sudo nano /etc/openvpn/server.conf
 +  * # At the bottom of the file, add the crl-verify option, so that the OpenVPN server checks the certificate revocation list that we've created each time a connection attempt is made: <code>crl-verify crl.pem</code>
 +  * save and exit
 +  * sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn
 +  * sudo systemctl restart openvpn@server
 +
 +===== VPN Program for Mac =====
 +https://tunnelblick.net/downloads.html
 +
 +===== Generating New VPN Certs =====
 +  * ssh to the VPN server
 +  * cd ~/openvpn-ca
 +  * source vars
 +  * ./build-key-pass firstname_lastname
 +  * # Give them a good password (pem passphrase), you can just press enter for everything else except for email, change their email, do not set a challenge password just press enter.
 +  * # When asked to sign, y and enter, when asked to commit y and enter
 +  * # if an error appears such as db then the user already exists so give them a different name like firstname_lastname_1 etc.
 +  * # if successful it should say : Write out database with 1 new entries\n Data Base Updated
 +  * cd ~/client-configs
 +  * ./make_config.sh firstname_lastname
 +  * # The opvn file should be located : ~/client-configs/files
 +
 +===== Revoking VPN Certs =====
 +  * cd ~/openvpn-ca
 +  * source vars
 +  * ./revoke-full their_user
 +  * sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn
 +  * sudo systemctl restart openvpn@server
 +
 +===== Rebooting Pi =====
 +Run the following commands:
 +  * ssh pi@10.5.5.11  (usual password)
 +  * sudo reboot

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki