===== Before You Start =====
If you only need to add a user (or yourself) to OpenVPN for support purposes, see [[support:setup_open_vpn_2018_edition|Setup Open VPN User 2018 Edition]] instead.
===== Ubuntu 18.04 OpenVPN Full Installation as performed on the CA Server (AWS Northern California: Errigal CA - DO NOT DELETE) and OpenVPN Server (olympus.err) =====
* Quick instructions for making new client certificate configurations are towards the bottom
This article explains how OpenVPN was installed on Ubuntu 18.04, with the CA kept on a separate machine from the VPN server. The steps follow this tutorial:
* https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
-------------------------------------
==== CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE) ====
* START THE AWS INSTANCE
* sudo apt update
* sudo apt install openvpn
* wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
* cd ~
* tar xvf EasyRSA-3.0.4.tgz
* cd ~/EasyRSA-3.0.4/
* cp vars.example vars
* vi vars
* [EDIT the EASYRSA_REQ_* properties (country, province, city, org, email, OU) accordingly]
* ./easyrsa init-pki
* ./easyrsa build-ca nopass
* [NOTE: "nopass" leaves the CA private key (pki/private/ca.key) unencrypted on disk. Anyone who can read it can issue certificates the VPN server will trust, so keep this instance stopped when you are not issuing certs and never copy ca.key anywhere; only ca.crt ever leaves this machine.]
-------------------------------------
==== OpenVPN Server Machine (olympus) ====
* sudo apt update
* sudo apt install openvpn
* wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
* cd ~
* tar xvf EasyRSA-3.0.4.tgz
* cd ~/EasyRSA-3.0.4/
* ./easyrsa init-pki
* ./easyrsa gen-req server nopass
* [Accept the default Common Name "server" when prompted]
* sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
* scp -i ~/pge2.pem ~/EasyRSA-3.0.4/pki/reqs/server.req ubuntu@10.91.200.205:/tmp
-------------------------------------
==== CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE) ====
* cd ~/EasyRSA-3.0.4/
* ./easyrsa import-req /tmp/server.req server
* ./easyrsa sign-req server server
* [Check that the Common Name shown is "server", then TYPE yes WHEN PROMPTED. The signed certificate lands in pki/issued/server.crt]
-------------------------------------
==== OpenVPN Server Machine (olympus) ====
* scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/server.crt /tmp
* scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/ca.crt /tmp
* sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/
* cd ~/EasyRSA-3.0.4/
* ./easyrsa gen-dh
* [Takes a few minutes; the output is pki/dh.pem]
* openvpn --genkey --secret ta.key
* [ta.key is the tls-auth HMAC key shared by the server and every client, so treat it like a private key; the server uses it with direction 0, clients with direction 1]
* sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
* sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/
-------------------------------------
==== CLIENT KEY GEN on server (olympus) ====
* mkdir -p ~/client-configs/keys
* chmod -R 700 ~/client-configs
* cd ~/EasyRSA-3.0.4/
* ./easyrsa gen-req client1 nopass
* cp pki/private/client1.key ~/client-configs/keys/
* scp -i ~/pge2.pem pki/reqs/client1.req ubuntu@10.91.200.205:/tmp
-------------------------------------
==== CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE) ====
* cd ~/EasyRSA-3.0.4/
* ./easyrsa import-req /tmp/client1.req client1
* ./easyrsa sign-req client client1
* [Check that the Common Name shown is "client1", then TYPE yes WHEN PROMPTED. Always sign client requests with the "client" type: a request signed as "server" would yield a certificate that could impersonate the VPN server.]
-------------------------------------
==== OpenVPN Server Machine (olympus) ====
* scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/client1.crt /tmp
* cp /tmp/client1.crt ~/client-configs/keys/
* cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
* sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
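The steps above move certificate requests to the CA machine and signed certificates back by hand, so it is worth checking what came back before it is copied into /etc/openvpn or bundled into a client profile. The script below is an added example, not code from this page or from the DigitalOcean tutorial. It assumes the openssl command-line tool is installed, and it builds a throwaway CA, client certificate and server certificate on the spot (not Errigal's CA) purely to exercise the check: a certificate must chain to ca.crt and must carry the extendedKeyUsage that matches the type it was signed as.

```shell
#!/bin/sh
# Added example, not part of this page or the DigitalOcean tutorial.
# Assumes the openssl CLI is installed. The demo PKI below is throwaway
# material generated on the spot; it is not Errigal's CA.

# verify_cert CA_CRT CERT TYPE   (TYPE is "client" or "server")
# Succeeds only if CERT chains to CA_CRT and carries the extendedKeyUsage
# for that TYPE, i.e. it was signed with the matching "sign-req <type>".
verify_cert() {
    ca=$1; cert=$2; kind=$3
    case $kind in
        client) purpose=sslclient ;;
        server) purpose=sslserver ;;
        *) echo "verify_cert: type must be client or server" >&2; return 2 ;;
    esac
    openssl verify -purpose "$purpose" -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# cert_cn CERT: print the Common Name, which is what EasyRSA asked for at
# gen-req time and what identifies the client in the server's status log.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# --- constructed demo PKI: one CA, one client request, one server request ---
DEMO=$(mktemp -d)
cat > "$DEMO/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# These two files play the role of EasyRSA's "client" and "server" cert types.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$DEMO/client.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$DEMO/server.ext"

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$DEMO/req.cnf" \
    -subj '/CN=Demo CA' -keyout "$DEMO/ca.key" -out "$DEMO/ca.crt" 2>/dev/null
for name in client1 server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$DEMO/req.cnf" \
        -subj "/CN=$name" -keyout "$DEMO/$name.key" -out "$DEMO/$name.req" 2>/dev/null
done

# sign_req NAME TYPE: the CA-side step, the equivalent of "easyrsa sign-req TYPE NAME".
sign_req() {
    openssl x509 -req -days 1 -in "$DEMO/$1.req" -CA "$DEMO/ca.crt" -CAkey "$DEMO/ca.key" \
        -CAcreateserial -extfile "$DEMO/$2.ext" -out "$DEMO/$1.crt" 2>/dev/null
}
sign_req client1 client
sign_req server server

# What to run on olympus after scp'ing a certificate back from the CA machine:
verify_cert "$DEMO/ca.crt" "$DEMO/client1.crt" client \
    && echo "client1.crt: valid client cert, CN=$(cert_cn "$DEMO/client1.crt")"
verify_cert "$DEMO/ca.crt" "$DEMO/client1.crt" server \
    || echo "client1.crt: rejected as a server cert (as it should be)"
```

On the real server the call is `verify_cert /tmp/ca.crt /tmp/client1.crt client` (or `... server.crt server`) right after the scp steps; a non-zero exit means either the CA machine signed with the wrong type or the file does not belong to this CA at all, and the certificate should not be installed.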
-------------------------------------
==== Configure OpenVPN Server (olympus) ====
* sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
* sudo gzip -d /etc/openvpn/server.conf.gz
* sudo vi /etc/openvpn/server.conf
* [Add "key-direction 0" below "tls-auth ta.key 0"]
* [Add "auth SHA256" below "cipher AES-256-CBC"]
* [Change "dh dh2048.pem" to "dh dh.pem"]
* [Uncomment "user nobody" and "group nogroup" so the daemon drops root privileges after start-up]
* [Uncomment "push "redirect-gateway def1 bypass-dhcp"" so clients send all their traffic through the tunnel]
* [Uncomment "push "dhcp-option DNS 208.67.222.222"" and "push "dhcp-option DNS 208.67.220.220""]
* [NOTE: The Errigal DNS server (10.91.100.71) could also be pushed to clients here. A different port/protocol such as 443/tcp could be used instead of the default 1194/udp; if you change it, change the ufw rule and the client "remote"/"proto" lines below to match.]
* sudo vi /etc/sysctl.conf
* [Uncomment "net.ipv4.ip_forward=1"]
* sudo sysctl -p
* ip route | grep default
* [Locate the interface name in the output, i.e. enp7s0, and copy it]
* sudo vi /etc/ufw/before.rules
* [Add the following lines near the top of the file, above the existing "*filter" line. The MASQUERADE source must match the "server 10.8.0.0 255.255.255.0" line in server.conf. The tutorial's 10.8.0.0/8 is really 10.0.0.0/8 and would also masquerade anything arriving from the 10.91.x.x office networks, so use /24:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to enp7s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/24 -o enp7s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
* sudo vi /etc/default/ufw
* [Change DEFAULT_FORWARD_POLICY value from "DROP" to "ACCEPT"]
* sudo ufw allow 1194/udp
* sudo ufw allow OpenSSH
* sudo ufw disable
* sudo ufw enable
* sudo systemctl start openvpn@server
* sudo systemctl status openvpn@server
* [Output should show 'active (running)']
* sudo systemctl enable openvpn@server
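The server-side steps above hard-code the NAT source network and rely on you having made every server.conf edit by hand. The script below is an added example, not code from this page or from the DigitalOcean tutorial: it derives the MASQUERADE source from the "server" line in server.conf, prints the before.rules fragment for a given interface, and reports which of this page's server.conf directives are still missing or commented out before openvpn@server is started. It assumes server.conf keeps the sample-config layout (one directive per line); the server.conf it checks is a constructed sample embedded in the script.

```shell
#!/bin/sh
# Added example, not part of this page or the DigitalOcean tutorial.
# Derives the MASQUERADE source for /etc/ufw/before.rules from the "server"
# line in server.conf instead of hard-coding it, and checks that server.conf
# carries every directive this page adds before openvpn@server is started.
# Assumes server.conf follows the sample-config layout (one directive per line).

# mask_to_prefix 255.255.255.0 -> 24. Rejects malformed or non-contiguous masks.
mask_to_prefix() {
    mask=$1; bits=0; ended=0
    set -- $(printf '%s' "$mask" | tr . ' ')
    [ $# -eq 4 ] || { echo "bad netmask: $mask" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) echo "bad netmask octet '$octet' in $mask" >&2; return 1 ;;
        esac
        # Once an octet is not all-ones, every later octet must be zero.
        if [ "$ended" -eq 1 ] && [ "$n" -ne 0 ]; then
            echo "non-contiguous netmask: $mask" >&2; return 1
        fi
        [ "$n" -eq 8 ] || ended=1
        bits=$((bits + n))
    done
    echo "$bits"
}

# ovpn_subnet_cidr SERVER_CONF -> 10.8.0.0/24 from "server 10.8.0.0 255.255.255.0"
ovpn_subnet_cidr() {
    line=$(grep -E '^[[:space:]]*server[[:space:]]' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "no 'server' directive in $1" >&2; return 1; }
    set -- $line
    prefix=$(mask_to_prefix "$3") || return 1
    echo "$2/$prefix"
}

# ovpn_nat_block IFACE CIDR -> the fragment to paste above "*filter" in before.rules
ovpn_nat_block() {
    printf '%s\n' \
        '# START OPENVPN RULES' \
        '# NAT table rules' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "# Allow traffic from OpenVPN clients ($2) out of $1" \
        "-A POSTROUTING -s $2 -o $1 -j MASQUERADE" \
        'COMMIT' \
        '# END OPENVPN RULES'
}

# check_server_conf SERVER_CONF: print each directive from this page that is
# missing or still commented out (';' or '#'); return 1 if there were any.
check_server_conf() {
    missing=0
    for want in 'tls-auth ta.key 0' 'key-direction 0' 'cipher AES-256-CBC' \
                'auth SHA256' 'dh dh.pem' 'user nobody' 'group nogroup' \
                'push "redirect-gateway def1 bypass-dhcp"'; do
        grep -qxF "$want" "$1" || { echo "missing or commented out: $want"; missing=1; }
    done
    return $missing
}

# --- constructed sample server.conf: dh still at the sample default, user still commented ---
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
;user nobody
group nogroup
EOF

check_server_conf "$SAMPLE_CONF" || echo "fix server.conf before 'systemctl start openvpn@server'"
ovpn_nat_block enp7s0 "$(ovpn_subnet_cidr "$SAMPLE_CONF")"
```

On olympus the real calls are `check_server_conf /etc/openvpn/server.conf` and `ovpn_nat_block "$(ip route | awk '/default/ {print $5}')" "$(ovpn_subnet_cidr /etc/openvpn/server.conf)"`; paste the printed block into before.rules rather than copying the /8 rule from the tutorial.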
* mkdir -p ~/client-configs/files
* cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
* vi ~/client-configs/base.conf
* [Update the line "remote my-server-1 1194" to point at the server's public hostname: "remote cloud.errigal.com 1194"]
* [Make sure "proto udp" is uncommented and that "proto tcp" is commented out with the ';' character]
* [Comment out "tls-auth ta.key 1" with '#'; the key is embedded inline in the .ovpn by make_config.sh instead]
* [Comment out the "ca", "cert" and "key" lines with '#'; these are embedded inline too]
* [Under the line "cipher AES-256-CBC" add the line "auth SHA256" (must match the server)]
* [Add "key-direction 1" to the file; the server uses 0 and the client must use 1]
* [Add the following commented-out lines; Linux clients with update-resolv-conf can uncomment them to pick up the pushed DNS servers:
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
* vi ~/client-configs/make_config.sh
* Insert the following content. The <ca>, <cert>, <key> and <tls-auth> tags are what turn the appended files into inline blocks that OpenVPN recognises; without them the generated .ovpn carries no usable credentials:
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
* chmod 700 ~/client-configs/make_config.sh
-------------------------------------
==== Generate Client Configuration on OpenVPN Server (olympus) ====
* cd ~/client-configs
* ./make_config.sh client1
* chmod 600 ~/client-configs/files/client1.ovpn
* [No sudo is needed: everything under ~/client-configs is owned by your user, and running the script under sudo leaves a root-owned client1.ovpn. Either way the file embeds the client's private key, hence the chmod 600.]
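A profile that make_config.sh has assembled incorrectly (tags lost, a file-based directive left active, wrong key-direction) fails silently until someone tries to connect. The script below is an added example, not code from this page or from the DigitalOcean tutorial: it builds the same all-inline .ovpn in portable sh (no bash process substitution) with owner-only permissions from the moment the file exists, then lints the result for the mistakes the base.conf edits above are meant to prevent. The base.conf and the key material it uses are constructed placeholders embedded in the script, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not part of this page or the DigitalOcean tutorial.
# Assembles an all-inline .ovpn the way make_config.sh does, but in portable
# sh (no bash process substitution), and lints the result before it is handed
# to a user. The demo key material below is constructed placeholder text, not
# real certificates or keys.

# build_ovpn BASE_CONF KEY_DIR NAME OUT_DIR -> writes OUT_DIR/NAME.ovpn
build_ovpn() {
    base=$1; keydir=$2; name=$3; out=$4/$3.ovpn
    (
        umask 077   # the profile embeds a private key: owner-only from creation
        {
            cat "$base"
            printf '<ca>\n';       cat "$keydir/ca.crt";     printf '</ca>\n'
            printf '<cert>\n';     cat "$keydir/$name.crt";  printf '</cert>\n'
            printf '<key>\n';      cat "$keydir/$name.key";  printf '</key>\n'
            printf '<tls-auth>\n'; cat "$keydir/ta.key";     printf '</tls-auth>\n'
        } > "$out"
    )
}

# check_ovpn FILE: print one line per problem; return 1 if there were any.
check_ovpn() {
    f=$1; bad=0
    for tag in ca cert key tls-auth; do
        opens=$(grep -c "^<$tag>$" "$f" || true)
        closes=$(grep -c "^</$tag>$" "$f" || true)
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "$f: expected exactly one <$tag>...</$tag> block (open=$opens close=$closes)"
            bad=1
        fi
        # A file-based directive left active next to the inline block is
        # ambiguous; base.conf comments these out for exactly that reason.
        if grep -qE "^[[:space:]]*$tag[[:space:]]+[^[:space:]]" "$f"; then
            echo "$f: file-based '$tag' directive is still active; comment it out"
            bad=1
        fi
    done
    # The server side uses "key-direction 0", so every client must use 1.
    grep -qxF 'key-direction 1' "$f" || { echo "$f: missing 'key-direction 1'"; bad=1; }
    # The inline blocks must actually contain PEM / OpenVPN key text.
    for marker in 'BEGIN CERTIFICATE' 'BEGIN.*PRIVATE KEY' 'BEGIN OpenVPN Static key V1'; do
        grep -qE "$marker" "$f" || { echo "$f: no '$marker' in the inline blocks"; bad=1; }
    done
    # Transport must match the server: 1194/udp on this page.
    grep -qE '^remote[[:space:]]+[^[:space:]]+[[:space:]]+1194' "$f" \
        || { echo "$f: missing 'remote <host> 1194'"; bad=1; }
    grep -qxF 'proto udp' "$f" || { echo "$f: 'proto udp' is not active"; bad=1; }
    return $bad
}

# --- constructed demo inputs (placeholder PEM text, not real keys) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/keys" "$WORK/files"
cat > "$WORK/base.conf" <<'EOF'
client
dev tun
proto udp
remote cloud.errigal.com 1194
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CA' '-----END CERTIFICATE-----' > "$WORK/keys/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT' '-----END CERTIFICATE-----' > "$WORK/keys/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'DEMO-KEY' '-----END PRIVATE KEY-----' > "$WORK/keys/client1.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'DEMO-TA' '-----END OpenVPN Static key V1-----' > "$WORK/keys/ta.key"

build_ovpn "$WORK/base.conf" "$WORK/keys" client1 "$WORK/files"
check_ovpn "$WORK/files/client1.ovpn" && echo "client1.ovpn: OK"

# The same profile with the tags dropped (what you get if the echo lines in
# make_config.sh are empty) is rejected:
sed '/^<\/*[a-z-]*>$/d' "$WORK/files/client1.ovpn" > "$WORK/files/untagged.ovpn"
check_ovpn "$WORK/files/untagged.ovpn" || echo "untagged.ovpn: rejected"
```

On olympus, `check_ovpn ~/client-configs/files/client1.ovpn` right after running make_config.sh is enough; the lint reads only the text of the profile, so it can also be run on a profile a user sends back when their connection fails.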
-------------------------------------
==== Your Client (i.e. your MacBook) ====
* sftp scotty@olympus.err:client-configs/files/client1.ovpn ~/
* INSTALL Tunnelblick: https://tunnelblick.net/release/Tunnelblick_3.7.8_build_5180.dmg
* [Say you have no configuration files]
* [When the install is complete, open a Finder window and double-click ~/client1.ovpn]
* In Tunnelblick, click 'Settings' and check the box 'Redirect all IPv4 traffic through the VPN'
* If prompted to 'Always Use Plugin', click it so that you always use the connect/disconnect plugin. Do not click 'Do not use plugin' or the like.
* Manually update your System Preferences -> Network -> Settings to include the Errigal DNS server and OpenDNS:
* 10.91.100.71
* 208.67.222.222
* 208.67.220.220
-------------------------------------
===== GENERATING NEW CLIENT CONFIGS (Quick) =====
> Visit OpenVPN Server Machine (olympus.err)
* cd ~/EasyRSA-3.0.4/
* ./easyrsa gen-req CONFIG_NAME nopass
* cp pki/private/CONFIG_NAME.key ~/client-configs/keys/
* scp -i ~/pge2.pem pki/reqs/CONFIG_NAME.req ubuntu@10.91.200.205:/tmp
> Visit CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE); START THE AWS INSTANCE FIRST
* cd ~/EasyRSA-3.0.4/
* ./easyrsa import-req /tmp/CONFIG_NAME.req CONFIG_NAME
* ./easyrsa sign-req client CONFIG_NAME
* [Check that the Common Name shown is CONFIG_NAME, then TYPE yes WHEN PROMPTED]
> Visit OpenVPN Server Machine (olympus.err)
* scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/CONFIG_NAME.crt /tmp
* cp /tmp/CONFIG_NAME.crt ~/client-configs/keys/
* cd ~/client-configs
* ./make_config.sh CONFIG_NAME
* chmod 600 ~/client-configs/files/CONFIG_NAME.ovpn
* [The config file is ~/client-configs/files/CONFIG_NAME.ovpn. It embeds the client's private key, so hand it over by sftp/scp only, never by email or chat.]
> MAKE SURE YOU STOP THE AWS Northern California: Errigal CA - DO NOT DELETE instance
---------------------------------------
===== START/STOP OpenVPN Server =====
> Visit OpenVPN Server Machine (olympus.err)
* sudo systemctl stop openvpn@server
* sudo systemctl start openvpn@server
* sudo systemctl enable openvpn@server
* sudo systemctl status openvpn@server