User Tools
Writing /app/www/public/data/meta/databaseandnetworkmanagement/open_vpn_install_18.meta failed
databaseandnetworkmanagement:open_vpn_install_18
Table of Contents
Before Your Start
If you are looking for adding user (or yourself) to OpenVPN for support purposes, check out Setup Open VPN User 2018 Edition
Ubuntu 18.04 Open VPN Full installation as performed on on CA Server (AWS Northern California: Errigal CA - DO NOT DELETE) and Open VPN Server (olympus.err)
- Quick instructions on making new client certificate configurations are towards the bottom
This article explains how to install Open VPN on Ubuntu 18.04. The steps followed came from this Tutorial:
————————————-
CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE)
- START THE AWS INSTANCE
- sudo apt update
- sudo apt install openvpn
- cd ~
- tar xvf EasyRSA-3.0.4.tgz
- cd ~/EasyRSA-3.0.4/
- cp vars.example vars
- vi vars
- [EDIT EASYRSA_REQ_ properties accordingly]
- ./easyrsa init-pki
- ./easyrsa build-ca nopass
————————————-
OpenVPN Server Machine (olympus)
- sudo apt update
- sudo apt install openvpn
- cd ~/EasyRSA-3.0.4/
- ./easyrsa init-pki
- ./easyrsa gen-req server nopass
- sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
- scp -i ~/pge2.pem ~/EasyRSA-3.0.4/pki/reqs/server.req ubuntu@10.91.200.205:/tmp
————————————-
CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE)
- cd ~/EasyRSA-3.0.4/
- ./easyrsa import-req /tmp/server.req server
- [TYPE yes WHEN PROMPTED]
————————————-
OpenVPN Server Machine (olympus)
- scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/server.crt /tmp
- scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/ca.crt /tmp
- sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/
- cd EasyRSA-3.0.4/
- ./easyrsa gen-dh
- openvpn –genkey –secret ta.key
- sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
- sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/
————————————-
CLIENT KEY GEN on server (olympus)
- mkdir -p ~/client-configs/keys
- chmod -R 700 ~/client-configs
- cd ~/EasyRSA-3.0.4/
- ./easyrsa gen-req client1 nopass
- cp pki/private/client1.key ~/client-configs/keys/
- scp -i ~/pge2.pem pki/reqs/client1.req ubuntu@10.91.200.205:/tmp
————————————-
CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE)
- cd EasyRSA-3.0.4/
- ./easyrsa import-req /tmp/client1.req client1
- ./easyrsa sign-req client client1
————————————-
OpenVPN Server Machine (olympus)
- scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/client1.crt /tmp
- cp /tmp/client1.crt ~/client-configs/keys/
- cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
- sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
————————————-
Configure OpenVPN Server (olympus)
- sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
- sudo gzip -d /etc/openvpn/server.conf.gz
- sudo vi /etc/openvpn/server.conf
- [Add “key-direction 0” below “tls-auth ta.key 0”]
- [Add “auth SHA256” below “cipher AES-256-CBC”]
- [Change “dh dh2048.pem” to “dh dh.pem”]
- [Uncomment “user nobody” and “group nogroup”]
- [NOTE: Could update to PUSH DNS to clients. Could upadte to use a different port/protocol like 443/tcp vs. default 1194/udp.]
- sudo vi /etc/sysctl.conf
- [Uncomment “net.ipv4.ip_forward=1”]
- [Uncomment “push “redirect-gateway def1 bypass-dhcp””]
- [Uncomment “push “dhcp-option DNS 208.67.222.222”” and “push “dhcp-option DNS 208.67.220.220””]
- ip router | grep default
- [Locate the interface name, i.e. enp7s0, and copy it]
- sudo vi /etc/ufw/before.rules
- [Add the following lines:
# START OPENVPN RULES # NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from OpenVPN client to enp7s0 (change to the interface you discovered!) -A POSTROUTING -s 10.8.0.0/8 -o enp7s0 -j MASQUERADE COMMIT # END OPENVPN RULES
- sudo vi /etc/default/ufw
- [Change DEFAULT_FORWARD_POLICY value from “DROP” to “ACCEPT”]
- sudo ufw allow 1194/udp
- sudo ufw allow OpenSSH
- sudo ufw disable
- sudo ufw enable
- sudo systemctl start openvpn@server
- sudo systemctl status openvpn@server
- [Output should show 'active (running)']
- sudo systemctl enable openvpn@server
- mkdir -p ~/client-configs/files
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
- vi ~/client-configs/base.conf
- [Update line “remote my-server-1 1194” to use your server IP “remote cloud.errigal.com 1194”]
- [Make sure “proto udp” is uncommented and that “proto tcp” is commented witht he ';' character]
- [Comment with '#' “tls-auth ta.key 1”]
- [Comment with '#' “ca”, “cert” and “key” prop lines]
- [Under line “cipher AES-256-CBC” add line “auth SHA256”]
- [Add “key-direction 1” to the file]
- [Add the following commented out lines:
# script-security 2 # up /etc/openvpn/update-resolv-conf # down /etc/openvpn/update-resolv-conf
- vi ~/client-configs/make_config.sh
- Insert the following content:
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
- chmod 700 ~/client-configs/make_config.sh
————————————-
Generate Client Configuration on OpenVPN Server (olympus)
- cd ~/client-configs
- sudo ./make_config.sh client1
————————————-
Your Client (i.e. your macbook)
- sftp scotty@olympus.err:client-configs/files/client1.ovpn ~/
- INSTALL Tunnelblick: https://tunnelblick.net/release/Tunnelblick_3.7.8_build_5180.dmg
- [Say you have no configuration files]
- [When install is complete, open a Finder window and double-click ~/client1.ovpn]
- In Tunnelblick, click 'Settings' and Check box to 'Redirect all IPV4 traffic through the VPN'
- If prompted to 'Always User Plugin', click it so that you always use the connect/disconnect plugin. Do not click 'Do not use plugin' or the like.
- Manually update your System Prefences → Network → Settings to include OpenDNS and Errigal DNS:
- 10.91.100.71
- 208.67.222.222
- 208.67.220.220
————————————-
GENERATING NEW CLIENT CONFIGS (Quick)
Visit OpenVPN Server Machine (olympus.err)
- cd ~/EasyRSA-3.0.4/
- ./easyrsa gen-req CONFIG_NAME nopass
- cp pki/private/CONFIG_NAME.key ~/client-configs/keys/
- scp -i ~/pge2.pem pki/reqs/CONFIG_NAME.req ubuntu@10.91.200.205:/tmp
Visit CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE)
- cd EasyRSA-3.0.4/
- ./easyrsa import-req /tmp/CONFIG_NAME.req CONFIG_NAME
- ./easyrsa sign-req client CONFIG_NAME
Visit OpenVPN Server Machine (olympus.err)
- scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/CONFIG_NAME.crt /tmp
- cp /tmp/CONFIG_NAME.crt ~/client-configs/keys/
- cd ~/client-configs
- sudo ./make_config.sh CONFIG_NAME
- [Config File is ~/client-configs/files/CONFIG_NAME.ovpn]
MAKE SURE YOU STOP THE AWS Nothern California: Errigal CA - DO NOT DELETE instance
START/STOP OpenVPN Server
Visit OpenVPN Server Machine (olympus.err)
- sudo systemctl stop openvpn@server
- sudo systemctl start openvpn@server
- sudo systemctl enable openvpn@server
- sudo systemctl status openvpn@server
databaseandnetworkmanagement/open_vpn_install_18.txt · Last modified: 2021/06/25 10:09 by 127.0.0.1
