Installing Configuring OpenVPN in Linux - Paiet/Tech-Journal-for-Everything GitHub Wiki

  • Launch EC2 instance in AWS

    • I use Ubuntu, but most if not all commands should work with other distros
    • Login with SSH
    • Open AWS firewall (Security Group) to allow for VPN traffic
      • Inbound > Edit > Add Rule
        • Type: Custom UDP
        • Port Range: 1194
        • Source: Anywhere 0.0.0.0/0, ::/0
  • Update Linux ~# apt-get update && apt-get upgrade

  • Install OpenVPN and Easy-RSA

    • OpenVPN is our VPN software/service
    • Easy-RSA will allow us to easily create Key Pairs
      • ~# apt-get install openvpn easy-rsa
  • Extract Sample Server Config file

    • ~# cd /usr/share/doc/openvpn/examples/sample-config-files/
    • ~# gunzip -c server.conf.gz > /etc/openvpn/server.conf
  • Configure the server.conf file

    • ~# cd /etc/openvpn/
    • ~# vi server.conf
      • Change dh1024.pem to dh2048.pem
      • Uncomment command push "redirect-gateway def1 bypass-dhcp"
      • Uncomment command push "dhcp-option DNS"
      • Change DNS servers to 8.8.8.8 and 8.8.4.4
      • Uncomment command user nobody
      • Uncomment command group nogroup
      • Save and exit
  • Enable IP forwarding

    • ~# echo 1 > /proc/sys/net/ipv4/ip_forward
    • ~# vi /etc/sysctl.conf
      • Uncomment command net.ipv4.ip_forward=1
      • Save and exit
  • Configure firewall (This may not be necessary because of the AWS Sec Group)

    • ~# ufw status
    • ~# ufw allow ssh
    • ~# ufw allow 1194/udp
    • Now change the default forwarding policy to ACCEPT (This is necessary)
      • ~# vi /etc/default/ufw
      • Change line
        • From: DEFAULT_FORWARD_POLICY="DROP"
        • To: DEFAULT_FORWARD_POLICY="ACCEPT"
      • Save and exit
  • Enable IP masquerading and NAT for VPN clients

    • ~# vi /etc/ufw/before.rules

    • Add this before the filter rules (above the *filter line). The source subnet must be the VPN client pool, which is 10.8.0.0/24 with the sample server.conf default of server 10.8.0.0 255.255.255.0; eth0 is the instance's outbound interface.

      # NAT table rules for OpenVPN clients
      *nat
      :POSTROUTING ACCEPT [0:0]
      # Masquerade traffic from the VPN client pool (10.8.0.0/24) out of the outbound interface
      -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
      COMMIT

    • ~# ufw status

  • Create Keys for Server

    • ~# cp -r /usr/share/easy-rsa/ /etc/openvpn
    • ~# mkdir /etc/openvpn/easy-rsa/keys
    • ~# nano /etc/openvpn/easy-rsa/vars
      • Change export KEY_* values to reflect your environment
      • Verify that export KEY_NAME="server" exists
        • May be found near # X509 Subject Field
        • You can change it from ="server" to whatever you like, but you'll have to bear that in mind down the road.
      • Save and exit
    • Run ~# source ./vars (from inside /etc/openvpn/easy-rsa) to set the variables
    • Run ~# ./clean-all as suggested after sourcing vars
    • Run ~# ./build-ca and accept the defaults
      • This creates the Certificate Authority (CA)
      • We set the defaults in vars
      • Don't enter a challenge password!
      • Enter y when asked...
        • Sign the certificate? [y/n]:
        • 1 out of 1 certificate requests certified, commit? [y/n]
    • Run ~# ./build-key-server server and accept the defaults
      • This will generate the server certificate and key
      • !!! IF YOU CHANGED THE VALUE OF export KEY_NAME="server" back in the vars setup, then you will need to input that instead of server when running the ./build-key-server script. You will also need to modify the server.conf file later to point to the correct .crt and .key files. !!!
      • Enter y when asked...
        • Sign the certificate? [y/n]:
        • 1 out of 1 certificate requests certified, commit? [y/n]
    • Run ~# ./build-dh 2048
      • This creates the 2048-bit Diffie-Hellman parameters file, dh2048.pem
    • Make sure server.crt server.key ca.crt dh2048.pem files are in /etc/openvpn
  • Setup keys for the first client

    • Run ~# ./build-key client
      • Accept defaults
      • Don't enter a challenge password!
      • Enter y when asked...
        • Sign the certificate? [y/n]:
        • 1 out of 1 certificate requests certified, commit? [y/n]
      • This should generate the client.csr client.crt client.key files
      • Make a new directory to manage client keys and config file
        • ~# mkdir /home/ubuntu/VPN_client_files
        • ~# cp keys/client.crt keys/client.key /home/ubuntu/VPN_client_files/
      • Copy the sample client config file and change file extension to .ovpn
        • ~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/ubuntu/VPN_client_files/client.ovpn
      • Copy ca.crt file to /home/ubuntu/VPN_client_files/
      • Securely copy client.crt client.key ca.crt client.ovpn to client device
        • From Client: scp -i AWS_key.pem ubuntu@VPN_server:/home/ubuntu/VPN_client_files/c* .
  • Configure OVPN File on Client

    • Determine public IP address of AWS VPN Server

      • Should be the same IP address you're SSHing with
      • You can get it from the AWS EC2 Instance dashboard
    • Edit the client.ovpn file

      • ~$ vi client.ovpn
        • Edit line remote my-server-1 1194
          • Replace my-server-1 with IP address of VPN server
        • Uncomment group nogroup
        • Uncomment user nobody
        • Comment out...(add # in front of)
          • ca ca.crt
          • cert client.crt
          • key client.key
        • Save and exit
    • Append the client.ovpn file with the contents of the ca.crt, client.crt, and client.key files.

      ~$ echo "<ca>" >> client.ovpn
      ~$ cat ca.crt >> client.ovpn
      ~$ echo "</ca>" >> client.ovpn
      ~$ echo "<cert>" >> client.ovpn
      ~$ cat client.crt >> client.ovpn
      ~$ echo "</cert>" >> client.ovpn
      ~$ echo "<key>" >> client.ovpn
      ~$ cat client.key >> client.ovpn
      ~$ echo "</key>" >> client.ovpn

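The same profile assembly as a single script, added here as an example (not part of the wiki): it comments out the file-based ca/cert/key directives and appends the inline blocks, and refuses non-PEM input so a wrong path cannot produce a broken profile. The function name inline_ovpn and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: build a single-file client profile the
# way the manual vi + echo/cat steps above do, commenting out the file-based
# ca/cert/key directives and appending the PEM material inline.
# Usage: inline_ovpn base.ovpn ca.crt client.crt client.key out.ovpn

# Sanity check: refuse to inline anything that is not PEM, so a wrong path
# cannot silently produce a profile that fails with a TLS error later.
pem_check() {
    grep -q -- '-----BEGIN' "$1" && grep -q -- '-----END' "$1"
}

inline_ovpn() {
    base=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$ca" "$cert" "$key"; do
        pem_check "$f" || { echo "not a PEM file: $f" >&2; return 1; }
    done
    # Comment out "ca ...", "cert ..." and "key ..." (same as adding # by hand);
    # "key-direction" is left alone because a space must follow the keyword
    sed -E 's/^[[:space:]]*(ca|cert|key)[[:space:]]+/#&/' "$base" > "$out"
    for pair in "ca:$ca" "cert:$cert" "key:$key"; do
        tag=${pair%%:*} file=${pair#*:}
        printf '<%s>\n' "$tag" >> "$out"
        cat "$file" >> "$out"
        printf '</%s>\n' "$tag" >> "$out"
    done
    # The profile now carries the client's private key: owner-only access
    chmod 600 "$out"
}

# Run directly with five arguments; sourced by a test, this does nothing.
if [ "$#" -eq 5 ]; then
    inline_ovpn "$@"
fi
```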
  • Start the OpenVPN service on server

    • ~# service openvpn start
    • ~# service openvpn status
    • Should see a tun0 adapter now
  • Connect with VPN client

    • ~$ sudo openvpn client.ovpn
    • Should see Initialization Sequence Completed
    • Should see a tun0 adapter now
  • Troubleshooting

    • Errors I got
      • TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        • FIX: I didn't set up TLS authorization, so I had to make sure to comment out this line...tls-auth ta.key 0 in server.conf and tls-auth ta.key 1 in client.ovpn.
          • Add a semicolon to comment out
            • ;tls-auth ta.key 0
            • ;tls-auth ta.key 1
      • Authenticate/Decrypt packet error: cipher final failed
        • FIX: Had to edit the server.conf file on VPN server
          • Googled it
          • Checked the client.ovpn file and found...
            • cipher AES-256-CBC
          • Checked the server.conf file and found...
            • cipher AES-128-CBC
          • Modified the server.conf line to read same as client.ovpn
      • openvpn write to tun/tap invalid argument (code=22)
        • FIX: Had to enable compression (comp-lzo)
          • Googled it
          • Checked that compression was enabled in both server.conf and client.conf
            • Uncomment or Add line...
              • comp-lzo
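All three errors above come down to a directive that is set on one end and not the other. This added check (not from the wiki) compares tls-auth, cipher and comp-lzo between server.conf and client.ovpn before connecting; the function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: check the three directives behind the
# errors above (tls-auth, cipher, comp-lzo) for agreement between server.conf
# and client.ovpn before connecting, instead of reading both files by eye.
# Usage: ovpn_consistency server.conf client.ovpn   (exit 1 on any mismatch)

# Value of an active (not ;- or #-commented) directive, "on" for a bare
# directive such as comp-lzo, or "unset" when it is absent. Args: file, name.
directive() {
    line=$(grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo unset
    else
        v=$(printf '%s\n' "$line" | sed -E "s/^[[:space:]]*$2[[:space:]]*//")
        echo "${v:-on}"
    fi
}

ovpn_consistency() {
    rc=0
    for d in tls-auth cipher comp-lzo; do
        s=$(directive "$1" "$d")
        c=$(directive "$2" "$d")
        if [ "$d" = cipher ]; then
            # Data-channel cipher must be identical on both ends
            [ "$s" = "$c" ] && continue
        else
            # tls-auth and comp-lzo: presence must agree on both ends; the
            # tls-auth key direction (0 on server, 1 on client) is meant to differ
            [ "$s" = unset ] && [ "$c" = unset ] && continue
            [ "$s" != unset ] && [ "$c" != unset ] && continue
        fi
        echo "MISMATCH $d: server='$s' client='$c'"
        rc=1
    done
    return $rc
}

# Run directly with two arguments; sourced by a test, this does nothing.
if [ "$#" -eq 2 ]; then
    ovpn_consistency "$1" "$2"
fi
```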

https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds

http://matthewcasperson.blogspot.com/2015/03/fixing-openvpn-authenticatedecrypt.html

https://community.openvpn.net/openvpn/ticket/128
