OpenVPN - ilya-khadykin/notes-outdated GitHub Wiki

Installation

Debian-based Linux system:

apt-get install openvpn easy-rsa

easy-rsa provides the scripts used below to create the certificate authority and the server/client RSA keys and certificates

The following directory contains useful sample configs; copy the server one into place:

cd /usr/share/doc/openvpn/examples/
cd sample-config-files

gunzip -c server.conf.gz > /etc/openvpn/server.conf

Modify the following settings in server.conf

nano /etc/openvpn/server.conf

> dh dh2048.pem # change (the sample may still say dh1024.pem); this file is generated below
> push "redirect-gateway def1 bypass-dhcp" # uncomment: routes all client traffic through the VPN

> push "dhcp-option DNS 8.8.8.8" # uncomment: DNS servers handed to clients, otherwise name lookups leak to the client's local resolver
> push "dhcp-option DNS 8.8.4.4"

> user nobody   # uncomment: drop root privileges once the tunnel is up
> group nogroup

The push directive sends the quoted option to every connecting client
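The edits above are easy to get half-right (a ";"-commented line looks active at a glance, and the sample's dh1024.pem line is easy to leave in). The following script is an added example, not part of the original notes: it lints a server.conf for exactly the directives this section asks for. The directive names are OpenVPN's; the file path in the usage line is an assumption.

```sh
#!/bin/sh
# Added example (not from the original notes): lint an OpenVPN server.conf for
# the directives this section asks you to set. Directive names are OpenVPN's;
# the file path in the usage line is an assumption.
set -eu

# conf_has FILE REGEX: true if an active (uncommented) line matches REGEX.
# OpenVPN treats both '#' and ';' as comment markers, so anchoring at the
# start of the line (after optional whitespace) skips commented-out lines.
conf_has() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_server_conf FILE: print one status line per expected directive and
# return the number of problems found (0 = config matches this page).
check_server_conf() {
    f="$1"
    problems=0
    set -- \
        'dh[[:space:]]+dh2048\.pem' \
        'push[[:space:]]+"redirect-gateway def1 bypass-dhcp"' \
        'push[[:space:]]+"dhcp-option DNS ' \
        'user[[:space:]]+nobody' \
        'group[[:space:]]+nogroup'
    for re in "$@"; do
        if conf_has "$f" "$re"; then
            printf 'ok       %s\n' "$re"
        else
            printf 'MISSING  %s\n' "$re"
            problems=$((problems + 1))
        fi
    done
    # The stock sample config may still reference a 1024-bit DH file.
    if conf_has "$f" 'dh[[:space:]]+dh1024\.pem'; then
        printf 'WEAK     dh dh1024.pem is still active\n'
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run as: sh check_server_conf.sh /etc/openvpn/server.conf
# Exit status is the number of problems, so it can gate a deployment script.
if [ "$#" -gt 0 ]; then
    check_server_conf "$1"
fi
```

The exit status doubles as the problem count, so `sh check_server_conf.sh /etc/openvpn/server.conf || echo "fix the config first"` works as a pre-start gate.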

Forwarding traffic (the server must route packets between the tun interface and its public interface):

cat /proc/sys/net/ipv4/ip_forward   # 0 means forwarding is off

echo 1 > /proc/sys/net/ipv4/ip_forward   # takes effect immediately but is lost on reboot

nano /etc/sysctl.conf
> net.ipv4.ip_forward=1 # uncomment; persists across reboots (run `sysctl -p` to apply without rebooting)

iptables configuration using ufw

nano /etc/default/ufw

> DEFAULT_FORWARD_POLICY="ACCEPT" # change from DROP

nano /etc/ufw/before.rules
# add this nat table at the top of the file, before the *filter section;
# -s must match the subnet of the "server" directive in server.conf (10.8.0.0/24 with the sample config,
# so don't masquerade the whole 10.0.0.0/8) and -o the server's public interface
> *nat
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
> COMMIT

Before enabling the firewall, allow the VPN port and SSH (`ufw allow 1194/udp`, `ufw allow OpenSSH`), otherwise `ufw enable` on a remote box locks you out.

ufw enable
ufw status

Generating Server Keys with easy-rsa

Note: build-ca, build-key-server and build-key are the easy-rsa 2.x scripts shipped with Ubuntu 14.04; easy-rsa 3.x replaces them with a single easyrsa tool (init-pki, build-ca, build-server-full, build-client-full), which is what the Docker section below uses.

cd /usr/share/easy-rsa/

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/keys   # optional: easy-rsa writes generated keys to /etc/openvpn/easy-rsa/keys by default

nano /etc/openvpn/easy-rsa/vars
> export KEY_ORG="" # change accordingly
> export KEY_EMAIL="" # change accordingly

# Diffie-Hellman parameters referenced by "dh dh2048.pem" in server.conf; this takes a while
openssl dhparam -out /etc/openvpn/dh2048.pem 2048

cd /etc/openvpn/easy-rsa/
. ./vars
./clean-all   # wipes the keys directory: run only on initial setup, never on a CA that has already issued certificates
# certificate authority
./build-ca
# server key and certificate, signed by the CA
./build-key-server server

ls keys
# the generated files live in the keys subdirectory
cp keys/server.crt keys/server.key keys/ca.crt /etc/openvpn/
ls /etc/openvpn/

# keys/ca.key is what lets anyone issue new client certificates: do not copy it to /etc/openvpn, and keep it readable by root only

service openvpn start
service openvpn status

Generating Client Keys with easy-rsa

cd /etc/openvpn/easy-rsa/
. ./vars   # needed again in every new shell, otherwise build-key cannot find the CA
./build-key client_name

# move created keys to a separate directory for better management
mkdir ~/client_name

# copy the sample configuration file for the client
cd /usr/share/doc/openvpn/examples/sample-config-files/
cp client.conf ~/client_name/
cd ~/client_name/
# rename the conf file to .ovpn since the client software expects this extension
mv client.conf client_name.ovpn

# copy keys and certificates to the client's dedicated directory
cd /etc/openvpn/easy-rsa/keys
cp ca.crt client_name.crt client_name.key ~/client_name/

# Change settings for client_name
cd ~/client_name/
nano client_name.ovpn
> remote x.x.x.x 1194 # change accordingly to your server ip

> user nobody   # uncomment (Linux/Unix clients only; ignored on Windows)
> group nogroup # uncomment

# comment out the following lines, because a unified file with the certificates inline will be created
# ca ca.crt
# cert client.crt
# key client.key

# append the file contents with cat (echo would only write the literal file names);
# the closing tags must be quoted, otherwise the shell reads </cert> as an input redirection
echo "<ca>" >> client_name.ovpn
cat ca.crt >> client_name.ovpn
echo "</ca>" >> client_name.ovpn

echo "<cert>" >> client_name.ovpn
cat client_name.crt >> client_name.ovpn
echo "</cert>" >> client_name.ovpn

echo "<key>" >> client_name.ovpn
cat client_name.key >> client_name.ovpn
echo "</key>" >> client_name.ovpn

# get the .ovpn file onto the client machine; it now embeds the private key, so copy it over scp and delete copies you no longer need
> scp user@x.x.x.x:client_name/client_name.ovpn .
> sudo openvpn client_name.ovpn
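The manual echo/cat sequence above is easy to get wrong (a file name written instead of its contents, an unquoted closing tag, a certificate without a trailing newline that glues `</ca>` onto its last line). The script below is an added example, not part of the original notes, that does the same job in one reusable function and then verifies the result. File names and the usage line are assumptions; the template is the sample client.conf.

```sh
#!/bin/sh
# Added example (not from the original notes): build a unified client .ovpn
# with the CA certificate, client certificate and private key inlined, the
# way the manual echo/cat steps above do. File names are assumptions.
set -eu

# emit_block TAG FILE: write <TAG>, the file, </TAG>; adds a newline if the
# file lacks a trailing one so the closing tag always gets its own line.
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    [ -z "$(tail -c 1 "$2")" ] || printf '\n'
    printf '</%s>\n' "$1"
}

# make_unified_ovpn TEMPLATE CA CERT KEY OUT
make_unified_ovpn() {
    template="$1"; ca="$2"; cert="$3"; key="$4"; out="$5"

    # Drop the file-based ca/cert/key directives, whether active or commented
    # with '#' or ';', so the inline blocks are the only credential source.
    # key-direction / tls-auth lines are untouched (no whitespace after "key").
    grep -Ev '^[[:space:]]*[#;]?[[:space:]]*(ca|cert|key)[[:space:]]' "$template" > "$out"

    # cat the files; echo would only write their names.
    {
        emit_block ca "$ca"
        emit_block cert "$cert"
        emit_block key "$key"
    } >> "$out"

    # The output now embeds a private key: owner-readable only.
    chmod 600 "$out"
}

# check_unified_ovpn FILE: true if every inline block is present and closed
# and no file-based credential directive survived.
check_unified_ovpn() {
    for tag in ca cert key; do
        grep -q "^<$tag>\$" "$1" || return 1
        grep -q "^</$tag>\$" "$1" || return 1
    done
    if grep -Eq '^[[:space:]]*(ca|cert|key)[[:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Run as: sh make_ovpn.sh client.conf ca.crt client_name.crt client_name.key client_name.ovpn
if [ "$#" -eq 5 ]; then
    make_unified_ovpn "$1" "$2" "$3" "$4" "$5"
    check_unified_ovpn "$5"
fi
```

The check function is worth keeping around on its own: run it against any .ovpn you receive from elsewhere before importing it, so a file that still references `ca.crt` on disk fails loudly instead of silently connecting without verification.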

Running OpenVPN in Docker container | Hosted on DigitalOcean

Note: To run on port 443 no special config file hacks are needed; just generate a proper config and use Docker to map the port.

Configure it internally to use TCP:

$ docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM

Tell Docker to map port 443/tcp on the host to port 1194 in the container at runtime. --cap-add=NET_ADMIN is all the container needs to create its tun device; --privileged would hand it the whole host:

$ docker run --volumes-from $OVPN_DATA -d -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn

Based on https://www.digitalocean.com/community/tutorials/how-to-run-openvpn-in-a-docker-container-on-ubuntu-14-04

Step 1 — Setting Up and Testing Docker on a new server

1.1 Create a new Droplet in the required region and add the upstream Docker repository package signing key and the Docker repository to the system's apt sources (these are the 2015-era repository and lxc-docker package for Ubuntu 14.04; on current releases install docker-ce following Docker's own documentation instead):

curl -L https://get.docker.com/gpg | sudo apt-key add -
echo deb http://get.docker.io/ubuntu docker main | sudo tee /etc/apt/sources.list.d/docker.list

1.2 Update the package list and install Docker:

sudo apt-get update && sudo apt-get install -y lxc-docker

1.3 Add your user to the docker group (membership is equivalent to root on the host, since the Docker socket can start privileged containers), log out and back in, and verify with id:

sudo usermod -aG docker ikhadykin
logout
id

1.4 Pull the image that will be used later; this also tests that Docker works:

docker pull kylemanna/openvpn

Step 2 — Setting Up the EasyRSA PKI Certificate Store

2.1 Set an environment variable used in the following commands:

OVPN_DATA="ovpn-data"

2.2 Create an empty Docker volume container, using busybox as a minimal Docker image (the container exits immediately; only its /etc/openvpn volume matters):

docker run --name $OVPN_DATA -v /etc/openvpn busybox

2.3 Initialize the $OVPN_DATA container that will hold the configuration files and certificates, replacing vpn.example.com with your FQDN. This must be the fully-qualified domain name clients will use to reach the server; if it isn't set up yet, do it now - https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean

docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com:1194

2.4 Generate the EasyRSA PKI certificate authority. Don't forget the PEM pass phrase: it protects the CA private key and is required every time a client certificate is issued.

docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki

Step 3 — Launching the OpenVPN Server

3.1 Create an Upstart job so the container starts with the system (Ubuntu 14.04 uses Upstart; on systemd-based releases a unit file does the same job). The job uses --cap-add=NET_ADMIN rather than --privileged, which is the least privilege the container needs:

sudo nano /etc/init/docker-openvpn.conf

Contents to place in /etc/init/docker-openvpn.conf:

description "Docker container for OpenVPN server"
start on filesystem and started docker
stop on runlevel [!2345]
respawn
script
  exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script

Start the container through the Upstart init mechanism:

sudo start docker-openvpn

Check that the container is running:

docker ps

Output should look like this:

ikhadykin@ubuntu-512mb-sfo2-01:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                    NAMES
494e049ddc0c        kylemanna/openvpn   "ovpn_run"          38 seconds ago      Up 37 seconds       0.0.0.0:1194->1194/udp   dreamy_jones

Step 4 — Generating Client Certificates and Config Files

4.1 Create client certificates (e.g., "home-laptop", "work-laptop", "nexus5", etc.). The easyrsa tool will prompt for the CA password. Change CLIENTNAME appropriately. nopass leaves the client's private key unencrypted, so the resulting .ovpn alone is enough to connect; drop nopass if you want the key protected by a passphrase:

docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

4.2 Create the .ovpn file, which contains the certificates, the private key and the connection configuration. Change CLIENTNAME accordingly:

docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

The resulting CLIENTNAME.ovpn file contains the private key and certificates necessary to connect to the VPN. Keep these files secure and don't leave them lying around. Transport the *.ovpn files to the clients that will use them over an encrypted channel such as scp.

Step 5 — Setting Up OpenVPN Clients

5.1 Setting up the OpenVPN client on Windows 10:
5.1.1 Download and install the OpenVPN client - https://openvpn.net/index.php/open-source/downloads.html
5.1.2 Copy the prepared .ovpn config file to C:\Program Files\OpenVPN\config (the default config directory)
5.2 You can now connect to the server by starting OpenVPN GUI and clicking Connect in the system tray.

Step 6 — Verify Operation

You can verify the setup by checking your public IP; it should change to the one the server uses - https://whatismyipaddress.com/
