OpenVPN with Ubuntu 20.04 LTS

shtzeng, posted in System Settings

Install Ubuntu 20.04 Server or Desktop

  • Update all packages
    • sudo apt update
    • sudo apt upgrade -y
    • sudo apt dist-upgrade -y
    • sudo apt autoremove
    • sudo shutdown -r now
  • Install easy-rsa to generate the CA and the server/client certificates
    • sudo apt update
    • sudo apt install easy-rsa -y
  • Install OpenVPN
    • sudo apt update
    • sudo apt install openvpn
  • Install OpenVPN from the OpenVPN project's stable repository instead (optional; it is newer than the 2.4 package in Ubuntu's own repository)
    • Ref: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
    • wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
    • echo "deb http://build.openvpn.net/debian/openvpn/stable focal main" | sudo tee /etc/apt/sources.list.d/openvpn-aptrepo.list
      • a plain `>` redirect is opened by your own shell, not by sudo, so it cannot write into /etc/apt; tee under sudo writes the file as root
    • sudo apt update
    • sudo apt install openvpn
  • Config OpenVPN Server
    • set up the certificates with easy-rsa
      • plain openssl commands work just as well, easy-rsa only saves typing … XD
      • Ref: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
      • go to /etc/openvpn/ and run `sudo make-cadir easy-rsa`
      • cd into easy-rsa; the directory is root-owned, so either become root first (`sudo -i`) or run every easyrsa command with sudo
      • edit the vars file (country/org fields, key size, CA and certificate expiry), or leave the defaults
      • build the required files
        • ./easyrsa init-pki
        • ./easyrsa build-ca
          • it asks for a passphrase for the CA key; remember it, every sign-req below asks for it again
        • ./easyrsa gen-dh
        • ./easyrsa gen-req openvpn-server nopass
        • ./easyrsa sign-req server openvpn-server
        • ./easyrsa gen-req client-user nopass
        • ./easyrsa sign-req client client-user
        • openvpn --genkey --secret tls-auth.key
          • this is the 2.4 syntax (the Ubuntu 20.04 package); OpenVPN 2.5 from the project repository uses `openvpn --genkey secret tls-auth.key` and only prints a deprecation warning for the old form
      • now the files needed for the server and client configs are under /etc/openvpn/
        • easy-rsa/pki/ca.crt
        • easy-rsa/pki/issued/openvpn-server.crt
        • easy-rsa/pki/private/openvpn-server.key
        • easy-rsa/pki/issued/client-user.crt
        • easy-rsa/pki/private/client-user.key
        • easy-rsa/pki/dh.pem (gen-dh writes it into pki/, not into the easy-rsa root)
        • easy-rsa/tls-auth.key (written into whatever directory you ran openvpn --genkey in)
      • copy the ones the server needs (ca.crt, openvpn-server.crt, openvpn-server.key, dh.pem, tls-auth.key) into /etc/openvpn/ so server.conf can reference them by bare filename; keep openvpn-server.key and tls-auth.key root-only (chmod 600), leave the CA key in pki/private/, and give client-user.key to the client only
    • setup OpenVPN config file
      • Ref: https://openvpn.net/community-resources/how-to/
      • back to /etc/openvpn/ dir
      • copy example file for less editing :)
        • cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ./
        • gunzip server.conf.gz
      • minimal edits to server.conf; this part authenticates clients by certificate only, see the next part for username/password
        • push "redirect-gateway def1 bypass-dhcp"
          • uncomment it to route all client traffic through the VPN server
        • push "dhcp-option DNS 8.8.8.8"
          • uncomment it as well: once all traffic is redirected the client's previous resolver may be unreachable; 8.8.8.8 is only an example, push the resolver you actually trust
        • ca ca.crt
        • cert openvpn-server.crt
        • key openvpn-server.key
        • dh dh.pem
        • tls-auth tls-auth.key 0
          • 0 is the server side of the key direction; clients use 1
        • duplicate-cn
          • lets several clients connect with the same certificate; handy while testing with the single client-user cert, but drop it and issue one certificate per user as soon as you need to revoke an individual user
        • log-append /var/log/openvpn/openvpn.log
      • add the following for username/password auth (the client still has to present its certificate, the password is a second factor)
        • Ref: https://openvpn.net/community-resources/how-to/#auth
        • with a simple script
          • auth-user-pass-verify auth-user.sh via-env
            • via-env hands the login to the script as the environment variables username and password; exit 0 accepts the login, anything else rejects it
          • script-security 3
            • level 3 is what via-env needs, because it allows the password into the script's environment; via-file only needs level 2
          • username-as-common-name
            • the username, not the shared certificate's CN, then identifies the session in the status file, logs and client-config-dir
        • with PAM
          • auth-user-pass-verify auth-pam.pl via-file
            • auth-pam.pl is at /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl and needs the Authen::PAM Perl module (package libauthen-pam-perl)
            • sudo cp /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl /etc/openvpn/
          • script-security 2 (3 also works, but via-file does not need it)
          • username-as-common-name
      • now OpenVPN Server configuration completed!
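The auth-user.sh referenced by the via-env line is not shown in the post, so here is one as an added example (not the author's script) of what such an auth-user-pass-verify script looks like. It checks the login against a file of salted SHA-256 hashes; the default path /etc/openvpn/users.txt, the record format and the add_user helper are assumptions. sha256sum is used so it runs with nothing beyond coreutils; crypt hashes from `openssl passwd -6`, or the PAM route above, are the stronger choice for production.

```shell
#!/bin/sh
# auth-user.sh: an auth-user-pass-verify script for the "via-env" method.
# OpenVPN exports the client's login as the environment variables $username
# and $password (which is why via-env needs script-security 3) and accepts
# the login when the script exits 0.
# Credentials file, one record per line:  username:salt:sha256hex(salt || password)
#
# Added example, not part of the original post. The default CRED_FILE path
# and the record format are assumptions.

CRED_FILE="${CRED_FILE:-/etc/openvpn/users.txt}"

# hash_password SALT PASSWORD: hex SHA-256 of the salt followed by the password
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# add_user FILE USER PASSWORD: append a record with a fresh random salt
add_user() {
    _salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$2" "$_salt" "$(hash_password "$_salt" "$3")" >> "$1"
}

# verify_credentials FILE USER PASSWORD: returns 0 on a match, 1 otherwise
verify_credentials() {
    _file=$1; _user=$2; _pass=$3
    [ -r "$_file" ] || return 1
    # reject empty fields and usernames that would break the ':'-separated record
    [ -n "$_user" ] && [ -n "$_pass" ] || return 1
    case "$_user" in *:*) return 1 ;; esac
    # match the username field exactly; ENVIRON avoids awk -v escape processing
    _entry=$(u="$_user" awk -F: '$1 == ENVIRON["u"] { print; exit }' "$_file")
    [ -n "$_entry" ] || return 1
    _salt=${_entry#*:}; _salt=${_salt%%:*}
    _hash=${_entry##*:}
    [ "$(hash_password "$_salt" "$_pass")" = "$_hash" ]
}

# Entry point: OpenVPN sets script_type for every hook it runs. Only act in
# that case, so sourcing the file (for tests or to call add_user) just
# defines the functions.
if [ "${script_type:-}" = "auth-user-pass-verify" ]; then
    if verify_credentials "$CRED_FILE" "${username:-}" "${password:-}"; then
        exit 0
    fi
    exit 1
fi
```

Install it as /etc/openvpn/auth-user.sh with mode 700, and add users from a root shell by sourcing the script and calling add_user. If you uncomment user nobody / group nogroup in server.conf, the script runs as that user after OpenVPN drops privileges, so the credentials file must be readable by it; since it holds only salted hashes, root:nogroup with mode 640 is acceptable.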
  • Config OpenVPN Client
    • go to /etc/openvpn/
    • copy example files for less editing :)
      • cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./
    • minimal edits to client.conf
      • since we want a single self-contained file, remove the references to separate files
        • ca ca.crt
        • cert client.crt
        • key client.key
        • tls-auth ta.key 1
      • add or modify (the <ca>, <cert>, <key> and <tls-auth> tags inline the files; between the tags goes the file's PEM content, BEGIN/END lines included)
        • remote your-ip/your-fqdn 1194
        • <ca>
          -----BEGIN CERTIFICATE-----
          put your ca.crt content here
          -----END CERTIFICATE-----
          </ca>
        • <cert>
          -----BEGIN CERTIFICATE-----
          put your client-user.crt content here
          -----END CERTIFICATE-----
          </cert>
        • <key>
          -----BEGIN PRIVATE KEY-----
          put your client-user.key content here
          -----END PRIVATE KEY-----
          </key>
        • <tls-auth>
          -----BEGIN OpenVPN Static key V1-----
          put your tls-auth.key content here
          -----END OpenVPN Static key V1-----
          </tls-auth>
        • key-direction 1
          • replaces the 1 from the removed tls-auth line; it must be the opposite of the server's 0
      • the file now contains the client's private key, so treat it like one: chmod 600 and hand it to exactly one user
    • add for username/password auth
      • auth-user-pass
        • the client prompts for the login at connect time; add auth-nocache so the password is not kept in memory for reconnects
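Pasting four PEM files into client.conf by hand is error-prone, so here is an added example (not from the original post) of a small script that assembles the single-file profile from the easy-rsa layout above, wrapping each file in its <ca>, <cert>, <key> or <tls-auth> tags and setting key-direction 1. The argument names, the port 1194 and the extra client options it adds (remote-cert-tls server, auth-nocache) are assumptions beyond what the post lists.

```shell
#!/bin/sh
# make-client-ovpn.sh: build a single-file client profile (.ovpn) from the
# easy-rsa output, inlining the CA, client cert, client key and tls-auth key
# between <ca>, <cert>, <key> and <tls-auth> tags, with key-direction 1 to
# match the server's "tls-auth tls-auth.key 0".
#
# Added example, not part of the original post. The PKI layout is easy-rsa's;
# remote host, tls-auth key path and output file are arguments (assumptions).
#
# usage: make-client-ovpn.sh PKI_DIR CLIENT_NAME REMOTE_HOST TLS_AUTH_KEY OUT.ovpn

# pem_block FILE: print only the PEM body. easy-rsa's issued/*.crt files start
# with a human-readable dump of the certificate; OpenVPN tolerates it inside
# <cert>, but stripping it keeps the profile small and unambiguous. The same
# filter drops the '#' comment header of the tls-auth key file.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_client_config PKI_DIR CLIENT REMOTE TLS_AUTH_KEY: profile on stdout,
# non-zero exit and nothing on stdout if any input file is missing
build_client_config() {
    _pki=$1; _client=$2; _remote=$3; _ta=$4
    for _f in "$_pki/ca.crt" "$_pki/issued/$_client.crt" \
              "$_pki/private/$_client.key" "$_ta"; do
        [ -r "$_f" ] || { echo "missing or unreadable: $_f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $_remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a server cert carrying the server EKU that "easyrsa sign-req server" sets
remote-cert-tls server
# do not keep a username/password in memory across reconnects (matters with auth-user-pass)
auth-nocache
verb 3
key-direction 1
<ca>
$(pem_block "$_pki/ca.crt")
</ca>
<cert>
$(pem_block "$_pki/issued/$_client.crt")
</cert>
<key>
$(pem_block "$_pki/private/$_client.key")
</key>
<tls-auth>
$(pem_block "$_ta")
</tls-auth>
EOF
}

# Script entry point; the private key is inlined, so the file is created 0600.
if [ $# -eq 5 ]; then
    umask 077
    build_client_config "$1" "$2" "$3" "$4" > "$5" || { rm -f "$5"; exit 1; }
    echo "wrote $5"
fi
```

Run it from /etc/openvpn as root, for example with easy-rsa/pki, client-user, the server's FQDN, easy-rsa/tls-auth.key and an output name; the profile then only needs the username/password lines from the next part if you enabled them on the server.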
  • Start OpenVPN
    • enable the instance that reads /etc/openvpn/server.conf at boot
      • sudo systemctl enable openvpn@server
    • start it now
      • sudo systemctl start openvpn@server
  • Make sure the clients' traffic is forwarded and NATed
    • enable IP forwarding
      • add file /etc/sysctl.d/30-openvpn.conf
        • net.ipv4.ip_forward = 1
      • reload sysctl
        • sudo sysctl -p /etc/sysctl.d/30-openvpn.conf
    • set up the iptables NAT rule
      • sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -o ens5 -j MASQUERADE
        • 10.8.0.0/24 is the sample server.conf's VPN subnet; ens5 is the uplink interface on this host, replace it with yours (`ip route show default` prints it)
        • the ! -d keeps client-to-client traffic inside the tunnel un-NATed; only traffic leaving toward the uplink is masqueraded
      • if the FORWARD chain's policy is DROP (for example with ufw enabled), also allow forwarding between tun0 and the uplink in both directions, or clients get no further than the server itself
    • save the rules so they survive a reboot
      • sudo apt-get install iptables-persistent -y
      • sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
        • `sudo iptables-save > /etc/iptables/rules.v4` fails with permission denied: sudo elevates iptables-save only, while the redirect is opened by your unprivileged shell
  • Test the connection
    • connect with the client profile, then open https://ipinfo.io in a browser: with redirect-gateway pushed it should show the VPN server's public IP instead of your own