
Use Case 3 VPN Server Setup

Stefan Schneider edited this page Jan 17, 2020 · 1 revision

VPN Server

The server setup follows this guide, with the VPN server itself acting as the CA machine. The following steps summarize the guide:

  • Install openvpn and EasyRSA
sudo apt update
sudo apt install openvpn
wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar xvf EasyRSA-3.0.4.tgz
  • Set up EasyRSA and build the CA
  • Create the EasyRSA variables file

cd ~/EasyRSA-3.0.4/
cp vars.example vars
nano vars
  • Change the following in vars:
set_var EASYRSA_REQ_COUNTRY     "DE"
set_var EASYRSA_REQ_PROVINCE    "North Rhine-Westphalia"
set_var EASYRSA_REQ_CITY        "Paderborn"
set_var EASYRSA_REQ_ORG         "University Paderborn"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "FGCN"
  • Build CA
./easyrsa init-pki
./easyrsa build-ca nopass
  • Create the server certificate, key and encryption files
./easyrsa gen-req server nopass
sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
# gen-req writes the request to pki/reqs/, not pki/private/. import-req is only needed
# when the request was generated on another machine; with the CA on the VPN server it is already in place.
./easyrsa import-req ~/EasyRSA-3.0.4/pki/reqs/server.req server
./easyrsa sign-req server server
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/ca.crt /etc/openvpn/
./easyrsa gen-dh
openvpn --genkey --secret ta.key
sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/
  • Generate Client certificate and key
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ~/client-configs/keys/
# As with the server request: only needed if the request was generated on another machine
./easyrsa import-req pki/reqs/client1.req client1
./easyrsa sign-req client client1
cp pki/issued/client1.crt ~/client-configs/keys/
cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
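A check worth running once both sign-req steps are done, added here as example code (it is not part of the wiki page or of the guide it summarizes): it verifies that an issued certificate chains to pki/ca.crt, that the private key in pki/private/ belongs to that certificate, and that the server certificate carries the serverAuth extended key usage. EasyRSA's `server` type sets that EKU, and clients configured with `remote-cert-tls server` (present in the sample client.conf) use it to refuse a peer that presents a client certificate as if it were the server. Only the openssl CLI is required; the function names and the `pki`/`name` arguments are my own.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check an EasyRSA 3 PKI after
# signing. Layout assumed: $pki/ca.crt, $pki/issued/<name>.crt, $pki/private/<name>.key
# Usage: check_pki ~/EasyRSA-3.0.4/pki server server
#        check_pki ~/EasyRSA-3.0.4/pki client1 client

# 0 when <name>.crt is signed by ca.crt and currently valid (not expired/revoked-by-date).
cert_chains_to_ca() {
    pki="$1"; name="$2"
    openssl verify -CAfile "$pki/ca.crt" "$pki/issued/$name.crt" >/dev/null 2>&1
}

# 0 when the private key and the certificate carry the same public key.
key_matches_cert() {
    pki="$1"; name="$2"
    a=$(openssl x509 -in "$pki/issued/$name.crt" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$pki/private/$name.key" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 when the certificate has the "TLS Web Server Authentication" EKU.
cert_is_server_type() {
    pki="$1"; name="$2"
    openssl x509 -in "$pki/issued/$name.crt" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Run all checks for one certificate. $3 is the EasyRSA type it was signed as
# ("server" or "client"). Prints a verdict per check; returns the failure count.
check_pki() {
    pki="$1"; name="$2"; ctype="$3"; fails=0
    if cert_chains_to_ca "$pki" "$name"; then
        echo "ok   $name.crt is signed by ca.crt"
    else
        echo "FAIL $name.crt does not verify against ca.crt"; fails=$((fails + 1))
    fi
    if key_matches_cert "$pki" "$name"; then
        echo "ok   $name.key matches $name.crt"
    else
        echo "FAIL $name.key does not match $name.crt"; fails=$((fails + 1))
    fi
    if [ "$ctype" = "server" ]; then
        if cert_is_server_type "$pki" "$name"; then
            echo "ok   $name.crt has the serverAuth EKU"
        else
            echo "FAIL $name.crt lacks serverAuth; clients using remote-cert-tls server will reject it"
            fails=$((fails + 1))
        fi
    elif cert_is_server_type "$pki" "$name"; then
        # A client certificate must not be usable to impersonate the server.
        echo "FAIL $name.crt was signed as a server certificate"; fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run `check_pki` for the server once and for every client you issue; a non-zero exit status means one of the three properties does not hold, and the printed verdicts say which.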
  • Configure OpenVPN service
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo nano /etc/openvpn/server.conf

Uncomment/add the following lines:

tls-auth ta.key 0 # This file is secret

cipher AES-256-CBC
auth SHA256

dh dh.pem

user nobody
group nogroup

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
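As an added check that is not part of the original page, the following POSIX sh function audits a server.conf for the directives listed above. It distinguishes a directive that is still disabled with a leading `;` (the form the sample server.conf uses) from one that is absent entirely. The function name and the use of `/etc/openvpn/server.conf` as input are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit a server.conf for the
# directives the step above enables. Pure POSIX sh, no OpenVPN binary needed.
# Usage: check_server_conf /etc/openvpn/server.conf

# Print one line per directive that is absent or still commented out.
# Return value is the number of problems found, so 0 means the file is complete.
check_server_conf() {
    conf="$1"
    missing=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Each entry is the directive as the guide wants it, anchored at line start;
    # the DNS entry is a prefix so either OpenDNS address satisfies it.
    for want in \
        'tls-auth ta.key 0' \
        'cipher AES-256-CBC' \
        'auth SHA256' \
        'dh dh.pem' \
        'user nobody' \
        'group nogroup' \
        'push "redirect-gateway def1 bypass-dhcp"' \
        'push "dhcp-option DNS '
    do
        if grep -q "^$want" "$conf"; then
            continue
        elif grep -q "^[;#][[:space:]]*$want" "$conf"; then
            # The sample server.conf ships these disabled with a leading ";"
            echo "STILL COMMENTED OUT: $want"
        else
            echo "MISSING: $want"
        fi
        missing=$((missing + 1))
    done
    return "$missing"
}
```

Run it after editing; an empty output and exit status 0 mean every directive is active. One caveat on the settings themselves: OpenVPN 2.4 peers negotiate the data cipher (AES-256-GCM by default via ncp-ciphers), so the `cipher AES-256-CBC` line mainly matters for older clients that cannot negotiate.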
  • Adjust the server network config
sudo nano /etc/sysctl.conf

Uncomment the following:

net.ipv4.ip_forward=1

Continue with the network config:

sudo sysctl -p
ip route | grep default

The latter should print something similar to:

default via 203.0.113.1 dev wlp11s0 proto static

Adjust before.rules:

sudo nano /etc/ufw/before.rules

Add the following: (make sure to replace wlp11s0 with the one you got earlier)

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0] 
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o wlp11s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Continue with the firewall settings:

sudo nano /etc/default/ufw

Change the forwarding policy to ACCEPT:

DEFAULT_FORWARD_POLICY="ACCEPT"

Allow the OpenVPN port and SSH through the firewall, then restart ufw so the new rules are loaded:

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
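The NAT step above fails silently when the interface name is copied wrongly into before.rules (clients connect but get no traffic out). The following POSIX sh helpers, added here as an example and not part of the page, read the interface from the default route, render the before.rules block for it, and check that an existing before.rules and the kernel forwarding flag agree with it. The function names and the `10.8.0.0/8` default (the value the page uses) are mine.

```shell
#!/bin/sh
# Added example, not from the wiki page: derive the egress interface from the
# default route and render/check the ufw NAT block for it.

# Print the token that follows keyword $1 in line $2 (empty if absent).
field_after() {
    printf '%s\n' "$2" | awk -v k="$1" \
        '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i+1); exit } }'
}

# Interface from one "ip route" line, e.g.
# "default via 203.0.113.1 dev wlp11s0 proto static" -> wlp11s0
iface_from_route() {
    field_after dev "$1"
}

# Interface of this host's current default route (needs iproute2).
default_iface() {
    iface_from_route "$(ip route | grep '^default' | head -n 1)"
}

# Render the block the guide adds to /etc/ufw/before.rules.
# $1 = egress interface, $2 = VPN client subnet (defaults to the page's 10.8.0.0/8)
openvpn_nat_rules() {
    iface="$1"
    subnet="${2:-10.8.0.0/8}"
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out via $iface
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Interface named by the MASQUERADE rule in an existing before.rules file.
nat_rule_iface() {
    field_after -o "$(grep -- '-j MASQUERADE' "$1" | head -n 1)"
}

# 0 when the kernel forwards IPv4 (takes effect after "sysctl -p").
forwarding_enabled() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}

# 0 when before.rules ($1) masquerades out of the interface the default route uses
# and forwarding is on; otherwise explains what is off.
check_nat_setup() {
    want=$(default_iface)
    have=$(nat_rule_iface "$1")
    ok=0
    if [ -z "$want" ]; then echo "no default route found"; ok=1; fi
    if [ "$want" != "$have" ]; then echo "before.rules uses '$have', default route uses '$want'"; ok=1; fi
    forwarding_enabled || { echo "net.ipv4.ip_forward is not 1"; ok=1; }
    return "$ok"
}
```

`openvpn_nat_rules "$(default_iface)"` prints a block ready to paste; `check_nat_setup /etc/ufw/before.rules` is the post-configuration test. Note that `10.8.0.0/8` masquerades the whole 10.0.0.0/8 range, not just the VPN subnet; the sample server.conf hands out `10.8.0.0 255.255.255.0`, so `10.8.0.0/24` is the tighter match and is what the second argument is for.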
  • Start the VPN service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
  • Create the client config infrastructure
mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
nano ~/client-configs/base.conf

Edit the base config file. The ca/cert/key/tls-auth lines are commented out because those files are embedded into the generated .ovpn directly; the bottom three lines need to be uncommented for Linux clients:

remote 131.234.28.141 1194
proto udp
user nobody
group nogroup
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

Create a config generator:

nano ~/client-configs/make_config.sh

Like this:

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Make it executable:

chmod 700 ~/client-configs/make_config.sh
  • Generate the client config:
cd ~/client-configs
sudo ./make_config.sh client1

Copy the generated file from ~/client-configs/files to the client and install it.
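The generated .ovpn contains the client's private key, and the script above writes it with the default umask, so it is typically world-readable (and root-owned when run through sudo). The following stricter generator is an added example, not the page's make_config.sh: it validates the client name, refuses to run when any input file is missing, and creates the .ovpn with mode 0600. It uses the page's directory layout; the function name and the optional override arguments are my own.

```shell
#!/bin/sh
# Added example, not the wiki's make_config.sh: a stricter .ovpn generator.
# Usage: make_client_config client1
# Optional $2 $3 $4 override KEY_DIR, OUTPUT_DIR and BASE_CONFIG (defaults match the page).

make_client_config() {
    client="$1"
    key_dir="${2:-$HOME/client-configs/keys}"
    out_dir="${3:-$HOME/client-configs/files}"
    base="${4:-$HOME/client-configs/base.conf}"

    # Only plain identifiers: no empty name, no leading dash, no "/" or other
    # characters that could turn the name into a path or an option.
    case "$client" in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "invalid client name: '$client'" >&2
            return 2 ;;
    esac

    # Every file that gets embedded must exist before anything is written.
    for f in "$base" "$key_dir/ca.crt" "$key_dir/$client.crt" \
             "$key_dir/$client.key" "$key_dir/ta.key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done

    out="$out_dir/$client.ovpn"
    mkdir -p "$out_dir"
    rm -f -- "$out"          # a stale copy with wider permissions must not survive
    (
        umask 077            # new file is created 0600; subshell keeps umask local
        {
            cat "$base"
            printf '<ca>\n';        cat "$key_dir/ca.crt";       printf '</ca>\n'
            printf '<cert>\n';      cat "$key_dir/$client.crt";  printf '</cert>\n'
            printf '<key>\n';       cat "$key_dir/$client.key";  printf '</key>\n'
            printf '<tls-auth>\n';  cat "$key_dir/ta.key";       printf '</tls-auth>\n'
        } > "$out"
    )
    printf '%s\n' "$out"
}

# Stand-alone use mirrors the page: ./make_config.sh client1
if [ "$#" -gt 0 ]; then
    make_client_config "$@"
fi
```

Because the keys directory is already `chmod -R 700` and readable by the user who ran EasyRSA, the generator does not need sudo unless ca.crt was copied in as root (as on this page); in that case `sudo chown` that one file to the user rather than running the generator as root.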