OpenVPN: Difference between revisions
(115 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
100 active users times 10Mbps is 1000Mbps or 1Gbps. Most systems nowadays have this by default, even servers that are several years old. 1000Mbps time 40MHz is about 40000MHz or 40GHz. Older servers with a dual octa-core setup with 2.5GHz will be able to get you to those requirements. With 200 connected devices in this example you would need about 2GB of memory, a fairly low amount. | 100 active users times 10Mbps is 1000Mbps or 1Gbps. Most systems nowadays have this by default, even servers that are several years old. 1000Mbps time 40MHz is about 40000MHz or 40GHz. Older servers with a dual octa-core setup with 2.5GHz will be able to get you to those requirements. With 200 connected devices in this example you would need about 2GB of memory, a fairly low amount. | ||
== | ==PiVPN== | ||
curl -L https://install.pivpn.io | bash | |||
vim /etc/pivpn/openvpn/setupVars.conf | |||
<syntaxhighlight lang="ini" line highlight="4-10,14-17,19,25-27"> | |||
PLAT=Raspbian | |||
OSCN=buster | |||
USING_UFW=0 | |||
pivpnforceipv6route=1 | |||
IPv4dev=wlan0 | |||
dhcpReserv=1 | |||
IPv4addr=10.19.83.103/24 | |||
IPv4gw=10.19.83.1 | |||
install_user=pi | |||
install_home=/home/pi | |||
VPN=openvpn | |||
pivpnPROTO=udp | |||
pivpnPORT=1194 | |||
pivpnDNS1=10.19.83.1 | |||
pivpnDNS2=10.19.83.100 | |||
pivpnSEARCHDOMAIN=dev.shahed.biz | |||
pivpnHOST=vpn.shahed.biz | |||
TWO_POINT_FOUR=0 | |||
pivpnENCRYPT=2048 | |||
USE_PREDEFINED_DH_PARAM=0 | |||
INPUT_CHAIN_EDITED=0 | |||
FORWARD_CHAIN_EDITED=0 | |||
INPUT_CHAIN_EDITEDv6= | |||
FORWARD_CHAIN_EDITEDv6= | |||
pivpnDEV=tun0 | |||
pivpnNET=10.20.30.0 | |||
subnetClass=24 | |||
pivpnenableipv6=0 | |||
ALLOWED_IPS="" | |||
UNATTUPG=1 | |||
INSTALLED_PACKAGES=() | |||
HELP_SHOWN=1 | |||
</syntaxhighlight> | |||
==Server== | |||
<syntaxhighlight lang="bash" highlight="3-5,9-11,13-15,17,21"> | |||
vim /etc/openvpn/server.conf | |||
: <<'END_COMMENT' | |||
dev tun | |||
proto udp | |||
port 1194 | |||
ca /etc/openvpn/easy-rsa/pki/ca.crt | |||
cert /etc/openvpn/easy-rsa/pki/issued/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.crt | |||
key /etc/openvpn/easy-rsa/pki/private/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.key | |||
dh /etc/openvpn/easy-rsa/pki/dh2048.pem | |||
topology subnet | |||
server 10.20.30.0 255.255.255.0 | |||
# Set your primary domain name server address for clients | |||
push "dhcp-option DOMAIN dev.shahed.biz" | |||
push "dhcp-option DNS 10.19.83.1" | |||
push "dhcp-option DNS 10.19.83.100" | |||
# Prevent DNS leaks on Windows | |||
push "block-outside-dns" | |||
# Override the Client default gateway by using 0.0.0.0/1 and | |||
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of | |||
# overriding but not wiping out the original default gateway. | |||
push "redirect-gateway def1 bypass-dhcp" | |||
client-to-client | |||
client-config-dir /etc/openvpn/ccd | |||
keepalive 15 120 | |||
remote-cert-tls client | |||
tls-version-min 1.2 | |||
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 | |||
cipher AES-256-CBC | |||
auth SHA256 | |||
user openvpn | |||
group openvpn | |||
persist-key | |||
persist-tun | |||
crl-verify /etc/openvpn/crl.pem | |||
status /var/log/openvpn-status.log 20 | |||
status-version 3 | |||
syslog | |||
verb 3 | |||
#DuplicateCNs allow access control on a less-granular, per user basis. | |||
#Remove # if you will manage access by user instead of device. | |||
#duplicate-cn | |||
# Generated for use by PiVPN.io | |||
END_COMMENT | |||
</syntaxhighlight> | |||
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh1024.pem 1024 | |||
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh2048.pem 2048 | |||
sudo systemctl start [email protected] | |||
sudo systemctl status [email protected] | |||
==Client== | |||
{| | |||
| valign="top" colspan="3" | | |||
<syntaxhighlight lang="bash" highlight="3-5,11-12"> | |||
pivpn add -n shahed_note | |||
: <<'EOC' | |||
How many days should the certificate last? 1080 | |||
Enter the password for the client: | |||
Enter the password again to verify: | |||
--more-skipped-- | |||
======================================================== | |||
Done! shahed_note.ovpn successfully created! | |||
shahed_note.ovpn was copied to: | |||
/home/pi/ovpns | |||
for easy transfer. Please use this profile only on one | |||
device and create additional profiles for other devices. | |||
======================================================== | |||
EOC | |||
</syntaxhighlight> | |||
|- | |||
| colspan="3" | | |||
---- | |||
|- | |||
| valign="top" colspan="2" | | |||
ls -lah /home/pi/ovpns/*.ovpn | |||
ls -lah /etc/openvpn/easy-rsa/pki/reqs/*.req | |||
ls -lah /etc/openvpn/easy-rsa/pki/issued/*.crt | |||
ls -lah /etc/openvpn/easy-rsa/pki/private/*.key | |||
| valign="top"| | |||
stat -c '%a %n' /home/pi/ovpns/*.ovpn | |||
chmod 644 /home/pi/ovpns/*.ovpn | |||
chmod 640 /home/pi/ovpns/*.ovpn | |||
stat -c '%a %n' /home/pi/ovpns/*.ovpn | |||
|- | |||
| colspan="3" | | |||
---- | |||
|- | |||
| valign="top" colspan="3" | | |||
ln -s /home/pi/ovpns/shahed_note.ovpn\ | |||
/var/shahed/www/vpn.shahed.biz/docs/comn/ovpns/shahed_note.ovpn | |||
https://vpn.shahed.biz/docs/comn/ovpns/ | |||
|} | |||
==Debug== | |||
<syntaxhighlight lang="bash"> | |||
mkdir /etc/openvpn/ccd | |||
systemctl restart openvpn | |||
tail -f /var/log/openvpn.log | |||
sysctl -w net.ipv4.ip_forward=1 | |||
nc -uv 10.20.13.1 1194 | |||
nc -uv 10.19.83.103 1194 | |||
nc -uv 10.19.83.203 1194 | |||
nc -uv vpn.shahed.biz 1194 | |||
nc -uv vpn0.dev.shahed.biz 1194 | |||
</syntaxhighlight> | |||
==Connect== | |||
* [https://apps.apple.com/us/app/openvpn-connect/id590379981 OpenVPN » Connect » iPhone/iPad] | |||
* [https://play.google.com/store/apps/details?id=net.openvpn.openvpn OpenVPN » Connect » Android] | |||
* [https://openvpn.net/client-connect-vpn-for-windows/ OpenVPN » Connect » Windows] | |||
* [https://openvpn.net/client-connect-vpn-for-mac-os/ OpenVPN » Connect » Mac OS] | |||
* [https://www.ovpn.com/en/guides/ubuntu OpenVPN » Client » Ubuntu] | |||
* [https://openvpn.net/openvpn-client-for-linux/ OpenVPN » Client » Linux] | |||
==NAT Route== | |||
vim /etc/sysctl.conf | |||
<syntaxhighlight lang="ini" line start="27" highlight="2"> | |||
# Uncomment the next line to enable packet forwarding for IPv4 | |||
net.ipv4.ip_forward=1 | |||
</syntaxhighlight> | |||
---- | |||
sudo sysctl -p | |||
'''net.ipv4.ip_forward = 1''' | |||
ip route | grep default | |||
default via 10.19.83.1 dev '''wlan0''' proto dhcp src 10.19.83.103 metric 303 | |||
---- | |||
sudo vim /etc/ufw/before.rules | |||
<syntaxhighlight lang="ini" line start="5" highlight="9-13"> | |||
# rules should be added to one of these chains: | |||
# ufw-before-input | |||
# ufw-before-output | |||
# ufw-before-forward | |||
# | |||
# Start OpenVPN Rules | |||
# NAT table rules | |||
*nat | |||
:POSTROUTING ACCEPT [0:0] | |||
# Allow traffic from OpenVPN client to wlan0 | |||
-A POSTROUTING -s 10.20.30.0/24 -o wlan0 -j MASQUERADE | |||
COMMIT | |||
# End OpenVPN Rules | |||
# Don't delete these required lines, otherwise there will be errors | |||
*filter | |||
</syntaxhighlight> | |||
---- | |||
vim /etc/ufw/sysctl.conf | |||
<syntaxhighlight lang="ini" line start="9" highlight="2-4"> | |||
# Uncomment this to allow this host to route packets between interfaces | |||
net/ipv4/ip_forward=1 | |||
net/ipv6/conf/default/forwarding=1 | |||
net/ipv6/conf/all/forwarding=1 | |||
</syntaxhighlight> | |||
---- | |||
sudo vim /etc/default/ufw | |||
<syntaxhighlight lang="ini" line start="17" highlight="3"> | |||
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that | |||
# if you change this you will most likely want to adjust your rules | |||
DEFAULT_FORWARD_POLICY="ACCEPT" | |||
</syntaxhighlight> | |||
---- | |||
sudo vim /lib/systemd/system/ufw.service | |||
<syntaxhighlight lang="ini" line highlight="6"> | |||
[Unit] | |||
Description=Uncomplicated firewall | |||
Documentation=man:ufw(8) | |||
DefaultDependencies=no | |||
Before=network.target | |||
After=netfilter-persistent.service | |||
[Service] | |||
Type=oneshot | |||
RemainAfterExit=yes | |||
ExecStart=/lib/ufw/ufw-init start quiet | |||
ExecStop=/lib/ufw/ufw-init stop | |||
[Install] | |||
WantedBy=multi-user.target | |||
</syntaxhighlight> | |||
---- | |||
sudo ufw allow http | |||
sudo ufw allow OpenSSH | |||
sudo ufw allow 1194/udp | |||
systemctl status ufw | |||
sudo ufw disable | |||
sudo ufw enable | |||
sysctl -w net.ipv4.tcp_window_scaling=0 | sudo systemctl start openvpn@server | ||
sudo systemctl status openvpn@server | |||
---- | |||
<syntaxhighlight lang="bash"> | |||
ip addr show tun0 | |||
:' | |||
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100 | |||
link/none | |||
inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0 | |||
valid_lft forever preferred_lft forever | |||
inet6 fe80::ab3a:dcac:98ba:b7a/64 scope link stable-privacy | |||
valid_lft forever preferred_lft forever | |||
' | |||
</syntaxhighlight> | |||
---- | |||
<syntaxhighlight lang="bash"> | |||
ufw status verbose | |||
: <<'EOC' | |||
Status: active | |||
Logging: on (low) | |||
Default: deny (incoming), allow (outgoing), allow (routed) | |||
New profiles: skip | |||
To Action From | |||
-- ------ ---- | |||
22/tcp ALLOW IN Anywhere | |||
1194 ALLOW IN Anywhere | |||
80/tcp ALLOW IN Anywhere | |||
1194/udp ALLOW IN Anywhere | |||
22/tcp (OpenSSH) ALLOW IN Anywhere | |||
22/tcp (v6) ALLOW IN Anywhere (v6) | |||
1194 (v6) ALLOW IN Anywhere (v6) | |||
80/tcp (v6) ALLOW IN Anywhere (v6) | |||
1194/udp (v6) ALLOW IN Anywhere (v6) | |||
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6) | |||
Anywhere on wlan0 ALLOW FWD Anywhere on tun0 | |||
10.19.83.0/24 ALLOW FWD 10.8.0.0/24 | |||
Anywhere (v6) on wlan0 ALLOW FWD Anywhere (v6) on tun0 | |||
EOC | |||
ufw status numbered | |||
ufw status | |||
</syntaxhighlight> | |||
==Ubuntu Client== | |||
{| | |||
| valign="top" colspan="2" | | |||
<syntaxhighlight lang="bash"> | |||
cat <<-'EXE'|sudo bash | |||
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y | |||
apt-get install -y apt-transport-https ca-certificates gnupg curl software-properties-common | |||
EXE | |||
</syntaxhighlight> | |||
|- | |||
| colspan="2" | | |||
---- | |||
|- | |||
| valign="top"| | |||
<syntaxhighlight lang="bash"> | |||
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg \ | |||
| sudo tee /etc/apt/keyrings/openvpn2.asc >/dev/null | |||
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}") | |||
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn2.list >/dev/null | |||
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn2.asc]\ | |||
http://build.openvpn.net/debian/openvpn/release/2.6 ${DISTRIBUTION} main | |||
EOF | |||
</syntaxhighlight> | |||
| valign="top"| | |||
<syntaxhighlight lang="bash"> | |||
curl -fsSL https://packages.openvpn.net/packages-repo.gpg \ | |||
| sudo tee /etc/apt/keyrings/openvpn3.asc >/dev/null | |||
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}") | |||
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn3.list >/dev/null | |||
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn3.asc]\ | |||
https://packages.openvpn.net/openvpn3/debian ${DISTRIBUTION} main | |||
EOF | |||
</syntaxhighlight> | |||
|- | |||
| colspan="2" | | |||
---- | |||
|- | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
cat <<-'EXE'|sudo bash | |||
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y | |||
apt-get install -y openvpn | |||
openvpn --version | |||
EXE | |||
</syntaxhighlight> | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
cat <<-'EXE'|sudo bash | |||
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y | |||
apt-get install -y openvpn3 | |||
openvpn --version | |||
EXE | |||
</syntaxhighlight> | |||
|- | |||
| colspan="2" | | |||
---- | |||
|- | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
openvpn3 config-import\ | |||
--name vpn.chorke.org\ | |||
--config ~/ovpns/chorke_ceo.ovpn | |||
openvpn3 configs-list | |||
openvpn3 config-remove\ | |||
--config vpn.chorke.org | |||
openvpn3 config-remove\ | |||
--config ~/ovpns/chorke_ceo.ovpn | |||
openvpn3 config-remove --path\ | |||
/net/openvpn/v3/configuration/65c57d54xbd4fx40aex9819x47ba0803d7c5 | |||
</syntaxhighlight> | |||
| valign="top"| | |||
<syntaxhighlight lang="bash"> | |||
openvpn3 session-start\ | |||
--config vpn.chorke.org | |||
openvpn3 session-start\ | |||
--config ~/ovpns/chorke_ceo.ovpn | |||
openvpn3 sessions-list | |||
openvpn3 session-manage\ | |||
--disconnect --config vpn.chorke.org | |||
openvpn3 session-manage --disconnect --config\ | |||
~/ovpns/chorke_ceo.ovpn | |||
openvpn3 session-manage --disconnect --path\ | |||
/net/openvpn/v3/sessions/dab84ba8s3678s41d5saa61sf1515ffa690c | |||
</syntaxhighlight> | |||
|- | |||
| colspan="2" | | |||
---- | |||
|- | |||
| valign="top" colspan="2" | | |||
<syntaxhighlight lang="ini"> | |||
[Unit] | |||
Description=vpn.chorke.org | |||
After=network.target | |||
[Service] | |||
Type=simple | |||
Restart=always | |||
WorkingDirectory=/home/academia/ovpns | |||
ExecStart=/usr/sbin/openvpn --config vpn.chorke.org | |||
[Install] | |||
WantedBy=multi-user.target | |||
</syntaxhighlight> | |||
|} | |||
==Linux Service== | |||
{| | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
cat << EOF | sudo tee /etc/systemd/system/academia-vpn-dev.service >>/dev/null | |||
[Unit] | |||
Description=Academia OpenVPN Dev Client | |||
After=network.target | |||
[Service] | |||
Restart=always | |||
Type=simple | |||
WorkingDirectory=/home/shahed/ovpns | |||
ExecStart=/usr/sbin/openvpn --config academia-vpn-dev.ovpn | |||
[Install] | |||
WantedBy=multi-user.target | |||
EOF | |||
</syntaxhighlight> | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
sudo systemctl daemon-reload | |||
sudo systemctl enable --now academia-vpn-dev | |||
systemctl status academia-vpn-dev | |||
sudo systemctl disable --now academia-vpn-dev | |||
systemctl status academia-vpn-dev | |||
sudo systemctl restart academia-vpn-dev | |||
systemctl status academia-vpn-dev | |||
sudo systemctl stop academia-vpn-dev | |||
systemctl status academia-vpn-dev | |||
</syntaxhighlight> | |||
|- | |||
| colspan="2" | | |||
---- | |||
|- | |||
| valign="top" | | |||
| valign="top" | | |||
|} | |||
==Knowledge== | |||
{| | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
ufw status | |||
netstat -a | |||
netstat -lpn | |||
pivpn add | |||
pivpn list | |||
pivpn revoke | |||
pivpn -u # uninstall | |||
apt install ufw | |||
apt install nmap | |||
apt install telnet | |||
apt list --installed | |||
</syntaxhighlight> | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
netstat -uap|grep openvpn | |||
tail -f /var/log/openvpn.log | |||
nano /etc/openvpn/server.conf | |||
nmap -sT vpn0.dev.shahed.biz | |||
nmap -sU vpn0.dev.shahed.biz | |||
nc -uv 10.20.13.1 1194 | |||
nc -uv 10.19.83.103 1194 | |||
nc -uv 10.19.83.203 1194 | |||
nc -uv vpn.shahed.biz 1194 | |||
nc -uv vpn0.dev.shahed.biz 1194 | |||
</syntaxhighlight> | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
telnet localhost 1194 | |||
telnet nas0.dev.shahed.biz 80 | |||
telnet nas0.dev.shahed.biz 1194 | |||
rm -f /etc/openvpn/pki/reqs/dev.shahed.biz.req | |||
apt purge openmediavault-openvpn | |||
rm -rf /opt/EasyRSA-v3.0.6/ | |||
rm -rf /etc/openvpn/ | |||
sysctl -w net.ipv4.ip_forward=1 | |||
sysctl -w net.ipv4.tcp_window_scaling=0 | |||
route add -net 10.20.30.0/24 gw 10.19.83.1 metric 1 | |||
</syntaxhighlight> | |||
|- | |||
|colspan="3"| | |||
---- | |||
|- | |||
| valign="top" | | |||
<syntaxhighlight lang="bash"> | |||
cat /sys/firmware/devicetree/base/model;echo | |||
cat /proc/device-tree/model;echo | |||
/opt/vc/bin/vcgencmd version | |||
cat /proc/cpuinfo | |||
</syntaxhighlight> | |||
| valign="top" | | |||
| valign="top" | | |||
|} | |||
==References== | ==References== | ||
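Review bot: The Client section ends by publishing the generated client profile: after `chmod 644 /home/pi/ovpns/*.ovpn` / `chmod 640 /home/pi/ovpns/*.ovpn` it symlinks `shahed_note.ovpn` into the web root behind `https://vpn.shahed.biz/docs/comn/ovpns/`, so anyone who can reach that URL can download the profile, which for a PiVPN-generated client normally carries the CA certificate, the client certificate, the tls-auth key and the passphrase-protected client key inline (confirm against the file itself). Move the profile over an authenticated channel such as `scp` from `/home/pi/ovpns`, keep it at `0600`, and remove the symlink; if it has already been served, treat the embedded material as disclosed and re-issue the client with `pivpn revoke` followed by `pivpn add`. In the Server section, `openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh1024.pem 1024` produces a 1024-bit group that nothing in `server.conf` references (the config uses `dh /etc/openvpn/easy-rsa/pki/dh2048.pem`) and that is below current minimums, so that line should be dropped. In the NAT Route section, `DEFAULT_FORWARD_POLICY="ACCEPT"` in `/etc/default/ufw` permits forwarding between every interface pair, while the `ufw status verbose` output already shows the specific `Anywhere on wlan0 ALLOW FWD Anywhere on tun0` route rule, so the default can stay at `DROP`.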
Line 21: | Line 535: | ||
| valign="top" | | | valign="top" | | ||
* [https://openvpn.net/vpn-server-resources/openvpn-access-server-system-requirements/ OpenVPN Access Server System Requirements] | * [https://openvpn.net/vpn-server-resources/openvpn-access-server-system-requirements/ OpenVPN Access Server System Requirements] | ||
* [https:// | * [https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-22-04 Config an OpenVPN Server on Ubuntu 22.04] | ||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04 Config an OpenVPN Server on Ubuntu 20.04] | |||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04 Config an OpenVPN Server on Ubuntu 18.04] | * [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04 Config an OpenVPN Server on Ubuntu 18.04] | ||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 Config an OpenVPN Server on Ubuntu 16.04] | * [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 Config an OpenVPN Server on Ubuntu 16.04] | ||
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 Config an OpenVPN Server on Ubuntu 14.04] | |||
* [https://openvpn.net/vpn-server-resources/installation-guide-for-openvpn-connect-client-on-windows/ OpenVPN Connect Client On Windows] | * [https://openvpn.net/vpn-server-resources/installation-guide-for-openvpn-connect-client-on-windows/ OpenVPN Connect Client On Windows] | ||
* [https://forums.openvpn.net/viewtopic.php?t=11010 OpenVPN not Listening on Port 1194] | * [https://forums.openvpn.net/viewtopic.php?t=11010 OpenVPN not Listening on Port 1194] | ||
* [https://forums.openvpn.net/viewtopic.php?t=25476 OpenVPN Pi Setup not Listening] | * [https://forums.openvpn.net/viewtopic.php?t=25476 OpenVPN Pi Setup not Listening] | ||
* [https://openvpn.net/community-resources/how-to/ OpenVPN How To] | * [https://openvpn.net/community-resources/how-to/ OpenVPN How To] | ||
| valign="top" | | |||
* [https://openvpn.net/community-resources/ethernet-bridging/ OpenVPN Ethernet Bridging Virtual TAP Interfaces] | |||
* [https://serverfault.com/questions/734428/ Prevent SSH freezes over an OpenVPN Client] | |||
* [https://devtidbits.com/2019/07/31/ufw-service-not-loading-after-a-reboot/ <code>ufw</code> service not loaded after a reboot] | |||
* [https://serverfault.com/questions/21157/ Should I use Tap or Tun for OpenVPN] | |||
* [https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux OpenVPN3 Linux Client Config] | |||
* [https://security.stackexchange.com/questions/46442/ OpenVPN Tap vs Tun Mode] | |||
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.19.83.0&ctype=ipv4&printit=0&x=83&y=18 Calculate 10.19.83.0/24] | |||
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.20.13.0&ctype=ipv4&printit=0&x=58&y=29 Calculate 10.20.13.0/24] | |||
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=c&csubnet=24&cip=10.20.30.0&ctype=ipv4&printit=0&x=80&y=16 Calculate 10.20.30.0/24] | |||
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.8.0.0&ctype=ipv4&printit=0&x=75&y=11 Calculate 10.8.0.0/24] | |||
| valign="top" | | |||
* [https://forums.openvpn.net/viewtopic.php?t=30624#p93139 OpenVPN » Disable TLS-crypt in PIVPN to speed up] | |||
* [https://openvpn.net/cloud-docs/tutorials/configuration-tutorials/connectors/operating-systems/linux/tutorial--learn-to-install-and-control-the-openvpn-3-client.html Install and Control the OpenVPN 3 Client] | |||
* [https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos OpenVPN 2 Software Repository] | |||
* [https://openvpn.net/ OpenVPN] | * [https://openvpn.net/ OpenVPN] | ||
* [https://www.pivpn.io/ PiVPN] | * [https://www.pivpn.io/ PiVPN] | ||
|- | |||
| colspan="3" | | |||
---- | |||
|- | |||
| valign="top" | | |||
* [https://superuser.com/questions/513159/ Systemd » Safe Remove Services] | |||
* [https://serverfault.com/questions/283129/ SSH Connection Hang Forever] | |||
* [https://www.cloudflare.com/products/tunnel/ Tunnel » Cloudflare] | |||
* [https://dashboard.ngrok.com/tunnels/agents Tunnel » Ngrok] | |||
* [[Localtunnel|Tunnel » Local]] | |||
* [[CIDR]] | |||
| valign="top" | | |||
| valign="top" | | | valign="top" | | ||
|} | |} |
Latest revision as of 00:55, 18 September 2024
Let’s say you have an old dedicated server without AES-NI and you need 200 devices connected to it, but they only route traffic for a web server and a file server on your private network, and about 50% will be actively using the connection, and 50% will be idling, at any given time. As in the previous example this will of course vary somewhat as some users are working on other tasks and alternate this with retrieving files and data through the VPN tunnel. Let’s say you want to make sure each active user will have 10Mbps available, and let’s again assume they actually have that bandwidth on their Internet connection.
100 active users times 10Mbps is 1000Mbps or 1Gbps. Most systems nowadays have this by default, even servers that are several years old. 1000Mbps times 40MHz is about 40000MHz or 40GHz. Older servers with a dual octa-core setup with 2.5GHz will be able to get you to those requirements. With 200 connected devices in this example you would need about 2GB of memory, a fairly low amount.
PiVPN
curl -L https://install.pivpn.io | bash
vim /etc/pivpn/openvpn/setupVars.conf
PLAT=Raspbian
OSCN=buster
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=10.19.83.103/24
IPv4gw=10.19.83.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=10.19.83.1
pivpnDNS2=10.19.83.100
pivpnSEARCHDOMAIN=dev.shahed.biz
pivpnHOST=vpn.shahed.biz
TWO_POINT_FOUR=0
pivpnENCRYPT=2048
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.20.30.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=()
HELP_SHOWN=1
Server
vim /etc/openvpn/server.conf
: <<'END_COMMENT'
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.crt
key /etc/openvpn/easy-rsa/pki/private/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.20.30.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN dev.shahed.biz"
push "dhcp-option DNS 10.19.83.1"
push "dhcp-option DNS 10.19.83.100"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1 bypass-dhcp"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
END_COMMENT
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh1024.pem 1024
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh2048.pem 2048
sudo systemctl start openvpn@server.service
sudo systemctl status openvpn@server.service
Client
pivpn add -n shahed_note
: <<'EOC'
How many days should the certificate last? 1080
Enter the password for the client:
Enter the password again to verify:
--more-skipped--
========================================================
Done! shahed_note.ovpn successfully created!
shahed_note.ovpn was copied to:
/home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
EOC
ls -lah /home/pi/ovpns/*.ovpn
ls -lah /etc/openvpn/easy-rsa/pki/reqs/*.req
ls -lah /etc/openvpn/easy-rsa/pki/issued/*.crt
ls -lah /etc/openvpn/easy-rsa/pki/private/*.key
stat -c '%a %n' /home/pi/ovpns/*.ovpn
chmod 644 /home/pi/ovpns/*.ovpn
chmod 640 /home/pi/ovpns/*.ovpn
stat -c '%a %n' /home/pi/ovpns/*.ovpn
ln -s /home/pi/ovpns/shahed_note.ovpn\
/var/shahed/www/vpn.shahed.biz/docs/comn/ovpns/shahed_note.ovpn
https://vpn.shahed.biz/docs/comn/ovpns/
Debug
mkdir /etc/openvpn/ccd
systemctl restart openvpn
tail -f /var/log/openvpn.log
sysctl -w net.ipv4.ip_forward=1
nc -uv 10.20.13.1 1194
nc -uv 10.19.83.103 1194
nc -uv 10.19.83.203 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194
Connect
- OpenVPN » Connect » iPhone/iPad
- OpenVPN » Connect » Android
- OpenVPN » Connect » Windows
- OpenVPN » Connect » Mac OS
- OpenVPN » Client » Ubuntu
- OpenVPN » Client » Linux
NAT Route
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
sudo sysctl -p
net.ipv4.ip_forward = 1
ip route | grep default
default via 10.19.83.1 dev wlan0 proto dhcp src 10.19.83.103 metric 303
sudo vim /etc/ufw/before.rules
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Start OpenVPN Rules
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlan0
-A POSTROUTING -s 10.20.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
# End OpenVPN Rules
# Don't delete these required lines, otherwise there will be errors
*filter
vim /etc/ufw/sysctl.conf
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
sudo vim /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo vim /lib/systemd/system/ufw.service
[Unit]
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
Before=network.target
After=netfilter-persistent.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
ExecStop=/lib/ufw/ufw-init stop
[Install]
WantedBy=multi-user.target
sudo ufw allow http
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
systemctl status ufw
sudo ufw disable
sudo ufw enable
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
ip addr show tun0
:'
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::ab3a:dcac:98ba:b7a/64 scope link stable-privacy
valid_lft forever preferred_lft forever
'
ufw status verbose
: <<'EOC'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194 ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
1194 (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
1194/udp (v6) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
Anywhere on wlan0 ALLOW FWD Anywhere on tun0
10.19.83.0/24 ALLOW FWD 10.8.0.0/24
Anywhere (v6) on wlan0 ALLOW FWD Anywhere (v6) on tun0
EOC
ufw status numbered
ufw status
Ubuntu Client
cat <<-'EXE'|sudo bash
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y
apt-get install -y apt-transport-https ca-certificates gnupg curl software-properties-common
EXE
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg \
| sudo tee /etc/apt/keyrings/openvpn2.asc >/dev/null
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn2.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn2.asc]\
http://build.openvpn.net/debian/openvpn/release/2.6 ${DISTRIBUTION} main
EOF
curl -fsSL https://packages.openvpn.net/packages-repo.gpg \
| sudo tee /etc/apt/keyrings/openvpn3.asc >/dev/null
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn3.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn3.asc]\
https://packages.openvpn.net/openvpn3/debian ${DISTRIBUTION} main
EOF
cat <<-'EXE'|sudo bash
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y
apt-get install -y openvpn
openvpn --version
EXE
cat <<-'EXE'|sudo bash
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y
apt-get install -y openvpn3
openvpn --version
EXE
openvpn3 config-import\
--name vpn.chorke.org\
--config ~/ovpns/chorke_ceo.ovpn
openvpn3 configs-list
openvpn3 config-remove\
--config vpn.chorke.org
openvpn3 config-remove\
--config ~/ovpns/chorke_ceo.ovpn
openvpn3 config-remove --path\
/net/openvpn/v3/configuration/65c57d54xbd4fx40aex9819x47ba0803d7c5
openvpn3 session-start\
--config vpn.chorke.org
openvpn3 session-start\
--config ~/ovpns/chorke_ceo.ovpn
openvpn3 sessions-list
openvpn3 session-manage\
--disconnect --config vpn.chorke.org
openvpn3 session-manage --disconnect --config\
~/ovpns/chorke_ceo.ovpn
openvpn3 session-manage --disconnect --path\
/net/openvpn/v3/sessions/dab84ba8s3678s41d5saa61sf1515ffa690c
[Unit]
Description=vpn.chorke.org
After=network.target
[Service]
Type=simple
Restart=always
WorkingDirectory=/home/academia/ovpns
ExecStart=/usr/sbin/openvpn --config vpn.chorke.org
[Install]
WantedBy=multi-user.target
Linux Service
cat << EOF | sudo tee /etc/systemd/system/academia-vpn-dev.service >>/dev/null
[Unit]
Description=Academia OpenVPN Dev Client
After=network.target
[Service]
Restart=always
Type=simple
WorkingDirectory=/home/shahed/ovpns
ExecStart=/usr/sbin/openvpn --config academia-vpn-dev.ovpn
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now academia-vpn-dev
systemctl status academia-vpn-dev
sudo systemctl disable --now academia-vpn-dev
systemctl status academia-vpn-dev
sudo systemctl restart academia-vpn-dev
systemctl status academia-vpn-dev
sudo systemctl stop academia-vpn-dev
systemctl status academia-vpn-dev
Knowledge
ufw status
netstat -a
netstat -lpn
pivpn add
pivpn list
pivpn revoke
pivpn -u # uninstall
apt install ufw
apt install nmap
apt install telnet
apt list --installed
netstat -uap|grep openvpn
tail -f /var/log/openvpn.log
nano /etc/openvpn/server.conf
nmap -sT vpn0.dev.shahed.biz
nmap -sU vpn0.dev.shahed.biz
nc -uv 10.20.13.1 1194
nc -uv 10.19.83.103 1194
nc -uv 10.19.83.203 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194
telnet localhost 1194
telnet nas0.dev.shahed.biz 80
telnet nas0.dev.shahed.biz 1194
rm -f /etc/openvpn/pki/reqs/dev.shahed.biz.req
apt purge openmediavault-openvpn
rm -rf /opt/EasyRSA-v3.0.6/
rm -rf /etc/openvpn/
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.tcp_window_scaling=0
route add -net 10.20.30.0/24 gw 10.19.83.1 metric 1
cat /sys/firmware/devicetree/base/model;echo
cat /proc/device-tree/model;echo
/opt/vc/bin/vcgencmd version
cat /proc/cpuinfo