OpenVPN: Difference between revisions

 
(53 intermediate revisions by the same user not shown)
Line 5: Line 5:
==PiVPN==
==PiVPN==
  curl -L https://install.pivpn.io | bash
  curl -L https://install.pivpn.io | bash
vim /etc/pivpn/openvpn/setupVars.conf
<syntaxhighlight lang="ini" line highlight="4-10,14-17,19,25-27">
PLAT=Raspbian
OSCN=buster
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=10.19.83.103/24
IPv4gw=10.19.83.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=10.19.83.1
pivpnDNS2=10.19.83.100
pivpnSEARCHDOMAIN=dev.shahed.biz
pivpnHOST=vpn.shahed.biz
TWO_POINT_FOUR=0
pivpnENCRYPT=2048
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.20.30.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=()
HELP_SHOWN=1
</syntaxhighlight>


===Server===
==Server==
<source lang="bash" highlight="3-5,11,13-15,21-24">
<syntaxhighlight lang="bash" highlight="3-5,9-11,13-15,17,21">
nano /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
: <<'END_COMMENT'
: <<'END_COMMENT'
dev tun
dev tun
proto udp4
proto udp
port 1194
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.crt
key /etc/openvpn/easy-rsa/pki/private/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.key
key /etc/openvpn/easy-rsa/pki/private/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
topology subnet
server 10.8.0.0 255.255.255.0
server 10.20.30.0 255.255.255.0
# Set your primary domain name server address for clients
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN dev.shahed.biz"
push "dhcp-option DOMAIN dev.shahed.biz"
push "dhcp-option DNS 10.19.83.1"
push "dhcp-option DNS 10.19.83.100"
push "dhcp-option DNS 10.19.83.100"
push "dhcp-option DNS 10.19.83.1"
# Prevent DNS leaks on Windows
# Prevent DNS leaks on Windows
push "block-outside-dns"
push "block-outside-dns"
Line 28: Line 63:
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# overriding but not wiping out the original default gateway.
push "route 10.19.83.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
client-to-client
client-to-client
client-config-dir /etc/openvpn/ccd
client-config-dir /etc/openvpn/ccd
Line 47: Line 81:
syslog
syslog
verb 3
verb 3
# DuplicateCNs allow access control on a less-granular, per user basis.
#DuplicateCNs allow access control on a less-granular, per user basis.
# Remove # if you will manage access by user instead of device.  
#Remove # if you will manage access by user instead of device.  
# duplicate-cn
#duplicate-cn
# Generated for use by PiVPN.io
# Generated for use by PiVPN.io
END_COMMENT
END_COMMENT
</source>
</syntaxhighlight>


  openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh1024.pem 1024
  openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh1024.pem 1024
Line 60: Line 94:
  sudo systemctl status [email protected]
  sudo systemctl status [email protected]


===Client===
==Client==
vim /etc/openvpn/server.conf
{|
vim /etc/pivpn/openvpn/setupVars.conf
| valign="top" colspan="3" |
<syntaxhighlight lang="bash" highlight="3-5,11-12">
<source lang="bash" highlight="18-21,29">
pivpn add -n shahed_note
pivpn add
: <<'EOC'
: <<'END_COMMENT'
::: Create a client ovpn profile, optional nopass
:::
::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-b|--bitwarden] [-i|--iOS] [-o|--ovpn] [-h|--help]
:::
::: Commands:
:::  [none]              Interactive mode
:::  nopass              Create a client without a password
:::  -n,--name            Name for the Client (default: 'pi03')
:::  -p,--password        Password for the Client (no default)
:::  -d,--days            Expire the certificate after specified number of days (default: 1080)
:::  -b,--bitwarden      Create and save a client through Bitwarden
:::  -i,--iOS            Generate a certificate that leverages iOS keychain
:::  -o,--ovpn            Regenerate a .ovpn config file for an existing client
:::  -h,--help            Show this help dialog
 
Enter a Name for the Client:  ios 
How many days should the certificate last?  1080
How many days should the certificate last?  1080
Enter the password for the client:   
Enter the password for the client:   
Enter the password again to verify:   
Enter the password again to verify:   
spawn ./easyrsa build-client-full ios


--more-skipped--
--more-skipped--


========================================================
========================================================
Done! ios.ovpn successfully created!  
Done! shahed_note.ovpn successfully created!  
ios.ovpn was copied to:
shahed_note.ovpn was copied to:
   /home/pi/ovpns
   /home/pi/ovpns
for easy transfer. Please use this profile only on one
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
device and create additional profiles for other devices.
========================================================
========================================================
END_COMMENT
EOC
</source>
</syntaxhighlight>


{|
|-
| colspan="3" |
----
|-
| valign="top" colspan="2" |
| valign="top" colspan="2" |
  ls -lah /home/pi/ovpns/*.ovpn
  ls -lah /home/pi/ovpns/*.ovpn
Line 125: Line 144:
|}
|}


===Debug===
==Debug==
<source lang="bash">
<syntaxhighlight lang="bash">
mkdir /etc/openvpn/ccd
mkdir /etc/openvpn/ccd
systemctl restart openvpn
systemctl restart openvpn
Line 137: Line 156:
nc -uv vpn.shahed.biz 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194
</source>
</syntaxhighlight>


===Connect===
==Connect==
* [https://apps.apple.com/us/app/openvpn-connect/id590379981 OpenVPN Connect App for iPhone/iPad]
* [https://apps.apple.com/us/app/openvpn-connect/id590379981 OpenVPN » Connect » iPhone/iPad]
* [https://play.google.com/store/apps/details?id=net.openvpn.openvpn OpenVPN Connect App for Android]
* [https://play.google.com/store/apps/details?id=net.openvpn.openvpn OpenVPN » Connect » Android]
* [https://openvpn.net/client-connect-vpn-for-windows/ OpenVPN Connect for Windows]
* [https://openvpn.net/client-connect-vpn-for-windows/ OpenVPN » Connect » Windows]
* [https://openvpn.net/client-connect-vpn-for-mac-os/ OpenVPN Connect for Mac OS]
* [https://openvpn.net/client-connect-vpn-for-mac-os/ OpenVPN » Connect » Mac OS]
* [https://www.ovpn.com/en/guides/ubuntu OpenVPN » Client » Ubuntu]
* [https://openvpn.net/openvpn-client-for-linux/ OpenVPN » Client » Linux]


==NAT Routing==
==NAT Route==
  vim /etc/sysctl.conf
  vim /etc/sysctl.conf
'''net.ipv4.ip_forward=1'''
<syntaxhighlight lang="ini" line start="27" highlight="2">
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
</syntaxhighlight>
----
  sudo sysctl -p
  sudo sysctl -p
  '''net.ipv4.ip_forward = 1'''
  '''net.ipv4.ip_forward = 1'''
Line 154: Line 178:
  ip route | grep default
  ip route | grep default
  default via 10.19.83.1 dev '''wlan0''' proto dhcp src 10.19.83.103 metric 303
  default via 10.19.83.1 dev '''wlan0''' proto dhcp src 10.19.83.103 metric 303
 
----
  sudo vim /etc/ufw/before.rules
  sudo vim /etc/ufw/before.rules
<source lang="ini" line start="5" highlight="9-13">
<syntaxhighlight lang="ini" line start="5" highlight="9-13">
# rules should be added to one of these chains:
# rules should be added to one of these chains:
#  ufw-before-input
#  ufw-before-input
Line 174: Line 198:
# Don't delete these required lines, otherwise there will be errors
# Don't delete these required lines, otherwise there will be errors
*filter
*filter
</source>
</syntaxhighlight>
 
----
  vim /etc/ufw/sysctl.conf
  vim /etc/ufw/sysctl.conf
<source lang="ini" line start="9" highlight="2-4">
<syntaxhighlight lang="ini" line start="9" highlight="2-4">
# Uncomment this to allow this host to route packets between interfaces
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
net/ipv6/conf/all/forwarding=1
</source>
</syntaxhighlight>
 
----
  sudo vim /etc/default/ufw
  sudo vim /etc/default/ufw
<source lang="ini" line start="17" highlight="3">
<syntaxhighlight lang="ini" line start="17" highlight="3">
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
</source>
</syntaxhighlight>
----
sudo vim /lib/systemd/system/ufw.service
<syntaxhighlight lang="ini" line highlight="6">
[Unit]
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
Before=network.target
After=netfilter-persistent.service


[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
ExecStop=/lib/ufw/ufw-init stop
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
----
sudo ufw allow http
sudo ufw allow OpenSSH
  sudo ufw allow 1194/udp
  sudo ufw allow 1194/udp
  sudo ufw allow OpenSSH
 
systemctl status ufw
sudo ufw disable
  sudo ufw enable
  sudo systemctl start openvpn@server
  sudo systemctl start openvpn@server
  sudo systemctl status openvpn@server
  sudo systemctl status openvpn@server
 
----
<source lang="bash">
<syntaxhighlight lang="bash">
ip addr show tun0
ip addr show tun0
:'
:'
Line 206: Line 255:
       valid_lft forever preferred_lft forever
       valid_lft forever preferred_lft forever
'
'
</source>
</syntaxhighlight>
----
<syntaxhighlight lang="bash">
ufw status verbose
: <<'EOC'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
 
To                        Action      From
--                        ------      ----
22/tcp                    ALLOW IN    Anywhere                 
1194                      ALLOW IN    Anywhere                 
80/tcp                    ALLOW IN    Anywhere                 
1194/udp                  ALLOW IN    Anywhere                 
22/tcp (OpenSSH)          ALLOW IN    Anywhere                 
22/tcp (v6)                ALLOW IN    Anywhere (v6)           
1194 (v6)                  ALLOW IN    Anywhere (v6)           
80/tcp (v6)                ALLOW IN    Anywhere (v6)           
1194/udp (v6)              ALLOW IN    Anywhere (v6)           
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)           
 
Anywhere on wlan0          ALLOW FWD  Anywhere on tun0         
10.19.83.0/24              ALLOW FWD  10.8.0.0/24             
Anywhere (v6) on wlan0    ALLOW FWD  Anywhere (v6) on tun0
EOC
 
ufw status numbered
ufw status
</syntaxhighlight>
 
==Ubuntu Client==
{|
| valign="top" colspan="2" |
<syntaxhighlight lang="bash">
cat <<-'EXE'|sudo bash
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y
apt-get install -y apt-transport-https ca-certificates gnupg curl software-properties-common
EXE
</syntaxhighlight>
 
|-
| colspan="2" |
----
|-
| valign="top"|
<syntaxhighlight lang="bash">
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg \
|  sudo tee /etc/apt/keyrings/openvpn2.asc >/dev/null
 
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn2.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn2.asc]\
http://build.openvpn.net/debian/openvpn/release/2.6 ${DISTRIBUTION} main
EOF
</syntaxhighlight>
 
| valign="top"|
<syntaxhighlight lang="bash">
curl -fsSL https://packages.openvpn.net/packages-repo.gpg \
| sudo tee /etc/apt/keyrings/openvpn3.asc >/dev/null
 
DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn3.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn3.asc]\
https://packages.openvpn.net/openvpn3/debian ${DISTRIBUTION} main
EOF
</syntaxhighlight>
 
|-
| colspan="2" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
cat <<-'EXE'|sudo bash
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y
apt-get install -y openvpn
openvpn --version
EXE
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
cat <<-'EXE'|sudo bash
apt-get update;echo;apt list -a --upgradable;apt-get upgrade -y
apt-get install -y openvpn3
openvpn --version
EXE
</syntaxhighlight>
 
|-
| colspan="2" |
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
openvpn3 config-import\
--name vpn.chorke.org\
--config ~/ovpns/chorke_ceo.ovpn
 
 
 
openvpn3 configs-list
openvpn3 config-remove\
--config vpn.chorke.org
 
openvpn3 config-remove\
--config ~/ovpns/chorke_ceo.ovpn
 
openvpn3 config-remove --path\
/net/openvpn/v3/configuration/65c57d54xbd4fx40aex9819x47ba0803d7c5
</syntaxhighlight>
 
| valign="top"|
<syntaxhighlight lang="bash">
openvpn3 session-start\
--config vpn.chorke.org
 
openvpn3 session-start\
--config ~/ovpns/chorke_ceo.ovpn
 
openvpn3 sessions-list
openvpn3 session-manage\
--disconnect --config vpn.chorke.org
 
openvpn3 session-manage --disconnect --config\
~/ovpns/chorke_ceo.ovpn
 
openvpn3 session-manage --disconnect --path\
/net/openvpn/v3/sessions/dab84ba8s3678s41d5saa61sf1515ffa690c
</syntaxhighlight>
 
|-
| colspan="2" |
----
|-
| valign="top" colspan="2" |
<syntaxhighlight lang="ini">
[Unit]
Description=vpn.chorke.org
After=network.target
 
[Service]
Type=simple
Restart=always
WorkingDirectory=/home/academia/ovpns
ExecStart=/usr/sbin/openvpn --config vpn.chorke.org
 
[Install]
WantedBy=multi-user.target
</syntaxhighlight>
|}


==Firewall==
==Linux Service==
vim /etc/ufw/sysctl.conf
{|
'''net/ipv4/ip_forward=1'''
| valign="top" |
'''net/ipv6/conf/default/forwarding=1'''
<syntaxhighlight lang="bash">
'''net/ipv6/conf/all/forwarding=1'''
cat << EOF | sudo tee /etc/systemd/system/academia-vpn-dev.service >>/dev/null
[Unit]
Description=Academia OpenVPN Dev Client
After=network.target
 
[Service]
Restart=always
Type=simple
WorkingDirectory=/home/shahed/ovpns
ExecStart=/usr/sbin/openvpn --config academia-vpn-dev.ovpn
 
[Install]
WantedBy=multi-user.target
 
EOF
</syntaxhighlight>
 
| valign="top" |
<syntaxhighlight lang="bash">
sudo systemctl daemon-reload
 
 
sudo systemctl enable  --now academia-vpn-dev
    systemctl status  academia-vpn-dev
 
sudo systemctl disable --now academia-vpn-dev
    systemctl status  academia-vpn-dev
 
 
sudo systemctl restart academia-vpn-dev
    systemctl status  academia-vpn-dev


  vim /etc/default/ufw
sudo systemctl stop    academia-vpn-dev
'''DEFAULT_FORWARD_POLICY="ACCEPT"'''
    systemctl status academia-vpn-dev
</syntaxhighlight>


ufw allow from 10.8.0.0/24 to any port 22 proto tcp
|-
ufw allow from 10.8.0.0/24 to any port 22/tcp
| colspan="2" |
ufw allow ssh
----
|-
ufw allow from 10.8.0.0/24 to any port 80 proto tcp
| valign="top" |
ufw allow from 10.8.0.0/24 to any port 80/tcp
ufw allow http
ufw route allow in on tun0 out on wlan0
ufw route allow in on tun0 out on eth0
ufw allow 1194


ufw delete allow from 10.8.0.0/24 to any port 80
| valign="top" |
ufw status numbered
ufw delete 6


systemctl status ufw
|}
ufw status verbose
ufw disable
ufw enable
ufw status


==Knowledge==
==Knowledge==
<source lang="bash">
{|
| valign="top" |
<syntaxhighlight lang="bash">
ufw status
netstat -a
netstat -lpn
 
pivpn add
pivpn add
pivpn list
pivpn list
Line 250: Line 477:
apt install telnet
apt install telnet
apt list --installed
apt list --installed
</syntaxhighlight>
| valign="top" |
<syntaxhighlight lang="bash">
netstat -uap|grep openvpn
tail -f /var/log/openvpn.log
nano /etc/openvpn/server.conf


ufw status
netstat -a
netstat -lpn
nmap -sT vpn0.dev.shahed.biz
nmap -sT vpn0.dev.shahed.biz
nmap -sU vpn0.dev.shahed.biz
nmap -sU vpn0.dev.shahed.biz


nc -uv 10.20.13.1 1194
nc -uv 10.20.13.1 1194
Line 262: Line 494:
nc -uv vpn.shahed.biz 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194
</syntaxhighlight>


netstat -uap|grep openvpn
| valign="top" |
tail -f /var/log/openvpn.log
<syntaxhighlight lang="bash">
nano /etc/openvpn/server.conf
 
telnet localhost 1194
telnet localhost 1194
telnet nas0.dev.shahed.biz 80
telnet nas0.dev.shahed.biz 80
Line 275: Line 506:
rm -rf /opt/EasyRSA-v3.0.6/
rm -rf /opt/EasyRSA-v3.0.6/
rm -rf /etc/openvpn/
rm -rf /etc/openvpn/


sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.tcp_window_scaling=0
sysctl -w net.ipv4.tcp_window_scaling=0
route add -net 10.8.0.0/24 gw 10.19.83.1 metric 1
route add -net 10.20.30.0/24 gw 10.19.83.1 metric 1
</source>
</syntaxhighlight>
 
|-
|colspan="3"|
----
|-
| valign="top" |
<syntaxhighlight lang="bash">
cat /sys/firmware/devicetree/base/model;echo
cat /proc/device-tree/model;echo
/opt/vc/bin/vcgencmd version
cat /proc/cpuinfo
</syntaxhighlight>
 
| valign="top" |
 
| valign="top" |
 
|}


==References==
==References==
Line 285: Line 535:
| valign="top" |
| valign="top" |
* [https://openvpn.net/vpn-server-resources/openvpn-access-server-system-requirements/ OpenVPN Access Server System Requirements]
* [https://openvpn.net/vpn-server-resources/openvpn-access-server-system-requirements/ OpenVPN Access Server System Requirements]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-22-04 Config an OpenVPN Server on Ubuntu 22.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04 Config an OpenVPN Server on Ubuntu 20.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04 Config an OpenVPN Server on Ubuntu 18.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04 Config an OpenVPN Server on Ubuntu 18.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 Config an OpenVPN Server on Ubuntu 16.04]
* [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 Config an OpenVPN Server on Ubuntu 16.04]
Line 292: Line 544:
* [https://forums.openvpn.net/viewtopic.php?t=25476 OpenVPN Pi Setup not Listening]
* [https://forums.openvpn.net/viewtopic.php?t=25476 OpenVPN Pi Setup not Listening]
* [https://openvpn.net/community-resources/how-to/ OpenVPN How To]
* [https://openvpn.net/community-resources/how-to/ OpenVPN How To]
* [https://openvpn.net/ OpenVPN]
* [https://www.pivpn.io/ PiVPN]


| valign="top" |
| valign="top" |
* [https://openvpn.net/community-resources/ethernet-bridging/ OpenVPN Ethernet Bridging Virtual TAP Interfaces]
* [https://openvpn.net/community-resources/ethernet-bridging/ OpenVPN Ethernet Bridging Virtual TAP Interfaces]
* [https://serverfault.com/questions/734428/ Prevent SSH freezes over an OpenVPN Client]
* [https://serverfault.com/questions/734428/ Prevent SSH freezes over an OpenVPN Client]
* [https://serverfault.com/questions/21157/ Should I use Tap or Tun for OpenVPN?]
* [https://devtidbits.com/2019/07/31/ufw-service-not-loading-after-a-reboot/ <code>ufw</code> service not loaded after a reboot]
* [https://security.stackexchange.com/questions/46442/ OpenVPN Tap vs Tun Mode ]
* [https://serverfault.com/questions/21157/ Should I use Tap or Tun for OpenVPN]
* [https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux OpenVPN3 Linux Client Config]
* [https://security.stackexchange.com/questions/46442/ OpenVPN Tap vs Tun Mode]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.19.83.0&ctype=ipv4&printit=0&x=83&y=18 Calculate 10.19.83.0/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.19.83.0&ctype=ipv4&printit=0&x=83&y=18 Calculate 10.19.83.0/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.20.13.0&ctype=ipv4&printit=0&x=58&y=29 Calculate 10.20.13.0/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.20.13.0&ctype=ipv4&printit=0&x=58&y=29 Calculate 10.20.13.0/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=c&csubnet=24&cip=10.20.30.0&ctype=ipv4&printit=0&x=80&y=16 Calculate 10.20.30.0/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=c&csubnet=24&cip=10.20.30.0&ctype=ipv4&printit=0&x=80&y=16 Calculate 10.20.30.0/24]
* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.8.0.0&ctype=ipv4&printit=0&x=75&y=11 Calculate 10.8.0.0/24]


* [https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=24&cip=10.8.0.0&ctype=ipv4&printit=0&x=75&y=11 Calculate 10.8.0.0/24]
| valign="top" |
* [https://forums.openvpn.net/viewtopic.php?t=30624#p93139 OpenVPN » Disable TLS-crypt in PIVPN to speed up]
* [https://openvpn.net/cloud-docs/tutorials/configuration-tutorials/connectors/operating-systems/linux/tutorial--learn-to-install-and-control-the-openvpn-3-client.html Install and Control the OpenVPN 3 Client]
* [https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos OpenVPN 2 Software Repository]
* [https://openvpn.net/ OpenVPN]
* [https://www.pivpn.io/ PiVPN]
 
|-
| colspan="3" |
----
|-
| valign="top" |
* [https://superuser.com/questions/513159/ Systemd » Safe Remove Services]
* [https://serverfault.com/questions/283129/ SSH Connection Hang Forever]
* [https://www.cloudflare.com/products/tunnel/ Tunnel » Cloudflare]
* [https://dashboard.ngrok.com/tunnels/agents Tunnel » Ngrok]
* [[Localtunnel|Tunnel » Local]]
* [[CIDR]]
 
| valign="top" |
 
| valign="top" |


|}
|}
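Review bot: The `ufw status verbose` listing added to the NAT Route section still contains `10.19.83.0/24 ALLOW FWD 10.8.0.0/24`, a forward rule for the old VPN subnet, while the same revision moves the server to `server 10.20.30.0 255.255.255.0`; the rule is dead and should go (`ufw status numbered`, then `ufw delete <n>`). That listing also shows `22/tcp` and `1194` allowed three times each and `80/tcp` open to "Anywhere", the latter coming from the new `sudo ufw allow http` line with no note on what the VPN host serves over HTTP; if it only exists for the profile download, scope it, e.g. `sudo ufw allow from 10.19.83.0/24 to any port 80 proto tcp`. The old Firewall section's explicit `ufw route allow in on tun0 out on wlan0` no longer appears in the new text (its effect is still visible as `Anywhere on wlan0 ALLOW FWD Anywhere on tun0`) and forwarding is instead opened with `DEFAULT_FORWARD_POLICY="ACCEPT"`, which forwards between every interface; keeping DROP plus that single route rule is the tighter setup. The new `sudo ufw disable` / `sudo ufw enable` pair leaves the host unfiltered in between; `sudo ufw reload` re-reads the edited before.rules without that gap. The unchanged `openssl dhparam ... dh1024.pem 1024` line generates parameters that are below current minimums and are not referenced by the `dh /etc/openvpn/easy-rsa/pki/dh2048.pem` directive; it could be dropped in a follow-up.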

Latest revision as of 00:55, 18 September 2024

Let’s say you have an old dedicated server without AES-NI and you need 200 devices connected to it, but they only route traffic for a web server and a file server on your private network, and about 50% will be actively using the connection, and 50% will be idling, at any given time. As in the previous example this will of course vary somewhat as some users are working on other tasks and alternate this with retrieving files and data through the VPN tunnel. Let’s say you want to make sure each active user will have 10Mbps available, and let’s again assume they actually have that bandwidth on their Internet connection.
100 active users times 10Mbps is 1000Mbps or 1Gbps. Most systems nowadays have this by default, even servers that are several years old. 1000Mbps times 40MHz is about 40000MHz or 40GHz. Older servers with a dual octa-core setup at 2.5GHz will be able to get you to those requirements. With 200 connected devices in this example you would need about 2GB of memory, a fairly low amount.

PiVPN

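# PiVPN installer. Piping a remote script straight into bash executes whatever
# the server (or anyone able to tamper with the download) sends, with no chance
# to review it. Fetch it to a file, read it, then run the reviewed copy.
curl -fsSL -o pivpn-install.sh https://install.pivpn.io
less pivpn-install.sh
bash pivpn-install.sh

# The installer records its answers here; the file is plain bash assignments
# and is sourced by the pivpn tooling later on.
vim /etc/pivpn/openvpn/setupVars.conf
PLAT=Raspbian
OSCN=buster
# 0: ufw is not managed by the installer, so the ufw steps under "NAT Route"
# are done by hand and must agree with the values below
USING_UFW=0
pivpnforceipv6route=1
# LAN-facing interface and its DHCP-reserved address; the MASQUERADE rule and
# the default-route check later refer to the same wlan0 / 10.19.83.0/24
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=10.19.83.103/24
IPv4gw=10.19.83.1
install_user=pi
install_home=/home/pi
VPN=openvpn
# what clients dial, and the only port/protocol the router must forward
pivpnPROTO=udp
pivpnPORT=1194
# resolvers pushed to clients (server.conf "dhcp-option DNS"): internal LAN
# hosts, so name lookups stay inside the tunnel instead of leaking out
pivpnDNS1=10.19.83.1
pivpnDNS2=10.19.83.100
pivpnSEARCHDOMAIN=dev.shahed.biz
# public name clients are told to connect to (the "remote" in each .ovpn)
pivpnHOST=vpn.shahed.biz
TWO_POINT_FOUR=0
# RSA / DH size; 2048 is the floor today, larger only costs handshake time
pivpnENCRYPT=2048
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
# tunnel subnet; must not overlap the LAN (10.19.83.0/24) or a client's LAN
pivpnNET=10.20.30.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
# keep unattended security upgrades on for an Internet-exposed service
UNATTUPG=1
INSTALLED_PACKAGES=()
HELP_SHOWN=1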

Server

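vim /etc/openvpn/server.conf
# The heredoc below is the server.conf PiVPN generated; it is fed to ':' so the
# listing can be pasted without side effects.
: <<'END_COMMENT'
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.crt
key /etc/openvpn/easy-rsa/pki/private/pi03_cd0b38fd-1194-4fc2-b8e8-284b04ad0d02.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.20.30.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN dev.shahed.biz"
push "dhcp-option DNS 10.19.83.1"
push "dhcp-option DNS 10.19.83.100"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1 bypass-dhcp"
# client-to-client lets every VPN client talk to every other one directly,
# bypassing the host firewall; drop it if clients only need the LAN/Internet.
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
# Refuse peers whose certificate lacks the client EKU, so an issued client
# certificate cannot be reused to impersonate the server.
remote-cert-tls client
tls-version-min 1.2
# tls-auth only HMAC-signs the control channel; PiVPN's default tls-crypt also
# encrypts it. Keep tls-crypt unless the CPU genuinely cannot keep up.
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
# OpenVPN 2.4+ peers negotiate the data cipher (AEAD such as AES-256-GCM);
# AES-256-CBC is the fallback for clients that cannot negotiate.
cipher AES-256-CBC
auth SHA256
# Drop root after start-up; persist-key/persist-tun let restarts (SIGUSR1)
# succeed without the dropped privileges.
user openvpn
group openvpn
persist-key
persist-tun
# Certificates revoked with "pivpn revoke" are refused through this CRL.
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
END_COMMENT
# 1024-bit DH parameters are below current minimums (Logjam-class attacks) and
# are not what the "dh" line above references; generate only the 2048-bit set.
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh2048.pem 2048
# Unit name restored from the wiki's e-mail-obfuscated "[email protected]":
# openvpn@server.service is the template instance for /etc/openvpn/server.conf
# (the same unit is started as openvpn@server further down).
sudo systemctl start  openvpn@server.service
sudo systemctl status openvpn@server.service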

Client

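# One profile per device (-n names it). The password prompted for below
# protects the private key embedded in the resulting .ovpn at rest.
pivpn add -n shahed_note
: <<'EOC'
How many days should the certificate last?  1080
Enter the password for the client:  
Enter the password again to verify:  

--more-skipped--

========================================================
Done! shahed_note.ovpn successfully created! 
shahed_note.ovpn was copied to:
  /home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
EOC

ls -lah /home/pi/ovpns/*.ovpn
ls -lah /etc/openvpn/easy-rsa/pki/reqs/*.req
ls -lah /etc/openvpn/easy-rsa/pki/issued/*.crt
ls -lah /etc/openvpn/easy-rsa/pki/private/*.key
# A PiVPN .ovpn carries the client certificate and private key inline, so it
# is a credential: owner-only, never world-readable (the old 644 step exposed
# every profile to every local account and to the web server).
stat -c '%a %n' /home/pi/ovpns/*.ovpn
chmod 600       /home/pi/ovpns/*.ovpn
stat -c '%a %n' /home/pi/ovpns/*.ovpn

# Do NOT publish profiles under the web root: anyone who can fetch
# https://vpn.shahed.biz/docs/comn/ovpns/ (including crawlers) gets a working
# VPN key. Move the file over an authenticated channel from the device that
# will use it instead, e.g.
#   scp pi@vpn.shahed.biz:/home/pi/ovpns/shahed_note.ovpn .
# If a browser download is unavoidable, put the directory behind
# authentication and TLS, and unlink the profile as soon as it is fetched:
#   ln -s /home/pi/ovpns/shahed_note.ovpn \
#     /var/shahed/www/vpn.shahed.biz/docs/comn/ovpns/shahed_note.ovpn
#   rm /var/shahed/www/vpn.shahed.biz/docs/comn/ovpns/shahed_note.ovpn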

Debug

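# client-config-dir referenced by server.conf; -p so a re-run does not fail
mkdir -p /etc/openvpn/ccd
systemctl restart openvpn
tail -f /var/log/openvpn.log
# runtime only; the persistent setting lives in /etc/sysctl.conf (NAT Route)
sysctl -w net.ipv4.ip_forward=1

# UDP has no handshake, so nc cannot prove the server is listening: with
# tls-auth/tls-crypt the server silently drops unauthenticated packets and nc
# reports success unless an ICMP port-unreachable comes back. -z sends the
# probe and exits instead of waiting for input; the real answer is in
# /var/log/openvpn.log on the server.
# 10.20.13.1 looks like a leftover from an earlier tunnel subnet; the server's
# tun0 address is 10.20.30.1 (see "ip addr show tun0").
nc -zuv 10.20.13.1 1194
nc -zuv 10.19.83.103 1194
nc -zuv 10.19.83.203 1194
nc -zuv vpn.shahed.biz 1194
nc -zuv vpn0.dev.shahed.biz 1194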

Connect

NAT Route

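vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# apply without a reboot and confirm what the kernel now reports; the output
# is kept as a comment so this listing can be pasted as-is
sudo sysctl -p
# net.ipv4.ip_forward = 1

# the interface and gateway the MASQUERADE rule in before.rules must match
ip route | grep default
# default via 10.19.83.1 dev wlan0 proto dhcp src 10.19.83.103 metric 303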

sudo vim /etc/ufw/before.rules
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Start OpenVPN Rules
# NAT table rules
# This *nat table goes ABOVE the existing *filter table; every table ends with
# its own COMMIT.
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlan0
# Source-NAT everything from the tunnel subnet (pivpnNET / the "server" line in
# server.conf) to the Pi's own address on the default-route interface from
# "ip route", so LAN hosts need no return route to 10.20.30.0/24.
# Nothing here limits what clients may reach; that is decided by the FORWARD
# policy and the "ufw route" rules, which therefore must not be left wide open.
-A POSTROUTING -s 10.20.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
# End OpenVPN Rules

# Don't delete these required lines, otherwise there will be errors
*filter

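vim /etc/ufw/sysctl.conf
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
# IPv6 is off for this VPN (pivpnenableipv6=0 in setupVars.conf), so nothing
# legitimately needs v6 forwarding; turning it on only makes the Pi a v6
# router for whatever reaches it. Enable these only when the tunnel is given
# an IPv6 range and matching v6 forward rules.
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1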

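sudo vim /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
# ACCEPT forwards between *every* interface unconditionally (LAN <-> VPN <->
# anything else that shows up). Keep DROP and allow only the path the VPN
# needs:
#   sudo ufw route allow in on tun0 out on wlan0
# which appears in "ufw status" as "Anywhere on wlan0  ALLOW FWD  Anywhere on
# tun0"; replies are matched by the ESTABLISHED,RELATED rule ufw ships.
DEFAULT_FORWARD_POLICY="DROP"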

sudo vim /lib/systemd/system/ufw.service
[Unit]
Description=Uncomplicated firewall
Documentation=man:ufw(8)
DefaultDependencies=no
Before=network.target
# Added so the ufw ruleset is loaded after netfilter-persistent has run
# (presumably the boot-order problem from the "ufw service not loaded after a
# reboot" reference). Files under /lib/systemd are overwritten on package
# upgrade; carry this line in a drop-in ("systemctl edit ufw") so it survives.
After=netfilter-persistent.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/ufw/ufw-init start quiet
ExecStop=/lib/ufw/ufw-init stop

[Install]
WantedBy=multi-user.target

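# Port 80 is only needed if this host also serves HTTP, and this rule admits
# every source (the Internet too, if the router forwards it). If the web
# server is for LAN/VPN users only, scope it instead:
#   sudo ufw allow from 10.19.83.0/24 to any port 80 proto tcp
#   sudo ufw allow from 10.20.30.0/24 to any port 80 proto tcp
sudo ufw allow http
# SSH from anywhere; restrict to the LAN and VPN ranges the same way when the
# host is reachable from outside
sudo ufw allow OpenSSH
# the one port that must be reachable from the Internet (pivpnPORT/pivpnPROTO)
sudo ufw allow 1194/udp
systemctl status ufw
# "ufw disable" followed by "ufw enable" leaves the host unfiltered in between;
# reload re-reads before.rules and /etc/default/ufw in place. (Run
# "sudo ufw enable" once if the firewall has never been enabled.)
sudo ufw reload

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server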

# Server end of the tunnel: 10.20.30.1 is the first address of pivpnNET and the
# gateway clients are pushed; the fe80:: address is link-local only. The
# quoted block is the captured output, kept inert for pasting.
ip addr show tun0
:'
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ab3a:dcac:98ba:b7a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
'

# Things to clean up in the state captured below:
#  * "10.19.83.0/24 ALLOW FWD 10.8.0.0/24" refers to the old tunnel subnet; the
#    server now uses 10.20.30.0/24 (server.conf / tun0), so the rule is dead.
#  * 22/tcp and 1194 appear three times each (bare, /udp, OpenSSH profile, and
#    again for v6); keep one rule per service so the policy stays reviewable.
#  * 80/tcp and 22/tcp are open to "Anywhere", i.e. also to the Internet if the
#    router forwards them; scope them to the LAN/VPN ranges where possible.
#  * "allow (routed)" is DEFAULT_FORWARD_POLICY=ACCEPT: the host forwards
#    between all interfaces, not only tun0 -> wlan0.
# Delete stale rules by number: "ufw status numbered", then "ufw delete <n>".
ufw status verbose
: <<'EOC'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
1194                       ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
1194/udp                   ALLOW IN    Anywhere                  
22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
1194 (v6)                  ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
1194/udp (v6)              ALLOW IN    Anywhere (v6)             
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)             

Anywhere on wlan0          ALLOW FWD   Anywhere on tun0          
10.19.83.0/24              ALLOW FWD   10.8.0.0/24               
Anywhere (v6) on wlan0     ALLOW FWD   Anywhere (v6) on tun0 
EOC

# numbered view is what "ufw delete <n>" refers to
ufw status numbered
ufw status

Ubuntu Client

# Refresh the index, show what would be upgraded, upgrade, then pull in the
# tools the repository setup that follows needs (curl, gnupg, https transport).
# The quoted delimiter keeps the commands literal until root's bash runs them.
sudo bash <<-'EXE'
apt-get update
echo
apt list -a --upgradable
apt-get upgrade -y
apt-get install -y apt-transport-https ca-certificates gnupg curl software-properties-common
EXE

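# /etc/apt/keyrings exists only on apt >= 2.4 (Ubuntu 22.04+); create it on
# older releases so the key write below cannot silently fail
sudo install -d -m 0755 /etc/apt/keyrings
# Write the signing key straight to the keyring: with "curl | sudo tee" a
# failed download still leaves an empty key file behind that apt will then
# reject at update time.
sudo curl -fsSL -o /etc/apt/keyrings/openvpn2.asc \
  https://swupdate.openvpn.net/repos/repo-public.gpg

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# signed-by pins this source to the key above; fetching the index over https
# additionally hides which packages are pulled from on-path observers.
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn2.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn2.asc] https://build.openvpn.net/debian/openvpn/release/2.6 ${DISTRIBUTION} main
EOF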
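# /etc/apt/keyrings exists only on apt >= 2.4 (Ubuntu 22.04+); create it on
# older releases so the key write below cannot silently fail
sudo install -d -m 0755 /etc/apt/keyrings
# Write the signing key straight to the keyring: with "curl | sudo tee" a
# failed download still leaves an empty key file behind that apt will then
# reject at update time.
sudo curl -fsSL -o /etc/apt/keyrings/openvpn3.asc \
  https://packages.openvpn.net/packages-repo.gpg

DISTRIBUTION=$(. /etc/os-release && echo "${VERSION_CODENAME}")
# signed-by pins this source to the key above; the list entry is kept on one
# line so the unquoted heredoc does not depend on backslash continuation.
cat << EOF | sudo tee /etc/apt/sources.list.d/openvpn3.list >/dev/null
deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn3.asc] https://packages.openvpn.net/openvpn3/debian ${DISTRIBUTION} main
EOF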

# Install the OpenVPN 2.x client from the repository added above and print the
# version actually installed.
sudo bash <<-'EXE'
apt-get update
echo
apt list -a --upgradable
apt-get upgrade -y
apt-get install -y openvpn
openvpn --version
EXE
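# Install the OpenVPN 3 Linux client. Its package provides the "openvpn3"
# command, not "openvpn", so the version check must use the openvpn3 CLI
# (the old "openvpn --version" only worked if the 2.x package was also present).
sudo bash <<-'EXE'
apt-get update
echo
apt list -a --upgradable
apt-get upgrade -y
apt-get install -y openvpn3
openvpn3 version
EXE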

# Import the profile into the openvpn3 configuration manager under a friendly
# name; the .ovpn (with its embedded key) is read from the user's ovpns dir.
openvpn3 config-import --name vpn.chorke.org --config ~/ovpns/chorke_ceo.ovpn

# Imported profiles can be listed, and removed by name, by original path, or
# by their D-Bus object path.
openvpn3 configs-list
openvpn3 config-remove --config vpn.chorke.org
openvpn3 config-remove --config ~/ovpns/chorke_ceo.ovpn
openvpn3 config-remove --path /net/openvpn/v3/configuration/65c57d54xbd4fx40aex9819x47ba0803d7c5
# Start a tunnel from an imported profile name, or directly from a .ovpn file.
openvpn3 session-start --config vpn.chorke.org
openvpn3 session-start --config ~/ovpns/chorke_ceo.ovpn

# Running sessions can be listed and disconnected by profile name, by file
# path, or by their D-Bus session path.
openvpn3 sessions-list
openvpn3 session-manage --disconnect --config vpn.chorke.org
openvpn3 session-manage --disconnect --config ~/ovpns/chorke_ceo.ovpn
openvpn3 session-manage --disconnect --path /net/openvpn/v3/sessions/dab84ba8s3678s41d5saa61sf1515ffa690c

[Unit]
Description=vpn.chorke.org
# network.target does not imply connectivity; a client unit that must dial out
# is usually ordered After=network-online.target with Wants= -- TODO confirm
After=network.target

[Service]
Type=simple
# no RestartSec: a profile that fails immediately (bad path, revoked cert)
# restarts in a tight loop until systemd's start limit trips
Restart=always
# openvpn runs as root here and reads its profile from a user's home directory,
# so whoever can write /home/academia/ovpns controls a root process (a profile
# may set script-security and up/down scripts). Keep the profile outside
# user-writable paths, root-owned, mode 0600 (e.g. /etc/openvpn/client/).
WorkingDirectory=/home/academia/ovpns
# resolved relative to WorkingDirectory; presumably a profile file literally
# named "vpn.chorke.org" (the openvpn3 profile *name* above is not a file)
ExecStart=/usr/sbin/openvpn --config vpn.chorke.org

[Install]
WantedBy=multi-user.target

Linux Service

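# Install the client unit. The delimiter is quoted so nothing in the unit text
# is expanded by the shell that writes it, and tee's output goes to /dev/null
# (">>" on /dev/null was harmless but meaningless).
cat <<'EOF' | sudo tee /etc/systemd/system/academia-vpn-dev.service >/dev/null
[Unit]
Description=Academia OpenVPN Dev Client
# wait for actual connectivity, not merely for the network stack to be up
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
Restart=always
# back off instead of hammering an unreachable server in a tight loop
RestartSec=5
# The profile embeds the client key and is read by a root process: it must not
# live in a directory the login user can write to. Move it to a root-owned,
# mode-0600 location (e.g. /etc/openvpn/client/) and point WorkingDirectory
# there -- the user's home is kept here only to match the page's layout.
WorkingDirectory=/home/shahed/ovpns
ExecStart=/usr/sbin/openvpn --config academia-vpn-dev.ovpn

[Install]
WantedBy=multi-user.target
EOF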
# pick up the freshly written unit file
sudo systemctl daemon-reload

# enable at boot and start now / disable at boot and stop now
sudo systemctl enable --now academia-vpn-dev
systemctl status academia-vpn-dev

sudo systemctl disable --now academia-vpn-dev
systemctl status academia-vpn-dev

# restart / stop without touching the boot enablement
sudo systemctl restart academia-vpn-dev
systemctl status academia-vpn-dev

sudo systemctl stop academia-vpn-dev
systemctl status academia-vpn-dev

Knowledge

# firewall and listening-socket overview
ufw status
netstat -a
netstat -lpn

# PiVPN client lifecycle: issue, list, revoke (updates crl.pem), uninstall
pivpn add
pivpn list
pivpn revoke
pivpn -u    # uninstall

# diagnostic tooling used elsewhere on this page
apt install ufw
apt install nmap
apt install telnet
apt list --installed
# is openvpn bound to its UDP socket, and what is it logging?
netstat -uap | grep openvpn
tail -f /var/log/openvpn.log
nano /etc/openvpn/server.conf

# port scans from the outside (TCP connect scan, then UDP)
nmap -sT vpn0.dev.shahed.biz
nmap -sU vpn0.dev.shahed.biz

# UDP "connections" to the VPN port: nc cannot confirm a listener over UDP,
# so read the server log alongside these
nc -uv 10.20.13.1 1194
nc -uv 10.19.83.103 1194
nc -uv 10.19.83.203 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194

# TCP reachability checks
telnet localhost 1194
telnet nas0.dev.shahed.biz 80
telnet nas0.dev.shahed.biz 1194

# --- teardown (destructive) ---
rm -f /etc/openvpn/pki/reqs/dev.shahed.biz.req
apt purge openmediavault-openvpn
rm -rf /opt/EasyRSA-v3.0.6/
# This removes the CA private key, every issued client certificate and the
# CRL; afterwards all distributed .ovpn profiles are dead and a new CA has to
# be created. Keep an offline copy of /etc/openvpn/easy-rsa/pki first unless
# that is the intent.
rm -rf /etc/openvpn/


# runtime toggles, not persisted (see /etc/sysctl.conf under NAT Route)
sysctl -w net.ipv4.ip_forward=1
# Disabling TCP window scaling caps the receive window at 64 KiB and hurts
# throughput; it is only a diagnostic for a broken middlebox -- presumably a
# debugging leftover, verify before keeping it.
sysctl -w net.ipv4.tcp_window_scaling=0
# Static route to the tunnel subnet for another LAN host (net-tools syntax;
# iproute2 equivalent: ip route add 10.20.30.0/24 via <gw> metric 1).
# NOTE(review): the next hop here is the router 10.19.83.1; unless the router
# itself routes 10.20.30.0/24, it should be the VPN server 10.19.83.103 --
# confirm.
route add -net 10.20.30.0/24 gw 10.19.83.1 metric 1

# Identify the Raspberry Pi model (both device-tree paths expose the same
# string; echo adds the newline the file lacks), then firmware and CPU details.
cat /sys/firmware/devicetree/base/model; echo
cat /proc/device-tree/model; echo
/opt/vc/bin/vcgencmd version
cat /proc/cpuinfo

References