OpenVPN: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
Line 174: Line 174:
# Don't delete these required lines, otherwise there will be errors
# Don't delete these required lines, otherwise there will be errors
*filter
*filter
</source>
vim /etc/ufw/sysctl.conf
<source lang="ini" line start="9" highlight="2-4">
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
</source>
</source>



Revision as of 12:11, 28 November 2022

Let’s say you have an old dedicated server without AES-NI and you need 200 devices connected to it, but they only route traffic for a web server and a file server on your private network, and about 50% will be actively using the connection, and 50% will be idling, at any given time. As in the previous example this will of course vary somewhat as some users are working on other tasks and alternate this with retrieving files and data through the VPN tunnel. Let’s say you want to make sure each active users will have 10Mbps available, and let’s again assume they actually have that bandwidth on their Internet connection.
100 active users times 10Mbps is 1000Mbps or 1Gbps. Most systems nowadays have this by default, even servers that are several years old. 1000Mbps time 40MHz is about 40000MHz or 40GHz. Older servers with a dual octa-core setup with 2.5GHz will be able to get you to those requirements. With 200 connected devices in this example you would need about 2GB of memory, a fairly low amount.

PiVPN

curl -L https://install.pivpn.io | bash

Server

nano /etc/openvpn/server.conf
: <<'END_COMMENT'
dev tun
proto udp4
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.crt
key /etc/openvpn/easy-rsa/pki/private/pi03_ca27deca-6db9-49de-98c8-f6d1fd57c9be.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN dev.shahed.biz"
push "dhcp-option DNS 10.19.83.100"
push "dhcp-option DNS 10.19.83.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "route 10.19.83.0 255.255.255.0"
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
# DuplicateCNs allow access control on a less-granular, per user basis.
# Remove # if you will manage access by user instead of device. 
# duplicate-cn
# Generated for use by PiVPN.io
END_COMMENT
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh1024.pem 1024
openssl dhparam -out /etc/openvpn/easy-rsa/pki/dh2048.pem 2048
sudo systemctl start  [email protected]
sudo systemctl status [email protected]

Client

vim /etc/openvpn/server.conf 
vim /etc/pivpn/openvpn/setupVars.conf

pivpn add
: <<'END_COMMENT'
::: Create a client ovpn profile, optional nopass
:::
::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-b|--bitwarden] [-i|--iOS] [-o|--ovpn] [-h|--help]
:::
::: Commands:
:::  [none]               Interactive mode
:::  nopass               Create a client without a password
:::  -n,--name            Name for the Client (default: 'pi03')
:::  -p,--password        Password for the Client (no default)
:::  -d,--days            Expire the certificate after specified number of days (default: 1080)
:::  -b,--bitwarden       Create and save a client through Bitwarden
:::  -i,--iOS             Generate a certificate that leverages iOS keychain
:::  -o,--ovpn            Regenerate a .ovpn config file for an existing client
:::  -h,--help            Show this help dialog

Enter a Name for the Client:  ios   
How many days should the certificate last?  1080
Enter the password for the client:  
Enter the password again to verify:  
spawn ./easyrsa build-client-full ios

--more-skipped--

========================================================
Done! ios.ovpn successfully created! 
ios.ovpn was copied to:
  /home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
END_COMMENT
ls -lah /home/pi/ovpns/*.ovpn
ls -lah /etc/openvpn/easy-rsa/pki/reqs/*.req
ls -lah /etc/openvpn/easy-rsa/pki/issued/*.crt
ls -lah /etc/openvpn/easy-rsa/pki/private/*.key
stat -c '%a %n' /home/pi/ovpns/*.ovpn
chmod 644       /home/pi/ovpns/*.ovpn
chmod 640       /home/pi/ovpns/*.ovpn
stat -c '%a %n' /home/pi/ovpns/*.ovpn

ln -s /home/pi/ovpns/shahed_note.ovpn\
 /var/shahed/www/vpn.shahed.biz/docs/comn/ovpns/shahed_note.ovpn

https://vpn.shahed.biz/docs/comn/ovpns/

Debug

mkdir /etc/openvpn/ccd
systemctl restart openvpn
tail -f /var/log/openvpn.log
sysctl -w net.ipv4.ip_forward=1

nc -uv 10.20.13.1 1194
nc -uv 10.19.83.103 1194
nc -uv 10.19.83.203 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194

Connect

NAT Routing

vim /etc/sysctl.conf
net.ipv4.ip_forward=1

sudo sysctl -p
net.ipv4.ip_forward = 1

ip route | grep default
default via 10.19.83.1 dev wlan0 proto dhcp src 10.19.83.103 metric 303
sudo vim /etc/ufw/before.rules
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Start OpenVPN Rules
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlan0
-A POSTROUTING -s 10.20.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
# End OpenVPN Rules

# Don't delete these required lines, otherwise there will be errors
*filter
vim /etc/ufw/sysctl.conf
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
sudo vim /etc/default/ufw
# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
ip addr show tun0
:'
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ab3a:dcac:98ba:b7a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
'

Firewall

vim /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
vim /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
ufw allow from 10.8.0.0/24 to any port 22 proto tcp
ufw allow from 10.8.0.0/24 to any port 22/tcp
ufw allow ssh

ufw allow from 10.8.0.0/24 to any port 80 proto tcp
ufw allow from 10.8.0.0/24 to any port 80/tcp
ufw allow http

ufw route allow in on tun0 out on wlan0
ufw route allow in on tun0 out on eth0
ufw allow 1194
ufw delete allow from 10.8.0.0/24 to any port 80
ufw status numbered
ufw delete 6
systemctl status ufw
ufw status verbose
ufw disable
ufw enable
ufw status

Knowledge

pivpn add
pivpn list
pivpn revoke
pivpn -u # uninstall

apt install ufw
apt install nmap
apt install telnet
apt list --installed

ufw status
netstat -a
netstat -lpn
nmap -sT vpn0.dev.shahed.biz
nmap -sU vpn0.dev.shahed.biz

nc -uv 10.20.13.1 1194
nc -uv 10.19.83.103 1194
nc -uv 10.19.83.203 1194
nc -uv vpn.shahed.biz 1194
nc -uv vpn0.dev.shahed.biz 1194

netstat -uap|grep openvpn
tail -f /var/log/openvpn.log
nano /etc/openvpn/server.conf

telnet localhost 1194
telnet nas0.dev.shahed.biz 80
telnet nas0.dev.shahed.biz 1194

rm -f /etc/openvpn/pki/reqs/dev.shahed.biz.req
apt purge openmediavault-openvpn
rm -rf /opt/EasyRSA-v3.0.6/
rm -rf /etc/openvpn/

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.tcp_window_scaling=0
route add -net 10.8.0.0/24 gw 10.19.83.1 metric 1

References