OpenVPN

From Elvanör's Technical Wiki

OpenVPN Setup

  • A basic configuration is easy to set up. You can just follow guides / the official documentation.
  • ChatGPT is also very useful to provide a setup guide, instructions and configuration files.

Generic server setup

  • You need to make sure IP forwarding is enabled. You can do this by running sysctl -w net.ipv4.ip_forward=1 or making it permanent by editing /etc/sysctl.conf and setting
net.ipv4.ip_forward = 1
  • You also need a NAT (masquerade) rule for the VPN subnet on the outbound interface (here 10.100.0.0/24 and eno0; adjust both to your setup):
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eno0 -j MASQUERADE
  • If you need to connect simultaneously with the same certificate / user (e.g. having multiple simultaneous connections on the same VPN server), you need to add this to your configuration:
duplicate-cn

Setting up OpenVPN server on Rocky Linux

  • Install required software:
dnf install -y epel-release
dnf install -y openvpn easy-rsa
  • Generating keys and certificates:
mkdir -p ~/openvpn-ca
cd ~/openvpn-ca
cp -r /usr/share/easy-rsa/* .
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
cp pki/private/server.key /etc/openvpn/server/
cp pki/issued/server.crt /etc/openvpn/server/
cp pki/ca.crt /etc/openvpn/server/
./easyrsa gen-dh
cp pki/dh.pem /etc/openvpn/server/
openvpn --genkey --secret /etc/openvpn/server/ta.key
./easyrsa gen-req CLIENT_NAME nopass
./easyrsa sign-req client CLIENT_NAME
  • Configuration file (be careful, ChatGPT forgot the topology subnet part):
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
# tls-crypt takes no key-direction argument (that is a tls-auth parameter); the client must use tls-crypt as well
tls-crypt /etc/openvpn/server/ta.key
server 10.8.0.0 255.255.255.0
# without this, clients get the legacy net30 /30 addressing instead of one address each
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
# compression leaks plaintext structure (VORACLE); drop it unless you really need it
compress lz4-v2
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
  • Set up the firewall and launch OpenVPN:
# openvpn@server expects /etc/openvpn/server.conf; if the file lives in /etc/openvpn/server/server.conf, use openvpn-server@server instead
systemctl enable --now openvpn@server
firewall-cmd --add-masquerade --permanent
firewall-cmd --add-port=1194/udp --permanent   # redundant with the openvpn service below, but harmless
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --reload
  • Check your firewall rules if the client can connect to the OpenVPN server but cannot ping any host (except the server). In my case, the default policy for the FORWARD chain was DROP (unsure why, maybe because of a Docker daemon running on the same host, but a reboot made that disappear). Useful commands:
iptables -t nat -L -n -v   # the packet counter should increase on a rule that looks like:
#  1198  202K MASQUERADE  all  --  *      enp5s0  10.8.0.0/24          0.0.0.0/0
iptables -L FORWARD -v -n --line-numbers   # check that the chain does not have a default DROP policy

Setting up OpenVPN client on Gentoo Linux

  • Copy these files to the client (make sure they match correctly):
/etc/openvpn/server/ca.crt
/etc/openvpn/server/ta.key
CLIENT_NAME.crt
CLIENT_NAME.key
  • Use the following configuration file:
client
dev tun
proto udp
remote <VPN_SERVER_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca /etc/openvpn/SERVERHOST_NAME/ca.crt
cert /etc/openvpn/SERVERHOST_NAME/CLIENT_NAME.crt
key /etc/openvpn/SERVERHOST_NAME/CLIENT_NAME.key
# must match the server: tls-crypt (no key direction), not tls-auth
tls-crypt /etc/openvpn/SERVERHOST_NAME/ta.key
# only accept a certificate issued for server use, so another client's certificate cannot pose as the server
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
compress lz4-v2
verb 3
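Because the server and client configuration files above have to agree on several settings, here is an added example (not from this wiki or from the OpenVPN project) that parses two configs and reports the mismatches this page trips over: tls-crypt on one side and tls-auth on the other, a stray key-direction argument, a missing "topology subnet", and differing cipher/auth/compress or port/proto. The sample configs and the 203.0.113.10 address are constructed.

```python
# Added example, not from the wiki page: check an OpenVPN server config against a client
# config for the mismatches this page trips over (tls-crypt vs tls-auth, topology, cipher, port).

def parse(text):
    """Directive -> argument list (first occurrence wins); '#' and ';' start comments, as in OpenVPN."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = line.split()
            conf.setdefault(words[0], words[1:])
    return conf

def check(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    # Control-channel protection must be the same mechanism on both ends.
    s_mech = next((k for k in ("tls-crypt", "tls-auth") if k in s), None)
    c_mech = next((k for k in ("tls-crypt", "tls-auth") if k in c), None)
    if s_mech != c_mech:
        problems.append(f"control channel: server uses {s_mech}, client uses {c_mech}")
    if s_mech == "tls-crypt" and (len(s[s_mech]) > 1 or len(c.get("tls-crypt", [])) > 1):
        problems.append("tls-crypt takes no key-direction argument")
    if s_mech == c_mech == "tls-auth" and (s[s_mech][1:], c[c_mech][1:]) != (["0"], ["1"]):
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # Data-channel parameters and device type the two sides must agree on.
    for key in ("cipher", "auth", "compress", "dev"):
        if s.get(key) != c.get(key):
            problems.append(f"{key}: server {s.get(key)} vs client {c.get(key)}")
    if s.get("topology") != ["subnet"]:
        problems.append("server lacks 'topology subnet'")
    remote = c.get("remote", [])
    port = remote[1] if len(remote) > 1 else "1194"
    if port != s.get("port", ["1194"])[0] or c.get("proto", ["udp"]) != s.get("proto", ["udp"]):
        problems.append("client 'remote'/'proto' does not match the server's port/proto")
    if "remote-cert-tls" not in c:
        problems.append("client lacks 'remote-cert-tls server' (another client's cert would pass as the server)")
    return problems

# Constructed samples: the wiki's server/client pair as originally written, then a corrected pair.
SERVER = ("port 1194\nproto udp\ndev tun\ntls-crypt ta.key 0\nserver 10.8.0.0 255.255.255.0\n"
          "cipher AES-256-CBC\nauth SHA256\ncompress lz4-v2\n")
CLIENT = ("client\ndev tun\nproto udp\nremote 203.0.113.10 1194\ntls-auth ta.key 1\n"
          "cipher AES-256-CBC\nauth SHA256\ncompress lz4-v2\n")
FIXED_SERVER = SERVER.replace("tls-crypt ta.key 0", "tls-crypt ta.key") + "topology subnet\n"
FIXED_CLIENT = CLIENT.replace("tls-auth ta.key 1", "tls-crypt ta.key") + "remote-cert-tls server\n"

if __name__ == "__main__":
    print(check(SERVER, CLIENT), check(FIXED_SERVER, FIXED_CLIENT), sep="\n")
```

Run it against your real files with `check(open("server.conf").read(), open("client.conf").read())`; the wiki pair yields four findings and the corrected pair none.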