===== OpenVPN with a 6in4 tunnel =====

\\
==== Server installation ====

Install the packages:

<code bash>
sudo apt install openvpn easy-rsa
</code>

Copy an example config file:

<code bash>
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | \
  sudo tee /etc/openvpn/server.conf
</code>

==== Main server configuration ====

<file bash /etc/openvpn/server.conf>
# Listen on UDP port 1194
port 1194
proto udp
## The last proto line wins; on Linux udp6 binds a dual-stack socket, so IPv4 clients can still connect
proto udp6

# Use a tun device and push an IPv6 tunnel to clients
dev tun

# Certificate settings
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# Create subnets for the clients
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8::/64

# Client config directory
client-config-dir ccd

# Have all traffic go through the VPN
push "redirect-gateway def1 bypass-dhcp"
## OpenDNS is used in this example, but anything reachable by the VPN server will work
push "dhcp-option DNS 2620:0:ccc::2"
push "dhcp-option DNS 2620:0:ccd::2"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Allow direct client-to-client connections
client-to-client

# Ping every 10 seconds, assume disconnect after 120 seconds
keepalive 10 120

# TLS parameters
## This is the server
tls-auth ta.key 0
key-direction 0
## Use strong ciphers
cipher AES-256-CBC
auth SHA512

# Run the daemon with minimal privileges
user nobody
group nogroup
persist-key
persist-tun

# Logging settings
status openvpn-status.log
verb 3
explicit-exit-notify 1
</file>

\\
==== Networking configuration ====

Allow packet forwarding and enable the IPv6 neighbour discovery proxy:

<file bash /etc/sysctl.conf>
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
</file>

Load the kernel parameters:

<code bash>
sudo sysctl -p
</code>

\\
=== SLAAC ===

If your server gets its IPv6 configuration through SLAAC, also do this (a forwarding host ignores router advertisements unless ''accept_ra'' is set to 2):

<file bash /etc/sysctl.conf>
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
net.ipv6.conf.eth0.accept_ra=2
</file>

Load the kernel parameters:

<code bash>
sudo sysctl -p
</code>

\\
=== Firewall rules ===

Allow masquerading for the OpenVPN subnet:

<file bash /etc/ufw/before.rules>
# OpenVPN
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
COMMIT
</file>

<file bash /etc/ufw/before6.rules>
# OpenVPN
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 2001:db8::/32 -o eth0 -j MASQUERADE
COMMIT
</file>

Allow forwarding of traffic from the tun0 interface, allow incoming connections on UDP port 1194, and restart the firewall:

<code bash>
sudo ufw route allow in on tun0 out on eth0
sudo ufw allow 1194/udp
sudo ufw disable && sudo ufw enable
</code>

\\
==== Setting up your own certificate authority ====

Create a working directory:

<code bash>
make-cadir openvpn-ca
cd openvpn-ca/
</code>

Fill in these variables as desired (saves time when answering the prompts):

<file bash openvpn-ca/vars>
set_var KEY_COUNTRY="..."
set_var KEY_PROVINCE="..."
set_var KEY_CITY="..."
set_var KEY_ORG="..."
set_var KEY_EMAIL="..."
set_var KEY_OU="..."
</file>

Initialize the directory:

<code bash>
./easyrsa init-pki
</code>

Build a certificate authority:

<code bash>
./easyrsa build-ca nopass
</code>

Build a server certificate and key called ''server'':

<code bash>
./easyrsa build-server-full server nopass
</code>

Generate Diffie-Hellman parameters:

<code bash>
./easyrsa gen-dh
</code>

Generate a pre-shared key for ''tls-auth'':

<code bash>
/usr/sbin/openvpn --genkey secret pki/ta.key
</code>

Copy the generated keys to the server configuration directory:

<code bash>
cd pki/
# Note: server.conf does not reference ca.key; only the CA directory (openvpn-ca/pki) needs it to sign and revoke certificates
sudo cp ca.crt private/ca.key issued/server.crt private/server.key ta.key dh.pem /etc/openvpn/
# server.conf expects the DH parameters under the name dh2048.pem
sudo cp dh.pem /etc/openvpn/dh2048.pem
</code>

Restart the server:

<code bash>
sudo systemctl daemon-reload
sudo systemctl restart openvpn@server.service
</code>

\\
==== Creating configuration files automatically ====

Create a working directory next to ''openvpn-ca'':

<code bash>
cd ../../
mkdir -p client-configs/files/
cd client-configs/
</code>

\\
=== Client configuration ===

Add a base configuration file for your clients:

<file bash base.conf>
# Specify that we are a client
client

# Use the same setting as you are using on the server
dev tun

# Connect to the server on UDP port 1194
proto udp
remote vpn.quietlife.nl 1194

# Run the daemon with minimal privileges
user nobody
group nogroup

# Unset these defaults (certificates will be provided by the .ovpn file)
#ca ca.crt
#cert client.crt
#key client.key

# Use strong ciphers
cipher AES-256-CBC
auth SHA512

# This is the client
key-direction 1

# Run these scripts after connecting (sets up DNS)
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .
</file>

\\
=== Build script ===

Add a configuration build script:

<file bash make_config.sh>
#!/bin/bash
KEY_DIR=../openvpn-ca/pki
OUTPUT_DIR=./files
BASE_CONFIG=./base.conf

# Stop if the client certificate or key does not exist; cat would otherwise
# continue and write an .ovpn with an empty inline block
for f in "${KEY_DIR}/issued/${1}.crt" "${KEY_DIR}/private/${1}.key"; do
    [ -f "$f" ] || { echo "missing ${f}" >&2; exit 1; }
done

# Inline the CA certificate, client certificate, client key and tls-auth key
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/issued/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/private/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
</file>

Make it executable:

<code bash>
chmod 750 ./make_config.sh
</code>

\\
==== Generating client certificates and configurations ====

Build a client certificate with a password (omitting ''nopass'' makes easy-rsa prompt for one):

<code bash>
cd openvpn-ca/
./easyrsa build-client-full $name
</code>

Create a client configuration file:

<code bash>
cd ../client-configs/
./make_config.sh $name
</code>

The resulting configuration will be in ''client-configs/files/$name.ovpn''. Copy this to your client with SFTP (it contains the client's private key). Repeat as many times as desired.

\\
=== Generation script ===

Go back to your home directory:

<code bash>
cd ~
</code>

You can also use a script to automatically generate certificates and configurations:

<file bash openvpn_generator.sh>
#!/bin/bash
root=~
name=$1

# Build the client certificate without a password
cd "$root/openvpn-ca/"
./easyrsa build-client-full "$name" nopass

# Bundle it into an .ovpn file
cd "$root/client-configs/"
./make_config.sh "$name"
echo "Generated $root/client-configs/files/$name.ovpn"
exit 0
</file>

Make it executable:

<code bash>
chmod 750 ./openvpn_generator.sh
</code>

\\
==== Revoking a client certificate ====

Revoke the certificate and regenerate the certificate revocation list:

<code bash>
cd openvpn-ca/
./easyrsa revoke $name
./easyrsa gen-crl
</code>

Copy the revocation list to the server configuration directory:

<code bash>
sudo cp ./pki/crl.pem /etc/openvpn/
</code>

Make sure that the OpenVPN server configuration file contains this line, otherwise the server never checks the list:

<file bash /etc/openvpn/server.conf>
crl-verify crl.pem
</file>

Then restart the server:

<code bash>
sudo systemctl restart openvpn@server
</code>

\\
==== Client installation ====

<code bash>
sudo apt install network-manager-openvpn-gnome
</code>

Then simply import the ''.ovpn'' file with NetworkManager.

----
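The build script in the "Build script" section concatenates files without checking the result, so a missing certificate or key in ''openvpn-ca/pki'' silently yields an .ovpn with an empty inline block that the client will reject or, worse, that leaks nothing but connects nowhere. The following checker is an added example, not code from the original page: it verifies that each inline block (''<ca>'', ''<cert>'', ''<key>'', ''<tls-auth>'') opens and closes exactly once and carries a PEM body, and that the directives which must agree with ''server.conf'' on this page (''cipher AES-256-CBC'', ''auth SHA512'', ''key-direction 1'', ''client'') are present. The sample .ovpn files it builds are constructed for the demonstration, with placeholder PEM bodies and the placeholder host name ''vpn.example.invalid''; the ''broken'' sample reproduces what the unguarded build script emits when ''pki/private/NAME.key'' does not exist.

```shell
# Added example: sanity-check a generated .ovpn before copying it to a client.
# Not part of the original page; the sample files below are constructed.

# check_ovpn FILE: return 0 when FILE looks complete, 1 otherwise (reasons on stderr)
check_ovpn() {
    local file=$1 ok=0 tag opens closes directive
    for tag in ca cert key tls-auth; do
        # grep -c exits 1 on zero matches, so keep the count with || true
        opens=$(grep -c "^<${tag}>\$" "$file" || true)
        closes=$(grep -c "^</${tag}>\$" "$file" || true)
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "$file: <$tag> block opened $opens times, closed $closes times" >&2
            ok=1
            continue
        fi
        # Require a PEM body between the tags; an empty block means a file was missing at build time
        if ! sed -n "/^<${tag}>\$/,/^<\/${tag}>\$/p" "$file" | grep -q -- '-----BEGIN'; then
            echo "$file: <$tag> block has no PEM body" >&2
            ok=1
        fi
    done
    # These must match the server configuration on this page (-x: whole-line match,
    # so 'client' does not accept 'client-to-client')
    for directive in 'cipher AES-256-CBC' 'auth SHA512' 'key-direction 1' 'client'; do
        if ! grep -qx "$directive" "$file"; then
            echo "$file: missing directive '$directive'" >&2
            ok=1
        fi
    done
    return $ok
}

# write_sample good|broken: write a constructed .ovpn to a temp file and print its path.
# PEM bodies are placeholders, not real keys; the host name is a placeholder too.
write_sample() {
    local kind=$1 out
    out=$(mktemp)
    {
        printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n'
        printf 'cipher AES-256-CBC\nauth SHA512\nkey-direction 1\n'
        printf '<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n'
        printf '<cert>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</cert>\n'
        if [ "$kind" = good ]; then
            printf '<key>\n-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n</key>\n'
        else
            # what an unguarded cat-based build produces when NAME.key is missing: an empty block
            printf '<key>\n</key>\n'
        fi
        printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n</tls-auth>\n'
    } > "$out"
    echo "$out"
}

# check_sample good|broken: build the sample, check it, clean up; returns check_ovpn's verdict
check_sample() {
    local f rc
    f=$(write_sample "$1")
    if check_ovpn "$f" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Usage: sh check_ovpn.sh client-configs/files/NAME.ovpn
if [ "${1:-}" ]; then
    check_ovpn "$1" && echo "$1: OK"
fi
```

Run it against ''client-configs/files/$name.ovpn'' right after ''make_config.sh''; a non-zero exit with a reason on stderr means the file should not be handed to the client.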