===== OpenVPN with a 6in4 tunnel =====
\\
==== Server installation ====
Install the packages:
sudo apt install openvpn easy-rsa
Copy an example config file:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | \
sudo tee /etc/openvpn/server.conf
==== Main server configuration ====
# Listen on UDP port 1194
port 1194
proto udp
proto udp6
# Use a tun device and push an IPv6 tunnel to clients
dev tun
# Certificate settings
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Create subnets for the clients
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8::/64
# Client config directory
client-config-dir ccd
# Have all traffic go through the VPN
push "redirect-gateway def1 bypass-dhcp"
## OpenDNS is used in this example, but anything reachable by the VPN server will work
push "dhcp-option DNS 2620:0:ccc::2"
push "dhcp-option DNS 2620:0:ccd::2"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Allow direct client-to-client connections
client-to-client
# Ping every 10 seconds, assume disconnect after 120 seconds
keepalive 10 120
# TLS parameters
## This is the server
tls-auth ta.key 0
key-direction 0
## Use strong ciphers
cipher AES-256-CBC
auth SHA512
# Run the daemon with minimal privileges
user nobody
group nogroup
persist-key
persist-tun
# Logging settings
status openvpn-status.log
verb 3
explicit-exit-notify 1
\\
==== Networking configuration ====
Allow packet forwarding and enable the IPv6 neighbour detection proxy:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
Load the kernel parameters:
sudo sysctl -p
\\
=== SLAAC ===
If your server gets its IPv6 configuration through SLAAC, also do this:
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
net.ipv6.conf.eth0.accept_ra=2
Load the kernel parameters:
sudo sysctl -p
\\
=== Firewall rules ===
Allow masquerading for the OpenVPN subnet:
# OpenVPN
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# OpenVPN
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 2001:db8::/32 -o eth0 -j MASQUERADE
COMMIT
Allow forwarding traffic from the tun0 interface, incoming connections on UDP port 1194, and restart the firewall:
sudo ufw route allow in on tun0 out on eth0
sudo ufw allow 1194/udp
sudo ufw disable && sudo ufw enable
\\
==== Setting up your own certificate authority ====
Create a working directory:
make-cadir openvpn-ca
cd openvpn-ca/
Fill in these variables as desired (saves time):
set_var KEY_COUNTRY="..."
set_var KEY_PROVINCE="..."
set_var KEY_CITY="..."
set_var KEY_ORG="..."
set_var KEY_EMAIL="..."
set_var KEY_OU="..."
Initialize the directory:
./easyrsa init-pki
Build a certificate authority:
./easyrsa build-ca nopass
Build a server key called ''server'':
./easyrsa build-server-full server nopass
Build a Diffie-Hellman key:
./easyrsa gen-dh
Generate a pre-shared key:
/usr/sbin/openvpn --genkey secret pki/ta.key
Copy the generated keys to the server configuration directory:
cd pki/
sudo cp ca.crt private/ca.key issued/server.crt private/server.key ta.key dh.pem /etc/openvpn/
sudo cp dh.pem /etc/openvpn/dh2048.pem
Restart the server:
sudo systemctl daemon-reload
sudo systemctl restart openvpn@server.service
\\
==== Creating configuration files automatically ====
Create a working directory next to ''openvpn-ca'':
cd ../../
mkdir -p client-configs/files/
cd client-configs/
\\
=== Client configuration ===
Add a base configuration file for your clients:
# Specify that we are a client
client
# Use the same setting as you are using on the server
dev tun
# Connect to the server on UDP port 1194
proto udp
remote vpn.quietlife.nl 1194
# Run the daemon with minimal privileges
user nobody
group nogroup
# Unset these defaults (certificates will be provided by the .ovpn file)
#ca ca.crt
#cert client.crt
#key client.key
# Use strong ciphers
cipher AES-256-CBC
auth SHA512
# This is the client
key-direction 1
# Run these scripts after connecting (sets up DNS)
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .
\\
=== Build script ===
Add a configuration build script:
#!/bin/bash
KEY_DIR=../openvpn-ca/pki
OUTPUT_DIR=./files
BASE_CONFIG=./base.conf
cat ${BASE_CONFIG} \
<(echo -e '') \
${KEY_DIR}/ca.crt \
<(echo -e '\n') \
${KEY_DIR}/issued/${1}.crt \
<(echo -e '\n') \
${KEY_DIR}/private/${1}.key \
<(echo -e '\n') \
${KEY_DIR}/ta.key \
<(echo -e '') \
> ${OUTPUT_DIR}/${1}.ovpn
Make it executable:
chmod 750 ./make_config.sh
\\
==== Generating client certificates and configurations ====
Build a client certificate with password:
cd openvpn-ca/
./easyrsa build-client-full $name
Create a client configuration file:
cd ../client-configs/
./make_config.sh $name
The resulting configuration will be in ''client-configs/files/$name.ovpn''
Copy this to your client with SFTP. Repeat as many times as desired.\\
\\
=== Generation script ===
cd ~
You can also use a script to automatically generate certificates and configurations:
#!/bin/bash
root=~
name=$1
cd $root/openvpn-ca/
./easyrsa build-client-full $name nopass
cd $root/client-configs/
./make_config.sh $name
echo Generated $root/client-configs/files/$name.ovpn
exit 0
Make it executable:
chmod 750 ./openvpn_generator.sh
\\
==== Revoking a client certificate ====
Revoke the certificate:
cd openvpn-ca/
./easyrsa revoke $name
./easyrsa gen-crl
Copy the revocation list to the server configuration directory:
sudo cp ./pki/crl.pem /etc/openvpn/
Make sure that the OpenVPN server configuration file contains this line:
crl-verify crl.pem
Then restart the server:
sudo systemctl restart openvpn@server
\\
==== Client installation ====
sudo apt install network-manager-openvpn-gnome
Then simply import the ''.ovpn'' file with NetworkManager.
----