Setting up Openvpn between Pi and Ubuntu server

From MyWiki
Latest revision as of 19:52, 1 October 2015

Reference - https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

apt-get update
apt-get install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem    <<<<<-------- Change this to dh2048.pem (generated at the end of this page)

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"   <<<<------ uncomment this line

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"    <-------Uncomment these two lines
;push "dhcp-option DNS 208.67.220.220"    <--

# You can uncomment this out on
# non-Windows systems.
;user nobody             <---- Uncomment
;group nogroup           <--

In /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

Uncomplicated Firewall (ufw)

ufw allow ssh
ufw allow 1194/udp
vim /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

vim /etc/ufw/before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
 
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0. The sample server.conf hands out
# addresses from 10.8.0.0/24; the /8 below is broader than that and can be tightened to /24.
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
 
# Don't delete these required lines, otherwise there will be errors
*filter

ufw enable
To check the status of UFW
ufw status
The result should look like below

Status: active
 
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
1194/udp (v6)              ALLOW       Anywhere (v6)

Creating a Certificate Authority and Server-Side Certificate & Key

Configure and Build the Certificate Authority
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
vim /etc/openvpn/easy-rsa/vars
Edit the lines below to suit your organisation

export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="sammy@example.com"
export KEY_OU="MYOrganizationalUnit"

In the same vars file, also edit this one line shown below. For simplicity, we will use server as the key name. If you want to use a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt.

export KEY_NAME="server"

We need to generate the Diffie-Hellman parameters; this can take several minutes.

openssl dhparam -out /etc/openvpn/dh2048.pem 2048
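Added example, not from this page or the DigitalOcean tutorial: a POSIX shell audit that checks the three files edited above (server.conf, sysctl.conf and ufw's before.rules) for the required lines, treating a line still prefixed with ';' or '#' as not yet enabled. The file paths are passed as arguments, the NAT check accepts either the page's /8 or the tighter /24 mask, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# audit_openvpn_setup SERVER_CONF SYSCTL_CONF BEFORE_RULES
# Reports each required line from the walkthrough as OK or MISSING and returns
# 0 only when all are active. A line still prefixed with ';' or '#' (the
# comment markers in server.conf and sysctl.conf) counts as MISSING.
audit_openvpn_setup() {
    status=0
    # One "file|regex" per setting; the regex is anchored at line start below.
    for item in \
        "$1|dh dh2048\.pem" \
        "$1|push \"redirect-gateway def1 bypass-dhcp\"" \
        "$1|push \"dhcp-option DNS [0-9.]+\"" \
        "$1|user nobody" \
        "$1|group nogroup" \
        "$2|net\.ipv4\.ip_forward=1" \
        "$3|-A POSTROUTING -s 10\.8\.0\.0/(8|24) -o eth0 -j MASQUERADE"
    do
        file=${item%%|*}; want=${item#*|}
        if grep -Eq "^[[:space:]]*$want" "$file"; then
            printf 'OK       %s\n' "$want"
        else
            printf 'MISSING  %s\n' "$want"
            status=1
        fi
    done
    return $status
}

# write_sample DIR: constructed, half-edited copies of the three files (not the
# page's own files) so the audit has something to flag.
write_sample() {
    cat > "$1/server.conf" <<'EOF'
dh dh1024.pem
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
user nobody
group nogroup
EOF
    printf '%s\n' 'net.ipv4.ip_forward=1' > "$1/sysctl.conf"
    printf '%s\n' '-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE' > "$1/before.rules"
}

# Stand-alone run against the constructed sample; expect two MISSING lines.
dir=$(mktemp -d)
write_sample "$dir"
audit_openvpn_setup "$dir/server.conf" "$dir/sysctl.conf" "$dir/before.rules" \
    || echo "some settings from the walkthrough are not active yet"
rm -rf "$dir"
```

On a real server, run it as `audit_openvpn_setup /etc/openvpn/server.conf /etc/sysctl.conf /etc/ufw/before.rules` after the edits above.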