Pages

Wednesday, May 24, 2017

Easy OpenVPN server setup for personal use

If you need VPN to access to resources at your home/work network. This is quite easy to accomplish using OpenVPN. Many times people over-do OpenVPN installations. It is not such a big task after all. You can simply use a single client certificate and username/password authentication. Therefore you won't need to deal with creating certificates per client. It is much nicer to use passwords because of simplicity, you can use the same client ovpn file for all the clients. While you can restrict access by using separate username/password pairs

Notice that in this setup, only the traffic targeted for the network behind the VPN server (defined by `push route` in `server.conf`) will be sent over OpenVPN connection. The normal traffic will use the normal connection. This further simplifies the process because you do not have to deal with NAT setups etc. for accessing internet while connected to VPN and you will get fastest direct Internet access while connected to VPN server.

You will need to open/forward port UDP port 1194 to be able to connect to your server.

Step 1

Install OpenVPN server and `easy-rsa` packages. (these are `openvpn` and `easy-rsa` on Ubuntu)


Step 2

Execute the following commands. You can use defaults for all the fields. You will only need to say `y` for signing the certificates. The `easy-rsa` path is from Ubuntu package. You may need to adjust your paths accordingly. (Note: The # sign means you need to be "root" user when executing these commands)
# cd /etc/openvpn
# cp /usr/share/easy-rsa/* .
# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-key client1
# openvpn --genkey --secret keys/ta.key
# ./build-dh

Below is a full output of the commands when executed as an example:
# cd /etc/openvpn
# cp /usr/share/easy-rsa/* .
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/eyurtese/openvpn/keys
# ./clean-all
# ./build-ca
Generating a 2048 bit RSA private key
......................................+++
...............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
# ./build-key-server server
Generating a 2048 bit RSA private key
...............................+++
.......................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/eyurtese/openvpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until May 22 10:41:07 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key client1
Generating a 2048 bit RSA private key
.............+++
........................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/eyurtese/openvpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until May 22 10:41:47 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# openvpn --genkey --secret keys/ta.key
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................+................................................................................................................................................................................................................................+................................................+.......................................................................+..............+......................................................................................................................+........................................................................................................+................................................................................................+.................+........................+...............................................................+...............................................................................+.................................................+.................................................................................................+.............................................+..............................................................................................................................................................................................................................+.....................................................................................................................................................................................................................................................................................................................+..............................................................................................+.....................................................................................................................................................................................................................................................................................................+................................................................................................................................+..........................................................................................................................+..........................+....................................................+............................................................+........................................................................................+................................+.............................................................................+............................................................+................................................................+................................................................................................................................................................................................................................................................................................................+..............+........................+.........................+........................................+.............................................................................................................................................................+........................................................+...............................................................................................................+........................+....................................................+.............................+....................................+.........................................................................+......................................................................................................................................................................................++*++*
Step 3

Create the OpenVPN server conf file at `/etc/openvpn/server.conf`. The `push route` command tells the server to push a route to client. In this setup only the pushed route is accessed through the VPN.


port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# CHANGE TO YOUR HOME NETWORK BLOCK!
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
tls-auth keys/ta.key 0
client-cert-not-required
script-security 3
auth-user-pass-verify /etc/openvpn/checkpass.sh via-env

Step 4

Create client .ovpn file. The client program will ask username and password. The .ovpn file holds the client configuration and you will use it when connecting to the server. Clients with GUI often has an option to import the .ovpn file.

client
dev tun
remote YOUR_HOST_NAME 1194 udp
auth-user-pass
fast-io
float
explicit-exit-notify
cipher AES-256-CBC
remote-cert-tls server

PUT (COPY/PASTE) CONTENTS OF keys/ca.crt HERE


PUT (COPY/PASTE) CONTENTS OF keys/client.key HERE


PUT (COPY/PASTE) CONTENTS OF keys/client1.crt HERE


PUT (COPY/PASTE) CONTENTS OF keys/ta.key HERE

key-direction 1

Step 5

Create a password checking script at `/etc/openvpn/checkpass.sh` this is a simple script which uses plaintext passwords. You have to make sure to give execute permission to the script, eg. 755, otherwise OpenVPN server would not start. Using plaintext passwords is not a problem as long as you have the password file secure on your openvpn server. The OpenVPN authentication still uses encryption.

#!/bin/bash
# :mode=shellscript
#
# Gets environment from OpenVPN and checks user:pass from file

# set > /tmp/auth-user.env

LINE=`grep ${username} /etc/openvpn/userpass.txt`
IFS=: read user pass <<< ${LINE}

if [ "${password}" == "${pass}" ]; then
  exit 0
else
  exit 1
fi


Step 6

Create the actual passwords file at `/etc/openvpn/userpass.txt` and set its owner as `nobody:nogroup` and permissions as 600. You need to define your own usernames and passwords

username1:password1inClearText
username2:password2inClearText
username3:password3inClearText

No comments:

Post a Comment