OpenVPN Quick Installation


Prepare

Tune kernel parameters (sysctl) so the host uses the BBR congestion control algorithm and forwards IPv4 traffic — forwarding is required because the VPN server routes client traffic out to the Internet:

  • /etc/sysctl.conf
# Enable IPv4 forwarding: the server routes VPN client traffic out of eth0
# (see the nftables masquerade rule further down). Note that nothing in the
# nftables ruleset on this page filters forwarded packets, so pair this with a
# forward-chain policy.
net.ipv4.ip_forward=1

# BBR congestion control, which expects the fq queue discipline as default.
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
  • Activate changes:
# Apply /etc/sysctl.conf to the running kernel (same as "sysctl -p").
sysctl --load


  • Create OpenVPN User
# Unprivileged account the openvpn process drops to after start-up
# ("user ovpnuser" / "group ovpnuser" in the server config): a system
# account, no home directory, no interactive shell.
useradd --system --no-create-home --shell /usr/sbin/nologin ovpnuser
  • Install packages
# easy-rsa provides the CA/certificate tooling used below; openvpn the daemon.
apt install easy-rsa openvpn

Configure the CA for OpenVPN

  • Copy the complete EasyRSA materials into a working area for OpenVPN:
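# Stage a private copy of easy-rsa under /etc/openvpn. The PKI — including the
# CA private key — is created inside this directory, i.e. on the VPN host
# itself; move pki/private/ca.key off the box (or keep the CA elsewhere) if
# that is not acceptable. The steps are chained with && so that a failed cd
# cannot leave the later copies running in the wrong directory.
cp -r /usr/share/easy-rsa /etc/openvpn \
  && cd /etc/openvpn/easy-rsa \
  && cp vars.example vars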
  • Set the following in ./vars (the easy-rsa settings file copied above):
# easy-rsa settings (sourced by ./easyrsa; its set_var helper does not
# override a variable that is already set in the environment).

# Key material: EC keys on secp521r1, which is also the curve the server
# config selects with "ecdh-curve secp521r1"; SHA-512 signatures.
set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE secp521r1
set_var EASYRSA_DIGEST "sha512"

# Lifetimes in days (3650 ~ 10 years) for the CA, the issued certificates and
# the CRL. With 10-year leaf certificates, revocation via CRL is the only way
# to retire a client early.
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS 3650


Initialize the public key infrastructure (PKI):

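# Initialize an empty PKI tree (pki/) inside the easy-rsa working copy.
# Written as plain commands (no shell prompts) so the snippet can be pasted.
cd /etc/openvpn/easy-rsa && ./easyrsa init-pki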


  • Workaround: pre-create these two empty files inside pki/ (some easy-rsa/OpenSSL combinations expect them to exist):
# Create both placeholder files in one go (run from /etc/openvpn/easy-rsa).
touch pki/.rnd pki/index.txt.attr


  • Create Certification Authority (CA)
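# Create the CA key and self-signed CA certificate. Without "nopass" this
# prompts for a passphrase that encrypts the CA private key
# (pki/private/ca.key). That key lives on the VPN host in this setup, and
# anyone who can read it can issue client certificates that the server
# ("ca ca.crt") will accept — so protect it. Use "build-ca nopass" only for an
# unattended or throwaway CA. You are also asked for the CA Common Name.
./easyrsa build-ca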


  • Create CSR for server0.
# Server key + CSR for "server0". nopass is fine here: the server key must be
# readable by the daemon at start-up without interaction.
./easyrsa gen-req server0 nopass
  • Sign the server0 CSR with the CA, as a server certificate:
# Issue pki/issued/server0.crt with the "server" profile (server EKU), which
# is what the client's "remote-cert-tls server" check relies on. Prompts for
# confirmation, and for the CA passphrase if the CA key has one.
./easyrsa sign-req server server0


  • Client CSR client1
# Client key + CSR for "client1". The key is unencrypted (nopass) because it
# is embedded as-is in the client profile; guard that profile accordingly.
./easyrsa gen-req client1 nopass
  • Sign the client1 CSR with the CA, as a client certificate:
# Issue pki/issued/client1.crt with the "client" profile (client EKU), which
# the server's "remote-cert-tls client" check requires.
./easyrsa sign-req client client1


  • Copy the certificates and private keys to the paths the server and client configurations reference (relative to /etc/openvpn):
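# Install the CA certificate plus the server and client certificate/key pairs
# where the configurations below expect them (paths relative to /etc/openvpn).
# The client material is only needed on the server to assemble the client
# profile; delete it here once the profile has been handed out. Private keys
# are forced to mode 0600: only root needs them (the server config drops to
# ovpnuser after start-up and uses persist-key, so the key is read once as
# root). Written as plain commands, chained with &&, so a failed cd does not
# scatter copies elsewhere.
cd /etc/openvpn/easy-rsa \
  && cp pki/ca.crt /etc/openvpn/ca.crt \
  && cp pki/issued/server0.crt pki/private/server0.key /etc/openvpn/server/ \
  && cp pki/issued/client1.crt pki/private/client1.key /etc/openvpn/client/ \
  && chmod 0600 /etc/openvpn/server/server0.key /etc/openvpn/client/client1.key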
  • Create the tls-crypt static key (shared by the server and every client):
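# Generate the tls-crypt pre-shared key in /etc/openvpn so that the server's
# "tls-crypt tls-crypt.key" resolves. The same key is pasted into every client
# profile (<tls-crypt> block), so it is a secret: whoever holds it can reach
# the TLS handshake it is meant to hide from unauthenticated peers. The
# "--genkey --secret" form is the pre-2.5 spelling and is still accepted by
# newer releases, which prefer "openvpn --genkey secret tls-crypt.key".
cd /etc/openvpn && openvpn --genkey --secret tls-crypt.key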


OpenVPN Server Configuration

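# OpenVPN server configuration. Relative paths resolve from /etc/openvpn,
# where ca.crt, server/ and tls-crypt.key were placed above.
topology subnet

# Drop root privileges after start-up. persist-key/persist-tun are what allow
# this to survive restarts (SIGUSR1): the key file and tun device cannot be
# re-opened once running as ovpnuser.
user ovpnuser
group ovpnuser
persist-key
persist-tun

# Listen on all addresses, UDP/1194. Transport and port must agree with the
# client profile ("proto udp", "remote ... 1194") and with the firewall rule
# ("udp dport openvpn"); a TCP listener here would be silently blocked by
# that rule.
local 0.0.0.0
port 1194
proto udp
dev tun

# PKI: CA, server certificate/key, and the tls-crypt key shared with clients.
ca ca.crt
cert server/server0.crt
key server/server0.key
tls-crypt tls-crypt.key
# EC-only PKI: no DH parameters; ECDH on the same curve as the certificates.
dh none
ecdh-curve secp521r1

# NOTE(review): no crl-verify is configured, so a revoked client certificate
# is still accepted. Generate a CRL ("./easyrsa gen-crl"), copy pki/crl.pem
# next to ca.crt and add "crl-verify crl.pem" — only once the file exists,
# since OpenVPN refuses to start when it is missing.

# Client address pool and the routes/DNS pushed to clients (full tunnel).
server 10.8.0.0 255.255.255.0
# NOTE(review): this file is updated while running as ovpnuser; make sure
# that user can write it, otherwise pool persistence fails with a warning.
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120

# Data channel: AES-256-GCM is AEAD, so "auth" does not apply to it (it only
# matters for non-AEAD fallbacks). On OpenVPN 2.5+ "data-ciphers AES-256-GCM"
# is the non-deprecated spelling of this choice.
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
# Only accept peers whose certificate was issued for client use (EKU check),
# so a leaked server certificate cannot be used to connect as a client.
remote-cert-tls client
remote-cert-eku "TLS Web Client Authentication"

status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3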
  • If you added or changed systemd unit files (e.g. one instance per configuration), make systemd re-read them:
# Re-read unit definitions. This does not restart OpenVPN; (re)start its
# service unit separately after changing the configuration.
systemctl daemon-reload

OpenVPN Client Configuration

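# OpenVPN client profile (.ovpn) for client1. All credentials are inlined, so
# this single file is the credential: keep it private and hand it out over a
# trusted channel.
client
dev tun
# Transport and port must match the server ("proto udp", "port 1194").
# Replace x.x.x.x with the server's public address or hostname.
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
# Same floor as the server: refuse anything below TLS 1.2.
tls-version-min 1.2

# CA certificate (pki/ca.crt) that signed the server certificate.
<ca>
-----BEGIN CERTIFICATE-----
MIIC...
-----END CERTIFICATE-----
</ca>
# client1 certificate and private key (pki/issued/client1.crt,
# pki/private/client1.key).
<cert>
-----BEGIN CERTIFICATE-----
MIIC...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIHu...
-----END PRIVATE KEY-----
</key>
# tls-crypt key generated on the server (/etc/openvpn/tls-crypt.key);
# identical on every peer.
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
6160...
-----END OpenVPN Static key V1-----
</tls-crypt>

# Only accept a server whose certificate was issued for server use (EKU
# check); together with the CA above this stops another client's certificate
# from impersonating the server.
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
cipher AES-256-GCM
auth SHA512
# Windows only (ignored on other platforms): block DNS queries that would
# bypass the tunnel.
block-outside-dns
verb 3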


nftables firewall ruleset

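table ip filter_v4 {
       chain INPUT {
               type filter hook input priority 0; policy drop;
               iif "lo" accept comment "accept loopback"
               ip protocol icmp accept comment "Allow ICMP"
               # "openvpn" resolves via /etc/services to UDP/1194, i.e. the
               # server's "port 1194" / "proto udp". Keep the three in sync.
               udp dport openvpn counter accept comment "Allow OpenVPN"
               ct state { established, related } counter accept comment "accept related connections"
               # NOTE(review): nothing above admits new SSH sessions. Loading
               # this ruleset over SSH keeps the current (established) session
               # alive but locks out every new one. If the host is administered
               # remotely, add e.g.:
               #   tcp dport ssh counter accept comment "Allow SSH"
               counter jump my_drop
       }

       # Routed traffic. With net.ipv4.ip_forward=1 and no forward-hook chain
       # the kernel would forward between any interfaces unfiltered; restrict
       # it to VPN clients going out via eth0 plus the return traffic for
       # those flows (kernel-level client-to-client traffic is dropped too).
       # iifname/oifname are used rather than iif/oif because the tun device
       # does not exist until OpenVPN is running; this assumes "dev tun"
       # comes up as tun0 and the uplink is eth0 — adjust to the real names.
       chain FORWARD {
               type filter hook forward priority 0; policy drop;
               ct state { established, related } counter accept comment "return traffic for forwarded flows"
               iifname "tun0" oifname "eth0" ip saddr 10.8.0.0/24 counter accept comment "VPN clients out via eth0"
               counter jump my_drop
       }

       chain OUTPUT {
               type filter hook output priority 0; policy drop;
               ct state { established, related, new } counter accept comment "accept all local outbound connections"
       }

       # Log-then-drop. Every dropped packet is logged, so on an
       # Internet-facing host consider adding "limit rate 10/second" to the
       # log rules to keep the kernel log usable under a scan or flood.
       chain my_drop {
               meta l4proto icmp counter log prefix "DROP-ICMP "
               meta l4proto tcp counter log prefix "DROP-TCP "
               meta l4proto udp counter log prefix "DROP-UDP "
               drop
       }
}
table ip nat {
       chain PREROUTING {
               type nat hook prerouting priority -100; policy accept;
       }

       chain POSTROUTING {
               type nat hook postrouting priority 100; policy accept;
               # Source-NAT the VPN pool ("server 10.8.0.0 255.255.255.0")
               # when it leaves via the uplink; change eth0 if the uplink has
               # another name.
               ip saddr 10.8.0.0/24 oif "eth0" counter masquerade comment "masq for vpn"
       }
}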