Install openvpn debian 8 kimsufi

Install openvpn debian 8 kimsufi

I have taken almost all the information from the excellent post from nicolargo.

Install openvpn

sudo aptitude install openvpn
 Copy the easy-rsa files to the openvpn folder
sudo cp -a /usr/share/easy-rsa /etc/openvpn/
sudo chown -R $USER /etc/openvpn/easy-rsa/

Configuration of the openvpn server:

You can edit the following information in  /etc/openvpn/easy-rsa/vars if you wish
export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="your city"
export KEY_ORG="yourcity.com"
export KEY_EMAIL="yourcity@yourcity.co.uk"
We will then generate the keys (.key) and the certificates (.crt)
cd /etc/openvpn/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
sudo openvpn --genkey --secret keys/ta.key
Then, we copy the keys and the certificates that will be used by the server in /etc/openvpn/
sudo cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh2048.pem /etc/openvpn/
After that, we create a folder  /etc/openvpn/jail in which the openvpn process will be chrotted (to limit the damage if there is a secrutity breach) and another one /etc/openvpn/clientconf in which we will place the clients configurations.
sudo mkdir /etc/openvpn/jail
sudo mkdir /etc/openvpn/jail/tmp
sudo mkdir /etc/openvpn/clientconf
Finally, we create the config file /etc/openvpn/server.conf:
# Serveur TCP/1194
mode server
proto tcp
port 1194
dev tun

# Keys and certificates
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 1
key-direction 0
cipher AES-256-CBC

# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120

# Security
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
comp-lzo

# Log
verb 3
mute 20
status openvpn-status.log
; log-append /var/log/openvpn.log

Note that lots of firewall/proxy will block port 1194. If you don’t have a https service on your server, you can change the port to 443 and easily bypass those restrictions. If you do have a https, you can use sslh to forward the openvpn trafic coming in at 443 to your openvpn service. You can have a look at one of my tutorials to see how it can be done.

We can then test that the configuration is OK:

cd /etc/openvpn
sudo openvpn server.conf

You should have something like this:

Thu Apr 21 10:56:14 2016 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Thu Apr 21 10:56:14 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Thu Apr 21 10:56:14 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Apr 21 10:56:14 2016 Diffie-Hellman initialized with 2048 bit key
Thu Apr 21 10:56:14 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Apr 21 10:56:14 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 21 10:56:14 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 21 10:56:14 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Apr 21 10:56:14 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:32:42:6e
Thu Apr 21 10:56:14 2016 TUN/TAP device tun0 opened
Thu Apr 21 10:56:14 2016 TUN/TAP TX queue length set to 100
Thu Apr 21 10:56:14 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 21 10:56:14 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Apr 21 10:56:14 2016 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Apr 21 10:56:14 2016 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Apr 21 08:56:14 2016 chroot to '/etc/openvpn/jail' and cd to '/' succeeded
Thu Apr 21 08:56:14 2016 GID set to nogroup
Thu Apr 21 08:56:14 2016 UID set to nobody
Thu Apr 21 08:56:14 2016 Listening for incoming TCP connection on [undef]
Thu Apr 21 08:56:14 2016 TCPv4_SERVER link local (bound): [undef]
Thu Apr 21 08:56:14 2016 TCPv4_SERVER link remote: [undef]
Thu Apr 21 08:56:14 2016 MULTI: multi_init called, r=256 v=256
Thu Apr 21 08:56:14 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Apr 21 08:56:14 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Apr 21 08:56:14 2016 Initialization Sequence Completed

If the server starts correctly (if you see the last line, in bold), you can uncomment the last line of /etc/openvpn/server.conf

log-append /var/log/openvpn.log

We start the server

sudo service openvpn start

We then have to enable port forwarding on the server

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

To make it permanent, we have to edit /etc/sysctl.conf and uncomment

net.ipv4.ip_forward = 1

We then have to change some IP table rules to let the trafic flow in and out of the server

# rules to open the access of the new tun0 interface:
sudo iptables -I FORWARD -i tun0 -j ACCEPT
sudo iptables -I FORWARD -o tun0 -j ACCEPT
sudo iptables -I OUTPUT -o tun0 -j ACCEPT

# address translations
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

To make sure those rules are loaded at each server’s reboot, we need to create a script that will load them at reboot:

sudo sh -c "iptables-save > /etc/iptables.rules"

We then have to modify /etc/network/interfaces. Add after the definition of your main interface (usually eth0):

pre-up iptables-restore < /etc/iptables.rules

Restart the server.

Creation of a client

Let’s say you want to create a key for nico for exemple:

cd /etc/openvpn/easy-rsa
source vars
./build-key nico

If you want to protect your key with a password, you will need to use ./build-key-pass instead of ./build-key.

./build-key will generate 3 files in /etc/openvpn/easy-rsa/keys:

  • nico.crt: client’s certificate
  • nico.csr: certificat to keep on the server
  • nico.key: Key for the client

We will then copy the keys in a new folder under /etc/openvpn/clientconf/

sudo mkdir /etc/openvpn/clientconf/nico/
sudo cp /etc/openvpn/ca.crt /etc/openvpn/ta.key keys/nico.crt keys/nico.key /etc/openvpn/clientconf/nico/

We then go in the folder

cd /etc/openvpn/clientconf/nico/

We create the client.conf file (change A.B.C.D with your public IP address):

# Client
client
dev tun
proto tcp-client
remote A.B.C.D 1194
resolv-retry infinite
cipher AES-256-CBC
; client-config-dir ccd

# Keys/certificates
ca ca.crt
cert nico.crt
key nico.key
tls-auth ta.key 1
key-direction 1

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3

We make sure that we can use it on Windows

sudo cp client.conf client.ovpn

We should therefore have the following files in /etc/openvpn/clientconf/nico/:

  • ca.crt: server’s certificate
  • client.conf: config file of OpenVpn for Linux, BSD, MacOS X
  • client.ovpn: config file of OpenVpn for Windows
  • nico.crt: client’s certificate
  • nico.key: client’s key
  • ta.key: authentification’s key

We zip all those files

sudo zip nico.zip *.*

You just need to copy those files on your machine.


Leave a Reply

Your email address will not be published. Required fields are marked *