@ZedYeung
Last active August 12, 2018 21:54
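#!/bin/bash
# Step-by-step notes for building an OpenVPN CA, server and client with EasyRSA.
# Steps labelled "CA" run on the CA machine, steps labelled "VPN server" on the
# server; the two machines exchange files through the VirtualBox shared folder
# mounted below. The notes are meant to be run step by step, not unattended:
# several steps are interactive (build-ca, sign-req, vim).
#
# CA: mount the shared folder used to exchange requests and certificates.
# https://help.ubuntu.com/community/VirtualBox/SharedFolders
# The mount point is created under the home directory so it matches the mount
# target below (the original `sudo mkdir ca_shared` only worked when the current
# directory happened to be the home directory, and root is not needed to create
# a directory in your own home).
mkdir -p ~/ca_shared
# uid/gid must be your own user and group; otherwise the mounted tree belongs to
# root:root and later reads/writes of .req/.crt files in it fail. A root-owned
# mount shows up at import time as:
#   Note: using Easy-RSA configuration from: ./vars
#   Easy-RSA error:
#   The input file does not appear to be a certificate request. Aborting import.
#   Offending file: /home/akb/ca_shared/mac.req
sudo mount -t vboxsf ca_shared ~/ca_shared -o uid=akb,gid=akb
# sudo umount ~/ca_shared

# Install OpenVPN and EasyRSA
# sudo apt install openvpn
# Download and unpack EasyRSA into ~/EasyRSA. The archive is fetched over HTTPS
# but is not otherwise verified; compare it with the signature/checksum the
# project publishes for the release before using it to build a CA.
# (The original created ./EasyRSA but extracted into ~/EasyRSA, which only
# worked when the current directory was the home directory.)
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz -O ~/EasyRSA.tgz && \
mkdir -p ~/EasyRSA && \
tar xvf ~/EasyRSA.tgz -C ~/EasyRSA --strip-components 1 && \
rm ~/EasyRSA.tgz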
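# Configuring the EasyRSA Variables and Building the CA
# CA
cd ~/EasyRSA
cp vars.example vars
# modify vars file (subject defaults used for every request/certificate)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
cd ~/EasyRSA
./easyrsa init-pki
# Interactive: prompts for the CA key passphrase and the CA common name.
./easyrsa build-ca

# Creating the Server Certificate, Key, and Encryption Files
# VPN server
# init-pki is run again here because the server keeps its own PKI directory on
# a separate machine. Do not run this line on the CA machine: it re-initialises
# (and, after a confirmation prompt, wipes) the CA's pki directory created above.
./easyrsa init-pki
# This creates a private key for the server and a certificate request called
# zed-ubuntu18.req. "nopass" leaves the key unencrypted, which the server needs
# in order to start unattended; protect the file with permissions instead.
./easyrsa gen-req zed-ubuntu18 nopass
# Copy the server key to the /etc/openvpn/ directory:
sudo cp ~/EasyRSA/pki/private/zed-ubuntu18.key /etc/openvpn/
# Transfer the server req file to the CA machine via the shared folder. gen-req
# writes the request to pki/reqs/, so copy it from there (the original copied a
# bare "zed-ubuntu18.req" from the current directory, which does not exist).
cp ~/EasyRSA/pki/reqs/zed-ubuntu18.req ~/ca_shared/

# CA
# Using a secure method (like SCP, in our example below), transfer the server.req file to your CA machine:
# scp ~/EasyRSA/pki/reqs/server.req User@your_CA_ip:/mnt/ca_shared
cd ~/EasyRSA
# import request
./easyrsa import-req ~/ca_shared/zed-ubuntu18.req zed-ubuntu18
# sign request (interactive: confirm the request, then enter the CA passphrase)
./easyrsa sign-req server zed-ubuntu18
# Transfer the signed certificate and the CA certificate back to the VPN server.
# Over the network this would be:
# scp pki/issued/server.crt User@your_server_ip:/mnt/ca_shared
# scp pki/ca.crt User@your_server_ip:/mnt/ca_shared
# With the shared folder it is a plain copy (the original only had the scp
# comments, so nothing actually reached ~/ca_shared):
cp ~/EasyRSA/pki/issued/zed-ubuntu18.crt ~/EasyRSA/pki/ca.crt ~/ca_shared/

# VPN server
# The server certificate is named after the request, zed-ubuntu18.crt, not
# server.crt (the original copied a server.crt that is never created).
sudo cp ~/ca_shared/{zed-ubuntu18.crt,ca.crt} /etc/openvpn/
cd ~/EasyRSA
# Diffie-Hellman parameters for the server; this can take a while.
./easyrsa gen-dh
# TLS-auth key shared by the server and all clients (tls-auth HMAC).
openvpn --genkey --secret ta.key
sudo cp ~/EasyRSA/ta.key /etc/openvpn/
sudo cp ~/EasyRSA/pki/dh.pem /etc/openvpn/

# Generating a Client Certificate and Key Pair
mkdir -p ~/client-configs/keys
# security: the keys directory will hold private keys, so owner-only access
chmod -R 700 ~/client-configs
cd ~/EasyRSA
# "nopass" again leaves the client key unencrypted on disk.
./easyrsa gen-req mac nopass
cp ~/EasyRSA/pki/private/mac.key ~/client-configs/keys/
# Next, transfer the req file to your CA machine using a secure method:
cp ~/EasyRSA/pki/reqs/mac.req ~/ca_shared

# CA
cd ~/EasyRSA
./easyrsa import-req ~/ca_shared/mac.req mac
./easyrsa sign-req client mac
# Transfer crt file back to the server:
cp ~/EasyRSA/pki/issued/mac.crt ~/ca_shared

# VPN server
cp ~/ca_shared/mac.crt ~/client-configs/keys/
# Next, copy the ca.crt and ta.key files to the /client-configs/keys/ directory as well:
sudo cp /etc/openvpn/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
# The two copies above are created by root and are therefore root-owned; hand
# them back to the login user so the keys directory stays usable without sudo.
sudo chown "$(id -u):$(id -g)" ~/client-configs/keys/ta.key ~/client-configs/keys/ca.crt

# Configuring the OpenVPN Service
# copy a sample OpenVPN configuration file into the config directory and then extract it to use it as a basis for your setup:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
# modify config file
sudo vim /etc/openvpn/server.conf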
# change the file name accordingly (the server certificate/key were generated
# as zed-ubuntu18 above; the paths are relative to /etc/openvpn/)
ca ca.crt
cert zed-ubuntu18.crt
key zed-ubuntu18.key # This file should be kept secret
dh dh.pem
# https://stosb.com/blog/explaining-my-configs-openvpn/
# The key direction must be 0 on the server and 1 on the clients. The sample
# server.conf sets it through the second parameter of tls-auth, as its own
# comment says ("The second parameter should be '0' on the server and '1' on
# the clients"):
# tls-auth ta.key 0 # This file is secret
# so the key direction is already set and a separate directive is not needed:
# key-direction 0
cipher AES-256-CBC
# add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:
auth SHA256
# Run the daemon as an unprivileged user/group after initialisation (the sample
# server.conf ships these two lines commented out).
user nobody
group nogroup
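# Adjusting the Server Networking Configuration
# Enable IPv4 forwarding. /etc/sysctl.conf ships the line commented out:
#   #net.ipv4.ip_forward=1
# The sed below strips the leading '#'. To undo it:
#   sudo sed -i '/net.ipv4.ip_forward=1/s/^/#/g' /etc/sysctl.conf
sudo sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
# sysctl -p writes kernel parameters, so it needs root (the original ran it
# without sudo).
sudo sysctl -p
# Your public interface is the word that follows "dev" in the default route.
# Take the first default route only, so a host with several default routes does
# not end up with a multi-word interface name inside the firewall rule below.
interface=$(ip route | awk '/^default/ {print $5; exit}')
if [[ -z "$interface" ]]; then
  printf 'could not determine the default-route interface\n' >&2
  exit 1
fi
export interface
# sudo vim /etc/ufw/before.rules
# Insert the NAT rules after line 10 of the stock before.rules, i.e. ahead of
# the *filter table. The line number assumes the distro's file layout; check the
# result with `sudo head -n 20 /etc/ufw/before.rules`. The marker comment makes
# the insert idempotent, so re-running these notes does not add the rules twice.
# NOTE(review): -s 10.8.0.0/8 masquerades the whole 10/8 range; the VPN itself
# presumably uses a single /24 (the `server` line in /etc/openvpn/server.conf),
# so a source matching that subnet would be the narrower rule — confirm there.
if ! sudo grep -q 'START OPENVPN RULES' /etc/ufw/before.rules; then
  sudo sed -i '10 a \
# START OPENVPN RULES \
# NAT table rules \
*nat \
:POSTROUTING ACCEPT [0:0] \
# Allow traffic from OpenVPN client to eth0(changeto the interface you discovered!) \
-A POSTROUTING -s 10.8.0.0/8 -o '"${interface}"' -j MASQUERADE \
COMMIT' /etc/ufw/before.rules
fi
# sudo vim /etc/default/ufw
# DEFAULT_FORWARD_POLICY="ACCEPT"
sudo sed -i '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
# Open the OpenVPN port and keep SSH reachable before re-enabling the firewall;
# enabling ufw without the OpenSSH rule can lock you out of the server.
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
# disable/enable reloads before.rules and the forward-policy change
sudo ufw disable
sudo ufw enable
# Starting and Enabling the OpenVPN Service
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
# tun0 should exist once the service is up
ip addr show tun0
sudo systemctl enable openvpn@server
# Creating the Client Configuration Infrastructure
mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
# vim ~/client-configs/base.conf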
```
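proto udp
remote your_server_ip 1194
# Drop privileges after start-up (matches the server configuration).
user nobody
group nogroup
# The CA certificate, client certificate/key and TLS-auth key are embedded
# inline by make_config.sh, so the file-based directives stay commented out.
# ca ca.crt
# cert client.crt
# key client.key
# tls-auth ta.key 1
# Second parameter of tls-auth: 0 on the server, 1 on the clients. Because the
# tls-auth key is inlined, the direction has to be given separately here.
key-direction 1
# Must match the server's cipher and auth directives.
cipher AES-256-CBC
auth SHA256
# NOTE(review): confirm that `remote-cert-tls server` (successor of the
# deprecated ns-cert-type) is still active in base.conf; it stops a client
# certificate from being accepted as the server's.
# The lines below are only needed for Linux clients that ship with an
# /etc/openvpn/update-resolv-conf file. That script uses the resolvconf utility
# to update DNS information for Linux clients.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf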
vim ~/client-configs/make_config.sh
```
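#!/bin/bash
# Build a single-file client profile (<identifier>.ovpn) by inlining the CA
# certificate, the client's certificate and key, and the TLS-auth key into a
# copy of base.conf.
#
# Arguments: $1 - client identifier (base name of the .crt/.key pair in keys/)
# Outputs:   writes ~/client-configs/files/<identifier>.ovpn
# Returns:   0 on success, 1 on a missing argument or missing input file
set -euo pipefail

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [[ $# -lt 1 || -z "$1" ]]; then
  printf 'usage: %s <client-identifier>\n' "${0##*/}" >&2
  exit 1
fi
client=$1

# Fail before writing anything if an input is missing, so a truncated profile
# is never produced.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${client}.crt" \
         "${KEY_DIR}/${client}.key" "${KEY_DIR}/ta.key"; do
  if [[ ! -r "$f" ]]; then
    printf 'missing or unreadable input: %s\n' "$f" >&2
    exit 1
  fi
done

# The profile embeds the client's private key and the TLS-auth key, so create
# it readable by the owner only.
umask 077
# printf replaces the original echo -e; the emitted text is identical.
cat "${BASE_CONFIG}" \
  <(printf '<ca>\n') \
  "${KEY_DIR}/ca.crt" \
  <(printf '</ca>\n<cert>\n') \
  "${KEY_DIR}/${client}.crt" \
  <(printf '</cert>\n<key>\n') \
  "${KEY_DIR}/${client}.key" \
  <(printf '</key>\n<tls-auth>\n') \
  "${KEY_DIR}/ta.key" \
  <(printf '</tls-auth>\n') \
  > "${OUTPUT_DIR}/${client}.ovpn"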
```
chmod 700 ~/client-configs/make_config.sh
# Generating Client Configurations
cd ~/client-configs
# Run under sudo only because ta.key and ca.crt were copied into keys/ with
# sudo and are therefore root-owned. NOTE(review): the script expands ~ from
# $HOME, so this relies on sudo keeping the invoking user's HOME — confirm on
# the target release. The generated .ovpn is root-owned either way.
sudo ./make_config.sh mac
# Troubleshooting notes
# "activation of network connection failed" (NetworkManager); the cause is in
# the system log:
# sudo tail -f /var/log/syslog
# OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
# Workaround found in the links below (added to the client profile):
# tls-cipher=DEFAULT:@SECLEVEL=0
# NOTE(review): SECLEVEL=0 switches off OpenSSL's minimum-strength checks for
# the whole TLS handshake, not only for the CA digest. "ca md too weak" means
# the CA certificate's signature digest is rejected by the client's OpenSSL;
# the safer fix is to rebuild the CA and certificates with a SHA-256 digest
# (presumably EASYRSA_DIGEST in vars) instead of lowering the security level.
# sudo nmcli connection reload
# https://askubuntu.com/questions/1043899/openvpn-on-ubuntu-18-04
# https://forums.openvpn.net/viewtopic.php?t=23979
# https://bugzilla.redhat.com/show_bug.cgi?id=1498322
# can only connect vpn internet
# https://bbs.deepin.org/forum.php?mod=viewthread&tid=155262
# About DNS, ns-cert-type
# https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn/1036209#1036209
# https://matthewtift.com/openvpn-ubuntu-1804
# https://blog.csdn.net/blackzer0/article/details/79580761