
@bufadu
Last active January 5, 2018 09:41
How to use the VyOS OpenVPN client with a Scaleway OpenVPN server

In this howto I set up a VPN between a VyOS gateway and an OpenVPN server running on a Scaleway OpenVPN instance. The goal is to hide my entire LAN behind the Scaleway public IP address: every host behind the gateway reaches the Internet through the tunnel.

Scaleway OpenVPN instance

Launch the OpenVPN image on a C1 instance with a public IP address. Generating the server certificates takes some time after the first boot; check progress with scw-ovpn status:

# scw-ovpn status

Your server is done configuring !
You can now start using it.

We then create our user certificate:

# scw-ovpn create my_user

Server and client certificates are located in /etc/openvpn/easy-rsa/keys on the instance (the files are named after the name given to scw-ovpn create), and the .ovpn file can be downloaded by running scw-ovpn serve my_user.

VyOS OpenVPN client

The VyOS configuration is fairly simple:

  • eth0 is the WAN interface
  • eth1 is the LAN interface
  • the LAN network (10.0.0.0/24) is NATed through the OpenVPN tunnel

Here is the configuration :

# interfaces setup
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '10.0.0.254/24'

# dhcp server for LAN network
set service dhcp-server shared-network-name dhcp authoritative 'enable'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 default-router '10.0.0.254'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 dns-server '10.0.0.254'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 lease '3600'
set service dhcp-server shared-network-name dhcp subnet 10.0.0.0/24 start 10.0.0.1 stop '10.0.0.10'

# dns forwarding server for LAN network
set service dns forwarding cache-size '150'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '9.9.9.9'

# OPENVPN client configuration
# encryption and hash must match the cipher and auth settings of the Scaleway server
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 hash 'sha256'
set interfaces openvpn vtun0 mode 'client'
# only accept a peer whose certificate was issued for server use, so a leaked client certificate cannot impersonate the server
set interfaces openvpn vtun0 openvpn-option 'remote-cert-tls server'
# tls-auth HMAC on the control channel: the server uses direction 0, the client must use 1.
# The '0' here is contradicted by key-direction 1 below, and OpenVPN keeps whichever direction it parses last;
# the unambiguous form is a single 'tls-auth /config/auth/ovpn/tls-auth.key 1' with no key-direction line.
set interfaces openvpn vtun0 openvpn-option 'tls-auth /config/auth/ovpn/tls-auth.key 0'
set interfaces openvpn vtun0 openvpn-option 'tls-version-min 1.2'
set interfaces openvpn vtun0 openvpn-option 'key-direction 1'
set interfaces openvpn vtun0 remote-host '51.15.XX.XX'
# send all traffic from the gateway (and the NATed LAN) through the tunnel while it is up
set interfaces openvpn vtun0 'replace-default-route'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/my_client.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/my_client.key'

# Source nat rule
# masquerade LAN traffic leaving through the tunnel only; there is no rule for eth0, so LAN packets
# forwarded out the WAN interface would leave with their private source address
set nat source rule 100 outbound-interface 'vtun0'
set nat source rule 100 source address '10.0.0.0/24'
set nat source rule 100 translation address 'masquerade'

The OpenVPN configuration needs some tweaking to work with the Scaleway OpenVPN server (see the openvpn-option lines). The certificates and keys also have to be copied manually to VyOS from the /etc/openvpn/easy-rsa/keys directory on the Scaleway server; my_client below is the name given to scw-ovpn create (my_user in the example above), so use whichever name you chose:

# On VyOS:
sudo mkdir -p /config/auth/ovpn/
  • copy scaleway:/etc/openvpn/easy-rsa/keys/ca.crt to vyos:/config/auth/ovpn/ca.crt
  • copy scaleway:/etc/openvpn/easy-rsa/keys/my_client.crt to vyos:/config/auth/ovpn/my_client.crt
  • copy scaleway:/etc/openvpn/easy-rsa/keys/my_client.key to vyos:/config/auth/ovpn/my_client.key
  • copy scaleway:/etc/openvpn/easy-rsa/keys/ta.key to vyos:/config/auth/ovpn/tls-auth.key (the file name the tls-auth option above expects)
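The four copy steps above, as an added example that is not part of the gist: a POSIX shell script that pulls the files over scp (the .key files are secrets and should never travel over an unencrypted channel) and then checks with openssl that what landed on VyOS actually fits together, before vtun0 is committed. SCW_HOST (an SSH alias for the Scaleway instance), the root login on it, the client name my_client and the destination directory are assumptions to adapt.

```shell
# Added example, not part of the original gist. Assumed names: SCW_HOST is an SSH
# alias for the Scaleway instance, root is the login there, my_client is the name
# given to 'scw-ovpn create', DEST is where the VyOS config above looks for the files.
set -e

SCW_HOST="${SCW_HOST:-scaleway}"      # assumed SSH host/alias of the Scaleway instance
CLIENT="${CLIENT:-my_client}"         # name given to 'scw-ovpn create'
DEST="${DEST:-/config/auth/ovpn}"     # /config survives VyOS image upgrades
KEYS="/etc/openvpn/easy-rsa/keys"     # where scw-ovpn keeps certificates on the server

# Pull ca.crt, the client cert/key and ta.key over scp, then lock the permissions down.
# ta.key is stored as tls-auth.key, the file name used by the tls-auth option.
fetch_ovpn_files() {
    mkdir -p "$DEST"
    scp "root@$SCW_HOST:$KEYS/ca.crt"        "$DEST/ca.crt"
    scp "root@$SCW_HOST:$KEYS/$CLIENT.crt"   "$DEST/$CLIENT.crt"
    scp "root@$SCW_HOST:$KEYS/$CLIENT.key"   "$DEST/$CLIENT.key"
    scp "root@$SCW_HOST:$KEYS/ta.key"        "$DEST/tls-auth.key"
    chmod 700 "$DEST"
    chmod 600 "$DEST/$CLIENT.key" "$DEST/tls-auth.key"
}

# check_ovpn_files DIR NAME: returns 0 only if
#   - DIR/NAME.crt chains to DIR/ca.crt (the CA the client will trust the server with),
#   - DIR/NAME.key is the private key matching DIR/NAME.crt,
#   - DIR/tls-auth.key is an OpenVPN static key, the format the tls-auth option expects.
# A mistake in any of these only shows up later as a TLS handshake failure in the
# openvpn log, so checking up front saves a round of guessing.
check_ovpn_files() {
    dir="$1"
    name="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    grep -q 'BEGIN OpenVPN Static key' "$dir/tls-auth.key" 2>/dev/null || return 1
    return 0
}

# Typical use on VyOS, after 'scw-ovpn create my_client' on the server:
#   fetch_ovpn_files && check_ovpn_files "$DEST" "$CLIENT" && echo "client material OK"
```

The public-key comparison is what catches the most common mistake, a .crt and a .key copied from two different scw-ovpn create runs: both files look valid on their own, and only the handshake fails.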

WARNING

This VPN setup has not been tested against DNS leaks or other privacy leaks. This howto is more of a memo and needs improvement. Two things to keep in mind: the dns forwarding service on VyOS sends its own queries to 8.8.8.8 and 9.9.9.9 over whatever default route is active at the time, and if vtun0 goes down the DHCP default route on eth0 comes back, so forwarded LAN traffic would then leave eth0 in clear (with an unroutable private source address, but still leaving). A firewall policy on eth0 out that drops forwarded traffic from 10.0.0.0/24 would close that second path.
