Steps to set up easy-openvpn on Ubuntu Core
This gist is to accompany a more wordy blog post which covers everything in much more detail. These are the easily copy/pastable steps.
For this you will need:
- Raspberry Pi 2 or 3, PSU, keyboard, LAN connection, HDMI cable and display
- Laptop/desktop computer - mine is running Ubuntu 18.04 but anything with SSH will do
- Micro SD card and adapter to attach to the computer
Install Ubuntu Core on Raspberry Pi
Download Ubuntu Core 16
$ wget http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-pi2.img.xz
Create an account in the store
While the image downloads, visit https://login.ubuntu.com to create an account if you don't already have one.
Copy image to SD card
This will destroy everything on the SD card. Mine is under /dev/mmcblk0 but yours may differ.
$ xzcat ~/Downloads/ubuntu-core-16-pi2.img.xz | sudo dd of=<drive address> bs=32M
$ sync
Ubuntu Core setup
On the Raspberry Pi
Pop the newly written SD card into the Pi and boot with a keyboard, LAN and HDMI display attached.
GNU GRUB version 2.02~beta2-36ubuntu10
┌────────────────────────────────────────────────────────────────────────────┐
│*Ubuntu Core 16                                                             │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
│                                                                            │
└────────────────────────────────────────────────────────────────────────────┘
Use the ^ and ┴ keys to select which entry is highlighted.
Press enter to boot the selected OS, `e' to edit the commands before booting or `c' for a command-line.
Wait for it to boot.
Press enter to configure.
Ubuntu Core
Configure the network and setup an administrator account on this all-snap Ubuntu Core system.
[ OK ]

Network connections
Configure at least one interface this server can use to talk to other machines, and which preferably provides sufficient access for updates.
eth0 >
Will use DHCP for IPv4, currently has address: 192.168.1.101
Has no IPv6 configuration, currently has addresses: fe80:5054:ff:fe12:3456, fec0::5054:ff:fe12:3456
B8:27:EB:44:AF:C2 Raspberry Pi Foundation
[ Done ]
[ Cancel ]

Down arrow to [ Done ], then press enter.

Profile setup
Enter an email address from your account in the store.
Email address: _
If you do not have an account, visit https://login.ubuntu.com to create one.
[ Done ]
[ Cancel ]

Enter email address and arrow down to [ Done ], then press enter.

Configuration Complete
This device is registered to email@example.com.
Remote access was enabled via authentication with SSO user <popey>.
Public SSH keys were added to the device for remote access.
firstname.lastname@example.org can connect remotely to this device via SSH:
ssh email@example.com
[ Finish ]

Ubuntu Core 16 on 192.168.1.101 (tty1)
The host key fingerprints are:
RSA SHA256:aiphookohRei5ish6phai2ukiolouth0tu
SSA SHA256:deey2ak9CheiQuohlai5mie6vah6aethei
RECDSA SHA256:Eenoh7Ujoh1Thip8iebee4phooSohnuaku
ED25519 SHA256:vahNaephuifohcuov8eegho3kae0ohquae
To login:
ssh firstname.lastname@example.org
Personalize your account at https://login.ubuntu.com.
The installation of Ubuntu Core is now complete.
These steps are performed on the Raspberry Pi, typically over SSH.
Enable IP Forwarding
IP forwarding is typically disabled on Linux, and that's the same on Ubuntu Core. I'm only enabling IPv4 forwarding because I don't use IPv6. Note that sysctl -w changes only the running kernel, so the setting does not survive a reboot.
$ sudo sysctl -w net.ipv4.ip_forward=1
Install Easy OpenVPN
$ sudo snap install easy-openvpn
Discover the public IP
As this will be accessed from the outside world, OpenVPN needs to know the external (public) IP. We discover it with a little Python.
$ python3 -c 'from requests import get;print(get("https://api.ipify.org").text)'
82.16.x.y
Configure Easy OpenVPN
Use the IP address discovered above when launching the easy-openvpn setup
$ sudo easy-openvpn.setup -u udp://82.16.x.y
Here's the typical output from that command, for reference.
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 184.108.40.206'
Processing PUSH Config: 'dhcp-option DNS 220.127.116.11'
Successfully generated config
Cleaning up before Exit ...
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /var/snap/easy-openvpn/8/openvpn/pki
Generating a 2048 bit RSA private key
.+++
.......................+++
writing new private key to '/var/snap/easy-openvpn/8/openvpn/pki/private/ca.key.vKlxSiGKEi'
At this point setup asks for a passphrase, which is not echoed to the screen. Carefully type and re-type the secure passphrase you'd like to use.
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Next we specify a Common Name.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:popey
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/var/snap/easy-openvpn/8/openvpn/pki/ca.crt
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
Now we wait. This part takes a good few minutes, depending on the speed of your Raspberry Pi. On mine it took 30 minutes. It prints dots, plus signs and stars to indicate progress. Be patient.
...........................................+.................................................................................................................................................+.............................................+............
DH parameters of size 2048 created at /var/snap/easy-openvpn/8/openvpn/pki/dh.pem
Generating a 2048 bit RSA private key
........................+++
..........+++
writing new private key to '/var/snap/easy-openvpn/8/openvpn/pki/private/82.16.x.y.key.743Ookmf05'
-----
Using configuration from /snap/easy-openvpn/8/usr/local/easyrsa/openssl-1.0.cnf
Enter pass phrase for /var/snap/easy-openvpn/8/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'82.16.x.y'
Certificate is to be certified until Oct 6 10:00:19 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using configuration from /snap/easy-openvpn/8/usr/local/easyrsa/openssl-1.0.cnf
Enter pass phrase for /var/snap/easy-openvpn/8/openvpn/pki/private/ca.key:
An updated CRL has been created.
CRL file: /var/snap/easy-openvpn/8/openvpn/pki/crl.pem
Start the OpenVPN server
$ sudo service snap.easy-openvpn.easy-openvpn start
Export client config
This config file needs to be transferred securely to clients which need to connect.
The home interface is not connected by default on Ubuntu Core, so we connect it in order to export the client config file to the home directory.
$ sudo snap connect easy-openvpn:home :home
Next we export the client config file which will be used on the laptop that will connect to the VPN.
$ sudo easy-openvpn.add-client popey_laptop > popey_laptop_vpn_config.ovpn
The snap no longer needs access to the home interface, so we'll disconnect it.
$ sudo snap disconnect easy-openvpn:home
Now copy the ovpn file to your clients. I use scp to copy over the LAN, then delete it from the server.
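The exported profile is written by shell redirection with the default umask and then copied between machines, so it is worth auditing its permissions and recording a checksum to compare on both ends. The following is an added example, not part of the original gist; it assumes the profile embeds the client key inline in a <key> block, and the function names and sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an exported .ovpn profile before and after transfer.
# Assumption: the profile embeds the client's private key inline in a
# <key>...</key> block, so the file itself is a credential.

# Print the SHA-256 of a profile; compare this value on both ends of the copy.
profile_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the profile looks sound, 1 if something needs fixing,
# 2 if the file is missing. Findings are printed one per line.
audit_profile() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    rc=0
    mode=$(stat -c '%a' "$f")            # GNU stat, as shipped on Ubuntu
    case "$mode" in
        *00) ;;                          # no group/other permission bits
        *)   echo "mode $mode: accessible beyond owner, run: chmod 600 $f"; rc=1 ;;
    esac
    if grep -q '^<key>' "$f"; then
        echo "embedded private key present: treat file as a secret"
    else
        echo "no <key> block found: export may be incomplete"; rc=1
    fi
    echo "sha256 $(profile_sha256 "$f")"
    return $rc
}

# Constructed sample profile (not real key material) for trying the audit.
make_sample_profile() {
    cat > "$1" <<'EOF'
client
remote 192.0.2.10 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}
```

Running umask 077 in the shell before the export creates the file owner-only in the first place. After the scp, the sha256 line printed on the Pi and on the laptop should match before the server copy is deleted.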
Set up the client
Install OpenVPN support
I use Ubuntu 18.04 on my laptop, which doesn't support OpenVPN out of the box, but support can easily be added.
$ sudo apt install network-manager-openvpn-gnome
Restart Network Manager
$ sudo systemctl restart NetworkManager
Import OpenVPN client config
On Ubuntu Desktop, search for Settings.
In settings, go to network, VPN, "+", "Import from file".
Select the .ovpn file copied from the Raspberry Pi.
Connect to the VPN
In Ubuntu click the indicator area, select "VPN Off" then click "Connect".
Show connection status on the server
On the Raspberry Pi
$ sudo easy-openvpn.clients
This shows the connected clients in a list:
name,begin,end,status
popey,Oct 9 10:28:55 2018 GMT,Oct 6 10:28:55 2028 GMT,VALID