@samqi
Created May 4, 2018 14:45
OpenVPN setup
# become root and add the OpenVPN apt repository signing key
sudo su -
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn
# Based on Linode's hardened OpenVPN server guide: https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/
# Generate the tls-crypt (HMAC) key; clients must present it before the TLS handshake proceeds
openvpn --genkey --secret /etc/openvpn/server/ta.key
openssl genpkey -genparam -algorithm DH -out /etc/openvpn/server/dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096
#exit root
##############################################VPN Certificate Authority on another machine
#Use EasyRSA for VPN CA
sudo apt install easy-rsa   # the easy-rsa package provides make-cadir
make-cadir ~/ca && cd ~/ca
ln -s openssl-1.0.0.cnf openssl.cnf
#set defaults here:
vim ~/ca/vars
######################################## Start of vars file
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
######################################## End of vars file
source ./vars # loads the vars above as defaults
# and prints: "NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/ca/keys"
./clean-all
#Use EasyRSA for VPN Server CA
#Use your VPN server’s hostname or some other identifier as the Common Name
./build-ca
# and leave the challenge password blank.
# create the server’s private key, add or edit the information prompts as needed:
./build-key-server server
# When you’ve completed the question section for the private key,
# confirm the signing of the certificate and the certificate requests certified by answering yes to those two questions.
# Upload the server credentials to your Linode, using scp from your local computer:
scp ./keys/{ca.crt,server.crt,server.key} root@<your_linode's_IP>:/etc/openvpn/server
# Fetch a copy of the HMAC key you created earlier; it is distributed to each client device:
scp root@<your_linode's_IP>:/etc/openvpn/server/ta.key ./keys
###########################################
# VPN client credentials creation
# build-key writes an unencrypted client key; build-key-pass prompts for a passphrase that protects the key at rest
cd ~/ca && source ./vars && ./build-key client1
cd ~/ca && source ./vars && ./build-key-pass client1
cd ~/ca && source ./vars && ./build-key-pass client2
############################################## END of VPN Certificate Authority on another machine
# OpenVPN Configuration Files
# Server config, including the cipher and TLS settings
sudo vim /etc/openvpn/server.conf
######################################## start of server.conf
dev tun
persist-key
persist-tun
topology subnet
port 1194
proto udp
keepalive 10 120
# Location of certificate authority's cert.
ca /etc/openvpn/server/ca.crt
# Location of VPN server's TLS cert.
cert /etc/openvpn/server/server.crt
# Location of server's TLS key
key /etc/openvpn/server/server.key
# Location of DH parameter file.
dh /etc/openvpn/server/dhp4096.pem
# The VPN's address block starts here.
server 10.89.0.0 255.255.255.0
explicit-exit-notify 1
# Drop root privileges and switch to the `ovpn` user after startup.
user ovpn
# OpenVPN process is exclusive member of ovpn group.
group ovpn
# Cryptography options. We force these onto clients by
# setting them here and not in client.ovpn. See
# `openvpn --show-tls`, `openvpn --show-ciphers` and
# `openvpn --show-digests` for all supported options.
tls-crypt /etc/openvpn/server/ta.key
auth SHA512 # This needs to be in client.ovpn too though.
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
# Logging options.
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log /var/log/openvpn.log
verb 3
######################################## End of server.conf
# OpenVPN Client config
sudo vim client.ovpn
######################################## Start of client.ovpn
# No cryptography options are specified here because we want
# the VPN server to push those settings to clients rather than
# allow clients to dictate their crypto.
client
dev tun
persist-key
persist-tun
proto udp
nobind
user ovpn
group ovpn
remote-cert-tls server
auth SHA512
verb 3
# Remote server's IP address and port. IP is
# preferable over hostname so as not to rely
# on DNS lookups.
remote <your_linode's IP address> 1194
# To successfully import this profile, you
# want the client device's CA certificate copy,
# client certificate and key, and HMAC signature
# all in the same location as this .ovpn file.
ca ca.crt
cert client1.crt
key client1.key
tls-crypt ta.key
######################################## End of client.ovpn
########################################
# DISTRIBUTE TO EACH USER:
# client1.key  # Exclusive to this device.
# client1.crt  # Exclusive to this device.
# ca.crt       # Shared among the server and all client devices.
# ta.key       # Shared among the server and all client devices.
# client.ovpn  # Shared among client devices.
#############################################################################
# TURN ON THE SYSTEMCTL SERVICE
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
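The server.conf and client.ovpn above have to agree on several settings (the comment on `auth` in server.conf says as much). The checker below is an added example, not part of the gist: it parses both files, skipping `<ca>`-style inline blocks, and flags mismatches and missing hardening directives. The three configs are constructed inline from the gist's settings; the third is deliberately weak.

```python
"""Cross-check an OpenVPN server.conf against a client.ovpn for the hardening choices
made above.  Added example, not part of the gist; the configs below are constructed
inline and mirror the gist's settings (tls-crypt, auth SHA512, TLS 1.2 minimum)."""
import shlex

def parse_ovpn(text):
    """Map directive -> list of argument lists; skips comments and <inline> blocks."""
    conf, inline = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):                  # <ca> ... </ca> style inline file blocks
            inline = not line.startswith("</")
            continue
        if inline or not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # trailing '# ...' comments are allowed
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def first(conf, key, default=None):
    """First argument of the first occurrence of a directive, or default."""
    args = conf.get(key)
    return args[0][0] if args and args[0] else default

def audit(server, client):
    """Return findings; an empty list means the pair is consistent and hardened."""
    findings = []
    s_auth, c_auth = first(server, "auth"), first(client, "auth")
    if s_auth != c_auth:
        findings.append(f"auth mismatch: server={s_auth} client={c_auth}")
    if s_auth not in ("SHA256", "SHA384", "SHA512"):
        findings.append(f"weak or missing HMAC digest on server: {s_auth}")
    if not ("tls-crypt" in server and "tls-crypt" in client):
        findings.append("tls-crypt must be configured on both sides")
    if float(first(server, "tls-version-min", "1.0")) < 1.2:
        findings.append("server tls-version-min below 1.2")
    if first(client, "remote-cert-tls") != "server":
        findings.append("client lacks 'remote-cert-tls server': any CA-signed cert, "
                        "another client's included, would be accepted as the server")
    for side, conf in (("server", server), ("client", client)):
        if not ("user" in conf and "group" in conf):
            findings.append(f"{side} does not drop privileges (user/group)")
    return findings

SERVER_CONF = """dev tun\nport 1194\nproto udp\nuser ovpn\ngroup ovpn
tls-crypt /etc/openvpn/server/ta.key
auth SHA512 # This needs to be in client.ovpn too though.
tls-version-min 1.2\npush "redirect-gateway def1 bypass-dhcp"\n"""
CLIENT_OVPN = """client\ndev tun\nuser ovpn\ngroup ovpn\nremote-cert-tls server
auth SHA512\ntls-crypt ta.key\n<ca>\n-----BEGIN CERTIFICATE-----\n...\n</ca>\n"""
WEAK_CLIENT = "client\ndev tun\nauth SHA1\ntls-auth ta.key 1\n"   # constructed bad example
```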
samqi commented May 4, 2018

Tunnel Your Internet Traffic Through an OpenVPN Server:

sudo su - root
######################################## Edit server.conf
cat >> /etc/openvpn/server.conf << END

# Clients are to use this server as a network gateway.
push "redirect-gateway def1 bypass-dhcp"
END
# add OpenDNS as resolver
cat >> /etc/openvpn/server.conf << END

# Push these DNS addresses to clients.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
END
######################################## End of edit server.conf

sudo vim /etc/iptables/rules.v4

######################################## Start of /etc/iptables/rules.v4
*filter

# Allow all loopback (lo) traffic and reject traffic
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow SSH.
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# Allow UDP traffic on port 1194.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT

# Allow DNS resolution and limited HTTP/S on eth0.
# Necessary for updating the server and keeping time.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT

-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# Allow traffic on the TUN interface.
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# Allow forwarding traffic only from the VPN.
-A FORWARD -i tun0 -o eth0 -s 10.89.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log any packets which don't fit the rules above...
# (optional but useful)
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: " --log-level 4

# then reject them.
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT

COMMIT
######################################## End of /etc/iptables/rules.v4

#LOAD new ruleset
iptables-restore < /etc/iptables/rules.v4
#Apply the routing rule so that traffic can leave the VPN. This must be done after iptables-restore because that directive doesn’t take a table option:
iptables -t nat -A POSTROUTING -s 10.89.0.0/24 -o eth0 -j MASQUERADE
#SAVE new ruleset
dpkg-reconfigure iptables-persistent

# Set and apply kernel parameters
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p

systemctl restart openvpn*
exit
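Two checks worth running over a ruleset like the one above, as an added example (not part of the gist): a first-match shadow detector, which shows that `-A FORWARD -i tun0 -j ACCEPT` makes the later `-s 10.89.0.0/24` restriction unreachable, and a scan for FORWARD rules that admit new flows arriving on anything other than tun0. The sample ruleset is constructed inline from the page's own INPUT and FORWARD chains.

```python
"""Audit an iptables-save ruleset for rules shadowed by an earlier terminating rule
(first match wins) and FORWARD rules admitting new flows from outside the VPN.
Added example, not from the gist; RULES_V4 is constructed from the page's chains."""
import shlex

def parse_rules(text):
    """'-A CHAIN opts...' -> {option: value}; assumes each option takes one value ('!' -> '!opt')."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A"):             # skip *table, COMMIT, comments, blanks
            continue
        toks = shlex.split(line)
        rule, neg, i = {"chain": toks[1]}, "", 2
        while i < len(toks):
            if toks[i] == "!":
                neg, i = "!", i + 1
            else:
                rule[neg + toks[i].lstrip("-")], neg, i = toks[i + 1], "", i + 2
        rules.append(rule)
    return rules

def criteria(rule):   # packet-match criteria only: chain, target (-j), module loader (-m) excluded
    return {k: v for k, v in rule.items() if k not in ("chain", "j", "m")}.items()

def shadowed(rules):
    """(earlier, later) index pairs where the later rule can never match a packet."""
    pairs = []
    for n, later in enumerate(rules):
        for e, earlier in enumerate(rules[:n]):
            if (earlier["chain"] == later["chain"] and earlier.get("j") in ("ACCEPT", "DROP", "REJECT")
                    and criteria(earlier) <= criteria(later)):
                pairs.append((e, n))
                break
    return pairs

def open_forwards(rules, vpn_if="tun0"):
    """FORWARD ACCEPT rules admitting NEW flows that arrive on something other than vpn_if."""
    return [r for r in rules if r["chain"] == "FORWARD" and r.get("j") == "ACCEPT"
            and "NEW" in r.get("state", "NEW")    # no --state match means any state, NEW included
            and r.get("i") != vpn_if]

RULES_V4 = """*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.89.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4
-A FORWARD -j REJECT
COMMIT"""
```

Running `shadowed(parse_rules(RULES_V4))` reports the pair (2, 3): the unrestricted tun0 ACCEPT at index 2 swallows every packet the source-restricted rule at index 3 was meant to filter.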

samqi commented May 4, 2018

Using Vault to do the RSA/PKI stuff:

vault-openvpn is a small wrapper utility to manage OpenVPN configuration combined with a Vault PKI. It enables administrators with Vault access to create client / server configurations with only one command. No more hassle managing that easyrsa PKI, just a few commands to set up a Vault PKI and you're done.

but this vault issue means there may be problems:

jeffrai:
@grahamc The PKI backend used to support these sets of options but they were causing problems with various crypto stacks (see e.g. #987), many of which explicitly deviate from the spec. At this point, taking a cue from Google and other very large web sites, only extended usages are added to certs except for CA certs. This seems to be broadly compatible, and being broadly compatible is a nice thing.

We could maybe add a mode to generate OpenVPN-compatible certificates, but they do specify five different ways that this behavior can be worked around. Ideally, they'd stop requiring specific key usage restrictions and instead allow simply the extended key usage since that's what's broadly done.

samqi commented May 5, 2018

FreeIPA integration:

client
nobind
dev tun
proto udp
comp-lzo
resolv-retry infinite
max-routes 100
redirect-gateway def1
auth-user-pass
explicit-exit-notify 3
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<dh>
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
</dh>

<connection>
remote <your_server_ip> 1194 udp
</connection>

#---
# On the FreeIPA host:

kinit admin

# adding service and rules table for openvpn users
ipa hbacsvc-add openvpn
ipa hbacrule-add allow_openvpn
ipa hbacrule-add-service allow_openvpn --hbacsvcs=openvpn
ipa hbacrule-find allow_openvpn
ipa hbacrule-add-user allow_openvpn --user=<your_test_user>
ipa hbacrule-add-host allow_openvpn --hosts=<your_openvpn_host>

# testing users
ipa hbactest --user=tj --host=<your_openvpn_host> --service=openvpn

##############

samqi commented Feb 5, 2019

Generating a CRT from a CSR and a private key:

openssl req \
       -key client.key \
       -in client.csr \
       -x509 -days 365 -out client.crt
