Tuesday, 21 June 2016

OpenVPN Server on Debian Jessie

It was time to setup a way of getting secure access to my network while away and also to get a secure connection to the Interwebs while away from home, it also means that I can watch BBC Iplayer as if I'm at home.

I'm installing this on an old machine running Debian Jessie, it should work on a Raspberry Pi too, the only things I have installed during the initial setup process as the standard Debian utilities and ssh server so I can do everything remotely.

I've found lots on instructions out there but the one from this website was the easiest to follow, I've modified it slightly to make it easier to get at the keys.

I've modified a few things myself

First thing is to ensure we are up to date, lets switch to root for the install



apt-get update
apt-get upgrade

Time to start installing stuff

apt-get install openvpn easy-rsa

Then copy some example files over to make the job easier

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Now we edit the certificate variables

nano /etc/openvpn/easy-rsa/vars

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"

# X509 Subject Field
export KEY_NAME="server"

Time to generate some stuff and go and have a coffee, on a Pi, this may take some time

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Now we make the server certificate keys:

cd /etc/openvpn/easy-rsa
. ./vars
./build-key-server server

Let's copy them to where they belong

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Now time to make some changes to the network settings:

echo 1 > /proc/sys/net/ipv4/ip_forward

And let's make the changes permanent with:

nano /etc/sysctl.conf

Look for the following bit:

# Uncomment the next line to enable packet forwarding for IPv4
# net.ipv4.ip_forward=1

Then remove the # from the second line so it looks like this:

# Uncomment the next line to enable packet forwarding for IPv4

Now we make the server config file:

nano /etc/openvpn/server.conf

Paste this lot into the empty file, this will run the VPN server on port 1194.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
keepalive 10 120
cipher AES-128-CBC
user nobody
group nogroup
status logs/status.log
log-append logs/openvpn.log
verb 3

Now we make the log files:

mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log

And let's do some firewall configuration:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Now let's restart the server to put the changes into place:

systemctl restart openvpn@server.service

Now the original instructions came with a script file to help you create new keys for each user and device, pointless changing it.

nano /etc/openvpn/gen-client.sh

Paste this lot in:



# Generating key
echo "Generating key for user ${username}"
cd /etc/openvpn/easy-rsa/
source vars && ./pkitool ${username}
cp /etc/openvpn/clients/.tmp/.tmp.ovpn /etc/openvpn/clients/.tmp/${username}.ovpn
echo "Done"

# Adding ca certificate to ovpn client configuration file
echo "Adding ca certificate to ovpn client configuration file"
echo "<ca>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
cat /etc/openvpn/easy-rsa/keys/ca.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "</ca>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "Done"

# Adding user certificate to ovpn client configuration file
echo "Adding user certificate to ovpn client configuration file"
echo "<cert>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
cat /etc/openvpn/easy-rsa/keys/${username}.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "</cert>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "Done"

# Adding user key to ovpn client configuration file
echo "Adding user key to ovpn client configuration file"
echo "<key>" >> /etc/openvpn/clients/.tmp/${username}.ovpn
cat /etc/openvpn/easy-rsa/keys/${username}.key | grep -A 100 "BEGIN PRIVATE KEY" | grep -B 100 "END PRIVATE KEY" >> /etc/openvpn/clients/.tmp/${username}.ovpn
echo "</key>" >> /etc/openvpn/clients/.tmp/${username}.ovpn

mkdir -p /etc/openvpn/clients/${username}
mv /etc/openvpn/clients/.tmp/${username}.ovpn /etc/openvpn/clients/${username}/${username}.ovpn
cp /etc/openvpn/easy-rsa/keys/${username}.{crt,key} /etc/openvpn/clients/${username}
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/clients/${username}

cd /etc/openvpn/clients; tar -jcf ${username}.tar.gz ${username}/

chmod 0777 -R /etc/openvpn/clients

echo "Done"

echo "

            Configurations are located in /etc/openvpn/clients/${username}


                        Download friendly version with:

         'scp root@`hostname -f`:/etc/openvpn/clients/${username}.tar.gz .'


exit 0

Save it and then make it executable with:

chmod +x /etc/openvpn/gen-client.sh

Next we have to create the template file for this to use:

mkdir -p /etc/openvpn/clients/.tmp/

nano /etc/openvpn/clients/.tmp/.tmp.ovpn

Paste this in, change example.com for your external IP or server address

verb 1
dev tun
proto udp
port 1194
remote example.com 1194 udp
remote-cert-tls server
resolv-retry infinite
cipher AES-128-CBC

Now, let's make some keys:

cd /etc/openvpn/

replace username with your username, I'm going to install this onto an S5 so it will be freds5 or something.

./gen-client.sh username

To make it easy to get the files off the server and onto my device, I've decided to install Samba and setup the client keys folder as a Windows share, this is how this is done.

apt-get install samba samba-common

Once it's finished we edit the Samba config file:

nano /etc/samba/smb.conf

Change the workgroup name at the top of the file and you can also add:

netbios name = servername under it if you want.

Add the bottom add the following

        path = /etc/openvpn/clients/
        browseable = yes
        public = yes
        writeable = no

Restart the server with:

service smbd restart

Just got to change the folder permissions to make sure we can get the files off:

chmod 0777 -R /etc/openvpn/clients

Onto my phone now, I've installed OpenVPN Connect from the play store, then I've copied the files from the Windows share into dropbox, then saved them into a folder on the phone called VPN, you could just install a file browser and do the same.

Then import the .ovpn file into OpenVPN connect and click on connect.

One last thing, make sure you give the server a static IP and forward port 1194 on the router.