This post is outdated.... Recommend using this article instead:
https://www.pcmag.com/how-to/how-to-create-a-vpn-server-with-raspberry-pi
Loosely based on Hak5’s video “ Linux Server Build: OpenVPN From Scratch - Hak5 2019”
My setup: Raspberry Pi 3 running Raspbian with a static internal IP address behind a DD-WRT wireless router configured to use Dynamic DNS to automatically update a DNS A record.
I Recommend looking over/following my post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine.
I Recommend looking over/following my post: Headless Raspberry Pi - Initial Baseline Configuration in order to be sure your installation of Raspbian is consistent with mine.
Install OpenVPN and Easy-RSA
$ sudo -i
# apt-get update
# apt-get upgrade
# apt-get install openvpn easy-rsa
# cd /usr/share/doc/openvpn/examples/sample-config-files
# gunzip -c server.conf.gz >/etc/openvpn/server.conf
# cd /etc/openvpn
# vi server.conf
Update Diffie Hellman from 1024 to max 2048
dh dh2048.pem
Uncomment (remove begining ‘;’) these lines
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 192.168.1.1” (add for local system name resolution)
push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”
user nobody
group nogroup
The addresses above are OpenDNS servers. You can change these to 8.8.8.8 and 8.8.4.4 (google’s DNS servers) if you want.
Setup Firewall
# cat /proc/sys/net/ipv4/ip_forward
0
# echo 1 > /proc/sys/net/ipv4/ip_forward
# vi /etc/sysctl.conf
Uncomment (remove begining #)
net.ipv4.ip_forward=1
Use ufw to create rules
# ufw status (may need to run apt-get install ufw)
# ufw allow ssh
# ufw allow 1194/udp
# vi /etc/default/ufw
Change default forward policy to accept
DEFAULT_FORWARD_POLICY=”ACCEPT”
Setup NAT and IP Masquerading for clients
# vi /etc/ufw/before.rules
Add NAT rules at the top of the file (assumes eth0 is your interface name)
*nat
:POSTROUTING ACCEPT [0.0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
Enable/start firewall
# ufw status
# ufw enable
# ufw status
Create Certificate Authority and generate RSA keys
# cd /usr/share/easy-rsa
# cp -r /usr/share/easy-rsa/ /etc/openvpn/
# mkdir /etc/openvpn/easy-rsa/keys
# vi /etc/openvpn/easy-rsa/vars
Modify the following export lines:
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”CA”
export KEY_CITY=”SanFrancisco”
export KEY_ORG=”Fort-Funston” (last name/business name)
export KEY_EMAIL=”me@myhost.mydomain”
export KEY_OU=”MyOrganizationalUnit” (“home”/business unit)
Now generate some keys and create the pem file we pointed to earlier
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048 (this will take some time)
# cd /etc/openvpn/easy-rsa
# . ./vars (initializes variables we set in the vars file earlier)
# ./clean-all
# ./build-ca
Verify/accept each property. Common Name should default to your Organization Name followed by CA. When prompted for “Name” change “EasyRSA” to “server”.
# ./build-key-server server
Verify/accept each property. You can leave “Common Name” set to “server”, or change it to something more descriptive like “John’s OpenVPN server”. Be sure to change the “Name” field from “EasyRSA” to “server” and do not specify a password when prompted. Enter Y to sign the certificate and Y to commit.
Still in the /etc/openvpn/easy-rsa directory we need to copy some keys to /etc/openvpn/
# cd keys
# cp server.crt server.key ca.crt /etc/openvpn/
# cd /etc/openvpn
# ls
You should see: ca.crt, dh2048.pem, server.conf, server.crt, and server.key files
Start the openvpn service
# service openvpn start
# service openvpn status (should show “* VPN ‘server’ is running”)
Create client keys
(Start here for each unique client/device key)
# cd /etc/openvpn/easy-rsa
# . ./vars (initializes variables we set in the vars file earlier)
# ./build-key client1 (To password-protect client key, use: build-key-pass client1) Here client1 refers to the key file we are creating, and could be anything you want (i.e. john-laptop for instance). Verify/accept each key property EXCEPT change “Common Name” to something descriptive like “John’s Laptop” and change “Name” from “EasyRSA” to “client1”. The Name field must match the filename you specified above. Enter Y to sign the certificate and Y to commit.
# ls keys
client1.crt client1.csr client1.key ...
Copy keys and config files to /root/client
# mkdir ~/client (only the 1st time creating a client key)
# cd ~/client
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client1.ovpn
# ls
client1.ovpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt . (only the 1st time creating a client key)
# cp /etc/openvpn/easy-rsa/keys/client1.* .
# ls (still in the /root/client directory)
ca.crt client1.crt client1.key client1.ovpn
Need to find the FQDN clients will use to connect, or real IP address for our OpenVPN server
# ifconfig (look for inet addr: ) or google “What’s my IP address?”
If the VPN server is behind a firewall/router, you will need to setup port forwarding 1194/udp to the OpenVPN server.
(Notice: You should have a tun0 interface with the 10.8.0.1 VPN address in the ifconfig output.)
# vi client1.ovpn
Find and uncomment (remove leading “;”) the line with “remote my-server-1 1194” Replace my-server-1 with the real IP address or the FQDN clients will use to connect to your OpenVPN server.
Uncomment (remove leading “;”) these lines:
user nobody
group nogroup
Comment out default ca, cert, and key lines
# ca ca.crt
# cert client.crt
# key client.key
Now we will combine the client1.crt, client1.key, ca.crt, the client1.ovpn files.
(see Appendix for a merge.sh script to make things easier)
# echo “<ca>” >> client1.ovpn
# cat ca.crt >> laptop1.ovpn
# echo “</ca>” >> client1.ovpn
# echo “<cert>” >> client1.ovpn
# echo client1.crt >> client1.ovpn
# echo “</cert>” >> client1.ovpn
# echo “<key>” >> client1.ovpn
# cat client1.key >> client1.ovpn
# echo “</key>” >> client1.ovpn
# vi client1.ovpn (look over it and make sure open and close tags are all good)
Securely transfer the /root/client/client1.ovpn file to the client’s home directory. (flash or scp.)
Test it from the client either through the GUI OpenVPN client or the command line.
$ sudo openvpn client1.ovpn
Google “What’s my IP address” and verify that you are now using the VPN servers IP address on the Internet.
APPENDIX: merge.sh script
#!/bin/bash
# /root/client/merge.sh
# Merge FILE.ca, FILE.crt, FILE.key and FILE.ovpn
# usage: ./merge.sh name (client name without any file extension)# File Tests
if [ -z $1 ]; then
echo "syntax: $0 Filename"
exit 1
fi
FILE=$1
if [ ! -s ca.crt ]; then
echo "Missing or Zero byte file: ca.crt"
exit 1
fi
if [ ! -s ${FILE}.ovpn ]; then
echo "Missing or Zero byte file: ${FILE}.ovpn"
exit 1
fi
if [ ! -s ${FILE}.crt ]; then
echo "Missing or Zero byte file: ${FILE}.crt"
exit 1
fi
if [ ! -s ${FILE}.key ]; then
echo "Missing or Zero byte file: ${FILE}.key"
exit 1
fi
# Merge the files
echo -e "<ca>" >>${FILE}.ovpn
cat ca.crt >>${FILE}.ovpn
echo -e "</ca>" >>${FILE}.ovpn
echo -e "<cert>" >>${FILE}.ovpn
cat ${FILE}.crt >>${FILE}.ovpn
echo -e "</cert>" >>${FILE}.ovpn
echo -e "<key>" >>${FILE}.ovpn
cat ${FILE}.key >>${FILE}.ovpn
echo -e "</key>" >>${FILE}.ovpn
# Merge FILE.ca, FILE.crt, FILE.key and FILE.ovpn
# usage: ./merge.sh name (client name without any file extension)# File Tests
if [ -z $1 ]; then
echo "syntax: $0 Filename"
exit 1
fi
FILE=$1
if [ ! -s ca.crt ]; then
echo "Missing or Zero byte file: ca.crt"
exit 1
fi
if [ ! -s ${FILE}.ovpn ]; then
echo "Missing or Zero byte file: ${FILE}.ovpn"
exit 1
fi
if [ ! -s ${FILE}.crt ]; then
echo "Missing or Zero byte file: ${FILE}.crt"
exit 1
fi
if [ ! -s ${FILE}.key ]; then
echo "Missing or Zero byte file: ${FILE}.key"
exit 1
fi
# Merge the files
echo -e "<ca>" >>${FILE}.ovpn
cat ca.crt >>${FILE}.ovpn
echo -e "</ca>" >>${FILE}.ovpn
echo -e "<cert>" >>${FILE}.ovpn
cat ${FILE}.crt >>${FILE}.ovpn
echo -e "</cert>" >>${FILE}.ovpn
echo -e "<key>" >>${FILE}.ovpn
cat ${FILE}.key >>${FILE}.ovpn
echo -e "</key>" >>${FILE}.ovpn
exit 0
No comments:
Post a Comment