Skip to content

Changes

Page history
Create servers/openvpn authored by MPHSlaats's avatar MPHSlaats
Hide whitespace changes
Inline Side-by-side
servers/openvpn.md 0 → 100644
View page @ 11039184
# OpenVPN
You can find OpenVPN as a application to securly connect with the internal network.
## Table of contents
- [OpenVPN](#openvpn)
- [Table of contents](#table-of-contents)
- [Resources](#resources)
- [Ports](#ports)
- [Install OpenVPN using Turnkey](#install-openvpn-using-turnkey)
- [Add user](#add-user)
- [Remove user](#remove-user)
- [Install OpenVPN using PiVPN](#install-openvpn-using-pivpn)
- [Auto start OpenVPN for Windows](#auto-start-openvpn-for-windows)
## Resources
OpenVPN does not use that much [resources](http://www.webhostingtalk.com/showthread.php?t=1234447). Therefore OpenVPN gets 512 MB RAM and 1 CPU core.
## Ports
By default OpenVPN uses port 1194 (UDP), however this is customizable.
## Install OpenVPN using Turnkey
* After deploying the Turnkey container, the following settings are applied in the Turnkey container:
* Profile: server;
* Email: fake@mail.com;
* FQDN: vpn.mphslaats.com;
* Virtual subnet: y.y.y.0/24;
* Subnet network: x.x.x.0/24;
* Hubservices: no;
* Enable notifications: yes;
* Now the tun adapter needs to be added to the container therefore, shutdown the container and edit the [`/etc/pve/lxc/<container id>.conf`]() file in Proxmox:
```bash
# Add tun adapter
lxc.hook.autodev: sh -c "modeprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
```
* Now the iptables need to be configured in the container as follows:
* Add the following to the eth0 adapter in [`/etc/network/interfaces`]() (Do not forget to remove the top lines):
```bash
post-up iptables-restore < /etc/iptables.up.rules
```
* Backup this file so the rc.local can use this during startup (this is necessary because this is a bug in the container). To backup the file use `cp /etc/network/interfaces /etc/network/interfaces.bak`;
* No add the following code to [`/etc/rc.local`]():
```bash
# Configure iptables
cp /etc/network/interfaces.bak /etc/network/interfaces
/etc/init.d/networking restart
exit 0
```
* Now the [DNS](https://openvpn.net/index.php/open-source/documentation/howto.html#dhcp) needs to be configured in [`/etc/openvpn/server.conf`]() because otherwise the user cannot use the websites on the internal network. Therefore add the following code:
```bash
# push DNS to clients
push "dhcp-option DNS 10.10.10.4"
```
### Add user
Now OpenVPN is configured, the only thing left is to add the users. A new user can be added by using `openvpn-addclient <name> <email> <optional private subnet>`.
Now add a temporary download page to download the OpenVPN file by using `/var/www/openvpn/bin/addprofile <name>`. Now download the file from the given URL. It is also possible to SCP the file from `/etc/openvpn/easy-rsa/keys/<name>.ovpn`.
**NOTE:** If you use the ovpn file on Linux, do not forget to add the following to the bottom of the ovpn file, to be able to use the DNS server:
```bash
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```
### Remove user
If a user is deprecated, use the following code to remove the user: `openvpn/easy-rsa && source ./vars && ./revoke-full <name>`. To completly remove the user, remove the files by using `rm -r /etc/openvpn/easy-rsa/keys/<name>*`.
## Install OpenVPN using PiVPN
* The tun adapter needs to be added to the container because the container does not have rights to add adapters to the kernel, therefore shutdown the container and edit the [`/etc/pve/lxc/<container id>.conf`]() file in Proxmox:
```bash
# Add tun adapter
lxc.hook.autodev: sh -c "modeprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
```
* Because PiVPN requires a non-root user let's create and configure it as follows:
* `adduser pi`, will create the user pi with password and a home directory!;
* Now install sudo by using `apt-get install sudo`;
* Add the pi user to the sudoers by adding `/etc/sudoers.d/pi`:
```bash
pi ALL=(ALL) NOPASSWD:ALL
```
* Now login as the pi user using `su - pi`;
* PiVPN can be installed using `curl -L https://install.pivpn.io | bash` or by downloading it:
* `wget https://install.pivpn.io -O pivpn.sh`;
* Make it executable by using `chmod +x pivpn.sh`;
* Start the installation by using `./pivpn.sh`;
* Select UDP as the protocol during the installation;
* Change the port to 1193;
* Since we are paranoid we will use 4096 as encryption strength;
* After the installation we need to tweak the system a bit, since this container isn't a raspberry pi:
* Create the following file `/etc/pivpn/INSTALL_USER` and set `pi` as the content;
* Create the following folder `/home/pi/ovpns` and set the rights to 777 using `chmod 777 /home/pi/ovpns`;
* To add a user simply run `pivpn add` and run `pivpn revoke` to remove a user. After you add a user you can find the connection file in `/home/pi/ovpns`.
**NOTE:** The certificate is not generated properly.
## Auto start OpenVPN for Windows
* Open [Task scheduler](https://help.my-private-network.co.uk/support/solutions/articles/8464-windows-openvpn-auto-start-windows-7-);
* Add a new Basic task:
* Trigger: When I log on;
* Action: Start a programme;
* Search for openvpn-gui.exe (`%PROGRAMFILES%/OpenVPN/Bin`);
* Add `--connect <ovpn file>` to the arguments.
[Home](https://git.mphslaats.com/mphslaats/server-documentation/wikis/home)
\ No newline at end of file