
openvpn notes

OPENVPN SETUP:
==============

PREREQS:
--------

0. pull in the openvpn package and its dependencies on all the machines:
    * ubuntu: apt-get install openvpn
    * centos: yum install openvpn

1. on the machine that will be hosting the openvpn server, we need easy-rsa
   (the 2.x scripts: vars, build-ca, build-key-server, build-key, build-dh):
    * either get it off the net or use your preferred package manager
      (e.g. apt-get install easy-rsa)
    * run `make-cadir /etc/openvpn/easy-rsa` (this copies the scripts and a
      template vars file into that directory)
    * be aware that this keeps the CA's private key on the VPN server itself;
      it is convenient, but anyone who roots the server can then mint client
      certificates

SERVER SETUP:
-------------

0. generate the CA, the server cert/key and the DH parameters
   $ cd /etc/openvpn/easy-rsa
   $ vim vars
     * make the fields look like the following:
       export KEY_COUNTRY="US"
       export KEY_PROVINCE="NY"
       export KEY_CITY="Brooklyn"
       export KEY_ORG="EmilioGallicchioLab"
       export KEY_EMAIL=""
       export KEY_OU=""
     * check that KEY_SIZE is 2048: build-dh names its output after it, and
       the server config below expects dh2048.pem
   $ . vars
   $ ./clean-all      # wipes the keys/ directory, so first run only
   $ ./build-ca
   $ ./build-key-server <server name>
   $ ./build-dh
     * <server name> becomes the certificate's common name and the file names
       (<server name>.crt / <server name>.key); below it is "policoro", so
       the server.conf paths must match whatever you used here
     * everything lands in ./keys/. Copy ca.crt, <server name>.crt,
       <server name>.key and dh2048.pem into /etc/openvpn/ so the paths in
       server.conf resolve. ca.key stays where it is and is never copied to
       a client.

1. create server config
   $ vim /etc/openvpn/server.conf
     # the following config is for an openvpn server that listens on all
     # addresses (0.0.0.0) on udp/1194, uses a tun device, creates a
     # 10.24.0.0/24 virtual subnet on the tun device, and allows
     # client-to-client connections:
     port 1194
     proto udp
     dev tun
     ca /etc/openvpn/ca.crt
     cert /etc/openvpn/policoro.crt
     key /etc/openvpn/policoro.key
     dh /etc/openvpn/dh2048.pem
     server 10.24.0.0 255.255.255.0
     ifconfig-pool-persist ipp-server.txt
     client-to-client
     topology subnet
     push "route 10.24.0.0 255.255.255.0"
     user nobody
     group nogroup
     persist-key
     persist-tun
     keepalive 10 120
     status /var/log/openvpn/openvpn-server-status.log 30
     verb 3
2. generate the keys for the clients
   # for each client <CLIENT>, you will do the following:
   $ cd /etc/openvpn/easy-rsa
   $ . vars
   $ ./build-key <CLIENT>
3. create client config template:
   # one copy per client; CHANGEME is replaced with the client's name from
   # step 2. "policoro" must resolve from wherever the client connects
   # (public DNS or an /etc/hosts entry), otherwise the client never gets off
   # the ground.
     client
     dev tun
     proto udp
     remote policoro 1194
     # uncomment the next line so a client that boots before DNS is up keeps
     # retrying instead of giving up
     ;resolv-retry infinite
     nobind
     user nobody
     group nogroup
     persist-key
     persist-tun
     ca /etc/openvpn/ca.crt
     cert /etc/openvpn/CHANGEME.crt
     key /etc/openvpn/CHANGEME.key
     verb 3
   # note: as written the client only checks that the server's certificate
   # was signed by our CA. Adding 'remote-cert-tls server' makes it also
   # require a server certificate, so a leaked client cert can't pose as the
   # server.
4. send keys and configs to the clients. Each client gets ca.crt plus its own
   <CLIENT>.crt and <CLIENT>.key (never ca.key). The .key is the client's
   private key, so move it over an authenticated channel (scp), not e-mail.
5. allow udp/1194 in the server's iptables from whatever net you want to
   connect from
6. if you're creating the server on centos: the group 'nogroup' doesn't exist
   there (the user 'nobody' does, in group 'nobody'), so openvpn fails when it
   tries to drop privileges. Either a) use 'group nobody' instead of
   'group nogroup' or b) comment out the 'user nobody' and 'group nogroup'
   lines and run openvpn as root. Option b) throws away the privilege drop
   that persist-key and persist-tun exist to support, so prefer a); root is
   only "safe" for as long as there's no serious bug in openvpn.

CLIENT SETUP:
-------------

0. unpack the config and the keys (ca.crt + hostname.crt and hostname.key);
   the .key should be readable by root only (mode 0600)
1. change the client config to match the key file names (the CHANGEME lines)
   and place it in /etc/openvpn/client.conf
2. if the services you want to reach over the vpn use tcp wrappers, edit
   hosts.allow and put in ALL: 10.24.0.0/255.255.255.0 or whatever your vpn
   subnet is (this doesn't affect openvpn itself, which doesn't use libwrap)
3. if running on centos, read point 6 in the SERVER SETUP section and take the
   steps prescribed

STARTING THINGS:
----------------

0. start openvpn on the server: 'service openvpn start'
1. start openvpn on all the clients: 'service openvpn start' (or
   'sudo systemctl start openvpn@client' on ubuntu 16.04; with systemd the
   instance name is the basename of the .conf in /etc/openvpn, so on the
   server it is 'openvpn@server', and 'systemctl enable' the same unit to
   have it come up at boot)

TROUBLESHOOTING:
----------------

0. I can't connect to the server from the outside!
    * check your server's iptables.  It must allow connections from outside
      on the port specified in server.conf (udp/1194 in this document).
    * hosts.allow is not the culprit here: openvpn doesn't use tcp wrappers.
      It still matters for the libwrap-aware services (sshd etc.) you reach
      afterwards, so it should allow both the external and internal networks
      unless you're doing something fancy.
    * make sure the openvpn server config binds on all addresses, not just
      one, i.e. there should be no 'local 10.42.0.1' (or like) line
    * confirm the daemon is actually up and listening: 'ss -lunp' (or
      'netstat -lunp') should show 0.0.0.0:1194 owned by openvpn; if not,
      the openvpn log / syslog says why it didn't start

1. I can't connect to the server from the internal network!
    * again, check the server's iptables and hosts.allow. It should be the case
      that all connections coming from the internal network (currently
      10.42.0.0/24) are accepted on all ports, since we ultimately trust the
      internal network.

2. I connected to the server and got an ip address on the virtual network, but
   can't connect to X (given X is also on the virtual net)!
    * check X's iptables and hosts.allow, again.  If our virtual net is
      composed only of trusted machines (which is the case as of now), we
      should allow all incoming connections (originating from the virtual net,
      that is) on all ports on every machine that's a part of the virtual
      network.  That is, even the clients (since it's a client-to-client net).
    * note that with client-to-client, openvpn forwards traffic between
      clients inside the daemon, so the server's iptables never sees it; the
      only filtering that applies is on the two endpoints themselves.

$. X is not working on Y when Z!  I don't know what to do!
    * use programs like netcat, ip, ss/netstat and tcpdump to figure out
      where the connection is failing (does the packet leave, does it arrive,
      is anything listening).  Then figure out what programs are involved and
      look at their logs and/or increase verbosity (verb 4 and up in the
      openvpn configs).  Check iptables, hosts.allow, and the addresses that
      the programs involved are binding on.
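
The three checks that keep coming up in this section (is openvpn bound to the
wildcard address, does iptables accept the udp port, does hosts.allow permit
the vpn subnet) can be scripted. The following is an added example, not part
of the original notes. Each function reads the output of the usual tool on
stdin, so it runs on the live machine ('ss -lun | listening_on_all_addrs
1194', 'iptables -S INPUT | input_accepts_udp 1194', 'hosts_allow_permits
10.24.0.0/255.255.255.0 < /etc/hosts.allow') and equally well on output
saved from another box. The sample inputs in the comments are constructed;
the iptables check is a first-pass reading of the rule list, not a simulator
(it ignores -s restrictions and jumps to user chains), and the hosts.allow
check does not understand EXCEPT lists or IPv6 client patterns.

```shell
#!/bin/sh
# Added example (not part of the original notes): stdin-driven checks for the
# usual "I can't connect" causes. Sample inputs in the comments are constructed.

# Exit 0 if a UDP socket for PORT is bound to the wildcard address
# (0.0.0.0, [::] or *), 2 if it is bound to one specific address only
# ('local 10.42.0.1' in server.conf), 1 if nothing listens on PORT at all.
# Input: `ss -lun` (header line tolerated), e.g.
#   UNCONN 0 0 0.0.0.0:1194 0.0.0.0:*
listening_on_all_addrs() {
  awk -v port="$1" '
    {
      i = match($4, /:[0-9]+$/)          # split "addr:port" at the last colon
      if (i == 0) next
      addr = substr($4, 1, i - 1)
      if (substr($4, i + 1) != port) next
      bound = 1
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") wild = 1
    }
    END { if (wild) exit 0; if (bound) exit 2; exit 1 }'
}

# Exit 0 if the INPUT chain lets udp/PORT in: the first rule that names
# "-p udp --dport PORT" decides (ACCEPT vs DROP/REJECT); with no such rule the
# chain policy decides. Rules with -s restrictions or jumps to other chains
# are not evaluated, so treat a 0 here as "probably", not proof.
# Input: `iptables -S INPUT`, e.g.
#   -P INPUT DROP
#   -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
input_accepts_udp() {
  awk -v port="$1" '
    /^-P INPUT / { policy = $3 }
    /^-A INPUT / && $0 ~ /-p udp/ && $0 ~ ("--dport " port "( |$)") && !decided {
      if ($0 ~ /-j ACCEPT/) { verdict = "accept"; decided = 1 }
      else if ($0 ~ /-j (DROP|REJECT)/) { verdict = "deny"; decided = 1 }
    }
    END {
      if (verdict == "accept") exit 0
      if (verdict == "deny") exit 1
      exit (policy == "ACCEPT" ? 0 : 1)
    }'
}

# Exit 0 if hosts.allow has a line whose daemon list is ALL and whose client
# list is ALL or contains NET verbatim (e.g. 10.24.0.0/255.255.255.0).
# EXCEPT clauses and IPv6 patterns (which contain colons) are not handled.
# Input: the hosts.allow file, e.g.
#   sshd: 10.42.0.0/255.255.255.0
#   ALL: 10.24.0.0/255.255.255.0
hosts_allow_permits() {
  awk -v net="$1" '
    { sub(/#.*/, "") }                       # strip comments
    NF == 0 { next }
    {
      n = split($0, f, ":")
      if (n < 2) next
      daemons = f[1]; clients = f[2]
      if (daemons ~ /(^|[ ,])ALL([ ,]|$)/ &&
          (clients ~ /(^|[ ,])ALL([ ,]|$)/ || index(clients, net) > 0)) { ok = 1; exit }
    }
    END { exit (ok ? 0 : 1) }'
}
```

A return code of 2 from listening_on_all_addrs is the "bound to one address
only" case from troubleshooting item 0; the other two functions simply answer
yes or no, which is enough to decide which of iptables or hosts.allow to look
at next.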