Welcome

Welcome to my external memory and information on what I'm currently working on. Here you will find snippets of code, tricks and solutions I, or maybe you, may need to reference.

Feel free to comment your suggestions and any constructive criticisms that you may have.

Saturday, 1 February 2014

Setting up OpenVPN on a Virtual Private Server (VPS)

Overview

I recently set up my own VPS. I had installed OpenVPN on my own virtual machines and systems before but setting it up on a VPS created a few unexpected problems. Below is the process that I used to get things up and working.

Assumptions and Out of Scope Items

  • You have OpenVPN already installed at /etc/openvpn
  • You have Easy-RSA 2.0 located at /etc/openvpn/easy-rsa/
  • You have root access (I'm going to assume you're either logged in as root or running under su)
  • Your VPS has provisioned you a Static IP address.
  • OpenVPN Client instillation and configuration.

Special VPS Considerations

Note: A VPS typically operates with a shared kernel between all of it's Guests. Since a VPS operates on the hardware level (unlike a regular virtual machine which is typically hosted by a piece of software like Virtual Box or VMWare) the hardware/kernel level is shared among all systems. You can read more on this on Wikipedia: Virtual Machine.

Because of this we run into two main issues:
  1. OpenVPN requires the Tun kernel module which isn't usually present by default. And since you don't have access to the kernel you can't load it. To get around this you can usually ask your provider to enable it on your VPS or it is an option on your provider's VPS management page.
  2. In order to tunnel traffic you need to set up routing rules with iptables which, in my experience, is typically done using the MASQUERADE option which isn't supported by my VPS Host (OpenVZ). I would assume this is the case for most if not all VPS hosts.

The Process

Creating RSA Keys

If you can use encryption keys to access your VPN server why not? Unless you're making this service open to a large number of people the standard Username/Password approach just isn't as secure. And since, in this case, I can easily control and distribute my private key(s) I can't see a reason not to.
  1. Navigate to /etc/openvpn/easy-rsa/2.0/ and create a directory called keys
  2. Edit the /etc/openvpn/easy-rsa/2.0/vars file and set the following values. Note: These will be your default values when generating keys so you will get an opportunity to override them during the process.
    export KEY_COUNTRY="US"        # Your Country
    export KEY_PROVINCE="CA"       # Your State/Province/Territory 
    export KEY_CITY="SanFrancisco" # Your City
    export KEY_ORG="None"          # Your Organization Name
    export KEY_EMAIL="mail@domain" # Mail Address
    export KEY_EMAIL=mail@domain   # Mail Address
    Note: You can also add/alter the additional fields below, however, typically these values will not be the default when you generate your keys.
    export KEY_CN=OpenVPN.yourdomain.com # Common Name
    export KEY_NAME=yourname             # Your Name
    export KEY_OU=servername             # Organizational Unit
  3. Execute the following commands from the /etc/openvpn/easy-rsa/2.0/ directory. Note: You will be prompted for information when generating keys and this will create all your keys and certs in the /etc/openvpn/easy-rsa/2.0/keys folder:
    ./vars            # Sets up environment variables for key creation
    ./clean-all       # Cleans up any generated files in the folder
    ./build-ca        # Creates the certificate authority key
    ./build-key-server server # Creates the server key
    ./build-dh        # Creates the Diffie-Hellman key
    ./build-key clientname # Creates the client's private key
  4. Transfer, physically if possible encrypted if not, the  ca.crt, clientname.crt, clientname.key files to your client and place them in it's openvpn folder.

Creating a TLS-Auth key (ta.key)

  1. Navigate to /etc/openvpn/
  2. run the command:
    openvpn --genkey --secret ta.key
  3. Done.

Configuring the Server (server.conf)

To make this a little simpler I've included a sample server.conf file. I'd recommend backing up your current server.conf file as it has comments that will help you further configure your server to your needs.

Set up routing/forwarding

  1. We need to enable ip traffic forwarding:
    1. Enable forwarding by executing the following:
      echo 1 > /proc/sys/net/ipv4/ip_forward
    2. Make the change permanent by editing /etc/sysctl.conf and un-commenting the line:
       net.ipv4.ip_forward = 1
  2. Set up IPTables rules to forward the traffic coming in from the tunnel (tun0) to our ethernet adapter (venet0). This is done by setting up forwarding between the client and server's network adapters (tun0 and venet0) as well as traffic coming back to the client (venet0 to tun0). The final step maps the incomming local 10.8.0.0/24 address to the servers IP (This is the step that differs on a VPS).
    1. Enter the following into the command line:
      iptables -A FORWARD -i venet0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -s 10.8.0.0/24 -o venet0 -j ACCEPT
    2. The following is the standard way of setting up the ip mapping which uses MASQUERADE but will not work on a VPS
      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
      Because MASQUERADE isn't implemented in the VPS's kernel we have to complete the mapping manually. Keep in mind that as long as you have a static IP this method will work.
      iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source <server ip>
  3. Make the changes to iptables persist between reboots. I found some tools to help out with this but I tend to prefer solutions that don't require additional packges. And this one is simple so why not!
    1. Store the current state of your iptables in a iptables rule file.
      iptables-save > /etc/iptables.openvpn.rules
    2. Add the following to to /etc/network/interfaces.
      #Define OpenVPN IP address forwarding
      post-up /sbin/iptables-restore < /etc/iptables.openvpn.rules
      

Sources

No comments :

Post a Comment