Difference between revisions of "VPN server configuration"

(Generic setup)
(Create CA)
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:Linux]]
 
[[Category:Linux]]
  
{| style="margin: 1em auto 1em auto"
 
|-valign="top"
 
|width="50%"| [[File:Ipv4.jpg|link=VPN server configuration#IPv4 configuration|64px|caption|IPv4 only]]
 
[[VPN server configuration#IPv4 configuration|IPv4 only]]
 
|width="50%"| [[File:Ipv6logo.jpg|link=VPN server configuration#IPv6 + IPv4 configuration|64px|caption|IPv6]]
 
[[VPN server configuration#IPv6 + IPv4 configuration|IPv6 + IPv4]]
 
|}
 
  
  
 +
This page describes how to configure OpenVPN server for '''IPv4 and IPv6'''.
  
=Generic setup=
 
  
==Installation==
+
=Requirements=
 +
 
 +
Your server must have a network interface that supports both IPv4 and IPv6.
 +
 
 +
* OVH servers require some configuration, see dedicated section
 +
 
 +
 
 +
 
 +
 
 +
==OVH server IP V6 configuration==
 +
 
 +
By default OVH gives you an IPv6 but it does not enable it!!
 +
you must enable it by yourself.
 +
 
 +
 
 +
===Get OVH server IPv6 settings===
  
<syntaxhighlight lang="bash">
+
Connect to OVH manager
sudo apt install openvpn
+
* Go to '''Server''' section > '''VPS''' > *my server*
sudo apt install easy-rsa
+
* Copy the settings that are under IP
</syntaxhighlight>
 
  
  
==Prepare files==
+
===Add DNS entry===
  
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
 
  
<syntaxhighlight lang="bash">
+
You must create new DNS link to reach your server:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
+
* A -> IPv4
cd /etc/openvpn/
+
* AAAA -> IPv6
sudo gzip -d server.conf.gz
 
  
# create temp folder, required for the CHROOT
 
sudo mkdir -p /etc/openvpn/tmp
 
</syntaxhighlight>
 
  
 +
===Configure server===
  
 +
Now that you know which settings to apply, let's configure the server.
 +
* Connect in SSH to the server
 +
* Backup and edit network configuration
 +
* Make settings persistent - if OK
  
==Create CA==
 
  
Create the "ca" directory and copy the easy-rsa tools there:
+
====Adjust network configuration====
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
make-cadir ca
+
cd/etc/netplan
 +
 
 +
# backup current config
 +
sudo mkdir backup
 +
sudo cp 50-cloud-init.yaml backup/50-cloud-init.yaml.backup-ovh-ipv4
 +
 
 +
# edit config
 +
vim 50-cloud-init.yaml
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
Edit the vars file:
+
Adjust content to your own need:
 +
 
  
<syntaxhighlight lang="bash">
+
<syntaxhighlight lang="yaml">
nano ca/vars
+
network:
 +
    version: 2
 +
    ethernets:
 +
        ens3:
 +
            dhcp4: true
 +
            dhcp6: false
 +
            addresses:
 +
                - "OVH_IP_V6/64"
 +
            gateway6: "OVH_IP_V6_GATEWAY"
 +
            routes:
 +
                - to: "OVH_IP_V6/64"
 +
                  via: "OVH_IP_V6_GATEWAY"
 +
            match:
 +
                macaddress: fa:16:3e:96:b9:66
 +
            set-name: ens3
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
(i) note that DHCP6 must NOT be enabled.
  
Scroll down until you reach these lines:
 
  
<syntaxhighlight lang="bash">
 
# These are the default values for fields
 
# which will be placed in the certificate.
 
# Don't leave any of these fields blank.
 
export KEY_COUNTRY="LU"
 
export KEY_PROVINCE=""
 
export KEY_CITY="Luxembourg
 
export KEY_ORG="Daxiongmao"
 
export KEY_EMAIL="me@myhost.mydomain"
 
export KEY_OU="MyOrganizationalUnit"
 
</syntaxhighlight>
 
  
 +
Example:
  
 +
<syntaxhighlight lang="yaml">
 +
network:
 +
    version: 2
 +
    ethernets:
 +
        ens3:
 +
            dhcp4: true
 +
            dhcp6: false
 +
            addresses:
 +
                - "2007:81f1:0502:2200:0:0:0:c55/64"
 +
            gateway6: "2007:81f1:0502:2200:0000:0000:0000:0001"
 +
            routes:
 +
                - to: "2007:81f1:0502:2200:0:0:0:c55/64"
 +
                  via: "2007:81f1:0502:2200:0000:0000:0000:0001"
 +
            match:
 +
                macaddress: fa:16:3e:96:b9:66
 +
            set-name: ens3
 +
</syntaxhighlight>
  
==Security algorithms and hash==
 
  
Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!
 
  
 +
Try the configuration:
  
'''Cryptographic algorithms'''
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
openvpn --show-ciphers
+
sudo netplan try
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Search for: AES-256-CBC
 
  
  
'''Hash algorithms'''
+
Test the new configuration from another computer
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
openvpn --show-digests
+
# windows
 +
ping -6 2007:81f1:0502:2200:0:0:0:c55
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Search for: SHA256
 
  
  
'''Handshake algorithms'''
+
====Let configuration persistent====
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
openvpn --show-tls
+
# Create new config file
 +
echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Search for: TLS-RSA-WITH-AES-256-CBC-SHA256
+
Reboot server and try to ping it again.
  
  
  
=Sources=
 
  
[https://www.alibabacloud.com/blog/how-to-create-a-vpn-server-with-openvpn_594047 Alibaba cloud tutorial]
+
==Server network configuration==
  
=IPv4 configuration=
 
  
 +
===Enable port forwarding===
  
This is how you configuration should look like (more or less, depending on your settings):  
+
You must enable FORWARDING somewhere else:  
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/openvpn/server.conf
+
vim /etc/sysctl.conf
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
<syntaxhighlight lang="apache">
 +
# Uncomment the next line to enable packet forwarding for IPv4
 +
net.ipv4.ip_forward=1
 +
 
 +
 
 +
# Uncomment the next line to enable packet forwarding for IPv6
 +
#  Enabling this option disables Stateless Address Autoconfiguration
 +
#  based on Router Advertisements for this host
 +
net.ipv6.conf.all.forwarding=1
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
<syntaxhighlight lang="bash">
+
===Firewall===
##################################################
 
# OpenVPN 2.0 config file                        #
 
# ---------------------------------------------- #
 
# version 1.0 - April 2011 - Guillaume Diaz      #
 
# version 1.2 - June 2013 - Guillaume Diaz      #
 
#                          conf update + chroot #
 
# version 1.3 - April 2016 - Guillaume Diaz      #
 
#                          security increase    #
 
##################################################
 
  
 +
You have to:
 +
* allow INPUT UDP 8080 ipv4/ipv6
 +
* allow ESTABLISHED / RELATED ipv4/ipv6
 +
* allow FORWARDING tun0 <> ethernet
 +
* allow PRE-ROUTING
  
# OpenVPN configuration
 
##########################
 
# Which local IP address should OpenVPN listen on? (optional)
 
local 192.168.1.2
 
  
# VPN interface
 
# Which TCP/UDP port should OpenVPN listen on?
 
# TCP or UDP server?
 
dev tun
 
proto udp
 
port 8080
 
  
  
# SECURITY - Crypto
+
=OpenVPN setup=
########################
 
# SSL/TLS root certificate (ca)
 
# Server certificate and private key
 
# Diffie hellman parameters
 
ca /etc/openvpn/ca.crt
 
cert /etc/openvpn/server.crt
 
key /etc/openvpn/server.key
 
dh /etc/openvpn/dh2048.pem
 
  
# Shared secret key by both server and clients
+
==Installation==
;tls-auth /etc/openvpn/ta.key 0
 
  
# Crypto settings
+
<syntaxhighlight lang="bash">
cipher AES-256-CBC
+
sudo apt install openvpn
auth SHA256
+
sudo apt install easy-rsa
 +
</syntaxhighlight>
  
# Reduce OpenVPN daemon rights after application start
 
# To chroot OpenVPN to its own folder
 
user nobody
 
group nogroup
 
chroot /etc/openvpn/
 
  
 +
==Prepare files==
  
 +
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
  
# SERVER CONF
+
<syntaxhighlight lang="bash">
##########################
+
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
# Server mode and VPN subset
+
cd /etc/openvpn/
server 192.168.15.0 255.255.255.0
+
sudo gzip -d server.conf.gz
# Maintain a record of client <-> virtual IP address associations in this file. 
 
ifconfig-pool-persist ipp.txt
 
# Keepalive (ping-like)
 
# 1 ping every 10s. 120s timeout = disconnect client
 
keepalive 10 120
 
# Keep server connection up and running
 
persist-key
 
persist-tun
 
# Compression of data exchange
 
comp-lzo
 
  
 +
# create temp folder, required for the CHROOT
 +
sudo mkdir -p /etc/openvpn/tmp
 +
</syntaxhighlight>
  
  
# CLIENTS CONF
 
##########################
 
# Maximum number of concurrently connected clients
 
;max-clients 100
 
  
# Allow different clients to be able to "see" each other.
+
==Security algorithms and hash==
client-to-client
 
# One certificate, multiple clients
 
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
 
;duplicate-cn
 
# Fix for Microsoft Windows clients
 
mssfix
 
# Server security level (mandatory since Ubuntu 15.04 due to OpenVPN DNS issue)
 
script-security 2
 
  
 +
Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!
  
####### Client-to-Client communication
+
'''Cryptographic algorithms'''
# Push routes to the client
+
<syntaxhighlight lang="bash">
#  >> VPN route. required to allow connections
+
openvpn --show-ciphers
push "route 192.168.15.0 255.255.255.0"
+
</syntaxhighlight>
>> Set the VPN server as global gateway
 
push "redirect-gateway def1 bypass-dhcp"
 
  
 +
Search for: '''AES-256-CBC'''
  
####### DNS
 
## VPN server acts as DNS server
 
#push "dhcp-option WINS 192.168.1.21"
 
#push "dhcp-option DNS 192.168.1.21"
 
## Use alternate DNS server (OpenDNS)
 
push "dhcp-option DNS 208.67.222.222"
 
push "dhcp-option DNS 208.67.220.220"
 
# >> Force windows clients to use the pushed DNS
 
push "register-dns"
 
  
 +
(i) Still ok in 2019-11
  
####### VPN as gateway to other networks
 
## Set the VPN server to act as a gateway for remote network
 
## You must set 1 'push route <network> <mask>' per target network(s)
 
##  >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
 
#push "route 192.168.1.0 255.255.255.0"
 
  
  
 +
'''Hash algorithms'''
 +
<syntaxhighlight lang="bash">
 +
openvpn --show-digests
 +
</syntaxhighlight>
  
# LOGS
+
Search for: SHA512
##########################
 
# Short status file showing current connections
 
# this is truncated and rewritten every minute.
 
status /etc/openvpn/openvpn-status.log
 
  
# Log in a dedicated file instead of /var/log/messages
+
(i) use the 512 version in 2019-11
log        /etc/openvpn/openvpn.log
 
log-append  /etc/openvpn/openvpn.log
 
  
# Log level
 
# 0 is silent, except for fatal errors
 
# 4 is reasonable for general usage
 
# 5 and 6 can help to debug connection problems
 
# 9 is extremely verbose
 
verb 6
 
  
# Silence repeating messages. 
+
'''Handshake algorithms'''
# At most xx sequential same messages will be output to the log file.
+
<syntaxhighlight lang="bash">
mute 10
+
openvpn --show-tls
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
use the default one, from openVpn v2.4+ it is TLS 1.2
  
  
=IPv6 + IPv4=
 
  
This is a bit more advanced configuration. Notice the use of some <code>*-ipv6</code> commands.
+
==Create CA==
  
More details?
+
See [http://www.daxiongmao.eu/wiki/index.php?title=VPN_certificates_management#PKI_initialization Previous step]
* Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/
 
* Nice guide: http://the-technoholik.blogspot.com/2014/03/secure-ipv6-gateway-tunnelbroker-using.html
 
  
 +
=Server configuration=
  
  
==OpenVPN configuration==
+
This is how you configuration should look like (more or less, depending on your settings):
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 272: Line 253:
 
# version 1.3 - April 2016 - Guillaume Diaz      #
 
# version 1.3 - April 2016 - Guillaume Diaz      #
 
#                          security increase    #
 
#                          security increase    #
 +
# version 1.4 - Nov. 2019 - Guillaume Diaz      #
 +
#                          IPv4 + IPv6          #
 +
#                          ciphers update      #
 
##################################################
 
##################################################
  
 +
# OpenVPN binding
 +
#########################
 +
# Which local IP address should OpenVPN listen on?
 +
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6).. Or you have to put 1 line per IP to listen to
 +
;local 217.182.168.213
 +
 +
# To support both IPv4 + IPv6
 +
proto udp6
 +
port 8080
 +
 +
# Network interface to use
 +
dev tun
  
# OpenVPN configuration
 
##########################
 
# Which local IP address should OpenVPN listen on? (optional)
 
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6)
 
#    Or you have to put 1 line per IP to listen to
 
#local 192.168.1.2
 
  
  
# VPN interface
+
# Security details (certificates)
# Which TCP/UDP port should OpenVPN listen on?
+
#####################################
# TCP or UDP server?
 
dev tun
 
# Enable IPv6 support
 
tun-ipv6
 
# Protocol and port
 
proto udp6
 
port 8080
 
  
 +
# Tell TLS that we are building a SERVER configuration
 +
tls-server
  
# SECURITY - Crypto
+
# Certification authority (= root certificate): ca
########################
 
# SSL/TLS root certificate (ca)
 
# Server certificate and private key
 
# Diffie hellman parameters
 
 
ca /etc/openvpn/ca.crt
 
ca /etc/openvpn/ca.crt
 +
 +
# OpenVPN server's certificate and private key
 
cert /etc/openvpn/server.crt
 
cert /etc/openvpn/server.crt
 
key /etc/openvpn/server.key
 
key /etc/openvpn/server.key
 +
 +
# Diffie hellman secret key
 
dh /etc/openvpn/dh2048.pem
 
dh /etc/openvpn/dh2048.pem
  
# Shared secret key by both server and clients
 
;tls-auth /etc/openvpn/ta.key 0
 
  
# Crypto settings
+
# Security details (cryptography and communication settings)
 +
##############################################################
 +
 
 +
# Keep alive communication
 +
keepalive 10 120
 +
 
 +
# Encryption of data exchange
 
cipher AES-256-CBC
 
cipher AES-256-CBC
auth SHA256
 
  
# Reduce OpenVPN daemon rights after application start
+
# Integrity check
# To chroot OpenVPN to its own folder
+
auth SHA512
 +
 
 +
# Enable compression on the VPN link
 +
# (i) for OpenVPN v2.4+ only
 +
compress lz4-v2
 +
push "compress lz4-v2"
 +
 
 +
# Reduce OpenVPN rights
 
user nobody
 
user nobody
 
group nogroup
 
group nogroup
chroot /etc/openvpn/
+
 
 +
persist-key
 +
persist-tun
  
  
  
# SERVER CONF
+
# IP V4 configuration
##########################
+
###################################
# Server mode and VPN subset
+
# Virtual network IPv4
 
server 192.168.15.0 255.255.255.0
 
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::1/64
 
# Maintain a record of client <-> virtual IP address associations in this file. 
 
ifconfig-pool-persist ipp.txt
 
# Keepalive (ping-like)
 
# 1 ping every 10s. 120s timeout = disconnect client
 
keepalive 10 120
 
# Keep server connection up and running
 
persist-key
 
persist-tun
 
# Compression of data exchange
 
comp-lzo
 
  
  
  
# CLIENTS CONF
+
# IP V6 configuration
##########################
+
###################################
# Maximum number of concurrently connected clients
+
# Virtual network IPv6
;max-clients 100
+
# >> Use root similar to "private network" / "local-loop" addresses
 +
server-ipv6 fd42:feed:feed:feed::/64
  
# Allow different clients to be able to "see" each other.
+
# Create virtual network interface to support IP v6
client-to-client
+
tun-ipv6
# One certificate, multiple clients
 
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
 
;duplicate-cn
 
# Fix for Microsoft Windows clients
 
mssfix
 
# Server security level (mandatory since Ubuntu 15.04 due to OpenVPN DNS issue)
 
script-security 2
 
  
 +
# Ask clients to create a virtual interface for IP v6
 +
push tun-ipv6
  
####### Client-to-Client communication
+
# Tell client to add an IPv6 route to the VPN network
# Push routes to the client
+
server-ipv6 2001:41d0:2:bb7:800::/64
#  >> VPN route. required to allow connections
 
push "route 192.168.15.0 255.255.255.0"
 
push "route-ipv6 2001:41d0:8:9318::/64"
 
  
#  >> Set the VPN server as global gateway
 
push "redirect-gateway def1 bypass-dhcp"
 
# The following line is mandatory!!
 
# Set openvpn the default route for ipv6 connectivity
 
push "route-ipv6 2000::/3"
 
  
  
####### Set the client DNS (optional)
+
# Clients management
# Use alternate DNS server (OpenDNS + Google)
+
#########################
## OpenDNS
+
# Notify the client when the server restarts so it can automatically reconnect
push "dhcp-option DNS 208.67.222.222"
+
explicit-exit-notify 1
push "dhcp-option DNS 208.67.220.220"
 
push "dhcp-option DNS 2620:0:ccc::2"
 
push "dhcp-option DNS 2620:0:ccd::2"
 
## Google
 
#push "dhcp-option DNS 8.8.8.8"
 
#push "dhcp-option DNS 8.8.4.4"
 
#push "dhcp-option DNS 2001:4860:4860::8888"
 
#push "dhcp-option DNS 2001:4860:4860::8844"
 
  
 +
# Set fix IP@ to client
 +
# >> every time a client connects it will always have the same IPv4 and IPv6 addresses
 +
ifconfig-pool-persist /var/log/openvpn/ipp.txt
  
# LOGS
+
# Allow clients to reach OpenVPN network
##########################
+
push "route 192.168.15.0 255.255.255.0"
# Short status file showing current connections
 
# this is truncated and rewritten every minute.
 
status /etc/openvpn/openvpn-status.log
 
  
# Log in a dedicated file instead of /var/log/messages
+
# Let clients talk to each-other
log        /etc/openvpn/openvpn.log
+
client-to-client
log-append  /etc/openvpn/openvpn.log
 
  
# Log level
 
# 0 is silent, except for fatal errors
 
# 4 is reasonable for general usage
 
# 5 and 6 can help to debug connection problems
 
# 9 is extremely verbose
 
verb 6
 
  
# Silence repeating messages. 
 
# At most xx sequential same messages will be output to the log file.
 
mute 10
 
</syntaxhighlight>
 
  
 +
# Traffic redirection
 +
############################
  
 +
# Tell client to re-route ALL IPv6 Internet trafic to VPN
 +
# this override the "default" OpenVPN route, by hijacking the route that all IPv6 packets use by default: 2000::/3
 +
#push "route-ipv6 2000::/3"
  
 +
# Redirect all internet traffic to VPN server
 +
push "redirect-gateway def1 bypass-dhcp"
 +
push "redirect-gateway ipv6"            # for iOS
  
  
==Sysctl==
+
# Once connected to the VPN the clients cannot use their default DNS provider: you must new DNS links
 +
# OpenDNS
 +
push "dhcp-option DNS 208.67.222.222"
 +
push "dhcp-option DNS 208.67.220.220"
 +
# for latest versions of OpenVPN, DNS v6
 +
push "dhcp-option DNS6 2620:0:0:ccd::2"
  
You must enable FORWARDING somewhere else:
 
  
<syntaxhighlight lang="bash">
 
vim /etc/sysctl.conf
 
</syntaxhighlight>
 
  
 +
# Logs
 +
########################
  
 +
# Output a short status file showing current connections,
 +
# truncated and rewritten every minute.
 +
status /var/log/openvpn/openvpn-status.log
  
<syntaxhighlight lang="apache">
+
# File log
# Uncomment the next line to enable packet forwarding for IPv4
+
log        /etc/openvpn/logs/openvpn.log
net.ipv4.ip_forward=1
 
  
 +
# Set the appropriate level of log file verbosity.
 +
#
 +
# 0 is silent, except for fatal errors
 +
# 4 is reasonable for general usage
 +
# 5 and 6 can help to debug connection problems
 +
# 9 is extremely verbose
 +
verb 3
  
# Uncomment the next line to enable packet forwarding for IPv6
+
# Silence repeating messages.
#  Enabling this option disables Stateless Address Autoconfiguration
+
;mute 20
#  based on Router Advertisements for this host
 
net.ipv6.conf.all.forwarding=1
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 430: Line 403:
  
  
=See if it works=
+
 
 +
 
 +
==See if it works==
  
 
Start the service
 
Start the service
Line 458: Line 433:
  
  
=General notes=
+
==General notes==
  
 
You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.  
 
You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.  
Line 470: Line 445:
  
  
 +
'''[!] Reminder''': for every network that you want to make it accessible through your VPN you must push a new route to it.
  
'''[!] Reminder''': for every network that you want to make it accessible through your VPN you must push a new route to it.
+
=Sources=
  
Source: http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/
+
* [https://www.alibabacloud.com/blog/how-to-create-a-vpn-server-with-openvpn_594047  Alibaba cloud tutorial]
 +
* [https://blog.angenieux.info/linux/serveur/openvpn-ipv4-ipv6-nat-sans-ndp/ OpenVPN server configuration IPv4 / IPv6]
 +
* [http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/ firewall configuration]

Latest revision as of 21:18, 1 November 2019



This page describes how to configure OpenVPN server for IPv4 and IPv6.


Requirements

Your server must have a network interface that supports both IPv4 and IPv6.

  • OVH servers require some configuration, see dedicated section



OVH server IP V6 configuration

By default OVH gives you an IPv6 but it does not enable it!! you must enable it by yourself.


Get OVH server IPv6 settings

Connect to OVH manager

  • Go to Server section > VPS > *my server*
  • Copy the settings that are under IP


Add DNS entry

You must create new DNS link to reach your server:

  • A -> IPv4
  • AAAA -> IPv6


Configure server

Now that you know which settings to apply, let's configure the server.

  • Connect in SSH to the server
  • Backup and edit network configuration
  • Make settings persistent - if OK


Adjust network configuration

cd/etc/netplan

# backup current config
sudo mkdir backup
sudo cp 50-cloud-init.yaml backup/50-cloud-init.yaml.backup-ovh-ipv4

# edit config
vim 50-cloud-init.yaml


Adjust content to your own need:


network:
    version: 2
    ethernets:
        ens3:
            dhcp4: true
            dhcp6: false
            addresses:
                - "OVH_IP_V6/64"
            gateway6: "OVH_IP_V6_GATEWAY"
            routes:
                - to: "OVH_IP_V6/64"
                  via: "OVH_IP_V6_GATEWAY"
            match:
                macaddress: fa:16:3e:96:b9:66
            set-name: ens3

(i) note that DHCP6 must NOT be enabled.


Example:

network:
    version: 2
    ethernets:
        ens3:
            dhcp4: true
            dhcp6: false
            addresses:
                - "2007:81f1:0502:2200:0:0:0:c55/64"
            gateway6: "2007:81f1:0502:2200:0000:0000:0000:0001"
            routes:
                - to: "2007:81f1:0502:2200:0:0:0:c55/64"
                  via: "2007:81f1:0502:2200:0000:0000:0000:0001"
            match:
                macaddress: fa:16:3e:96:b9:66
            set-name: ens3


Try the configuration:

sudo netplan try


Test the new configuration from another computer

# windows
ping -6 2007:81f1:0502:2200:0:0:0:c55


Let configuration persistent

# Create new config file
echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Reboot server and try to ping it again.



Server network configuration

Enable port forwarding

You must enable FORWARDING somewhere else:

vim /etc/sysctl.conf


# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


Firewall

You have to:

  • allow INPUT UDP 8080 ipv4/ipv6
  • allow ESTABLISHED / RELATED ipv4/ipv6
  • allow FORWARDING tun0 <> ethernet
  • allow PRE-ROUTING



OpenVPN setup

Installation

sudo apt install openvpn 
sudo apt install easy-rsa


Prepare files

You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
sudo gzip -d server.conf.gz

# create temp folder, required for the CHROOT
sudo mkdir -p /etc/openvpn/tmp


Security algorithms and hash

Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!

Cryptographic algorithms

openvpn --show-ciphers

Search for: AES-256-CBC


(i) Still ok in 2019-11


Hash algorithms

openvpn --show-digests

Search for: SHA512

(i) use the 512 version in 2019-11


Handshake algorithms

openvpn --show-tls

use the default one, from openVpn v2.4+ it is TLS 1.2


Create CA

See Previous step

Server configuration

This is how you configuration should look like (more or less, depending on your settings):

vim /etc/openvpn/server.conf


##################################################
# OpenVPN 2.0 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz      #
#                           security increase    #
# version 1.4 - Nov. 2019 - Guillaume Diaz       #
#                           IPv4 + IPv6          #
#                           ciphers update       #
##################################################

# OpenVPN binding
#########################
# Which local IP address should OpenVPN listen on?
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6).. Or you have to put 1 line per IP to listen to
;local 217.182.168.213

# To support both IPv4 + IPv6
proto udp6
port 8080

# Network interface to use
dev tun



# Security details (certificates)
#####################################

# Tell TLS that we are building a SERVER configuration
tls-server

# Certification authority (= root certificate): ca
ca /etc/openvpn/ca.crt

# OpenVPN server's certificate and private key
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key

# Diffie hellman secret key
dh /etc/openvpn/dh2048.pem


# Security details (cryptography and communication settings)
##############################################################

# Keep alive communication
keepalive 10 120

# Encryption of data exchange
cipher AES-256-CBC

# Integrity check
auth SHA512

# Enable compression on the VPN link
# (i) for OpenVPN v2.4+ only
compress lz4-v2
push "compress lz4-v2"

# Reduce OpenVPN rights
user nobody
group nogroup

persist-key
persist-tun



# IP V4 configuration
###################################
# Virtual network IPv4
server 192.168.15.0 255.255.255.0



# IP V6 configuration
###################################
# Virtual network IPv6
# >> Use root similar to "private network" / "local-loop" addresses
server-ipv6 fd42:feed:feed:feed::/64

# Create virtual network interface to support IP v6
tun-ipv6

# Ask clients to create a virtual interface for IP v6
push tun-ipv6

# Tell client to add an IPv6 route to the VPN network
server-ipv6 2001:41d0:2:bb7:800::/64



# Clients management
#########################
# Notify the client when the server restarts so it can automatically reconnect
explicit-exit-notify 1

# Set fix IP@ to client
# >> every time a client connects it will always have the same IPv4 and IPv6 addresses
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Allow clients to reach OpenVPN network
push "route 192.168.15.0 255.255.255.0"

# Let clients talk to each-other
client-to-client



# Traffic redirection
############################

# Tell client to re-route ALL IPv6 Internet trafic to VPN
# this override the "default" OpenVPN route, by hijacking the route that all IPv6 packets use by default: 2000::/3
#push "route-ipv6 2000::/3"

# Redirect all internet traffic to VPN server
push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway ipv6"            # for iOS


# Once connected to the VPN the clients cannot use their default DNS provider: you must new DNS links
# OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# for latest versions of OpenVPN, DNS v6
push "dhcp-option DNS6 2620:0:0:ccd::2"



# Logs
########################

# Output a short status file showing current connections,
# truncated and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# File log
log         /etc/openvpn/logs/openvpn.log

# Set the appropriate level of log file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.
;mute 20




See if it works

Start the service

service openvpn restart


Check that OpenVPN listen to port 8080

netstat -pl --numeric | grep 8080

You should have 1 entry per protocol


Check the OpenVPN logs

cat /var/log/openvpn.log



General notes

You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.

Be careful when you choose the port number! Common open ports:

  • 80 (http)
  • 443 (HTTPS)
  • 8080 (Proxy / JEE servers)


[!] Reminder: for every network that you want to make it accessible through your VPN you must push a new route to it.

Sources