Setting up a OpenVPN server (Alpine Linux wiki, revision 2019-03-12T13:07:03Z by ThierryR, edit summary: "Cert & Key in config file")
<hr />
<div><br />
This article describes how to set up an OpenVPN server on Alpine Linux.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses Wikipedia]<br />
<br />
If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [[Installing_Alpine]] to set up Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
{{Cmd| apk add openvpn}}<br />
<br />
Prepare autostart of OpenVPN<br />
<br />
{{Cmd|rc-update add openvpn default}}<br />
<br />
{{Cmd|modprobe tun<br />
echo "tun" >>/etc/modules}}<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.<br />
<br />
To extract the three parts of each .pfx file, use the following commands:<br />
<br />
To get the ca cert out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}<br />
<br />
To get the cert file out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}<br />
<br />
To get the private key file out. Make sure this stays private.<br />
<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}<br />
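The three extraction commands above prompt for the .pfx password and leave key.pem with whatever permissions your umask gives it. The script below is an added example (not from the wiki page or the Alpine project): it runs the same three openssl pkcs12 commands non-interactively, writes key.pem so that only its owner can read it, and then checks that the extracted CA, certificate and key actually belong together before they are copied to the VPN server. It assumes openssl is in PATH and that the .pfx password is provided in a PFX_PASS environment variable (a name chosen for this example); the demo PKI it builds is constructed on the fly as a stand-in for a .pfx downloaded from the ACF certificate server.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Alpine: extract ca.pem, cert.pem and
# key.pem from a .pfx the way the page describes, keep the key private from the moment
# it is written, and verify the three parts are consistent with each other.
# Assumptions of this script alone: openssl is in PATH and the .pfx password is passed
# in the PFX_PASS environment variable (hypothetical name, not an OpenVPN/Alpine one).

# extract_pfx PFXFILE OUTDIR: writes OUTDIR/ca.pem, OUTDIR/cert.pem and OUTDIR/key.pem
extract_pfx() {
    pfx="$1"; out="$2"
    [ -r "$pfx" ] || { echo "extract_pfx: cannot read $pfx" >&2; return 2; }
    mkdir -p "$out"
    # Subshell: the restrictive umask (key readable by owner only) must not leak to the caller
    (
        umask 077
        openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$out/ca.pem"   -passin "pass:$PFX_PASS" 2>/dev/null &&
        openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/cert.pem" -passin "pass:$PFX_PASS" 2>/dev/null &&
        openssl pkcs12 -in "$pfx" -nocerts -nodes  -out "$out/key.pem"  -passin "pass:$PFX_PASS" 2>/dev/null
    )
}

# verify_extracted OUTDIR: returns 0 only if cert.pem chains to ca.pem and key.pem is its private key
verify_extracted() {
    out="$1"
    if ! openssl verify -CAfile "$out/ca.pem" "$out/cert.pem" >/dev/null 2>&1; then
        echo "verify_extracted: cert.pem does not chain to ca.pem" >&2; return 1
    fi
    # Compare the public key embedded in the certificate with the one derived from the key
    cert_pub=$(openssl x509 -in "$out/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$out/key.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "verify_extracted: key.pem does not match cert.pem" >&2; return 1
    fi
    return 0
}

# build_demo_pfx DIR: constructs a throwaway CA plus one server certificate and packs them
# into DIR/server.pfx; this stands in for the .pfx downloaded from the ACF certificate page
build_demo_pfx() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" -certfile "$dir/ca.pem" \
        -name server -out "$dir/server.pfx" -passout "pass:$PFX_PASS" 2>/dev/null
}

# demo: end-to-end run in a temporary directory (constructed PKI, not real credentials)
demo() {
    work=$(mktemp -d)
    build_demo_pfx "$work" &&
    extract_pfx "$work/server.pfx" "$work/out" &&
    verify_extracted "$work/out" &&
    echo "ca.pem, cert.pem and key.pem in $work/out are consistent"
}

# Usage: ./extract-pfx.sh --demo   or   PFX_PASS=... ./extract-pfx.sh FILE.pfx OUTDIR
case "${1:-}" in
    --demo) PFX_PASS="${PFX_PASS:-demo-only}"; export PFX_PASS; demo ;;
    "") ;;
    *) extract_pfx "$1" "${2:-.}" && verify_extracted "${2:-.}" ;;
esac
```

Run it with --demo to see the round trip on a constructed CA; with a real .pfx, run it as the user that will own the files and copy the three .pem files to the server only after verify_extracted reports success. A mismatch between cert.pem and key.pem is the classic symptom of extracting a client's .pfx on the server by mistake, and it is cheaper to catch here than in the OpenVPN log.<br />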
<br />
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie-Hellman parameters.<br />
<br />
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]].<br />
<br />
= Configure OpenVPN server =<br />
Example configuration file for the server. Place the following content in /etc/openvpn/openvpn.conf:<br />
<pre><br />
local "Public IP address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca /etc/openvpn/easy-rsa/keys/ca.crt<br />
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME<br />
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME<br />
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
log-append /var/log/openvpn.log<br />
verb 3<br />
</pre><br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
<br />
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}<br />
<br />
= Configure OpenVPN client =<br />
Example client.conf:<br />
<pre><br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca client-ca.pem<br />
cert client-cert.pem<br />
key client-key.pem<br />
comp-lzo<br />
verb 3<br />
</pre><br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
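The server and client examples above are taken from the OpenVPN howto and several of their settings have aged: comp-lzo enables link compression, the DH file is named after 1024-bit parameters, ns-cert-type has been superseded by remote-cert-tls, and the server example has no tls-auth/tls-crypt line. The script below is an added example, not part of the wiki page or of OpenVPN, that audits a configuration file for those points before the service is exposed. It uses only POSIX sh, sed and grep; the directive names it looks for are OpenVPN's, the sample files it writes are constructed copies modelled on the page's examples, and the rules are heuristics rather than a full hardening guide.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit an OpenVPN server or client
# configuration for settings a defender would want to revisit before exposing it.
# Heuristic checks only; the directive names are OpenVPN's, the rules are this script's.

# audit_openvpn_conf FILE: prints one finding per line; exit status = number of findings
audit_openvpn_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "audit_openvpn_conf: cannot read $conf" >&2; return 1; }
    findings=0
    # Drop comments ("#" or ";" to end of line) and blank lines so checks see live directives only
    live=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf")

    # has NAME: true if a live line starts with directive NAME
    has() { printf '%s\n' "$live" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }
    report() { echo "$1"; findings=$((findings + 1)); }

    # Link compression leaks information about the plaintext through packet sizes;
    # OpenVPN 2.4+ deprecates comp-lzo for that reason
    if has comp-lzo || has compress; then
        report "compression enabled (comp-lzo/compress): disable link compression"
    fi
    # Heuristic: a DH file named after 1024 bits is too small; regenerate with 2048 or more
    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*dh[[:space:]].*1024'; then
        report "dh: 1024-bit parameters referenced; regenerate with 2048 bits or more"
    fi
    # ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5; remote-cert-tls replaces it
    if has ns-cert-type; then
        report "ns-cert-type is deprecated: use 'remote-cert-tls server' on clients"
    fi
    if has client && ! has remote-cert-tls && ! has ns-cert-type; then
        report "client: no server certificate role check (add 'remote-cert-tls server')"
    fi
    if has server; then
        has user  || report "server: no 'user' directive, daemon keeps root privileges"
        has group || report "server: no 'group' directive"
        has tls-auth || has tls-crypt || report "server: control channel not protected with tls-auth/tls-crypt"
    fi
    return "$findings"
}

# Constructed sample modelled on the page's server example (not a real deployment)
write_sample_server() {
    cat > "$1" <<'EOF'
local 203.0.113.10
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# Constructed sample modelled on the page's client example
write_sample_client() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
ns-cert-type server
persist-key
persist-tun
ca client-ca.pem
cert client-cert.pem
key client-key.pem
comp-lzo
verb 3
EOF
}

# Constructed server sample with the findings above addressed (paths are placeholders)
write_sample_hardened() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-crypt /etc/openvpn/keys/ta.key
server 10.0.0.0 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# Usage: ./audit-openvpn.sh /etc/openvpn/openvpn.conf   (exit status 0 means no findings)
if [ -f "${1:-}" ]; then audit_openvpn_conf "$1"; fi
```

Against the page's server example the audit reports three findings (compression, the 1024-bit DH file, and the unprotected control channel), against the client example two (compression and ns-cert-type), and against the hardened sample none. Because the exit status is the number of findings, the script drops into a deployment check with a plain `audit-openvpn.sh openvpn.conf || echo "review before rc-service openvpn start"`.<br />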
<br />
= Save settings =<br />
Don't forget to save all your settings if you are running a RAM-based system.<br />
{{Cmd|lbu commit}}<br />
<br />
= More than one server or client =<br />
<br />
If you want more than one server or client running on the same Alpine box, use the standard [[Multiple Instances of Services]] process.<br />
<br />
For example, to create a config named "AlphaBravo":<br />
<br />
* Create an appropriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf"<br />
* create a new symlink of the init.d script:<br />
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}<br />
* Have the new service start automatically<br />
{{Cmd|rc-update add openvpn.AlphaBravo}}<br />
<br />
= Alternative Certificate Method =<br />
== Manual Certificate Commands ==<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
=== Initial setup for administrating certificates ===<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Install easy-rsa and move to the '''/usr/share/easy-rsa''' folder, where the following commands are executed:<br />
{{Cmd|apk add easy-rsa # from the community repo<br />
cd /usr/share/easy-rsa}}<br />
If not already done, create the folder where you will save your certificates and save a copy of '''/usr/share/easy-rsa/vars''' for later use.<BR><br />
{{Cmd|mkdir /etc/openvpn/keys<br />
cp ./vars.example ./vars #easy-rsa v3<br />
cp ./vars /etc/openvpn/keys #easy-rsa v2}}<br />
<br />
For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA<br />
<br />
The instructions below are for EasyRSA v2:<br />
<br />
If not already done, edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
{{Cmd|vim /etc/openvpn/keys/vars}}<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' file to set the properties<br />
{{Cmd|source /etc/openvpn/keys/vars}}<br />
{{Cmd|touch /etc/openvpn/keys/index.txt<br />
echo 00 > /etc/openvpn/keys/serial}}<br />
<br />
=== Set up a 'Certificate Authority' (CA) ===<br />
Clean up the '''keys''' folder.<br />
<br />
{{Cmd|./clean-all}}<br />
<br />
Generate Diffie-Hellman parameters<br />
<br />
{{Cmd|./build-dh}}<br />
<br />
Now let's make the CA certificate and key<br />
<br />
{{Cmd|./build-ca}}<br />
<br />
=== Set up an 'OpenVPN Server' ===<br />
Create server certificates<br />
<br />
{{Cmd|./build-key-server <commonname>}}<br />
<br />
=== Set up an 'OpenVPN Client' ===<br />
Create client certificates<br />
{{Cmd|./build-key <commonname>}}<br />
<br />
=== Revoke a certificate ===<br />
To revoke a certificate:<br />
<br />
{{Cmd|./revoke-full <commonname>}}<br />
<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<br />
<br />
{{Cmd|crl-verify crl.pem}}<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]<br />
<br />
= OpenVPN and LXC =<br />
<br />
Let's call this LXC "mylxc"...<br />
<br />
On the host <pre><br />
modprobe tun<br />
mkdir /var/lib/lxc/mylxc/rootfs/dev/net<br />
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200<br />
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun<br />
</pre><br />
<br />
In /var/lib/lxc/mylxc/config <pre><br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
</pre><br />
<br />
In the guest <pre><br />
apk add openvpn<br />
</pre> Then config as usual...<br />
<br />
This should work both as server and as client.<br />
<br />
== persistent devices ==<br />
LXC guests have their /dev recreated in a tmpfs on each restart. This means all device nodes are reset and are not read from the rootfs dev directory.<br />
To make the tun device persistent, you can use an autodev script by adding the following to your LXC guest config<br />
<br />
<pre><br />
# tun (openvpn)<br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
# autodev script to add devices<br />
lxc.hook.autodev=/var/lib/lxc/CONTAINER/autodev<br />
</pre><br />
<br />
The autodev script would be as following:<br />
<br />
<pre><br />
#!/bin/sh<br />
# /dev is populated on each container start.<br />
# To make devices persistent we need to recreate them on each start.<br />
<br />
cd "${LXC_ROOTFS_MOUNT}/dev" || exit 1<br />
mkdir -p net<br />
[ -e net/tun ] || mknod net/tun c 10 200<br />
chmod 0666 net/tun<br />
</pre></div>