Setting up a OpenVPN server: Difference between revisions
Latest revision as of 10:34, 17 November 2023
This article describes how to set up an OpenVPN server on Alpine Linux. This is an ideal solution for allowing single users or devices to remotely connect to your network. It is recommended that you have a publicly routable static IP address for this to work. This means that your IP address cannot be a bogon IP address (IPv4 list: https://team-cymru.org/Services/Bogons/fullbogons-ipv4.txt, IPv6 list: https://team-cymru.org/Services/Bogons/fullbogons-ipv6.txt). If your Internet-connected machine doesn't have a static IP address, No-ip (https://www.noip.com/) can be used for resolving DNS names to IP addresses.
Set up Alpine
Initial Set up
Follow Installation to set up Alpine Linux.
Install programs
Install openvpn
apk add openvpn
Prepare autostart of OpenVPN
rc-update add openvpn default
modprobe tun
echo "tun" >> /etc/modules-load.d/tun.conf
Enable IP Forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/ipv4.conf
sysctl -p /etc/sysctl.d/ipv4.conf
Certificates
One of the first things that needs to be done is to make sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating SSL certs with ACF. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.
You will need to create a server (ssl_server_cert) certificate for the server and one client certificate (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.
To extract the three parts of each .pfx file, use the following commands:
To get the ca cert out:
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
To get the cert file out:
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
To get the private key file out: (Make sure the key stays private)
openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
On the VPN server, you can also install the acf-openvpn package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie-Hellman parameters.
If you would prefer to generate your certificates using the OpenVPN easy-rsa utilities, see the Alternate Certificate Method section below.
Configure OpenVPN server
Example configuration file for the server. Place the following content in /etc/openvpn/openvpn.conf:
local "Public Ip address"
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
(Instructions are based on https://openvpn.net/community-resources/how-to/#server)
Test your configuration
Test configuration and certificates
openvpn --config /etc/openvpn/openvpn.conf
Configure OpenVPN client
Example client.conf:
client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server # The certificate on the OpenVPN server must have this field. Prevents MitM attacks
persist-key
persist-tun
ca client-ca.pem
cert client-cert.pem
key client-key.pem
comp-lzo
verb 3
(Instructions are based on https://openvpn.net/community-resources/how-to/#client)
Save settings
Don't forget to save all your settings if you are running a RAM-based system.
lbu commit
More than one server or client
If you want more than one server or client running on the same Alpine box, use the standard Multiple Instances of Services process.
For example, to create a config named "AlphaBravo":
- Create an appropriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf"
- Create a new symlink of the init.d script:
ln -s openvpn /etc/init.d/openvpn.AlphaBravo
- Have the new service start automatically
rc-update add openvpn.AlphaBravo
Alternate Certificate Method
Manual Certificate Commands
(Instructions are based on https://openvpn.net/community-resources/how-to/#pki)
Initial setup for administrating certificates
The following instructions assume you want to save your configs, certs and keys in /etc/openvpn/keys.
Start by installing easy-rsa and moving to the /usr/share/easy-rsa folder to execute the commands:
apk add easy-rsa # from the community repo
cd /usr/share/easy-rsa
If not already done, create a folder where you will save your certificates and save a copy of your /usr/share/easy-rsa/vars for later use.
mkdir /etc/openvpn/keys
cp ./vars.example ./vars # easy-rsa v3
cp ./vars /etc/openvpn/keys # easy-rsa v2
For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA
The instructions below are for EasyRSA v2:
If not already done, edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)
vim /etc/openvpn/keys/vars
- Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
- Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.
source the vars to set properties
source /etc/openvpn/keys/vars
touch /etc/openvpn/keys/index.txt
echo 00 > /etc/openvpn/keys/serial
Set up a 'Certificate Authority' (CA)
Clean up the keys folder.
./clean-all
Generate Diffie-Hellman parameters
./build-dh
To make the CA certificates and keys
./build-ca
Set up an 'OpenVPN Server'
Create server certificates
./build-key-server <commonname>
Set up an 'OpenVPN Client'
Create client certificates
./build-key <commonname>
Revoke a certificate
To revoke a certificate
./revoke-full <commonname>
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem
OpenVPN and LXC
Let's call this LXC "mylxc"...
On the host
modprobe tun
mkdir /var/lib/lxc/mylxc/rootfs/dev/net
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun
In /var/lib/lxc/mylxc/config
lxc.cgroup.devices.allow = c 10:200 rwm
On the guest
apk add openvpn
Then config as usual.
This should work both as server and as client.
Persistent devices
LXC guests have their /dev recreated in a tmpfs on each restart. This means all device nodes are reset and are not read from the rootfs dev directory. To make the tun device persistent, you can use an autodev hook script by adding the following to your LXC guest config:
# tun (openvpn)
lxc.cgroup.devices.allow = c 10:200 rwm
# autodev script to add devices
lxc.hook.autodev=/var/lib/lxc/CONTAINER/autodev
The autodev script:
#!/bin/sh
# /dev is populated on each container start.
# To make devices persistent we need to recreate them on each start.
cd "${LXC_ROOTFS_MOUNT}/dev" || exit 1
mkdir -p net
mknod net/tun c 10 200
chmod 0666 net/tun