Setting up a OpenVPN server: Difference between revisions

From Alpine Linux
No edit summary
(use relative symlinks)
 
(48 intermediate revisions by 18 users not shown)
Line 1: Line 1:
= Setup Alpine =
{{TOC right}}
This article describes how to set up an OpenVPN server with the Alpine distro.
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality.


It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]
This article describes how to set up an OpenVPN server with the Alpine Linux.
This is an ideal solution for allowing single users or devices to remotely connect to your network. \\
It is recommended you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be a bogon IP address ([https://team-cymru.org/Services/Bogons/fullbogons-ipv4.txt list IPv4], [https://team-cymru.org/Services/Bogons/fullbogons-ipv6.txt list IPv6]).
If your Internet-connected machine doesn't have a static IP address, [https://www.noip.com/ No-ip] can be used for resolving DNS names to IP addresses.


In the case that your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.
= Set up Alpine =
 
== Initial Set up ==
== Initial Setup ==
Follow [[Installation]] to set up Alpine Linux.
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to setup Alpine Linux.


== Install programs ==
== Install programs ==
Install openvpn
Install openvpn
apk_add openvpn
{{Cmd|apk add openvpn}}
Prepare autostart of OpenVPN<BR>
 
rc_add -s 40 -k openvpn
Prepare autostart of OpenVPN
modprobe tun
 
echo "tun" >>/etc/modules
{{Cmd|rc-update add openvpn default}}
 
{{Cmd|modprobe tun
echo "tun" >> /etc/modules-load.d/tun.conf}}
 
Enable IP Forwarding
 
{{Cmd|echo "net.ipv4.ip_forward &#61; 1" >> /etc/sysctl.d/ipv4.conf}}
{{Cmd|sysctl -p /etc/sysctl.d/ipv4.conf}}


= Certificates =
= Certificates =
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.
One of the first things that needs to be done is to make sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating SSL certs with ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.


If you are setting up a client and need to figure out how to divide the cert ( they gave you a pfx) use the following commands:
You will need to create a server (ssl_server_cert) certificate for the server and one client certificate (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.
 
To extract the three parts of each .pfx file, use the following commands:
   
   
To get the ca cert out...
To get the ca cert out:
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}


To get the cert file out...
To get the cert file out:
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}


To get the private key file out. May sure this stays private...
To get the private key file out: (Make sure the key stays private)
openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem


= Configure OpenVPN-server =
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}
Example configuration file for server:
 
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie-Hellman parameters.
 
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternate Certificate Method]]
 
= Configure OpenVPN server =
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:
  local "Public Ip address"
  local "Public Ip address"
  port 1194
  port 1194
  proto udp
  proto udp
  dev tun
  dev tun
  ca ca.crt
  ca /etc/openvpn/easy-rsa/keys/ca.crt  
  cert server.crt
  cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
  dh dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
  dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
  server 10.0.0.0 255.255.255.0
  server 10.0.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  ifconfig-pool-persist ipp.txt
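Review bot: the server config this hunk introduces points at `/etc/openvpn/easy-rsa/keys/` (`ca /etc/openvpn/easy-rsa/keys/ca.crt`, `cert /etc/openvpn/easy-rsa/keys/Server.crt`, `key /etc/openvpn/easy-rsa/keys/Server.key`), a directory no other step on the page creates: the .pfx extraction just above writes ca.pem, cert.pem and key.pem into the current directory, and the Alternate Certificate Method later uses /etc/openvpn/keys, so a reader following either path gets a missing-file error at startup. Suggest one directory throughout and the same file names the extraction step produces. In the same hunk, `dh /etc/openvpn/easy-rsa/keys/dh1024.pem` keeps a 1024-bit group as the documented value and only hints at 2048 in a comment; 2048 (or `dh none` with ECDH) should be the default, not an optional change. Minor: the `\\` after the second sentence of the new introduction is not MediaWiki markup and shows up literally in the rendered article.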
Line 51: Line 67:
  persist-key
  persist-key
  persist-tun
  persist-tun
  status openvpn-status.log
  status /var/log/openvpn-status.log
log        openvpn.log
  log-append  /var/log/openvpn.log
  log-append  openvpn.log
  verb 3
  verb 3


(''Instructions is based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')
(''Instructions are based on [https://openvpn.net/community-resources/how-to/#server openvpn.net/howto.html#server]'')


== Test your configuration ==
== Test your configuration ==
Test configuration and certificates
Test configuration and certificates
  openvpn --config /etc/openvpn/openvpn.conf


= Configure OpenVPN-client =
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}
 
= Configure OpenVPN client =
Example client.conf:
Example client.conf:
  client
  client
  dev tun
  dev tun
  proto udp
  proto udp
  remote "public IP" 1194
remote "public IP" 1194
  resolv-retry infinite
  resolv-retry infinite
  nobind
  nobind
  ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks
  ns-cert-type server # This means the certificate on the openvpn server needs to have this field. Prevents MitM attacks
  persist-key
  persist-key
  persist-tun
  persist-tun
  ca ca.crt
  ca client-ca.pem
  cert client.crt
  cert client-cert.pem
  key client.key
  key client-key.pem
  comp-lzo
  comp-lzo
  verb 3
  verb 3


(''Instructions is based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')
(''Instructions are based on [https://openvpn.net/community-resources/how-to/#client openvpn.net/howto.html#client]'')


= Save settings =
= Save settings =
Don't forget to save all your settings
Don't forget to save all your settings if you are running a RAM-based system.
lbu commit -v sdb1
{{Cmd|lbu commit}}


= More than one server or client =


==== Manual Certificate Commands ====
If you want more than one server or client running on the same Alpine box, use the standard [[Multiple Instances of Services]] process.
(''Instructions is based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')


===== Initial setup for administrating certificates =====
For example, to create a config named "AlphaBravo":
The following instructions assume that you want to save your configs, certcs and keys in '''/etc/openvpn/keys'''.<BR>
 
* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf"
* create a new symlink of the init.d script:
{{Cmd|ln -s openvpn /etc/init.d/openvpn.AlphaBravo}}
* Have the new service start automatically
{{Cmd|rc-update add openvpn.AlphaBravo}}
 
= Alternate Certificate Method =
== Manual Certificate Commands ==
(''Instructions are based on [https://openvpn.net/community-resources/how-to/#pki openvpn.net/howto.html#pki]'')
 
=== Initial setup for administrating certificates ===
The following instructions assume you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR>
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands
cd /usr/share/openvpn/easy-rsa
{{Cmd|apk add easy-rsa # from the community repo
If not already done then create a folder where you will save your certificates and<BR>
cd /usr/share/easy-rsa}}
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR>
If not already done, create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR>
(''All files in '''/usr/share/openvpn/easy-rsa''' is overwritten when the computer is restarted'')
{{Cmd|mkdir /etc/openvpn/keys
mkdir /etc/openvpn/keys
cp ./vars.example ./vars    #easy-rsa v3
cp ./vars /etc/openvpn/keys
cp ./vars /etc/openvpn/keys #easy-rsa v2}}
If not already done then edit '''/etc/openvpn/keys/vars'''<BR>
 
For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA
 
The instructions below are for EasyRSA v2:
 
If not already done, edit '''/etc/openvpn/keys/vars'''<BR>
(''This file is used for defining paths and other standard settings'')
(''This file is used for defining paths and other standard settings'')
vim /etc/openvpn/keys/vars
{{Cmd|vim /etc/openvpn/keys/vars}}
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.
source the '''vars''' to set properties
source the '''vars''' to set properties
source /etc/openvpn/keys/vars
{{Cmd|source /etc/openvpn/keys/vars}}
{{Cmd|touch /etc/openvpn/keys/index.txt
echo 00 > /etc/openvpn/keys/serial}}


===== Set up a 'Certificate Authority' (CA) =====
=== Set up a 'Certificate Authority' (CA) ===
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]
Clean up the '''keys''' folder.
Clean up the '''keys''' folder.
./clean-all
Generate Diffie Hellman parameters
./build-dh
Now lets make the CA certificates and keys
./build-ca


===== Set up a 'OpenVPN Server' =====
{{Cmd|./clean-all}}
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]
 
Generate Diffie-Hellman parameters
 
{{Cmd|./build-dh}}
 
To make the CA certificates and keys
 
{{Cmd|./build-ca}}
 
=== Set up an 'OpenVPN Server' ===
Create server certificates
Create server certificates
./build-key-server {commonname}


===== Set up a 'OpenVPN Client' =====
{{Cmd|./build-key-server <commonname>}}
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]
 
=== Set up an 'OpenVPN Client' ===
Create client certificates
Create client certificates
./build-key {commonname}
{{Cmd|./build-key <commonname>}}
 
=== Revoke a certificate ===
To revoke a certificate
 
{{Cmd|./revoke-full <commonname>}}
 
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
 
{{Cmd|crl-verify crl.pem}}
 
= OpenVPN and LXC =
 
Let's call this LXC "mylxc"...
 
On the host <pre>
modprobe tun
mkdir /var/lib/lxc/mylxc/rootfs/dev/net
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun
</pre>
 
In /var/lib/lxc/mylxc/config <pre>
lxc.cgroup.devices.allow = c 10:200 rwm
</pre>
 
On the guest <pre>
apk add openvpn
</pre> Then config as usual.
 
This should work both as server and as client.
 
== persistent devices ==
lxc guest have their dev recreated on each restart in a tmpfs. This means all devices are reset and are not read from the rootfs dev directory.
To make it persistent you can use an autodev script by adding the following to your lxc guest config:
 
<pre>
# tun (openvpn)
lxc.cgroup.devices.allow = c 10:200 rwm
# audodev script to add devices
lxc.hook.autodev=/var/lib/lxc/CONTAINER/autodev
</pre>
 
The autodev script:
 
<pre>
#!/bin/sh
# dev is populated on earch container start.
# to make devices persistence we need to recreate them on each start.
 
cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun
</pre>


===== Revoke a certificate =====
[[category: VPN]]
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]
To revoke a certificate...
./revoke-full {commonname}
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR>
<code>crl-verify crl.pem</code>
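Review bot: the client config keeps `ns-cert-type server`; that directive was deprecated in OpenVPN 2.4 and removed in 2.5, so a current client refuses this file. Replace it with `remote-cert-tls server`, which checks the server certificate's extended key usage instead of the old nsCertType extension, and update the comment beside it. Both configs also still enable `comp-lzo`; compression on a VPN link can leak plaintext (VORACLE) and the directive should simply be dropped. Two smaller points in this hunk: the prose says to move to `/usr/share/openvpn/easy-rsa` while the command directly below it does `cd /usr/share/easy-rsa`, so one of them is stale; and `{{Cmd|crl-verify crl.pem}}` renders an openvpn.conf directive as if it were a shell command, where `<code>` (as the old revision had) would be clearer.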

Latest revision as of 10:34, 17 November 2023

This article describes how to set up an OpenVPN server on Alpine Linux. This is an ideal solution for allowing single users or devices to connect remotely to your network. It is recommended that you have a publicly routable static IP address for this to work. This means that your IP address cannot be a bogon IP address (list IPv4, list IPv6). If your Internet-connected machine doesn't have a static IP address, No-ip can be used for resolving DNS names to IP addresses.

Set up Alpine

Initial Set up

Follow Installation to set up Alpine Linux.

Install programs

Install openvpn

apk add openvpn

Prepare autostart of OpenVPN

rc-update add openvpn default

modprobe tun
echo "tun" >> /etc/modules-load.d/tun.conf

Enable IP Forwarding

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/ipv4.conf

sysctl -p /etc/sysctl.d/ipv4.conf

Certificates

One of the first things that needs to be done is to make sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating SSL certs with ACF. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.

You will need to create a server (ssl_server_cert) certificate for the server and one client certificate (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.

To extract the three parts of each .pfx file, use the following commands:

To get the ca cert out:

openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem

To get the cert file out:

openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem

To get the private key file out: (Make sure the key stays private)

openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
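The three extraction commands above wrapped in a script that also locks down key.pem and checks that the extracted pieces belong together before they are copied into /etc/openvpn (an added example, not code from the wiki page; the PFX_PASS variable and the extract_pfx/verify_bundle names are this example's own):

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: run the three openssl commands from
# the article against a .pfx bundle, keep key.pem readable by its owner only,
# and check that the extracted pieces belong together before they go into
# /etc/openvpn. Assumes the bundle password is in PFX_PASS (empty if none).

# extract_pfx PFXFILE OUTDIR -> writes ca.pem, cert.pem and key.pem into OUTDIR
extract_pfx() {
    pfx=$1
    out=$2
    pass="pass:${PFX_PASS-}"
    mkdir -p "$out" || return 1
    # umask 077 in a subshell: openssl then creates key.pem as 0600 without a
    # window where the unencrypted key (-nodes) is world-readable.
    (
        umask 077
        openssl pkcs12 -in "$pfx" -passin "$pass" -cacerts -nokeys -out "$out/ca.pem" &&
        openssl pkcs12 -in "$pfx" -passin "$pass" -nokeys -clcerts -out "$out/cert.pem" &&
        openssl pkcs12 -in "$pfx" -passin "$pass" -nocerts -nodes -out "$out/key.pem"
    ) || return 1
    # the CA and the certificate are public; only the key needs protecting
    chmod 0644 "$out/ca.pem" "$out/cert.pem"
}

# verify_bundle OUTDIR -> 0 if cert.pem chains to ca.pem and key.pem matches it
verify_bundle() {
    out=$1
    # the certificate must have been issued by the CA in the bundle
    openssl verify -CAfile "$out/ca.pem" "$out/cert.pem" >/dev/null 2>&1 || {
        echo "cert.pem is not signed by ca.pem" >&2
        return 1
    }
    # the private key must correspond to the public key in the certificate
    cert_pub=$(openssl x509 -in "$out/cert.pem" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$out/key.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key.pem does not match cert.pem" >&2
        return 1
    fi
    return 0
}

# Usage: PFX_PASS=secret ./extract-pfx.sh client.pfx /etc/openvpn/keys
if [ "$#" -eq 2 ]; then
    extract_pfx "$1" "$2" && verify_bundle "$2" && echo "bundle OK in $2"
fi
```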

On the VPN server, you can also install the acf-openvpn package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie-Hellman parameters.

If you would prefer to generate your certificates using OpenVPN utilities, see the Alternate Certificate Method section below.

Configure OpenVPN server

Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:

local "Public Ip address"
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

(Instructions are based on openvpn.net/howto.html#server)

Test your configuration

Test configuration and certificates

openvpn --config /etc/openvpn/openvpn.conf

Configure OpenVPN client

Example client.conf:

client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server # This means the certificate on the openvpn server needs to have this field. Prevents MitM attacks
persist-key
persist-tun
ca client-ca.pem
cert client-cert.pem
key client-key.pem
comp-lzo
verb 3

(Instructions are based on openvpn.net/howto.html#client)
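A lint pass over the server and client configs above, as an added example that is not part of the wiki page: it catches the placeholder addresses left in quotes, missing cert/key files, the 1024-bit dh file, and the ns-cert-type and comp-lzo directives. The function names, the 2048-bit threshold and the extra checks for user/tls-crypt are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): a small lint for the server and
# client openvpn.conf files shown above. It flags placeholders that were never
# replaced, referenced certificate/key files that do not exist, a short DH
# parameter file and legacy directives that weaken the tunnel. One line per
# finding on stdout; the return value is the number of findings (0 = clean).

# dh_bits FILE -> modulus size of a Diffie-Hellman parameter file ("" if unreadable)
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# lint_ovpn CONFIG -> returns the number of findings
lint_ovpn() {
    cfg=$1; dir=$(dirname "$cfg"); n=0
    # 1. quoted placeholders copied from the article ("Public Ip address", "public IP")
    grep -Eiq '"public ip' "$cfg" &&
        { echo "placeholder address still in quotes; use the real address"; n=$((n+1)); }
    # 2. every file named by ca/cert/key/dh/crl-verify/tls-auth/tls-crypt must exist
    #    ('dh none' is valid: ECDH only, no parameter file needed)
    for f in $(awk '$1 ~ /^(ca|cert|key|dh|crl-verify|tls-auth|tls-crypt)$/ && $2 != "none" {print $2}' "$cfg"); do
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        [ -r "$p" ] || { echo "missing file: $f"; n=$((n+1)); }
    done
    # 3. DH parameters shorter than 2048 bits (the article's dh1024.pem)
    dh=$(awk '$1 == "dh" && $2 != "none" {print $2}' "$cfg")
    if [ -n "$dh" ]; then
        case $dh in /*) p=$dh ;; *) p=$dir/$dh ;; esac
        bits=$(dh_bits "$p")
        [ -z "$bits" ] || [ "$bits" -ge 2048 ] ||
            { echo "dh parameters are only $bits bits; regenerate with 2048 or use 'dh none'"; n=$((n+1)); }
    fi
    # 4. legacy directives
    grep -Eq '^[[:space:]]*ns-cert-type' "$cfg" &&
        { echo "ns-cert-type was removed in OpenVPN 2.5; use 'remote-cert-tls server'"; n=$((n+1)); }
    grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$cfg" &&
        { echo "compression enabled; it can leak tunnel contents (VORACLE), remove it"; n=$((n+1)); }
    # 5. a server should drop root and authenticate the control channel
    if grep -Eq '^[[:space:]]*server ' "$cfg"; then
        grep -Eq '^[[:space:]]*user ' "$cfg" ||
            { echo "server keeps running as root; add 'user nobody' and 'group nobody'"; n=$((n+1)); }
        grep -Eq '^[[:space:]]*(tls-auth|tls-crypt) ' "$cfg" ||
            { echo "no tls-auth/tls-crypt key; control channel packets are unauthenticated"; n=$((n+1)); }
    fi
    return "$n"
}

# Usage: lint_ovpn /etc/openvpn/openvpn.conf; echo "findings: $?"
```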

Save settings

Don't forget to save all your settings if you are running a RAM-based system.

lbu commit

More than one server or client

If you want more than one server or client running on the same Alpine box, use the standard Multiple Instances of Services process.

For example, to create a config named "AlphaBravo":

  • Create an appropriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf"
  • Create a new symlink of the init.d script:

ln -s openvpn /etc/init.d/openvpn.AlphaBravo

  • Have the new service start automatically

rc-update add openvpn.AlphaBravo

Alternate Certificate Method

Manual Certificate Commands

(Instructions are based on openvpn.net/howto.html#pki)

Initial setup for administrating certificates

The following instructions assume you want to save your configs, certs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute the commands:

apk add easy-rsa # from the community repo
cd /usr/share/easy-rsa

If not already done, create a folder where you will save your certificates and save a copy of your /usr/share/easy-rsa/vars for later use.

mkdir /etc/openvpn/keys
cp ./vars.example ./vars    #easy-rsa v3
cp ./vars /etc/openvpn/keys #easy-rsa v2

For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA

The instructions below are for EasyRSA v2:

If not already done, edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)

vim /etc/openvpn/keys/vars

  • Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
  • Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.

Source the vars file to set the properties:

source /etc/openvpn/keys/vars

touch /etc/openvpn/keys/index.txt
echo 00 > /etc/openvpn/keys/serial

Set up a 'Certificate Authority' (CA)

Clean up the keys folder.

./clean-all

Generate Diffie-Hellman parameters

./build-dh

To make the CA certificate and key:

./build-ca

Set up an 'OpenVPN Server'

Create server certificates

./build-key-server <commonname>

Set up an 'OpenVPN Client'

Create client certificates

./build-key <commonname>

Revoke a certificate

To revoke a certificate

./revoke-full <commonname>

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

crl-verify crl.pem

OpenVPN and LXC

Let's call this LXC "mylxc"...

On the host

modprobe tun
mkdir /var/lib/lxc/mylxc/rootfs/dev/net
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun

In /var/lib/lxc/mylxc/config

lxc.cgroup.devices.allow = c 10:200 rwm

On the guest

apk add openvpn

Then configure it as usual.

This should work both as server and as client.

persistent devices

LXC guests have their /dev recreated in a tmpfs on each restart. This means all devices are reset and are not read from the rootfs /dev directory. To make the tun device persistent you can use an autodev script by adding the following to your LXC guest config:

# tun (openvpn)
lxc.cgroup.devices.allow = c 10:200 rwm
# autodev script to add devices
lxc.hook.autodev=/var/lib/lxc/CONTAINER/autodev

The autodev script:

#!/bin/sh
# /dev is populated on each container start.
# to keep the devices persistent we recreate them on each start.

cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun