
A brief and simple OpenVPN setup on Ubuntu 20.04

This article is based on https://www.cyberciti.biz/faq/ubuntu-20-04-lts-set-up-openvpn-server-in-5-minutes/ - if you understand English, you should continue there.


Helper script

To save ourselves unnecessary work, we use a script that takes care of almost everything:

aelias@vpn:~/download$ wget https://git.io/vpn -O openvpn-ubuntu-install.sh
--2020-09-23 07:13:17-- https://git.io/vpn
Resolving git.io (git.io)... 52.206.15.164, 54.84.169.173, 54.198.148.204, ...
Connecting to git.io (git.io)|52.206.15.164|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-09-23 07:13:18-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.192.133, 151.101.128.133, 151.101.64.133, ...
Connecting to raw.github.com (raw.github.com)|151.101.192.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-09-23 07:13:18-- https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.128.133, 151.101.64.133, 151.101.0.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.128.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23085 (23K) [text/plain]
Saving to: ‘openvpn-ubuntu-install.sh’

openvpn-ubuntu-install.sh 100%[=======================================================================>] 22.54K --.-KB/s in 0.002s

2020-09-23 07:13:18 (10.2 MB/s) - ‘openvpn-ubuntu-install.sh’ saved [23085/23085]

aelias@vpn:~/download$

Make the script executable:

aelias@vpn:~/download$ chmod -v +x openvpn-ubuntu-install.sh
mode of 'openvpn-ubuntu-install.sh' changed from 0664 (rw-rw-r--) to 0775 (rwxrwxr-x)
aelias@vpn:~/download$

Before configuring the VPN server itself we need two essential pieces of information:

  • the internal (LAN) IP address of the VPN server itself (if it is behind NAT)
  • the external IP address of the VPN server (or of the router it sits behind) - this is the address the clients will connect to

Finding the internal IP address

aelias@vpn:~/download$ ip a show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:ae:75:43 brd ff:ff:ff:ff:ff:ff
inet 192.168.6.24/24 brd 192.168.6.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:feae:7543/64 scope link
valid_lft forever preferred_lft forever
aelias@vpn:~/download$ 

This output shows two IP addresses on two interfaces. The first interface is lo - this is the so-called loopback interface and is of no interest to us right now. The second interface is ens3 - this is the Ethernet interface through which the server is connected to the local network. In the line beginning with inet we see the IP address 192.168.6.24. This is our internal, or LAN, address.

Finding the external IP address

To find the external IP address we use a different command - in this case we are only interested in IPv4:

aelias@vpn:~/download$ dig -4 +short myip.opendns.com @resolver1.opendns.com
85.248.200.100
aelias@vpn:~/download$ 

The result of the command is the external IP address of our router, 85.248.200.100.

Now we can proceed to the actual OpenVPN configuration, simply by running the script we downloaded:

The green text (after the # signs) is my commentary.

Welcome to this OpenVPN road warrior installer!

This server is behind NAT. What is the public IPv4 address or hostname?  # here it asks for the external IP address, or the corresponding DNS record, under which the VPN server will be reachable
Public IPv4 address / hostname [85.248.200.100]:                         # for our purpose I kept the IP address the script correctly detected, so just press Enter

Which protocol should OpenVPN use?                                       # protocol selection - UDP is used by default, TCP can be used if needed
1) UDP (recommended)
2) TCP
Protocol [1]: 1

What port should OpenVPN listen to?                                      # I chose a port other than the default; our VPN will listen on port 1195/udp
Port [1194]: 1195

Select a DNS server for the clients:                                     # selection of the DNS server that will be "pushed" to the VPN clients. If you don't need anything special,
1) Current system resolvers                                              # it basically doesn't matter
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 2

Enter a name for the first client:                                       # name of the first client, for which a configuration is generated automatically
Name [client]: client1

OpenVPN installation is ready to begin.
Press any key to continue...

Hit:1 http://sk.archive.ubuntu.com/ubuntu focal InRelease                # the script starts installing the openvpn server automatically
Get:2 http://sk.archive.ubuntu.com/ubuntu focal-updates InRelease [111 kB]
Get:3 http://sk.archive.ubuntu.com/ubuntu focal-backports InRelease [98.3 kB]
Get:4 http://sk.archive.ubuntu.com/ubuntu focal-security InRelease [107 kB]
Fetched 317 kB in 2s (189 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version (1.1.1f-1ubuntu2).
openssl set to manually installed.
ca-certificates is already the newest version (20190110ubuntu1.1).
ca-certificates set to manually installed.
The following additional packages will be installed:
libpkcs11-helper1
Suggested packages:
resolvconf openvpn-systemd-resolved easy-rsa
The following NEW packages will be installed:
libpkcs11-helper1 openvpn
0 upgraded, 2 newly installed, 0 to remove and 50 not upgraded.
Need to get 522 kB of archives.
After this operation, 1343 kB of additional disk space will be used.
Get:1 http://sk.archive.ubuntu.com/ubuntu focal/main amd64 libpkcs11-helper1 amd64 1.26-1 [44.3 kB]
Get:2 http://sk.archive.ubuntu.com/ubuntu focal/main amd64 openvpn amd64 2.4.7-1ubuntu2 [478 kB]
Fetched 522 kB in 0s (1914 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libpkcs11-helper1:amd64.
(Reading database ... 113275 files and directories currently installed.)
Preparing to unpack .../libpkcs11-helper1_1.26-1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.26-1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.4.7-1ubuntu2_amd64.deb ...
Unpacking openvpn (2.4.7-1ubuntu2) ...
Setting up libpkcs11-helper1:amd64 (1.26-1) ...
Setting up openvpn (2.4.7-1ubuntu2) ...
* Restarting virtual private network daemon. [ OK ]
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Processing triggers for systemd (245.4-4ubuntu3.2) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9) ...

init-pki complete; you may now create a CA or requests.                  # now the script generates the necessary encryption keys and certificates
Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki

Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................+++++
..........................................................+++++
e is 65537 (0x010001)

Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
................................................+++++
.+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-37507.Tucix4/tmp.e2fGki'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-37507.Tucix4/tmp.etyeBx
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Sep 21 07:54:14 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
...................................+++++
.....+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-37582.gOnzHA/tmp.LIeQEs'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-37582.gOnzHA/tmp.1e5YKZ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1'
Certificate is to be certified until Sep 21 07:54:15 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-37638.UfWbc8/tmp.Bk3LmS

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem

                                                                        # registers the OpenVPN service for automatic startup

Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /lib/systemd/system/openvpn-server@.service.

Finished!

The client configuration is available in: /root/client1.ovpn
New clients can be added by running this script again.
aelias@vpn:~/download$

We check whether the service has started and is listening on the correct port:

aelias@vpn:~/download$ sudo netstat -lpn|grep 1195
udp 0 0 192.168.6.24:1195 0.0.0.0:* 37760/openvpn
aelias@vpn:~/download$

The service is correctly listening on port 1195/udp.

Configuration

The generated configuration for our server is located in the directory /etc/openvpn/server

aelias@vpn:~/download$ ls -l /etc/openvpn/server/
total 48
-rw------- 1 root root 1192 Sep 23 07:54 ca.crt
-rw------- 1 root root 1679 Sep 23 07:54 ca.key
-rw-r--r-- 1 root root 223 Sep 23 07:54 client-common.txt
-rw------- 1 nobody nogroup 642 Sep 23 07:54 crl.pem
-rw-r--r-- 1 root root 424 Sep 23 07:54 dh.pem
drwxr-xr-x 5 root root 4096 Sep 23 07:54 easy-rsa
-rw------- 1 root root 0 Sep 23 08:04 ipp.txt
-rw------- 1 root root 479 Sep 23 08:05 openvpn-status.log
-rw-r--r-- 1 root root 465 Sep 23 07:54 server.conf
-rw------- 1 root root 4594 Sep 23 07:54 server.crt
-rw------- 1 root root 1704 Sep 23 07:54 server.key
-rw------- 1 root root 636 Sep 23 07:54 tc.key
aelias@vpn:~/download$

The most important part from the configuration point of view is the file /etc/openvpn/server/server.conf; it is the basic configuration created from the requirements we entered:

aelias@vpn:~/download$ sudo cat /etc/openvpn/server/server.conf
local 192.168.6.24
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

By modifying this file we can adjust routing for clients, IP address ranges and other parameters. For now, however, let's leave it as the script generated it. The server listens on the local network on port 1195/udp and its IP address is 192.168.6.24. It will assign VPN clients IP addresses from the 10.8.0.x range and will "push" Google's DNS servers to them, i.e. 8.8.8.8 and 8.8.4.4.

It also "pushes" routing through our VPN server to the clients, so if they go to the internet after connecting to our VPN server, their traffic passes through our VPN server, and to remote servers it will therefore appear to come from the IP address 85.248.200.100, which is the external IP address of the VPN server.
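As an added example (not from the article or the Nyr installer script), the following Python checker parses the generated server.conf, extracts the listen socket and the pushed DNS servers, and flags missing hardening directives; the sample config is a constructed, abbreviated copy of the one shown above.

```python
# Added example, not part of the article or the Nyr installer script: parse the
# generated server.conf and check its hardening-relevant directives.
import shlex
# Constructed sample: an abbreviated copy of the server.conf shown in the article.
SAMPLE_CONF = """\
local 192.168.6.24
port 1195
proto udp
auth SHA512
tls-crypt tc.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
cipher AES-256-CBC
user nobody
group nogroup
crl-verify crl.pem
"""

def parse_conf(text):
    """Map each directive to every argument list it appears with
    (push occurs several times, so each value is a list of lists)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if line:
            parts = shlex.split(line)           # keeps quoted push values whole
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def listen_socket(conf):
    # The socket the daemon binds, as seen in the netstat check above.
    return f"{conf['local'][0][0]}:{conf['port'][0][0]}/{conf['proto'][0][0]}"

def pushed_dns(conf):
    # DNS servers forced onto clients via push "dhcp-option DNS <address>".
    return [a[0].split()[2] for a in conf.get("push", []) if a[0].startswith("dhcp-option DNS ")]

def audit(conf):
    """Findings a reviewer would raise; an empty list means the checks pass."""
    findings = []
    if "tls-crypt" not in conf and "tls-auth" not in conf:
        findings.append("control channel is not wrapped with tls-crypt/tls-auth")
    if "crl-verify" not in conf:
        findings.append("no crl-verify: revoked client certificates stay usable")
    if conf.get("user", [["root"]])[0][0] == "root":       # OpenVPN keeps root unless told otherwise
        findings.append("daemon keeps root privileges; set 'user nobody'")
    if conf.get("auth", [["SHA1"]])[0][0].upper() in ("SHA1", "MD5", "NONE"):   # SHA1 is the default
        findings.append("weak HMAC digest; use auth SHA256 or SHA512")
    return findings
```

Run it against the real file with `parse_conf(open("/etc/openvpn/server/server.conf").read())` (as root) to check a server you did not generate yourself.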

TAP mode - bridge between networks

Source: https://www.aaflalo.me/2015/01/openvpn-tap-bridge-mode/