Setup OpenVPN Server in AWS VPC
Latest revision as of 22:39, 6 March 2023
Purpose
We'll build an OpenVPN server with CentOS 7 in an AWS VPC.
This server will run 24x7, and users connecting as clients can reach all resources and services in the VPC.
Let's say this VPN is named my-vpn and uses my-vpn.gejoreuy.com as its public address.
Make sure the DNS record for my-vpn.gejoreuy.com points at the correct public IP address!
Preparation
[root@openvpn ~]# yum update
[root@openvpn ~]# hostnamectl set-hostname my-vpn.gejoreuy.com --static    (gave static IP and put this in Route 53)
[root@openvpn ~]# timedatectl set-timezone Asia/Jakarta
[root@openvpn ~]# yum install epel-release
[root@openvpn ~]# yum install p7zip wget zip unzip autossh pv java-1.8.0-openjdk-devel htop lvm2 samba sysstat glibc figlet telnet firewalld srm
[root@openvpn ~]# systemctl start firewalld
[root@openvpn ~]# systemctl enable firewalld
[root@openvpn ~]# firewall-cmd --add-service openvpn --permanent
[root@openvpn ~]# firewall-cmd --add-service https --permanent
[root@openvpn ~]# firewall-cmd --add-masquerade --permanent
[root@openvpn ~]# firewall-cmd --reload
Install OpenVPN Server
Install OpenVPN server.
[root@openvpn ~]# yum install openvpn easy-rsa
[root@openvpn ~]# mkdir /etc/openvpn/easy-rsa
[root@openvpn ~]# cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa
[root@openvpn ~]# cd /etc/openvpn/easy-rsa
Edit easyrsa to extend the expiry of certs to 9 years:
[root@openvpn easy-rsa]# vi easyrsa
Change the value below:
set_var EASYRSA_CERT_EXPIRE 3080 # new default of 9 years
Set up the certs and keys, and sign the key for the server:
[root@openvpn easy-rsa]# ./easyrsa init-pki
[root@openvpn easy-rsa]# ./easyrsa build-ca
[root@openvpn easy-rsa]# ./easyrsa gen-dh
[root@openvpn easy-rsa]# ./easyrsa gen-req server nopass
[root@openvpn easy-rsa]# ./easyrsa sign-req server server
Go up one level to /etc/openvpn and generate the tls-auth key; it lets the server drop packets that lack a valid HMAC and so slows down DDoS attacks:
[root@openvpn easy-rsa]# cd ..
[root@openvpn openvpn]# openvpn --genkey --secret ta.key
Put the passphrase you used for ca.key in a text file for future admins:
[root@openvpn openvpn]# vi ca-passphrase.txt
Configure System
In /etc/sysctl.conf enable IP forwarding:
[root@openvpn openvpn]# vi /etc/sysctl.conf
Add this:
# For OpenVPN
net.ipv4.ip_forward = 1
Reboot now for good measure:
[root@openvpn openvpn]# reboot
Test your config:
[centos@openvpn ~]$ cat /proc/sys/net/ipv4/ip_forward
1
Configure Server
Create the file /etc/openvpn/server/my-vpn.conf:
[root@openvpn ~]# vi /etc/openvpn/server/my-vpn.conf
port 443
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key  # This file is server's secret
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 172.16.31.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 172.31.184.2"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0  # This file is secret shared between server and clients
cipher AES-256-CBC
max-clients 50
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3  # verbosity 0 to 15
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
Notes on this file:
- The server address space is 172.16 plus the 2nd byte of the VPC it connects to. Not important; it could be almost anything.
- The subnet mask restricts how many clients can use the VPN; in this case 252.
- Check /etc/resolv.conf on the OpenVPN server for DNS hints. 8.8.4.4 is a backup public DNS.
- push means the option is sent to the clients rather than applied on the server.
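Before starting the service it is worth confirming that every file the config points at exists, that server.key and ta.key are not readable by other users, and that a crl-verify line is present (without it, certificates revoked later are still accepted). The following shell script is an added example and is not part of the original page: it strips comments from a server config, pulls out the file-path directives the config above uses (ca, cert, key, dh, tls-auth, crl-verify), and checks each one. The PKI it inspects here is a constructed placeholder built in a temporary directory so the script runs offline; point check_openvpn_config at /etc/openvpn/server/my-vpn.conf for the real check.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check an OpenVPN server
# config before "systemctl start".  Paths are read from the config itself.

# check_openvpn_config CONFIG_FILE -> returns 0 if every check passes, 1 otherwise
check_openvpn_config() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # Drop comments, keep directives whose argument is a file path, and emit
    # them as directive=path tokens (OpenVPN paths contain no '=' or spaces here).
    entries=$(sed 's/#.*//' "$conf" | awk '
        $1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" ||
        $1 == "tls-auth" || $1 == "crl-verify" { print $1 "=" $2 }')

    seen_crl=0
    for entry in $entries; do
        directive=${entry%%=*}
        path=${entry#*=}
        if [ ! -f "$path" ]; then
            echo "FAIL: $directive points at missing file $path"
            rc=1
            continue
        fi
        [ "$directive" = "crl-verify" ] && seen_crl=1
        case "$directive" in
        key|tls-auth)
            # Group/other permission bits from "ls -l" must all be '-' (mode 600 or 400).
            mode=$(ls -ld "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "FAIL: $path is accessible to other users (ls mode bits: $mode)"
                rc=1
            fi
            ;;
        esac
    done
    if [ "$seen_crl" -eq 0 ]; then
        echo "FAIL: no crl-verify directive, revoked client certs would still be accepted"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf references an existing PKI with protected keys"
    return "$rc"
}

# make_sample_pki -> prints a temp dir holding a CONSTRUCTED placeholder PKI
# and a my-vpn.conf laid out like the page's server config.
make_sample_pki() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pki/issued" "$dir/pki/private"
    for f in pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key pki/crl.pem; do
        echo "constructed placeholder, not a real $f" > "$dir/$f"
    done
    chmod 600 "$dir/pki/private/server.key" "$dir/ta.key"
    cat > "$dir/my-vpn.conf" <<EOF
port 443
proto tcp
dev tun
ca $dir/pki/ca.crt
cert $dir/pki/issued/server.crt
key $dir/pki/private/server.key  # This file is server's secret
dh $dir/pki/dh.pem
tls-auth $dir/ta.key 0
crl-verify $dir/pki/crl.pem
EOF
    echo "$dir"
}

# Demo on the constructed PKI: first a clean pass, then a deliberately
# loosened ta.key so the permission check trips.
SAMPLE_DIR=$(make_sample_pki)
check_openvpn_config "$SAMPLE_DIR/my-vpn.conf" && echo "sample config passes"
chmod 644 "$SAMPLE_DIR/ta.key"
check_openvpn_config "$SAMPLE_DIR/my-vpn.conf" || echo "loose ta.key permissions were caught"
rm -rf "$SAMPLE_DIR"
```

Run it as root on the real server so the key files are readable by the checker; a non-zero exit status means at least one FAIL line was printed.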
Start Server
Start it, check its status, and enable it to start automatically on reboot:
[root@openvpn]# systemctl -l start openvpn-server@my-vpn
[root@openvpn]# systemctl -l status openvpn-server@my-vpn
● openvpn-server@my-vpn.service - OpenVPN service for my-vpn
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-10-01 14:19:12 AEST; 26s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 8954 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@my-vpn.service
           └─8954 /usr/sbin/openvpn --status /run/openvpn-server/status-my-vpn.log --status-version 2 --suppress-timestamps --config my-vpn.conf

Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Starting OpenVPN service for my-vpn...
Oct 01 14:19:12 my-vpn-openvpn.gejoreuy.com systemd[1]: Started OpenVPN service for my-vpn.
[root@openvpn]# systemctl -l enable openvpn-server@my-vpn
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@my-vpn.service to /usr/lib/systemd/system/openvpn-server@.service.
Configure Clients
Each client needs their own secure, signed key and config file.
Copy the shared items to the client folder:
[root@openvpn]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
[root@openvpn]# cp /etc/openvpn/ta.key /etc/openvpn/client/
Make the client config in the client folder:
[root@openvpn]# vi /etc/openvpn/client/my-vpn.ovpn
client
dev tun
proto tcp
route 172.17.0.0 255.255.252.0   # this is the subnet address of the VPC where the OpenVPN server is running
remote my-vpn.gejoreuy.com 443   # this is the OpenVPN server address, change it to the real address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert USERNAME.crt
key USERNAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Note this config can't work unless there is a cert and key for user "USERNAME". This is a template only.
To generate user keys we need a username and a password for each user. Here's a script that does it for you and packages everything into a 7-zip file encrypted with that same password:
[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi generateuser.sh
#!/bin/bash
# Usage: ./generateuser.sh USERNAME PASSWORD
# Issues a client cert for USERNAME and bundles it with the shared ca.crt,
# ta.key and client config into a password-protected 7z archive under /root.
if [ $# -ne 2 ]; then
    echo "usage: $0 USERNAME PASSWORD" >&2
    exit 1
fi
cd /etc/openvpn/easy-rsa || exit 1
echo "username is $1 and PASSWORD is $2"
echo "use this password twice when asked to Enter PEM pass phrase."
/etc/openvpn/easy-rsa/easyrsa gen-req "$1"
clear
echo "next to sign the key you need the passphrase for ca.key bbsadgassadgasdga"
/etc/openvpn/easy-rsa/easyrsa sign-req client "$1"
# Stage the bundle in a private temp dir, then encrypt it and wipe the staging copy.
TEMP_DIR=$(mktemp -d -t openvpn-XXXXXXXXXXX)
cp /etc/openvpn/client/ca.crt "$TEMP_DIR"
cp /etc/openvpn/client/ta.key "$TEMP_DIR"
# Fill in the USERNAME placeholder from the client config template.
sed "s/USERNAME/$1/g" /etc/openvpn/client/my-vpn.ovpn > "$TEMP_DIR/my-vpn.ovpn"
cp "/etc/openvpn/easy-rsa/pki/private/$1.key" "$TEMP_DIR"
cp "/etc/openvpn/easy-rsa/pki/issued/$1.crt" "$TEMP_DIR"
chown -R root:root "$TEMP_DIR"
chmod -R 777 "$TEMP_DIR"
cd "$TEMP_DIR" || exit 1
ls -la
rm -f "/root/$1-keys.7z"
7za a -p"$2" "/root/$1-keys.7z" ./*
chown root:root "/root/$1-keys.7z"
echo "your file is here: /root/$1-keys.7z"
# Securely erase the unencrypted copies of the key material.
srm -rf "$TEMP_DIR"
[root@openvpn]# chmod ugoa+x generateuser.sh
Revoke OpenVPN User
When an OpenVPN user is no longer needed, we need to revoke their certificate. We can create a script like this.
[root@openvpn]# cd /etc/openvpn
[root@openvpn]# vi revokeuser.sh
#!/bin/bash
# Usage: ./revokeuser.sh USERNAME
# Revokes USERNAME's client cert and regenerates the CRL that the server
# reads through its crl-verify directive.
if [ $# -ne 1 ]; then
    echo "usage: $0 USERNAME" >&2
    exit 1
fi
cd /etc/openvpn/easy-rsa || exit 1
/etc/openvpn/easy-rsa/easyrsa revoke "$1"
/etc/openvpn/easy-rsa/easyrsa gen-crl
grep -i "$1" /etc/openvpn/easy-rsa/pki/index.txt
echo "if you see an 'R' (for Revoked) in the first column from the left for the user you revoked, it means the user has been revoked successfully"
[root@openvpn]# chmod ugoa+x revokeuser.sh
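The revoke script leaves it to the admin to read index.txt by eye. The shell functions below are an added example and not part of the original page: they parse easy-rsa's pki/index.txt (the OpenSSL CA database, tab-separated: status, expiry, revocation date, serial, filename, subject DN), list every issued cert with its V/R/E status, answer whether a given user is still valid, and flag the common slip of running easyrsa revoke without gen-crl by comparing the CRL's modification time against index.txt. The index entries used here are constructed sample data; on the server, point the functions at /etc/openvpn/easy-rsa/pki/index.txt and pki/crl.pem.

```shell
#!/bin/sh
# Added example, not from the original page: inspect easy-rsa's index.txt
# instead of eyeballing grep output after a revocation.

# list_vpn_users INDEX_FILE -> one line per entry: "name status expiry"
# The subject DN is split on '/' and the CN= component is taken as the name.
list_vpn_users() {
    awk 'BEGIN { FS = "\t" }
        NF >= 6 {
            n = split($6, parts, "/")
            name = "?"
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^CN=/) name = substr(parts[i], 4)
            print name, $1, $2
        }' "$1"
}

# vpn_user_status INDEX_FILE NAME -> prints V (valid), R (revoked) or E (expired)
# and returns 0; prints "absent" and returns 2 when no cert was issued for NAME.
# index.txt is append-only, so the last matching entry is the current one.
vpn_user_status() {
    status=$(list_vpn_users "$1" | awk -v who="$2" '$1 == who { print $2 }' | tail -n 1)
    if [ -z "$status" ]; then
        echo "absent"
        return 2
    fi
    echo "$status"
}

# crl_is_stale INDEX_FILE CRL_FILE -> 0 when the CRL is missing or older than
# index.txt, i.e. a revoke happened but "easyrsa gen-crl" was not run, so the
# server's crl-verify still accepts the revoked cert.
crl_is_stale() {
    [ ! -f "$2" ] || [ "$2" -ot "$1" ]
}

# make_sample_index -> prints the path of a CONSTRUCTED index.txt with three
# entries: the server cert, a valid user and a revoked user.
make_sample_index() {
    f=$(mktemp)
    printf 'V\t320301120000Z\t\t01\tunknown\t/CN=server\n' > "$f"
    printf 'V\t320301120000Z\t\t02\tunknown\t/CN=alice\n' >> "$f"
    printf 'R\t320301120000Z\t230306220000Z\t03\tunknown\t/CN=bob\n' >> "$f"
    echo "$f"
}

# Demo on the constructed index.
INDEX=$(make_sample_index)
list_vpn_users "$INDEX"
echo "bob is: $(vpn_user_status "$INDEX" bob)"
rm -f "$INDEX"
```

A post-revocation check on the server is then `vpn_user_status /etc/openvpn/easy-rsa/pki/index.txt USER` printing R, followed by `crl_is_stale` returning non-zero; if it returns zero, gen-crl has not been run since the last change to the index.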