Pendragon's Folly

Trying OpenVPN on Ubuntu 14.04 EC2 instnace. Warning these are mostly just notes to myself — use with caution. That includes you, future me…

TLDR version: If it absolutely comes down it it, I think I could eventually make the community version do what I need. However, with more than just this on my plate, it is probably more cost effective (and sane) to go with the commercially supported one. Too many irons in the fire…

References:
https://help.ubuntu.com/14.04/serverguide/openvpn.html
http://www.linuxfunda.com/2013/09/14/how-to-install-and-configure-an-open-vpn-with-nat-server-inside-aws-vpc/

I will note that I did have my hostname set to the desired value going into this. It might make a difference since I’m going to be making keys…

sudo bash # because I’m lazy….
apt-get update && apt-get dist-upgrade
apt-get install openvpn
apt-get install easy-rsa

root@vpn:~# whereis openvpn
openvpn: /usr/sbin/openvpn /etc/openvpn /usr/lib/openvpn /usr/include/openvpn /usr/share/openvpn /usr/share/man/man8/openvpn.8.gz

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

vi /etc/openvpn/easy-rsa/vars  (straight from the Ubunut help article referenced above — I modified the first 5 lines and left the last three as is.)

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

root@vpn:~# cd /etc/openvpn/easy-rsa/
root@vpn:/etc/openvpn/easy-rsa# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@vpn:/etc/openvpn/easy-rsa# ./clean-all
root@vpn:/etc/openvpn/easy-rsa# ./build-ca
error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
140316838659744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198

DOH!
line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf:
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES

vi /etc/openvpn/easy-rsa/vars

# Added to fix error on build-ca line 198 of openssl-1.0.0.cnf seems to want
# a environment variable KEY_ALTNAMES — not sure what it does
# gonna give it something memorable in case it comes up later…
export KEY_ALTNAMES=”BoogaBooga”

source vars
./clean-all
./build-ca

./build-key-server

I accepted the defaults as I had already customized the text config file…

I did my initial attempt with the default values (except the last two that require you to hit y). This means that I did NOT include
a challenge password. That is something I may want to look into..

./build-dh (Note that this use 2048 bits by default rather than 1024)
cd keys/
cp .crt .key ca.crt dh2048.pem /etc/openvpn/

Build each client key (these should ultimately be removed from the server and exist only on the client machines…):
I think I will need to do this each time a new client machine is add (ick — need to script this out…)

cd ../ (cd /etc/openvpn/easy-rsa/)
source vars
./build-key client1

Server Config (From included sample files):

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz

vi server.conf:

ca ca.crt
cert .crt
key .key # This file should be kept secret

# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

service openvpn restart (Just to make sure an old version wasn’t running)

root@myvpn:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@myvpn:/etc/openvpn# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
extra services
openvpn 2437 root 6u IPv4 11132 0t0 UDP *:openvpn

tar cvzf ~/client1.tgz client1.crt client1.key ca.crt

then scp those to the client for testing

on the client:

sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

sudo cp ca.crt client1.crt client1.key /etc/openvpn

vi /etc/openvpn/client.conf

remote my.vpn.svr.ip 1194
ca ca.crt
cert client1.crt
key client1.key

root@fizban:/etc/openvpn# service openvpn restart
* Stopping virtual private network daemon(s)… * No VPN is running.
* Starting virtual private network daemon(s)… * Autostarting VPN ‘client’

root@fizban:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@fizban:/etc/openvpn# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=106 ms
^C
— 10.8.0.1 ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 106.110/106.110/106.110/0.000 ms

So, now I have a vpn server that can talk over a tunnel to 1 client. At this point the client can ONLY talk to the VPN server….

So now I have to figure out IPTables…
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

if all goes well, I will :
service iptables save (that’s actually RHEL I think)
Ubuntu:
apt-get install iptables-persistent
service iptables-persistent start

vi /etc/sysctl.conf
-> uncomment: net.ipv4.ip_forward=1

sysctl -p

copy the configure-pat.sh from my nat instance (so I think it originates from the Amazon NAT AMI):

#!/bin/bash
# Configure the instance to run as a Port Address Translator (PAT) to provide
# Internet connectivity to private instances.

function log { logger -t “vpc” — $1; }

function die {
[ -n “$1” ] && log “$1”
log “Configuration of PAT failed!”
exit 1
}

# Sanitize PATH
PATH=”/usr/sbin:/sbin:/usr/bin:/bin”

log “Determining the MAC address on eth0…”
ETH0_MAC=$(cat /sys/class/net/eth0/address) ||
die “Unable to determine MAC address on eth0.”
log “Found MAC ${ETH0_MAC} for eth0.”

VPC_CIDR_URI=”http://169.254.169.254/latest/meta-data/network/interfaces/macs/${ETH0_MAC}/vp
c-ipv4-cidr-block”
log “Metadata location for vpc ipv4 range: ${VPC_CIDR_URI}”

VPC_CIDR_RANGE=$(curl –retry 3 –silent –fail ${VPC_CIDR_URI})
if [ $? -ne 0 ]; then
log “Unable to retrive VPC CIDR range from meta-data, using 0.0.0.0/0 instead. PAT may ma
squerade traffic for Internet hosts!”
VPC_CIDR_RANGE=”0.0.0.0/0″
else
log “Retrieved VPC CIDR range ${VPC_CIDR_RANGE} from meta-data.”
fi

log “Enabling PAT…”
sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.eth0.send_redirects=0 && (
iptables -t nat -C POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE 2> /dev/null ||
iptables -t nat -A POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE ) ||
die

sysctl net.ipv4.ip_forward net.ipv4.conf.eth0.send_redirects | log
iptables -n -t nat -L POSTROUTING | log

log “Configuration of PAT complete.”
exit 0

I need to run this from something akin to rc3.d/S99local (add that to my todo list)

I copied this file to /usr/local/sbin/configure-pat.sh and added it to /etc/rc.local (which seems like the place to put it for Ubunut 14.04).

Then I’m gonna reboot and see if anything works. I may have to configure routes for my subnets in aws???

You know it is at this point, where the configuation ceases to be fun. I started looking more at the commercial version. Given that I have killed an entire afternoon and still have only the server and one client talking to each other, the price of the licenses is starting to look good!

Long term, I’d like to come back and work on this some more, but for now, it just isn’t cost effective to spend more time on it…