Trying OpenVPN on Ubuntu 14.04 EC2 instnace. Warning these are mostly just notes to myself — use with caution. That includes you, future me…<\/p>\n
TLDR version<\/strong><\/span>: If it absolutely comes down it it, I think I could eventually make the community version do what I need.\u00a0However,\u00a0with more than just this on my plate, it is probably more cost effective (and sane) to go with the commercially supported one. Too many irons in the fire…<\/p>\n References: I will note that I did have my hostname set to the desired value going into this. It might make a difference since I’m going to be making keys…<\/p>\n sudo bash # because I’m lazy…. root@vpn:~# whereis openvpn mkdir \/etc\/openvpn\/easy-rsa\/ vi \/etc\/openvpn\/easy-rsa\/vars \u00a0(straight from the Ubunut help article referenced above — I modified the first 5 lines and left the last three as is.)<\/p>\n root@vpn:~# cd \/etc\/openvpn\/easy-rsa\/ DOH! vi \/etc\/openvpn\/easy-rsa\/vars<\/p>\n # Added to fix error on build-ca line 198 of openssl-1.0.0.cnf seems to want source vars .\/build-key-server<\/p>\n I accepted the defaults as I had already customized the text config file…<\/p>\n I did my initial attempt with the default values (except the last two that require you to hit y). This means that I did NOT include .\/build-dh (Note that this use 2048 bits by default rather than 1024) Build each client key (these should ultimately be removed from the server and exist only on the client machines…): cd ..\/ (cd \/etc\/openvpn\/easy-rsa\/) Server Config (From included sample files):<\/p>\n cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn\/ vi server.conf:<\/p>\n ca ca.crt # Substitute 2048 for 1024 if you are using service openvpn restart (Just to make sure an old version wasn’t running)<\/p>\n root@myvpn:\/etc\/openvpn# ifconfig tun0 root@myvpn:\/etc\/openvpn# lsof -i tar cvzf ~\/client1.tgz client1.crt client1.key ca.crt<\/p>\n then scp those to the client for testing<\/p>\n on the client:<\/p>\n sudo apt-get install openvpn sudo cp ca.crt client1.crt client1.key \/etc\/openvpn<\/p>\n vi \/etc\/openvpn\/client.conf<\/p>\n remote my.vpn.svr.ip 1194 root@fizban:\/etc\/openvpn# service openvpn restart root@fizban:\/etc\/openvpn# ifconfig tun0 root@fizban:\/etc\/openvpn# ping 10.8.0.1 So, now I have a vpn server that can talk over a tunnel to 1 client. At this point the client can ONLY talk to the VPN server….<\/p>\n So now I have to figure out IPTables… if all goes well, I will : vi \/etc\/sysctl.conf sysctl -p<\/p>\n copy the configure-pat.sh from my nat instance (so I think it originates from the Amazon NAT AMI):<\/p>\n #!\/bin\/bash function log { logger -t “vpc” — $1; }<\/p>\n function die { # Sanitize PATH log “Determining the MAC address on eth0…” VPC_CIDR_URI=”http:\/\/169.254.169.254\/latest\/meta-data\/network\/interfaces\/macs\/${ETH0_MAC}\/vp VPC_CIDR_RANGE=$(curl –retry 3 –silent –fail ${VPC_CIDR_URI}) log “Enabling PAT…” sysctl net.ipv4.ip_forward net.ipv4.conf.eth0.send_redirects | log log “Configuration of PAT complete.” I need to run this from something akin to rc3.d\/S99local (add that to my todo list)<\/p>\n I copied this file to \/usr\/local\/sbin\/configure-pat.sh and added it to \/etc\/rc.local (which seems like the place to put it for Ubunut 14.04).<\/p>\n Then I’m gonna reboot and see if anything works. I may have to configure routes for my subnets in aws???<\/p>\n You know it is at this point, where the configuation ceases to be fun. I started looking more at the commercial version. Given that I have killed an entire afternoon and still have only the server and one client talking to each other, the price of the licenses is starting to look good!<\/p>\n Long term, I’d like to come back and work on this some more, but for now, it just isn’t cost effective to spend more time on it…<\/p>\n","protected":false},"excerpt":{"rendered":" Trying OpenVPN on Ubuntu 14.04 EC2 instnace. Warning these are mostly just notes to myself — use with caution. That includes you, future me… TLDR version: If it absolutely comes down it it, I think I could eventually make the …<\/p>\n
\nhttps:\/\/help.ubuntu.com\/14.04\/serverguide\/openvpn.html
\nhttp:\/\/www.linuxfunda.com\/2013\/09\/14\/how-to-install-and-configure-an-open-vpn-with-nat-server-inside-aws-vpc\/<\/p>\n
\napt-get update && apt-get dist-upgrade
\napt-get install openvpn
\napt-get install easy-rsa<\/p>\n
\nopenvpn: \/usr\/sbin\/openvpn \/etc\/openvpn \/usr\/lib\/openvpn \/usr\/include\/openvpn \/usr\/share\/openvpn \/usr\/share\/man\/man8\/openvpn.8.gz<\/p>\n
\ncp -r \/usr\/share\/easy-rsa\/* \/etc\/openvpn\/easy-rsa\/<\/p>\nexport KEY_COUNTRY=\"US\"\r\nexport KEY_PROVINCE=\"NC\"\r\nexport KEY_CITY=\"Winston-Salem\"\r\nexport KEY_ORG=\"Example Company\"\r\nexport KEY_EMAIL=\"steve@example.com\"\r\nexport KEY_CN=MyVPN\r\nexport KEY_NAME=MyVPN\r\nexport KEY_OU=MyVPN<\/pre>\n
\nroot@vpn:\/etc\/openvpn\/easy-rsa# source vars
\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/etc\/openvpn\/easy-rsa\/keys
\nroot@vpn:\/etc\/openvpn\/easy-rsa# .\/clean-all
\nroot@vpn:\/etc\/openvpn\/easy-rsa# .\/build-ca
\nerror on line 198 of \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf
\n140316838659744:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198<\/p>\n
\nline 198 of \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf:
\n# This stuff is for subjectAltName and issuerAltname.
\n# Import the email address.
\n# subjectAltName=email:copy
\nsubjectAltName=$ENV::KEY_ALTNAMES<\/p>\n
\n# a environment variable KEY_ALTNAMES — not sure what it does
\n# gonna give it something memorable in case it comes up later…
\nexport KEY_ALTNAMES=”BoogaBooga”<\/p>\n
\n.\/clean-all
\n.\/build-ca<\/p>\n
\na challenge password. That is something I may want to look into..<\/p>\n
\ncd keys\/
\ncp .crt .key ca.crt dh2048.pem \/etc\/openvpn\/<\/p>\n
\nI think I will need to do this each time a new client machine is add (ick — need to script this out…)<\/p>\n
\nsource vars
\n.\/build-key client1<\/p>\n
\ncd \/etc\/openvpn
\ngzip -d server.conf.gz<\/p>\n
\ncert .crt
\nkey .key # This file should be kept secret<\/p>\n
\n# 2048 bit keys.
\ndh dh2048.pem<\/p>\n
\ntun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
\ninet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
\nUP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
\nRX packets:0 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:0 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:100
\nRX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<\/p>\n
\nCOMMAND PID USER FD TYPE DEVICE SIZE\/OFF NODE NAME
\nextra services
\nopenvpn 2437 root 6u IPv4 11132 0t0 UDP *:openvpn<\/p>\n
\nsudo cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf \/etc\/openvpn\/<\/p>\n
\nca ca.crt
\ncert client1.crt
\nkey client1.key<\/p>\n
\n* Stopping virtual private network daemon(s)… * No VPN is running.
\n* Starting virtual private network daemon(s)… * Autostarting VPN ‘client’<\/p>\n
\ntun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
\ninet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
\nUP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
\nRX packets:0 errors:0 dropped:0 overruns:0 frame:0
\nTX packets:0 errors:0 dropped:0 overruns:0 carrier:0
\ncollisions:0 txqueuelen:100
\nRX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<\/p>\n
\nPING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
\n64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=106 ms
\n^C
\n— 10.8.0.1 ping statistics —
\n1 packets transmitted, 1 received, 0% packet loss, time 0ms
\nrtt min\/avg\/max\/mdev = 106.110\/106.110\/106.110\/0.000 ms<\/p>\n
\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/p>\n
\nservice iptables save (that’s actually RHEL I think)
\nUbuntu:
\napt-get install iptables-persistent
\nservice iptables-persistent start<\/p>\n
\n-> uncomment: net.ipv4.ip_forward=1<\/p>\n
\n# Configure the instance to run as a Port Address Translator (PAT) to provide
\n# Internet connectivity to private instances.<\/p>\n
\n[ -n “$1” ] && log “$1”
\nlog “Configuration of PAT failed!”
\nexit 1
\n}<\/p>\n
\nPATH=”\/usr\/sbin:\/sbin:\/usr\/bin:\/bin”<\/p>\n
\nETH0_MAC=$(cat \/sys\/class\/net\/eth0\/address) ||
\ndie “Unable to determine MAC address on eth0.”
\nlog “Found MAC ${ETH0_MAC} for eth0.”<\/p>\n
\nc-ipv4-cidr-block”
\nlog “Metadata location for vpc ipv4 range: ${VPC_CIDR_URI}”<\/p>\n
\nif [ $? -ne 0 ]; then
\nlog “Unable to retrive VPC CIDR range from meta-data, using 0.0.0.0\/0 instead. PAT may ma
\nsquerade traffic for Internet hosts!”
\nVPC_CIDR_RANGE=”0.0.0.0\/0″
\nelse
\nlog “Retrieved VPC CIDR range ${VPC_CIDR_RANGE} from meta-data.”
\nfi<\/p>\n
\nsysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.eth0.send_redirects=0 && (
\niptables -t nat -C POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE 2> \/dev\/null ||
\niptables -t nat -A POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE ) ||
\ndie<\/p>\n
\niptables -n -t nat -L POSTROUTING | log<\/p>\n
\nexit 0<\/p>\n