Setup VPN access provisioning server on top of Ubuntu 18.04

If you are looking for a way to let other users route their systems' traffic through your local gateway (ISP), which then acts like a proxy, here is a free solution. This is called Virtual Private Networking (VPN): once users are connected, they are assigned an address on a private network, and their local traffic is then routed via the VPN server to the actual destination. There are different use cases for deploying a VPN service, and some of them are:

  • Encrypt outgoing traffic
  • Routing traffic through a path other than your local ISP

Getting Started

01. Installing the required packages

# apt-get update && apt-get install -y openvpn easy-rsa

02. Create an additional directory to hold the certificates we generate in the following steps

# mkdir -p /etc/openvpn/server/certs
# cd /etc/openvpn/server/certs

03. Build a CA & its Keys

# openssl genrsa -out ca.key 2048
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt


Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la 
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:

04. Generate the VPN service's own certificate and key

# openssl genrsa -out vpn.key 2048
# openssl req -new -key vpn.key -out vpn.csr

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -in vpn.csr -out vpn.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365

Signature ok
subject=C = US, ST = la, L = la, O = osradar, OU = it, CN = vpn-server.osradar.com

# openssl dhparam -out dh2048.pem 2048

05. Configuring the OpenVPN server

# vim /etc/openvpn/server/server.conf

port 443    
proto tcp    
dev tun    
server 10.11.0.0 255.255.255.0    
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/vpn.crt    
key /etc/openvpn/server/certs/vpn.key    
dh /etc/openvpn/server/certs/dh2048.pem  
persist-key    
persist-tun    
keepalive 10 60    
reneg-sec 0    
comp-lzo    
tun-mtu 1468    
tun-mtu-extra 32    
mssfix 1400    
push "persist-key"    
push "persist-tun"    
push "redirect-gateway def1"    
push "dhcp-option DNS 8.8.8.8"    
push "dhcp-option DNS 8.8.4.4"    
status /etc/openvpn/443.log    
verb 3

06. Starting up the service

# systemctl start openvpn-server@server

07. Enable IPv4 routing between interfaces

# vim /etc/sysctl.d/60-ipv4-forward.conf

net.ipv4.ip_forward=1

# sysctl -p /etc/sysctl.d/60-ipv4-forward.conf

08. Changing the firewall rules

# vim /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.11.0.0/24 -o main_nic -j MASQUERADE
COMMIT
# END OPENVPN RULES

main_nic => replace this with the name of your outgoing NIC device

Allow 443/tcp, the port on which we set up our VPN service

# ufw allow 443/tcp
# ufw disable
# ufw enable
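
Two values in the steps above must agree for clients to get online: the `server` subnet in server.conf has to fall inside the `-s` range of the MASQUERADE rule, and every `ca`/`cert`/`key`/`dh` path has to exist. A pre-flight check for both, as an added example that is not part of the original article; the function names, the optional root prefix and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): pre-flight checks for steps 05-08.

# vpn_subnet CONF: print the `server <network> <netmask>` directive as network/prefix.
vpn_subnet() {
    awk '$1 == "server" { n = split($3, o, "."); bits = 0
        for (i = 1; i <= n; i++) for (v = o[i] + 0; v > 0; v = int(v / 2)) bits += v % 2
        print $2 "/" bits; exit }' "$1"
}

# cidr_within A B: succeed if CIDR A lies entirely inside CIDR B.
cidr_within() {
    awk -v a="$1" -v b="$2" '
        function num(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN { split(a, x, "/"); split(b, y, "/"); if (y[2] == "") y[2] = 32
                size = 2 ^ (32 - y[2])
                exit !(y[2] + 0 <= x[2] + 0 && int(num(x[1]) / size) == int(num(y[1]) / size)) }'
}

# nat_covers_vpn CONF RULES: succeed if a MASQUERADE rule's -s range covers the VPN subnet.
nat_covers_vpn() {
    net=$(vpn_subnet "$1")
    for src in $(awk '!/^#/ && /-j MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }' "$2"); do
        cidr_within "$net" "$src" && return 0
    done
    return 1
}

# missing_files CONF [ROOT]: print each ca/cert/key/dh path that does not exist under ROOT.
missing_files() {
    awk '$1 ~ /^(ca|cert|key|dh)$/ { print $2 }' "$1" | while read -r p; do
        [ -e "${2:-}$p" ] || echo "$p"
    done
}

# Constructed sample: the CA path and the NAT range disagree with the rest of the setup.
d=$(mktemp -d); mkdir -p "$d/etc/openvpn/server/certs"; touch "$d/etc/openvpn/server/certs/ca.crt"
printf '%s\n' 'server 10.11.0.0 255.255.255.0' 'ca /etc/openvpn/server/keys/ca.crt' > "$d/server.conf"
printf '%s\n' '-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE' > "$d/before.rules"
missing_files "$d/server.conf" "$d"       # prints /etc/openvpn/server/keys/ca.crt
nat_covers_vpn "$d/server.conf" "$d/before.rules" ||
    echo "NAT rule does not cover $(vpn_subnet "$d/server.conf")"
```

On the server itself, run `missing_files /etc/openvpn/server/server.conf` and `nat_covers_vpn /etc/openvpn/server/server.conf /etc/ufw/before.rules` before starting the service.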

09. Prepare the user certificate. In the example below, I assume the username is bob.

# openssl genrsa -out bob.key 2048
# openssl req -new -key bob.key -out bob.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:CMB
Locality Name (eg, city) []:colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:bob
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

10. Sign the user certificate using the CA certificate which we generated at step 03.

# openssl x509 -req -in bob.csr -out bob.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365

bob.crt should be shared with the user so that they can launch the OpenVPN client from their workstation.
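
The signing commands in steps 04 and 10 pass no extension file, so the server and client certificates carry no extendedKeyUsage and differ only by subject, which is what a client-side check such as OpenVPN's `remote-cert-tls server` relies on. The added example below (not part of the original article) issues both certificates with role-specific extensions and verifies chain, purpose and key match; the subjects, the `.ext` files and the scratch directory are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original article). Names and subjects are constructed.

# issue NAME EKU: key, CSR and CA-signed certificate restricted to one TLS role.
issue() {
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' "extendedKeyUsage=$2" > "$1.ext"
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/O=example/CN=$1" -out "$1.csr" &&
    openssl x509 -req -in "$1.csr" -out "$1.crt" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -sha256 -extfile "$1.ext" 2>/dev/null
}

# chain_ok CERT PURPOSE: CERT chains to ca.crt and is valid as sslserver or sslclient.
chain_ok() { openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; }

# key_matches CERT KEY: the public key in CERT belongs to the private key KEY.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# make_demo_pki: throwaway CA plus one server and one client certificate in a temp dir.
make_demo_pki() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key ca.key -subj "/O=example/CN=demo-ca" -out ca.crt &&
    issue vpn serverAuth && issue bob clientAuth
}

# Constructed demo: bob's client certificate must verify as a client but not as a server.
make_demo_pki && chain_ok vpn.crt sslserver && chain_ok bob.crt sslclient &&
    ! chain_ok bob.crt sslserver && key_matches bob.crt bob.key &&
    echo "checks passed; files are in $PWD"
```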

Client Work-Station End.

11. Open the terminal, install the required packages and then launch “nm-connection-editor”

# apt-get update && apt-get install -y network-manager-openvpn
$ nm-connection-editor

12. Setting up the VPN client profile

Click the (+) sign and then select the OpenVPN option from the drop-down menu.

That’s it. Now you can start the newly created VPN connection, which initiates an encrypted tunnel between the local station and the destination VPN server.

You can verify the result by looking at the IP address space:

# ip addr show

“I hope this has been informative”
