OpenVPN Quick How To

Alex, May 5, 2016 10:27
If you have been looking around the interwebs for a how-to-set-up-that-bloody-VPN-server-you-need-to-access-IP-blocked-content and could not find a working solution, this page is for you. I am sharing my setup-vpn.sh script with you. Use and modify as you please. A link back is always appreciated.

Twitter question

From a question on twitter:
Okay, dear Linux/server people: I'd appreciate a guide to set up an openvpn server. Not deep understanding, just get it up and running. @JaschMedia
I can do that: I use a simple script to set up new OpenVPN servers whenever I need one. Follow these steps and you will have an OpenVPN tunnel up and running in minutes.

Disclaimer

There are more secure ways of setting up your VPN. Do not use this guide to protect your nuclear plant. But if you are Googling for solutions you should resign from that job immediately. This guide is here for demonstration and educational purposes only.

Install all the things

I only run Debian Linux, so replace apt-get with your package manager if you are on a different flavor. Run all commands as root.
# apt-get install -y openvpn easy-rsa
# /etc/init.d/openvpn stop

setup-vpn.sh

#!/bin/sh
#
# (c) 2016 HackPending - https://hackpending.com/
# 
# Provided as-is. 
  
# Address of eth0: it becomes the certificate CN and the "remote" in every client profile.
# This assumes the net-tools ifconfig output of the time ("inet addr:..."); adjust the
# pipeline if your ifconfig or ip prints addresses differently.
HOSTIP=`ifconfig eth0 | grep "inet addr" | cut -f2 -d: | cut -f1 -d " "`
echo $HOSTIP
 
apt-get install openvpn easy-rsa
/etc/init.d/openvpn stop
# Per-client files in client-config-dir; each file name must match the client's
# certificate CN. "push" takes exactly one argument, so the pushed directive and
# its parameters have to be quoted as a single string.
mkdir /etc/openvpn/client-config-dir
echo "ifconfig-push 192.168.44.2 255.255.255.0
push \"redirect-gateway def1\"
push \"dhcp-option DNS 8.8.8.8\"
push \"route-gateway 192.168.44.1\"
" > /etc/openvpn/client-config-dir/iphone
 
echo "ifconfig-push 192.168.44.3 255.255.255.0
push \"route-gateway 192.168.44.1\"
" > /etc/openvpn/client-config-dir/router
 
# Server config: TCP on port 443 (the HTTPS port). "server" with "topology subnet"
# hands each client an address from 192.168.44.0/24 and pushes the route-gateway
# 192.168.44.1 itself. The cipher must match the client profiles written below.
echo "proto tcp
port 443
verb 3
daemon
log-append /var/log/openvpn.log
dev tun0
cipher AES-256-CBC
mode server
topology subnet
server 192.168.44.0 255.255.255.0
keepalive 30 500
client-config-dir /etc/openvpn/client-config-dir
 
ca /etc/openvpn/tun0/ca.crt
cert /etc/openvpn/tun0/server.crt
key /etc/openvpn/tun0/server.key
dh /etc/openvpn/tun0/dh4096.pem
" > /etc/openvpn/openvpn.conf
 
mkdir /etc/openvpn/tun0
cp -prv /usr/share/easy-rsa /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
 
echo "export EASY_RSA=\"/etc/openvpn/easy-rsa\"
export OPENSSL=\"openssl\"
export PKCS11TOOL=\"pkcs11-tool\"
export GREP=\"grep\"
export KEY_CONFIG=\`\$EASY_RSA/whichopensslcnf \$EASY_RSA\`
export KEY_DIR=\"\$EASY_RSA/keys\"
export PKCS11_MODULE_PATH=\"dummy\"
export PKCS11_PIN=\"dummy\"
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY=\"US\"
export KEY_PROVINCE=\"NY\"
export KEY_CITY=\"City\"
export KEY_ORG=\"OrgName\"
export KEY_EMAIL=\"me@localhost\"
export KEY_CN=${HOSTIP}
export KEY_NAME=${HOSTIP}
export KEY_ALTNAMES=
export KEY_OU=
 
" > /etc/openvpn/easy-rsa/vars
 
cd /etc/openvpn/easy-rsa
. ./vars
 
./clean-all
./build-ca
cp keys/ca.crt /etc/openvpn/tun0/ca.crt
cp keys/ca.key /etc/openvpn/tun0/ca.key  
 
./build-key-server server
cp keys/server.key /etc/openvpn/tun0/server.key
cp keys/server.crt /etc/openvpn/tun0/server.crt
 
./build-dh
cp keys/dh4096.pem /etc/openvpn/tun0/dh4096.pem
 
for CONFIG in iphone router
do
  echo "build-key: ${CONFIG}"
  if [ ! -r keys/${CONFIG}.crt ]
  then
    ./build-key ${CONFIG}
    cp keys/${CONFIG}.crt /etc/openvpn/tun0/${CONFIG}.crt
    cp keys/${CONFIG}.key /etc/openvpn/tun0/${CONFIG}.key
  fi
  
  echo "Create ${CONFIG} client config"
  # One self-contained .ovpn per client: the <ca>, <cert> and <key> blocks embed the
  # PEM files, so the profile holds the client's private key and must be kept private.
  # ns-cert-type server makes the client verify the nsCertType=server extension that
  # easy-rsa's build-key-server sets; newer OpenVPN releases prefer remote-cert-tls server.
  # mssfix only applies to UDP transports and is a no-op with proto tcp.
  echo "client
  
dev tun
proto tcp
remote ${HOSTIP} 443
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
verb 3
ns-cert-type server
mute 20
link-mtu 1400
mssfix 1400
<ca>
`cat /etc/openvpn/tun0/ca.crt`
</ca>
 
<cert>
`cat /etc/openvpn/tun0/${CONFIG}.crt`
</cert>
 
<key>
`cat /etc/openvpn/tun0/${CONFIG}.key`
</key>
" > /etc/openvpn/tun0/${CONFIG}.ovpn
  
done
 
echo "Enable forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
 
echo "OpenVPN forwarding"
# Let VPN clients out through eth0 (NATed to the host address) and allow only
# return traffic for established connections back into the tunnel.
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.44.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.44.0/24 -o eth0 -j MASQUERADE
 
# Debian's /etc/rc.local ends with "exit 0", so lines appended after it would never
# run on boot: drop that line first and put it back after the new rules.
sed -i '/^exit 0$/d' /etc/rc.local
echo >> /etc/rc.local
echo "# VPN setup" >> /etc/rc.local
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
 
echo "# Routing" >> /etc/rc.local
echo "iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT" >> /etc/rc.local
echo "iptables -A FORWARD -s 192.168.44.0/24 -o eth0 -j ACCEPT" >> /etc/rc.local
echo "iptables -t nat -A POSTROUTING -s 192.168.44.0/24 -o eth0 -j MASQUERADE" >> /etc/rc.local
echo "exit 0" >> /etc/rc.local
 
echo "Restarting openvpn"
/etc/init.d/openvpn start
 

Copy the script above to a file called setup-vpn.sh.

# chmod 700 setup-vpn.sh
# ./setup-vpn.sh
Answer all the questions and your VPN will be set up. In the directory /etc/openvpn/tun0 you will find router.ovpn and iphone.ovpn. Download both from your server and then delete them from the server; each file carries that client's private key inline. The difference between the two is that iphone.ovpn redirects all traffic through the VPN tunnel, while router.ovpn only sets up a route to the 192.168.44.0/24 network via the tunnel. You can replace 8.8.8.8 with 192.168.44.1 if you are running your own DNS.
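To check what the generated .ovpn profiles actually contain before handing them to a device, here is an added Python example (not part of setup-vpn.sh or of OpenVPN): a small parser for the inline profile format the loop in the script writes, plus checks for the directives this how-to relies on. The sample profile and its PEM bodies are constructed placeholders, and remote-cert-tls server is accepted as the newer equivalent of ns-cert-type server.

```python
import re
def pem(kind, body):
    """Placeholder PEM block for the constructed sample (not a real key)."""
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----"

# Constructed profile in the shape setup-vpn.sh's echo block produces.
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "proto tcp", "remote 203.0.113.10 443",
    "cipher AES-256-CBC", "ns-cert-type server",
    "<ca>", pem("CERTIFICATE", "PLACEHOLDER-CA"), "</ca>",
    "<cert>", pem("CERTIFICATE", "PLACEHOLDER-CLIENT"), "</cert>",
    "<key>", pem("PRIVATE KEY", "PLACEHOLDER-KEY"), "</key>", ""])

def parse_profile(text):
    """Split a profile into (directives, blocks): directives is a list of
    token lists, blocks maps an inline tag to the text between <tag> and </tag>."""
    directives, blocks, tag, buf = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                   # inside <tag> ... </tag>
            if line == f"</{tag}>":
                blocks[tag] = "\n".join(buf)
                tag, buf = None, []
            else:
                buf.append(line)
        elif re.fullmatch(r"<[a-z-]+>", line):    # opening inline tag
            tag = line[1:-1]
        elif line and line[0] not in "#;":        # skip blanks and comments
            directives.append(line.split())
    if tag:
        raise ValueError(f"unterminated <{tag}> block")
    return directives, blocks

def audit_profile(text):
    """Return findings for the checks this how-to relies on; [] means clean."""
    directives, blocks = parse_profile(text)
    opts = {d[0]: d[1:] for d in directives}
    findings = []
    # Without this the client accepts any CA-signed cert as the server, so a
    # copied client cert (e.g. from router.ovpn) could impersonate the server.
    if "ns-cert-type" not in opts and "remote-cert-tls" not in opts:
        findings.append("no server certificate check (ns-cert-type/remote-cert-tls)")
    if opts.get("cipher") != ["AES-256-CBC"]:
        findings.append("cipher does not match the server's AES-256-CBC")
    for t in ("ca", "cert", "key"):               # the whole identity is inline
        if "-----BEGIN" not in blocks.get(t, ""):
            findings.append(f"missing or empty inline <{t}> block")
    return findings
```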