[howto] Install latest openvpn


# Tested on
# Raspbian Wheezy version date: 2014-09-09
#
# Summary of Files that we will use
###############################################
# Script to start openvpn [ /etc/init.d/openvpn ]
# https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh
#
# Script to merge Client keys and certs
# https://www.dropbox.com/s/v228zvccef9d10c/merge.sh
#
# Script to merge Server keys and certs
# https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh
#
# Latest openvpn source code
# http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz
###############################################

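# Fetch and unpack the latest stable OpenVPN source tarball into $HOME.
# NOTE(review): this URL is plain HTTP and nothing in this howto verifies the
# archive; check the tarball against the signature/checksum the OpenVPN project
# publishes for the release before building it.
cd "$HOME" || exit 1
wget http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz || exit 1
# The extracted directory name carries the real version (openvpn-2.4.0 at the
# time of writing); the build step below must point at that directory.
tar xzvf openvpn-latest-stable.tar.gz || exit 1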

# at this time, the latest is openvpn-2.4.0
# you will see what revision it is when you unzip it

# We need to add a few components to be able to compile
# Install the toolchain and libraries needed to compile OpenVPN from source.
sudo apt-get update
# build-dep pulls in whatever the distro package itself needed (this needs
# deb-src entries enabled in the apt sources, otherwise it errors out).
sudo apt-get build-dep openvpn -y
build_pkgs=(
  gcc make automake autoconf dh-autoreconf file patch perl
  dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev
)
sudo apt-get install "${build_pkgs[@]}" -y

# This is the bit where we make and install the openvpn server
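# Build OpenVPN from the unpacked source and install it under /usr.
sudo mkdir -p /etc/openvpn/
# Adjust the version in this path to whatever directory the tarball extracted to.
cd "$HOME/openvpn-2.4.0/" || exit 1
./configure --prefix=/usr || exit 1
make || exit 1
sudo make install || exit 1
# Install the init script. The original collapsed the wget and chmod onto one
# line (so neither ran as intended) and passed --no-check-cert, which disables
# certificate verification for a file that will be executed as root on every
# boot. Keep verification on, and read the script before enabling it.
sudo wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O /etc/init.d/openvpn || exit 1
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults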

# Now we create keys and certs using easyrsa3
# easyrsa3 using batch with no prompts, no password protection

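# Create the PKI with easy-rsa 3: CA, server cert, one client cert, DH params.
# --batch and nopass mean no prompts and no passphrase on the private keys, so
# the resulting pki/private/ directory must stay readable only by you.
mkdir -p "$HOME/clientside" "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# NOTE(review): this downloads an unpinned snapshot of the easy-rsa master
# branch; a tagged release archive would make the setup reproducible.
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip || exit 1
unzip master.zip || exit 1
cd easy-rsa-master/easyrsa3 || exit 1
# Pre-shared key used by the tls-auth lines in both configs below.
openvpn --genkey --secret ta.key || exit 1
./easyrsa init-pki || exit 1
./easyrsa --batch build-ca nopass || exit 1
./easyrsa --batch build-server-full server nopass || exit 1
./easyrsa --batch build-client-full client1 nopass || exit 1
./easyrsa gen-dh || exit 1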

# we will merge certs and keys into config files
# one for server and one for client

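# Stage the server-side and client-side material into separate directories.
# ca.crt and ta.key are shared and go to both sides.
pki="$HOME/serverside/easy-rsa-master/easyrsa3"
serverside="$HOME/serverside"
clientside="$HOME/clientside"
cp "$pki/pki/ca.crt" "$serverside/"
cp "$pki/pki/issued/server.crt" "$serverside/"
# gen-dh writes pki/dh.pem; server.conf below refers to it as dh2048.pem.
cp "$pki/pki/dh.pem" "$serverside/dh2048.pem"
cp "$pki/pki/private/server.key" "$serverside/"
cp "$pki/ta.key" "$serverside/"
cp "$pki/pki/issued/client1.crt" "$clientside/"
cp "$pki/ta.key" "$clientside/"
cp "$pki/pki/ca.crt" "$clientside/"
cp "$pki/pki/private/client1.key" "$clientside/"
# The private keys and ta.key were generated without a passphrase; keep the
# staged copies readable by the owner only.
chmod 600 "$serverside/server.key" "$serverside/ta.key" \
  "$clientside/client1.key" "$clientside/ta.key"

# Client Script
nano "$HOME/clientside/raspberrypi.ovpn"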

# OpenVPN client profile (raspberrypi.ovpn). merge.sh later inlines the
# ca/cert/key/tls-auth files referenced here so a single file can be shipped.
client
dev tun
proto udp
# change_this_to_server_address is a placeholder for the server's hostname or
# public IP; 34557 must match the "port" line in server.conf.
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Key direction 1 here pairs with direction 0 in server.conf.
tls-auth ta.key 1
# Only accept a peer whose certificate was issued as a server certificate.
remote-cert-tls server
cipher AES-256-CBC
# NOTE(review): must match the server's comp-lzo setting; compression on a VPN
# link is discouraged in current OpenVPN documentation — confirm it is still
# wanted on both sides before keeping it.
comp-lzo
verb 3

# Now merge certs and keys into client script, so we only have one file to handle
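# Now merge certs and keys into client script, so we only have one file to handle
cd "$HOME/clientside/" || exit 1
# Certificate verification stays enabled (the original passed --no-check-cert):
# this script is executed as root a few lines down, so it must come from the
# expected origin — and read it before running it.
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh || exit 1
chmod +x merge.sh
# Run with sudo as the author did; presumably that is why the merged profile
# ends up root-owned and needs the chown below.
sudo ./merge.sh || exit 1
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC. It embeds the client's private key,
# so move it over an authenticated channel and delete stray copies afterward.
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script
nano "$HOME/serverside/server.conf"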

# OpenVPN server config (server.conf). merge_server.sh later inlines the
# ca/cert/key/dh/tls-auth files referenced here; the merged file is then
# copied to /etc/openvpn/.
# 34557/udp must match the client's "remote" line and the ufw/iptables rules
# further down.
port 34557
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# Key direction 0 here pairs with direction 1 in the client profile.
tls-auth ta.key 0
dh dh2048.pem
# VPN address pool; the firewall rules below must use this same 10.8.0.0/24.
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
# NOTE(review): must match the client's comp-lzo setting; compression on a VPN
# link is discouraged in current OpenVPN documentation — confirm it is still
# wanted on both sides before keeping it.
comp-lzo
persist-key
persist-tun
# Run as an unprivileged user once the tunnel is up (persist-key/persist-tun
# above keep the key material and tun device usable after that switch).
user nobody
group nogroup
# Relative path — presumably resolved against the daemon's working directory.
status openvpn-status.log
verb 3
# Route all client traffic through the tunnel and hand clients these resolvers.
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# Now merge certs and keys into server script, so we only have one file to handle
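# Now merge certs and keys into server script, so we only have one file to handle
cd "$HOME/serverside/" || exit 1
# Certificate verification stays enabled (the original passed --no-check-cert):
# this script is executed as root below, so it must come from the expected
# origin — and read it before running it.
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh || exit 1
chmod +x merge_server.sh
sudo ./merge_server.sh || exit 1

# Now copy the merged server script to /etc/openvpn/
# It embeds server.key and ta.key, so keep it readable by root only.
sudo cp "$HOME/serverside/server.conf" /etc/openvpn/
sudo chmod 600 /etc/openvpn/server.conf

# uncomment the following line in sysctl.conf to enable IP forwarding
sudo nano /etc/sysctl.conf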

net.ipv4.ip_forward=1

#
# The firewall settings can really screw everything up
# If you have ufw enabled and then load what is below, it's dead.
# You won't be able to make contact with the PI after you restart it.
#
# If you have ufw enabled goto the bottom of this post.
# don't make the file for firewall settings using iptables.
#
# There are a number of ways; it depends on how you're using the PI.
# I am using it as a headless remote server, this means no desktop
# environment, and no other firewall conflicting data loaded, no ufw.
# Here is alternative Firewall data using a static IP address
# check with ifconfig. Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s VPNIP -o interface -j SNAT --to-source LOCALIP
#
# e.g.
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.2
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make file for firewall setting
# Create the firewall script; it is run as root from /etc/rc.local at boot (see below).
sudo nano /usr/local/bin/firewall.sh

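#!/bin/bash
# firewall.sh — forwarding and NAT rules for the OpenVPN tunnel.
# Run as root, from /etc/rc.local at boot or by hand after editing.
#
# Flushing the filter and nat tables discards every other rule on the box
# (this is why it conflicts with ufw); chain policies are left untouched.
set -eu

# Must match the "server" line in server.conf.
readonly vpn_subnet="10.8.0.0/24"
# Egress interface for NAT. Empty (the default) keeps the original behaviour of
# masquerading on every interface; set VPN_OUT_IF=eth0 to restrict it to the
# uplink.
vpn_out_if="${VPN_OUT_IF:-}"

iptables -t filter -F
iptables -t nat -F
# Replies belonging to already-forwarded flows.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New flows are forwarded only from the VPN subnet; anything else is rejected.
iptables -A FORWARD -s "$vpn_subnet" -j ACCEPT
iptables -A FORWARD -j REJECT
nat_rule=(-t nat -A POSTROUTING -s "$vpn_subnet")
if [[ -n "$vpn_out_if" ]]; then
  nat_rule+=(-o "$vpn_out_if")
fi
iptables "${nat_rule[@]}" -j MASQUERADE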

# Make firewall script executable, run it and check
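# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh || exit 1
# --list on its own shows only the filter table; the MASQUERADE rule lives in
# the nat table. -n skips reverse DNS lookups so the listing cannot hang.
sudo iptables -n --list
sudo iptables -t nat -n --list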

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.
# Open rc.local and add the line shown below above its final "exit 0".
sudo nano /etc/rc.local

# Line to add to /etc/rc.local so the rules are reloaded at boot; keep it above the final "exit 0".
/usr/local/bin/firewall.sh

# reboot the pi
# Reboot so the sysctl change, rc.local line and the openvpn init script all take effect.
sudo reboot


# And now for something completely different......
# Uncomplicated Firewall (ufw) is a front-end for iptables
# If you load your own iptables data, it gets very complicated
# If you have UFW enabled do the following instead

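# Open the OpenVPN port; 34557/udp must match "port" and "proto" in server.conf.
# ufw needs root like every other command in this howto, so run it via sudo.
sudo ufw allow 34557/udp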


# Look for DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:

# Open ufw's defaults file and change the DEFAULT_FORWARD_POLICY line as shown below.
sudo nano /etc/default/ufw

# Forwarded packets that no ufw rule matches are now accepted instead of dropped.
# NOTE(review): this appears to open forwarding between all interfaces, not just
# the tunnel — confirm whether a FORWARD rule limited to 10.8.0.0/24 is preferable.
DEFAULT_FORWARD_POLICY="ACCEPT"


# Add the following anywhere

# Open ufw's pre-rules file and add the NAT block shown below.
sudo nano /etc/ufw/before.rules

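# START OPENVPN RASPBERRY PI RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change eth0 to your uplink interface)
# The source must be the VPN subnet from server.conf, 10.8.0.0/24. The original
# used 10.8.0.0/8, which is the entire 10.0.0.0/8 block and would also
# masquerade any 10.x.x.x LAN hosts whose traffic is forwarded through the Pi.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES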


# ufw data Credit:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP
