I did this on Debian but these instructions should work equally well for Ubuntu
Setup IP Forwarding/Masquerading/Firewall
To turn on IP forwarding for the running kernel:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Make the change permanent in /etc/sysctl.conf by uncommenting the line:
net.ipv4.ip_forward=1
To turn on IP masquerading add the following iptables rule (replace eth0 with your external interface):
# iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE
If you are running a firewall (and I strongly recommend you do on a public-facing box), you need to allow UDP on port 1194 into your box:
# iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
These rules need to be persistent, so save them and have a script restore them when the interface comes up:
# iptables-save > /etc/iptables.conf
Create a new file /etc/network/if-up.d/iptables containing:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.conf
Make it executable:
# chmod 755 /etc/network/if-up.d/iptables
Now the firewall comes up when networking starts. If all you have done is the above, your box is not really firewalled: nothing is dropped or blocked. For a basic firewall the following configuration forwards everything, allows DNS from the VPN subnet, and on the external interface accepts only SSH and OpenVPN:
*nat
:PREROUTING ACCEPT [36:18250]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [12:806]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [19:1037]
:FORWARD ACCEPT [420:191307]
:OUTPUT ACCEPT [314:39042]
# Allow everything on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow DNS to this machine from the VPN subnet (10.8.0.0/24 is what the
# OpenVPN "server" line below hands out). Resolvers use UDP first, TCP for
# large answers, so both are needed. Only relevant if you run your own DNS;
# I run dnsmasq.
-A INPUT -p udp --dport 53 -s 10.8.0.0/24 -j ACCEPT
-A INPUT -p tcp --dport 53 -s 10.8.0.0/24 -j ACCEPT
# Allow OpenVPN
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# DROP the rest
-A INPUT -i eth0 -j DROP
COMMIT
Two things to be aware of. These rules are IPv4 only: if the box has a public IPv6 address, ip6tables keeps its own tables and nothing above touches them. And because the final DROP is limited to eth0, packets arriving on tun0 are accepted by the INPUT policy regardless, so the DNS rules only start to matter if you tighten that DROP (or the INPUT policy) to cover every interface.
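A stricter version of the ruleset above, as an added example (editor's code, not the page's own configuration). It generates the iptables-restore file from three parameters rather than hard-coding eth0, uses default-DROP policies on INPUT and FORWARD instead of a trailing DROP on one interface, only masquerades and forwards the VPN subnet, and accepts DNS over both UDP and TCP from tun interfaces only. The interface name, VPN subnet and SSH port are the caller's choice; tun+ is iptables' wildcard for OpenVPN's tun devices. It still covers IPv4 only.

```shell
#!/bin/sh
# Added example: generate the iptables-restore ruleset for an OpenVPN gateway.
# Usage: gen_rules EXT_IF VPN_NET SSH_PORT   (e.g. gen_rules eth0 10.8.0.0/24 22)
# Not the page's ruleset; parameters and tun+ wildcard are this example's assumptions.
set -eu

gen_rules() {
    ext_if=$1; vpn_net=$2; ssh_port=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only the VPN subnet, not anything else that might get routed through us
-A POSTROUTING -s $vpn_net -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP is needed for path MTU discovery, which tunnels depend on
-A INPUT -p icmp -j ACCEPT
# Only SSH and OpenVPN are reachable from the outside
-A INPUT -i $ext_if -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $ext_if -p udp --dport 1194 -j ACCEPT
# DNS from VPN clients only; resolvers try UDP first and fall back to TCP
-A INPUT -i tun+ -s $vpn_net -p udp --dport 53 -j ACCEPT
-A INPUT -i tun+ -s $vpn_net -p tcp --dport 53 -j ACCEPT
# Forward VPN clients out to the internet and let the replies back in
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -s $vpn_net -o $ext_if -j ACCEPT
COMMIT
EOF
}

# Root only: write the file the if-up.d hook restores, and load it now
install_rules() {
    gen_rules "$@" > /etc/iptables.conf
    iptables-restore < /etc/iptables.conf
}

if [ $# -eq 3 ]; then
    gen_rules "$@"
fi
```

Run it with the three parameters to print the ruleset and inspect it, then `install_rules eth0 10.8.0.0/24 22` as root. With `client-to-client` in openvpn.conf, traffic between clients is switched inside the daemon and never reaches the FORWARD chain; without it, a `-i tun+ -o tun+` FORWARD rule would be needed too.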
Setup OpenVPN
# aptitude install openvpn openssl
Edit /etc/default/openvpn, comment out all existing lines, and add:
Create Certificates and Keys
On your server, as root:
# cd /etc/openvpn
Copy the easy-rsa scripts shipped with the openvpn package into place:
# cp -r /usr/share/doc/openvpn/examples/easy-rsa .
# cd easy-rsa/2.0/
Edit the file "vars" and change the default values at the bottom (KEY_COUNTRY, KEY_ORG and so on) to match your details. While you are there, raise KEY_SIZE from its default of 1024 to 2048: it sets both the RSA key length and the Diffie-Hellman parameter size, and the generated DH file is named after it (dh2048.pem instead of dh1024.pem).
Source the settings into your shell:
# . ./vars
# ./clean-all
clean-all wipes the keys directory, so run it only once, when first setting up. Running it later removes every certificate you have issued.
Create your Certificate Authority:
# ./build-ca
Give it a sensible common name, something like "OpenVPN CA".
Now build the key and certificate for your server:
# ./build-key-server server
Set the common name to "server", and answer yes when asked to sign the certificate and commit it.
Now create the Diffie-Hellman parameters (this takes a while with KEY_SIZE=2048):
# ./build-dh
Most other guides now have you generate client certificates, but this setup uses username and password authentication, so that step is skipped. Be clear about what that means: the server is still authenticated to clients by its certificate (clients need ca.crt to check it), but a client is identified by a PAM password alone, so anyone who can reach UDP 1194 can attempt logins against your local accounts.
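The same CA and server certificate built with plain openssl, as an added example (editor's code, not the page's easy-rsa scripts), so that the result can be checked before it goes into /etc/openvpn. It assumes a scratch directory as the first argument, writes its own minimal openssl.cnf carrying the extensions build-ca and build-key-server put on their certificates, and uses 2048-bit RSA keys and the common names the page suggests. The two check functions at the end are the ones worth running on easy-rsa's output as well.

```shell
#!/bin/sh
# Added example (editor's code, not the page's easy-rsa scripts): build the OpenVPN
# server PKI with plain openssl and verify it. Assumes: $1 is a scratch directory,
# CA and server names as on the page, 2048-bit RSA keys.
set -eu

# Minimal openssl.cnf (constructed here) with the extensions easy-rsa 2.0's
# build-ca and build-key-server put on their certificates.
write_pki_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build_pki DIR CA_CN SERVER_CN: the equivalent of build-ca and build-key-server
build_pki() {
    dir=$1; ca_cn=$2; srv_cn=$3
    write_pki_config "$dir/pki.cnf"
    # CA: self-signed; key left unencrypted because the daemon reads it unattended
    openssl req -x509 -batch -config "$dir/pki.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$ca_cn" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # server: key + CSR, then a CA signature that adds the serverAuth extensions
    openssl req -new -batch -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$srv_cn" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/pki.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# build-dh equivalent; slow at 2048 bits, so kept as a separate step
build_dh() { openssl dhparam -out "$1/dh$2.pem" "$2"; }

# Checks to run before copying the files into /etc/openvpn: does server.crt chain
# to ca.crt, and is it usable as a TLS server? The second is what clients
# configured with "remote-cert-tls server" insist on.
verify_server_cert() {
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

if [ "${1:-}" ]; then
    build_pki "$1" "OpenVPN CA" server
    verify_server_cert "$1" && echo "server.crt verifies against ca.crt"
fi
```

The serverAuth extended key usage matters for password-only setups: clients should carry `remote-cert-tls server` so that a rogue server presenting some other certificate signed by the same CA cannot harvest their PAM credentials. If you also want the control channel closed to unauthenticated peers, generate a shared key with `openvpn --genkey --secret ta.key` and add `tls-auth ta.key 0` on the server (`1` on clients).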
Edit /etc/openvpn/openvpn.conf and add the following (the comments are not needed, they are only there for explanation):
dev tun
## udp is recommended, avoid TCP over TCP
proto udp
## any port will do, this is the standard
port 1194
## certs we created earlier
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
## the file name follows KEY_SIZE in vars: dh2048.pem if you raised it to 2048
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
## drop root after startup; persist-key/persist-tun let a restart work without it
user nobody
group nogroup
## You can make this any private subnet you like
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
## make this connection the default gateway for network traffic
push "redirect-gateway def1"
## I am running dnsmasq, you may want to put your server's DNS here
## or even Google's public resolver: 8.8.8.8
push "dhcp-option DNS 10.8.0.1"
log-append /var/log/openvpn
## User authentication settings. Usernames must be able to authenticate with PAM.
## The last argument is the PAM service name. To use RADIUS or another mechanism,
## create /etc/pam.d/openvpn and change "login" below to "openvpn".
## By default it is doing common-auth (a user must have a local account and password).
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
## No client certificate: the PAM password is the only client credential.
## (OpenVPN 2.4 and later spell this "verify-client-cert none".)
client-cert-not-required
username-as-common-name
## A management interface allows you to telnet from localhost:
## telnet localhost 7505
## Whoever connects controls the daemon. If other local users exist, add a
## password file as a third argument: management localhost 7505 /etc/openvpn/mgmt.pw
management localhost 7505
# /etc/init.d/openvpn restart
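A quick lint for the server configuration, as an added example (editor's code, not from the page): it flags the settings in the config above that leave the server weaker than it needs to be, so the check can be rerun after every edit. It assumes one directive per line with comments starting with # or ;, as in the page's file; the sample config it writes is a constructed copy of the page's directives, and the warning texts and the fixes they suggest are this example's.

```shell
#!/bin/sh
# Added example (editor's code, not from the page): flag weak settings in an
# openvpn.conf. Assumes one directive per line, comments starting with # or ;.
set -eu

# Directives only: drop blank lines and comment lines
directives() { grep -vE '^[[:space:]]*([#;]|$)' "$1" || true; }

# audit_openvpn_conf FILE: print one WARN line per finding; always returns 0
audit_openvpn_conf() {
    body=$(directives "$1")
    printf '%s\n' "$body" | grep -qE '^dh[[:space:]].*dh1024\.pem' && \
        echo "WARN: 1024-bit DH parameters; set KEY_SIZE=2048 in vars and rerun build-dh"
    printf '%s\n' "$body" | grep -qE '^(tls-auth|tls-crypt)[[:space:]]' || \
        echo "WARN: no tls-auth/tls-crypt key; unauthenticated peers can talk to the TLS control channel"
    printf '%s\n' "$body" | grep -qE '^(client-cert-not-required|verify-client-cert[[:space:]]+none)' && \
        echo "WARN: clients are not authenticated by certificate; the PAM password is the only credential"
    # "management host port" with no third argument means no password file
    printf '%s\n' "$body" | grep -E '^management[[:space:]]' | awk 'NF < 4 { bad = 1 } END { exit bad }' || \
        echo "WARN: management interface has no password file; any local user can drive the daemon"
    printf '%s\n' "$body" | grep -qE '^user[[:space:]]' || \
        echo "WARN: no user directive; the daemon keeps running as root after startup"
    return 0
}

# Constructed copy of the page's server config, for trying the check offline
write_sample_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#verb 3
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
management localhost 7505
EOF
}

if [ "${1:-}" ]; then
    audit_openvpn_conf "$1"
fi
```

Run as `sh audit.sh /etc/openvpn/openvpn.conf`. Against the page's config it reports four findings (DH size, missing tls-auth, certificate-less clients, unprotected management port); `user nobody` is present, so that check stays quiet. The certificate finding is informational for this setup, since password-only authentication is the page's deliberate choice, but it is the reason the other three deserve fixing.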
So this is the server done. We haven't configured anything to connect to it yet.
Client how-to coming up next time.
Update: the client how-to is available.