Linux Server Build: OpenVPN From Scratch - Hak5 2019

Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
____________________________________________
Today we're building an OpenVPN server from scratch in Linux!
-------------------------------
Shop: http://www.hakshop.com
Support:   / threatwire  
Subscribe:    / hak5  
Our Site: http://www.hak5.org
Contact Us:   / hak5  
------------------------------
Install and setup OpenVPN

apt-get update; apt-get install openvpn easy-rsa

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server.conf

nano /etc/openvpn/server.conf

replace dh1024.pem with dh2048.pem
#uncomment push "redirect-gateway def1 bypass-dhcp"
#uncomment push "dhcp-option DNS" and replace IP addresses with your fav DNS
#uncomment user nobody
#uncomment group nogroup
#save and exit

Setup Firewall

#Enable IP forwarding
echo 1 /proc/sys/net/ipv4/ip_forward

nano /etc/sysctl.conf
#uncomment net.ipv4.ip_forward=1
#save and exit

#Configure firewall.

ufw status
ufw allow ssh
ufw allow 1194/udp

#Let packets forward through the VPS by changing for forward policy to accept

nano /etc/default/ufw
#replace DROP with ACCEPT in DEFAULT_FORWARD_POLICY="DROP"
#save and exit

#Enable NAT and IP masquerading for clients
nano /etc/ufw/before.rules
#Add the following near the top
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT

ufw status

Setup Keys and Start the Server

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

nano /etc/openvpn/easy-rsa/vars
#change export KEY_* values
#set KEY_NAME to "server"
#save and exit

#Generate the 2048 bit Diffie-Hellman pem file we pointed to in the openvpn config
openssl dhparam -out /etc/openvpn/dh2048.pem 2048

#move to the easy-rsa directory

cd /etc/openvpn/easy-rsa

#Set the variables we configured
. ./vars
./clean-all
./build-ca #Accept all defaults
./build-key-server server #Accept all defaults

#Move the newly generated certificates to /etc/openvpn
cp /etc/openvpn/easy-rsa/keys/server.crt,server.key,ca.crt /etc/openvpn

#In /etc/openvpn we should have a server.conf, server.crt, server.key, ca.crt and dh2048.pem

#start the OpenVPN service
service openvpn start
service openvpn status

Setup keys for the first client

./build-key client
ls keys

#Make a new directory to merge the client configuration and keys
mkdir ~/client

#Copy the example client configuration renaming the file extension from conf to ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client/pineapple.ovpn

cd /etc/openvpn/easy-rsa/keys
cp client.crt client.key client.ovpn ~/client
cp /etc/openvpn/ca.crt ~/client

Securely copy client.crt, client.key, ca.crt and client.ovpn to your client device

cd ~/client

#determine public IP address
ifconfig

nano pineapple.ovpn
find remote and replace my-server-1 with IP address of VPN server
uncomment group nogroup
uncomment user nobody
comment out the ca, cert and key directives
save and exit

echo "ca" to pineapple.ovpn
cat ca.crt to pineapple.ovpn
echo "/ca" to pineapple.ovpn

echo "cert" to pineapple.ovpn
cat client.crt to pineapple.ovpn
echo "/cert" to pineapple.ovpn

echo "key" to pineapple.ovpn
cat client.key to pineapple.ovpn
echo "/key" to pineapple.ovpn

~-~~-~~~-~~-~
Please watch: "Bash Bunny Primer - Hak5 2225"
   • Bash Bunny Primer - Hak5  2225  
~-~~-~~~-~~-~
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community – where all hackers belong.