Setup a VPN
Latest revision as of 01:33, 2 February 2022
11 (bullseye)
As always... Start with:
Install openvpn
sudo apt install openvpn
Testing
We'll build a raw (unsecured) connection for testing.
Note that this is not a persistent setup. Hitting Ctrl-C in the terminal where you started openvpn will destroy the VPN tunnel.
Configure as a server
sudo openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
In a second terminal, run ip a and you should see a tun1 entry like:
9: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::dc71:3707:693c:5017/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Configure as a client
sudo openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
(Where SERVER_IP is the IP address or name of the machine acting as the server...)
In a second terminal, run ip a and you should see a tun1 entry like:
3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.2 peer 10.9.8.1/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::4c39:d598:21b8:2b41/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
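Eyeballing the ip a listing works, but a script can confirm the same thing on both ends and catch a swapped or mistyped --ifconfig pair. The shell functions below are an added example, not part of the original page: tun_check parses ip a output and exits 0 only when the named tun interface is UP and carries exactly the local/peer pair you asked for, and tun_pair_ok checks that the server and client listings mirror each other. The two ip a samples are constructed from the listings above so the script runs offline; on a live host pass "$(ip a)" as the last argument instead.

```shell
#!/bin/sh
# Added example, not from the wiki page: confirm that a tun interface came up
# with the addresses given to --ifconfig, by parsing `ip a` output.
# Live usage:  tun_check tun1 10.9.8.1 10.9.8.2 "$(ip a)"

# Constructed `ip a` samples modelled on the server and client listings above.
SAMPLE_SERVER='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1
       valid_lft forever preferred_lft forever'

SAMPLE_CLIENT='3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.2 peer 10.9.8.1/32 scope global tun1
       valid_lft forever preferred_lft forever'

# tun_check IFACE LOCAL PEER TEXT
# Exit 0 only when IFACE is listed, its flags include UP, and it carries the
# line "inet LOCAL peer PEER/32". Wrong peer, absent or down interface: exit 1.
tun_check() {
    printf '%s\n' "$4" | awk -v ifc="$1" -v l="$2" -v p="$3" '
        /^[0-9]+: / {                    # "N: name: <FLAGS> ..." header line
            cur = $2; sub(/:$/, "", cur)
            up = ($3 ~ /[<,]UP[,>]/)     # the UP flag itself, not LOWER_UP
        }
        cur == ifc && up && $1 == "inet" && $2 == l && $3 == "peer" && $4 == (p "/32") {
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# tun_pair_ok SERVER_TEXT CLIENT_TEXT IFACE SERVER_IP CLIENT_IP
# The two ends must mirror each other: the server's peer is the client's local
# address and vice versa. A typo in either --ifconfig shows up here.
tun_pair_ok() {
    tun_check "$3" "$4" "$5" "$1" && tun_check "$3" "$5" "$4" "$2"
}

# Stand-alone run against the constructed samples.
if tun_pair_ok "$SAMPLE_SERVER" "$SAMPLE_CLIENT" tun1 10.9.8.1 10.9.8.2; then
    echo "tun1 is up on both ends with mirrored 10.9.8.1 <-> 10.9.8.2 addresses"
else
    echo "tunnel check failed" >&2
fi
```

Remember that a passing check only tells you the interface exists; this Testing tunnel still carries everything in the clear, which is what the next section fixes.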
Securing your VPN
Handling it locally
Static-Key
In the server's /etc/openvpn directory, run the following command to generate a static key:
sudo openvpn --genkey --secret static.key
Copy this static key to the client's /etc/openvpn directory using a secure channel like scp or sftp:
sudo scp static.key USER@VPNclient:~
Then, on the client:
sudo mv ~/static.key /etc/openvpn/
On the server, create a new /etc/openvpn/tun0.conf file:
sudo vi /etc/openvpn/tun0.conf
and add the following:
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
On the client, create a new /etc/openvpn/tun0.conf file:
sudo vi /etc/openvpn/tun0.conf
and add the following:
remote SERVER_IP
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
Start OpenVPN by hand on both sides with the following command (verbosity level 6):
sudo openvpn --config /etc/openvpn/tun0.conf --verb 6
You should now see tun devices on both machines (like in the Testing section above):
ip a
TLS-enabled
WERKIN ON IT
Using a Commercial VPN Service
PIA
WERKIN ON IT
NordVPN
WERKIN ON IT
Starting the VPN on Boot
Server
sudo vi /etc/openvpn/server/server.conf
WERKIN ON IT
and create the status log file:
touch /var/log/openvpn/openvpn-status.log
Restart OpenVPN:
systemctl daemon-reload
sudo service openvpn restart
Client
sudo vi /etc/openvpn/client/client.conf
WERKIN ON IT
Restart OpenVPN:
systemctl daemon-reload
sudo service openvpn restart