Difference between revisions of "Setup a VPN"

From Da Nerd Mage Wiki
Latest revision as of 01:33, 2 February 2022

Proven on: Debian 11 (bullseye)

As always...

Start with:

  • sudo apt update
  • sudo apt upgrade

Install openvpn

  • sudo apt install openvpn

Testing

We'll build a raw (unsecured) connection for testing.

Note that this is not a persistent setup. Hitting Ctrl-C in the terminal where you started openvpn will destroy the VPN tunnel.

Configure as a server

  • sudo openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2

in a second terminal:

  • ip a

& you should see a tun1 entry like:

9: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
   link/none 
   inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1
      valid_lft forever preferred_lft forever
   inet6 fe80::dc71:3707:693c:5017/64 scope link stable-privacy 
      valid_lft forever preferred_lft forever

Configure as a client

  • sudo openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1

(Where SERVER_IP is the IP address or name of the machine acting as the server...)

in a second terminal:

  • ip a

& you should see a tun1 entry like:

3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
   link/none 
   inet 10.9.8.2 peer 10.9.8.1/32 scope global tun1
      valid_lft forever preferred_lft forever
   inet6 fe80::4c39:d598:21b8:2b41/64 scope link stable-privacy 
      valid_lft forever preferred_lft forever

Securing your VPN

Handling it locally

Static-Key

In the server's /etc/openvpn directory, run the following command to generate a static key:

  • sudo openvpn --genkey --secret static.key

Copy this static key to the client's /etc/openvpn directory using a secure channel like scp or sftp:

  • sudo scp static.key USER@VPNclient:~

Then, on the client:

  • sudo mv ~/static.key /etc/openvpn

On the server, create a new /etc/openvpn/tun0.conf file:

  • sudo vi /etc/openvpn/tun0.conf

and add the following:

dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key

On the client, create a new /etc/openvpn/tun0.conf file:

  • sudo vi /etc/openvpn/tun0.conf

and add the following:

remote SERVER_IP
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key

Start OpenVPN by hand on both sides with the following command (--verb 6 gives verbose output):

  • sudo openvpn --config /etc/openvpn/tun0.conf --verb 6

You should now see tun devices on both machines (like in the Testing section above):

  • ip a
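Before starting openvpn on either side, a pre-flight check of the static-key setup above (an added example script, not from the wiki; assumes GNU stat as on Debian, the check_* names and the constructed sample files written by demo()):

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-flight checks for the static-key
# tun0.conf pair above, run before 'openvpn --config ...'. Assumes GNU stat
# (Debian) and the constructed sample files written by demo().

# Print the path given to the 'secret' directive of an OpenVPN config file.
secret_path() {
    awk '$1 == "secret" { print $2; exit }' "$1"
}

# 0 if the key exists, is mode 0600 and carries the static-key header, else a
# reason and non-zero. The key is the whole secret of this setup: anyone who can
# read it can join or decrypt the tunnel, so keep it root-owned and 0600.
check_key_file() {
    key=$1
    [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
    mode=$(stat -c '%a' "$key")
    [ "$mode" = "600" ] || { echo "$key is mode $mode, expected 600"; return 2; }
    [ "$(stat -c '%U' "$key")" = "root" ] || echo "warning: $key is not owned by root"
    head -n 1 "$key" | grep -q '^-----BEGIN OpenVPN Static key V1-----$' \
        || { echo "$key has no OpenVPN static-key header"; return 3; }
}

# 0 if the config names a usable secret file.
check_static_key_conf() {
    key=$(secret_path "$1")
    [ -n "$key" ] || { echo "no 'secret' line in $1"; return 1; }
    check_key_file "$key"
}

# 0 if server and client configs mirror each other: 'ifconfig A B' vs 'ifconfig B A'.
check_ifconfig_pair() {
    s=$(awk '$1 == "ifconfig" { print $2, $3; exit }' "$1")
    c=$(awk '$1 == "ifconfig" { print $3, $2; exit }' "$2")
    [ -n "$s" ] && [ "$s" = "$c" ]
}

# Constructed sample: the page's server/client tun0.conf pair and a dummy key.
demo() {
    d=$(mktemp -d)
    printf 'dev tun0\nifconfig 10.9.8.1 10.9.8.2\nsecret %s/static.key\n' "$d" > "$d/server.conf"
    printf 'remote SERVER_IP\ndev tun0\nifconfig 10.9.8.2 10.9.8.1\nsecret %s/static.key\n' "$d" > "$d/client.conf"
    printf -- '-----BEGIN OpenVPN Static key V1-----\nconstructed, not a real key\n-----END OpenVPN Static key V1-----\n' > "$d/static.key"
    chmod 600 "$d/static.key"
    check_static_key_conf "$d/server.conf" && check_ifconfig_pair "$d/server.conf" "$d/client.conf" \
        && echo "static-key setup looks consistent"
    rm -rf "$d"
}
demo
```

On a real host, point check_static_key_conf at /etc/openvpn/tun0.conf on each side and check_ifconfig_pair at both configs (e.g. after copying the client's to the server).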

TLS-enabled

WERKIN ON IT

Using easy-rsa

Using a Commercial VPN Service

PIA

WERKIN ON IT

NordVPN

WERKIN ON IT

Starting the VPN on Boot

Server

  • sudo vi /etc/openvpn/server/server.conf

WERKIN ON IT

& create the status log file:

  • sudo touch /var/log/openvpn/openvpn-status.log

Restart OpenVPN:

  • sudo systemctl daemon-reload
  • sudo service openvpn restart

Client

  • sudo vi /etc/openvpn/client/client.conf

WERKIN ON IT

Restart OpenVPN:

  • sudo systemctl daemon-reload
  • sudo service openvpn restart