Showing posts with label OpenVPN. Show all posts
Showing posts with label OpenVPN. Show all posts
, ,

Set up OpenVPN Server In 5 Minutes on Centos8 Linux

No comments

 am a new Ubuntu Linux server user. How do I setup an OpenVPN Server on Ubuntu Linux version 18.04/20.04 LTS or 20.10 server to shield my browsing activity from bad guys on public Wi-Fi, and more?



OpenVPN is a full-featured SSL VPN (virtual private network). It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol. It is an open source software and distributed under the GNU GPL. A VPN allows you to connect securely to an insecure public network such as wifi network at the airport or hotel. VPN is also required to access your corporate or enterprise or home server resources. You can bypass geo-blocked site and increase your privacy or safety online. This tutorial provides step-by-step instructions for configuring an OpenVPN “road warrior” server on Ubuntu Linux 18.04/20.04 LTS (20.10) version including ufw/iptables firewall configuration. The steps are as follows:

  1. Find and note down your public IP address
  2. Download openvpn-install.sh script
  3. Run openvpn-install.sh to install OpenVPN server

Find your public IP address:

Use any one of the following command to find out your IPv4 public address. If your internface name is eth0 or eth1, enter:
ip addr show eth0
OR
ip addr show eth1
OR
ip a


[root@radius ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 74:56:3c:37:b4:2c brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.6/24 brd 192.168.33.255 scope global noprefixroute enp5s0
       valid_lft forever preferred_lft forever
    inet 59.152.XXX.XXX/29 brd 59.152.107.151 scope global noprefixroute enp5s0
       valid_lft forever preferred_lft forever
    inet 192.168.33.7/24 brd 192.168.33.255 scope global secondary noprefixroute enp5s0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::334f:6f01:66fc:20b6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
[root@radius ~]#

Note down the public IPv4 address
59.152.XXX.XXX/29

Download openvpn-install.sh script to set up OpenVPN server in 5 minutes on Ubuntu

Type the following wget command or curl command:
wget https://git.io/vpn -O openvpn-install.sh

wget grabbing the script:

[root@radius ~]# wget https://git.io/vpn -O openvpn-install.sh
--2024-01-03 06:04:21--  https://git.io/vpn
Resolving git.io (git.io)... 140.82.114.21
Connecting to git.io (git.io)|140.82.114.21|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2024-01-03 06:04:23--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.github.com (raw.github.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2024-01-03 06:04:23--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23714 (23K) [text/plain]
Saving to: ‘openvpn-install.sh’
openvpn-install.sh                                          100%[========================================================================================================================================>]  23.16K  --.-KB/s    in 0.008s
2024-01-03 06:04:24 (2.69 MB/s) - ‘openvpn-install.sh’ saved [23714/23714]
[root@radius ~]#

We can verify script using a text editor such as nano command or vim command:
vi openvpn-install.sh

Running openvpn-install.sh to install OpenVPN server

Type the following command:
sudo chmod +x openvpn-install.sh
sudo bash openvpn-install.sh
Make sure you provide needed information:

[root@radius ~]# ./openvpn-install.sh

Welcome to this OpenVPN road warrior installer!


Which IPv4 address should be used?

     1) 192.168.33.6

     2) 59.152.107.147

     3) 192.168.33.7

IPv4 address [1]: 2


Which protocol should OpenVPN use?

   1) UDP (recommended)

   2) TCP

Protocol [1]: 1


What port should OpenVPN listen to?

Port [1194]: 1194


Select a DNS server for the clients:

   1) Current system resolvers

   2) Google

   3) 1.1.1.1

   4) OpenDNS

   5) Quad9

   6) AdGuard

DNS server [1]: 3


Enter a name for the first client:

Name [client]: nextgen


OpenVPN installation is ready to begin.

Press any key to continue...

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/server/easy-rsa/pki

Using Easy-RSA configuration:
* undefined

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
.................................+++++
..........+++++

Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/openvpn/server/easy-rsa/pki/ca.crt

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
.......................+++++
.....................................................................................................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/44ea2e7f/temp.1.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/server/easy-rsa/pki/reqs/server.req
* key: /etc/openvpn/server/easy-rsa/pki/private/server.key

Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec 31 11:06:09 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/server/easy-rsa/pki/issued/server.crt

Notice
------
Inline file created:
* /etc/openvpn/server/easy-rsa/pki/inline/server.inline

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
..............................................................................................................+++++
.....................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/7b06327f/temp.1.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /etc/openvpn/server/easy-rsa/pki/reqs/nextgen.req
* key: /etc/openvpn/server/easy-rsa/pki/private/nextgen.key

Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'nextgen'
Certificate is to be certified until Dec 31 11:06:10 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /etc/openvpn/server/easy-rsa/pki/issued/nextgen.crt

Notice
------
Inline file created:
* /etc/openvpn/server/easy-rsa/pki/inline/nextgen.inline

No Easy-RSA 'vars' configuration file exists!

Using SSL:
* openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Using configuration from /etc/openvpn/server/easy-rsa/pki/openssl-easyrsa.cnf

Notice
------
An updated CRL has been created:
* /etc/openvpn/server/easy-rsa/pki/crl.pem

Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.

Finished!

The client configuration is available in: /root/nextgen.ovpn
New clients can be added by running this script again.
[root@radius ~]#

 

Start/stop/restart OpenVPN server on Centos 8


Run the following systemctl command to stop the OpenVPN service:
sudo systemctl stop openvpn-server@server.service
Want to start it again? Try:
sudo systemctl start openvpn-server@server.service
The command to restart the OpenVPN service:
sudo systemctl restart openvpn-server@server.service
View status of your OpenVPN systemd based service:
sudo systemctl status openvpn-server@server.service

● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-01-03 06:06:10 EST; 25min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 16020 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 47953)
   Memory: 1.2M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─16020 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config server.conf

Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: 59.152.105.235:64346 [nextgen] Peer Connection Initiated with [AF_INET]59.152.105.235:64346
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI: Learn: 10.8.0.2 -> nextgen/59.152.105.235:64346
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 MULTI: primary virtual IP for nextgen/59.152.105.235:64346: 10.8.0.2
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 PUSH: Received control message: 'PUSH_REQUEST'
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 SENT CONTROL [nextgen]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,route-gateway >
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 03 06:07:55 radius.zoomonline.com.bd openvpn[16020]: nextgen/59.152.105.235:64346 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Conclusion

And there you have it, OpenVPN server installed in five minutes to increase your privacy. Please see OpenVPN project and road warrior installer Linux script.

Continue reading Set up OpenVPN Server In 5 Minutes on Centos8 Linux
, , ,

CentOS 8 Set Up OpenVPN Server In 5 Minutes

No comments

 The steps are as follows:

Please note that {root@centos8:~ }$ is my shell prompt and is not part of actual commands. In other words, you need to copy and paste command after my shell prompt.

Step 1 – Update your system

Run the dnf command or yum command to install CentOS 8 security updates:
{root@centos8:~ }$ sudo dnf updateOR
{root@centos8:~ }$ sudo yum update
Next, install tar on CentOS and also install wget on CentOS 8
{root@centos8:~ }$ sudo yum install tar wget

Step 2 – Find and note down your server’s IPv4 or IPv6 address

Use the ip command as follows:
{root@centos8:~ }$ ip a{root@centos8:~ }$ ip a show eth0
Find CentOS 8 Linux server IP address
We can try the following dig command/host command to find out your public IP address from Linux command line:
{root@centos8:~ }$ dig +short myip.opendns.com @resolver1.opendns.comOR
{root@centos8:~ }$ dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2 }'
Sample outputs:

172.105.120.133

Please note down 172.105.120.133 IP address. You need to replace this one with your actual IPv4.

A note about your IPv4 and IPv6 address

Most cloud servers have two types of IP address:

  1. Public static IP address directly assigned to your box and routed from the Internet. For example, Linode, Digital Ocean, and others give you direct public IPv4/IPv6 address.
  2. Private static IP address directly attached to your server and your server is behind NAT with public IP address. For example, AWS EC2/Lightsail, Google Cloud and others provide you this kind of NAT public IP address.

The script will automatically detect your networking setup. All you have to do is provide a correct IPv4 or IPv6 address when asked for it. Hence, we used the above command to determine our IP address in advance.

Step 3 – Download and run centos-8-vpn.sh script

I am going to use the wget command:
{root@centos8:~ }$ wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh -O centos-8-vpn.sh
Make sure you set up permissions using the chmod command:
{root@centos8:~ }$ chmod +x centos-8-vpn.sh
One can view the script using a text editor such as vim/vi too :
{root@centos8:~ }$ vim centos-8-vpn.sh
Downloading CentOS Linux 8 OpenVPN script

Installing OpenVPN server on CentOS 8 Linux using the centos-8-vpn.sh

Now all you have to do is run shell script on Linux:
{root@centos8:~ }$ sudo ./centos-8-vpn.sh
Sample session from my Linode cloud server with direct public IPv4 address:
CentOS 8 Set Up OpenVPN yum command
Sample session from AWS/Lightsail where my cloud server is behind NAT:
AWS CentOS Linux 8 server with NAT IPv4 address

Desktop or Mobile client configuration

When VPN server configuration done, we can create a desktop/mobile client VPN configuration file. You will be prompted as follows:

OpenVPN Mobile or Desktop Client Configuration with or without a password

Do you want to protect the VPN configuration file with a password?

How do I start/stop/restart OpenVPN server on CentOS 8 ?

#--- Stop the server ---#
{root@centos8:~ }$ sudo systemctl stop openvpn-server@server.service
#--- Start the server ---#
{root@centos8:~ }$ sudo systemctl start openvpn-server@server.service
#--- Restart the server ---#
{root@centos8:~ }$ sudo systemctl restart openvpn-server@server.service
#--- Get the server status ---#
{root@centos8:~ }$ sudo systemctl status openvpn-server@server.service
OpenVPN running on CentOS 8

Step 4 – Connect an OpenVPN server using IOS/Android/Linux/MS-Windows client

On server your will find a client configuration file called ~/DesktopVPNClient.ovpn. All you have to do is copy this file to your local desktop using the scp command:
{root@centos8:~ }$ scp vivek@172.105.120.136:~/DesktopVPNClient.ovpn .
Next, provide this file to your OpenVPN client for connection purposes:

  1. Download Apple iOS client from Apple App store
  2. Grab Android client from Google Play store
  3. Apple MacOS (OS X) client
  4. Microsoft Windows 8/10 client

OpenVPN Linux desktop client configuration

First, install the openvpn client for your desktop, enter:
{root@centos8-client:~ }$ sudo yum install openvpn
For Debian/Ubuntu Linux try the apt command/apt-get command:
{root@debian-client:~ }$ sudo apt install openvpn
Next, copy DesktopVPNClient.ovpn as follows:
{root@centos8-client:~ }$ sudo cp DesktopVPNClient.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
{root@centos8-client:~ }$ sudo openvpn --client --config /etc/openvpn/desktop.conf
Our Linux desktop system will automatically connect when computer restart using openvpn script/service:
{root@centos8-client:~ }$ sudo systemctl start openvpn@client

Step 5 – Verify/test the connectivity

Execute the following commands after connecting to OpenVPN server from your Linux desktop client:
#Ping to the OpenVPN server gateway
{root@centos8-client:~ }$ ping 10.8.0.1
#Make sure routing setup working
{root@centos8-client:~ }$ ip route
#Must return public IP address of OpenVPN server
{root@centos8-client:~ }$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

Step 6 – How to add or remove OpenVPN client

Log in to your CentOS 8 Linux server and run the script again:
{v@centos8:~ }$ sudo ./centos-8-vpn.sh
You will see option as follows:

Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install

It looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

Choose an option as per your needs.

Continue reading CentOS 8 Set Up OpenVPN Server In 5 Minutes