...

This is covered well in the digitalocean guide, but I thought I would note down the commands used here as it's something I use/do often.

Generate a client key

First, generate the client key by cd'ing into your openvpn-ca (cert authority folder) and sourcing the variables required:

...

Info

replace <client-key-name> with the name of the client key you want

Generate a client .ovpn file

If you followed the digitalocean guide you'll now be able to generate an ovpn client config that contains the key and everything needed for a client to securely connect to your openvpn server by

...

Code Block
ifconfig-pool 10.8.0.100 10.8.0.200 255.255.255.0

Next, let's uncomment the client-config-dir directive:

...

For example, suppose we have a client configuration named "client1" which has the ovpn file "client1.ovpn", and that we want to assign the IP address "10.8.0.12" to it. We would do the following:

...

Code Block
ifconfig-push 10.8.0.12 255.255.255.0


Info

You DO NOT need to restart the openvpn server after adding client configs. Each time a client connects openvpn will check for a corresponding (named) file in the ccd folder.
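As an added example (not code from the original article), a small Python helper that checks a static address before writing the per-client ccd file: it rejects an address that lies inside the dynamic ifconfig-pool, that is the server's own address, or that another ccd file already pushes. The pool values are the article's; the server address 10.8.0.1 and the ccd directory path are assumptions.

```python
import ipaddress
from pathlib import Path

# Pool and mask from the article's server.conf; SERVER_ADDR is an assumption
# (the first usable address of the tun subnet, as OpenVPN's default layout uses).
POOL_START, POOL_END, MASK = "10.8.0.100", "10.8.0.200", "255.255.255.0"
SERVER_ADDR = "10.8.0.1"

def check_static_ip(ip, taken=(), mask=MASK, pool=(POOL_START, POOL_END)):
    """Return the problems with pushing `ip` via ifconfig-push (empty list = OK)."""
    net = ipaddress.ip_network(f"{pool[0]}/{mask}", strict=False)
    addr = ipaddress.ip_address(ip)
    lo, hi = (int(ipaddress.ip_address(p)) for p in pool)
    problems = []
    if addr not in net:
        problems.append(f"{ip} is outside the VPN subnet {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if lo <= int(addr) <= hi:
        problems.append(f"{ip} lies inside the dynamic pool {pool[0]}-{pool[1]}")
    if str(addr) == SERVER_ADDR:
        problems.append(f"{ip} is the server's own address")
    if str(addr) in taken:
        problems.append(f"{ip} is already pushed to another client")
    return problems

def pushed_addresses(ccd_dir):
    """Collect the addresses already assigned by existing ccd files."""
    taken = set()
    for f in Path(ccd_dir).glob("*"):
        for line in f.read_text().splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "ifconfig-push":
                taken.add(parts[1])
    return taken

def ccd_line(ip, mask=MASK):
    # 'ifconfig-push <ip> <netmask>' is the form used with 'topology subnet'
    return f"ifconfig-push {ip} {mask}"

def write_ccd(ccd_dir, client, ip, mask=MASK):
    """Create ccd/<client>; the file name must equal the client certificate's CN."""
    problems = check_static_ip(ip, pushed_addresses(ccd_dir), mask)
    if problems:
        raise ValueError("; ".join(problems))
    path = Path(ccd_dir) / client
    path.write_text(ccd_line(ip, mask) + "\n")
    return path

if __name__ == "__main__":
    print(write_ccd("/etc/openvpn/ccd", "client1", "10.8.0.12"))  # directory is an assumption
```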

Enabling split-tunnel for a specific client

If you've setup your openvpn server to route all client traffic through the tunnel, you might want a specific client to ignore this and only use the tunnel for connections to other machines on the VPN.

An example for this might be when using a VPN connection to securely connect machines together for node_exporter monitoring (Prometheus) as alluded to in Create a persistent SSH tunnel between servers with systemd (a VPN is an alternative to that article and the preferred approach).

To ignore the server's redirect-gateway directive, add the following to the client's ovpn config file:

Code Block
pull-filter ignore redirect-gateway


Info

Note this requires at least openvpn version 2.4.  For older versions see here.

Overriding DNS settings from the server in the client configuration

...

Add the following to your .ovpn config (replacing x.x.x.x and y.y.y.y with your preferred DNS addresses).

Code Block
# override DNS with my own settings
pull-filter ignore "dhcp-option DNS"
# don't block other DNS servers (for windows clients)
pull-filter ignore "block-outside-dns"

# set own DNS servers (optional)
dhcp-option DNS x.x.x.x
dhcp-option DNS y.y.y.y

...

Warning

Replace x.x.x.x  and y.y.y.y  with your preferred DNS addresses above.
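The pull-filter lines above (both the redirect-gateway one and the DNS ones) work by prefix-matching each option the server pushes in its PUSH_REPLY; the first matching rule wins and an unmatched option is accepted. As an added example, not code from the article, this Python snippet models that behaviour on a constructed client config and a constructed PUSH_REPLY from a full-tunnel server, so you can see which options survive.

```python
import shlex

# Constructed client config using the article's pull-filter lines; the DNS
# placeholders x.x.x.x / y.y.y.y are kept as in the article.
CLIENT_CONF = """\
client
pull-filter ignore redirect-gateway
# override DNS with my own settings
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "block-outside-dns"
dhcp-option DNS x.x.x.x
dhcp-option DNS y.y.y.y
"""

# Constructed PUSH_REPLY as a full-tunnel server would send it (comma separated).
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,"
              "block-outside-dns,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120")

def parse_pull_filters(conf):
    """Return (action, text) rules in config order; shlex handles the quoted text."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts[0] == "pull-filter" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return rules

def apply_pull_filters(push_reply, rules):
    """Prefix-match each pushed option against the rules; first match wins and
    no match means accept. A 'reject' rule terminates the session in OpenVPN."""
    kept = []
    for opt in [o.strip() for o in push_reply.split(",")[1:] if o.strip()]:
        action = next((a for a, text in rules if opt.startswith(text)), "accept")
        if action == "reject":
            raise ConnectionAbortedError(f"pushed option rejected: {opt}")
        if action == "accept":
            kept.append(opt)
    return kept

def effective_options(conf, push_reply):
    """Options the client ends up with: the filtered push plus its own dhcp-option lines."""
    kept = apply_pull_filters(push_reply, parse_pull_filters(conf))
    local = [l.strip() for l in conf.splitlines() if l.startswith("dhcp-option")]
    return kept + local
```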

Honour DNS config pushed from server on Arch Linux client

On a few of my Arch (and Manjaro) machines, they weren't using DNS configs being pushed from the OpenVPN server.

As outlined on the Arch Wiki, I needed to add the following to my client config (.ovpn):

Code Block
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If OpenVPN doesn't reconnect after wake

...

Code Block
sudo systemctl enable openvpn-reconnect

...

Status: COMING SOON

Using port 443 for OpenVPN & other applications (like a webserver)

If the network environment you're operating in is restrictive then chances are port 1194 (the standard openvpn port) will be blocked, which means that you won't be able to connect to your openvpn server from that environment without making some changes on your end. One way to get around this is to change your openvpn port to something that will most likely NOT be blocked, like port 443 (the https/ssl port). Doing so is trivial within your openvpn server.conf file. However, issues arise if you also use said server for other things, like a webserver, especially if you run multiple applications from said server (see Apache reverse-proxy SSL to multiple server applications for a standard setup running multiple web applications with Apache).

In this use case, we are actually going to use port 443 for both OpenVPN and our Apache2 reverse proxy. Now, we can't bind port 443 simultaneously to OpenVPN and Apache2, but we can share port 443 by fronting both with an SSL/OpenVPN multiplexer like SSLH.

How this works is we'll change our Apache reverse-proxy listening port to something else (like 8443), then bind port 443 to SSLH.  SSLH will analyse traffic incoming to port 443, and if it's standard https then it transparently forwards this traffic to port 8443, and if it's OpenVPN traffic then it forwards it to our standard server-side OpenVPN port 1194.

This approach assumes you've set up an Apache reverse-proxy which takes care of SSL termination with the relevant SSL certs and which listens on (is bound to) port 443. It also assumes that you've set up OpenVPN as outlined previously in this article and are using port 1194 for OpenVPN.
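To make the demultiplexing step concrete, here is an added Python model (not sslh's code, and not part of the original article) of the probe sslh runs on the first bytes of a connection: a TLS record starts with handshake type 0x16 and version major 0x03, while an OpenVPN-over-TCP session starts with a 2-byte length prefix followed by a client hard-reset opcode. The backend ports are the ones the article configures; the sample packets are constructed.

```python
import struct

# Opcode of the first control packet an OpenVPN client sends (P_CONTROL_HARD_RESET_CLIENT_V2).
HARD_RESET_CLIENT_V2 = 7

# Backends from the article's sslh DAEMON_OPTS; the host is the article's placeholder.
BACKENDS = {"tls": ("<INTERNAL-IP-ADDRESS>", 4443), "openvpn": ("<INTERNAL-IP-ADDRESS>", 1194)}

def looks_like_tls(data):
    """TLS record header: content type 0x16 (handshake) and major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03

def looks_like_openvpn_tcp(data):
    """OpenVPN-over-TCP packets carry a 2-byte big-endian length prefix; the next
    byte holds opcode<<3 | key_id, and a fresh client starts with a hard reset."""
    if len(data) < 3:
        return False
    (plen,) = struct.unpack("!H", data[:2])
    return plen == len(data) - 2 and (data[2] >> 3) == HARD_RESET_CLIENT_V2

def classify(data):
    """Simplified version of the probing sslh does on the first bytes it receives."""
    if looks_like_tls(data):
        return "tls"
    if looks_like_openvpn_tcp(data):
        return "openvpn"
    return "unknown"  # sslh itself falls back to its first configured protocol after a timeout

def backend_for(data):
    """Where the connection would be forwarded, or None if nothing matched."""
    return BACKENDS.get(classify(data))

# Constructed samples: the start of a TLS ClientHello record (record version 3.1,
# handshake type 1), and an OpenVPN client hard-reset: opcode 7, key id 0,
# 8-byte session id, empty ack array, packet id 0.
TLS_HELLO = bytes.fromhex("160301 00c4 01 0000c0 0303") + b"\x00" * 32
_ovpn_payload = bytes([HARD_RESET_CLIENT_V2 << 3]) + bytes(8) + b"\x00" + struct.pack("!I", 0)
OPENVPN_RESET = struct.pack("!H", len(_ovpn_payload)) + _ovpn_payload

if __name__ == "__main__":
    for name, sample in (("tls", TLS_HELLO), ("openvpn", OPENVPN_RESET)):
        print(name, classify(sample), backend_for(sample))
```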

Change OpenVPN to tcp-server mode

First, let's make a small change to our OpenVPN server configuration by replacing

proto udp

with:

proto tcp-server

in /etc/openvpn/server.conf

Info

Note that with this change you'll also need to change your .ovpn client configuration to use proto tcp-client and port 443 (e.g. the SSLH port instead of the internal OpenVPN port).

Change Apache SSL listening port and update any vhosts directives

Next, we're going to change our Apache SSL listening port to 8443 (you should check that this port is free; if not, choose another valid arbitrary port number). Note that the configuration snippets below use 4443; whichever port you pick, use the same one in ports.conf, in every vhost, and in the sslh --ssl option.

For this we'll need to change several files. The first should be changed to look like:

Code Block: /etc/apache2/ports.conf
Listen 80

<IfModule ssl_module>
        Listen 4443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 4443
</IfModule>

We'll also need to change any and all site configuration vhost directives from:

Code Block
<VirtualHost *:443>
    ...
</VirtualHost>

to:

Code Block
<VirtualHost *:4443>
    ...
</VirtualHost>

Don't restart Apache2 just yet...

Install and configure sslh

Next, let's install SSLH:

Code Block
sudo apt install sslh

and select standalone mode when asked to select a mode.

Configuration of SSLH is done in a single file (/etc/default/sslh on Debian/Ubuntu). Your sslh configuration file should look like:

Code Block
# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --transparent --listen <INTERNAL-IP-ADDRESS>:443 --ssl <INTERNAL-IP-ADDRESS>:4443 --openvpn <INTERNAL-IP-ADDRESS>:1194 --pidfile /var/run/sslh/sslh.pid"

where <INTERNAL-IP-ADDRESS> should be replaced with your server's internal IP address (e.g. 10.0.0.x or 192.168.1.x).

Info

Note: it MUST be your internal IP address. SSLH transparent mode does NOT work if you use localhost or 127.0.0.1.

For transparent mode to work we also need to modify iptables.  To ease configuration I created a one-off script.  Note that these settings won't survive a reboot so once we're happy we're going to make these settings persistent.

Copy the following to a file, make it executable, and execute with sudo.

Code Block
#!/bin/bash
# sslh transparent mode: the backends (Apache on 4443, OpenVPN on 1194) see the real
# client address, so their replies are addressed to the client and would leave via the
# default route. Mark those packets and route them via table 100 to loopback, where
# sslh picks them up and relays them to the client.

iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 4443 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 1194 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# The same rules for IPv6
ip6tables -t mangle -N SSLH
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 4443 --jump SSLH
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 1194 --jump SSLH
ip6tables -t mangle -A SSLH --jump MARK --set-mark 0x1
ip6tables -t mangle -A SSLH --jump ACCEPT
ip -6 rule add fwmark 0x1 lookup 100
ip -6 route add local ::/0 dev lo table 100

Info

NOTE: you'll need to replace enp0s25 with the main network interface of your server.

Restart Apache, start sslh, and test...

Right, it's time to test the setup. To do so we need to restart Apache and start SSLH:

Code Block
sudo systemctl restart apache2
sudo systemctl start sslh

If all went well you should be able to still access your webserver AND connect to OpenVPN on port 443.

Finalise configuration

We'll finalise the configuration (once you've tested it) by enabling sslh (so it starts on boot) and by making the iptables rules (above) persistent.

To make SSLH start on boot:

Code Block
sudo systemctl enable sslh

See this article to make the current iptables rules (after you've executed the iptables script above) persistent.

See Transparent SSLH: using a single port to transparently route incoming traffic for Apache, OpenVPN, and SSH

References

  1. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
  2. https://stackoverflow.com/questions/34304022/change-ssl-port-of-apache2-server-err-ssl-protocol-error
  3. https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
  4. https://www.rutschle.net/tech/sslh/README.html
  5. https://wiki.archlinux.org/index.php/OpenVPN#The_update-resolv-conf_custom_script


...