AKZN Notes

Archives for My Lazy and Forgetful Mind

SIMPLE OPENVPN SETUP + MIKROTIK CLIENT


To install VPN monitoring tools, read: https://kifarunix.com/how-to-monitor-openvpn-connections-using-openvpn-monitor-tool/

If you only need a simple OpenVPN configuration, you only need to do step 1, Install OpenVPN on a NAT IPv4 VPS.

Installation

There are two ways to install it.

Install without Docker

1) Make sure that TUN/TAP is enabled on your VPS. Enable TUN/TAP via the SolusVM control panel if present.

2) SSH into your server and run the following commands:

yum -y update ca-certificates   # CentOS
sudo update-ca-certificates     # Ubuntu
# --no-check-certificate skips TLS verification of the download; drop it unless an outdated CA store is the problem
wget git.io/vpn --no-check-certificate -O openvpn-install.sh; bash openvpn-install.sh

To copy a client config out of root's home directory into your own:

sudo cat /root/somefile > ~/somefile

3) Get the OpenVPN client software. For Windows, download it from openvpn.net/index.php/download.html

4) Copy ~/client.ovpn into your OpenVPN config folder.

5) Connect to your OpenVPN server using its public shared IP and your assigned port.


Below is how to configure IP forwarding and iptables on the server so that clients can reach the internet through it.

Setup Forwarding
Edit the file /etc/sysctl.conf, then uncomment the following line:

net.ipv4.ip_forward=1
To activate it, run this command: sysctl -p

Creating the iptables rules
Here are the iptables commands used:

# NAT everything the server forwards behind its own public address
iptables -t nat -A POSTROUTING -j MASQUERADE
# accept traffic from the VPN client range arriving on ppp0 (as written; an OpenVPN tun server would use its tun interface, e.g. tun0)
iptables -I INPUT -s 172.16.11.0/24 -i ppp0 -j ACCEPT
# allow forwarding of traffic that comes in on eth0
iptables -A FORWARD -i eth0 -j ACCEPT

Install with Docker

Install Docker

Make sure Docker is installed on your server. If Docker is not present, install it with the commands below:

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

After installing Docker, you will need to add your user to the docker group to allow you to run Docker commands without using sudo or logging in as a root user.

sudo usermod -aG docker <username>

You will most likely need to sign out and in again (or restart your SSH session) in order to be able to run Docker commands.

Install OPENVPN for Docker

Using Docker Config

We are using the kylemanna/openvpn Docker image.
The general Quick Start document can be read here, but because we will use this OpenVPN server to connect MikroTik devices, we need to prepare the installation a bit differently.

  • Create docker host volume mounts rather than data volumes

    docker volume create --name ovpn-data-example --opt type=none --opt device=/home/$USER/path/to/ovpn-data-example --opt o=bind

    the path /home/$USER/path/to/ovpn-data-example needs to be created manually first

  • Refer to the Quick Start document, and substitute -v $OVPN_DATA:/etc/openvpn with -v /path/on/host/ovpn-data-example:/etc/openvpn
    Quick example that is likely to be out of date, but here's how to get started

    mkdir /path/on/host/ovpn-data-example
    cd /path/on/host/ovpn-data-example
    docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://$OVPN_HOST:$OVPN_PORT
    docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
  • Edit the OpenVPN config file so that MikroTik devices can connect to this VPN server

    nano openvpn.conf

    edit it to match the OPENVPN SERVER CONFIGURATION in the MikroTik section of this article

  • Start the server with

    docker run -v $PWD:/etc/openvpn -d -p $OVPN_PORT:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
  • Generate new client with

    docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
    docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

    For clients other than MikroTik: because the server config is set up to support MikroTik clients, the tls-auth part is disabled, so make sure that the tls-auth section in client.ovpn is disabled or removed.

  • To have Docker start the container on system boot and restart it if it exits, refer to the OpenVPN Docker main article to set up the systemd init scripts, or use docker-compose.

Using docker-compose
  1. Install docker-compose

    sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  2. Apply executable permissions to the binary

    sudo chmod +x /usr/local/bin/docker-compose
  3. test the installation

    docker-compose --version
  4. Add a new service in docker-compose.yml

    version: '2'
    services:
      openvpn:
        cap_add:
          - NET_ADMIN
        image: kylemanna/openvpn
        container_name: openvpn
        ports:
          - "11600:1194/udp"
        restart: always
        volumes:
          - ./openvpn-data/conf:/etc/openvpn

    I put docker-compose.yml inside /var/docker-compose/

  5. Initialize the configuration files and certificates

    docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
    docker-compose run --rm openvpn ovpn_initpki
  6. Fix ownership (depending on how to handle your backups, this may not be needed)

    sudo chown -R $(whoami): ./openvpn-data
  7. Start OpenVPN server process

    docker-compose up -d openvpn
  8. You can access the container logs with

    docker-compose logs -f
  9. Generate a client certificate

    export CLIENTNAME="your_client_name"
    # with a passphrase (recommended)
    docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
    # without a passphrase (not recommended)
    docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass
  10. Retrieve the client configuration with embedded certificates

    docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn
  11. Revoke a client certificate

    # Keep the corresponding crt, key and req files.
    docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME
    # Remove the corresponding crt, key and req files.
    docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME remove

Debugging Tips

  • Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
    docker-compose run -e DEBUG=1 -p 1194:1194/udp openvpn

IF YOU JUST NEED A SIMPLE OPENVPN SERVER AND CLIENT, STOP HERE.
Below is how to configure the OpenVPN server to support a MikroTik client.

MIKROTIK CLIENT + OPENVPN CONFIGURATION

  1. OPENVPN SERVER CONFIGURATION
    change the server.conf file to match the configuration below

    # must be tcp; udp is not supported
    proto tcp
    # tls-auth and tls-crypt are not supported, leave them commented out
    #tls-auth
    #tls-crypt
    cipher AES-128-CBC
    # md5 or SHA1 is supported
    auth SHA1
    # compression is not supported
    #comp-lzo no

    restart openvpn

    /etc/init.d/openvpn restart

    update 2022

    • If you're running systemd, changing files like /etc/default/openvpn and /etc/init.d/openvpn is not enough; you will need to manage the unit with systemctl so it starts at boot time:
      sudo systemctl [enable/disable/start/status/stop] openvpn-server@server.service
  2. MIKROTIK OPENVPN CLIENT CONFIGURATION

    [ppp profile]
    name = ovpn-profil
    use MPLS = default
    use compression = no
    use Encryption = yes
    Change TCP MSS = default
    Use UPnP = default

    [ovpn-out interface]
    Connect to = [server address]
    Port = [server port]
    Mode = ip (must be ip)
    user = [common name of the client certificate]
    profile = [name of the PPP profile, "ovpn-profil"]
    Certificate = [your client certificate]
    TLS Version = any (for some reason, anything other than any fails to connect)
    Auth = [match your server configuration]
    Cipher = [match your server configuration]

    Note: don't forget to import your client certificate on the MikroTik (client.crt and client.key, using the same passphrase when importing).

    update 2022
    RouterOS 7 and later does not need the PPP profile
    RouterOS before 7: set TLS/cipher to always (I forgot the exact setting; it will be added)

  3. CLIENTS OTHER THAN MIKROTIK
    For clients other than MikroTik, the tls-crypt part must be removed from the client.ovpn configuration.
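Added example, not code from the post or from the kylemanna image: the first function removes the tls-auth/tls-crypt material from a generated client.ovpn (the hand edit this section and the Docker section ask for on non-MikroTik clients), and the second checks a server.conf against the RouterOS constraints listed in step 1. The sample .ovpn text is constructed.

```python
# Constraints from the server configuration section above: a RouterOS client
# needs proto tcp, no tls-auth/tls-crypt/comp-lzo, cipher AES-128-CBC and
# auth SHA1 or MD5.
INLINE_BLOCKS = ("<tls-auth>", "<tls-crypt>")
CLIENT_DROP = ("tls-auth", "tls-crypt", "key-direction")

def strip_tls_key_material(ovpn_text):
    """Return client .ovpn text with all tls-auth/tls-crypt material removed."""
    out, closing = [], None
    for line in ovpn_text.splitlines():
        word = line.split()[0] if line.split() else ""
        if closing:                          # inside an inline key block
            if word == closing:
                closing = None
            continue
        if word in INLINE_BLOCKS:
            closing = "</" + word[1:]        # "<tls-auth>" -> "</tls-auth>"
            continue
        if word in CLIENT_DROP:              # directive pointing at a key file
            continue
        out.append(line)
    return "\n".join(out) + "\n"

def check_server_conf_for_routeros(conf_text):
    """Return the settings in server.conf that would stop a RouterOS client."""
    d = {}
    for line in conf_text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing # comments
        if body and not body.startswith(";"):  # ';' lines are comments too
            key, _, value = body.partition(" ")
            d[key] = value.strip()
    problems = []
    if not d.get("proto", "udp").startswith("tcp"):   # OpenVPN defaults to udp
        problems.append("proto must be tcp")
    problems += [k + " is not supported" for k in ("tls-auth", "tls-crypt", "comp-lzo") if k in d]
    if d.get("cipher") != "AES-128-CBC":
        problems.append("cipher should be AES-128-CBC")
    if d.get("auth", "SHA1").upper() not in ("SHA1", "MD5"):
        problems.append("auth must be SHA1 or MD5")
    return problems

# Constructed sample .ovpn (not a real profile) with an embedded tls-auth key.
SAMPLE_OVPN = ("client\nremote vpn.example.com 1194 tcp\nkey-direction 1\n"
               "<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n0123abcd\n"
               "-----END OpenVPN Static key V1-----\n</tls-auth>\nverb 3\n")

if __name__ == "__main__":
    print(strip_tls_key_material(SAMPLE_OVPN))
    print(check_server_conf_for_routeros("proto udp\ntls-crypt ta.key\ncipher AES-256-GCM\n"))
```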

How to make an OpenVPN client get a static IP

  1. Create the ccd folder
    sudo mkdir /etc/openvpn/ccd
  2. Change the OpenVPN server configuration
    sudo nano /etc/openvpn/server/server.conf

    Uncomment the line containing the client-config-dir parameter

    client-config-dir [real-path]ccd
  3. Create a configuration file for each client and put it into the ccd directory. As the file name, use the same name for the client as used in the CN field of the client certificate.
    sudo touch /etc/openvpn/ccd/[client-common-name]
    sudo nano /etc/openvpn/ccd/[client-common-name]

    write the file with

    ifconfig-push [IP] [MASK]

    example

    ifconfig-push 10.8.0.2 255.255.255.0
  4. Restart the OpenVPN service
    sudo /etc/init.d/openvpn restart

Port forwarding / tunneling a host server port to a client port

For `docker-compose` configuration, follow Docker route to Host with static ip section below

Using Iptables

Enable Forwarding

Make sure that sysctl is forwarding OpenVPN traffic at runtime; check using

sysctl -p

Make sure the line net.ipv4.ip_forward=1 is present;
if not, edit the file /etc/sysctl.conf and add or uncomment

net.ipv4.ip_forward=1

Configure iptables.

Below is an example; change the IP and port to the desired configuration.

iptables -t nat -A PREROUTING -p tcp --dport 11600 -j DNAT --to-destination 10.8.0.5:80

To delete an iptables rule, change -A to -D.

If you have never added the masquerade rule before, run this too:

iptables -t nat -A POSTROUTING -j MASQUERADE

Save with iptables-persistent so that the rules are not reset after a reboot:

sudo netfilter-persistent save
sudo netfilter-persistent reload

If iptables-persistent is not installed, install it first:

sudo apt install iptables-persistent

To delete iptables rules, change -A to -D and run the iptables-persistent save again.
To check iptables or print the change in the nat table, type

iptables -L -n -t nat

Using Apache Reverse Proxy

https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension-ubuntu-20-04

With a VirtualHost, combine this with the LAMP VirtualHost article and leave the ServerName option intact.

example :

<VirtualHost *:80>
        ServerName example.com
        ...

MikroTik NAT forwarding

If you want to forward traffic from the MikroTik to another host, just add a firewall NAT redirection as usual.
example :

ip firewall nat add chain=dstnat dst-address=[ovpn-client-ip] dst-port=[desired incoming port] action=dst-nat to-address=[host-destination-ip] to-ports=[destination-ports]

Openvpn Command List

  1. Show connected clients

    sudo killall -USR2 openvpn ;sudo tail -f /var/log/syslog
  2. Show the last N user logins (Ubuntu)
    replace N with the number of entries you want to show

    last -n N
  3. Show log error

    tail -f /var/log/syslog
  4. start/stop openvpn server (installed using openvpn_setup.sh)

    sudo systemctl start openvpn-server@server.service
    sudo systemctl stop openvpn-server@server.service
  5. show used ports

    sudo netstat -tuln | grep PORT_NUMBER
  6. track error

    sudo journalctl -xeu openvpn-server@server.service

Start openvpn client on boot

  1. Move the ovpn file to `/etc/openvpn`
  2. Rename it to `openvpn.ovpn`
  3. `sudo nano /etc/default/openvpn`
    Uncomment `AUTOSTART="all"`
  4. `sudo service openvpn start`

Tips and Tricks

How to make the client ignore redirect-gateway and block-outside-dns

Add the config below to the client config file:

pull-filter ignore redirect-gateway
pull-filter ignore "block-outside-dns"


Docker route to Host with static ip

Using docker-compose

TL;DR:

  • make a `networks` section in the yml config
  • add a `networks` section to the `services` item that uses the previously configured network
  • make a script that contains the iptables commands
  • copy that file into the container
  • run the script inside the container

The code below in `docker-compose.yml` is an example configuration that lets the container communicate with the host.
Take note that in the `command` section, for a multi-line command, we need to add one more empty line.
Note that the 172.168.3.0/24 block used below is not one of the RFC 1918 private ranges; pick a block you never need to reach on the internet.

In this example, I copy the script .sh file manually to a persistent volume.

services:
  openvpn:
    ...
    image: kylemanna/openvpn
    container_name: openvpn
    ...
    command:
      - /bin/bash
      - -c
      - |
        sh /etc/openvpn/iptables.sh
        ovpn_run

    networks:
      - hostnet

networks:
  hostnet:
    name: hostnet
    ipam:
      driver: default
      config:
        - subnet: "172.168.3.0/24"
          gateway: "172.168.3.1"


file `iptables.sh`

#!/bin/bash

# masquerade all ports to eth0, so every VPN client can reach any host port
# NOT RECOMMENDED
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PORT FORWARD TO CERTAIN PORTS, NEEDS THE MASQUERADE BELOW
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.168.3.1:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 172.168.3.1:443
iptables -t nat -A PREROUTING -p udp --dport 1812 -j DNAT --to-destination 172.168.3.1:1812
iptables -t nat -A PREROUTING -p udp --dport 1813 -j DNAT --to-destination 172.168.3.1:1813

# MASQUERADE THE FORWARDED PORTS ONLY
iptables -t nat -A POSTROUTING -p tcp -d 172.168.3.1 --dport 80 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -d 172.168.3.1 --dport 443 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -d 172.168.3.1 --dport 1812 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -d 172.168.3.1 --dport 1813 -j MASQUERADE

#echo "iptables executed " > /root/iptables_echo


Using docker config

Add this option to docker run:

--add-host=host.docker.internal:host-gateway

How to access a subnet behind a RouterOS VPN client from the OpenVPN server (Ubuntu)

If you want to reach a subnet which is behind an OpenVPN client, you need two things (this applies only to routing-based (tun device) VPNs):

  1. Set a route,

    • either by adding a route with `ip route` via the client's tunnel address, ex:

      sudo ip route add 192.168.200.0/24 via 10.8.4.5 dev tun0
    • or by adding the line below to the OpenVPN server.conf with the desired IP/subnet, ex:

      push "route 192.168.200.0 255.255.255.0"
  2. Activate client-specific configuration (--client-config-dir)
  3. Inside the configuration of the correct client, use the --iroute switch to tell OpenVPN that it shall route the subnet inside the tunnel
    • example ccd file for the VPN client (ex: ccd/clientMikrotikA)
      ifconfig-push 10.8.0.11 255.255.255.0
      iroute 192.168.200.0 255.255.255.0

      After that, you need to activate IP forwarding on the client and adapt its firewall. That should be it...
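Added example (not from the post): a Python helper that generates the ccd files described in the static-IP section and in the subnet-behind-client section above, ifconfig-push for the static address plus iroute for each subnet behind the client, checking that the file name is a plain CN, that the address lies in the tunnel network, and that no two clients get the same address. The 10.8.0.0/24 tunnel network, the output directory and the client list are constructed assumptions.

```python
import ipaddress
from pathlib import Path

# Assumed server tunnel network (the post's examples use 10.8.0.x addresses).
TUN_NET = ipaddress.ip_network("10.8.0.0/24")

def ccd_entry(cn, tun_ip, lan_subnets=()):
    """Build the text of one client-config-dir file.

    cn          - certificate common name, which is also the file name
    tun_ip      - static tunnel address for ifconfig-push
    lan_subnets - networks behind this client; each one gets an iroute line
    """
    # The file name must equal the CN; refuse names that could leave ccd/.
    if not cn or "/" in cn or cn.startswith("."):
        raise ValueError(f"bad common name {cn!r}")
    addr = ipaddress.ip_address(tun_ip)
    # The address must be inside the tunnel network and not the server's .1.
    if addr not in TUN_NET or addr == TUN_NET[1]:
        raise ValueError(f"{addr} is not a usable client address in {TUN_NET}")
    lines = [f"ifconfig-push {addr} {TUN_NET.netmask}"]
    for subnet in lan_subnets:
        net = ipaddress.ip_network(subnet)   # strict: host bits must be zero
        lines.append(f"iroute {net.network_address} {net.netmask}")
    return "\n".join(lines) + "\n"

def write_ccd(ccd_dir, clients):
    """Write one file per (cn, tun_ip, lan_subnets); reject duplicate addresses.

    Returns the sorted list of file names now present in ccd_dir.
    """
    seen = {}
    out = Path(ccd_dir)
    out.mkdir(parents=True, exist_ok=True)
    for cn, tun_ip, lan_subnets in clients:
        if tun_ip in seen:
            raise ValueError(f"{tun_ip} is already assigned to {seen[tun_ip]}")
        seen[tun_ip] = cn
        (out / cn).write_text(ccd_entry(cn, tun_ip, lan_subnets))
    return sorted(p.name for p in out.iterdir())

if __name__ == "__main__":
    # Constructed sample clients; clientMikrotikA mirrors the ccd example above.
    print(write_ccd("/tmp/ccd-example", [
        ("clientMikrotikA", "10.8.0.11", ["192.168.200.0/24"]),
        ("laptop", "10.8.0.2", []),
    ]))
```

For the iroute to take effect the server also needs a matching `route 192.168.200.0 255.255.255.0` line in server.conf (or the manual ip route shown above), since iroute only tells OpenVPN which client owns the subnet.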
