{"id":151,"date":"2020-03-11T18:04:11","date_gmt":"2020-03-11T15:04:11","guid":{"rendered":"http:\/\/blog.gunlerveisler.gen.tr\/?p=151"},"modified":"2021-11-06T00:43:59","modified_gmt":"2021-11-05T21:43:59","slug":"openvpn-community-edition-server-ubuntu-18-04-setup-notes","status":"publish","type":"post","link":"https:\/\/aliyargunes.com.tr\/blog\/openvpn-community-edition-server-ubuntu-18-04-setup-notes\/","title":{"rendered":"OpenVPN Community Edition Server Setup Notes"},"content":{"rendered":"\n
\"\"<\/figure><\/div>\n\n\n\n

Recently I setup an OpenVPN server on my remote Ubuntu Server (18.04) for all my internet traffic. After completing all the steps, I have done some extras for both of the client and server side machines. Also, my wifi access point-router needs an adjustment for handling TLS handshaking process. <\/p>\n\n\n\n

First things first I have enabled and assigned the floating-ip<\/em> to the droplet and setup the server like this<\/a>. Then, I have found my anchor-ip<\/code> with <\/p>\n\n\n

\ncurl -s http:\/\/169.254.169.254\/metadata\/v1\/interfaces\/public\/0\/anchor_ipv4\/address\n<\/pre><\/div>\n\n\n
I have added local anchor-ip<\/code> to server.conf<\/code><\/em><\/p>\n\n\n
\nsudo nano \/etc\/openvpn\/server.conf\n<\/pre><\/div>\n\n\n
I added following rules for Ubuntu’s firewall and postrouting:<\/p>\n\n\n
\nsudo iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to-source anchor-ip\nsudo iptables -A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT\nsudo iptables -A INPUT -i tun+ -j ACCEPT\nsudo iptables -A OUTPUT -o tun+ -j ACCEPT\n<\/pre><\/div>\n\n\n
Then I need to save the rules, because they were not persistent and will remove after reboot. Iptables-persistent is nice tool for this. <\/p>\n\n\n
\nsudo apt install iptables-persistent netfilter-persistent\n<\/pre><\/div>\n\n\n
The two packages are similar, but provide slightly different functionality. If you only install iptables-persistent, you won’t get the service definition file for correct handling in systemd, eg \/lib\/systemd\/system\/netfilter-persistent.service. If you only install netfilter-persistent, you will find that rules are not correctly applied at boot.<\/p>\n\n\n\n
Rules can be saved in a file with the (root) command iptables-save<\/code> for IPv4:<\/p>\n\n\n
\niptables-save > \/etc\/iptables\/rules.v4\n<\/pre><\/div>\n\n\n
 These files can be loaded again with the command iptables-restore<\/code> for IPv4. <\/p>\n\n\n
\niptables-restore < \/etc\/iptables\/rules.v4\n<\/pre><\/div>\n\n\n
Recent versions of iptables-persistent have two configuration files:  \/etc\/iptables\/rules.v4 <\/code>for the IPv4 ruleset, and \/etc\/iptables\/rules.v6<\/code> for the IPv6 ruleset. <\/p>\n\n\n\n
Here is my IPv4 file:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
To save all filter rules:<\/p>\n\n\n
\nnetfilter-persistent save\n<\/pre><\/div>\n\n\n\n\n\n\n
or to load them:<\/p>\n\n\n
\nnetfilter-persistent start\n<\/pre><\/div>\n\n\n
Here is my server route table:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
tun0: my virtual VPN networkcard \/ eth0: normal networkcard \/ 10.8.0.0: my VPN network ip block.<\/p>\n\n\n\n
I have restarted OpenVPN with <\/p>\n\n\n
\nsudo systemctl restart openvpn@server\n<\/pre><\/div>\n\n\n
I have updated in my local user.ovpn<\/em> the ip of the floating-ip<\/code> (replacing the line remote with remote floating-ip 1194<\/code>)<\/p>\n\n\n\n
After this I added following rules for OpenVPN to the digitalocean’s droplet firewall panel, then I add this ruleset to my droplet. Here is port informations for OpenVPN: <\/p>\n\n\n\n
UDP ports: 1194, 1197, 1198, 8080, 9201 and 53. <\/p>\n\n\n\n
TCP ports 502, 501, 443, 110, and 80.<\/p>\n\n\n\n
At this point I can not connect OpenVPN GUI from my Windows 10 client on my Wifi router, because of the MTU size setting on the TCP packet in the router. The size was set to 1452 bytes instead of 1492 bytes. Because of that the SSL\/TLS packet was fragmented and the server ACK was not received. On changing the MTU size, everything works perfectly. Also, I disabled the Windows 10 firewall for TAP device.<\/p>\n\n\n\n
 If I run netstat -anr<\/code> and netstat -ltnup | grep 1194<\/code> everything seems fine. Also if I run curl --interface anchor-ip https:\/\/api.ipify.org\/<\/code> or wget --bind-address=anchor-ip https:\/\/api.ipify.org\/<\/code> I get the correct (floating) ip.  <\/p>\n\n\n\n
Here is my Windows 10 (TAP) client configuration (.OVPN file):<\/p>\n\n\n
\nblock-outside-dns\nauth-nocache\nkey-direction 1\nclient\ndev tun\nproto udp\nremote \/\/my floating-ip\/\/ 1194\nresolv-retry infinite\nnobind\npersist-key\npersist-tun\nca ca.crt\ncert client.crt\nkey client.key\nremote-cert-tls server\ntls-auth ta.key 1\nauth SHA256\ncipher AES-256-CBC\nverb 3\n<\/pre><\/div>\n\n\n
Here is my Ubuntu Server 18.04 LTS \/etc\/openvpn\/server.conf<\/code> file:<\/p>\n\n\n
\nkey-direction 0\nlocal \/\/my-anchor-ip\/\/\nport 1194\nproto udp\ndev tun\nca ca.crt\ncert server.crt\nkey server.key\ndh dh.pem\ntopology subnet\nserver 10.8.0.0 255.255.255.0\nifconfig-pool-persist \/var\/log\/openvpn\/ipp.txt\npush "route 0.0.0.0 0.0.0.0"\npush "redirect-gateway def1"\npush "dhcp-option DNS 8.8.8.8"\nkeepalive 10 120\ntls-auth ta.key 0\ncipher AES-256-CBC\nauth SHA256\nuser nobody\ngroup nogroup\npersist-key\npersist-tun\nstatus \/var\/log\/openvpn\/openvpn-status.log\nverb 3\nexplicit-exit-notify 1\n\n<\/pre><\/div>\n\n\n
\"\"<\/a>
 Troubleshooting flowchart for using the internet over VPN <\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"
Recently I setup an OpenVPN server on my remote Ubuntu Server (18.04) for all my internet traffic. After completing all the steps, I have done some extras for both of the client and server side machines. Also, my wifi access … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[46,62,63,65],"class_list":["post-151","post","type-post","status-publish","format-standard","hentry","category-days","tag-openvpn","tag-ubuntu","tag-ubuntu-vpn-server","tag-vpn"],"_links":{"self":[{"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/posts\/151"}],"collection":[{"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=151"}],"version-history":[{"count":8,"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/posts\/151\/revisions"}],"predecessor-version":[{"id":799,"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/posts\/151\/revisions\/799"}],"wp:attachment":[{"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aliyargunes.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}