openvpn server setup


testing env architecture

see openvpn-poc

install

apt install openvpn easy-rsa lynx net-tools mtr tcpdump

systemctl list-unit-files | grep openvpn
systemctl disable openvpn.service --now

generate the certs

see sslhappy-ca-easy

setup

cd /etc/openvpn/
rmdir client/
rmdir server/

# the openvpn-server@server unit (/etc/systemd/system/multi-user.target.wants/openvpn-server@server.service)
# starts in /etc/openvpn/server/ and loads server.conf from there
ln -s . server

ln -s ca2/pki/ca.crt
ln -s ca2/pki/issued/openvpn-server.crt
ln -s ca2/pki/private/openvpn-server.key

openssl dhparam -out dh2048.pem 2048
chmod 444 dh2048.pem

openvpn --show-ciphers | grep AES

cp -pi /usr/share/doc/openvpn/examples/sample-config-files/server.conf \
    server.conf.dist
grep -vE '^#|^;|^$' server.conf.dist > server.conf.clean
# new file
vi server.conf

local 192.168.122.9
port 443
proto tcp4
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh2048.pem
server 10.6.6.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-128-GCM
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
# explicit-exit-notify is UDP-only; openvpn refuses to start with it under proto tcp4
#explicit-exit-notify 1

topology subnet
push "route 10.7.7.0 255.255.255.0"
#push "redirect-gateway def1"
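
A preflight check for the server.conf above, as an added example that is not part of the original guide: lint_openvpn_conf and make_sample are hypothetical helpers, and the sample files are constructed. It flags explicit-exit-notify on a TCP listener (OpenVPN accepts that option only with proto udp), ca/cert/key/dh paths that do not resolve through the symlinks, and a private key readable by group or other; it assumes relative paths resolve beside the config file.

```shell
#!/bin/sh
# Added example: lint_openvpn_conf and make_sample are hypothetical helpers,
# not OpenVPN tools. One finding per line; no output means the config passed.
lint_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")  # assumption: relative paths resolve beside the config
    # drop comments and blank lines, like the guide's grep -vE
    clean=$(grep -vE '^[[:space:]]*(#|;|$)' "$conf" || true)
    proto=$(printf '%s\n' "$clean" | awk '$1 == "proto" { print $2 }')
    # explicit-exit-notify is UDP-only; openvpn rejects it on a TCP listener
    case $proto in
        tcp*) printf '%s\n' "$clean" | awk -v p="$proto" \
            '$1 == "explicit-exit-notify" && $2 != "0" { print $1 " used with proto " p }' ;;
    esac
    # ca/cert/key/dh must resolve (through any symlinks) to readable files
    printf '%s\n' "$clean" | awk '$1 ~ /^(ca|cert|key|dh)$/ { print $1, $2 }' |
    while read -r opt path; do
        case $path in /*) f=$path ;; *) f=$dir/$path ;; esac
        if [ ! -r "$f" ]; then
            echo "$opt: $path missing or unreadable"
        elif [ "$opt" = key ]; then
            # ls -L follows the symlink; group and other bits must all be clear
            perms=$(ls -lL "$f" | cut -c5-10)
            [ "$perms" = "------" ] || echo "key: $path is accessible to group/other"
        fi
    done
    return 0
}

# Constructed sample: the guide's file names with dummy contents.
# $1 = proto value, $2 = one extra config line.
make_sample() {
    d=$(mktemp -d)
    for f in ca.crt openvpn-server.crt openvpn-server.key dh2048.pem; do
        echo dummy > "$d/$f"
    done
    chmod 600 "$d/openvpn-server.key"
    printf '%s\n' 'port 443' "proto $1" 'dev tun' 'ca ca.crt' \
        'cert openvpn-server.crt' 'key openvpn-server.key' 'dh dh2048.pem' \
        '#push "redirect-gateway def1"' "$2" > "$d/server.conf"
    echo "$d"
}

sample=$(make_sample tcp4 'explicit-exit-notify 1')
lint_openvpn_conf "$sample/server.conf"   # prints the TCP/explicit-exit-notify finding
rm -r "$sample"
```

Against the real setup, run lint_openvpn_conf /etc/openvpn/server.conf before restarting the unit.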

ready to go

cat /etc/default/openvpn

systemctl restart openvpn-server@server
systemctl enable openvpn-server@server
systemctl status openvpn-server@server
journalctl -xeu openvpn-server@server

pgrep -a openvpn
netstat -lntup

you can now proceed with the client

resources

FW https://kifarunix.com/step-by-step-guide-to-install-and-setup-openvpn-server-on-debian-12/

https://binsec.wiki/en/security/howto/protect-hardening/authorization-and-authentication/openvpn-configure-2fa-google-authenticator/

dummy interface

https://unix.stackexchange.com/questions/513578/modern-way-to-configure-dummy0-in-etc-network-interfaces-or-similar

troubles

https://serverfault.com/questions/971266/openvpn-could-not-determine-ipv4-ipv6-protocol-using-af-inet


Copyright © 2024 Pierre-Philipp Braun