OpenVPN Rapid Installer: Difference between revisions
Revision as of 18:39, 13 May 2022
Install and configure OpenVPN including certificates in less than one minute
- Express installation and configuration of OpenVPN; this has been tested on recent Debian, Ubuntu and Raspbian releases.
- Enjoy the wide range of supported OpenVPN clients: with this script you can quickly establish a VPN connection from Windows, Linux, Mac OS, Android and iOS.
- Install and configure OpenVPN together with a Certificate Authority and X.509 client certificates with one single command.
- Optional journaling
Additional Tools
- ovpncert
  - Create new ovpn profiles and certificates on the fly
  - Revoke ovpn certificates on the fly

- ovpnreport
  - Search the journal for login activity, users or IP addresses
  - List current connections
 
Installation Samples
Basic installation with no options
Install and configure OpenVPN with Easy-RSA
- Default udp port 1194
- Default network 10.8.0.0/24
- Automatic installation (-a)
# Copy & Paste
wget -q https://coolscript.org/download/scripts/openvpn/openvpn-install.sh -O /tmp/openvpn-install.sh && \
  bash /tmp/openvpn-install.sh -a
Custom Network Installation
Install and configure OpenVPN with Easy-RSA
- Use tcp port 1194 (-o and -p)
- Use your custom network 192.168.200.0/24 (-n and -m)
- Automatic installation (-a)
- Reinstallation if a previous setup exists (-r)
# Copy & Paste
wget -q https://coolscript.org/download/scripts/openvpn/openvpn-install.sh -O /tmp/openvpn-install.sh && \
  bash /tmp/openvpn-install.sh -a -r -o 1194 -p tcp -n 192.168.200.0 -m 24
Recommended Setup - Support local users and journaling
Install and configure OpenVPN with Easy-RSA
- Default udp port 1194
- Default network 10.8.0.0/24
- Automatic installation (-a)
- Reinstallation if a previous setup exists (-r)
- Enable additional authentication using local user (-u)
- Enable journaling (-j)
# Copy & Paste
wget -q https://coolscript.org/download/scripts/openvpn/openvpn-install.sh -O /tmp/openvpn-install.sh && \
  bash /tmp/openvpn-install.sh -a -r -u -j
Available Arguments
openvpn-install.sh -h
  -a  Mandatory flag, automatic installation; without it the script does nothing except print to STDOUT
  -h  Optional flag, show help and exit
  -j  Optional flag, enable journaling
  -m  Optional string, network mask in decimal (bit) format, default is $defCIDR bit
  -n  Optional string, network address, default is $defNET
  -o  Optional string, port, default is $defPort
  -p  Optional string, protocol (tcp or udp), default is $defProto
  -r  Optional flag, re-install the application
  -u  Optional flag, enforce additional user authentication through local PAM
Tools
ovpncert
Use ovpncert to create, revoke and print OpenVPN profiles.
Samples:
  ovpncert -cn mycert -c          -> Create the OpenVPN certificate using the client name mycert
  ovpncert -cn mycert -c -d 30    -> Same as above, but valid for 30 days
  ovpncert -cn mycert -p          -> Print the OpenVPN certificate to STDOUT using the client name mycert
  ovpncert -cn mycert -r          -> Revoke the OpenVPN certificate using the client name mycert
  ovpncert -l                     -> List certificates including the current online status
Arguments:
  -sc  OpenVPN configuration name without the .conf extension. Default: server0
  -cn  Client configuration name without the .conf extension. Default: client1
  -c   Create an OpenVPN client certificate
  -d   Valid for n days
  -h   Display help
  -l   List certificates
  -p   Print the OpenVPN client certificate
  -r   Revoke an OpenVPN client certificate
  -v   Be verbose
ovpnreport
Use ovpnreport to see the connection history. Ovpnreport uses a SQLite database which is filled by the tool ovpntrack.
Sample:
  ovpnreport.pl                          Print all data, max. 5000 records (the limit can be overridden with -limit)
  ovpnreport.pl -c                       Print current connections
  ovpnreport.pl -ip 1.2.3.4 -limit 10    Search for 1.2.3.4 and limit the output to 10 records
  ovpnreport.pl -cname demo -time 5      Search for the cname demo and show connections of at least 5 minutes
  ovpnreport.pl -d 90 -v                 Delete data older than 90 days, then vacuum the database
Arguments:
  -c      Print current connections
  -cname  Print data which includes the given cname
  -csv    Print all data formatted as CSV
  -d      Delete data older than x days
  -h      Print this help
  -ip     Print data which includes the given IP address
  -limit  Limit the output to the given number of records
  -name   Print data which includes the given name
  -time   Print data with a minimum connection time (minutes)
  -v      Vacuum the database, valid together with -d
ovpntrack
Ovpntrack can only be used by OpenVPN itself; it is used to track VPN connection data. Use ovpnreport to view the data.
To activate the tracking, the OpenVPN server configuration must be set up as follows.
Sample:
script-security 2
client-connect "/etc/openvpn/scripts/ovpntrack.pl -d"
client-disconnect "/etc/openvpn/scripts/ovpntrack.pl -d"
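A minimal hook of the kind these two directives call, as an added example (not ovpntrack.pl, whose code is not on this page): it shows which variables OpenVPN exports to client-connect and client-disconnect scripts under script-security 2, and sanitises the certificate's common name before writing one log line. The log path is an assumption.

```shell
#!/bin/sh
# Added example (not ovpntrack.pl): a minimal client-connect/client-disconnect
# hook for "script-security 2". OpenVPN exports the session details in the
# environment; this hook turns them into one sanitised log line.
# Assumed log path; override with OPENVPN_LOG=/path.
: "${OPENVPN_LOG:=/var/log/openvpn-connections.log}"

# Keep only safe characters: common_name comes from the peer's certificate, so
# a crafted name must not be able to inject newlines or separators into the log.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_'
}

# Build one record from the variables OpenVPN sets for both hook types;
# bytes_received/bytes_sent/time_duration are only present on disconnect.
ovpn_event_line() {
    printf '%s %s cn=%s src=%s:%s vpn=%s rx=%s tx=%s dur=%s\n' \
        "${time_unix:-$(date +%s)}" \
        "${script_type:-unknown}" \
        "$(sanitize "${common_name:-}")" \
        "${trusted_ip:-?}" "${trusted_port:-?}" \
        "${ifconfig_pool_remote_ip:-?}" \
        "${bytes_received:--}" "${bytes_sent:--}" "${time_duration:--}"
}

# Only runs when OpenVPN invokes the hook (script_type is set). It records
# only; a non-zero exit from a client-connect hook would reject the client.
if [ -n "${script_type:-}" ]; then
    ovpn_event_line >> "$OPENVPN_LOG" 2>/dev/null
    exit 0
fi
```

The hook file must be owned by root and not writable by others, since script-security 2 lets the OpenVPN process execute it on every connection.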
Routing and Masquerading
Please note that your OpenVPN client will not be able to access the internet out of the box; in most cases this is because the server's routing does not allow the traffic.
There are many ways to establish the access; here is a very simple way of how this can work.
- Install nftables
apt-get install nftables
- Enable the service at startup
systemctl enable nftables
- Add a new table to nftables
nft add table ip nat
- Add the postrouting chain to nftables
nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; policy accept; }'
- Masquerade the entire traffic leaving eth0, please note that the interface name (eth0) can vary
nft 'add rule ip nat postrouting oif eth0 counter masquerade comment "Masquerade all traffic to eth0"'
- List the new table:
nft list table ip nat
table ip nat {
       chain postrouting {
               type nat hook postrouting priority srcnat; policy accept;
               oif "eth0" counter packets 0 bytes 1 masquerade comment "Masquerade all traffic to eth0"
       }
}
- Write back the configuration to make the change permanent
nft list table ip nat >> /etc/nftables.conf
- Either reboot the machine or reload the configuration to test:
systemctl restart nftables
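As an added example that goes beyond the rule above (not part of the installer): a small shell helper that generates the same NAT table but limits masquerading to the VPN subnet, validates its inputs before they reach nft or /etc/nftables.conf, and can syntax-check the result with nft -c. The subnet and interface defaults are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not part of the installer: build an nftables NAT table that
# masquerades only the VPN subnet instead of all traffic leaving the interface.
# Assumed defaults mirror the page: 10.8.0.0/24 and eth0. NAT alone does not
# route packets; forwarding must also be on (net.ipv4.ip_forward=1).

# Accept only a.b.c.d/n so a typo cannot silently widen the NAT scope.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    net=${1%/*}; bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    set -- $(printf '%s' "$net" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the table; interface names are restricted to plain characters because
# the text is later fed to nft or appended to /etc/nftables.conf.
ovpn_nat_ruleset() {
    vpn_net=${1:-10.8.0.0/24}
    out_if=${2:-eth0}
    valid_cidr "$vpn_net" || { echo "invalid CIDR: $vpn_net" >&2; return 1; }
    case "$out_if" in ''|*[!A-Za-z0-9_.-]*) echo "invalid interface: $out_if" >&2; return 1 ;; esac
    cat <<EOF
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $vpn_net oif "$out_if" counter masquerade comment "Masquerade VPN clients via $out_if"
    }
}
EOF
}

# Syntax-check the generated table without applying it (needs nft installed).
ovpn_nat_ruleset_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check" >&2; return 0; }
    ovpn_nat_ruleset "$@" | nft -c -f -
}
```

Usage: `ovpn_nat_ruleset 10.8.0.0/24 eth0 > /etc/nftables.conf.d/ovpn-nat.nft` (path is an assumption) and then `nft -f` that file, or run `ovpn_nat_ruleset_check` first to catch mistakes.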
Reference: