VPN setup:
  container with 8 cores, 2 GB RAM, 512 MB swap, 8 GB storage

* adduser tdobes
* adduser tdobes adm ; adduser tdobes systemd-journal

* aptitude update && aptitude full-upgrade && aptitude forget-new
aptitude --without-recommends install openvpn easy-rsa

as user:
cd ~
make-cadir vpn-ca
cd vpn-ca
sed -i -e 's/^export CA_EXPIRE=3650$/export CA_EXPIRE=36500/g' -e 's/^export KEY_EXPIRE=3650$/export KEY_EXPIRE=36500/g' -e 's/^export KEY_PROVINCE="CA"$/export KEY_PROVINCE="IN"/g' -e 's/^export KEY_CITY="SanFrancisco"$/export KEY_CITY="Hammond"/g' -e 's/^export KEY_ORG="Fort-Funston"$/export KEY_ORG="Purdue Northwest"/g' -e 's/^export KEY_EMAIL="me@myhost.mydomain"$/export KEY_EMAIL="tomdobes@purdue.edu"/g' -e 's/^export KEY_OU="MyOrganizationalUnit"$/export KEY_OU="CES"/g' vars
(sed only rewrites lines that still match the shipped easy-rsa defaults exactly; if the installed version ships different values the edit is silently skipped, so look over vars before sourcing it)
. vars
./clean-all
./build-ca
(just press enter to all prompts)
./build-key-server server
(press enter 10 times, then y and enter twice)
./build-key router-g136
(press enter 10 times, then y and enter twice)
./build-dh

as root:
cp -p ~tdobes/vpn-ca/keys/ca.crt /etc/openvpn/
cp -p ~tdobes/vpn-ca/keys/server.crt /etc/openvpn/
cp -p ~tdobes/vpn-ca/keys/server.key /etc/openvpn/
cp -p ~tdobes/vpn-ca/keys/dh2048.pem /etc/openvpn/
# cp -p keeps tdobes as the owner; the server key must belong to root and stay unreadable to everyone else
chown root:root /etc/openvpn/ca.crt /etc/openvpn/server.crt /etc/openvpn/server.key /etc/openvpn/dh2048.pem
chmod 600 /etc/openvpn/server.key
cat > /etc/openvpn/ces-internal-vpn.conf
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 192.168.223.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# push "route 205.215.68.0 255.255.255.0"
push "route 192.168.88.0 255.255.255.0"

client-config-dir ccd
route 192.168.88.0 255.255.255.0

cipher AES-128-CBC

client-to-client

persist-key
persist-tun

log-append /var/log/openvpn-ces-internal.log
verb 3
mute 20
^D

mkdir /etc/openvpn/ccd
echo 'iroute 192.168.88.0 255.255.255.0' > /etc/openvpn/ccd/router-g136

touch /var/log/openvpn-ces-internal.log
chgrp adm /var/log/openvpn-ces-internal.log
chmod g+r /var/log/openvpn-ces-internal.log

# tried all sorts of autodev nonsense on the host, then eventually gave up and made a hacky script to mknod the tun device:
cat > /usr/local/sbin/make-tun-devnode-hack.sh
#!/bin/sh
# skip mknod if the node already exists, otherwise a second start of the unit fails with "File exists"
mkdir -p /dev/net && { [ -e /dev/net/tun ] || mknod /dev/net/tun c 10 200; } && chmod 0666 /dev/net/tun
^D
chmod +x /usr/local/sbin/make-tun-devnode-hack.sh

cat > /etc/systemd/system/make-tun-devnode-hack.service
[Unit]
Description=Hack to create /dev/net/tun
Before=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/make-tun-devnode-hack.sh
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
^D
systemctl enable make-tun-devnode-hack.service
systemctl start make-tun-devnode-hack.service

systemctl enable openvpn@ces-internal-vpn.service
systemctl start openvpn@ces-internal-vpn.service



on pfsense:
System -> Cert. Manager
CAs tab
Add
name: CES VPN CA
paste in contents of ca.crt
Save
Certificates tab
Add
name: CES VPN - router-g136
paste in contents of router-g136.crt (only the stuff between BEGIN/END CERTIFICATE)
paste in contents of router-g136.key

VPN -> OpenVPN
Clients tab
Add
Protocol: TCP
enter server IP
description: CES Internal VPN
turn OFF TLS authentication (the server config above has no tls-auth/tls-crypt key; if one is added later it has to be enabled on both ends)
make sure CES VPN is selected for peer CA and client cert
set encryption algorithm to AES-128-CBC, the same as the server's cipher line (OpenVPN 2.3 does not negotiate ciphers; with a different choice such as BF-CBC the tunnel comes up but data packets fail to decrypt)
Save
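The server config, the ccd entry and the pfSense client have to agree in places that OpenVPN 2.3 will not sort out on its own: every ccd iroute needs a server-side route (and the other way round), cipher must be identical at both ends, and the transport must match. The script below is an added example written for these notes, not code from this page, from OpenVPN or from pfSense. It re-enters the page's server config and ccd entry as constructed input and pairs them with an assumed client snippet left on BF-CBC (OpenVPN's default cipher before 2.4) so the mismatch shows up; the hardening findings list options this config does not set.

```python
"""Cross-check an OpenVPN 2.3-style server config against its ccd directory and
a peer's client config.

Added example for these notes; not code from the page, from OpenVPN or from
pfSense. SERVER_CONF and CCD are the page's own settings, re-entered here as
constructed input. CLIENT_CONF is an assumed rendering of a pfSense client
left on BF-CBC, OpenVPN's default cipher before 2.4, to show a mismatch.
"""
import ipaddress
import shlex

SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 192.168.223.0 255.255.255.0
push "route 192.168.88.0 255.255.255.0"
client-config-dir ccd
route 192.168.88.0 255.255.255.0
cipher AES-128-CBC
client-to-client
"""

# ccd/<common name> -> file contents, as written on the server
CCD = {"router-g136": "iroute 192.168.88.0 255.255.255.0\n"}

# Constructed client side; 205.215.68.134 is the VPN container's address on the page.
CLIENT_CONF = """\
client
dev tun
proto tcp-client
remote 205.215.68.134 1194
cipher BF-CBC
"""

PRE_24_DEFAULT_CIPHER = "BF-CBC"  # used by OpenVPN <= 2.3 when 'cipher' is absent


def parse(conf):
    """Map directive -> list of argument lists; honours quotes, drops # comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def net(addr, mask):
    """'192.168.88.0', '255.255.255.0' -> IPv4Network('192.168.88.0/24')."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def check(server_conf, ccd, client_conf):
    """Return a list of findings prefixed route:/cipher:/proto:/hardening:."""
    findings = []
    srv = parse(server_conf)
    cli = parse(client_conf)

    # A client-side LAN needs both: 'route' puts the subnet into the kernel
    # table pointing at tun, 'iroute' tells OpenVPN which client owns it.
    routes = {net(*a[:2]) for a in srv.get("route", [])}
    iroutes = {}
    for cn, text in ccd.items():
        for a in parse(text).get("iroute", []):
            iroutes[net(*a[:2])] = cn
    for n, cn in iroutes.items():
        if n not in routes:
            findings.append(f"route: ccd/{cn} iroute {n} has no 'route {n}' on the server")
    for n in routes - set(iroutes):
        findings.append(f"route: server 'route {n}' is claimed by no ccd iroute, packets for it are dropped")

    # Before 2.4 there is no cipher negotiation; both ends must state the same cipher.
    s_cipher = srv.get("cipher", [[PRE_24_DEFAULT_CIPHER]])[0][0]
    c_cipher = cli.get("cipher", [[PRE_24_DEFAULT_CIPHER]])[0][0]
    if s_cipher != c_cipher:
        findings.append(f"cipher: server {s_cipher} vs client {c_cipher}, data channel will not decrypt")

    # 'tcp' / 'tcp-server' / 'tcp-client' all mean TCP; only the transport must agree.
    s_proto = srv.get("proto", [["udp"]])[0][0].split("-")[0]
    c_proto = cli.get("proto", [["udp"]])[0][0].split("-")[0]
    if s_proto != c_proto:
        findings.append(f"proto: server {s_proto} vs client {c_proto}")

    # Options the page's config leaves out; worth knowing even if accepted.
    if not (srv.get("tls-auth") or srv.get("tls-crypt")):
        findings.append("hardening: no tls-auth/tls-crypt, anyone can start a TLS handshake with the server")
    if not (srv.get("user") and srv.get("group")):
        findings.append("hardening: no user/group, the daemon stays root after initialisation")
    return findings


if __name__ == "__main__":
    for f in check(SERVER_CONF, CCD, CLIENT_CONF):
        print(f)
```

Run it against the real files by reading /etc/openvpn/ces-internal-vpn.conf, the files under /etc/openvpn/ccd and the client options exported from pfSense; an empty list apart from the two hardening lines means the three pieces agree.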

Firewall -> Rules
OpenVPN tab
Add
addr family: IPv4+v6
Protocol: any
Description: Pass all traffic from VPN
quick IP forwarding (the container has to forward between eth0 and tun0 for fog to reach 192.168.88.0/24; this setting does not survive a reboot, so also persist net.ipv4.ip_forward = 1 under /etc/sysctl.d):

on VPN:
echo 1 > /proc/sys/net/ipv4/ip_forward

on fog:
route add -net 192.168.88.0/24 gw 205.215.68.134

on router-g136:
VPN -> OpenVPN
Clients tab
Edit CES Internal VPN
IPv4 Remote network(s): 205.215.68.131/32
computer/vpn_server.txt · Last modified: 2016/08/18 03:51 by tdobes