Install OpenVPN virtual router on Ubuntu 16.04 LTS as Unraid Virtual Machine

This will guide you through the setup of an OpenVPN virtual router on an installation of Ubuntu 16.04 LTS as an Unraid Virtual Machine.

• Autostart: Yes
• Name: vpn.16.04vX
• Description: VPN
• CPU Mode: Host Passthrough
• Logical CPUs: 1
• Internal Memory: 1024
• Max Memory: 1024
• Machine: Q35-5.1
• BIOS: SeaBIOS
• USB Controller: 2.0 (EHCI) (I don't have USB 3.0 on current hardware)
• OS Install ISO: select the ubuntu - 16.04 iso
• OS Install CDRom Bus: SATA
• Primary vDisk Location: Auto if on the array, below options for ssd
  • /mnt/disks/samsung_nvme/vms/vpn.16.04vX/vdisk1.img –> This one is vDisk on SSD (Current setup uses this)
  • /dev/disk/by-id/ata-“ID OF DRIVE” –> This one is passthrough
• Primary vDisk Size: 10G
• Primary vDisk Type: raw
• Primary vDisk Bus: VirtIO if on the array, below options for ssd
  • VirtIO –> This one is vDisk on SSD (Current setup uses this)
  • SATA –> This one is passthrough
• Graphics Card: VNC
• VNC Video Driver: QXL (best)
• VNC Password: leave this blank (or set password if concerned folks will get access to unraid!)
• VNC Keyboard: English-United States
• Sound Card: none
• Network MAC: whatever it is
• Network Bridge: br0
• USB Devices: none
• Other PCI Devices: none

• Full Name: Dirk Rockface
• Server: vpn
• User Name: dirk
• Finish installing.

sudo apt-get update
sudo apt-get dist-upgrade

sudo apt-get install openssh-server

• In home directory

  mkdir .ssh

• authorized_keys file needs to have keys in them. Copy over from harddrive, external drive, or create them.
• When making keys on clients

  ssh-keygen -t rsa

• New things for keys:
  • So, ssh-keygen no longer creates the keys with the headers on them. Seems to be no big deal for ssh but Cyberduck borked.
  • To make private keys with headers for Cyberduck:

    openssl genrsa -aes128 -out id_rsa 2048
    openssl rsa -in id_rsa -pubout -out id_rsa.test
    ssh-keygen -f id_rsa.test -i -mPKCS8

  • Links:
    • https://rietta.com/blog/2012/01/27/openssl-generating-rsa-key-from-command/
    • https://stackoverflow.com/questions/1011572/convert-pem-key-to-ssh-rsa-format

• Turn off Password Auth

  sudo vim /etc/ssh/sshd_config

  UsePAM yes
  PasswordAuthentication no

sudo reboot -h now

sudo vim /etc/network/interfaces

change the bottom to read:

auto enp1s0
iface enp1s0 inet static
        address 192.168.1.99
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 208.67.222.222 208.67.220.220

sudo apt-get install openvpn

sudo apt-get install iptables-persistent

• click yes to both prompts on iptables install

• Upload OpenVPN config files to home directory.
• Copy boston.ovpn file to /etc/openvpn/boston.conf
• create text file /etc/openvpn/vpnauth.txt
  • put username on line 1 and password on line 2 of that vpnauth.txt file
• edit /etc/openvpn/boston.conf

  • sudo vim /etc/openvpn/boston.conf

  • add path to vpnauth.txt: auth-user-pass /etc/openvpn/vpnauth.txt
• add the cert file in that folder too
• remove the keysize thing (i think it was keysize) that line needs to go.
• reboot
• check connection

  • sudo openvpn --config /etc/openvpn/boston.conf

• enable openvpn on startup

  • sudo systemctl enable openvpn@boston

• enable forwarding

  • sudo vim /etc/sysctl.conf

  • remove the # in front of net.ipv4.ip_forward = 1
• enable service

  • sudo sysctl -p

• paste in iptables rules

  • sudo iptables --flush
    sudo iptables --delete-chain
    sudo iptables -t nat -F
    sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
    sudo iptables -A INPUT -i ens18 -p tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
    sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
    sudo iptables -I INPUT -i ens18 -m comment --comment "In from LAN" -j ACCEPT
    sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
    sudo iptables -A OUTPUT -o ens18 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
    sudo iptables -A OUTPUT -o ens18 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
    sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
    sudo iptables -A OUTPUT -o ens18 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
    sudo iptables -A FORWARD -i tun+ -o ens18 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -i ens18 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
    sudo iptables -P FORWARD DROP

  • first three lines erase old rules (if any)
  • next line enables nat
  • next line opens port 22 for ssh
  • next two lines enable loopback
  • next two lines enable traffic ok by defualt
  • next line opens vpn socket (use the correct port)
  • next line enables ntp for time sync
  • next line enables dhcp
  • next line enables dns
  • next two lines enable vpn kill switch (traffic blocked if VPN down)
  • last line adds default drop (only use above rules)
• save rules

  • sudo netfilter-persistent save

• apply to startup

  • sudo systemctl enable netfilter-persistent

• install dnsmasq

  • sudo install dnsmasq

• add dns forwarding to conf file

  • sudo /etc/openvpn/boston.conf

  • add this to end

    • script-security 2
      up /etc/openvpn/update-resolv-conf
      down /etc/openvpn/update-resolv-conf

* Links:

• https://www.youtube.com/watch?v=J_cRe__c3Mc