Install OpenVPN virtual router on Ubuntu 16.04 LTS as Unraid Virtual Machine

This will guide you through the setup of an OpenVPN virtual router on an installation of Ubuntu 16.04 LTS as an Unraid Virtual Machine.

VM Settings

  • Autostart: Yes
  • Name: vpn.16.04vX
  • Description: VPN
  • CPU Mode: Host Passthrough
  • Logical CPUs: 1
  • Internal Memory: 1024
  • Max Memory: 1024
  • Machine: Q35-5.1
  • BIOS: SeaBIOS
  • USB Controller: 2.0 (EHCI) (I don't have USB 3.0 on current hardware)
  • OS Install ISO: select the ubuntu - 16.04 iso
  • OS Install CDRom Bus: SATA
  • Primary vDisk Location: Auto if on the array; the options below are for an SSD
    • /mnt/disks/samsung_nvme/vms/vpn.16.04vX/vdisk1.img -> vDisk on SSD (current setup uses this)
    • /dev/disk/by-id/ata-"ID OF DRIVE" -> passthrough
  • Primary vDisk Size: 10G
  • Primary vDisk Type: raw
  • Primary vDisk Bus: VirtIO if on the array; the options below are for an SSD
    • VirtIO -> vDisk on SSD (current setup uses this)
    • SATA -> passthrough
  • Graphics Card: VNC
  • VNC Video Driver: QXL (best)
  • VNC Password: leave this blank (or set a password if you are concerned that others could get access to Unraid)
  • VNC Keyboard: English-United States
  • Sound Card: none
  • Network MAC: keep the generated default
  • Network Bridge: br0
  • USB Devices: none
  • Other PCI Devices: none

Install to Virtual Machine

  • Full Name: Dirk Rockface
  • Server: vpn
  • User Name: dirk
  • Finish installing.

Setup

Update Packages

sudo apt-get update
sudo apt-get dist-upgrade

Install SSH Server

sudo apt-get install openssh-server

Create ssh-rsa key auth

  • Turn off Password Auth (only after key-based login has been installed and tested, or you will lock yourself out):
    sudo vim /etc/ssh/sshd_config
    and set:
    UsePAM yes
    PasswordAuthentication no

Reboot

sudo reboot

Set Static IP

sudo vim /etc/network/interfaces

change the bottom to read:

auto enp1s0
iface enp1s0 inet static
        address 192.168.1.99
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 208.67.222.222 208.67.220.220

Install OpenVPN and iptables

sudo apt-get install openvpn
sudo apt-get install iptables-persistent
  • answer Yes to both prompts during the iptables-persistent install

Setup

  • Upload OpenVPN config files to home directory.
  • Copy boston.ovpn file to /etc/openvpn/boston.conf
  • create text file /etc/openvpn/vpnauth.txt
    • put the username on line 1 and the password on line 2 of vpnauth.txt (it holds the password in plaintext, so keep it readable by root only)
  • edit /etc/openvpn/boston.conf
    • sudo vim /etc/openvpn/boston.conf
    • add path to vpnauth.txt: auth-user-pass /etc/openvpn/vpnauth.txt
  • reboot
  • check connection
    • sudo openvpn --config /etc/openvpn/boston.conf
  • enable openvpn on startup
    • sudo systemctl enable openvpn@boston
  • enable forwarding
    • sudo vim /etc/sysctl.conf
    • remove the # in front of net.ipv4.ip_forward = 1
  • apply the sysctl change
    • sudo sysctl -p
  • paste in iptables rules
    • sudo iptables --flush
      sudo iptables --delete-chain
      sudo iptables -t nat -F
      sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
      sudo iptables -A INPUT -i enp1s0 -p tcp --dport 22 -j ACCEPT
      sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
      sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
      sudo iptables -I INPUT -i enp1s0 -m comment --comment "In from LAN" -j ACCEPT
      sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
      sudo iptables -A OUTPUT -o enp1s0 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
      sudo iptables -A OUTPUT -o enp1s0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
      sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
      sudo iptables -A OUTPUT -o enp1s0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
      sudo iptables -A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      sudo iptables -A FORWARD -i enp1s0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
      sudo iptables -P FORWARD DROP
    • first three lines erase old rules (if any)
    • next line enables nat
    • next line opens port 22 for ssh
    • next two lines enable loopback
    • next two lines accept traffic in from the LAN and out to the VPN by default
    • next line opens vpn socket (use the correct port)
    • next line enables ntp for time sync
    • next line enables dhcp
    • next line enables dns
    • next two lines enable vpn kill switch (traffic blocked if VPN down)
    • last line adds default drop (only use above rules)
  • save rules
    • sudo netfilter-persistent save
  • apply to startup
    • sudo systemctl enable netfilter-persistent
  • install dnsmasq
    • sudo apt-get install dnsmasq
  • add dns forwarding to conf file
    • sudo vim /etc/openvpn/boston.conf
    • add this to the end:
      script-security 2
      up /etc/openvpn/update-resolv-conf
      down /etc/openvpn/update-resolv-conf
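As a check of the iptables rules above (an example added here, not part of the original page), this Python script parses iptables-save output and reports whether the kill-switch properties hold: FORWARD defaults to DROP, no FORWARD rule lets LAN traffic bypass the tunnel, and POSTROUTING masquerades onto tun+. The dump is constructed to mirror the page's rules; the interface names enp1s0 and tun+ come from the page.

```python
import shlex
# Constructed sample in iptables-save layout, mirroring the rules on this page.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp1s0 -m comment --comment "In from LAN" -j ACCEPT
-A FORWARD -i tun+ -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
COMMIT
"""
LAN, VPN = "enp1s0", "tun+"   # interface names used by the page's rules

def parse_dump(text):
    """Return {table: {"policy": {chain: policy}, "rules": [argv, ...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                          # table header, e.g. *filter
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:   # chain with its default policy
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:  # one appended rule
            cur["rules"].append(shlex.split(line))
    return tables

def opt(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None  # value after a flag, or None

def audit(text):
    """Return findings; an empty list means forwarded LAN traffic is fully kill-switched."""
    tables = parse_dump(text)
    flt, nat = (tables.get(t, {"policy": {}, "rules": []}) for t in ("filter", "nat"))
    findings = []
    if flt["policy"].get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP: LAN clients reach the WAN if the tunnel drops")
    for r in flt["rules"]:  # any LAN-in FORWARD accept that does not leave via the tunnel is a leak
        if opt(r, "-A") == "FORWARD" and opt(r, "-j") == "ACCEPT" and opt(r, "-i") == LAN and opt(r, "-o") != VPN:
            findings.append("FORWARD accepts %s -> %s, bypassing the VPN" % (LAN, opt(r, "-o")))
    if not any(opt(r, "-A") == "POSTROUTING" and opt(r, "-j") == "MASQUERADE" and opt(r, "-o") == VPN
               for r in nat["rules"]):
        findings.append("no MASQUERADE on %s: forwarded LAN traffic is not NATed into the tunnel" % VPN)
    if flt["policy"].get("OUTPUT") == "ACCEPT":  # the page's ruleset leaves this policy as-is
        findings.append("OUTPUT policy is ACCEPT: only forwarded LAN traffic is kill-switched, not the router's own")
    return findings
```

To audit the live ruleset, feed the output of sudo iptables-save to audit(); on the page's rules the only finding is the OUTPUT policy, which means the router's own connections (not the LAN clients' forwarded traffic) are not covered by the kill switch.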

unraid/virtual/openvpnu16.04.1633386100.txt.gz · Last modified: by dirk