Difference between revisions of "OpenVPN"

From The Munich Maker Lab's Wiki

Latest revision as of 12:41, 19 July 2020

Attention: Old Page
We do not provide this service anymore. Please check Network for information on remote access.

We run an OpenVPN server for our members to connect to our internal network from the outside world. The main purpose is to get access to the fileserver and internal monitoring systems (e.g. 3D printers).

Abuse is prohibited (e.g. disconnecting others from the laser PC).

To get access, contact @JanS in Flowdock. Access is only granted with a valid reason and may be rejected at any time.

The following sections describe the server setup.

Installation

We are using the docker image from [1]. The image ships helper scripts that create the server config and the certificates; the PKI part is built on easy-rsa.

Data folder, used for persistence of the config and pki

mkdir -p /srv/openvpn

Initial config, run once

docker run -v /srv/openvpn/:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig \
    -u tcp://mumaland.dnshome.de:1194 \
    -d \
    -c \
    -N \
    -n 10.10.0.10 \
    -n 8.8.8.8 \
    -p "route 10.10.0.0 255.255.255.0" \
    -p "route 10.10.10.0 255.255.255.0" \
    -p "route 10.10.20.0 255.255.255.0" \
    -p "route 10.20.20.0 255.255.255.0"

Initialize the PKI and create the root ca, run once

docker run --rm -v /srv/openvpn/:/etc/openvpn -it kylemanna/openvpn ovpn_initpki

You have to provide a password for the root CA; it is needed again every time a client certificate is signed later on. Store it safely.

Start container

docker run --name openvpn -v /srv/openvpn/:/etc/openvpn -d -p 1194:1194/tcp --privileged kylemanna/openvpn

systemd-service file (docker-openvpn.service)

[Unit]
Description=Openvpn Server
After=docker.service
Requires=docker.service

[Service]
TimeoutStartSec=0
Restart=always
RestartSec=10
ExecStartPre=/usr/bin/docker pull kylemanna/openvpn
ExecStartPre=-/usr/bin/docker kill openvpn
ExecStartPre=-/usr/bin/docker rm openvpn
ExecStart=/usr/bin/docker run --name openvpn -v /srv/openvpn/:/etc/openvpn -p 1194:1194/tcp --privileged kylemanna/openvpn
ExecStop=/usr/bin/docker stop -t 20 openvpn
#ExecStopPost=/usr/bin/docker rm openvpn

[Install]
WantedBy=multi-user.target

Issue a new certificate for a user:

docker run --rm -v /srv/openvpn/:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full <CLIENTNAME> nopass

Create the config for the user (a single file that includes all the necessary certificates and keys). Pipe the output into a mail or a file (which you should delete afterwards).

docker run --rm -v /srv/openvpn/:/etc/openvpn kylemanna/openvpn ovpn_getclient <CLIENTNAME>
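The two issuance steps above, wrapped in a small script as an added example (not part of the wiki or of the kylemanna/openvpn image): it writes the profile to a 0600 temp file instead of a mail pipe and checks that the profile actually carries the inline blocks and the expected remote before it is handed out. The function names are our own; the data dir, image and remote are the values from this page.

```shell
#!/bin/sh
# Added example, not from the wiki: runs the two issuance steps above for one
# member and sanity-checks the resulting profile before it is mailed out.
# Function names are ours; DATA_DIR, IMAGE and EXPECTED_REMOTE come from the page.
set -eu
DATA_DIR="${DATA_DIR:-/srv/openvpn}"
IMAGE="${IMAGE:-kylemanna/openvpn}"
EXPECTED_REMOTE="${EXPECTED_REMOTE:-mumaland.dnshome.de 1194 tcp}"

# Returns 0 when a unified .ovpn profile carries exactly one <ca>, <cert> and
# <key> block (as ovpn_getclient embeds them) and points at our server;
# a <tls-auth> block is checked for balance only if present.
check_ovpn_config() {
    file="$1"
    for tag in ca cert key tls-auth; do
        opens=$(grep -c "^<$tag>\$" "$file" || true)
        closes=$(grep -c "^</$tag>\$" "$file" || true)
        if [ "$tag" = tls-auth ] && [ "$opens" -eq 0 ] && [ "$closes" -eq 0 ]; then
            continue
        fi
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "profile $file: missing or unbalanced <$tag> block" >&2
            return 1
        fi
    done
    if ! grep -q "^remote $EXPECTED_REMOTE\$" "$file"; then
        echo "profile $file: remote is not $EXPECTED_REMOTE" >&2
        return 1
    fi
    return 0
}

# Issues a client certificate (prompts for the CA password) and writes the
# profile to a 0600 temp file, which must be deleted once handed to the member.
issue_client() {
    name="$1"
    out=$(mktemp)
    chmod 600 "$out"
    docker run --rm -v "$DATA_DIR/:/etc/openvpn" -it "$IMAGE" \
        easyrsa build-client-full "$name" nopass
    docker run --rm -v "$DATA_DIR/:/etc/openvpn" "$IMAGE" \
        ovpn_getclient "$name" > "$out"
    check_ovpn_config "$out"
    echo "$out"
}

# Usage: CLIENT_NAME=<CLIENTNAME> sh issue_client.sh
if [ -n "${CLIENT_NAME:-}" ]; then
    issue_client "$CLIENT_NAME"
fi
```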