Thursday, December 17, 2015

Cheap VPN server using openvpn and Centos

Well, VPN servers are all the rage since Mr Snowden blew the gaff on the NSA, GCHQ et al., and nanny states are clamping down on and spying on your every move.

And the BBC iPlayer got blocked as the BBC shut out swathes of VPN addresses in yet another attempt to monetise their media.
When will they realise that blocking the internet, trying to block encryption, geo-IP blocking and the like is just a path to madness? I have no problem with them checking my data if they have grounds to suspect I have done something illegal, like making a bomb. But they can go through the normal channels and get a warrant to do so. I am innocent until proven guilty.

But with the way the law is going, we are all tarred as guilty, and should all be spied on. Orwellian.

Anyway, for a variety of reasons I wanted a cheap little VPN with a UK IP address.

After a bit of advice (and a referral to save me a few pounds) I got me a droplet over at www.digitalocean.com to act as the server. I use all sorts of devices to connect, including a Raspberry Pi as a simple VPN router for some kit I have.

Being a systemd loather, I chose to install CentOS 6.x with openvpn, tinydns and dnscache, as I am familiar with them from my server of choice, Koozali SME Server. I could install squid/DansGuardian etc. as well, but this suits the purpose for now.


Roughly speaking, this is how to do it. I'll add a note on the Raspberry Pi config in the next post.


# install wget

yum install wget

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm



# Get epel & rpmforge repos

yum localinstall epel-release-6-8.noarch.rpm rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm



# Add the webmin repo
cat > /etc/yum.repos.d/webmin.repo <<'EOF'
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
EOF

 

# And keys
wget http://www.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc

 

# Add some stuff
yum install mc openvpn wget mutt mailx man syslog traceroute nload iptraf vnstat webmin ntpdate bind-utils daemontools elinks ndjbdns htop


# Allow access to webmin with your own IPs

mcedit /etc/webmin/miniserv.conf
allow=127.0.0.1 1.2.3.4 5.6.7.8 LOCAL


# Sort the time out
Webmin - set timezone in System Time

cat > /etc/ntp/ntp.conf <<'EOF'
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
EOF


# Sort out ssh to prevent password access - make sure you add your keys first
# (first command from your workstation; the second runs on the server and appends, not overwrites)
scp ~/.ssh/id_rsa.pub root@1.2.3.4:/root/.ssh/id_rsa.pub.mykey
cat /root/.ssh/id_rsa.pub.mykey >> /root/.ssh/authorized_keys

# Change the default port please.
# Check that key login works in a second session before disabling passwords,
# and keep this port in step with the SSH rule in the iptables file below
mcedit /etc/ssh/sshd_config
Port 2244
PasswordAuthentication no

# Sort out iptables - see the file below
# adjust your IPs/VPN accordingly in it
# copy it to /etc/sysconfig/iptables

# Add Openvpn module
# Webmin/Configuration/Add module
http://www.openit.it/downloads/OpenVPNadmin/openvpn-2.6.wbm.gz


 

# You don't really need tinydns unless you are answering queries for the 'domain' on the server. dnscache will handle it.

# Sort out cache
mcedit /etc/ndjbdns/dnscache.conf
 

# Choose your VPN IP range here
IP=192.168.x.1
# allow clients in the tunnel range to use the cache (the file name is the address prefix)
cp /etc/ndjbdns/ip/127.0.0.1 /etc/ndjbdns/ip/192.168.x



# Webmin adjust Bootup & shutdown - tinydns & dnscache


dnscache will fail to start correctly, and when you then try to start it manually you will get a 'subsystem locked' error. This is caused by dnscache trying to bind to a non-existent interface, e.g. tun0, which doesn't appear until openvpn has started.

openvpn starts at S24 and dnscache at S20, so I set dnscache to S30.

Edit /etc/rc.d/init.d/dnscache and change the header line to:

# chkconfig: - 30 80

Then re-register it so the rc symlinks are rebuilt:

chkconfig dnscache off
chkconfig dnscache on
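As an added example (not from the original post), here is a small shell helper that makes the chkconfig change above scriptable: it rewrites the `# chkconfig:` header of an init script and reads the start priority back so the change can be verified. The demo runs on a constructed copy of the header under /tmp, not on the real /etc/rc.d/init.d/dnscache.

```shell
#!/bin/sh
# Added example, not from the original post: bump a SysV init script's chkconfig
# start priority so it starts after openvpn (S24), then verify the change.
set -u

# Rewrite "# chkconfig: <runlevels> <start> <stop>" in an init script.
# $1 = init script, $2 = new start priority, $3 = new stop priority.
# The runlevels field (e.g. "-" or "2345") is left as it was.
set_chkconfig_priority() {
    script=$1; start=$2; stop=$3
    grep -q '^# chkconfig:' "$script" || { echo "no chkconfig header in $script" >&2; return 1; }
    sed "s/^\(# chkconfig:[[:space:]]*[^[:space:]]*\)[[:space:]]*[0-9]*[[:space:]]*[0-9]*/\1 $start $stop/" \
        "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Print the start priority currently declared in the header.
chkconfig_start_priority() {
    awk '/^# chkconfig:/ { print $4; exit }' "$1"
}

# Demo on a constructed header that mimics the stock dnscache script (S20).
demo=/tmp/chkconfig-demo.$$
printf '%s\n' '#!/bin/sh' '# chkconfig: - 20 80' '# description: dnscache from ndjbdns' > "$demo"
set_chkconfig_priority "$demo" 30 80
echo "start priority is now S$(chkconfig_start_priority "$demo")"
rm -f "$demo"
# On the real box, rebuild the rc symlinks afterwards:
#   chkconfig dnscache off && chkconfig dnscache on
```

Editing the header alone changes nothing until chkconfig is run off and on again, because the S/K symlinks in /etc/rc.d/rc*.d are only regenerated at that point.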


# Webmin Openvpn - First sort your certs

New CA Authority

Make sure the country code is two letters, e.g. UK or ES

In CA list
VPN Server list select Keys List
New Server and generate key
# Get coffee

# Now
VPN List
New VPN Server

# Basic minimal settings

Management Yes 8876
Net Ip - your tunnel IP
Persist Yes
client-to-client routing Yes
option cipher AES-256-CBC
user/group nobody
verb 5
tun-mtu 1500
fragment 1300
mssfix 1300
push "dhcp-option DNS 192.168.x.1"
push "route 192.168.x.0 255.255.255.0"
push "redirect-gateway def1"

Go back to CA list
Select Keys List
Add New key
Key Name - whatever
Pass - no
KeyServer Client

Go to VPN List, Client List
Add Client

# Then get your client certificates out and installed. A minimal .ovpn file is below


# Modify Logging for openvpn and iptables

mcedit /etc/openvpn/{your-server}.conf

status /var/log/openvpn/openvpn-status.log
# log-append servers/DigiDrop-SVR/logs/openvpn.log


touch /etc/rsyslog.d/10-iptables.conf
cat > /etc/rsyslog.d/10-iptables.conf <<'EOF'
:msg, startswith, "IPTables-Dropped: " -/var/log/iptables.log
& ~
EOF
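Once the rule above is in place, /var/log/iptables.log fills with kernel lines prefixed "IPTables-Dropped: ". As an added example (not from the original post), here is a shell/awk summariser that turns those lines into a per-source, per-port count, which is the quickest way to spot a scanner hammering the box. The log lines it runs on are constructed samples using documentation addresses (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24), not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the "IPTables-Dropped:"
# lines that the rsyslog rule above sends to /var/log/iptables.log.
set -u

# Print "<count> <src> <proto>/<dport>" for every dropped source/port pair,
# most frequent first. $1 = log file in the rsyslog/kernel format.
summarize_drops() {
    awk '/IPTables-Dropped:/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Count dropped packets from one source address. $1 = log file, $2 = IP.
# The trailing space in the needle stops 203.0.113.5 matching 203.0.113.50.
drops_from_source() {
    awk -v s="SRC=$2 " '/IPTables-Dropped:/ && index($0, s) { n++ } END { print n + 0 }' "$1"
}

# Write a constructed sample log (documentation addresses, not real traffic) to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Dec 17 10:15:01 vpn kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 10:15:02 vpn kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54322 PROTO=TCP SPT=44124 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 10:15:03 vpn kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54323 PROTO=TCP SPT=44125 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 10:16:10 vpn kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=40
Dec 17 10:17:30 vpn kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=TCP SPT=51000 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 17 10:18:00 vpn sshd[1234]: Accepted publickey for root from 203.0.113.77 port 50000 ssh2
EOF
}

# Demo run on the constructed log.
log=/tmp/iptables-demo.$$
make_sample_log "$log"
summarize_drops "$log"
echo "drops from 203.0.113.5: $(drops_from_source "$log" 203.0.113.5)"
rm -f "$log"
```

Run it against the real file with `summarize_drops /var/log/iptables.log | head`. Remember the LOG rule is rate-limited to 2/sec, so the counts are a lower bound during a flood, not an exact packet count.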


touch /etc/rsyslog.d/20-ovpn.conf

cat > /etc/rsyslog.d/20-ovpn.conf <<'EOF'
# Create a template for the vpn log location
$template OpenVPN,"/var/log/openvpn/openvpn.log"

if $programname startswith 'openvpn' then /var/log/openvpn/openvpn.log
& ~
EOF

touch /etc/logrotate.d/ovpn

cat > /etc/logrotate.d/ovpn <<'EOF'
/var/log/openvpn/*.log {
        weekly
        size 100M
        rotate 4
        compress
        delaycompress
        missingok
        notifempty
        create 640 syslog adm
}
EOF


# Set DNS to OpenDNS if you want
mcedit /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=208.67.222.222
DNS2=208.67.220.220

# And get beer :-)

----------------------------------

# Generic .ovpn for Android - add your keys in the relevant sections

client
dev tun
proto udp
remote 46.101.92.188 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
# must match the server's cipher setting (the server above uses AES-256-CBC)
cipher BF-CBC
comp-lzo
verb 3

#mute-replay-warnings

<ca>
-----BEGIN CERTIFICATE-----
(CA certificate here)
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
(client certificate here)
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
(client private key here)
-----END PRIVATE KEY-----
</key>
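Pasting three PEM blocks into the right sections by hand is error-prone, so here is an added example (not from the original post) that builds the single-file profile above from the ca.crt, client.crt and client.key you exported from webmin. The host name vpn.example.net, the port and the file names are assumptions for the demo; the PEM bodies it runs on are labelled placeholders, not real key material. It uses the server's cipher, AES-256-CBC, rather than the BF-CBC of the hand-written template, since the two ends have to agree.

```shell
#!/bin/sh
# Added example, not from the original post: assemble a single-file client
# profile with the CA cert, client cert and client key embedded inline, which is
# what the Android OpenVPN client imports. Host name, port and file names below
# are assumptions for the demo.
set -u

# $1 = server host, $2 = port, $3 = ca.crt, $4 = client.crt, $5 = client.key.
# The finished profile goes to stdout; redirect it into client.ovpn.
build_inline_ovpn() {
    host=$1; port=$2; ca=$3; cert=$4; key=$5
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# the same cipher the server was configured with in webmin
cipher AES-256-CBC
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Number of inline sections in a profile; a complete one has 3 (ca, cert, key).
inline_sections() {
    grep -c -E '^<(ca|cert|key)>$' "$1"
}

# Write a constructed PEM placeholder (not a real certificate or key) to $1 with
# the given BEGIN/END label, so the demo runs without touching real key material.
write_placeholder_pem() {
    printf '%s\n' "-----BEGIN $2-----" "PLACEHOLDER-BASE64-BODY" "-----END $2-----" > "$1"
}

# Demo: build a profile from placeholders in a private temp directory.
umask 077   # the profile carries the private key, so keep it owner-readable only
dir=/tmp/ovpn-demo.$$
mkdir -p "$dir"
write_placeholder_pem "$dir/ca.crt" CERTIFICATE
write_placeholder_pem "$dir/client.crt" CERTIFICATE
write_placeholder_pem "$dir/client.key" "PRIVATE KEY"
build_inline_ovpn vpn.example.net 1194 "$dir/ca.crt" "$dir/client.crt" "$dir/client.key" > "$dir/client.ovpn"
echo "$dir/client.ovpn has $(inline_sections "$dir/client.ovpn") inline sections"
rm -rf "$dir"
```

For a real client: `build_inline_ovpn 1.2.3.4 1194 ca.crt client.crt client.key > client.ovpn`, then copy the one file to the phone. The generated profile deliberately leaves out comp-lzo; add it only if the server side has compression enabled too, because a mismatch there is a common reason a tunnel comes up but passes no traffic.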




----------------------------------

/etc/sysconfig/iptables

# /etc/sysconfig/iptables
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.x.0/24 -o eth0 -j MASQUERADE

# Pre Route OpenVPN
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Allow tunnel out forward
-A FORWARD -o tun+ -j ACCEPT
# Allow tunnel out
-A OUTPUT -o tun+ -j ACCEPT
# Allow tunnel in forward
-A FORWARD -i tun+ -j ACCEPT
# Allow tunnel in
-A INPUT -i tun+ -j ACCEPT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set (broad: any TCP packet with ACK set passes
# regardless of connection state; the ESTABLISHED/RELATED rules below are the safer check)
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server (must match the Port set in sshd_config above)
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow Webmin
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Allow OpenVPN
-A INPUT -p udp -m udp -i eth0 --dport 1194 -j ACCEPT
# Logging
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/sec -j LOG  --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
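With INPUT defaulting to DROP, the one rule you cannot afford to get wrong is the SSH one: the sshd_config section above sets Port 2244 while this file opens 2222, and loading it as-is with password login already disabled would lock you out of the droplet. As an added example (not from the original post), here is a pre-flight check in shell that reads the port from sshd_config and confirms an INPUT ACCEPT rule for it exists in an iptables-save style file. The demo runs on constructed copies of the two files that reproduce the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: check that the SSH port in
# sshd_config is actually allowed by an iptables-save style ruleset before it
# is loaded. With INPUT defaulting to DROP, a mismatch locks you out.
set -u

# First uncommented "Port" directive in sshd_config (sshd uses the first one);
# 22 if none is set. $1 = sshd_config.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# True if $1 (iptables-save format) has an INPUT ACCEPT rule for tcp/$2.
# "( |$)" after the port stops 22 matching 2222.
iptables_allows_tcp_port() {
    grep -E -q -- "^-A INPUT .*-p tcp .*--dport $2( |\$).*-j ACCEPT" "$1"
}

# Compare the two files; prints the verdict, returns 1 on a mismatch.
check_ssh_port_rule() {
    port=$(sshd_port "$1")
    if iptables_allows_tcp_port "$2" "$port"; then
        echo "OK: sshd on tcp/$port and $2 accepts it"
        return 0
    fi
    echo "MISMATCH: sshd on tcp/$port but $2 has no INPUT ACCEPT rule for it" >&2
    return 1
}

# Demo on constructed copies that reproduce the post's values:
# sshd_config says Port 2244, the ruleset opens 2222.
dir=/tmp/sshport-demo.$$
mkdir -p "$dir"
printf '%s\n' 'Port 2244' 'PasswordAuthentication no' > "$dir/sshd_config"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT' 'COMMIT' > "$dir/iptables"
check_ssh_port_rule "$dir/sshd_config" "$dir/iptables" || echo "fix the rule before loading it"
rm -rf "$dir"
```

On the real box run `check_ssh_port_rule /etc/ssh/sshd_config /etc/sysconfig/iptables` before `service iptables restart`, and keep a second SSH session open while you do it; an open session survives a bad ruleset only while the ESTABLISHED rule is in place, so the check is cheaper than the recovery.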
