
OpenVPN Server on Ubuntu

OpenVPN is a full-featured SSL VPN (virtual private network). It implements a secure OSI layer 2 or layer 3 network extension using the SSL/TLS protocol. It is open-source software distributed under the GNU GPL. A VPN lets you connect securely over an untrusted public network, such as airport or hotel Wi-Fi. A VPN is also needed to reach resources on your corporate, business or home server. It can bypass geo-blocked sites and improve your online privacy and security. This tutorial gives step-by-step instructions for setting up a "road warrior" OpenVPN server on Ubuntu Linux 18.04/20.04 LTS (20.10), including the ufw/iptables firewall configuration. The steps are as follows:

  1. Find and note down your public IP address
  2. Download the openvpn-install.sh script
  3. Run openvpn-install.sh to install the OpenVPN server
  4. Connect to the OpenVPN server using an iOS/Android/Linux/Windows client
  5. Verify your connectivity

Installation using the script

Type the following wget or curl command:

wget https://git.io/vpn -O openvpn-install.sh

wget fetching the script:

--2020-12-09 09:15:57--  https://git.io/vpn
Resolving git.io (git.io)... 34.195.187.253, 52.87.143.234, 34.205.238.171, ...
Connecting to git.io (git.io)|34.195.187.253|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-12-09 09:15:57--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.124.133
Connecting to raw.github.com (raw.github.com)|151.101.124.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-12-09 09:15:57--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.124.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.124.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23079 (23K) 
Saving to: 'openvpn-install.sh'

openvpn-install.sh  100%[==================>]  22.54K  --.-KB/s    in 0.001s  

2020-12-09 09:15:57 (36.9 MB/s) - 'openvpn-install.sh saved [23079/23079]

Before running it, we can review the script with a text editor such as nano or vim:

nano openvpn-install.sh
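As an added example (not part of the original tutorial), the check below pins the downloaded installer to the SHA-256 you recorded after reviewing it, so a later re-download that differs is refused before anything runs as root. The PINNED_SHA256 value is a placeholder, and sha256sum (or shasum) is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the tutorial): refuse to run the installer unless
# it still matches the SHA-256 recorded after reviewing it in nano/vim.
# PINNED_SHA256 below is a PLACEHOLDER; replace it with your recorded value.
# Assumes sha256sum (coreutils) or, failing that, shasum.

# Print the SHA-256 of a file as lowercase hex, without the file name.
script_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script <file> <expected-sha256>
# Returns 0 only if the file exists, starts with a #! interpreter line and
# its digest equals the expected one; otherwise explains why and returns 1.
verify_script() {
    vs_file=$1
    vs_expected=$2
    [ -f "$vs_file" ] || { echo "missing: $vs_file" >&2; return 1; }
    head -n 1 "$vs_file" | grep -q '^#!/' || {
        echo "not a shell script (no #! line): $vs_file" >&2; return 1; }
    vs_actual=$(script_sha256 "$vs_file")
    if [ "$vs_actual" != "$vs_expected" ]; then
        echo "digest mismatch for $vs_file" >&2
        echo "  expected: $vs_expected" >&2
        echo "  actual:   $vs_actual" >&2
        return 1
    fi
    return 0
}

# Placeholder: 64 hex zeros, NOT a real digest of openvpn-install.sh.
PINNED_SHA256=0000000000000000000000000000000000000000000000000000000000000000

# Only check when the download from the step above is present.
if [ -f openvpn-install.sh ]; then
    if verify_script openvpn-install.sh "$PINNED_SHA256"; then
        echo "openvpn-install.sh matches the pinned digest; run: sudo bash openvpn-install.sh"
    else
        echo "do not run openvpn-install.sh until the mismatch is understood" >&2
    fi
fi
```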

Running the openvpn-install.sh script

Type the following commands:

sudo chmod +x openvpn-install.sh
sudo bash openvpn-install.sh

Make sure you provide the required information:

Welcome to this OpenVPN road warrior installer!

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 1

What port should OpenVPN listen to?
Port [1194]: 

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 2

Enter a name for the first client:
Name [client]: iphone

OpenVPN installation is ready to begin.
Press any key to continue...

Once you press any key, such as [Enter], you will see:

writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.vQL9q8'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1768.FjG9Gr/tmp.FiauWW
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec  7 09:22:17 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
....................................+++++
...................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.lOecLW'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1843.4USwJm/tmp.5j0n6q
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'iphone'
Certificate is to be certified until Dec  7 09:22:17 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1899.k6zZtP/tmp.riZi2R

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem


Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /lib/systemd/system/openvpn-server@.service.

Finished!

The client configuration is available in: /root/iphone.ovpn
New clients can be added by running this script again.

Viewing the firewall rules the installer added on Ubuntu

That's it. Your OpenVPN server has been configured and is ready to use. You can view the firewall rules the script added in the file /etc/systemd/system/openvpn-iptables.service:

sudo systemctl cat openvpn-iptables.service

Sample rules. Do not edit them:

[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90
ExecStart=/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 172.105.102.90
ExecStop=/usr/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/usr/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStart=/usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72
ExecStart=/usr/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=/usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/usr/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to 2600:3c04::f03c:92ff:fe42:3d72
ExecStop=/usr/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=/usr/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

You can view the OpenVPN server configuration file generated by the script as follows (again, do not edit this file by hand, as that will break things):

sudo more /etc/openvpn/server/server.conf
local 172.105.102.90
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
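The unit file and server.conf above are written by the same script, so they should agree with each other. As an added example (not part of the tutorial or the installer), this audit reads server.conf for the port, protocol, VPN subnet and local address, then checks that the openvpn-iptables.service unit opens only that port, SNATs only that subnet to that address, and undoes every ExecStart rule in ExecStop. It assumes the /24 subnet (mask 255.255.255.0) shown above; the paths default to the ones on this page.

```shell
#!/bin/sh
# Added example, not from the tutorial: check that openvpn-iptables.service
# agrees with server.conf and that every ExecStart rule is undone by ExecStop.
# Assumes the /24 subnet (255.255.255.0) used above; paths default to this page's.

conf_value() {   # conf_value <file> <directive>: first value of the directive
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

audit_vpn_firewall() {   # audit_vpn_firewall [server.conf] [unit file]
    conf=${1:-/etc/openvpn/server/server.conf}
    unit=${2:-/etc/systemd/system/openvpn-iptables.service}
    port=$(conf_value "$conf" port)
    proto=$(conf_value "$conf" proto)
    local_ip=$(conf_value "$conf" local)
    net=$(conf_value "$conf" server)/24     # assumption: 255.255.255.0 mask
    rc=0
    # 1) The only INPUT hole must be the proto/port OpenVPN listens on.
    if grep -q "^ExecStart=.* -I INPUT -p $proto --dport $port -j ACCEPT\$" "$unit"; then
        echo "ok: INPUT accepts $proto/$port"
    else
        echo "FAIL: INPUT rule does not match $proto/$port from server.conf"; rc=1
    fi
    # 2) Client traffic leaving the VPN must be SNATed to the server's own address.
    if grep -q "^ExecStart=.*POSTROUTING -s $net ! -d $net -j SNAT --to $local_ip\$" "$unit"; then
        echo "ok: SNAT $net -> $local_ip"
    else
        echo "FAIL: SNAT rule does not match $net / $local_ip from server.conf"; rc=1
    fi
    # 3) Each ExecStart rule (-A/-I) needs the identical ExecStop rule with -D,
    #    otherwise stopping the unit leaves stale rules behind.
    if grep '^ExecStart=' "$unit" | sed 's/^ExecStart=//' |
       while IFS= read -r rule; do
           stop=$(printf '%s\n' "$rule" | sed 's/ -A / -D /; s/ -I / -D /')
           grep -qxF "ExecStop=$stop" "$unit" ||
               { echo "FAIL: no ExecStop undoing: $rule"; exit 1; }
       done
    then
        echo "ok: every ExecStart rule has a matching ExecStop"
    else
        rc=1
    fi
    return $rc
}

# Audit the live files when they are readable (run as root); otherwise do nothing.
if [ -r /etc/openvpn/server/server.conf ] && [ -r /etc/systemd/system/openvpn-iptables.service ]; then
    audit_vpn_firewall
fi
```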

How do I start/stop/restart the OpenVPN server?

Run the following systemctl command to stop the OpenVPN service:

sudo systemctl stop openvpn-server@server.service

Want to start it again? Try:

sudo systemctl start openvpn-server@server.service

The command to restart the OpenVPN service:

sudo systemctl restart openvpn-server@server.service

View the status of your systemd-based OpenVPN service:

sudo systemctl status openvpn-server@server.service
openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-12-09 09:22:18 UTC; 7min ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 2017 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 4610)
     Memory: 1.2M
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─2017 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link local (bound): [AF_INET]172.105.102.90:1194
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UDPv4 link remote: [AF_UNSPEC]
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: GID set to nogroup
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: UID set to nobody
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: MULTI: multi_init called, r=256 v=256
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=fddd:1194:1194:1194::1000
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: IFCONFIG POOL LIST
Dec 09 09:22:18 nixcraft-ubuntu-vm openvpn[2017]: Initialization Sequence Completed