目錄表

安裝 OpenVPN Server(使用 PVE 內 CT Template)

安裝 OpenVPN Server(使用 PVE 內 CT Template)

採用 PVE 可下載的 CT Template - debian-10-turnkey-openvpn_16.1-1_amd64.tar.gz 來建立

安裝程序

建立 CT 時, 將 Unprivileged container 打勾取消

建立完成後, 查看 /var/log/syslog 會出現以下錯誤訊息

[email protected]: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied

只要在 Options → Features → Nesting 打勾並重新啟動 CT 即可解決

如果 /var/log/syslog 出現以下的錯誤訊息
```
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2
```
就表示建立 CT 時, 沒有將 Unprivileged container 打勾取消

如果在 PVE7 上安裝, 需要特別執行以下程序 Exp. openvpn CT 的 id 是 133

修改 ct 設定檔內容, 最後兩行加上 lxc 的相關設定

vi /etc/pve/lxc/133.conf

:
:
ostype: debian
rootfs: zfs-raid:subvol-133-disk-1,size=8G
swap: 512
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

修改 tun 權限

chown 100000:100000 /dev/net/tun

確認權限是否修改成功

# ls -l /dev/net/tun
crw-rw-rw- 1 100000 100000 10, 200 Jun  3 16:37 /dev/net/tun

重新啟動 openvpn CT
```
pct reboot 133
```

自訂 Open VPN Server

預設 UDP Listen Port : 1194 想改成 TCP Listen Port : 10443
修改 Push Route 為 10.20.0.0/24

修改 /etc/openvpn/server.conf

port 10443
proto tcp
dev tun
:
:
# push routes to clients to allow them to reach private subnets
push "route 10.20.0.0 255.255.255.0"

重新啟動 openvpn server
```
service openvpn restart
```
透過直接修改 vi /etc/iptables.up.rules 然後重啟 iptables 或是登入 Webmin 對主機防火牆要加入允許 TCP 10443 規則

修改 /usr/local/bin/openvpn-addclient 產生設定檔的預設值

:
:
#REMOTE_PORT='1194'
REMOTE_PORT='10443'
:
:
remote $SERVER_ADDR $REMOTE_PORT
;proto udp
proto tcp
remote-cert-tls server
:

建立與取消 VPN 帳號

透過 ssh 連入 VPN Server 執行以下的命令

建立帳號 Exp. jerry [email protected]

root@ct-openvpn ~# openvpn-addclient jerry [email protected]

看詳細處理訊息

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating a RSA private key
........................+++++
..................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/keys/private/jerry.key.Gc3caPoNbL'
-----
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'jerry'
Certificate is to be certified until Jul 31 08:27:58 2024 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

INFO: generated /etc/openvpn/easy-rsa/keys/jerry.ovpn

建立帳號設定檔的下載連結(下載後獲一段時間連結就會失效), Exp. jerry
```
/var/www/openvpn/bin/addprofile jerry
```
會回傳類似以下的網址 URL: https://vpn.ichiayi.org/profiles/e092f97123456789067ff594c9f8dc0305d81b71/
連上網址可以出現下載頁面
強制取消設定檔的下載連結
```
/etc/cron.hourly/openvpn-profiles-delexpired
```
這樣上面產生的設定檔下載網址就立即失效
刪除使用者帳號(廢除使用者憑證) Exp. jerry
```
openvpn-revoke jerry
```

看詳細處理訊息

root@ct-openvpn ~# openvpn-revoke jerry

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = jerry


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf
Revoking Certificate 7E5BBA3C6024A6FE617B80BA5DE5DB40.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.


Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/keys/crl.pem

INFO: revoked /etc/openvpn/easy-rsa/keys/jerry.ovpn

查詢管理性資訊

查看登入登出紀錄

cat /var/log/syslog | grep 'VERIFY OK: depth=0, CN=\| received, client-instance restarting'

目前可用帳號

cat /etc/openvpn/easy-rsa/keys/index.txt | grep 'V'

已廢止的帳號

cat /etc/openvpn/easy-rsa/keys/index.txt | grep 'R'

如果想讓 OpenVPN 的 Listen Port 改為 443, 因為會與提供下載憑證的 lighttpd 衝突, 所以可以修改 SSL Port 為其他 port Exp. 20443

[舊版] 修改 /etc/lighttpd/lighttpd.conf 的設定

vi /etc/lighttpd/lighttpd.conf

:
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "(.*)" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
}

$SERVER["socket"] == ":20443" {
    ssl.engine = "enable"
    # Note using shared hardened SSL settings
    include "ssl-params.conf"
:

[新版] 修改 /etc/lighttpd/conf-enabled/50-tklcp.conf

vi /etc/lighttpd/conf-enabled/50-tklcp.conf

:
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "(.*)" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
}

$SERVER["socket"] == ":20443" {
    ssl.engine = "enable"
    # Note using shared hardened SSL settings
    include "ssl-params.conf"
:

vi /etc/lighttpd/conf-enabled/10-ssl.conf

:
$SERVER["socket"] == "0.0.0.0:20443" {
    ssl.engine  = "enable"
}
:
# support for IPv6 HTTPS via Debian script (in 'lighttpd' package)
include_shell "/usr/share/lighttpd/use-ipv6.pl 20443"

修改好重啟 lighttpd

systemctl restart lighttpd.service

修改 /var/www/openvpn/bin/addprofile 的 SERVER_ADDR 設定 Exp. 改成 172.16.0.246:20443

vi /var/www/openvpn/bin/addprofile

:
#SERVER_ADDR=$(grep remote $OVPN_PATH | awk '{print $2;exit}')
SERVER_ADDR="172.16.0.246:20443"
:

Webmin 的 Firewall 也要設定開放該 Port Exp. TCP 20443
- INPUT : Add Rule
- Apply Configuration

設定 VPN Client 可以互相連線

只要在 server.conf 內加入 client-to-client

cat /etc/openvpn/server.conf

root@ct-openvpn ~# cat /etc/openvpn/server.conf 
# PUBLIC_ADDRESS: vpn.iiidevops.org (used by openvpn-addclient)

port 443
proto tcp
dev tun

cipher AES-256-CBC
auth SHA256

keepalive 10 120
:
:
client-config-dir /etc/openvpn/server.ccd
client-to-client
status /var/log/openvpn/server.log
:

重新啟動 openvpn 讓設定生效
```
systemctl restart openvpn
```

安裝 snmpd 進行監控

如果要將 openvpn server 啟用 snmpd 進行監控, 可以參考 Ubuntu/Devian SNMPD 安裝設定

開啟主機防火牆 udp port 161

vi /etc/iptables.up.rules

:
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
:
-A INPUT -p udp -m udp --dport 161 -j ACCEPT 
:

更改後重啟主機或是使用 iptable-restore 讓 firewall 生效

iptable-restore < /etc/iptables.up.rules

安裝 openvpn-snmp-stats 強化監控

參考 - https://github.com/ThierryDi/-openvpn-snmp-stats

安裝 openvpn.py

apt install sudo -y
mkdir -p /opt/openvpn-snmp-stats/db
cd /opt/openvpn-snmp-stats
wget https://raw.githubusercontent.com/ThierryDi/-openvpn-snmp-stats/main/openvpn.py
chmod a+x openvpn.py
visudo /etc/sudoers.d/openvpn-stats

Debian-snmp ALL = NOPASSWD: /opt/openvpn-snmp-stats/openvpn.py

vi /etc/snmp/snmpd.conf

:
group MyROGroup v2c iiidevops

view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.2
view    systemview    included   .1.3.6.1.2.1.25.1.1
view    systemview    included   .1.3.6.1.4.1.8072.1.3.2
:
extend wireguard /usr/bin/sudo /opt/openvpn-snmp-stats/openvpn.py

ln -s /var/log/openvpn/server.log /var/log/openvpn/openvpn-status.log
systemctl restart snmpd.service

可以至 LibreNMS 針對這台主機開啟 Applications → Wireguard 就可以出現類似以下的畫面

安裝 openvpn-monitor 強化監控

參考 - https://registry.hub.docker.com/r/ruimarinho/openvpn-monitor

在 openvpn server 開啟監控服務 Port Exp. 5555

vi /etc/openvpn/server.conf

:
status /var/log/openvpn/server.log
verb 4
management 0.0.0.0 5555
:

重啟 openvpn server 讓設定生效, 可以使用 netstat 查看是否 port 5555 已經開啟

root@ct-devops-vpn ~# netstat -lntp | grep openvpn
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      88842/openvpn       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      88842/openvpn

參考安裝 openvpn-monitor 監控線上使用者(Docker)

參考網址

openvpn, pve