In this part I will walk through setting up a home VPN system.
1) Install OpenVPN Server
I am installing on Ubuntu.
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh
Run the script to set up the OpenVPN server.
root@ip-10-195-92-26:~/openvpn# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 54.71.40.11 (This is IP that is connected by )
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 2
Custom port [1-65535]: 443
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 2
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 9
Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Hit:1 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [83.3 kB]
Hit:4 https://deb.nodesource.com/node_14.x bionic InRelease
Hit:5 https://packages.microsoft.com/ubuntu/18.04/prod bionic InRelease
Get:6 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:7 https://download.mono-project.com/repo/ubuntu stable-bionic InRelease
Fetched 261 kB in 1s (300 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
This step also creates a user, but I forgot to take a screenshot.
No matter, move on to the next step.
2) OpenVPN Client
2.1) Create OpenVPN Client.
Now you need to generate a configuration file for the client.
root@ip-10-195-92-26:~/openvpn# ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 1
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: lac_phan
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 2
⚠️ You will be asked for the client password below ⚠️
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-26953.24JWu6/tmp.2aH2ez'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-26953.24JWu6/tmp.hxugDk
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'lac_phan'
Certificate is to be certified until Feb 17 11:48:19 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Client lac_phan added.
The configuration file has been written to /home/ubuntu/lac_phan.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
2.2) Configure OpenVPN on Ubuntu desktop
How to disable the default route through tun0.
Edit the VPN connection -> IPv4 Settings -> click “Routes”, and finally check “Use this connection only for resources on its network”.
Now show the route table again.
3) Configure OpenVPN
3.1) Not allowing all client traffic to go through the OpenVPN server
The requirement is as follows:
When you access a server on the company's internal network, the packets are sent through the VPN.
When you access YouTube or Facebook, the traffic does not go through the VPN.
Step 1: comment out the line below with ";".
;#### comment out the line below so that all client traffic does not go through the openvpn-server ####
;push "redirect-gateway def1 bypass-dhcp"
Next, configure routing and assign a DNS server to the client:
;########## configure local routes as below ##########
push "dhcp-option DNS 8.8.8.8"
push "route 8.8.8.8 255.255.255.255"
push "route 192.168.1.0 255.255.255.0"
Pay attention here.
The OpenVPN server assigns DNS server 8.8.8.8 to the client: push "dhcp-option DNS 8.8.8.8"
If the client resolves the domain nimtechnology.com by sending a packet to 8.8.8.8 port 53 and that packet does not go through the VPN, it will be blocked.
Therefore we must create a route so that 8.8.8.8 goes through the VPN: push "route 8.8.8.8 255.255.255.255"
With Ubuntu
On Ubuntu desktop you also need to do this:
Edit the VPN connection -> IPv4 Settings -> click “Routes”, and finally check “Use this connection only for resources on its network”.
This removes the default route that OpenVPN pushes.
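The split-tunnel setup of section 3.1 has one easy-to-miss failure: a DNS server pushed with dhcp-option but not covered by any pushed route, so name lookups leave the tunnel and get blocked. The following checker, added here as an example and not the author's or the OpenVPN project's code, parses the push directives of a server config (a constructed excerpt, with the route for 8.8.8.8 deliberately omitted), reports that gap plus a still-active redirect-gateway, and appends the missing /32 routes.

```python
import ipaddress
import re

# Constructed excerpt of an OpenVPN server config (not the author's file): redirect-gateway
# is commented out as in section 3.1, but the route for the pushed DNS server is left out.
SAMPLE_CONF = """\
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "route 192.168.1.0 255.255.255.0"
"""

def parse_push(conf):
    """Return the active (uncommented) push directives as token lists."""
    pushes = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # OpenVPN comment markers
            continue
        m = re.match(r'push\s+"([^"]*)"', line)
        if m:
            pushes.append(m.group(1).split())
    return pushes

def _routes(pushes):
    return [(p[1], p[2]) for p in pushes if p[:1] == ["route"] and len(p) >= 3]
def _dns_servers(pushes):
    return [p[2] for p in pushes if p[:2] == ["dhcp-option", "DNS"] and len(p) == 3]

def _routed(ip, routes):
    # True if ip falls inside any pushed 'route <network> <netmask>'
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
               for net, mask in routes)

def check_split_tunnel(conf):
    """List split-tunnel problems; an empty list means the config is consistent."""
    pushes = parse_push(conf)
    problems = []
    if any(p[:1] == ["redirect-gateway"] for p in pushes):
        problems.append("redirect-gateway still pushed: all client traffic uses the VPN")
    for server in _dns_servers(pushes):
        if not _routed(server, _routes(pushes)):
            problems.append(f"DNS {server} pushed without a route: lookups bypass the tunnel")
    return problems

def add_dns_routes(conf):
    """Append a /32 route for each pushed DNS server that no pushed route covers."""
    pushes = parse_push(conf)
    missing = [s for s in _dns_servers(pushes) if not _routed(s, _routes(pushes))]
    extra = "".join(f'push "route {s} 255.255.255.255"\n' for s in missing)
    return conf.rstrip("\n") + "\n" + extra if missing else conf
```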
3.2) Use OAuth to log in via OpenVPN
https://medium.com/@jkroepke/openvpn-sso-via-oauth2-ab2583ee8477
https://github.com/jkroepke/openvpn-auth-oauth2
4) Remove the user on OpenVPN.
Run the openvpn-install.sh script.
Choose "Revoke existing user".
Remove user in /etc/openvpn/easy-rsa/pki/index.txt.
For example, I will remove the hau_t_tran user by deleting the line below.
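To find the right line before editing index.txt, it helps to know its layout: it is the OpenSSL CA database that Easy-RSA maintains, one tab-separated entry per certificate with a status flag (V valid, R revoked, E expired), expiry, revocation date, serial, filename and subject. The parser below is an added example, not the page's or Easy-RSA's code; the sample entries, serials and the server_example name are constructed, with the expiry taken from the certificate date shown in section 2.1.

```python
# Constructed sample of /etc/openvpn/easy-rsa/pki/index.txt, the OpenSSL CA database
# Easy-RSA keeps (tab-separated: status, expiry, revocation date, serial, filename,
# subject). The entries and serials are made up for this example.
SAMPLE_INDEX = (
    "V\t250217114819Z\t\t01\tunknown\t/CN=server_example\n"
    "V\t250217114819Z\t\t02\tunknown\t/CN=lac_phan\n"
    "R\t250217114819Z\t221115120000Z\t03\tunknown\t/CN=hau_t_tran\n"
)

STATUS = {"V": "valid", "R": "revoked", "E": "expired"}

def _cn(subject):
    """Extract the CN (the client name) from a subject such as '/CN=lac_phan'."""
    return next((part[3:] for part in subject.split("/") if part.startswith("CN=")), "")

def parse_index(text):
    """Parse index.txt lines into dicts with a readable status."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        entries.append({"status": STATUS.get(status, status), "expires": expires,
                        "revoked": revoked, "serial": serial, "cn": _cn(subject)})
    return entries

def entries_for(text, client):
    """Return the index entries whose CN matches the client name."""
    return [e for e in parse_index(text) if e["cn"] == client]

def remove_client(text, client):
    """Drop every index line for the client (step 4); also return how many
    lines went so the caller can confirm exactly one entry was touched."""
    kept, dropped = [], 0
    for line in text.splitlines():
        if line.strip() and _cn(line.split("\t")[-1]) == client:
            dropped += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped
```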