Walkthrough for an OpenVPN installation for easyGateway

Tested only on a Netgate SG-4860-1U

  1. Install mandatory packages
    apt-get update
    apt-get install openvpn openssl curl jq vim --no-install-recommends
  2. The Debian jessie (8) and stretch (9) repositories have an old easy-rsa version (2.2) and we need at least 3.0.4, so we use the GitHub release.
    # note: --no-check-certificate skips TLS verification of this download
    wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
    tar -xvzf EasyRSA-3.0.4.tgz
    rm EasyRSA-3.0.4.tgz
    mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
We don't use the git clone version because we would need to run the build.sh script with the --version=3.0.4 option to generate the final version.
  1. Generate a 2048-bit RSA public/private key pair for centrale, with server5 (use the sub CA), and add them in
    vim /etc/openvpn/server/port_number.key
    vim /etc/openvpn/server/port_number.crt
    chmod 660 /etc/openvpn/server/port_number.key /etc/openvpn/server/port_number.crt # both files must belong to root:root
  2. Generate the Diffie-Hellman parameters file
    openssl dhparam -out /etc/openvpn/server/dh.pem 2048
  3. Generate an additional key for tls-auth mode
    openvpn --genkey --secret /etc/openvpn/server/ta.key
  4. Add the root CA and sub CA to the ca.crt file (root CA first!)
    vim /etc/openvpn/server/ca.crt
  5. Add the OpenVPN server configuration file (the file is normally stored in git)
    cp /home/acdsn/git/fw-rules/port_number/server.conf
  6. Edit the init.d file, replace *.conf (3 occurrences) with server.conf and launch OpenVPN
    vim /etc/init.d/openvpn
    systemctl daemon-reload
    /etc/init.d/openvpn start #check with ps -Af | grep openvpn
  7. Add the file for the CRL download
    touch /etc/openvpn/server/ca_crl.pem
    chmod 666 /etc/openvpn/server/ca_crl.pem
  8. Add client directories (as acdsn)
    mkdir /etc/acdsn/conf.d/client
    mkdir /etc/acdsn/conf.d/spool/client
  9. If necessary, generate an organisation token with easygateway-web
  10. Edit the acdsn crontab and add (a git pull of easygateway-scripts may be necessary):
    @daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem 
    */5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc
  11. Update fw-rules and pull the new configuration.
    1. create a new interface
    2. create a new network (by default, use 192.168.60.0)
    3. add the new network in rules 1 and 6
    4. add masquerade in epilog
      #iptables -t nat -A POSTROUTING -o lan1 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan2 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan3 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan4 -j MASQUERADE
      #iptables -t nat -A POSTROUTING -o lan5 -j MASQUERADE
    5. git pull
    6. Uncomment the lan lines specified in epilog, when VPN is necessary
    7. reload
      /home/acdsn/git/fw-rules/port_number/port_number.fw reload
  12. Give it a try!
    1. get the config file from easygateway-web
    2. connect to centrale with Tunnelblick
    3. try ping or VNC over the VPN
  13. Monit openvpn?
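
The daily CRL download in the crontab step writes curl's output straight over /etc/openvpn/server/ca_crl.pem, so a failed or tampered download replaces the live CRL. The script below is an added example, not part of the original walkthrough or of easygateway-scripts: it downloads to a temporary file and overwrites the live CRL only if the candidate is signed by a CA in ca.crt. The function names are hypothetical, and it assumes the CA bundle from step 4 contains the CRL issuer.

```shell
#!/bin/sh
# Added example: validate a downloaded CRL before it replaces the live one.
CRL_URL="https://www.easygateway.co/ca_crl.pem"   # URL from the crontab line
CRL_DEST="/etc/openvpn/server/ca_crl.pem"         # file created in step 7
CA_FILE="/etc/openvpn/server/ca.crt"              # assumption: holds the CRL issuer

# crl_is_valid FILE CA_BUNDLE -> 0 only if FILE is a CRL signed by a CA in CA_BUNDLE
crl_is_valid() {
    [ -s "$1" ] || return 1
    # -CAfile makes openssl check the CRL signature. Some releases exit 0 even
    # on "verify failure", so match the status text instead of the exit code.
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# install_crl CANDIDATE DEST CA_BUNDLE -> overwrite DEST only with a valid CRL
install_crl() {
    if ! crl_is_valid "$1" "$3"; then
        echo "CRL rejected, keeping $2" >&2
        return 1
    fi
    # cat keeps DEST's inode, owner and mode, so write access to the file
    # itself (the chmod in step 7) is enough for the acdsn user.
    cat "$1" > "$2"
}

# refresh_crl -> download to a temp file, then validate and install
refresh_crl() {
    tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --max-time 60 -o "$tmp" "$CRL_URL"; then
        install_crl "$tmp" "$CRL_DEST" "$CA_FILE"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only touch the network when called with "run", e.g. from the crontab entry.
if [ "${1:-}" = "run" ]; then
    refresh_crl
fi
```

Saved under a path of your choice, the script is called with the argument `run` from the acdsn crontab in place of the direct curl line.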