How to setup OpenVPN on your VPS: Ubuntu 18.04

Who should read this tutorial:

This tutorial is written for novice level Linux users and DevOps folks who need to add encryption to their internet traffic.  A virtual private network (an encrypted network over the public internet) to access specific networks or services from the outside is the way to go.

What are we going to cover

  1. Walk through the installation of OpenVPN on Ubuntu 18.04
  2. How to install the OpenVPN client on a windows workstation
  3. Generate a certificate and connect to the VPN server

Why Would You Want to Do This?

The key benefit of a VPN is to access resources that are otherwise inaccessible from external networks while maintaining a minimum level of network security at the time.

Generally adding an encrypted virtual private network connection to your infrastructure is a good idea if:

  • you are not confident of the security of the network you are connecting from (public wifi anyone?)
  • the resources that you want to utilize lack inherent security (such as network communications that don’t support strong levels of encryption.)
  • attempting accessing resources that are protected by multiple levels of network security and should never be publicly accessible such as systems holding payment card, healthcare, or security data.

My personal use case is to access my home security system (MotionEye) while traveling on my laptop or on my mobile device so that I can keep an eye on my cats, dogs and fend off porch pirates.


Random internet cat

PRE-REQUISITES

We recommend:

  • Starting with a clean VPS
  • At least 512Mb of Ram
  • 15GB of free disk space
  • This tutorial is written for Ubuntu 18.04

Skills and Tools

  • You need to know how to SSH and get around the command line
  • An SSH client like Putty
  • An SFTP client like WinSCP
  • The ability to work with files and transfering files

First Step – Make Sure You Are at the Latest and Greatest

Connect to your VPS via SSH

Upgrade your repositories to make sure they are up to date.  We are installing git because this is about 500% faster if we use the fantastic script from Angristan.

$ sudo apt-get update && sudo apt-get upgrade

$ sudo apt-get install git

Do you know your public IP address and your private IP address if you are behind a NAT device (like a router?)

Get the IP from your server

$ ifconfig
eth0: flags=4163  mtu 1500
        inet 192.168.1.166  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::216:3cff:fe43:ba41  prefixlen 64 scopeid 0x20
        ether 00:16:3c:43:ba:41  txqueuelen 1000 (Ethernet)
        RX packets 11672693  bytes 1049010192 (1.0 GB)
        RX errors 0  dropped 0 overruns 0  frame 0
        TX packets 347581  bytes 57193541 (57.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0

--

If you are behind a device like a firewall or router I visit http://www.whatismyip.com to find my public IP since it is easier than logging into the router directly.

Make a note of these IP addresses on your scratch pad. You might need them later

The Actual Install starts here

The process with the openvpn-install.sh script is dead simple. We are going to clone the script from github.  Then, change into the directory that was created and make sure the script is executable and then bang, run that baby as root or with sudo!  That will kick off the installation dialogues and away you go.

$ cd ~ 
$ git clone https://github.com/angristan/openvpn-install openvpn-install
$ cd openvpn-install/
$ ls -l 
$ chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.

You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.

IP address: 192.168.1.111

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?

   1) Default: 1194
   2) Custom
   3) Random [49152-65535]

Port choice [1-3]: 2

Custom port [1-65535]: 7777     #YOU MIGHT WANT 80 or 443 if your local network is filtering things

What protocol do you want OpenVPN to use?

UDP is faster. Unless it is not available, you shouldn't use TCP.

   1) UDP
   2) TCP

Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?

   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Russia)

DNS [1-10]: 9

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.

Enable compression? [y/n]: n

Do you want to customize encryption settings?

Unless you know what you're doing, you should stick with the default parameters provided by the script.

Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.

Press any key to continue...

Tell me a name for the client.
Use one word only, no special characters.

Client name: chad

Do you want to protect the configuration file with a password?

(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client

Select an option [1-2]: 2

⚠ You will be asked for the client password below ⚠

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.hYBMPyHfHV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr  9 03:48:48 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated
Client chad added, the configuration file is available at /root/chad.ovpn.

Download the .ovpn file and import it in your OpenVPN client.

Checking Our Work

I like to hit https://www.whatismyip.com while I’m connected and make sure that I see the remote network in the returned page rather than the external IP of my local network.

Then I like to visit https://speedtest.net and see what kind of throughput I get out of the system.  I got 28.75Mbps down and 73.31 Mbps. Not bad at all!

User Management

To manage OpenVPN users on the system we just re-visit the installer and it will detect that OpenVPN has already been installed and proceed to give us 4 management options.

  1. Add a new user
  2. Revoke an existing user
  3. Remove OpenVPN
  4. Exit
-- 
$ ./openvpn-install.sh 
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit 

Select an option [1-4]: 1

Tell me a name for the client certificate.
Please, use one word only, no special characters.

Client name: chad

Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating a 2048 bit RSA private key
............+++
.........................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.YjDIHqlesv'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr 22 02:45:13 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Client chad added, configuration is available at: /root/chad.ovpn
root@ubuntu:~/openvpn-install#
--

Grab your SFTP client and download the username.ovpn certificate file to the workstation that is going to run the OpenVPN client.

Installing the Client on a Windows 10 Workstation

On the workstation download the appropriate client from OpenVPN  at https://openvpn.net/community-downloads/

Assuming Windows 10 download and run the installer and then in your system tray right click the little monitor with a lock on it  and Import your chad.ovpn file! Then Chad > Connect and you should be good to go.  I like to hit https://whatismyip.com while connected and verify that I’m showing the IP address of the OpenVPN server that I’m connected to and not the public IP address of my local network.

Installing the OpenVPN client on your iPhone

https://itunes.apple.com/us/app/openvpn-connect/id590379981 grab that thing from the App Store and then use a cloud file utility like google drive to get the chad.ovpn file or do something really insecure and email it to yourself…

References & Other Options

Alternatives to OpenVPN

About the Author

Sean Richards, CISSP,  is a 20 year linux enthusiast and security practitioner.  He loves family, animals, BBQ, and bicycles.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards

The post How to setup OpenVPN on your VPS: Ubuntu 18.04 appeared first on Low End Box.

How to Secure Apache with Let’s Encrypt Ubuntu 16.04

In this tutorial, we will examine how to secure Apache with Let’s Encrypt for the Ubuntu 16.04 operating system.   We will first examine an overview of Let’s Encrypt, certificate authorities, and then dive into a step by step guide to install & configure Let’s Encrypt on your Ubuntu 16.04 VPS servers and the review how to automatically renew SSL certificates.

What is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open Certificate Authority (CA), that provides the ability to secure a website. Let’s Encrypt also provides automation and tools to reduce setup and maintenance challenges needed to secure web servers using HTTPS (SSL/TLS).


Why use Let’s Encrypt as your Certificate Authority?

Let’s Encrypt is free, easy to create, configure, and renew certificates on web servers (like Apache).

Most administrators who host web servers have a goal of attracting new visitors along with retaining end-user attention – as this often translates into profits or a growing website community. People hosting web servers also want to reduce maintenance and cost.

End users, on the other hand, are motivated to visit websites that are safe and do not compromise their security.

To satisfy both administrators and end users, a Certificate Authority is used to validate the authenticity of the web server’s domain name.

Traditional CA (Certificate Authorities) solutions like Verisign required domain owners to pay a fee to use the CA services, this is no longer required when using Let’s Encrypt. The Let’s encrypt service is funded by sponsors and donors.


How Certificate Authority works

  1. The web server admin creates a private and public key pair. Using the public key the website admin will create a CSR (certificate signing request) and then send the CSR to a Certificate Authority.
  2. The Certificate Authority signs the CSR and returns a final certificate that the web server admin will install on their web server.
  3. The final certificate is signed by the Certificate Authorities private key and holds metadata about the admin’s web server.
  4. When a website visitor goes to the web page, the visitor’s browser will download the final certificate from the web server. The visitor’s browser will contact the Certificate Authority to make sure that the certificate downloaded from the website is valid.
  5. If the Certificate authority confirms that the certificate is authentic/valid, the website visitor will receive a green padlock in their browser in the URL address box. This will notify the end user that the website is safe to visit.


Prerequisites to installing Let’s Encrypt on Ubuntu

  1. You must be an administrator of the domain name you want to secure; for this tutorial, we will be using the DNS hostname “LetsEncryptTutorial.ddns.net.
  2. You need to have your public IP address.
  3. You must install Apache web server if it’s not already installed.


Install Apache

  1. Update the Ubuntu apt repository package definitions. Open a command line terminal and type “apt-update” or if you are logged in as a non-root user, type “sudo apt update”.

  1. To Install Apache: “apt install apache2 -y” or “sudo apt install apache2 -y”

  1. Change into the directory called /var/www/html and ensure an index.html file exists in the directory.

  1. Optional but recommended: Edit the default index.html title to be unique (example: Let’s Encrypt tutorial website) by adding “Let’s Encrypt tutorial” to the body. NOTE: This is simply to help you confirm the server is resolving and you are not accessing cached pages.

  1. If using systemd for startup restart Apache “systemctl restart apache2” or “sudo systemctl restart apache2” if using non-root user. If using init run “service apache2 restart”

  1. Confirm Apache is running properly on your system. If using systemd use “systemctl status apache2” and if using init use “service apache2 status”

  1. Confirm that the modified default Apache website is now available via a web browser

First, confirm that port 80 is open and working by going to the following URL,
http://:80 (you should see your edited webpage)

Next, confirm that the web server SSL port 443 is also open and working by going to the following,
https://:443

NOTE: When the server resolves in a browser using port 443 you will get a “Not Encrypted” or “Not Secure” error in the address bar. That’s ok.

Caution: Do not proceed to the following steps if you are not able to successfully reach your Apache server on both ports 80 and 443. If the server does not resolve to either port contact your network admins to ensure that both ports are configured to allow web traffic.

Once we know Apache is resolving correctly, we can move on to the next section of this tutorial.


How to set up Let’s Encrypt on Apache

  1. Install common tools “apt-get install software-properties-common -y” if logged in as root user

  1. Add the apt component for installing new repositories, by running: “add-apt-repository universe”

  1. Add certbot to the list of apt repositories “add-apt-repository ppa:certbot/certbot”

  1. Update apt to detect the newly added repositories: “apt update”

  1. Install certbot to create and renew certificates using let’s encrypt: “apt-get install certbot python-certbot-apache -y”

  1. Run the certbot command to create SSL for your domain.

  1. Now visit https:// to verify that your new certificate works properly and your website has a valid certificate. You will notice a green lock icon confirming a secured connection is established with your Apache server. Click the green lock to get details about the SSL certificate.


How to automate the renewal of Let’s Encrypt

It is highly recommended to automate the renewal of your certificate to avoid http traffic interruption due to an expired SSL certificate. For Example; on the Apache server you can create a cron job to renew the certificate every month on the 10th at 6:04 am using cron by typing “sudo crontab -e” and at the bottom add the following line (below) and save/exit.

4 6 10 * * certbot –apache –force-renewal renew –quiet


EOF

The post How to Secure Apache with Let’s Encrypt Ubuntu 16.04 appeared first on Low End Box.