Ajenti + OpenVPN server
I don’t have time to explain every step; copy/paste and modify as you please. This will get your Ajenti box up and running as an OpenVPN server.
Prerequisite: Ajenti with OpenVPN plugin installed.
OpenVPN plugin configured as follows:
Management address – 127.0.0.1:40000
Password – whatever you choose; it must be the same password you put in /etc/openvpn/auth.txt below.
OpenVPN and easy-rsa installation:
apt-get install easy-rsa openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
cd /etc/openvpn/
Make the following changes:
vi server.conf
+ management 127.0.0.1 40000 /etc/openvpn/auth.txt
- ;push "redirect-gateway def1 bypass-dhcp"
+ push "redirect-gateway def1 bypass-dhcp"
- ;push "dhcp-option DNS 208.67.222.222"
- ;push "dhcp-option DNS 208.67.220.220"
+ push "dhcp-option DNS 89.233.43.71"
+ push "dhcp-option DNS 91.239.100.100"
- dh dh1024.pem
+ dh dh2048.pem
- ;user nobody
- ;group nogroup
+ user nobody
+ group nogroup
— EXIT —
Put the management password (one line, the same one you entered in the Ajenti plugin) in:
vi /etc/openvpn/auth.txt
— EXIT —
Enable packet forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
- #net.ipv4.ip_forward=1
+ net.ipv4.ip_forward=1
— EXIT —
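The server.conf edits, the password file and the forwarding change above, applied non-interactively and checked, as an added example that is not part of the original post. It runs on a constructed copy of the relevant sample-config lines rather than on the live /etc/openvpn/server.conf, and the password it writes is a constructed placeholder; point it at the real paths on your box.

```shell
#!/bin/sh
# Added example (not from the original post): apply the server.conf edits
# from this guide, write the management password file readable by root only,
# and verify the result. The demo at the bottom uses a constructed copy of
# the sample-config lines and a constructed placeholder password.
set -eu

# Uncomment the directives this guide enables, swap the DNS pushes, move to
# dh2048.pem and add the management line. Safe to run more than once.
apply_server_conf_changes() {
    conf="$1"; pw_file="$2"
    tmp="$conf.tmp"
    sed -e 's/^;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' \
        -e 's/^;push "dhcp-option DNS 208\.67\.222\.222"/push "dhcp-option DNS 89.233.43.71"/' \
        -e 's/^;push "dhcp-option DNS 208\.67\.220\.220"/push "dhcp-option DNS 91.239.100.100"/' \
        -e 's/^dh dh1024\.pem/dh dh2048.pem/' \
        -e 's/^;user nobody/user nobody/' \
        -e 's/^;group nogroup/group nogroup/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
    # Management interface: loopback only, protected by the password file.
    grep -q '^management 127\.0\.0\.1 40000 ' "$conf" ||
        printf 'management 127.0.0.1 40000 %s\n' "$pw_file" >> "$conf"
}

# Whoever can read this file can drive the management interface (and so the
# daemon), so it is created and kept readable by root alone.
write_mgmt_password() {
    pw_file="$1"; password="$2"
    ( umask 077; printf '%s\n' "$password" > "$pw_file" )
    chmod 600 "$pw_file"
}

# 0 if every directive the guide relies on is active and no management line
# listens anywhere other than 127.0.0.1; 1 otherwise.
server_conf_ok() {
    conf="$1"
    for want in 'push "redirect-gateway def1 bypass-dhcp"' \
                'dh dh2048.pem' 'user nobody' 'group nogroup' \
                'management 127.0.0.1 40000 '; do
        grep -q "^$want" "$conf" || return 1
    done
    if grep '^management ' "$conf" | grep -qv '^management 127\.0\.0\.1 '; then
        return 1
    fi
    return 0
}

# --- demo on constructed data (not the real /etc/openvpn/server.conf) ---
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
dh dh1024.pem
;user nobody
;group nogroup
EOF
apply_server_conf_changes "$demo/server.conf" "$demo/auth.txt"
write_mgmt_password "$demo/auth.txt" "constructed-demo-password"
if server_conf_ok "$demo/server.conf"; then
    echo "server.conf passes checks:"; cat "$demo/server.conf"
fi
rm -rf "$demo"
```

The check function is the part worth keeping around: run it against the live file after any edit, since a management line bound to 0.0.0.0 would expose the daemon's control channel to the network, protected only by the password in auth.txt.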
Generate the server CA and the server certificate:
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
vi /etc/openvpn/easy-rsa/vars
Edit these lines to reflect your organisation and location:
export KEY_COUNTRY="XX"
export KEY_PROVINCE="XXXXXX"
export KEY_CITY="XXXXXX"
export KEY_ORG="XXXXXXX"
export KEY_EMAIL="XXX@XXXXXX.net"
export KEY_OU="XXXXXXX"
## KEY_NAME is the server name you pass to build-key-server below; the resulting
## YourServerName.crt/.key must match the cert/key lines in openvpn/server.conf
## (server.crt/server.key in the sample file)
export KEY_NAME="YourServerName"
— EXIT —
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server YourServerName
(This is the server name you chose in KEY_NAME above. Leave the challenge password and optional company name blank, just hit Enter. Answer y to sign the certificate and y to commit.)
cp /etc/openvpn/easy-rsa/keys/{YourServerName.crt,YourServerName.key,ca.crt} /etc/openvpn
(make sure the cert and key lines in /etc/openvpn/server.conf name YourServerName.crt and YourServerName.key; the sample file uses server.crt/server.key)
service openvpn restart
Generate your first client:
cd /etc/openvpn/easy-rsa
./build-key user1
(answer the prompts exactly as you did for the server certificate above)
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/user.ovpn
vi /etc/openvpn/easy-rsa/user.ovpn
(edit to reflect your server: set remote to your server's public address and port, and point ca, cert and key at ca.crt, user1.crt and user1.key)
cp /etc/openvpn/easy-rsa/user.ovpn /etc/openvpn/easy-rsa/keys/user1.ovpn
Copy the following files to your client:
/etc/openvpn/easy-rsa/keys/user1.crt
/etc/openvpn/easy-rsa/keys/user1.key
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/user1.ovpn
— Enjoy —
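Instead of handing the user four separate files, the same material can be bundled into one inline .ovpn profile. The script below does that, as an added example that is not part of the original post: file names follow the guide (user1.ovpn, user1.crt, user1.key, ca.crt), the PEM contents in the demo are constructed placeholders rather than real certificates or keys, and the finished profile is written readable by its owner only because it now carries the private key.

```shell
#!/bin/sh
# Added example (not from the original post): bundle the client files listed
# in the guide into one inline .ovpn profile with the CA, certificate and
# private key embedded. The demo data at the bottom is constructed.
set -eu

# Print one inline block, keeping only the PEM part of the file: easy-rsa
# .crt files start with a human-readable dump that clients do not need.
embed_pem() {
    tag="$1"; pem="$2"
    printf '<%s>\n' "$tag"
    sed -n '/^-----BEGIN/,/^-----END/p' "$pem"
    printf '</%s>\n' "$tag"
}

# Emit the profile on stdout: the template minus its ca/cert/key file
# references, followed by the three embedded blocks.
make_inline_ovpn() {
    keys_dir="$1"; name="$2"
    grep -Ev '^(ca|cert|key) ' "$keys_dir/$name.ovpn"
    embed_pem ca   "$keys_dir/ca.crt"
    embed_pem cert "$keys_dir/$name.crt"
    embed_pem key  "$keys_dir/$name.key"
}

# Write the profile with mode 0600: it contains the user's private key.
write_inline_profile() {
    keys_dir="$1"; name="$2"; out="$3"
    ( umask 077; make_inline_ovpn "$keys_dir" "$name" > "$out" )
}

# 0 if the profile is self-contained: all three blocks embedded, no stray
# file references left, and not group/world readable.
profile_ok() {
    out="$1"
    for tag in ca cert key; do
        grep -q "^<$tag>" "$out" || return 1
        grep -q "^</$tag>" "$out" || return 1
        grep -q "^$tag " "$out" && return 1
    done
    [ "$(ls -l "$out" | cut -c1-10)" = "-rw-------" ]
}

# --- demo on constructed data (placeholder PEM blocks, not real keys) ---
demo=$(mktemp -d)
printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.net 1194' \
    'ca ca.crt' 'cert user1.crt' 'key user1.key' > "$demo/user1.ovpn"
printf '%s\n' 'Certificate:' '    Data: (constructed placeholder)' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' \
    '-----END CERTIFICATE-----' > "$demo/ca.crt"
cp "$demo/ca.crt" "$demo/user1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' \
    '-----END PRIVATE KEY-----' > "$demo/user1.key"
write_inline_profile "$demo" user1 "$demo/user1-inline.ovpn"
profile_ok "$demo/user1-inline.ovpn" && cat "$demo/user1-inline.ovpn"
rm -rf "$demo"
```

On the real box, call write_inline_profile /etc/openvpn/easy-rsa/keys user1 /root/user1-inline.ovpn and deliver that single file over a channel you trust; the key inside it is exactly as sensitive as user1.key on its own.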
If you are running ufw, as I am, you need to allow the VPN port and let forwarded traffic through.
ufw allow 1194/udp
vi /etc/default/ufw
- DEFAULT_FORWARD_POLICY="DROP"
+ DEFAULT_FORWARD_POLICY="ACCEPT"
— EXIT —
vi /etc/ufw/before.rules
Add this at the top of the file, before the *filter line (replace eth0 with your Internet-facing interface):
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients (10.8.0.0/24, the sample server.conf subnet) out via eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 127.0.0.1 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
— EXIT —
ufw reload
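The before.rules edit above, done by a script that detects the egress interface, inserts the NAT block once ahead of the *filter table, and checks the placement, as an added example that is not part of the original post. It masquerades only the client subnet (10.8.0.0/24, matching the sample server.conf) and parameterises the interface instead of hard-coding eth0; the demo runs on a constructed copy of before.rules, not the live file.

```shell
#!/bin/sh
# Added example (not from the original post): generate and insert the ufw
# NAT block for the VPN subnet, once, at the top of before.rules. The demo
# at the bottom uses a constructed stand-in for /etc/ufw/before.rules.
set -eu

# Interface carrying the default route (eth0, ens3, ...); empty if unknown.
default_iface() {
    ip -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }' |
        head -n1
}

# The NAT block. Masquerade only the VPN client subnet, nothing wider: a /8
# here would NAT every 10.x address that reaches this host.
nat_block() {
    subnet="$1"; iface="$2"
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients ($subnet) out via $iface
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# Prepend the block to before.rules unless one is already present, so the
# nat table comes before the *filter table that the file already has.
insert_nat_block() {
    rules="$1"; subnet="$2"; iface="$3"
    if grep -q '^# START OPENVPN RULES' "$rules"; then
        return 0
    fi
    tmp="$rules.tmp"
    { nat_block "$subnet" "$iface"; cat "$rules"; } > "$tmp"
    mv "$tmp" "$rules"
}

# 0 if exactly one OpenVPN block exists and its *nat table precedes *filter.
nat_block_ok() {
    rules="$1"
    [ "$(grep -c '^# START OPENVPN RULES' "$rules")" -eq 1 ] || return 1
    start=$(grep -n '^\*nat' "$rules" | head -n1 | cut -d: -f1)
    filt=$(grep -n '^\*filter' "$rules" | head -n1 | cut -d: -f1)
    [ -n "$start" ] && [ -n "$filt" ] && [ "$start" -lt "$filt" ]
}

# --- demo on a constructed before.rules (not /etc/ufw/before.rules) ---
demo=$(mktemp -d)
printf '%s\n' '# rules.before (constructed)' '*filter' \
    ':ufw-before-input - [0:0]' '-A ufw-before-input -i lo -j ACCEPT' \
    'COMMIT' > "$demo/before.rules"
iface=$(default_iface); iface=${iface:-eth0}
insert_nat_block "$demo/before.rules" 10.8.0.0/24 "$iface"
if nat_block_ok "$demo/before.rules"; then
    echo "NAT block placed before *filter using $iface:"
    cat "$demo/before.rules"
fi
rm -rf "$demo"
```

After running it against the real file, ufw reload loads both tables; nat_block_ok is cheap enough to keep in a post-deploy check so a second edit never leaves two *nat sections in the file.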