===== OpenVPN with a 6in4 tunnel for Debian 10 (Buster) =====

Adapted from [[https://wiki.quietlife.nl/doku.php?id=manuals:networking:openvpn-6in4|Quietlife wiki]] to reflect changes in easy-rsa distributed by Debian 10.

\\
==== Server installation ====

Install the packages:

<code bash>
sudo apt install openvpn easy-rsa
</code>

Copy an example config file:

<code bash>
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | \
sudo tee /etc/openvpn/server.conf
</code>

Some example values are used. The WAN IP addresses ''111.222.333.444/32'' and ''2001:1:2:3:4:5:6::/64'' are made up. Also, ethernet interface ''enp0s25'' will very likely be different on your system.\\
\\

==== Main server configuration ====

<file bash /etc/openvpn/server.conf>
# Listen on UDP port 1194
port 1194
proto udp
proto udp6

# Use a tun device and push an IPv6 tunnel to clients
dev tun

# Certificate settings
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# Create subnets for the clients
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:1:2:3:80::/112

# Have all traffic go through the VPN
push "redirect-gateway def1 bypass-dhcp"

## OpenDNS is used in this example, but anything reachable by the VPN server will work
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Allow direct client-to-client connections
client-to-client

# Ping every 10 seconds, assume disconnect after 120 seconds
keepalive 10 120

# TLS parameters
## This is the server
tls-auth ta.key 0
key-direction 0
## Use strong ciphers
cipher AES-256-CBC
auth SHA512

# Run the daemon with minimal privileges
user nobody
group nogroup
persist-key
persist-tun

# Logging settings
status openvpn-status.log
verb 3
explicit-exit-notify 1
</file>
\\

==== Networking configuration ====

Allow packet forwarding and enable the IPv6 neighbour detection proxy:

<file bash /etc/sysctl.conf>
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
</file>

Load the kernel parameters:

<code bash>
sudo sysctl -p
</code>
\\

=== SLAAC ===

If your server gets its IPv6 configuration through SLAAC, also do this:

<file bash /etc/sysctl.conf>
net.ipv6.conf.all.accept_ra=2
net.ipv6.conf.default.accept_ra=2
</file>

Load the kernel parameters:

<code bash>
sudo sysctl -p
</code>

Force acceptance of router advertisements for the WAN ethernet interface:

<code bash>
# This setting is not inherited from 'all' or 'default' when the interface is already up.
# It will be inherited after the next reboot, so this only has to be done once.
sudo su -c 'echo 2 > /proc/sys/net/ipv6/conf/enp0s25/accept_ra'
</code>
\\

=== Firewall rules ===

Allow masquerading for the OpenVPN subnet:

<file bash /etc/ufw/before.rules>
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o enp0s25 -j MASQUERADE
COMMIT
</file>

<file bash /etc/ufw/before6.rules>
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 2001:1:2:3:80::/112 -o enp0s25 -j MASQUERADE
COMMIT
</file>

Don't drop forwarded packets:

<file bash /etc/default/ufw>
DEFAULT_FORWARD_POLICY="ACCEPT"
</file>

Allow incoming connections on UDP port 1194 and restart the firewall:

<code bash>
sudo ufw allow 1194/udp
sudo ufw disable && sudo ufw enable
</code>
\\

==== Setting up your own certificate authority ====

Create a working directory:

<code bash>
cd
make-cadir openvpn-ca
cd openvpn-ca/
</code>

Fill in these variables as desired (saves time):

<file bash openvpn-ca/vars>
export KEY_COUNTRY="..."
export KEY_PROVINCE="..."
export KEY_CITY="..."
export KEY_ORG="..."
export KEY_EMAIL="..."
export KEY_OU="..."
</file>

Clean the directory:

<code bash>
./easyrsa init-pki
</code>

Build a certificate authority:

<code bash>
./easyrsa build-ca nopass
</code>

Build a server key called ''server'':

<code bash>
./easyrsa build-server-full server nopass
</code>

Build a Diffie-Hellman key:

<code bash>
./easyrsa gen-dh
</code>

Generate a pre-shared key:

<code bash>
/usr/sbin/openvpn --genkey --secret pki/ta.key
</code>

Copy the generated keys to the server configuration directory:

<code bash>
cd pki/
sudo cp ca.crt private/ca.key issued/server.crt private/server.key ta.key dh.pem /etc/openvpn/
sudo mv /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem
</code>

Restart the server:

<code bash>
sudo systemctl daemon-reload
sudo systemctl restart openvpn@server.service
</code>
\\

==== Creating configuration files automatically ====

Create a working directory next to ''openvpn-ca'':

<code bash>
cd ../../
mkdir -p client-configs/files/
cd client-configs/
</code>
\\

=== Client configuration ===

Add a base configuration file for your clients:

<file bash base.conf>
# Specify that we are a client
client

# Use the same setting as you are using on the server
dev tun

# Connect to the server on UDP port 1194
proto udp
remote vpn.quietlife.nl 1194

# Run the daemon with minimal privileges
user nobody
group nogroup

# Unset these defaults (certificates will be provided by the .ovpn file)
#ca ca.crt
#cert client.crt
#key client.key

# Use strong ciphers
cipher AES-256-CBC
auth SHA512

# This is the client
key-direction 1

# Run these scripts after connecting (sets up DNS)
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .
</file>
\\

=== Build script ===

Add a configuration build script:

<file bash make_config.sh>
#!/bin/bash

KEY_DIR=../openvpn-ca/pki
OUTPUT_DIR=./files
BASE_CONFIG=./base.conf

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/issued/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/private/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
</file>

Make it executable:

<code bash>
chmod 770 ./make_config.sh
</code>
\\

==== Generating client certificates and configurations ====

Create and store a new password for the client, for example using ''[[start:pass|pass]]'' (on your laptop):
<code bash>
pass generate --clip openvpn/$name-clientkey 20
</code>

Build a client certificate with password:

<code bash>
cd ~/openvpn-ca/
./easyrsa build-client-full $name
</code>

Create a client configuration file:

<code bash>
cd ../client-configs/
./make_config.sh $name
</code>

The resulting configuration will be in ''client-configs/files/$name.ovpn''

Copy this to your client with SFTP. Repeat as many times as desired.\\
\\

==== Revoking a client certificate ====

Revoke the certificate:

<code bash>
cd ~/openvpn-ca/
./easyrsa revoke $name
./easyrsa gen-crl
</code>

Copy the revocation list to the server configuration directory:

<code bash>
sudo cp ./pki/crl.pem /etc/openvpn/
</code>

Make sure that the OpenVPN server configuration file contains this line:

<file bash /etc/openvpn/server.conf>
crl-verify crl.pem
</file>

Then restart the server:

<code bash>
sudo systemctl restart openvpn@server
</code>
\\

==== Client installation ====

Use the password you generated earlier (on laptop):
<code bash>
pass --clip openvpn/$name-clientkey
</code>

=== GNU/Linux (Debian) ===

<code bash>
sudo apt install network-manager-openvpn-gnome
</code>

Then simply import the ''.ovpn'' file and use the password. 
\\
For more information, see [[https://help.gnome.org/users/gnome-help/stable/net-vpn-connect.html|GNOME Help on Connecting to VPN]] (In step 5, choose ''Import from file'').

=== Android ===

Install and open [[https://f-droid.org/en/packages/de.blinkt.openvpn|OpenVPN for Android]].
Then simply import the ''.ovpn'' file and use the password.

----