Initial Setup
Add swap
Install nginx
Install Mackerel Agent
Configure Nginx
Check the default max file descriptor limit of the running nginx process.
$ grep "^Max open files" /proc/`cat /var/run/nginx.pid `/limits
Max open files 1024 524288 files
Raise the max file descriptor limit through a systemd override.
$ sudo systemctl edit nginx.service
Add the following lines.
[Service]
LimitNOFILE=65536
Restart Nginx as follows.
$ sudo systemctl restart nginx
Check the max file descriptor limit again and compare it with the default.
$ grep "^Max open files" /proc/`cat /var/run/nginx.pid `/limits
Max open files 65536 65536 files
Configure Let's Encrypt
Install certbot as follows.
Certbot Instructions | Certbot
Restore the Let's Encrypt config from a backup taken on cdsl-vm-1.
# cdsl-vm-1
zip -ry lets.zip /etc/letsencrypt
# cdsl-vm-2
unzip lets.zip
sudo cp -r etc/letsencrypt /etc
Check the certificates with certbot (the subcommand is "certificates").
sudo certbot certificates
Configure OpenVPN
Install OpenVPN Server as follows.
OpenvpnSoftwareRepos – OpenVPN Community
Upgrade the OpenVPN Server version from 2.4.4 to 2.5.4.
koyama@cdsl-vm-1:/var/log$ openvpn --version
OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
koyama@cdsl-vm-2:/var/log$ openvpn --version
OpenVPN 2.5.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 5 2021
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Originally developed by James Yonan
Fix the configs to clear the following warnings in the logs.
WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
ref. https://community.openvpn.net/openvpn/wiki/Topology
2021-11-17 00:26:38 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Install EasyRSA
Install easy-rsa as follows (the release is a gzipped tarball, so extract it with tar, not unzip).
cd /etc/openvpn
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
sudo tar xzf EasyRSA-3.0.8.tgz
Setup PKI
Set up the PKI with easy-rsa as follows.
$ cd /etc/openvpn/EasyRSA-3.0.8/
$ sudo ./easyrsa init-pki
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/EasyRSA-3.0.8/keys
Note: using Easy-RSA configuration from: /etc/openvpn/EasyRSA-3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/EasyRSA-3.0.8/pki
The PKI directory has the following structure.
An Easy-RSA PKI contains the following directory structure:
* private/ - dir with private keys generated on this host
* reqs/ - dir with locally generated certificate requests (for a CA imported requests are stored here)
The files generated by the next step are described as follows.
When building a CA, a number of new files are created by a combination of Easy-RSA and (indirectly) openssl. The important CA files are:
* ca.crt - This is the CA certificate
* index.txt - This is the "master database" of all issued certs
* serial - Stores the next serial number (serial numbers increment)
* private/ca.key - This is the CA private key (security-critical)
* certs_by_serial/ - dir with all CA-signed certs by serial number
* issued/ - dir with issued certs by commonName
Build Certificate Authority (CA)
$ sudo ./easyrsa build-ca nopass
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/EasyRSA-3.0.8/keys
Note: using Easy-RSA configuration from: /etc/openvpn/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
..............................................................................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:cdsl-vm-2
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/EasyRSA-3.0.8/pki/ca.crt
Create Server Key
Create an RSA private key and certificate request for the server.
$ sudo ./easyrsa gen-req cdsl-vm-2 nopass
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/EasyRSA-3.0.8/keys
Note: using Easy-RSA configuration from: /etc/openvpn/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
............+++++
............................+++++
writing new private key to '/etc/openvpn/EasyRSA-3.0.8/pki/easy-rsa-29370.UJ38MF/tmp.W1EuhZ'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [cdsl-vm-2]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/EasyRSA-3.0.8/pki/reqs/cdsl-vm-2.req
key: /etc/openvpn/EasyRSA-3.0.8/pki/private/cdsl-vm-2.key
Sign the request as the correct type. This example uses a server type:
$ sudo ./easyrsa sign-req server cdsl-vm-2
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = cdsl-vm-2
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/EasyRSA-3.0.8/pki/easy-rsa-24894.VCtkkU/tmp.5mBwFN
Enter pass phrase for /etc/openvpn/EasyRSA-3.0.8/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'cdsl-vm-2'
Certificate is to be certified until Feb 20 03:16:55 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/EasyRSA-3.0.8/pki/issued/cdsl-vm-2.crt
Generate dh.pem as follows.
$ sudo mkdir /etc/openvpn/server
$ sudo ./easyrsa gen-dh
Generate crl.pem as follows.
$ sudo ./easyrsa gen-crl
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/EasyRSA-3.0.8/keys
Note: using Easy-RSA configuration from: /etc/openvpn/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Using configuration from /etc/openvpn/EasyRSA-3.0.8/pki/easy-rsa-29588.k6uxeh/tmp.kNeXyJ
An updated CRL has been created.
CRL file: /etc/openvpn/EasyRSA-3.0.8/pki/crl.pem
Apply config
Write the key paths into /etc/openvpn/server.conf.
; key configs
ca /etc/openvpn/EasyRSA-3.0.8/pki/ca.crt
key /etc/openvpn/EasyRSA-3.0.8/pki/private/cdsl-vm-2.key
cert /etc/openvpn/EasyRSA-3.0.8/pki/issued/cdsl-vm-2.crt
dh /etc/openvpn/EasyRSA-3.0.8/pki/dh.pem
crl-verify /etc/openvpn/EasyRSA-3.0.8/pki/crl.pem
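Added example, not the page's own server.conf: a server-side fragment that combines the key paths above with the directives that clear the two warnings quoted in the Configure OpenVPN section. The VPN pool (192.168.200.0/24) is assumed from the MASQUERADE rule in the ufw section, and the group name nogroup is assumed for Ubuntu; `remote-cert-tls client` is an addition that makes the server accept only certificates signed as type "client" by sign-req.

```conf
# Added example: /etc/openvpn/server.conf fragment for cdsl-vm-2 (assumed values noted).
# Listener; the port matches the ufw rule and the lsof check on this page.
port 1194
proto udp
dev tun

# Fix for "--topology net30 support ... will be removed": use subnet topology.
# The pool is assumed from the MASQUERADE rule (192.168.200.0/24).
topology subnet
server 192.168.200.0 255.255.255.0

# Fix for "--cipher is not set": pin modern AEAD ciphers instead of
# re-enabling the BF-CBC fallback the warning mentions.
data-ciphers AES-256-GCM:AES-128-GCM

; key configs (as on this page)
ca /etc/openvpn/EasyRSA-3.0.8/pki/ca.crt
cert /etc/openvpn/EasyRSA-3.0.8/pki/issued/cdsl-vm-2.crt
key /etc/openvpn/EasyRSA-3.0.8/pki/private/cdsl-vm-2.key
dh /etc/openvpn/EasyRSA-3.0.8/pki/dh.pem
crl-verify /etc/openvpn/EasyRSA-3.0.8/pki/crl.pem

# Accept only peers whose certificate the CA signed as type "client"
# (easyrsa sign-req client), so a server cert cannot be reused as a client.
remote-cert-tls client

# Drop privileges after start-up; lsof shows the process running as nobody.
# "nogroup" is the assumed Ubuntu group name.
user nobody
group nogroup
persist-key
persist-tun
```

After editing, restart with `sudo systemctl restart openvpn@server` as above and confirm the two warnings no longer appear in the log.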
Restart the OpenVPN server.
sudo systemctl restart openvpn@server
Check the port binding.
$ sudo lsof -i:1194
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 20791 nobody 7u IPv4 125922 0t0 UDP *:openvpn
Create Client Key
Create an RSA private key and certificate request for the client.
$ sudo ./easyrsa gen-req a910-router nopass
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/EasyRSA-3.0.8/keys
Note: using Easy-RSA configuration from: /etc/openvpn/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
..................................................................................................+++++
.......................+++++
writing new private key to '/etc/openvpn/EasyRSA-3.0.8/pki/easy-rsa-31979.ElU93V/tmp.QD4LQq'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [a910-router]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/EasyRSA-3.0.8/pki/reqs/a910-router.req
key: /etc/openvpn/EasyRSA-3.0.8/pki/private/a910-router.key
Sign the request as the correct type. This example uses a client type:
koyama@cdsl-vm-2:/etc/openvpn/EasyRSA-3.0.8$ sudo ./easyrsa sign-req client a910-router
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/EasyRSA-3.0.8/keys
Note: using Easy-RSA configuration from: /etc/openvpn/EasyRSA-3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = a910-router
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/EasyRSA-3.0.8/pki/easy-rsa-32004.FwdJwf/tmp.77xgA9
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'a910-router'
Certificate is to be certified until Feb 20 22:28:44 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/EasyRSA-3.0.8/pki/issued/a910-router.crt
Set OS Parameters
Set the following kernel parameter in /etc/sysctl.conf.
net.ipv4.ip_forward=1
Then, apply it.
sudo sysctl -p
Change the ufw forward policy in /etc/default/ufw.
DEFAULT_FORWARD_POLICY="ACCEPT"
Check the current iptables NAT table.
$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Add NAT config to end of the file /etc/ufw/before.rules.
...
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through ens4 - Change to match your out-interface
-A POSTROUTING -s 192.168.200.0/24 -o ens4 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
Check current ufw status.
$ ufw status
Status: inactive
Add ufw rules.
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
sudo ufw allow http
sudo ufw allow https
Apply ufw settings.
sudo ufw disable
sudo ufw enable
Check the new ufw status. It is active and allows ssh and OpenVPN.
$ sudo ufw status
Status: active
To Action From
-- ------ ----
1194/udp ALLOW Anywhere
OpenSSH ALLOW Anywhere
1194/udp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
Check the new iptables NAT table. The POSTROUTING chain now has the MASQUERADE rule from 192.168.200.0/24 to 0.0.0.0/0.
$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1266 packets, 1839K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 34 packets, 2745 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 34 packets, 2745 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens4 192.168.200.0/24 0.0.0.0/0
Create Client Config router-a910.ovpn
Create a config file for the OpenVPN client as router-a910.ovpn.
Existing config files are stored in Google Drive
# Declare client mode
client
# VPN device type: routed (tun).
dev tun
# Transport protocol: UDP.
proto udp
# Specify the server's global IP address (the IP looked up in "1. Preparation").
remote 34.84.68.226 1194
# Keep retrying the connection.
resolv-retry infinite
# Do not bind to a local port; this is apparently the usual setting.
nobind
# Behaviour after disconnection
persist-key
persist-tun
# CA certificate
<ca>
-----BEGIN CERTIFICATE-----
...
</ca>
# Client certificate
<cert>
-----BEGIN CERTIFICATE-----
...
</cert>
# Client private key
<key>
-----BEGIN PRIVATE KEY-----
...
</key>
# Log level
verb 3
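Added example, not the page's router-a910.ovpn: the same client config with the checks that pair with the certificate types produced by sign-req on this page. `remote-cert-tls server` and `verify-x509-name` are additions; the cipher list is assumed to match whatever the server side pins.

```conf
# Added example: hardened router-a910.ovpn (inline certificate blocks omitted).
client
dev tun
proto udp
remote 34.84.68.226 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# Refuse to connect unless the server presents a certificate the CA signed as
# type "server" (easyrsa sign-req server cdsl-vm-2). Without this, any other
# client certificate issued by the same CA could pose as the server.
remote-cert-tls server

# Additionally pin the server's commonName from the signed request above.
verify-x509-name cdsl-vm-2 name

# Assumed to match the server-side data-ciphers so negotiation never
# falls back to BF-CBC.
data-ciphers AES-256-GCM:AES-128-GCM

# Inline <ca>, <cert> and <key> blocks go here exactly as on this page.
verb 3
```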