Ajenti + OpenVPN server

I don’t have time to explain every step; copy/paste and modify as you please. This will get your Ajenti box up and running as an OpenVPN server.

Prerequisite: Ajenti with OpenVPN plugin installed.

OpenVPN plugin configured as follows:
Management address – 127.0.0.1:40000
Password – Whatever you choose below (it goes into /etc/openvpn/auth.txt).


OpenVPN and easy-rsa installation:

apt-get install easy-rsa openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
cd /etc/openvpn/

Do the following corrections:
vi server.conf

+ management 127.0.0.1 40000 /etc/openvpn/auth.txt

- ;push "redirect-gateway def1 bypass-dhcp"
+ push "redirect-gateway def1 bypass-dhcp"

- ;push "dhcp-option DNS 208.67.222.222"
- ;push "dhcp-option DNS 208.67.220.220"
+ push "dhcp-option DNS 89.233.43.71"
+ push "dhcp-option DNS 91.239.100.100"

- dh dh1024.pem
+ dh dh2048.pem

- ;user nobody
- ;group nogroup
+ user nobody
+ group nogroup

— EXIT —

Put the management password (the same one you entered in the Ajenti plugin) as the only line of:
vi /etc/openvpn/auth.txt
— EXIT —
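A quick sanity check for the server.conf edits above, added here as an example and not part of the original post. It verifies that the management interface is bound to loopback and password-protected, that dh1024.pem is gone, and that the privilege drop is active; the demo at the bottom runs it on a constructed copy of the unedited sample config, and the file paths are the ones assumed on this page.

```shell
#!/bin/sh
# Sanity check for the server.conf edits in this post (added example, not from
# the original post). Lists each hardening directive that is missing or still
# commented out and returns the number of problems found.

check_server_conf() {
    conf="$1"
    errors=0
    # Drop ';' and '#' comment lines so a commented-out directive does not count.
    active=$(grep -Ev '^[[:space:]]*[;#]' "$conf")

    # Management interface: present, bound to loopback only, protected by a password file.
    mgmt=$(printf '%s\n' "$active" | grep -E '^management[[:space:]]' | head -n1)
    if [ -z "$mgmt" ]; then
        echo "FAIL: no 'management' line, Ajenti cannot attach"; errors=$((errors + 1))
    else
        set -- $mgmt   # $2 = bind address, $3 = port, $4 = password file
        [ "$2" = "127.0.0.1" ] || { echo "FAIL: management bound to $2, not 127.0.0.1"; errors=$((errors + 1)); }
        [ -n "$4" ] || { echo "FAIL: management has no password file"; errors=$((errors + 1)); }
    fi

    # Diffie-Hellman parameters: the sample config's dh1024.pem must be replaced.
    printf '%s\n' "$active" | grep -Eq '^dh[[:space:]]' || { echo "FAIL: no 'dh' line"; errors=$((errors + 1)); }
    printf '%s\n' "$active" | grep -Eq '^dh[[:space:]]+dh1024\.pem' && { echo "FAIL: dh1024.pem still in use"; errors=$((errors + 1)); }

    # Privilege drop after start-up.
    printf '%s\n' "$active" | grep -Eq '^user[[:space:]]+nobody'   || { echo "FAIL: 'user nobody' not active"; errors=$((errors + 1)); }
    printf '%s\n' "$active" | grep -Eq '^group[[:space:]]+nogroup' || { echo "FAIL: 'group nogroup' not active"; errors=$((errors + 1)); }

    return "$errors"
}

# Demo on a constructed copy of the UNEDITED sample config (expect 4 problems),
# or on the file named as the first argument, e.g. /etc/openvpn/server.conf.
if [ -n "${1:-}" ]; then
    check_server_conf "$1" || exit $?
else
    sample=$(mktemp)
    printf '%s\n' 'port 1194' ';management 127.0.0.1 40000' 'dh dh1024.pem' ';user nobody' ';group nogroup' > "$sample"
    check_server_conf "$sample" || echo "problems found: $?"
    rm -f "$sample"
fi
```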


Enable packet (IP) forwarding, now and across reboots:

echo 1 > /proc/sys/net/ipv4/ip_forward

vi /etc/sysctl.conf
- #net.ipv4.ip_forward=1
+ net.ipv4.ip_forward=1

— EXIT —


Generate the server CA and the server certificate:

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
vi /etc/openvpn/easy-rsa/vars
Correct these lines to reflect your location and organization:
export KEY_COUNTRY="XX"
export KEY_PROVINCE="XXXXXX"
export KEY_CITY="XXXXXX"
export KEY_ORG="XXXXXXX"
export KEY_EMAIL="XXX@XXXXXX.net"
export KEY_OU="XXXXXXX"
export KEY_NAME="YourServerName"
## This needs to match your openvpn/server.conf (server.crt/server.key)
— EXIT —

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server YourServerName (This is the server name you chose in KEY_NAME above. Leave challenge password/company blank, just hit enter. Choose Y to sign and commit.)
cp /etc/openvpn/easy-rsa/keys/{YourServerName.crt,YourServerName.key,ca.crt} /etc/openvpn

service openvpn restart


Generate your first client:
cd /etc/openvpn/easy-rsa
./build-key user1 (answer the prompts exactly as above when building the server certificate)
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/user.ovpn
vi /etc/openvpn/easy-rsa/user.ovpn (edit to reflect your server configuration)
cp /etc/openvpn/easy-rsa/user.ovpn /etc/openvpn/easy-rsa/keys/user1.ovpn
Copy the following files to your client:
/etc/openvpn/easy-rsa/keys/user1.crt
/etc/openvpn/easy-rsa/keys/user1.key
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/user1.ovpn
— Enjoy —


If you are running ufw as I am, you need to allow traffic to be passed.

ufw allow 1194/udp

vi /etc/default/ufw
- DEFAULT_FORWARD_POLICY="DROP"
+ DEFAULT_FORWARD_POLICY="ACCEPT"

— EXIT —

vi /etc/ufw/before.rules
Add this above the existing *filter section (outside any other table block):
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out via eth0 (use your real uplink interface)
# 10.8.0.0/24 is the 'server' subnet in the sample server.conf; adjust if you changed it
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 127.0.0.1 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

— EXIT —

ufw reload