Launch an Amazon Linux 2 instance with the following user data. The Security Group will need to allow:
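#!/bin/bash
# EC2 user data: install OpenVPN Access Server on Amazon Linux 2 and replace its
# self-signed web certificate with a Let's Encrypt one obtained by certbot.
#
# Runs as root at first boot (no sudo needed); the guard below makes that
# explicit if the script is ever pasted into a shell session instead.
# certbot --standalone answers the HTTP-01 challenge itself, so inbound TCP/80
# must be reachable while this runs.
set -euo pipefail

(( EUID == 0 )) || { printf 'must run as root\n' >&2; exit 1; }

# Replace both placeholders before use.
readonly DOMAIN="VPN.DOMAIN.TLD"
readonly EMAIL="hostmaster@DOMAIN.TLD"

readonly WEB_SSL="/usr/local/openvpn_as/etc/web-ssl"
readonly LE_LIVE="/etc/letsencrypt/live/${DOMAIN}"
readonly SACLI="/usr/local/openvpn_as/scripts/sacli"

# Package install. With set -e a failed step aborts here instead of continuing
# on to delete the self-signed certificate the service is still using.
yum -y install ncurses-compat-libs
yum -y install https://as-repository.openvpn.net/as-repo-centos7.rpm
yum -y install openvpn-as
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install certbot

# Non-interactive issuance; -n/--agree-tos/--email are what make it unattended.
certbot certonly -n -d "$DOMAIN" --email "$EMAIL" --no-eff-email --agree-tos --standalone

# Point the web-ssl files at certbot's live directory so renewals are picked
# up without copying. ln -sfn replaces the self-signed files in place
# (the original rm + ln pair); keep the names server.key/server.crt/ca.crt,
# which is what the service reads.
systemctl stop openvpnas
ln -sfn "${LE_LIVE}/privkey.pem" "${WEB_SSL}/server.key"
ln -sfn "${LE_LIVE}/cert.pem"    "${WEB_SSL}/server.crt"
ln -sfn "${LE_LIVE}/chain.pem"   "${WEB_SSL}/ca.crt"
systemctl start openvpnas

# Load the active web certificate into the AS config database and restart.
"$SACLI" --import GetActiveWebCerts
"$SACLI" start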
After the install, SSH to the instance and set a password for the openvpn user.
# Set the password for the local 'openvpn' account (the step described above).
sudo passwd openvpn
Create the script /home/ec2-user/cert_loader.sh:
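#!/bin/bash
# cert_loader.sh — certbot --post-hook: load the renewed Let's Encrypt
# key/cert/chain into the OpenVPN Access Server config database and restart it.
#
# This runs as root (certbot renew from root's crontab). Keep the file owned by
# root and not writable by other users; whoever can edit it gets its contents
# executed as root on the next renewal.
set -euo pipefail

readonly WEB_SSL="/usr/local/openvpn_as/etc/web-ssl"
readonly SACLI="/usr/local/openvpn_as/scripts/sacli"

# Read the files the install step actually creates under web-ssl
# (server.key/server.crt/ca.crt, linked or copied from certbot's live dir).
# The previous paths web-ssl/privkey.pem, cert.pem and chain.pem are not
# produced by any step on this page, so the hook would fail with "no such file".
"$SACLI" --key "cs.priv_key" --value_file "${WEB_SSL}/server.key" ConfigPut
"$SACLI" --key "cs.cert"     --value_file "${WEB_SSL}/server.crt" ConfigPut
"$SACLI" --key "cs.ca_bundle" --value_file "${WEB_SSL}/ca.crt"    ConfigPut
"$SACLI" start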
Edit the root user's crontab to call the renewal with the cert loader as a post-hook.
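# Weekly (Tuesday 01:01) renewal; certbot only reissues when the certificate is
# close to expiry, and the post-hook reloads it into OpenVPN AS.
# Append to the log and capture stderr: the original ">" truncated the log on
# every run and dropped the error output, so a failed renewal left no trace.
# The post-hook lives under /home/ec2-user but executes as root — it must be
# root-owned and not writable by ec2-user.
1 1 * * 2 certbot renew --standalone --preferred-challenges http --pre-hook '' --post-hook '/home/ec2-user/cert_loader.sh' >> /var/log/cert_loader.log 2>&1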
Back up the default self-signed certificates:
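# Back up the default self-signed web certificate and key before replacing them.
# The backup contains a private key: create the directory non-world-readable and
# preserve the source files' modes (-p) rather than inheriting the umask.
mkdir -m 700 old-ss-cert
sudo cp -p -- /usr/local/openvpn_as/etc/web-ssl/* ./old-ss-cert/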
Install the LetsEncrypt SSL certificate:
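# Install a Let's Encrypt certificate into OpenVPN AS on a Debian/Ubuntu host
# (apt-get); note the Amazon Linux 2 user data above uses yum and symlinks.
# Replace CERTNAME with the certificate lineage name certbot created.
set -euo pipefail

readonly CERTNAME="CERTNAME"
readonly LE_LIVE="/etc/letsencrypt/live/${CERTNAME}"
readonly WEB_SSL="/usr/local/openvpn_as/etc/web-ssl"

sudo systemctl stop openvpnas
# Restart the service on every exit path so a failed install/issuance/copy does
# not leave the VPN down (a second start on a running service is a no-op).
trap 'sudo systemctl start openvpnas' EXIT

sudo apt-get install letsencrypt
# Interactive unless -n/-d are supplied (as the user data above does).
sudo letsencrypt certonly

sudo cp -- "${LE_LIVE}/cert.pem"    "${WEB_SSL}/server.crt"
sudo cp -- "${LE_LIVE}/privkey.pem" "${WEB_SSL}/server.key"
sudo cp -- "${LE_LIVE}/chain.pem"   "${WEB_SSL}/ca.crt"

sudo systemctl start openvpnas
sudo systemctl status openvpnas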
Renew the LetsEncrypt SSL certificate:
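# Manually renew the Let's Encrypt certificate and copy it into OpenVPN AS.
# Replace CERTNAME with the certificate lineage name; the paths must match the
# install step above.
set -euo pipefail

readonly CERTNAME="CERTNAME"
readonly LE_LIVE="/etc/letsencrypt/live/${CERTNAME}"
readonly WEB_SSL="/usr/local/openvpn_as/etc/web-ssl"

sudo systemctl stop openvpnas
# Restart on every exit path so a failed renew or copy does not leave the VPN
# down (a second start on a running service is a no-op).
trap 'sudo systemctl start openvpnas' EXIT

sudo letsencrypt renew

sudo cp -- "${LE_LIVE}/cert.pem"    "${WEB_SSL}/server.crt"
sudo cp -- "${LE_LIVE}/privkey.pem" "${WEB_SSL}/server.key"
sudo cp -- "${LE_LIVE}/chain.pem"   "${WEB_SSL}/ca.crt"

sudo systemctl start openvpnas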