diff --git a/content/blog/openvpn-server-automation.md b/content/blog/openvpn-server-automation.md new file mode 100644 index 0000000..096bc54 --- /dev/null +++ b/content/blog/openvpn-server-automation.md @@ -0,0 +1,216 @@ +--- +title: "๐Ÿš€ Automating OpenVPN Server Setup with Ansible" +date: 2024-12-23T17:40:46+01:00 +description: "Part 2: Simplifying OpenVPN server setup using Ansible for automation enthusiasts. Follow this guide to deploy your VPN in minutes!" +draft: true +categories: ["tech", "infra", "security", "devops", "vpn"] +tags: ["Ansible", "Automation", "VPN", "EasyRSA", "Security", "Linux"] +cover: + image: "/images/openvpn-automation-hero.webp" +--- + +## โœจ Introduction + +Welcome to **Part 2** of the OpenVPN server series! ๐ŸŽ‰ If youโ€™ve gone through the [manual setup guide](https://thetooth.io/blog/openvpn-server-setup/), you know that setting up an OpenVPN server manually can be a bit tedious. ๐Ÿค” + +But what if you could automate the entire process? ๐Ÿ’ก This guide introduces an **Ansible playbook** that takes care of everythingโ€”from installing dependencies to configuring the OpenVPN server and generating client certificates. + +--- + +## ๐Ÿ›  Prerequisites + +Before diving in, ensure you have the following ready: + +1. ๐Ÿ–ฅ A **Ubuntu 20.04LTS 22.04LTS or 24.04LTS** server + (it should work for older versions or other Ubuntu flavor ๐Ÿคž). +2. ๐Ÿ”‘ SSH access to the server. +3. โš™๏ธ Ansible installed on your local machine. + +--- + +## ๐Ÿ”„ Why Automate? + +While the manual approach teaches you the nitty-gritty of OpenVPN, automation brings the following perks: + +- ๐Ÿ•’ **Time-saving**: Get up and running in minutes. +- ๐Ÿ“œ **Repeatability**: Easily redeploy or migrate your server. +- ๐Ÿ“ฆ **Manageability**: Scale with minimal effort. + +--- + +## ๐Ÿš€ Getting Started with the Ansible Playbook + +Hereโ€™s how you can automate the OpenVPN setup process: + +### 1๏ธโƒฃ Clone the Repository + +First, clone the repository containing the playbook: + +```bash +git clone https://github.com/itsankoff/ansible +cd ansible/ansible +``` + +### 2๏ธโƒฃ Prepare Your Inventory + +Update your inventory file (hosts) to specify the target server: + +```ini +# VPN hosts +[vpn] +# targer_server_IP | target_server_user | sudo_enabled | ssh_private_key_for_access + ansible_user= ansible_become=true ansible_ssh_private_key_file= +``` + +Replace ``, ``. Depending on your access to the server either +provide path to the SSH private key file in `ansible_ssh_private_key_file` or +delete it if you use SSH with password access (strongly discouraged) + +### 3๏ธโƒฃ Configure Variables + +Add the users you want to generate VPN configurations for in `group_vars/openvpn.yml`: + +```yaml +openvpn_users: + - name: "janedoe" + state: "active" + - name: "johndoe" + state: "revoked" +``` + +If the `state` is active, the user will have generated certificate and `.ovpn` configuration. +In case you want to stop access to the VPN for some users, use `state` revoked and rerun the VPN playbook. + + +### 4๏ธโƒฃ Run the Playbook + +Run the Ansible playbook to set up the OpenVPN server: + +```bash +# from ansible/ansible directory execute +./deploy.sh live openvpn +``` + +Grab a coffee โ˜• while Ansible takes care of everything. + + +## ๐Ÿงพ What the Playbook Does + +The playbook performs the following steps: +1. Install dependencies: Installs OpenVPN, EasyRSA, and other prerequisites. +2. Configure EasyRSA: Sets up the public key infrastructure (PKI). +3. Generate certificates: Builds the server and client certificates. +4. Set up networking: Configures IP forwarding and iptables rules. +5. Deploy server configuration: Creates the OpenVPN server configuration. +6. Start OpenVPN: Enables and starts the OpenVPN service. + + +## ๐ŸŽ‰ Generating Client Configurations + +**The ready OVPN configurations will bee stored in two places:** +1. On the target server in `/etc/openvpn/client-configs` dir. +2. On the local machine into `ansible/ansible/files/.ovpn` NOTE: ovpn files are gitignored for safety. + +## ๐Ÿ›  Customization and Details + +If you need slightly different setup of the server you can check all of the control variables in `ansible/ansible/group_vars/openvpn.yml` +but here a quick reference guide for the most important ones and their default values: + +| Variable | Description | Default Value | +| :-------- | :----------- | :-------------: | +| `openvpn_port` | Port for OpenVPN server | `1194` | +| `openvpn_proto` | Protocol (UDP/TCP) | `udp` | +| `openvpn_network` | Subnet for VPN clients | `10.8.0.0` | +| `openvpn_users` | List of users and their states (active) | `N/A` | +| `ca_common_name` | Common Name for the Certificate Authority | `OpenVPN Server` | +| `easyrsa_dir` | Directory for EasyRSA setup | `/etc/openvpn/easy-rsa` | + + +## ๐Ÿž Troubleshooting + +**Problem: No internet on the client** + +**1. Ensure `iptables` rules are correctly applied.** + +```bash +# Run on the VPN server +ip route +``` + +*Expected output should look like this:* +```text +default via dev eth0 +10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 +``` + +**2. Check that `sysctl` enables IP forwarding:** + +Run on the VPN server + +```bash +sudo sysctl net.ipv4.ip_forward +``` + +*Expected output should look like this:* + +```text +net.ipv4.ip_forward=1 +``` + +**3. Monitor Packet Flow** + +Client to VPN server traffic +```bash +sudo tcpdump -i tun0 +``` + +VPN server to public internet traffic +```bash +sudo tcpdump -i eth0 +``` + +Connect to the VPN server with the client configuration and run `ping google.com` on the client terminal or open Google in the browser. + +* If the `tcpdump` for `tun0` does not produce logs, then the problem is between client and the VPN service + * Inspect the client config for `proto` (`udp` or `tcp`. it **must match** the server configuration) + * Inspect the client config for `remote` (it **must match** server IP) + * Inspect the client config for `port` (it **must match** server IP. Make sure the port is open on the server `telnet `) +* If the `tcpdump` for `eth0` does not produce logs, then the problem is either in kernel ip forwarding configuration or within firewall rules (`iptables` or `ufw`) Inspect: + +```bash +iptables -t nat -L POSTROUTING -v +``` + +* The result should look like this: + +```text +MASQUERADE all -- 10.8.0.0/24 anywhere +``` + +* Add Explicit Forwarding Rules: + +```bash +sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT +sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT +``` + +* Reinforce NAT Rules for OpenVPN +Ensure the MASQUERADE rule for tun0 traffic is correct: + +```bash +sudo iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE +``` +> Note: Using -I ensures the rule is inserted at the top of the chain, taking precedence over +any other rules. + +If you are interested in more in-depth knowledge around networking and firewalls, check the following articles: +- [Networking 101](/networking-101) +- [Linux Network Tooling](/network-tooling) +- [Linux Firewalls](/linux-firewalls) +- [Linux Modern Firewalls](/linux-modern-firewalls) + +## ๐ŸŒŸ Conclusion + +With this automated setup, you can focus on what mattersโ€”using your VPN! ๐ŸŽ‰ +If you have any feedback or issues, feel free to reach out or open an issue on [GitHub](https://github.com/itsankoff/ansible). +Happy automating! ๐Ÿš€ diff --git a/static/images/openvpn-automation-hero.webp b/static/images/openvpn-automation-hero.webp new file mode 100644 index 0000000..5fd6b5e Binary files /dev/null and b/static/images/openvpn-automation-hero.webp differ