OpenVPN - Virtual Private Network

Installation

apt install openvpn

Configuration

Note

{{ exit }} is the VPN interface.

Create a script with the following content in /root/scripts, named check-openvpn.sh, to monitor the VPN tunnel.

Caution

Do not forget to make the script executable with chmod +x scripts/check-openvpn.sh.

#!/usr/bin/env bash
# Copyright 2016 - 2016 Tobias Benzin tbenzin@digital-nerv.net
#                       Rally Vincent rvincent@digital-nerv.net

# This file is managed by Salt, do not edit.

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SHELL=/bin/bash

# {{ exit }} is rendered by Salt to the name of the VPN interface.
# Restart OpenVPN if the tunnel interface does not exist at all.
if ! ifconfig | grep -q "^{{ exit }}"; then
	service openvpn restart
	exit
fi

# Send four probes through the tunnel and restart only on total packet loss.
# Matching the full phrase avoids a spurious restart when an RTT such as
# 100.x ms shows up in the statistics line.
testping=$(ping -q -I {{ exit }} -c 4 -i 1 -W 5 8.8.8.8 | grep -F '100% packet loss')

if [ -n "${testping}" ]; then
	service openvpn restart
	exit
fi

Create a cron job via crontab -e with the following content.

*/10 * * * * /root/scripts/check-openvpn.sh
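As an added example (not the page's own check script and not part of the Salt repository), the following watchdog decides on a restart from the parsed packet-loss percentage instead of from a bare "grep 100", and shows why the bare grep misfires. The interface name exitVPN and both ping transcripts are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not the page's own check script: decide on a restart from
# the parsed packet-loss figure rather than from "grep 100", which also
# matches an RTT of 100.x ms in the statistics line. Interface name exitVPN
# and both ping transcripts below are constructed sample values.

IFACE="${IFACE:-exitVPN}"

# Constructed "ping -q" output: tunnel healthy (0% loss) but RTT around 100 ms.
HEALTHY_PING='PING 8.8.8.8 (8.8.8.8) from 10.8.0.2 exitVPN: 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 100.211/100.540/101.002/0.318 ms'

# Constructed "ping -q" output: tunnel dead, every probe lost.
DEAD_PING='PING 8.8.8.8 (8.8.8.8) from 10.8.0.2 exitVPN: 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3078ms'

# Print the loss percentage from a ping summary; treat a missing summary
# (ping aborted, interface gone) as 100% loss.
packet_loss() {
    pct=$(printf '%s\n' "$1" | sed -n 's/.*, \([0-9]\{1,3\}\)% packet loss.*/\1/p')
    printf '%s\n' "${pct:-100}"
}

# The original test from the page: succeeds whenever "100" appears anywhere.
naive_needs_restart() {
    printf '%s\n' "$1" | grep -q 100
}

# Parsed test: succeed (restart) only when loss reaches the threshold (default 100%).
needs_restart() {
    [ "$(packet_loss "$1")" -ge "${2:-100}" ]
}

# Live mode, for use from cron: probe through the tunnel and restart on failure.
# Only runs when invoked with --live so the functions above stay testable offline.
if [ "${1:-}" = "--live" ]; then
    out=$(ping -q -I "$IFACE" -c 4 -i 1 -W 5 8.8.8.8 2>&1)
    if needs_restart "$out"; then
        service openvpn restart
    fi
fi
```

Run with --live from the cron job to use it as a replacement watchdog; without arguments it only defines the functions.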

Mullvad

Can one account be used on multiple computers?

Yes, up to three. Use the same customer id on all the computers.

Set the customer id under Settings in the client program.

Mullvad FAQ

Mullvad provides a packed archive mullvadconfig.zip; from this archive, place the files ca.crt, crl.pem, mullvad.crt and mullvad.key in the directory /etc/openvpn.

Note

{{ exit }} is the VPN interface.

Copy the file mullvad_linux.conf into the directory /etc/openvpn and adapt it as follows.

# This file is managed by Salt, do not edit.

# Notice to Mullvad customers:
#
# Apart from openvpn, you also need to install the
# package "resolvconf", available via apt, e.g.
#
# For those of you behind very restrictive firewalls,
# you can use our tunnels on tcp port 443, as well as
# on udp port 53.
client

dev exitVPN # {{ exit }} # Extra: exit = exitVPN; Original: dev tun
dev-type tun # Extra
proto udp
#proto udp
#proto tcp

remote de.mullvad.net 1300 # Original: openvpn.mullvad.net 1300
cipher AES-256-CBC

#remote openvpn.mullvad.net 443
#cipher BF-CBC

#remote openvpn.mullvad.net 53
#cipher BF-CBC

#remote se.mullvad.net 1300 # Servers in Sweden
#cipher AES-256-CBC

#remote nl.mullvad.net 1300 # Servers in the Netherlands
#cipher AES-256-CBC

#remote de.mullvad.net 1300 # Servers in Germany
#cipher AES-256-CBC

#remote us.mullvad.net 1300 # Servers in the USA
#cipher AES-256-CBC

#remote openvpn.mullvad.net 1194
#remote openvpn.mullvad.net 443
#remote openvpn.mullvad.net 53
#remote se.mullvad.net # Servers in Sweden
#remote nl.mullvad.net # Servers in the Netherlands
#remote de.mullvad.net # Servers in Germany
#remote us.mullvad.net # Servers in the USA

# Tunnel IPv6 traffic as well as IPv4
#tun-ipv6 # option tun-ipv6 is ignored because modern operating systems do not need ...

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Enable compression on the VPN link.
comp-lzo

# Set log file verbosity.
verb 3

remote-cert-tls server

ping-restart 60

# Allow calling of built-in executables and user-defined scripts.
script-security 2

# Don't set default route. Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.
route-noexec # Extra

# Parses DHCP options from openvpn to update resolv.conf
up /etc/openvpn/openvpn-updown # Original: up /etc/openvpn/update-resolv-conf
down /etc/openvpn/openvpn-updown # Original: down /etc/openvpn/update-resolv-conf

ping 10

ca /etc/openvpn/mullvad_ca.crt
#cert /etc/openvpn/mullvad.crt
#key /etc/openvpn/mullvad.key

#crl-verify /etc/openvpn/crl.pem

auth-user-pass /etc/openvpn/mullvad_userpass.txt
auth-nocache

# Limit range of possible TLS cipher-suites
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-SEED-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

log-append /var/log/openvpn.log

In the file /etc/default/openvpn, add or adjust an entry as follows.

AUTOSTART="mullvad_linux"

Salt State File

openvpn.sls

# OpenVPN - Virtual Private Network

{% set openvpn = salt['grains.filter_by']({
  'Debian': {'pkg': 'openvpn', 'srv': 'openvpn'}
}, default='Debian') %}

{% if pillar['exit']['type'] == 'openvpn' %}

{{ openvpn.pkg }}:
  pkg.installed:
    - name: {{ openvpn.pkg }}
  service.running:
    - name: {{ openvpn.srv }}
    - enable: True
    - require:
      - file: /etc/default/openvpn
      - file: /etc/openvpn/openvpn-updown
      {% if pillar['exit']['provider'] == 'pia_linux' %}
      - file: /etc/openvpn/pia_linux.conf
      - file: /etc/openvpn/pia_ca.crt
      - file: /etc/openvpn/pia_userpass.txt
      {% elif pillar['exit']['provider'] == 'mullvad_linux' %}
      - file: /etc/openvpn/mullvad_linux.conf
      - file: /etc/openvpn/mullvad_ca.crt
      - file: /etc/openvpn/mullvad_userpass.txt
      {% endif %}
      - pkg: {{ openvpn.pkg }}

{% set service = '%s@%s' % (openvpn.srv, pillar['exit']['provider']) %}

{{ service }}:
  service.running:
    - name: {{ service }}
    - enable: True

{% set pattern = '^(|#)AUTOSTART="(.*)"$' %}
{% set repl = 'AUTOSTART="%s"' % pillar['exit']['provider'] %}
/etc/default/openvpn:
  file.replace:
    - name: /etc/default/openvpn
    - pattern: {{ pattern }}
    - repl: {{ repl }}
    - append_if_not_found: True
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

/etc/openvpn/openvpn-updown:
  file.managed:
    - name: /etc/openvpn/openvpn-updown
    - source: salt://gateway/etc/openvpn/openvpn-updown
    - mode: 755
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

{% if pillar['exit']['provider'] == 'pia_linux' %}
/etc/openvpn/pia_ca.crt:
  file.managed:
    - name: /etc/openvpn/pia_ca.crt
    - source: salt://gateway/etc/openvpn/pia_ca.crt
    - mode: 600
    - user: root
    - group: root
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

/etc/openvpn/pia_userpass.txt:
  file.managed:
    - name: /etc/openvpn/pia_userpass.txt
    - contents_pillar: exit:pia_linux:pia_userpass.txt
    - mode: 600
    - user: root
    - group: root
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

/etc/openvpn/pia_linux.conf:
  file.managed:
    - name: /etc/openvpn/pia_linux.conf
    - source: salt://gateway/etc/openvpn/pia_linux.conf
    - template: jinja
    - defaults:
        exit: {{ pillar['network']['exit']['interface'] }}
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}
{% endif %}

{% if pillar['exit']['provider'] == 'mullvad_linux' %}
/etc/openvpn/mullvad_ca.crt:
  file.managed:
    - name: /etc/openvpn/mullvad_ca.crt
    - source: salt://gateway/etc/openvpn/mullvad_ca.crt
    - mode: 600
    - user: root
    - group: root
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

/etc/openvpn/mullvad_userpass.txt:
  file.managed:
    - name: /etc/openvpn/mullvad_userpass.txt
    - contents_pillar: exit:mullvad_linux:mullvad_userpass.txt
    - mode: 600
    - user: root
    - group: root
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

/etc/openvpn/mullvad_linux.conf:
  file.managed:
    - name: /etc/openvpn/mullvad_linux.conf
    - source: salt://gateway/etc/openvpn/mullvad_linux.conf
    - template: jinja
    - defaults:
        exit: {{ pillar['network']['exit']['interface'] }}
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}
{% endif %}

/root/scripts/check-openvpn.sh:
  file.managed:
    - name: /root/scripts/check-openvpn.sh
    - source: salt://gateway/root/scripts/check-openvpn.sh
    - user: root
    - group: root
    - mode: 755
    - makedirs: True
    - template: jinja
    - defaults:
        exit: {{ pillar['network']['exit']['interface'] }}
    - require:
      - pkg: {{ openvpn.pkg }}
    - watch_in:
      - service: {{ service }}

# Show Cron: crontab -l
openvpn-cron:
  cron.present:
    - name: /root/scripts/check-openvpn.sh
    - identifier: check-openvpn
    - user: root
    - minute: '*/10'
    - comment: 'Check OpenVPN Connection every 10 Minutes'
    - require:
      - file: /root/scripts/check-openvpn.sh

{% else %}

{{ openvpn.pkg }}:
  pkg.removed:
    - name: {{ openvpn.pkg }}

/etc/openvpn:
  file.absent:
    - name: /etc/openvpn

/root/scripts/check-openvpn.sh:
  file.absent:
    - name: /root/scripts/check-openvpn.sh

openvpn-cron:
  cron.absent:
    - name: /root/scripts/check-openvpn.sh
    - identifier: check-openvpn

{% endif %}