Merge lp:~powersj/serverguide/update-vpn-bionic into lp:serverguide/trunk

Proposed by Joshua Powers
Status: Merged
Approved by: Doug Smythies
Approved revision: 360
Merged at revision: 363
Proposed branch: lp:~powersj/serverguide/update-vpn-bionic
Merge into: lp:serverguide/trunk
Diff against target: 241 lines (+61/-89)
1 file modified
serverguide/C/vpn.xml (+61/-89)
To merge this branch: bzr merge lp:~powersj/serverguide/update-vpn-bionic
Reviewer Review Type Date Requested Status
Doug Smythies Approve
Steve Langasek Approve
Review via email: mp+353261@code.launchpad.net

Commit message

vpn: update advanced config with netplan

With the release of Ubuntu Bionic LTS, ifupdown was replaced with
netplan and as such any /etc/network/interfaces configuration needs
to take place via netplan. This updates the example to use netplan
and a networkd-dispatcher hook.

drive-by: white space found by editor

Fixes LP: #1772514

Revision history for this message
Steve Langasek (vorlon) wrote :

A few things found for fixing.

Have you tested that following these instructions gives a working setup?

review: Needs Fixing
Joshua Powers (powersj) wrote :

> Have you tested that following these instructions gives a working setup?

No, I took what was in your askubuntu question and added it to the guide. I was told to wait with this review until the previous networkd-dispatcher bug which appeared resolved: https://bugs.launchpad.net/ubuntu/+source/networkd-dispatcher/+bug/1772137

Steve Langasek (vorlon) wrote :

On Thu, Aug 16, 2018 at 11:15:45PM -0000, Joshua Powers wrote:
> No, I took what was in your askubuntu question and added it to the guide.
> I was told to wait with this review until the previous networkd-dispatcher
> bug which appeared resolved:
> https://bugs.launchpad.net/ubuntu/+source/networkd-dispatcher/+bug/1772137

Ok, the fact that I wrote anything at all about dormant.d in that askubuntu
answer had flown my mind ;) I would say it still warrants an end-to-end test
of what's currently written there to make sure nothing has been missed.

Joshua Powers (powersj) :
360. By Joshua Powers

typo fixes from stevew

Joshua Powers (powersj) wrote :

Steve can you take another look?

If you didn't see my previous comment, I set up a system with a bridge and configured networkd-dispatcher as above and confirmed the nic entered promiscuous mode: https://paste.ubuntu.com/p/BR4cMRYBr7/

Steve Langasek (vorlon) wrote :

Looks good now. Thanks!

review: Approve
Doug Smythies (dsmythies) wrote :

Thanks very much. It'll be a few days until the published serverguide is updated.

review: Approve

Preview Diff

1=== modified file 'serverguide/C/vpn.xml'
2--- serverguide/C/vpn.xml 2017-10-29 16:47:30 +0000
3+++ serverguide/C/vpn.xml 2018-08-17 17:24:40 +0000
4@@ -1,5 +1,5 @@
5 <?xml version="1.0" encoding="UTF-8"?>
6-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
7+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
8 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
9 <!ENTITY % globalent SYSTEM "../../libs/global.ent">
10 %globalent;
11@@ -11,7 +11,7 @@
12 <title>VPN</title>
13
14 <para>
15-OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs). This chapter will cover
16+OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs). This chapter will cover
17 installing and configuring <application>OpenVPN</application> to create a VPN.
18 </para>
19
20@@ -22,7 +22,7 @@
21 If you want more than just pre-shared keys <application>OpenVPN</application> makes it easy to setup and use a Public Key Infrastructure (PKI)
22 to use SSL/TLS certificates for authentication and key exchange
23 between the VPN server and clients.
24- <application>OpenVPN</application> can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers.
25+ <application>OpenVPN</application> can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers.
26 </para>
27
28 <sect2 id="openvpn-server-installation" status="review">
29@@ -65,8 +65,8 @@
30
31 <para>
32 To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
33- first copy the <filename>easy-rsa</filename> directory to <filename>/etc/openvpn</filename>. This will ensure that any
34- changes to the scripts will not be lost when the package is updated.
35+ first copy the <filename>easy-rsa</filename> directory to <filename>/etc/openvpn</filename>. This will ensure that any
36+ changes to the scripts will not be lost when the package is updated.
37 From a terminal change to user root and:
38 </para>
39
40@@ -141,7 +141,7 @@
41 <title>Client Certificates</title>
42
43 <para>
44- The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the
45+ The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the
46 certificate, enter the following in a terminal while being user root:
47 </para>
48
49@@ -381,7 +381,7 @@
50
51 <programlisting>
52 root@client:/etc/openvpn# ifconfig tun0
53-tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
54+tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
55 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
56 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
57 </programlisting>
58@@ -585,100 +585,72 @@
59 <sect4 id="openvpn-bridged-server-configuration-interface" status="review">
60 <title>Prepare interface config for bridging on server</title>
61
62- <para>
63- Make sure you have the bridge-utils package installed:
64- </para>
65-<screen>
66-<command>sudo apt install bridge-utils</command>
67-</screen>
68-
69- <para>
70-Before you setup OpenVPN in bridged mode you need to change your interface configuration. Let's assume your server has an interface eth0 connected to the internet and an interface eth1 connected to the LAN you want to bridge. Your /etc/network/interfaces would like this:
71- </para>
72-
73-<programlisting>
74-auto eth0
75-iface eth0 inet static
76- address 1.2.3.4
77- netmask 255.255.255.248
78- default 1.2.3.1
79-
80-auto eth1
81-iface eth1 inet static
82- address 10.0.0.4
83- netmask 255.255.255.0
84-</programlisting>
85-
86- <para>
87-This straight forward interface config needs to be changed into a bridged mode like where the config of interface eth1 moves to the new br0 interface. Plus we configure that br0 should bridge interface eth1. We also need to make sure that interface eth1 is always in promiscuous mode - this tells the interface to forward all ethernet frames to the IP stack.
88- </para>
89-
90-<programlisting>
91-auto eth0
92-iface eth0 inet static
93- address 1.2.3.4
94- netmask 255.255.255.248
95- default 1.2.3.1
96-
97-auto eth1
98-iface eth1 inet manual
99- up ip link set $IFACE up promisc on
100-
101-auto br0
102-iface br0 inet static
103- address 10.0.0.4
104- netmask 255.255.255.0
105- bridge_ports eth1
106-</programlisting>
107-
108- <para>
109-At this point you need to bring up the bridge. Be prepared that this might not work as expected and that you will lose remote connectivity. Make sure you can solve problems having local access.
110- </para>
111-<screen>
112-<command>sudo ifdown eth1 &amp;&amp; sudo ifup -a</command>
113-</screen>
114+<para>First, use netplan to configure a bridge device using the desired ethernet
115+device.</para>
116+
117+<programlisting>
118+$ cat /etc/netplan/01-netcfg.yaml
119+# This file describes the network interfaces available on your system
120+# For more information, see netplan(5).
121+
122+network:
123+ version: 2
124+ renderer: networkd
125+ ethernets:
126+ enp0s31f6:
127+ dhcp4: no
128+ bridges:
129+ br0:
130+ interfaces: [enp0s31f6]
131+ dhcp4: no
132+ addresses: [10.0.1.100/24]
133+ gateway4: 10.0.1.1
134+ nameservers:
135+ addresses: [10.0.1.1]
136+</programlisting>
137+
138+<para>Static IP addressing is highly suggested. DHCP addressing can also work,
139+but you will still have to encode a static address in the OpenVPN configuration file.</para>
140+
141+<para>The next step on the server is to configure the ethernet device for
142+promiscuous mode on boot. To do this, ensure the
143+<application>networkd-dispatcher</application> package is installed and create
144+the following configuration script.</para>
145+
146+<screen>
147+<command>sudo apt update</command>
148+<command>sudo apt install networkd-dispatcher</command>
149+<command>sudo touch /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge</command>
150+<command>sudo chmod +x /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge</command>
151+</screen>
152+
153+<para>Then add the following contents.</para>
154+
155+<programlisting>
156+#!/bin/sh
157+set -e
158+if [ "$IFACE" = br0 ]; then
159+ # no networkd-dispatcher event for 'carrier' on the physical interface
160+ ip link set eth0 up promisc on
161+fi
162+</programlisting>
163
164 </sect4>
165 <sect4 id="openvpn-bridged-server-configuration-server" status="review">
166 <title>Prepare server config for bridging</title>
167
168 <para>
169- Edit <filename>/etc/openvpn/server.conf</filename> changing the following options to:
170+ Edit <filename>/etc/openvpn/server.conf</filename> to use tap rather than tun and set the server to use the server-bridge directive:
171 </para>
172
173 <programlisting>
174 ;dev tun
175 dev tap
176-up "/etc/openvpn/up.sh br0 eth1"
177 ;server 10.8.0.0 255.255.255.0
178 server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254
179 </programlisting>
180
181 <para>
182- Next, create a helper script to add the <emphasis>tap</emphasis> interface to the bridge and to ensure that eth1 is promiscuous mode. Create <filename>/etc/openvpn/up.sh</filename>:
183- </para>
184-
185-<programlisting>
186-#!/bin/sh
187-
188-BR=$1
189-ETHDEV=$2
190-TAPDEV=$3
191-
192-/sbin/ip link set "$TAPDEV" up
193-/sbin/ip link set "$ETHDEV" promisc on
194-/sbin/brctl addif $BR $TAPDEV
195-</programlisting>
196-
197- <para>
198- Then make it executable:
199- </para>
200-
201-<screen>
202-<command>sudo chmod 755 /etc/openvpn/up.sh</command>
203-</screen>
204-
205- <para>
206 After configuring the server, restart <application>openvpn</application> by entering:
207 </para>
208
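Review bot: the dispatcher script added in this hunk brings up `eth0` (`ip link set eth0 up promisc on`), but the netplan example a few lines above names the bridged ethernet device `enp0s31f6`, so a reader who copies both verbatim gets the wrong device (or, with `set -e`, an aborted script and no device) in promiscuous mode; the script should reference the same device that appears in the netplan `interfaces:` list, or the text should tell the reader to substitute their own interface name in both places. Two follow-on points in the same hunk: the unchanged context line `server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254` still describes the old 10.0.0.0/24 network while the new netplan example assigns 10.0.1.100/24 to br0, so the two examples no longer agree and the server-bridge line should be updated to match; and with the `up` directive and the whole /etc/openvpn/up.sh script removed, nothing in the new text adds the tap device to br0 (the removed script did this with `/sbin/brctl addif $BR $TAPDEV`), so the section should either state how the tap interface joins the bridge or explain why that step is no longer needed.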
209@@ -699,7 +671,7 @@
210 </screen>
211
212 <para>
213- Then with the server configured and the client certificates copied to the <filename>/etc/openvpn/</filename> directory, create a client configuration file by
214+ Then with the server configured and the client certificates copied to the <filename>/etc/openvpn/</filename> directory, create a client configuration file by
215 copying the example. In a terminal on the client machine enter:
216 </para>
217
218@@ -743,7 +715,7 @@
219
220 <para>
221 Many Linux distributions including Ubuntu desktop variants come with Network Manager,
222-a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well:
223+a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well:
224 </para>
225
226 <programlisting>
227@@ -927,12 +899,12 @@
228 </listitem>
229 <listitem>
230 <para>
231- <ulink url="http://openvpn.net/index.php/open-source/documentation/howto.html#security">OpenVPN hardening security guide</ulink>
232+ <ulink url="http://openvpn.net/index.php/open-source/documentation/howto.html#security">OpenVPN hardening security guide</ulink>
233 </para>
234 </listitem>
235 <listitem>
236 <para>
237- Also, Pakt's <ulink url="http://www.packtpub.com/openvpn/book">OpenVPN: Building and Integrating Virtual Private Networks</ulink>
238+ Also, Pakt's <ulink url="http://www.packtpub.com/openvpn/book">OpenVPN: Building and Integrating Virtual Private Networks</ulink>
239 is a good resource.
240 </para>
241 </listitem>
