Merge lp:~powersj/serverguide/update-vpn-bionic into lp:serverguide/trunk

Proposed by Joshua Powers
Status: Merged
Approved by: Doug Smythies
Approved revision: 360
Merged at revision: 363
Proposed branch: lp:~powersj/serverguide/update-vpn-bionic
Merge into: lp:serverguide/trunk
Diff against target: 241 lines (+61/-89)
1 file modified
serverguide/C/vpn.xml (+61/-89)
To merge this branch: bzr merge lp:~powersj/serverguide/update-vpn-bionic
Reviewers: Doug Smythies (Approve); Steve Langasek (Approve)
Review via email: mp+353261@code.launchpad.net

Commit message

vpn: update advanced config with netplan

With the release of Ubuntu Bionic LTS, ifupdown was replaced with
netplan and as such any /etc/network/interfaces configuration needs
to take place via netplan. This updates the example to use netplan
and a networkd-dispatcher hook.

drive-by: whitespace found by editor

Fixes LP: #1772514

Revision history for this message
Steve Langasek (vorlon) wrote :

A few things found for fixing.

Have you tested that following these instructions gives a working setup?

review: Needs Fixing
Joshua Powers (powersj) wrote :

> Have you tested that following these instructions gives a working setup?

No, I took what was in your askubuntu question and added it to the guide. I was told to wait on this review until the previous networkd-dispatcher bug was resolved, which it now appears to be: https://bugs.launchpad.net/ubuntu/+source/networkd-dispatcher/+bug/1772137

Steve Langasek (vorlon) wrote :

On Thu, Aug 16, 2018 at 11:15:45PM -0000, Joshua Powers wrote:
> No, I took what was in your askubuntu question and added it to the guide.
> I was told to wait with this review until the previous networkd-dispatcher
> bug which appeared resolved:
> https://bugs.launchpad.net/ubuntu/+source/networkd-dispatcher/+bug/1772137

Ok, the fact that I wrote anything at all about dormant.d in that askubuntu
answer had slipped my mind ;) I would say it still warrants an end-to-end test
of what's currently written there to make sure nothing has been missed.

Joshua Powers (powersj) :
360. By Joshua Powers on 2018-08-17

typo fixes from stevew

Joshua Powers (powersj) wrote :

Steve can you take another look?

If you didn't see my previous comment, I set up a system with a bridge and configured networkd-dispatcher as above and confirmed the NIC entered promiscuous mode: https://paste.ubuntu.com/p/BR4cMRYBr7/

Steve Langasek (vorlon) wrote :

Looks good now. Thanks!

review: Approve
Doug Smythies (dsmythies) wrote :

Thanks very much. It'll be a few days until the published serverguide is updated.

review: Approve

Preview Diff

=== modified file 'serverguide/C/vpn.xml'
--- serverguide/C/vpn.xml 2017-10-29 16:47:30 +0000
+++ serverguide/C/vpn.xml 2018-08-17 17:24:40 +0000
@@ -1,5 +1,5 @@
1<?xml version="1.0" encoding="UTF-8"?>1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
4<!ENTITY % globalent SYSTEM "../../libs/global.ent">4<!ENTITY % globalent SYSTEM "../../libs/global.ent">
5%globalent;5%globalent;
@@ -11,7 +11,7 @@
11 <title>VPN</title>11 <title>VPN</title>
1212
13 <para>13 <para>
14OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs). This chapter will cover 14OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs). This chapter will cover
15installing and configuring <application>OpenVPN</application> to create a VPN.15installing and configuring <application>OpenVPN</application> to create a VPN.
16 </para>16 </para>
1717
@@ -22,7 +22,7 @@
22 If you want more than just pre-shared keys <application>OpenVPN</application> makes it easy to setup and use a Public Key Infrastructure (PKI)22 If you want more than just pre-shared keys <application>OpenVPN</application> makes it easy to setup and use a Public Key Infrastructure (PKI)
23 to use SSL/TLS certificates for authentication and key exchange23 to use SSL/TLS certificates for authentication and key exchange
24 between the VPN server and clients.24 between the VPN server and clients.
25 <application>OpenVPN</application> can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers. 25 <application>OpenVPN</application> can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers.
26 </para>26 </para>
2727
28 <sect2 id="openvpn-server-installation" status="review">28 <sect2 id="openvpn-server-installation" status="review">
@@ -65,8 +65,8 @@
6565
66 <para>66 <para>
67To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients67To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
68 first copy the <filename>easy-rsa</filename> directory to <filename>/etc/openvpn</filename>. This will ensure that any 68 first copy the <filename>easy-rsa</filename> directory to <filename>/etc/openvpn</filename>. This will ensure that any
69 changes to the scripts will not be lost when the package is updated. 69 changes to the scripts will not be lost when the package is updated.
70 From a terminal change to user root and:70 From a terminal change to user root and:
71 </para>71 </para>
7272
@@ -141,7 +141,7 @@
141 <title>Client Certificates</title>141 <title>Client Certificates</title>
142142
143 <para>143 <para>
144 The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the 144 The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the
145 certificate, enter the following in a terminal while being user root:145 certificate, enter the following in a terminal while being user root:
146 </para>146 </para>
147147
@@ -381,7 +381,7 @@
381381
382<programlisting>382<programlisting>
383root@client:/etc/openvpn# ifconfig tun0383root@client:/etc/openvpn# ifconfig tun0
384tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 384tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
385 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255385 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
386 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1386 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
387</programlisting>387</programlisting>
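Review bot: since this branch retargets the chapter at Bionic, the `ifconfig tun0` sample (lines 383-387 of this whitespace-only hunk) will fail on a default Bionic server install, where net-tools is no longer installed by default; `ip addr show tun0` is the iproute2 equivalent and would be worth swapping in while the file is being touched, with the sample output updated to match.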
@@ -585,100 +585,72 @@
585 <sect4 id="openvpn-bridged-server-configuration-interface" status="review">585 <sect4 id="openvpn-bridged-server-configuration-interface" status="review">
586<title>Prepare interface config for bridging on server</title>586<title>Prepare interface config for bridging on server</title>
587587
588 <para>588<para>First, use netplan to configure a bridge device using the desired ethernet
589 Make sure you have the bridge-utils package installed:589device.</para>
590 </para>590
591<screen>591<programlisting>
592<command>sudo apt install bridge-utils</command>592$ cat /etc/netplan/01-netcfg.yaml
593</screen>593# This file describes the network interfaces available on your system
594594# For more information, see netplan(5).
595 <para>595
596Before you setup OpenVPN in bridged mode you need to change your interface configuration. Let's assume your server has an interface eth0 connected to the internet and an interface eth1 connected to the LAN you want to bridge. Your /etc/network/interfaces would like this:596network:
597 </para>597 version: 2
598598 renderer: networkd
599<programlisting>599 ethernets:
600auto eth0600 enp0s31f6:
601iface eth0 inet static601 dhcp4: no
602 address 1.2.3.4602 bridges:
603 netmask 255.255.255.248603 br0:
604 default 1.2.3.1604 interfaces: [enp0s31f6]
605605 dhcp4: no
606auto eth1606 addresses: [10.0.1.100/24]
607iface eth1 inet static607 gateway4: 10.0.1.1
608 address 10.0.0.4608 nameservers:
609 netmask 255.255.255.0609 addresses: [10.0.1.1]
610</programlisting>610</programlisting>
611611
612 <para>612<para>Static IP addressing is highly suggested. DHCP addressing can also work,
613This straight forward interface config needs to be changed into a bridged mode like where the config of interface eth1 moves to the new br0 interface. Plus we configure that br0 should bridge interface eth1. We also need to make sure that interface eth1 is always in promiscuous mode - this tells the interface to forward all ethernet frames to the IP stack.613but you will still have to encode a static address in the OpenVPN configuration file.</para>
614 </para>614
615615<para>The next step on the server is to configure the ethernet device for
616<programlisting>616promiscuous mode on boot. To do this, ensure the
617auto eth0617<application>networkd-dispatcher</application> package is installed and create
618iface eth0 inet static618the following configuration script.</para>
619 address 1.2.3.4619
620 netmask 255.255.255.248620<screen>
621 default 1.2.3.1621<command>sudo apt update</command>
622622<command>sudo apt install networkd-dispatcher</command>
623auto eth1623<command>sudo touch /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge</command>
624iface eth1 inet manual624<command>sudo chmod +x /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge</command>
625 up ip link set $IFACE up promisc on625</screen>
626626
627auto br0627<para>Then add the following contents.</para>
628iface br0 inet static628
629 address 10.0.0.4629<programlisting>
630 netmask 255.255.255.0630#!/bin/sh
631 bridge_ports eth1631set -e
632</programlisting>632if [ "$IFACE" = br0 ]; then
633633 # no networkd-dispatcher event for 'carrier' on the physical interface
634 <para>634 ip link set eth0 up promisc on
635At this point you need to bring up the bridge. Be prepared that this might not work as expected and that you will lose remote connectivity. Make sure you can solve problems having local access.635fi
636 </para>636</programlisting>
637<screen>
638<command>sudo ifdown eth1 &amp;&amp; sudo ifup -a</command>
639</screen>
640637
641</sect4>638</sect4>
642 <sect4 id="openvpn-bridged-server-configuration-server" status="review">639 <sect4 id="openvpn-bridged-server-configuration-server" status="review">
643<title>Prepare server config for bridging</title>640<title>Prepare server config for bridging</title>
644641
645 <para>642 <para>
646 Edit <filename>/etc/openvpn/server.conf</filename> changing the following options to:643 Edit <filename>/etc/openvpn/server.conf</filename> to use tap rather than tun and set the server to use the server-bridge directive:
647 </para>644 </para>
648645
649<programlisting>646<programlisting>
650;dev tun647;dev tun
651dev tap648dev tap
652up "/etc/openvpn/up.sh br0 eth1"
653;server 10.8.0.0 255.255.255.0649;server 10.8.0.0 255.255.255.0
654server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254650server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254
655</programlisting>651</programlisting>
656652
657 <para>653 <para>
658 Next, create a helper script to add the <emphasis>tap</emphasis> interface to the bridge and to ensure that eth1 is promiscuous mode. Create <filename>/etc/openvpn/up.sh</filename>:
659 </para>
660
661<programlisting>
662#!/bin/sh
663
664BR=$1
665ETHDEV=$2
666TAPDEV=$3
667
668/sbin/ip link set "$TAPDEV" up
669/sbin/ip link set "$ETHDEV" promisc on
670/sbin/brctl addif $BR $TAPDEV
671</programlisting>
672
673 <para>
674 Then make it executable:
675 </para>
676
677<screen>
678<command>sudo chmod 755 /etc/openvpn/up.sh</command>
679</screen>
680
681 <para>
682 After configuring the server, restart <application>openvpn</application> by entering:654 After configuring the server, restart <application>openvpn</application> by entering:
683 </para>655 </para>
684656
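Review bot: the new text never attaches the OpenVPN tap device to br0. The removed `up "/etc/openvpn/up.sh br0 eth1"` line and up.sh were what ran `/sbin/brctl addif $BR $TAPDEV`, and the netplan bridge only lists `interfaces: [enp0s31f6]`, so after `dev tap` the tap interface is created outside the bridge and bridged clients will not reach the LAN. Either keep an `up` script that runs `ip link set "$1" up master br0` (OpenVPN passes the device name as the first argument) or document the equivalent step. Two further inconsistencies in the same hunk: the netplan example bridges `enp0s31f6` but the dormant.d hook runs `ip link set eth0 up promisc on`, so the hook enables promiscuous mode on a different (and on a Bionic host with predictable names, nonexistent) interface than the bridge port; and the bridge is given `addresses: [10.0.1.100/24]` with `gateway4: 10.0.1.1` while the unchanged `server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254` line still uses the old 10.0.0.0/24 plan, so the gateway and pool handed to clients are on a different subnet from the bridge itself. Pick one interface name and one address plan and use them in all three places. Minor: a locally created hook belongs in /etc/networkd-dispatcher/dormant.d/ rather than the package-owned /usr/lib/networkd-dispatcher/dormant.d/; networkd-dispatcher reads both.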
@@ -699,7 +671,7 @@
699</screen>671</screen>
700672
701 <para>673 <para>
702 Then with the server configured and the client certificates copied to the <filename>/etc/openvpn/</filename> directory, create a client configuration file by 674 Then with the server configured and the client certificates copied to the <filename>/etc/openvpn/</filename> directory, create a client configuration file by
703 copying the example. In a terminal on the client machine enter:675 copying the example. In a terminal on the client machine enter:
704 </para>676 </para>
705677
@@ -743,7 +715,7 @@
743715
744 <para>716 <para>
745Many Linux distributions including Ubuntu desktop variants come with Network Manager,717Many Linux distributions including Ubuntu desktop variants come with Network Manager,
746a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well: 718a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well:
747 </para>719 </para>
748720
749<programlisting>721<programlisting>
@@ -927,12 +899,12 @@
927 </listitem>899 </listitem>
928 <listitem>900 <listitem>
929 <para>901 <para>
930 <ulink url="http://openvpn.net/index.php/open-source/documentation/howto.html#security">OpenVPN hardening security guide</ulink> 902 <ulink url="http://openvpn.net/index.php/open-source/documentation/howto.html#security">OpenVPN hardening security guide</ulink>
931 </para>903 </para>
932 </listitem>904 </listitem>
933 <listitem>905 <listitem>
934 <para>906 <para>
935 Also, Pakt's <ulink url="http://www.packtpub.com/openvpn/book">OpenVPN: Building and Integrating Virtual Private Networks</ulink> 907 Also, Pakt's <ulink url="http://www.packtpub.com/openvpn/book">OpenVPN: Building and Integrating Virtual Private Networks</ulink>
936 is a good resource.908 is a good resource.
937 </para>909 </para>
938 </listitem>910 </listitem>
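Review bot: drive-by typo in the unchanged context on line 907: "Pakt's" should read "Packt's" (the publisher named in the linked packtpub.com URL).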

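The bridged-server hunk above hard-codes the bridge port name in the dormant.d hook and drops the step that enslaves the OpenVPN tap device to the bridge. The following is an added example written for this review, not code from the serverguide or from the branch under review, of how both pieces can be done without hard-coding the NIC: the hook asks the kernel which ports belong to the bridge (via /sys/class/net/<bridge>/brif/) and enables promiscuous mode on each, and a separate helper produces the command an OpenVPN `up` script needs. Assumptions: the bridge is called br0 as in the diff, networkd-dispatcher exports IFACE for the interface whose state changed, and SYSFS_ROOT is only a hook for exercising the logic against a constructed directory tree (it is /sys on a real host).

```shell
#!/bin/sh
# Added example, not part of the serverguide or the branch under review.
# networkd-dispatcher dormant.d hook for the bridged OpenVPN server that
# (1) derives the bridge's ports from the kernel instead of hard-coding a
# NIC name, and (2) supplies the OpenVPN "up" command that enslaves the tap
# device to the bridge.  Assumptions: bridge is br0 (as in the diff),
# networkd-dispatcher sets IFACE, and SYSFS_ROOT exists only so the logic
# can be checked against a constructed tree; on a real host it is /sys.
set -eu

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# List the ports currently enslaved to bridge $1, one per line.
# Returns 1 when $1 is not a bridge (no brif directory under it).
bridge_ports() {
    dir="$SYSFS_ROOT/class/net/$1/brif"
    [ -d "$dir" ] || return 1
    for p in "$dir"/*; do
        [ -e "$p" ] || continue      # empty bridge: the glob did not expand
        basename "$p"
    done
}

# Print, without running, the ip(8) commands that put every port of
# bridge $1 into promiscuous mode (so the result can be reviewed unprivileged).
promisc_commands() {
    bridge_ports "$1" | while read -r port; do
        printf 'ip link set %s up promisc on\n' "$port"
    done
}

# The command an OpenVPN "up" script should run: OpenVPN passes the tap
# device name as its first argument, and "master" enslaves it to bridge $2.
attach_tap_command() {
    printf 'ip link set %s up master %s\n' "$1" "$2"
}

# Hook body: act only on the bridge's own event, then execute the commands.
dispatch_hook() {
    [ "${IFACE:-}" = "br0" ] || return 0
    promisc_commands br0 | sh -e
}

# Behave as the hook only when installed under the file name the diff uses;
# when sourced or run under another name the functions are merely defined.
case "${0##*/}" in
    promisc_bridge) dispatch_hook ;;
esac
```

Install the file as /etc/networkd-dispatcher/dormant.d/promisc_bridge (executable), and in server.conf add `script-security 2` plus an `up` script whose body is `attach_tap_command "$1" br0 | sh -e` (or simply `ip link set "$1" up master br0`), which restores the tap-to-bridge step that up.sh used to perform.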