OpenVPN tunnel Automation
In this guide we will explore how to set up the automatic management of OpenVPN tunnels.
If you're interested in Wireguard tunnels, see the Wireguard and Wireguard over VXLAN tunnel automation guides.
Installing OpenVPN Server and importing the OpenVPN configuration
We will install OpenVPN Server using the Ansible role Stouts.openvpn and then import the VPN configuration into OpenWISP. If you have already set up your VPN server, or would rather install it some other way, you can skip to Step 4.
Note
This process is not automated yet.
1. Install Ansible and required Ansible roles
Install Ansible (version 2.5 or higher) on your local machine (not on the server!) if you haven't already.
To install Ansible, we suggest you follow the official Ansible installation guide.
After installing Ansible, install git (example for Debian/Ubuntu Linux systems):
sudo apt-get install git
With Ansible and git installed, install the required roles:
ansible-galaxy install git+https://github.com/Stouts/Stouts.openvpn,3.0.0 nkakouros.easyrsa
2. Create hosts file and ansible playbook
Create an Ansible inventory file named hosts on your local machine (not on the server) with the following contents:
[openvpn]
your_server_domain_or_ip
For example, if your server IP is 192.168.56.2:
[openvpn]
192.168.56.2
In the same directory where you created the hosts file, create a file named playbook.yml with the following contents:
- hosts: openvpn
  vars:
    # EasyRSA
    easyrsa_generate_dh: true
    easyrsa_servers:
      - name: server
    easyrsa_clients: []
    easyrsa_pki_dir: /etc/easyrsa/pki
    # OpenVPN
    openvpn_keydir: "{{ easyrsa_pki_dir }}"
    openvpn_clients: []
    openvpn_use_pam: false
  roles:
    - role: nkakouros.easyrsa
    - role: Stouts.openvpn
3. Run the Playbook
Run the ansible playbook using:
ansible-playbook -i hosts playbook.yml -b -k -K --become-method=su
4. Importing the CA and the Server Certificate
To import the CA and server certificate, you need to access your server via SSH or any other method that suits you, and change to the directory /etc/easyrsa/pki/.
Note
If you get -bash: cd: /etc/easyrsa/pki: Permission denied, you may need to log in as the root user.
Importing the CA:
On your OpenWISP dashboard go to /admin/pki/ca/add/.
In Operation Type choose Import Existing.
Copy your CA certificate from the ca.crt file and the private key from private/ca.key, and enter them in the respective fields.
Importing the Server Certificate:
On your OpenWISP dashboard go to /admin/pki/cert/add/.
In Operation Type choose Import Existing, and in CA choose the CA you just created.
Copy your server certificate from the issued/server.crt file and the server private key from private/server.key, and enter them in the respective fields.
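Before pasting the four files into the two Import Existing forms, it is worth confirming on the server that they actually belong together (a key copied from the wrong file imports fine but produces a VPN that no client can connect to). The POSIX shell check below is an added example, not part of the OpenWISP documentation or of the Stouts.openvpn and nkakouros.easyrsa roles; it assumes the /etc/easyrsa/pki layout produced by the playbook above and that the openssl CLI is installed on the VPN server.

```shell
# Added example, not part of the OpenWISP docs or the Stouts.openvpn/nkakouros.easyrsa roles.
# Sanity-check an EasyRSA PKI before pasting its files into OpenWISP's
# "Import Existing" forms. Assumes the layout the playbook above produces
# (ca.crt, issued/<name>.crt, private/ca.key, private/<name>.key) and that
# the openssl CLI is installed on the VPN server.

# Return 0 if the private key's public half equals the key inside the certificate.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Usage: check_easyrsa_pki [pki_dir] [server_name]
check_easyrsa_pki() {
    pki="${1:-/etc/easyrsa/pki}"
    name="${2:-server}"
    ca_crt="$pki/ca.crt"; ca_key="$pki/private/ca.key"
    srv_crt="$pki/issued/$name.crt"; srv_key="$pki/private/$name.key"

    # All four files must exist and be readable (run as root if they are not).
    for f in "$ca_crt" "$ca_key" "$srv_crt" "$srv_key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # The server certificate must chain to the CA that will be imported first.
    openssl verify -CAfile "$ca_crt" "$srv_crt" >/dev/null 2>&1 \
        || { echo "$srv_crt was not issued by $ca_crt" >&2; return 1; }

    # Each private key must belong to the certificate pasted next to it.
    key_matches_cert "$ca_crt" "$ca_key" \
        || { echo "$ca_key does not match $ca_crt" >&2; return 1; }
    key_matches_cert "$srv_crt" "$srv_key" \
        || { echo "$srv_key does not match $srv_crt" >&2; return 1; }

    # An already-expired server certificate would be rejected by every client.
    openssl x509 -in "$srv_crt" -noout -checkend 0 >/dev/null \
        || { echo "$srv_crt has expired" >&2; return 1; }

    echo "OK: import $ca_crt + $ca_key as the CA, then $srv_crt + $srv_key as the certificate"
}

# Stand-alone use on the server: sh check_pki.sh /etc/easyrsa/pki server
if [ $# -gt 0 ]; then check_easyrsa_pki "$@"; fi
```

The script only reads the files and prints which ones to import; it never copies private keys anywhere, so it is safe to run as root on the VPN server.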
5. Creating VPN Server
On your OpenWISP dashboard go to /admin/config/vpn/add/.
In Host enter your server IP, in Certification Authority select the CA you created, and in X509 Certificate select the certificate you created.
Now under Configuration, open the Configuration Menu and deselect Property Files. For VPN1, change Server (Bridged) to the type of your VPN server. The VPN server installed using the guide above is a routed server, so change the Type to Server (Routed). The process to set up a bridged server is identical to that of a routed server.
Change the rest of the VPN configuration to match the configuration in /etc/openvpn/server.conf.
Tip
You can check whether your VPN configuration matches the server.conf file using the Preview Configuration option at the top.
Preparing the configuration template for VPN Clients
Create VPN Template
On your OpenWISP dashboard go to /admin/config/template/add/.
Change Type to VPN-client. For VPN, select the VPN you created in the previous steps.
You can further toggle the Enabled by default and Auto certificate options according to your needs.
Save the template. You can now tweak the client VPN configuration and add the template to your devices.
Auto Client Certificates
Option: Auto certificate
Default: True
The Auto Client Certificates feature automatically generates a client certificate for your device.
Default Templates
Option: Enabled by default
Default: False
Default templates are automatically added to newly created devices of the template's organization. If no organization is specified, the template is added to all devices of all organizations.