
Openvpn Server

Archived (pre-2022)

Preserved for reference only -- likely outdated. Last updated: June 2019

Address: gw.production.fyber.com

How to add client:

  • log in to the OpenVPN server from an office IP, or add your IP to the security group in AWS first:

    ssh gw.production.fyber.com -l ubuntu

  • run the script with the username (use the same name as in the Chef data bag):

    ubuntu@ip-10-37-28-230:~$ ./add_ovpn_user.sh fmascolo

  • the script creates the archive openvpn-core-fmascolo.tgz; send it to the user

How to revoke certificate:

Go to /etc/openvpn/easy-rsa/ and run ./revoke-full username, then copy keys/crl.pem to the /etc/openvpn/ dir and restart/reload the OpenVPN server. Alternatively, use this script as the ubuntu user:

  ubuntu@ip-10-37-28-230:~$ ./remove_ovpn_user.sh dsimic
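What revoke-full does under the hood is an openssl ca -revoke followed by openssl ca -gencrl, and the only thing that makes the revocation effective is the regenerated crl.pem being the one OpenVPN loads. The script below is an added example (not the wiki's add/remove scripts and not easy-rsa): it builds a throwaway CA in a temp directory, issues one client cert, revokes it the same way, and checks with openssl verify -crl_check that the cert is rejected under the new CRL. All paths, the CA config and the function names are this example's own assumptions; nothing touches /etc/openvpn.

```shell
#!/bin/sh
# Added example (not the wiki's own add/remove scripts): throwaway CA in a temp
# dir, one client cert, revoked the way easy-rsa's revoke-full does it
# (openssl ca -revoke, then -gencrl), then verified against the CRL.
set -eu

# Minimal "openssl ca" config for the demo CA. $dir is filled in by the shell;
# the escaped \$dir references are expanded by openssl itself.
write_ca_config() {
  dir=$1
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = ca_policy
[ ca_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
}

# Create the CA, issue a client cert for $2 and publish an (initially empty) CRL.
make_demo_pki() {
  dir=$1; user=$2
  write_ca_config "$dir"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=demo-ca" 2>/dev/null
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" -subj "/CN=$user" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -batch -notext -days 2 \
    -in "$dir/$user.csr" -out "$dir/$user.crt" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# The two steps revoke-full performs: mark the cert revoked in the CA database,
# then regenerate crl.pem (the file that has to be copied to /etc/openvpn/).
revoke_user() {
  dir=$1; user=$2
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/$user.crt" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Print "revoked" if the CRL rejects the cert, "valid" if it still verifies.
# openssl verify -crl_check wants the CA cert and the CRL in one -CAfile.
crl_status() {
  ca=$1; crl=$2; cert=$3
  bundle=$(mktemp)
  cat "$ca" "$crl" > "$bundle"
  out=$(openssl verify -crl_check -CAfile "$bundle" "$cert" 2>&1 || true)
  rm -f "$bundle"
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo "error: $out" ;;
  esac
}

# Full walk-through: status before and after revocation, e.g. "valid revoked".
demo() {
  work=$(mktemp -d)
  make_demo_pki "$work" demo-user
  before=$(crl_status "$work/ca.crt" "$work/crl.pem" "$work/demo-user.crt")
  revoke_user "$work" demo-user
  after=$(crl_status "$work/ca.crt" "$work/crl.pem" "$work/demo-user.crt")
  rm -rf "$work"
  echo "$before $after"
}
```

On the real server the same crl_status check, run against /etc/openvpn/crl.pem and the user's cert from easy-rsa/keys/, confirms that the copied CRL is the one containing the revocation before the daemon is reloaded.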

Routing:

On the server, iptables is configured with NAT masquerading for the VPN pool; the FORWARD chain only accepts tun0 traffic to the listed destination networks and rejects the rest:

root@ip-10-37-28-230:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Tue Apr  9 12:21:01 2019
*filter
:INPUT ACCEPT [310081:52420899]
:FORWARD ACCEPT [109351:223937310]
:OUTPUT ACCEPT [350510:255169655]
-A FORWARD -d 10.37.0.0/16 -i tun0 -j ACCEPT
-A FORWARD -d 10.99.0.0/16 -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Apr  9 12:21:01 2019
# Generated by iptables-save v1.6.1 on Tue Apr  9 12:21:01 2019
*nat
:PREROUTING ACCEPT [30:2249]
:INPUT ACCEPT [25:1913]
:OUTPUT ACCEPT [40:3202]
:POSTROUTING ACCEPT [40:3202]
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr  9 12:21:01 2019
root@ip-10-37-28-230:~#
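The rules above are what keep VPN clients inside 10.37.0.0/16 and 10.99.0.0/16: the FORWARD chain's default policy is ACCEPT, so the final tun0 REJECT rule and the MASQUERADE scoped to 10.8.0.0/16 are the two lines that matter. The script below is an added example (not from the wiki or the server) that audits an iptables-save dump for exactly those properties; the sample file is the rules.v4 shown above, and the function names and output format are this example's own.

```shell
#!/bin/sh
# Added example (not part of the wiki page): audit an iptables-save dump for the
# least-privilege properties the OpenVPN forwarding rules rely on.
set -eu

# Write the rules.v4 from the page to the given path so the audit runs offline.
write_sample_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [310081:52420899]
:FORWARD ACCEPT [109351:223937310]
:OUTPUT ACCEPT [350510:255169655]
-A FORWARD -d 10.37.0.0/16 -i tun0 -j ACCEPT
-A FORWARD -d 10.99.0.0/16 -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [30:2249]
:INPUT ACCEPT [25:1913]
:OUTPUT ACCEPT [40:3202]
:POSTROUTING ACCEPT [40:3202]
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Destinations that VPN (tun0) traffic is explicitly allowed to reach, comma-joined.
allowed_forward_dests() {
  awk '/^\*filter/ {t=1} /^COMMIT/ {t=0}
       t && $1=="-A" && $2=="FORWARD" && /-i tun0/ && /-j ACCEPT/ {
         for (i=1; i<=NF; i++) if ($i=="-d") print $(i+1) }' "$1" | paste -sd, -
}

# yes/no: is there a FORWARD rule that rejects or drops everything else arriving
# on tun0 (no -d/-s qualifier)? Without it the chain's ACCEPT policy lets clients
# reach any network the server can route to.
has_tun0_catchall() {
  awk '/^\*filter/ {t=1} /^COMMIT/ {t=0}
       t && $1=="-A" && $2=="FORWARD" && /-i tun0/ && /-j (REJECT|DROP)/ &&
       $0 !~ /-[ds] / { found=1 }
       END { print (found ? "yes" : "no") }' "$1"
}

# Source ranges masqueraded out of eth0; anything broader than the VPN pool
# (10.8.0.0/16 here) would NAT traffic the filter table never meant to forward.
masquerade_sources() {
  awk '/^\*nat/ {t=1} /^COMMIT/ {t=0}
       t && $1=="-A" && $2=="POSTROUTING" && /-j MASQUERADE/ {
         s="0.0.0.0/0"; for (i=1; i<=NF; i++) if ($i=="-s") s=$(i+1); print s }' "$1" | paste -sd, -
}

# One-line summary, usable from cron or a config-management test.
audit_rules() {
  echo "catchall=$(has_tun0_catchall "$1") dests=$(allowed_forward_dests "$1") masq=$(masquerade_sources "$1")"
}

# Usage: f=$(mktemp); write_sample_rules "$f"; audit_rules "$f"
# → catchall=yes dests=10.37.0.0/16,10.99.0.0/16 masq=10.8.0.0/16
```

Run it against /etc/iptables/rules.v4 (or the live output of iptables-save) after any change to the server; catchall=no means a client can reach everything the instance can route to, which is the failure mode the REJECT rule exists to prevent.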

Routes to the DC and to Exasol are defined in the AWS route table of the subnet where the OpenVPN server runs:

[screenshot: AWS route table for the OpenVPN subnet (image2019-4-9_14-54-42.png)]

DNS:

On the server, dnsmasq is configured to serve requests for the internal and DC domains:

root@ip-10-37-28-230:~# cat /etc/dnsmasq.conf  | grep -v -e "^#" -e "^$"
strict-order
server=/prd.fyber.com/10.99.41.1
server=/core-production-1.consul/10.37.113.11#8600
interface=tun0

The OpenVPN server is configured to push this DNS server to clients:

push "dhcp-option DNS 10.8.0.1"

dnsmasq also reads /etc/hosts and answers OpenVPN clients from it; this is how VPN client IPs are resolved to *.ovpn names.
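The dnsmasq configuration above works by domain suffix: a query is forwarded to the server= entry whose domain is the longest matching suffix of the name, and anything that matches no entry goes to the resolvers from /etc/resolv.conf. The functions below are an added example (not the wiki's or the server's tooling) that make that routing explicit for a given name and summarise what dnsmasq listens on; the sample config is the dnsmasq.conf shown above, and the function names and output format are this example's own.

```shell
#!/bin/sh
# Added example (not the wiki's own config or tooling): which upstream dnsmasq
# forwards a name to, and what the server listens on, from a dnsmasq.conf file.
set -eu

# The dnsmasq.conf from the page, written out so the functions run offline.
write_sample_dnsmasq() {
  cat > "$1" <<'EOF'
strict-order
server=/prd.fyber.com/10.99.41.1
server=/core-production-1.consul/10.37.113.11#8600
interface=tun0
EOF
}

# dnsmasq picks the server= entry with the longest matching domain suffix;
# names matching no entry go to /etc/resolv.conf (printed as "resolv.conf").
upstream_for() {
  conf=$1; name=$2; best=; bestlen=0
  while IFS= read -r line; do
    case $line in server=/*/*) ;; *) continue ;; esac
    rest=${line#server=/}
    dom=${rest%%/*}      # domain between the slashes
    up=${rest#*/}        # upstream address, optionally with #port
    case $name in
      "$dom"|*".$dom")
        if [ "${#dom}" -gt "$bestlen" ]; then best=$up; bestlen=${#dom}; fi ;;
    esac
  done < "$conf"
  echo "${best:-resolv.conf}"
}

# Interfaces dnsmasq answers on, and whether it binds only to them. With
# interface= alone dnsmasq still binds the wildcard address and merely discards
# queries from other interfaces, so a scan of eth0 shows 53 open; add
# bind-interfaces to make the socket itself tun0-only.
listen_summary() {
  ifs=$(sed -n 's/^interface=//p' "$1" | paste -sd, -)
  if grep -qx 'bind-interfaces' "$1"; then b=yes; else b=no; fi
  echo "interfaces=${ifs:-all} bind-interfaces=$b"
}

# Usage:
#   f=$(mktemp); write_sample_dnsmasq "$f"
#   upstream_for "$f" db.prd.fyber.com                        → 10.99.41.1
#   upstream_for "$f" some-service.core-production-1.consul   → 10.37.113.11#8600
#   upstream_for "$f" example.org                             → resolv.conf
#   listen_summary "$f"                                       → interfaces=tun0 bind-interfaces=no
```

The query names in the usage comment are constructed for the demo. The bind-interfaces=no result is the caveat to keep in mind for this server: the push "dhcp-option DNS 10.8.0.1" line only tells clients where to ask, and the interface=tun0 line only filters; it does not by itself stop the resolver socket from being bound on eth0.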