🛡️ OpenVPN Implementation - Office Network Access

Edit Page New Page Revisions

📋 Overview

This document outlines the steps taken to implement a secure OpenVPN solution for accessing internal resources (like VMs and web servers) from an external location via a public IP.

🖥️ Server-Side Configuration

🔧 Netplan Configuration

File: /etc/netplan/01-netcfg.yaml

yaml

network:
  version: 2
  ethernets:
    ens18:
      dhcp4: no
      addresses:
        - XXX.XXX.XXX.XXX/24
      routes:
        - to: default
          via: XXX.XXX.XXX.XXX
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
    ens19:
      dhcp4: no
      addresses:
        - YYY.YYY.YYY.YYY/24

🔐 OpenVPN Server Configuration

File: /etc/openvpn/server.conf

conf

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# DNS and Routing
push "dhcp-option DNS 8.8.8.8"       # You can change to your preferred DNS
push "dhcp-option DNS 8.8.4.4"       # You can change to your preferred DNS
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.X.X 255.255.255.0" # Replace X.X with your internal LAN network

# Crypto
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key   # Path to your TLS-crypt key file
crl-verify crl.pem        # Path to your CRL (Certificate Revocation List) file
ca ca.crt                 # Path to your CA certificate
cert server.crt           # Path to your server certificate
key server.key            # Path to your private server key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM

# TLS Settings
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

client-config-dir /etc/openvpn/ccd   # Path to client-specific configs
status /var/log/openvpn/status.log   # Path to OpenVPN status log
duplicate-cn # Allows multiple connections with same username
verb 3

# Enable IP Forwarding
# On Linux, enable in /etc/sysctl.conf or /etc/sysctl.d/:
# net.ipv4.ip_forward = 1
# Then run: sysctl -p
bash
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Make it permanent:

bash
sudo nano /etc/sysctl.conf # Uncomment or add: 
net.ipv4.ip_forward=1 
sudo sysctl -p

🔥 IPTables NAT Rule

bash
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/24 -j MASQUERADE sudo iptables-save | sudo tee /etc/iptables/rules.v4

💻 Client Configuration (Windows)

  • Use OpenVPN GUI to import .ovpn file.

  • Ensure route is added automatically.

  • If not, add manually via Admin Command Prompt:

cmd
route add 192.168.0.0 mask 255.255.255.0 10.8.0.1 -p

✅ Result

  • VPN clients can connect via Public_IP.

  • SSH and web access is now possible to internal VMs/sites in the 192.168.0.x network.

  • VPN traffic is routed via ens18 (TP-Link), while internal resources are accessed via ens19 (Jio).

🧠 Notes

  • The public IP (Public_IP) must forward port 1194/UDP to 192.168.1.x.

  • Make sure the OpenVPN subnet (10.8.0.0/24) is allowed in all internal firewalls.

  • Check and restart services if necessary:

    bash
sudo systemctl restart openvpn@server

Previous Page

Left

Next Page

Right
On this page