

From Brixel - Hackerspace Hasselt

Project: Openvpn & DNS server to allow seamless resolving of custom TLDs/domains.
Description: combination Openvpn and Bind9 that allows you to push custom dns settings to a client.
Status: Completed
Participants: Woutervddn
Expertise: Network management, Linux, Networking, VPN, openvpn, DNS
Tags: Openvpn-w-custom-dns

Initial Problem

There are plenty of situations where you have a web service that you don't want to expose to the world, yet you want to be able to reach it from anywhere yourself. When it's just you, you might get away with client certificates, SSH tunnels and the like. When non-technical people have to use it as well, you need something easier.

At Cr3do we had exactly this problem. We've got a number of websites, each with an acceptance environment, and we've also got some back-office applications that shouldn't be publicly available. Because non-technical people had to be able to use them too, we soon figured out that the only workable option was a VPN.

Because it is open source we opted for OpenVPN. Managing the certificates by hand was a complete hassle, however, so we chose their non-free OpenVPN Access Server instead. The procedure below is equally feasible without Access Server.

The added requirement was that I wanted to use my own TLD. It made a lot more sense to me to use .cr3do domains, so the acceptance environment of our main website would be main.accept.cr3do, and a page linking to all our components could live at something like home.cr3do. I struggled to find out how to do this in OpenVPN. It turns out you need a separate DNS server for it; Bind9 was the obvious choice.

Combining the two gives a setup in which clients connected to the OpenVPN server automatically get access to the DNS records for all .cr3do domains. People who aren't connected to the VPN don't see the records, and the server hosting our internal services can't be reached from outside the VPN at all, because it is shielded from public access. This greatly reduces the risk that a third party gets access to our internal services.

To be clear: this does not remove the need to secure the internal services themselves, it just makes it less likely that someone gets to them in the first place. The chance of becoming the victim of an attack is smaller, not zero.

Why OpenVPN-AS

As I said already, the fact that OpenVPN is open source was a real benefit, but the hassle that came with the certificates convinced us we needed something with a web control panel. The choices get a whole lot narrower at that point. We experimented with the OpenVPN server Pritunl, and for larger teams the €500 a year for the enterprise edition (unlimited users) might be a great deal. For us it was too expensive.

OpenVPN-AS takes a different approach: you pay per user. While you need to buy a minimum of 10 licences, that still comes to about €100 a year, which is fine for our situation. We figured that the time saved managing certificates, settings and users is worth more than €100 per year. Do note: OpenVPN-AS is free for up to 2 users.

For those searching for a free-of-cost solution, you can just as well use the default open-source OpenVPN server, it just requires you to manage everything from the console.

Setting everything up

Setting up OpenVPN-AS on AWS

Setting up OpenVPN-AS was remarkably easy. We host everything on AWS and there is a pre-configured AMI available. If you set up your own system manually you might have to jump through some hoops (or so I heard), but since I believe most people will use the open-source (command-line only) version of OpenVPN anyway, I won't cover that.

Setting up the EC2 instance

Go to your AWS control panel and click EC2. On the EC2 dashboard click the "Launch Instance" button.

Images and info will be added soon!

The first-boot configuration prompts on the AMI, with the answers we gave (the hostname and URLs the tool printed are left blank here):

  Please enter 'yes' to indicate your agreement [no]: yes
  Once you provide a few initial configuration settings,
  OpenVPN Access Server can be configured by accessing
  its Admin Web UI using your Web browser.
  Will this be the primary Access Server node?
  (enter 'no' to configure as a backup or standby node)
  > Press ENTER for default [yes]:
  Please specify the network interface and IP address to be
  used by the Admin Web UI:
  (1) all interfaces:
  (2) eth0:
  Please enter the option number from the list above (1-2).
  > Press Enter for default [2]: 1
  Please specify the port number for the Admin Web UI.
  > Press ENTER for default [943]:
  Please specify the TCP port number for the OpenVPN Daemon
  > Press ENTER for default [443]:
  Should client traffic be routed by default through the VPN?
  > Press ENTER for default [no]: yes
  Should client DNS traffic be routed by default through the VPN?
  > Press ENTER for default [no]: yes
  Use local authentication via internal DB?
  > Press ENTER for default [yes]:
  Private subnets detected: ['']
  Should private subnets be accessible to clients by default?
  > Press ENTER for EC2 default [yes]:
  To initially login to the Admin Web UI, you must use a
  username and password that successfully authenticates you
  with the host UNIX system (you can later modify the settings
  so that RADIUS or LDAP is used for authentication instead).
  You can login to the Admin Web UI as "openvpn" or specify
  a different user account to use for this purpose.
  Do you wish to login to the Admin UI as "openvpn"?
  > Press ENTER for default [yes]: yes
  > Please specify your OpenVPN-AS license key (or leave blank to specify later):
  Initializing OpenVPN...
  Adding new user login...
  useradd -s /sbin/nologin "openvpn"
  Writing as configuration file...
  Perform sa init...
  Wiping any previous userdb...
  Creating default profile...
  Modifying default profile...
  Adding new user to userdb...
  Modifying new user as superuser in userdb...
  Getting hostname...
  Hostname:
  Preparing web certificates...
  Getting web user account...
  Adding web group account...
  Adding web group...
  Adjusting license directory ownership...
  Initializing confdb...
  Generating init scripts...
  Generating PAM config...
  Generating init scripts auto command...
  Starting openvpnas...
  NOTE: Your system clock must be correct for OpenVPN Access Server
  to perform correctly. Please ensure that your time and date
  are correct on this system.
  Initial Configuration Complete!
  You can now continue configuring OpenVPN Access Server by
  directing your Web browser to this URL:
  Login as "openvpn" with the same password used to authenticate
  to this UNIX host.
  During normal operation, OpenVPN AS can be accessed via these URLs:
  Admin UI:
  Client UI:
  See the Release Notes for this release at:
  http://www.openvpn.net/access-server/rn/openvpn_as_2_0_20.html

Three of those answers deserve a second look. Choosing option 1 binds the Admin Web UI (port 943) to every interface, so the admin login is reachable from the internet unless the EC2 security group limits 943/tcp to your own addresses; on a single-NIC instance the eth0 default is no safer, so restrict it in the security group in any case. "Private subnets detected: ['']" means no internal subnet was found automatically, so the subnet of the internal services has to be added in the Admin Web UI afterwards. Answering yes to routing client DNS traffic through the VPN is what later lets the Bind9 server resolve the custom TLD for connected clients; without it, clients keep using their local resolver and never see the .cr3do records.

Setting up the open-source version of OpenVPN on Ubuntu server

To Do, feel free to add this section!

Setting up Bind9 DNS Server

To Do, feel free to add this section!
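Until those two sections are written, the following is an added example (not the page's or Cr3do's own configuration) of the combination described under Initial Problem: a Bind9 zone for a private TLD that only VPN clients may query, and the open-source OpenVPN server directives that push that resolver to clients. It is a POSIX shell script that writes the three files and syntax-checks them with named-checkconf and named-checkzone when those tools are installed. Every concrete value is an assumption chosen for illustration: tunnel subnet 10.8.0.0/24 with the VPN host (which also runs Bind9) at 10.8.0.1, TLD cr3do, an internal web host at 10.0.1.20 on 10.0.1.0/24, and certificate files named as easy-rsa produces them.

```shell
#!/bin/sh
# Added example, not the page's own configuration: writes a Bind9 zone for a
# private TLD plus the OpenVPN server directives that push that resolver to
# clients, then syntax-checks both with BIND's tools if they are installed.
# All values below are assumptions chosen for illustration.
set -eu

TLD="cr3do"
VPN_NET="10.8.0.0/24"
VPN_DNS="10.8.0.1"
APP_NET="10.0.1.0 255.255.255.0"
APP_IP="10.0.1.20"

# named.conf: answer (and recurse) only for VPN clients and localhost, listen
# only on the tunnel address, and never allow zone transfers.
write_bind_conf() {
    dir="$1"
    cat > "$dir/named.conf" <<EOF
acl "vpn-clients" { 127.0.0.0/8; ${VPN_NET}; };

options {
    directory "$dir";
    listen-on { 127.0.0.1; ${VPN_DNS}; };
    allow-query { vpn-clients; };
    allow-recursion { vpn-clients; };
    allow-transfer { none; };
    recursion yes;
    forwarders { 1.1.1.1; 8.8.8.8; };   // everything that is not .${TLD}
};

zone "${TLD}" {
    type master;
    file "$dir/db.${TLD}";
};
EOF
    echo "$dir/named.conf"
}

# Zone file: the records only VPN clients should ever be able to resolve.
write_zone() {
    dir="$1"
    cat > "$dir/db.$TLD" <<EOF
\$TTL 300
@            IN  SOA ns1.${TLD}. hostmaster.${TLD}. (
                     2024010101  ; serial, bump on every change
                     3600        ; refresh
                     900         ; retry
                     604800      ; expire
                     300 )       ; negative-cache TTL
@            IN  NS  ns1.${TLD}.
ns1          IN  A   ${VPN_DNS}
home         IN  A   ${APP_IP}
main.accept  IN  A   ${APP_IP}
EOF
    echo "$dir/db.$TLD"
}

# OpenVPN server.conf: the push lines make .cr3do resolve for connected
# clients; the route push is a split tunnel for the internal network only.
write_openvpn_conf() {
    dir="$1"
    cat > "$dir/server.conf" <<EOF
port 1194
dev tun
topology subnet
server ${VPN_NET%/*} 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${TLD}"
push "route ${APP_NET}"
push "block-outside-dns"
# push "redirect-gateway def1"   (uncomment to send all client traffic via VPN)
persist-key
persist-tun
user nobody
group nogroup
EOF
    echo "$dir/server.conf"
}

# Syntax-check with named-checkconf/named-checkzone; skipped (exit 0) when
# BIND's tools are absent so the generator still works on a bare host.
validate() {
    dir="$1"
    command -v named-checkconf >/dev/null 2>&1 || { echo "bind tools missing, skipped"; return 0; }
    named-checkconf "$dir/named.conf" && named-checkzone "$TLD" "$dir/db.$TLD" >/dev/null
}

# Usage: sh gen-vpn-dns.sh /etc/bind   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    write_bind_conf "$1"; write_zone "$1"; write_openvpn_conf "$1"; validate "$1"
fi
```

The allow-query ACL together with listen-on on the tunnel address is what makes the records invisible outside the VPN, as the Initial Problem section describes; the EC2 security group should still not open 53/udp or 53/tcp to the world. Note that pushed dhcp-option lines are applied by the Windows and macOS GUI clients, but a Linux client only honours them when a resolver hook such as update-resolv-conf or update-systemd-resolved is configured, so test the TLD from each client platform you support.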