Memorandum on how to build an OpenVPN server and prevent split tunnels (Ubuntu 22.04 LTS)

Hello
from the Oshiri Memory Leak
System Solution Department.

It's been cool lately. These days are more like two seasons than four seasons, but how are you spending your time?
This time, when I installed OpenVPN on my Ubuntu machine, I was stuck because I couldn't connect to the internet, so
I would like to share my knowledge as a memo.

First of all, what is OpenVPN?

*If you know this, please skip reading

OpenVPN is OSS VPN software provided by OpenVPN Technologies Inc.
By installing it on a Linux machine, etc., it will operate as a VPN server and allow VPN connections from clients.
▼OpenVPN Japan official
https://www.openvpn.jp/introduction/

install

■Environment

# Server side Ubuntu 24.04 LTS OpenVPN 2.5.9 # Client OS Windows 11 Pro

This time, we will proceed with reference to the following pages. It's very convenient because you can easily proceed with the prompts.
https://github.com/angristan/openvpn-install

First, follow the steps and use curl to pull the shell script file.
The save location is optional. Change the permissions to enable execution.

$ sudo curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh % Total % Received % Xferd Average Speed ​​Time Time Time Current Dload Upload Total Spent Left Speed ​​100 40923 100 40923 0 0 282k 0 --:--:-- --:--:-- --:--:-- 281k $ sudo chmod +x openvpn-install.sh

When you run the script, the prompts will start and you can step through them one by one.
Unless you have special requirements, I think the default is fine.

$ sudo ./openvpn-install.sh Welcome to the OpenVPN installer! The git repository is available at: https://github.com/angristan/openvpn-install I need to ask you a few questions before starting the setup. You can leave the default options and just press enter if you are ok with them.

There are several places to enter information, so if you are not sure what to enter, please refer to the commented out part in the code block below.

# Enter the WAN side (facing the Internet) IP address when connecting from an external client. I need to know the IPv4 address of the network interface you want OpenVPN listening to. Unless your server is behind NAT, it should be your public IPv4 address. IP address: 192.0.2.1 # n (default) unless you use IPv6 Input Checking for IPv6 connectivity... Your host does not appear to have IPv6 connectivity. Do you want to enable IPv6 support (NAT)? [y/n]: n # Since UDP/1194 is used by default as the listening port , select 1 if there is no problem What port do you want OpenVPN to listen to? 1) Default: 1194 2) Custom 3) Random [49152-65535] Port choice [1-3]: 1 # Use UDP/TCP If there is no particular problem, leave the default and select 1 (UDP). What protocol do you want OpenVPN to use? UDP is faster. it is not available, you shouldn't use TCP. 1) UDP 2 ) TCP Protocol [1-2]: 1 # Select DNS resolver. In my environment, the default was 11. If no changes are required, leave as is. What DNS resolvers do you want to use with the VPN? 1) Current system resolvers (from /etc/resolv.conf) 2) Self-hosted DNS Resolver (Unbound) 3) Cloudflare ( Anycast: worldwide) 4) Quad9 (Anycast: worldwide) 5) Quad9 uncensored (Anycast: worldwide) 6) FDN (France) 7) DNS.WATCH (Germany) 8) OpenDNS (Anycast: worldwide) 9) Google (Anycast: worldwide) ) 10) Yandex Basic (Russia) 11) AdGuard DNS (Anycast: worldwide) 12) NextDNS (Anycast: worldwide) 13) Custom DNS [1-12]: 11 # VORACLE attack vulnerability in environments where communication data is compressed It seems that gender exists. Since NO is recommended for this item, leave it as default. # Reference: https://openvpn.net/security-advisory/the-voracle-attack-vulnerability/ Do you want to use compression? It is not recommended since the VORACLE attack makes use of it. Enable compression? [y/n ]: n # The default encryption setting is ECDSA with prime256v1, which is strong enough, so leave it as is. Do you want to customize encryption settings? Unless you know what you're doing, you should stick with the default parameters provided by the script. Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults) See https://github.com/angristan/openvpn-install#security-and-encryption to learn more. Customize encryption settings? [y/n]: n # You're done. Once you press Enter, the installation and configuration will start, so you can have a cup of tea and wait. Okay, that was all I needed. We are ready to setup your OpenVPN server now. You will be able to generate a client at the end of the installation. Press any key to continue...

Once the installation is complete, proceed to generate an ovpn file (profile) for distribution to clients.

# Specify the user name for connection (be careful not to duplicate names if you issue multiple users in the future). Tell me a name for the client. The name must consist of alphanumeric character. It may also include an underscore or a dash. Client name: test # You will be asked to provide a passphrase for the client profile. We will go with the default (the process if you select 2 will be explained later). Do you want to protect the configuration file with a password? (eg encrypt the private key with a password) 1) Add a passwordless client 2) Use a password for the client Select an option [1-2]: 1 The configuration file has has been written to /home/hamchan/test.ovpn. Download the .ovpn file and import it in your OpenVPN client.

A profile was generated at /home/hamchan/test.ovpn.

If you select 2 when assigning a passphrase, the flow will be as follows.
If you select this option and provide a passphrase, the client will have to enter the passphrase each time they connect.
Therefore, even if your profile is leaked, you will not be able to connect to a third party unless you know your passphrase.

Do you want to protect the configuration file with a password? (eg encrypt the private key with a password) 1) Add a passwordless client 2) Use a password for the client Select an option [1-2]: 2 # Passphrase Set. You will be asked twice for confirmation. ⚠️ You will be asked for the client password below ⚠️ * Using SSL: openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) * Using Easy-RSA configuration: /etc/openvpn/easy-rsa/ vars * The preferred location for 'vars' is within the PKI folder. To silence this message move your 'vars' file to your PKI or declare your 'vars' file with option: --vars=<FILE> Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- Notice ------ Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/test2 .req key: /etc/openvpn/easy-rsa/pki/private/test2.key Using configuration from /etc/openvpn/easy-rsa/pki/3e6d0991/temp.484dbf11 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'test2' Certificate is to be certified until Sep 25 03:20:30 2034 GMT (3650 days) Write out database with 1 new entries Database updated Notice ------ Certificate created at: * /etc/openvpn/easy-rsa/pki/issued/test2-chan.crt Notice ------ Inline file created: * /etc/openvpn/easy-rsa/pki/inline/test2. inline Client test2 added. The configuration file has been written to /home/hamchan/test2.ovpn. Download the .ovpn file and import it in your OpenVPN client.

Connection from client

Download/install the client software from below. The author's environment is Windows 11.
https://www.openvpn.jp/
Also, copy the OVPN client profile you created earlier (test.ovpn)

Right-click the OpenVPN icon (it looks like a PC display) from the task tray and select the ovpn file from Import.

Once the import is complete, connect using the profile name. It is OK if the status turns green (connected).

Can't open web page

Everything went smoothly so far, but I ran into an issue where I couldn't connect to the internet.

The problems are
: - Web page cannot be opened
- Name resolution (nslookup) is not possible
- Source IP is the WAN side IP of the OpenVPN server

That was the situation. Maybe it's a split tunnel by default?
It was a very inconvenient situation to have zero root access and not be able to access the internet. That's okay.

Avoid split tunnels

We have no choice but to break out of the split tunnel situation.
So I looked it up, and surprisingly, it seemed like all I had to do was add a few lines to the client profile.
Below is the default profile without any changes.

client proto udp explicit-exit-notify remote 192.0.2.1 1194 dev tun resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server verify-x509-name server_RsYFZmapV3EjCl7k name auth SHA256 auth-nocache cipher AES-128-GCM tls-client tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 ignore-unknown-option block-outside-dns setenv opt block-outside-dns # Prevent Windows 10 DNS leak verb 3

Add the following two points to this profile.
*When installing OpenVPN, 10.8.0.0/24 is configured by default, so if there is any overlap with the existing environment, you will need to rewrite /etc/openvpn/server.conf.

# Route information to the OpenVPN server route 10.8.0.0 255.255.255.0 # Ignore redirect gateway (do not route traffic destined for the Internet to the VPN connection destination) pull-filter ignore "redirect-gateway"

By the way, I used this method 1.
https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

You can win with this!
That's what I thought, but although the Internet connection was routed through the existing local environment line, and only 10.8.0.0/24 was addressed to the OpenVPN server,
the problem that the name could not be resolved and the web page still did not open continued. It was a closed situation

After much trial and error, I discovered that the following two default settings had an effect.
solved it by commenting it out .

;ignore-unknown-option block-outside-dns ;setenv opt block-outside-dns # Prevent Windows 10 DNS leak

This seems to be a remnant from the Windows 10 era,
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

----
--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors.
----

It seems to be a setting to suppress DNS leak bugs seen in past Windows OSes. This seems to have obstructed the tunnel's DNS communication (TCP/UDP53).
However, it is an option that is recognized only by Windows OS, so other OSes do not seem to need to worry about it.

In the end, I ended up with a profile like this:

client proto udp explicit-exit-notify remote 192.0.2.1 1194 dev tun resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server verify-x509-name server_RsYFZmapV3EjCl7k name auth SHA256 auth-nocache cipher AES-128-GCM tls-client tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 ;ignore-unknown-option block-outside-dns ;setenv opt block-outside-dns # Prevent Windows 10 DNS leak route 10.8.0.0 255.255.255.0 pull-filter ignore "redirect-gateway" verb 3

It's a blessing, it's a blessing

bonus

In addition, depending on the application and environment, there may be cases where MTU size etc. have an effect.
In that case, please refer to the manual below.
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Also, since the log option is not included in /etc/openvpn/server.conf on the server side by default, you will be happy if you add the following settings.

# Increase the log level by one verb 4 # Write the connection log to a file log /var/log/openvpn/debug.log