
Install eduvpn on separate hosts (controller&vpn)

I’m planning to install eduvpn as a personal VPN solution.

I also want to separate the VPN functionality (“vpn-daemon”, hostname “eduvpn-node”) from the management web frontend (controller or “vpn-user-portal”, hostname “eduvpn”).

Adding software repository

So we start by configuring the required software repository on both machines; here is the repository file in the newer deb822 format:

eduvpn # cat /etc/apt/sources.list.d/eduvpn.sources
Types: deb
URIs: https://repo.eduvpn.org/v3/deb
Suites:  noble
Components: main
Architectures: amd64
# see https://codeberg.org/eduVPN/deploy/raw/branch/v3/resources/repo+v3@eduvpn.org.asc
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mDMEYoKbBhYJKwYBBAHaRw8BAQdAYqEfYQm8BFK1dC7dFbOQRoV+q47cB9i0gur8
 z9Dg4820MGVkdVZQTiAzLnggUmVwbyBTaWduaW5nIEtleSA8cmVwbyt2M0BlZHV2
 cG4ub3JnPoiZBBMWCgBBFiEE9nEMqvu0eoo+yRgAYp1+4rY93nMFAmKCmwYCGwMF
 CRLMAwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQYp1+4rY93nPy0QEA
 2hsMIdl4M/rYC/xWjwlJMPdYhRumcsB4LPvpFCynV80A/iezye1QS+HbFvWLe35f
 2fCzZPEXcfBj62wfeP3j+9EE
 =3C81
 -----END PGP PUBLIC KEY BLOCK-----

Basic installation

After that we install the basic packages on the user portal machine:

eduvpn # apt update
eduvpn # apt install -y vpn-user-portal

Add a user with a password and add it to the admin list:

eduvpn # sudo -u www-data vpn-user-portal-account --add vpn --password test1234
linux # vi /etc/vpn-user-portal/config.php
<...>
'adminUserIdList' => ['vpn'],
<...>

Generate keys for node:

eduvpn # /usr/libexec/vpn-user-portal/generate-secrets --node 1

This will generate /etc/vpn-user-portal/keys/node.1.key.

Create the CA and the certificates. The vpn-ca script writes its files to the current directory unless told otherwise, while the eduvpn tools expect them in very specific locations, so change into the keys directory first:

eduvpn # cd /etc/vpn-user-portal/keys/ca
eduvpn # vpn-ca -init-ca
eduvpn # vpn-ca -server -name server
eduvpn # vpn-ca -client -name client

Now move and rename the client.* files to /etc/vpn-user-portal/keys/vpn-daemon/ (the listing below shows the resulting layout, including the copy of ca.crt next to them):

eduvpn # find /etc/vpn-user-portal/keys/ -type f
/etc/vpn-user-portal/keys/ca/ca.key
/etc/vpn-user-portal/keys/ca/ca.crt
<...>
/etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.key
/etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.crt
/etc/vpn-user-portal/keys/vpn-daemon/ca.crt
<...>

Copy the server.* files (plus ca.crt) to the eduvpn node, into the directory set as CREDENTIALS_DIRECTORY in /etc/default/vpn-daemon (see below):

eduvpn-node1 # find /etc/vpn-daemon/ -type f
/etc/vpn-daemon/ca.crt
/etc/vpn-daemon/server.crt
/etc/vpn-daemon/server.key

The maintenance scripts use hard-coded defaults (like “wg0”) instead of taking the config from /etc/default/vpn-daemon. So in my case they’d overwrite an existing config. Therefore I decided to do some things manually (which is not that complex, considering that I’m not interested in configuring OpenVPN, only WireGuard).

Now let’s install software on the vpn node:

eduvpn-node1 # apt install vpn-server-node

And do a basic configuration of the vpn-daemon:

eduvpn-node1 # cat /etc/default/vpn-daemon
LISTEN=:41194
WG_DEVICE=wg1
CREDENTIALS_DIRECTORY=/etc/vpn-daemon
eduvpn-node1 # chown vpn-daemon:vpn-daemon /etc/vpn-daemon/*
eduvpn-node1 # systemctl restart vpn-daemon

Check certificates

On the node running vpn-daemon:

eduvpn-node1 # curl --cacert /etc/vpn-daemon/ca.crt --cert /etc/vpn-daemon/client.crt --key /etc/vpn-daemon/client.key --connect-to eduvpn-node1.mydomain.de:41194:localhost https://eduvpn-node1.mydomain.de:41194/i/node
{"rel_load_average":[0,0,0],"load_average":[0,0,0],"cpu_count":2,"node_uptime":806520,"maintenance_mode":false}

And, even more importantly, on the user-portal server:

eduvpn # curl --cacert /etc/vpn-user-portal/keys/vpn-daemon/ca.crt --cert /etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.crt --key /etc/vpn-user-portal/keys/vpn-daemon/vpn-daemon-client.key https://eduvpn-node1.mydomain.de:41194/i/node
{"rel_load_average":[0,0,0],"load_average":[0,0,0],"cpu_count":2,"node_uptime":806520,"maintenance_mode":false}

Make sure to use the correct paths for the CA and certificate files on both machines, otherwise you will not be able to establish a secure (mutually authenticated TLS) connection between portal and node!
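As an added pre-flight check (my own script, not part of eduvpn or of this post), the following Python code verifies that a host's credential directory contains exactly the file names shown in the listings above and that private keys are not group/world accessible; on the node it takes the directory from the CREDENTIALS_DIRECTORY line of /etc/default/vpn-daemon. The role labels "node" and "portal" and the temporary sample layout are my own constructions.

```python
import stat
import tempfile
from pathlib import Path

# File names each side expects, taken from the directory listings in the post:
# "node" is CREDENTIALS_DIRECTORY on the vpn-daemon host, "portal" is keys/vpn-daemon on the user portal.
EXPECTED = {
    "node": {"ca.crt", "server.crt", "server.key"},
    "portal": {"ca.crt", "vpn-daemon-client.crt", "vpn-daemon-client.key"},
}

def parse_env_file(text):
    """Parse KEY=VALUE lines as in /etc/default/vpn-daemon; comments and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
    return env

def check_credentials(cred_dir, role):
    """Return findings for one role's credential directory; an empty list means the layout is as expected."""
    cred_dir, expected = Path(cred_dir), EXPECTED[role]
    present = {p.name for p in cred_dir.iterdir() if p.is_file()} if cred_dir.is_dir() else set()
    findings = [f"missing {cred_dir / n}" for n in sorted(expected - present)]
    findings += [f"unexpected {cred_dir / n} (misnamed copy?)" for n in sorted(present - expected)]
    for name in sorted(present & expected):
        mode = stat.S_IMODE((cred_dir / name).stat().st_mode)
        # Private keys are read by the daemon's own user only; group/world access bits are a finding.
        if name.endswith(".key") and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{cred_dir / name} is group/world accessible (mode {mode:04o})")
    return findings

def check_node_from_defaults(defaults_text):
    """Take the contents of /etc/default/vpn-daemon, read CREDENTIALS_DIRECTORY and check the node layout."""
    env = parse_env_file(defaults_text)
    if "CREDENTIALS_DIRECTORY" not in env:
        return ["CREDENTIALS_DIRECTORY is not set in /etc/default/vpn-daemon"]
    return check_credentials(env["CREDENTIALS_DIRECTORY"], "node")

def make_sample_layout(names, key_mode=0o600):
    """Create a temporary directory of dummy files (constructed test data, no real key material)."""
    d = Path(tempfile.mkdtemp(prefix="eduvpn-creds-"))
    for n in names:
        (d / n).write_text("dummy\n")
        (d / n).chmod(key_mode if n.endswith(".key") else 0o644)
    return str(d)
```

Run check_credentials("/etc/vpn-user-portal/keys/vpn-daemon", "portal") on the portal and check_node_from_defaults(open("/etc/default/vpn-daemon").read()) on the node; a misnamed copy such as client.crt instead of server.crt shows up as one "missing" and one "unexpected" finding.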

vpn-maint-apply-changes would call /usr/libexec/vpn-server-node/server-config to create a WireGuard config in /etc/wireguard/wg0.conf:

eduvpn-node1 # cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.43.43.1/24,fd43::1/64
ListenPort = 51820
PrivateKey = <private key here>

So it’s fairly basic.

More information can be found here:

https://docs.eduvpn.org/server/v3/deploy-debian.html
