OpenVPN server (debian,ubuntu,kali,raspberry pi) + IOS13 – IOS16 client

Update: this is still working on December 2023 with IOS16

apt install openvpn easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
vim vars

/etc/openvpn/vars content

export KEY_COUNTRY="Serbia"
export KEY_PROVINCE="RS"
export KEY_CITY="Belgrade"
export KEY_ORG="LinuxWin"
export KEY_EMAIL="[email protected]"
export KEY_OU="OpenVPN"

Initialize PKI

./easyrsa init-pki

Build the CA without a password

./easyrsa build-ca nopass

Generate the server key

./easyrsa gen-req server nopass

Sign the server certificate

./easyrsa sign-req server server

Build a Diffie-Hellman key exchange

./easyrsa gen-dh

Generate a HMAC signature

openvpn --genkey --secret ta.key

Copy all the certificate and key to the /etc/openvpn

cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/

Generate Client certificate

./easyrsa gen-req client nopass

Sign Client certificate

./easyrsa sign-req client client

Copy client certificate and key to /etc/openvpn/client/

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

/etc/openvpn/server.conf file

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
;dh none

server 192.168.10.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.222"
keepalive 10 120

;tls-auth ta.key 0 # This file is secret
tls-crypt /etc/openvpn/ta.key 0

auth SHA256
cipher AES-256-GCM

user nobody
group nogroup
persist-key
persist-tun

tun-mtu 1500

status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

enable IP forwarding

vim /etc/sysctl.conf
###uncoment following line###
net.ipv4.ip_forward=1

###save and exit###
sysctl -p

### the other way is to do the same ###
echo 1 > /proc/sys/net/ipv4/ip_forward

Firewall rules

### for server behind NAT ###
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### or just...###
iptables -t nat -A POSTROUTING -j MASQUERADE

### open udp port 1194 ###
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

### allow TUN interface ###
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

To save rules to be loaded on boot install iptables-persistent

sudo apt install iptables-persistent

### current iptables rules will be saved to the
### /etc/iptables/rules.v4
### /etc/iptables/rules.v6

Start OpenVPN server service

systemctl start openvpn@server

### check status with..###
systemctl status openvpn@server

.ovpn config file for ios

client
dev tun                             
proto udp          ####tcp if you use tcp protocol
remote 192.168.100.55   ### your server ip address or domain
port 1194     ####1194 only if your vpn server's port is the default port     
resolv-retry infinite
nobind
persist-key
persist-tun

tun-mtu 1500
;link-mtu 1549
mssfix 1300

auth SHA256
;auth-user-pass
verb 5
;comp-lzo  ###(disable compression)
remote-cert-tls server
cipher AES-256-GCM

redirect-gateway def1
;remote-gateway 192.168.6.1
;dhcp-options DNS .8.8.8.8

;route 192.168.6.0 255.255.255.0 192.168.6.1


<ca>
ca.crt  ### copy content here ###
</ca>

<cert>
clinet.ctr  ### copy content here ###
</cert>

<key>
client.key ### copy content here ###
</key>

<tls-crypt>
ta.key   ### copy contet of ta.key here ###
</tls-crypt>

Import .ovpn config file to ios via itunes, mail, google drive, onedrive…

There is a little script I made to automate this last step, (generate config file with all certificates). OVPNconfig

And for make certifictes and config file for more users you can use this script: OVPNclient

Kali Linux 2020 unable to boot after install

If you have more then one drive in your computer with more then one OS you can finish with this:

Error: unknown filesystem
Entering rescue mode...
grub rescue>

At this point you can try to locate kali partition and set root and prefix and try to boot…

ls
hd0) (hd0,msdos5) (hd0,msdos2) (hd0,msdos1)...etc... hd1) (hd1,msdos5) (hd0,msdos2) (hd0,msdos1)...etc

ls (hd0,5)/
ls (hd0,2)/
...etc, until you locate the kali partiton
then...

set boot=(hd1,5)    (...replace with the right partition)
set prefix=(hd1.5)/boot/grub/
insmod normal

and this finish with:
error: file '/grub/i386-pc/normal.mod' not found.

Even if you find the right .mod to boot, it doesn’t fix the problem.

The problem is quite stupid, more like a bug. This particular laptop has 2 drives. One SSD and one HDD. Different linux distros, detect those drives differently. For Parted Magic, gParted,…etc, SSD is /dev/sda and HDD is /dev/sdb. Even for Kali installer is the same thing. But for Kali 2020, SSD is /dev/sdb and HDD is /dev/sda. So live installer installs grub on sdb, and after reboot, sdb becomes wrong drive.

Solution to this is quite simple. Chroot to Kali installation from Kali live, and reinstall grub.

(replace sda2 with your drive)

mount /dev/sda2 /mnt
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
grub-install /dev/sda
update-grub

exit
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount /mnt
REBOOT
seo reseller