OpenVPN Server Rock-on

Please be aware of the common prerequisites for all Rockstor Rock-ons (Docker Plugins); specifically the Initial Rock-ons Setup and The Rock-ons root requirement.

Our OpenVPN server Rock-on forum area.

What is OpenVPN

This Rock-on installs an OpenVPN or Open (as in Open Source) Virtual Private Network Server. This is a network technology that creates a private encrypted tunnel, usually over the internet. In combination with client software installed on another machine that initiates one end of the tunnel, this server forms the other end of this tunnel and does so at the request of the client software.

OpenVPN Requirements

To use this OpenVPN server you will need an internet name, otherwise called a hostname, that points back to your Rockstor’s internet gateway. This allows the client software to find your Rockstor machine on the internet; see An Internet Hostname or IP detailed below.

Installing OpenVPN Rock-on

First please consider the pre-requisites for any Rockstor Rock-on; these are linked to at the top of this document.

../../_images/openvpn_install.png

Click the Install button next to the OpenVPN listing on the Rock-ons page.

The OpenVPN Port

The OpenVPN install wizard will first request that you set a port and will suggest the default:-

../../_images/openvpn_port.png

You may well have to open and forward the configured port on your Rockstor’s internet gateway router back to the Rockstor machine. This effectively makes at least this port on Rockstor appear on your router’s red (internet) interface. The client OpenVPN software can then talk directly and securely to your Rockstor’s OpenVPN Rock-on using this port.

An Internet Hostname or IP

Although the OpenVPN client can be told which port you are using, it also needs to know where on the internet your Rockstor machine is. This is done using an internet hostname or, in much less common instances, your router’s public IP address; the latter will only work in the long run if your public IP is static:-

../../_images/openvpn_address.png

N.B. no default is provided as this is specific to your install; the image shows a made-up example.

In the case of your internet connection having a dynamically assigned IP (common in domestic internet installs) you will have to use a dynamic DNS naming service. These services work by using client software, running either on your internet router or on a machine within your network, that periodically calls out to your dynamic DNS naming provider and updates that provider with your router’s current location / IP on the internet. The dynamic DNS naming provider will then update their publicly available records of the hostname you agreed upon during account sign up. This then allows for your Rockstor’s internet connection to be located by that hostname / IP.

The client OpenVPN software can then use this port / name combination to make the necessary connections to establish the tunnel.

../../_images/openvpn_verify.png

Now check that the entered details are correct before clicking Submit.

The Authentication Credentials

Once the install has completed you will see the following:-

../../_images/openvpn_exitcode.png

This is a peculiar complexity that exists in our first flush OpenVPN Rock-on implementation. Please click on the “i” icon to get the following instructions:

../../_images/openvpn_certs.png

The above indicated steps are reproduced here for clarity:-

Additional steps are required by this Rock-on

Run the following commands as the root user on your Rockstor system, i.e. via an SSH console.

Initialize PKI. The OpenVPN Rock-on will not start without it.

/opt/rockstor/.venv/bin/ovpn-initpki

This command will ask for a PEM pass phrase, a Common Name (after which a long list of .'s and +'s will appear as the key is generated), and a passphrase for the private key.

Generate a client certificate. You need to generate one for every client.

/opt/rockstor/.venv/bin/ovpn-client-gen

This command will ask for the client name (no spaces) and a pass phrase.

Retrieve the client configuration for any one of your clients. The resulting .ovpn file can be used to connect to this OpenVPN server.

/opt/rockstor/.venv/bin/ovpn-client-print

This command will ask for the name of the client you wish the .ovpn file to be created for; the file will be placed in /tmp, i.e.:

/tmp/<clientname>.ovpn

Warning

Please note that if you change your hostname you will need to regenerate your client authentication credentials and re-deploy them as they contain this information in order to inform the Client OpenVPN software on how to find your Rockstor’s OpenVPN Server Rock-on.
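The script below is an added example, not part of the Rockstor documentation or the Rock-on's own tooling. It audits a generated .ovpn file for two things this section implies: that its remote directive still names your current hostname and port, and that a profile left in /tmp is not readable by other local users if it embeds a private key. The function names, the sample profile and nas.example.org are constructed for illustration; whether your generated file carries an inline <key> block is an assumption the script tests for rather than relies on.

```shell
#!/bin/sh
# Added example: audit a generated client profile before distributing it.

# Print "host port" from the first 'remote' directive; falls back to 1194,
# OpenVPN's default port, when the remote line names none.
ovpn_remote() {
    awk '$1 == "remote" { print $2, ($3 == "" ? 1194 : $3); exit }' "$1"
}

# Succeed if the profile embeds a private key in an inline <key> block.
ovpn_has_inline_key() { grep -q '^<key>' "$1"; }

# ovpn_check FILE HOST PORT -> returns 0 if clean, 1 if the remote is stale,
# 2 if a key-bearing file is readable by group/other, 3 if both.
ovpn_check() {
    file=$1; want="$2 $3"; findings=0
    have=$(ovpn_remote "$file")
    if [ "$have" != "$want" ]; then
        echo "STALE: remote is '$have', expected '$want'; regenerate this client" >&2
        findings=$((findings + 1))
    fi
    perms=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
    if ovpn_has_inline_key "$file" && [ "$perms" != "------" ]; then
        echo "EXPOSED: $file holds a private key, group/other bits '$perms'" >&2
        findings=$((findings + 2))
    fi
    return "$findings"
}

# Write a constructed sample profile (not real ovpn-client-print output).
make_sample() {
    cat > "$1" <<'EOF'
client
dev tun
remote nas.example.org 1194 udp
<key>
(constructed placeholder, not a real key)
</key>
EOF
}

# Demo on the constructed sample: world-readable and pointing at an old name.
demo=$(mktemp -d)
make_sample "$demo/laptop.ovpn"; chmod 644 "$demo/laptop.ovpn"
ovpn_check "$demo/laptop.ovpn" nas-new.example.org 1194 || echo "findings: $?"
rm -rf "$demo"
```

Against a real profile, call ovpn_check with /tmp/<clientname>.ovpn and the hostname and port you entered in the install wizard; a non-zero return means the file should be regenerated, or moved out of /tmp and restricted to its owner, before it is handed to the client.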

Now we just need to turn the OpenVPN Rock-on ON:-

../../_images/openvpn_on.png

It should then appear as shown in the Installed tab above.