How to install Letsencrypt Certificates on Open VPN Access Server Web Interface

In this tutorial we are going to show you how to install letsencrypt certificates on your OpenVPN Access Server’s Web Interface. This tutorial assumes you are using an ubuntu or debian based distribution.

STEP 1:

SSH into your openvpn access server in your terminal, and install certbot:

sudo apt update && sudo apt install certbot

STEP 2:

Configure your DNS A records from your registrar to point to your server’s public IP address. If you are using cloudflare, it should look like this:

STEP 3:

Run certbot and enter the answers to its questions.

sudo certbot certonly

How would you like to authenticate with the ACME CA?

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1

Enter email address (used for urgent renewal and security notices): contact@nerd-tech.net

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N


Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): vpn.yourdomain.com (ex: vpn.nerd-tech.net)
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn.nerd-tech.net
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/vpn.nerd-tech.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/vpn.nerd-tech.net/privkey.pem
    Your cert will expire on 2021-12-18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  • If you like Certbot, please consider supporting our work by: Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Now enter the following lines replacing vpn.mydomain.com with your domain prefaced with a vpn and a dot (ex: vpn.nerd-tech.net).

/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/etc/letsencrypt/live/vpn.mydomain.com/privkey.pem" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/etc/letsencrypt/live/vpn.mydomain.com/cert.pem" ConfigPut
sudo /usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/etc/letsencrypt/live/vpn.mydomain.com/chain.pem" ConfigPut
sudo /usr/local/openvpn_as/scripts/sacli start

RunStart warm None
{
“active_profile”: “Default”,
“errors”: {},
“last_restarted”: “Sun Sep 19 10:09:45 2021”,
“service_status”: {
“api”: “on”,
“auth”: “on”,
“bridge”: “on”,
“client_query”: “restarted”,
“crl”: “on”,
“daemon_pre”: “on”,
“db_push”: “on”,
“ip6tables_live”: “on”,
“ip6tables_openvpn”: “on”,
“iptables_live”: “on”,
“iptables_openvpn”: “on”,
“iptables_web”: “restarted”,
“log”: “on”,
“openvpn_0”: “on”,
“subscription”: “on”,
“user”: “on”,
“web”: “restarted”
}
}
WILL_RESTART [‘web’, ‘client’]

Now, restart your Openvpn Access Server.

sudo service openvpnas restart

Now you can browse to your new domain on port 943 (unless you changed openvpnas default web interface port).

So open your web browser and go to https://vpn.yourdomain.com:943/admin

You should see a lock icon in the top left corner of your browser, indicating that you are now using your secure letsencrypt certificates.

FINALLY, you need to log into your admin web interface, and change your hostname to the hostname you created for it.

And that is how you install letsencrypt certificates on the Openvpn Access Server Web Interface!

The best Linux tutorials on the Internet? Linuxbabe.com

I just wanted to give a heads up to users who flock to my tutorials, but are in need of advanced linux setups. I am not an expert, but just post the things that I learn as I go. Although my tutorials are relatively accurate, they are NOT for advanced users looking to really get the most out of their linux server experience. If you are looking for tutorials that have absolutely zero flaws, and are generally about setting up a proper server environment, please head to linuxbabe.com for some of the best tutorials out on the internet! Xiao, the owner of Linuxbabe.com, is a top notch pro, and really knows his stuff. So if you are trying to create an email server, a vpn server, a website, or secure your wordpress, etc. etc., then you should take my recommendation and check out Linuxbabe.com for all of your server and advanced tutorials!

How to install and update Mega command line (megacmd) on your Raspberry Pi running Ubuntu 20.04

This quick guide will teach you how to add the Mega.nz Repositroy so you can easily install and upgrade the “Megacmd” and “Megasync” apps on your Linux Distribution. This tutorial will show you how to do it specifically on Ubuntu 20.04, however, the instructions can be easily modified for any ARM based debian based distribution.

STEP 1:

Go to the Mega.nz repository at https://mega.nz/linux/MEGAsync/ in your web browser, and select the folder that pertains to your working distribution. For the Raspberry Pi (because you need the ARM version), that is going to be the Raspbian_10.0 folder located at https://mega.nz/linux/MEGAsync/Raspbian_10.0/.

Then Go to your terminal and add the Release.key file to your apt repository:

wget -qO - https://mega.nz/linux/MEGAsync/Raspbian_10.0/Release.key | sudo apt-key add -

STEP 2: Figure out your systems architecture.

Before adding mega.nz to your repository list, you first need to verfiy that you are using the 32-bit Ubuntu or Raspberry Pi OS distribution. If you are not, then you need to add the 32 bit architecture to your OS.

Verify your architecture with the following command:

dpkg --print-architecture

If the above command returns “arm64”, then proceed to the next step (STEP 2b). If the above command returns “armhf”, then you shoudl skip the next step (STEP 2b). If it returns “arm64” then you should continue with the next step (STEP 2b).

STEP 2b:

Add support for a 32-bit arm foreign architecture (armhf) with the following command:

sudo dpkg --add-architecture armhf

Verify you are now using armhf as a foreign architecture, with the following command:

dpkg --print-foreign-architectures

You should see “armhf” from this command. Now you may move on to STEP 3.

STEP 3:

Add the mega.nz repo to your apt repository by openining up your nano editor in terminal…

sudo nano /etc/apt/sources.list.d/MEGA.nz.list

then pasting the indicated code below:

# Mega.nz repo for 32bit (compatable with 64-bit) Raspberry Pi
deb [arch=armhf] https://mega.nz/linux/MEGAsync/Raspbian_10.0/ ./

Type “Control-X“, then “y“, then “Enter“, to save and quit your nano editor.

Now, update your apt list, then install mega-cmd from your newly added repository with the following command:

sudo apt update && sudo apt install megacmd

Now, whenever you run the command sudo apt update && sudo apt upgrade your “megacmd” installation will automatically update, when updates are available.

To run your newly installed mega command line application run the following command:

mega-cmd

DONE!

How to install OpenVPN 3 client on Ubuntu 20.04

Today we are going to learn how to install openvpn3 client on Ubuntu 20.04 using the command line. For those who don’t know, the client is what connects to your openvpn service provider and tunnels its connection out to your openvpn service provider.

In this tutorial we will take the following steps to complete this task:

  1. Add openvpn3 repository to your apt sources.list to get automatic updates.
  2. Install the OpenVPN3 repository signing key
  3. Install OpenVPN3
  4. Download and modify your my-openvpn-client-config-file.ovpn to work with openvpn3
  5. Create a simple yet secure and useful my-openvpn3-client-config-file.autoload file to automatically load openvpn3 at boot time and start up.
  6. Create a simple yet secure and useful my-openvpn3-client-config.file.autoload file to automatically reconnect openvpn after it unexpectedly disconnects.
  7. Enable openvpn3 permanantely to connect on boot and after any unexpected disconnects.

Lets begin.

1st,

Open open up your terminal and run the following command to add openvpn3 to your apt repository…

sudo nano /etc/apt/sources.list.d/openvpn3.list

Your nano text editor will open up and your terminal should be blank. Then you must copy and paste the following lines into your nano editor:

# OpenVPN3 Official Apt Repository for openvpn3.
deb https://swupdate.openvpn.net/community/openvpn3/repos focal main

Once you have pasted the text into your nano text editor (using the terminal), you can save and exit by typing “Control-X“, then hit “y” for the save option, then hit “Enter” to save and exit nano.

2nd,

Ensure your apt supports the https transport by installing apt-transport-https. Then install the OpenVPN3 repository signing key used by the openVPN 3 Linux packages. You can do all of this by running the following commands:

cd ~/
sudo apt install apt-transport-https && wget https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub && sudo apt-key add openvpn-repo-pkg-key.pub
rm ~/openvpn-repo-pkg-key.pub

Now, you can install your openvpn3 package with the following command:

sudo apt update && sudo apt install openvpn3

Now, navigate to /etc/openvpn3/autoload.

cd /etc/openvpn3/autoload/

Download your openvpn.ovpn configuration file from your vpn service provider and open it with a text editor. Then add the following to its configuration with each option on its own seperate line:

auth-user-pass
push-peer-info
resolv-retry infinite
persist-key
persist-tun
keepalive 10 120

Now, copy all of the text in your openvpn.ovpn file that you downloaded and edited, and paste it into a new file called “myvpn3client.conf” located in the /etc/openvpn3/autoload directory, using nano.

sudo nano /etc/openvpn3/autoload/myvpn3client.conf

Type ctrl+x, y, then Enter, to save your file.

Now, create your autoload file by openining up your nano editor with the following command:

cd /etc/openvpn3/autoload && sudo nano myvpn3client.autoload

Copy and paste the following text into the currently opened “myvpn3client.autoload” file with your nano editor.

{
   "autostart": true,
    "name": "myvpnclient",
    "acl": {
        "set-owner": "my_ubuntu_username"
    },
    "tunnel": {
        "ipv6": "no",
        "persist": true,
        "dns-fallback": "google",
        "dns-setup-disabled": false
    },
    "user-auth": {
        "username": "my_vpn_username",
        "password": "my_vpn_password"
    }
}

Fill in “my_ubuntu_username” “my_vpn_username” and “my_vpn_password” with your corresponding information. DO NOT DELETE THE QUOTES! Leave them. Your username should be the name that you registered when you set up your ubuntu installation. It should also be noted in your terminal on the left next to your computer’s hostname i.e. mrubuntu@mrubuntusdesktop.

Once you have finished filling in the blanks inside the quotes, press “control-X“, then “y” to save, and hit “Enter” to exit out of nano with a newly saved .autoload file.

Now, lets secure the permissions for your myopenvpn.conf and myopenvpn.autoload files.

sudo chmod 644 /etc/openvpn3/autoload/myvpn3client.conf && sudo chmod 644 /etc/openvpn3/autoload/myvpn3client.autoload

Now we’re ready to start your VPN. The following command will automatically connect your VPN on boot, as well as reconnect it if your internet connection drops, and restarts again. In other words, this will keep you connected to your vpn after reboot or connection failure.

Run this last command to do so:

sudo systemctl enable openvpn3-autoload.service

Now reboot and check to see if your vpn is connected by running the following command:

curl https://ipinfo.io/ip

It should show the IP Address of your vpn provider.

Next,

lets test to see if your DNS is leaking or not.

Download the dns command line dns leak test from github, and make it executable by your user by running the following command:

cd ~/ && curl https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh -o dnsleaktest.sh && chmod +x dnsleaktest.sh

Run your dnsleaktest!

./dnsleaktest.sh

After a minute or so, it should show the IP addresses of your VPN provider. If it does not, then your dns may be leaking, and the leaktest will tell you that.

THE END