Complete OpenVPN How-To here:
Click here for a very nice tutorial about OpenVPN on Debian
UFW open ports
Get running applications with their used ports
netstat -tulpen
UFW command to open ports
ufw allow 22/tcp
SSH Server
!!! The SSH port HAS TO be opened before you activate UFW, otherwise you will lock yourself out of the server !!!
22/tcp
Apache 2
80/tcp
443/tcp
Dovecot Mail Server
# Managesieve mailfilter (process name: dovecot)
4190/tcp
# POP3 (process name: dovecot)
110/tcp
995/tcp #secure
# IMAP (process name: init)
143/tcp
993/tcp #secure
# SMTP (process name: master) Postfix
25/tcp
587/tcp #secure
465/tcp #secure
TeamSpeak 3 Server
10011/tcp
30033/tcp
9987/udp
Create new VPN client certificate
First you have to prepare the server, if not already done (see also https://wiki.ubuntuusers.de/OpenVPN/).
Edit the vars file, then create the CA, the DH parameters and the server key:
source ./vars
./build-dh
./build-ca
./build-key-server server
service openvpn restart
In a terminal, go to /etc/openvpn/easy-rsa and run one of the following commands, where client1 is the name of the new client.
./build-key client1 # certificate without password
# OR
./build-key-pass client1 # certificate secured with password (PEM)
Accept both the sign and the commit prompt:
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
The new client certificates are now generated and can be copied to the client device.
You can find them in /etc/openvpn/easy-rsa/keys and you need the following files:
ca.crt # client independent
client1.crt # client certificate
client1.key # client key
client.ovpn # configuration file template
You can generate a unified ovpn configuration file that contains the CA, CRT and KEY data. To do that, take the ovpn file and replace the following lines with the content of the CA, CRT and KEY files:
# comment out the following lines using ;
;ca ca.crt
;cert client.crt
;key client.key
# add the replacement
<ca>
# paste the content of the ca.crt file here
</ca>
<cert>
# paste the content of the client1.crt file here
</cert>
<key>
# paste the content of the client1.key file here
</key>
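The manual replacement described above can be scripted. The following is an added example, not part of the original page or of easy-rsa: make_unified_ovpn is a hypothetical helper name, and the demo input (vpn.example.org, the placeholder PEM bodies) is constructed. Because the unified file embeds the client's private key, the helper writes it readable by its owner only.

```shell
#!/bin/sh
# make_unified_ovpn TEMPLATE CA CERT KEY OUT  (hypothetical helper, added example)
make_unified_ovpn() {
    template=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    # Refuse a key argument that holds no PEM private key block.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    (
        umask 077      # output embeds the private key: create it as 0600
        rm -f "$out"   # an existing file would keep its old permissions
        {
            # Comment out the file-based ca/cert/key directives with ';'.
            sed -E 's/^[[:space:]]*(ca|cert|key)[[:space:]]/;&/' "$template"
            # Inline only the PEM blocks; a .crt may carry a text dump first.
            for pair in "ca:$ca" "cert:$cert" "key:$key"; do
                tag=${pair%%:*} file=${pair#*:}
                printf '<%s>\n' "$tag"
                sed -n '/^-----BEGIN /,/^-----END /p' "$file"
                printf '</%s>\n' "$tag"
            done
        } > "$out"
    )
}

# Constructed demo input: placeholder PEM bodies, not real key material.
demo=$(mktemp -d)
printf '%s\n' 'client' 'remote vpn.example.org 1194' \
    'ca ca.crt' 'cert client.crt' 'key client.key' > "$demo/client.ovpn"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
    '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '%s\n' 'Certificate:' '    Data: text dump' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CERT' \
    '-----END CERTIFICATE-----' > "$demo/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
    '-----END PRIVATE KEY-----' > "$demo/client1.key"
make_unified_ovpn "$demo/client.ovpn" "$demo/ca.crt" "$demo/client1.crt" \
    "$demo/client1.key" "$demo/client1.ovpn" && cat "$demo/client1.ovpn"
```

On the server the inputs would be the files from /etc/openvpn/easy-rsa/keys listed above; copy the resulting file to the client over a protected channel only.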