Freedombox in LXC -- how to make OpenVPN work?

** Problem : run automatically OpenVPN at startup of a Freedombox running in a LXC container **
Currently I’m struggling to run openVPN.
After some efforts I attempt to run OpenVPN manually using the following (see misc section bellow for further info on Freedom box installation and network setup of the LXC container),
sudo openvpn /etc/openvpn/server/freedombox.conf
with
sudo ifconfig -a
I see the tun0 interface.

but It seems to have some problem while running it properly and automatically at the startup.

sudo systemctl status openvpn@freedombox.conf
● openvpn@freedombox.conf.service
Loaded: loaded (/lib/systemd/system/openvpn@.service; bad; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Thu 2021-02-18 15:33:19 UTC; 1s ago
Process: 40709 ExecStart=/usr/sbin/openvpn --daemon ovpn-freedombox.conf --status /run/openvpn/freedombox.conf.status 10 --cd /etc/o
penvpn --config /etc/openvpn/freedombox.conf.conf --writepid /run/openvpn/freedombox.conf.pid (code=exited, status=1/FAILURE)

Main PID: 40709 (code=exited, status=1/FAILURE)

and :
sudo journalctl -xe

I get some error messages :

"-- Logs begin at Thu 2021-02-18 11:28:19 UTC, end at Thu 2021-02-18 12:24:04 UTC. –
févr. 18 12:19:44 DebianBuster systemd[1]: openvpn-server(a)freedombox.service: Service RestartSec=5s expired, scheduling restart.
févr. 18 12:19:44 DebianBuster systemd[1]: openvpn-server(a)freedombox.service: Scheduled restart job, restart counter is at 587.
– Subject: Automatic restarting of a unit has been scheduled
– Defined-By: systemd
– Support: .debian.org/support
– Automatic restarting of the unit openvpn-server(a)freedombox.service has been scheduled, as the result for
– the configured Restart= setting for the unit.
févr. 18 12:19:44 DebianBuster systemd[1]: Stopped OpenVPN service for freedombox.
– Subject: A stop job for unit openvpn-server(a)freedombox.service has finished
– Defined-By: systemd
– Support: .debian.org/support
– A stop job for unit openvpn-server(a)freedombox.service has finished.
– The job identifier is 30058 and the job result is done.
févr. 18 12:19:44 DebianBuster systemd[1]: Starting OpenVPN service for freedombox…
– Subject: A start job for unit openvpn-server(a)freedombox.service has begun execution
– Defined-By: systemd
– Support: .debian.org/support
– A start job for unit openvpn-server(a)freedombox.service has begun execution.
– The job identifier is 30058.
févr. 18 12:19:44 DebianBuster openvpn[9575]: OpenVPN 2.4.7 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKT
INFO] [AEAD] built on Feb 20 2019
févr. 18 12:19:44 DebianBuster openvpn[9575]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
févr. 18 12:19:44 DebianBuster openvpn[9575]: NOTE: your local LAN uses the extremely common subnet address XXX.XXX.XXX.XXX or XXX.XXX.XXX.XXX. B
e aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that us
e the same subnet.
févr. 18 12:19:44 DebianBuster systemd[1]: Started OpenVPN service for freedombox.
– Subject: A start job for unit openvpn-server(a)freedombox.service has finished successfully
– Defined-By: systemd
– Support: .debian.org/support
– A start job for unit openvpn-server(a)freedombox.service has finished successfully.
– The job identifier is 30058.
févr. 18 12:19:44 DebianBuster openvpn[9575]: ROUTE_GATEWAY XXX.XXX.XXX.XXX/255.255.255.0 IFACE=eth0 HWADDR=YY:YY:YY:YY:YY:YY
févr. 18 12:19:44 DebianBuster openvpn[9575]: TUN/TAP device tun0 opened
févr. 18 12:19:44 DebianBuster openvpn[9575]: Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
févr. 18 12:19:44 DebianBuster openvpn[9575]: /sbin/ip link set dev tun0 up mtu 1500
févr. 18 12:19:44 DebianBuster openvpn[9575]: openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)
févr. 18 12:19:44 DebianBuster openvpn[9575]: Exiting due to fatal error
févr. 18 12:19:44 DebianBuster NetworkManager[139]: [1613650784.6154] manager: (tun0): new Tun device (/org/freedesktop/NetworkMan
ager/Devices/590)
févr. 18 12:19:44 DebianBuster systemd-udevd[9576]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writabl
e.
févr. 18 12:19:44 DebianBuster systemd-udevd[9576]: link_config: could not get ethtool features for tun0
févr. 18 12:19:44 DebianBuster systemd-udevd[9576]: Could not set offload features of tun0: No such device
févr. 18 12:19:44 DebianBuster systemd[1]: openvpn-server(a)freedombox.service: Main process exited, code=exited, st
atus=1/FAILURE
"

** Do somebody has an recipe to make it work ? **

Moreover I have some similar trouble with fail2ban which is dedicated to avoid attacks on SSH and OpenVPN. (Currently it is not a problem for me since I’m only working on my local network, but when I’ll want to make the server being reachable from a distant terminal through internet, it will be)

“-- The unit openvpn-server(a)freedombox.service has entered the ‘failed’ state with result ‘exit-code’.
févr. 18 11:28:24 DebianBuster nscd[110]: 110 monitoring file /etc/passwd (1)
févr. 18 11:28:24 DebianBuster nscd[110]: 110 monitoring directory /etc (2)
févr. 18 11:28:24 DebianBuster nscd[110]: 110 monitoring file /etc/group (3)
févr. 18 11:28:24 DebianBuster nscd[110]: 110 monitoring directory /etc (2)”

** Misc : installing Freedombox in a LXC **
Before being lock on the OpenVPN configuration problem, I followed these steps to make a LXC Freedombox.
My machine is a Raspberry Pi 4 4Go.
I flashed the SDcard using the Imager app provided by ubuntu and installed a ubuntu server.
After it succeeded the following is done via a SSH connection.

  • Installation of LXD/LXC

sudo apt-get install lxd
sudo lxd init # use the default options for LXD configuration
sudo apt-get install lxc-utils # LXC container management tool

Creation of a LXC container based on DebianBuster

sudo lxc launch images:debian/buster DebianBuster
sudo newgrp lxd
sudo usermod -aG lxd $(whoami)

Confirm it by executing (then reeboot the machin)
/snap/bin/lxc query --wait -X GET /1

Configure LXC network so that it can have access to your local network

lxc profile device remove default eth0
lxc profile device add default eth0 nic nictype=macvlan parent=eth0 name=eth0

In order to install FreedomBox in the DebianBuster LXC container

lxc exec DebianBuster – /bin/bash
apt-get update
apt-get install freedombox
apt-get install net-tools
apt-get install ethtool
apt-get install openvpn network-manager-openvpn # this I did after an unsuccesfull attempt of installing OpenVPN from Freedombox’s interface
apt-get install bridge-utils
apt-get install nano

lxc list # will show the IP adress of your DebianBuster container on the local network, you can try to access to the PLINTH’s interface of the Freedombox with your web browser. Actually for me, it works.

As one of the first problem with LXC Freedombox and OpenVPN is the fail of creating a TUN interface, I did the following to enable LXC to support the TUN interface

sudo lxc stop DebianBuster
cd /etc/lxc
sudo nano default.conf

on the RBpi, add the following lines to default.conf (without “”) :
“lxc.cgroup.devices.allow = c 10:200 rwm”,
“lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file”
Save “ctrl+o”, then exit “ctrl+x”

lxc config device add DebianBuster tun unix-char path=/dev/net/tun
note : it applies to all LXC containers, if there is a better alternative let me know

Now restart the DebianBuster LXC container and continue the configuration of the TUN interface inside

sudo lxc start DebianBuster
lxc exec DebianBuster – /bin/bash
mknod /dev/net/tun c 10 200

Then modify the openvpn config file :
nano /lib/systemd/system/openvpn@.service

by commenting (#) the line LimitNPROC=10 Save “ctrl+o”, then exit “ctrl+x”

^next modify rc.local

sudo nano /etc/rc.local

by adding the following lines :
" if ! [ -c /dev/net/tun ]; then
mkdir -p /dev/net
mknod -m 666 /dev/net/tun c 10 200
fi"

Then, I’m stuck as explained on the top of the post.
thanks for your help!

\\\\\\\\THE REVENGE \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
First I removed several packages, including FreedomBox from DebianBuster
I followed an exemple where the certification authority is on another machine than where the OpenVPN is.Here I use an other LXC container,
lets call it “CertifBuster” or “198.168.1.19”
Then I reinstalled the OpenVPN server on DebianBuster.
This follows the last post starting from ** Misc : installing Freedombox in a LXC **
For installing OpenVPN,I followed the process explained in this document How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04 | DigitalOcean ; I took other sources when in order to solve the numerous problems that occured.
I’m not a professionnal of the domain, I just modestly gathered everething that skilled people did. Thanks for their explanations and pedagogy.

#~…Certification Authority : CertifBuster

I used the graphic interface LXDUI on the host RaspberryHostDebianBased, to clone DebianBuster and male another container “CertifBuster”

on the host :

lxc start CertifBuster
lxc exec CertifBuster – /bin/bash
passwd root
adduser Ramon
apt-get install sudo
usermod -aG sudo Ramon
apt-get install openssh-server openssh-client
sudo apt install easy-rsa
sudo apt install nano
sudo apt-get install ufw
sudo apt-get install rsync

ufw allow openssh

exit

lxc list # → note the IP adress from CertifBuster

from my on the local network (192.168.1.12), I can connect the RaspberryHostDebianBased (192.168.1.16), the LXC container DebianBuster (192.168.1.17) and CertifBuster (192.168.1.19)

ssh Ramon[at]192.168.1.19

public key infrastructure creation

mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 /home/Ramon/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki

Certification Authoritie creation

in ~/easy-rsa

nano vars

#Input the identification data :

set_var EASYRSA_REQ_COUNTRY “ZZ”
set_var EASYRSA_REQ_PROVINCE “ANiceCountry”
set_var EASYRSA_REQ_CITY “BeautifullCity”
set_var EASYRSA_REQ_ORG “RamonTumorapa.PTE-LTD”
set_var EASYRSA_REQ_EMAIL “Ramon.Tumorapa[at]fakemail.zzz”
set_var EASYRSA_REQ_OU “SignedByRamonTumorapaOnlyMasterOnBoardAfterGod”
export KEY_ALTNAMES=“EasyRSA”

building the certification authority :

./easyrsa build-ca

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CertifBuster

succes :-).

2 important files :

~/easy-rsa/pki/ca.crt : CA’s public certificate file

~/easy-rsa/pki/private/ca.key : is the private key that the CA uses to sign certificates for servers and clients.

Copy of the public key in an encrypted folder on

scp Ramon[at]192.168.1.19:/home/Ramon/easy-rsa/pki/ca.crt /media/veracrypt1/

then the key is transfered on le DebianBuster

scp /media/veracrypt1/ca.crt Ramon[at]DebianBuster:/home/Ramon/easy-rsa/pki/ca.crt
scp /media/veracrypt1/CertifBuster\ (authorité\ de\ certification)/ca.crt Ramon[at]DebianBuster:/tmp

I have to do in two shots since with the LXD’s MACVLAN option 192.168.1.16 , 192.168.1.17 and 192.168.1.19 can’t communicate each other

then inside DebianBuster

sudo mv /tmp/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

comment : If knew before I would have considered the LXC “virtual machine” instead of LXC container in order to keep everything in an encrypted

file system. LXC virtual machine seems to work on Raspberry Pi 4 using Qemu, but it is recent and currently in development

#~… Back to LXC DebianBuster container : Focus on the installing the OpenVPN

As said, I removed the Freedom Box Package from the container. I want to focus on OpenVPN until it works. Then I’ll backup the container, clone it and install Freedombox in order to see if it performs better.

from Ramon[at]RaspberryHostDebianBased$

lxc exec DebianBuster – /bin/bash
apt-get update
apt-get install openssh-server openssh-client
sudo apt-get install rsync
sudo apt-get install ufw
apt-get install net-tools
apt-get install ethtool
apt-get install bridge-utils
apt-get install nano
apt-get install openvpn network-manager-openvpn
sudo apt install easy-rsa

sudo ufw allow openssh

ssh connection to DebianBuster then create a folder on OpenVPN as non root user : ~/easy-rsa

mkdir ~/easy-rsa

Make a symbolic link between the easy-rsa folder and the above folder

ln -s /usr/share/easy-rsa/* ~/easy-rsa/

Access restriction of ~/easy-rsa on Ramon to sudo

sudo chown Ramon ~/easy-rsa
chmod 700 ~/easy-rsa

build of the Public Key Infrastructure, use

nano vars

for adding the following lines


set_var EASYRSA_ALGO “ec”
set_var EASYRSA_DIGEST “sha512”

then initialize the Public Key Infrastructure

./easyrsa init-pki

Issue a certificate anfd private key request for the OpenVPN server

cd ~/easy-rsa/
./easyrsa gen-req DebianBuster nopass

Common Name (eg: your user, host, or server name) [DebianBuster]:Ramon_at_DebianBuster

sudo cp /home/Ramon/easy-rsa/pki/private/DebianBuster.key /etc/openvpn/server/

From MyLaptop : export the certificate request to the Certification Autority “CertifBuster”

scp Ramon[at]DebianBuster:/home/Ramon/easy-rsa/pki/reqs/DebianBuster.req /media/veracrypt1/DebianBuster
scp /media/veracrypt1/DebianBuster/DebianBuster.req Ramon[at]192.168.1.19:/tmp

On CertifBuster : import the certification request

cd ~/easy-rsa/
./easyrsa import-req /tmp/DebianBuster.req DebianBuster

validation of the request using “sign-req”, note as second can be either “server” or “client” in this case it is “server”

./easyrsa sign-req server DebianBuster

copie vers DebianBuster, en deux temps :

# Ramon[at]CertifBuster : 

scp /home/Ramon/easy-rsa/pki/issued/DebianBuster.crt Ramon[at]192.168.1.12:/media/veracrypt1/DebianBuster/
# Ramon[at]MyLaptop :
scp /media/veracrypt1/DebianBuster/DebianBuster.crt Ramon[at]DebianBuster:/tmp
scp Ramon[at]192.168.1.19:/home/Ramon/easy-rsa/pki/ca.crt /media/veracrypt1/DebianBuster/
scp /media/veracrypt1/DebianBuster/ca.crt Ramon[at]DebianBuster:/tmp

on DebianBuster

sudo mv /tmp/DebianBuster.crt /etc/openvpn/server
sudo mv /tmp/ca.crt /etc/openvpn/server

Configuration of cryptographic material for OpenVPN. An additionnal security level can be added using a tls secret key (OpenVPN tls-crypt).

tls-crypt pre-shared key generation :

cd ~/easy-rsa
sudo openvpn --genkey --secret ta.key
sudo cp ta.key /etc/openvpn/server

Generation of the clients’ pairs of certificates and keys, on the OpenVPN server via SSH on DebianBuster

build a public key infrastructure on the OpenVPN server in order to store the client’s certificates and public keys

mkdir -p ~/client-configs/keys
mkdir -p ~/client-configs/keys

Key generation for MyLaptop

cd ~/easy-rsa

[*>]

./easyrsa gen-req MyLaptop nopass
# options :
# Common Name : Ramon[at]MyLaptop

→ this step can be iterated for all users or clients to connect to your OpenVPN server [<*]

copy of the private keys in the right folder

cp /home/Ramon/easy-rsa/pki/private/*.key ~/client-configs/keys/

transfert of the signature request to CertifBuster from MyLaptop, (Two shots because of MACVLAN)

Ramon[at]MyLaptop

scp Ramon[at]DebianBuster:/home/Ramon/easy-rsa/pki/reqs/.req /media/veracrypt1/Clients
scp /media/veracrypt1/Clients/
.req Ramon[at]192.168.1.19:/tmp

On the certification authority :

Ramon[at]CertifBuster

cd ~/easy-rsa
./easyrsa import-req /tmp/MyLaptop.req MyLaptop
.
. {…} All your clients or users keys
.
./easyrsa import-req /tmp/LastTerm.req LastTerm

# signature of each certificate

./easyrsa sign-req client MyLaptop
{…}

transfer back all signed certificates back to DebianBuster

Ramon[at]MyLaptop:~$

scp Ramon[at]192.168.1.19:/home/Ramon/easy-rsa/pki/issued/.crt /media/veracrypt1/Clients/
scp /media/veracrypt1/Clients/
.crt Ramon[at]DebianBuster:/tmp

copie all signed certificates in their respective folders

mv /tmp/.crt ~/client-configs/keys/
cp ~/easy-rsa/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
sudo chown Ramon.Ramon ~/client-configs/keys/

Check that ca.crt (the certificate of the certification authority), DebianBuster.key (the private key of the OpenVPN server), the ta.key are located in the folder /etc/openvpn/server

otherwise locate them and copy them in this folder. (They might remain in ~/client-configs/keys/ with the last operations)

sudo cp ca.crt /etc/openvpn/server
sudo mv DebianBuster.key /etc/openvpn/server
sudo cp ta.key /etc/openvpn/server

Reduce the acces privileges to the cryptographic files

sudo chmod 640 * # rw pour su & sudo, r pour usr
sudo chmod 600 *.key

Now the Certification Authority can be stop from RaspberryHostDebianBased

LXC stop CertifBuster

OpenVPN’s configuration

The configuration file is adapted from the given “server.conf” exemple

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
sudo gunzip /etc/openvpn/server/server.conf.gz
sudo mv /etc/openvpn/server/server.conf /etc/openvpn/server/DebianBuster.conf
sudo nano /etc/openvpn/server/DebianBuster.conf

# Edition of the configuration's script DebianBuster.conf
	# Some options will be changed :
local 192.168.1.17
# beware to input the absolute paths to the certificates
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/DebianBuster.crt
key /etc/openvpn/server/DebianBuster.key  # This file should be kept secret
tls-crypt /etc/openvpn/server/ta.key  # This file should be kept secret
dh none
topology subnet
client-to-client
# comment the following line "; tls-auth ta.key 0 # This file is secret" and replace it by 	
tls-crypt /etc/openvpn/server/ta.key
# comment the following line "; cipher AES-256-CBC" and replace it by 	
cipher AES-256-GCM
auth SHA256
# uncomment 
user nobody
group nogroup
# then save [ctrl]+[o] and exit [ctrl]+[x]

tune the network configuration of the OpenVPN server

sudo nano /etc/sysctl.conf
# on active lignes :
net.ipv4.ip_forward = 1

sudo sysctl -p # update and activate the modifications

Firewall config

sudo nano /etc/ufw/before.rules

# insert the following lines in the before.rules file
"
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
"
# then save [ctrl]+[o] and exit [ctrl]+[x]

sudo nano /etc/default/ufw
# insert the following lines

DEFAULT_FORWARD_POLICY=“ACCEPT”

# then save [ctrl]+[o] and exit [ctrl]+[x]

Add firewall rules :

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH

reload UFW with the updated parameters

sudo ufw disable
sudo ufw enable

In case ssh would be blocked log on RaspberryHostDebianBased then open a shell the uing the command “lxc exec DebianBuster – /bin/bash” the “ufw disable”

Next let’s modify the files required for launching OpenVPN at Startup.

sudo nano /etc/default/openvpn
# add the line
AUTOSTART=“DebianBuster”

then save [ctrl]+[o] and exit [ctrl]+[x]

sudo nano /etc/init.d/openvpn
# replace “CONFIG_DIR=/etc/openvpn”
# par
CONFIG_DIR=/etc/openvpn/server

then save [ctrl]+[o] and exit [ctrl]+[x]

sudo nano /lib/systemd/system/openvpn[at].service
# modify the working directory to the one where the DebianBuster.conf is located
WorkingDirectory=/etc/openvpn/server

then save [ctrl]+[o] and exit [ctrl]+[x]

#[*>]-----------------specific to the use of OpenVPN in a LXC container/related to LXD config ---------------------------#

Edit each of the following systemctl files related to openvpn-server by adding the following lines :

[Service]

LimitNPROC=infinity

sudo systemctl edit openvpn-server[at].service
sudo systemctl edit openvpn-client[at].service
sudo systemctl edit openvpn[at].service

sudo systemctl edit openvpn-server[at]DebianBuster.service
sudo systemctl edit openvpn[at]DebianBuster.service
sudo systemctl edit openvpn-client[at]DebianBuster.service
#-----------------specific to the use of OpenVPN in a LXC container/related to LXD config --------------------------[<*]#

next have a try for running the OpenVPN server

sudo systemctl -f enable openvpn-server[at]DebianBuster.service
sudo systemctl start openvpn-server[at]DebianBuster.service
sudo systemctl status openvpn-server[at]DebianBuster.service

At the present time, I still don’t know whether connecting clients to the OpenVPN inside the LXC container will be a success,

but for sure, it’s begining to be likely.

#======================= Client’s configuration infrastructure ================================================================

Each client can have its own configuration. Instead of writting each config file, the tutorial that I followed propose a process where config files are generated with a script

Building of a client configuration infrastructure.

mkdir -p ~/client-configs/files

It starts by adapting the template client’s config file to the server’s parameter

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
nano ~/client-configs/base.conf
# instructions are adapted accordingly with the server’s config file :
remote 192.168.1.17 1194
proto udp
user nobody
group nogroup
# comment the following lines since these will be provided to the client with the config file
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1 # ta.key will be provided to the client with the config file
cipher AES-256-GCM
auth SHA256
key-direction 1
# for clients using resolvconf
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
# for clients using systemd-resolved
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE

to know more about the script, look at the tutorial cited in reference above

nano ~/client-configs/make_config.sh
sudo chmod 700 ~/client-configs/make_config.sh

execution of the script to generate a client’s config file

cd ~/client-configs
./ClientLocal_make_config.sh MyLaptop

copy the configuration to the client computer MyLaptop

scp ~/client-configs/files/MyLaptop.ovpn ramon@MyLaptop:/home/ramon/
# on MyLaptop 
sudo apt update
sudo apt install openvpn

# do MyLaptop uses resolved.conf ?
cat /etc/resolv.conf
# nameserver 127.0.0.1 different from 127.0.0.53 --> My Laptop don't use resolved-conf
ls /etc/openvpn
# --> but instead it uses update-resolv-conf . Need to adapt the client's configuration file.
nano ~/client1.ovpn

	# for clients  using systemd-resolved (un comment the following lines)
	script-security 2
	up /etc/openvpn/update-resolv-conf
	down /etc/openvpn/update-resolv-conf

# Now we try to connect to the Openvpn server From MyLaptop
ramon@MyLaptop:~$ sudo openvpn --config MyLaptop.ovpn
#--> connection success !

# On the RaspberryHostDebianBased, we clone DebianBuster :
# and backup it in a tar.gz file
cd ~
cd Documents/
mkdir LXC
cd LXC
lxc publish DebianBuster --alias=BaseOpenVPN --force
lxc image export BaseOpenVPN
# the file is created in the current folder /home/ramon/Documents/LXC
# it is then renemaed BaseOpenVPN.tar.gz
# The container can be reinstalles using : lxc image import BaseOpenVPN.tar.gz	

~~~~~~~~~~ Installation of the Freedombox package  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo apt-get install apt-utils
sudo apt-get install freedombox
# modify the firewall configuration
sudo ufw disable
	# in order to let MyLaptop acces to the Freedombox's web interface
sudo ufw allow 443/tcp
# reload UFW with the new parameters
sudo ufw disable
sudo ufw enable
sudo ufw status
# Now we can access to the Freedombox on the local network with our web-browser at the adress 198.168.1.17 (depends of your system)

~~~~~~ Hacking the Freedombox in order to connect to connect the OpenVPN server with the certificates generated by CertifBuster ~~~~~~~~~~~~~~~~~
# From MyLaptop, we reinstall OpenVPN from Freedombox  
# On RaspberryHostDebianBased, reboot DebianBuster
Ramon@RaspberryHostDebianBased:~/Documents/LXC$ lxc exec DebianBuster -- /bin/bash
	root@DebianBuster:~# reboot
# On DebianBuster :
# Ramon@DebianBuster:
cd /etc/openvpn/server

# Backup of the Freedombox OpenVPN-server's config file
sudo cp freedombox.conf freedombox.conf.bck 
# Now replace freedombox.conf by the DebianBuster.conf
sudo mv DebianBuster.conf freedombox.conf
sudo reboot
# From MyLaptop's web browser on the local network https://192.168.1.17/plinth/
# it can be check by browsing the OpenVPN App that the server is active.

# From MyLaptop :
Ramon@MyLaptop:~$ sudo openvpn --config MyLaptop.ovpn
# Connection success to TUN0 !

# the VPN tunnel is open, 
Ramon@MyLaptop:~$ ssh ramon@10.8.1.1 # connection succes to DebianBuster
Ramon@DebianBuster:~$ ssh ramon@10.8.1.2 # reverse connection succes to MyLaptop

# In order to add new clients, it will be necessary to use the "manual" method of above , instead of using the freedombox interface https://192.168.1.17/plinth/?selected=openvpn
# 

~~~~~~~~~~ conclusion for Freedom Box Project  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* It is possible to run an OpenVPn server on a Freedombox set up in a LXC container on a Raspberry Pi 4 4Go and manage the cryptographic stuff
in an independant container.

* Check the startup scripts : 
    /etc/default/openvpn 
    /etc/init.d/openvpn
	/lib/systemd/system/openvpn[at].service
so that they enable the input of the right address for the openvpn configuration script /etc/openvpn/server/freedombox.conf 

* Check that /etc/openvpn/server/freedombox.conf provide the right addresses for the certificates and keys. Providing their absolute path might fix the problem that I encountered.

* LXC allow to separate the Certification Authority from the openvpn server. This might increase the security of the system. Moreover with the possibility to handle LXC virutal machines, running the Certification Autority in a virtual machine using an encrypted file system might provide an additionnal layer of security. The certification authority can be used only while needed, using LXC start/stop, reducing the vulnerability.

* The use of LXC with Freedombox may help to make containers with the degree of privacy wanted by the user, by exemple :
	- a trusted level for the backup of the files, 
	- a "shared" level for communicating between the colleagues/partners for small businesses or individual enterpreneurs using ejabberd, jitsi ...
	- a "public" level where the small businesses or individual enterpreneurs can interact with the customers, show their web site.
It would be very cool if the Freedombox project could developp its web interface for that purpose.

* Freedombox team could add an option in the plinth interface to enable the user to customize the OpenVPN config files for both clients and server. By example by providing the templates of theses files and allow the user to manage these templates accordingly.

There is something that I don’t catch is that I’m not able to browse the Freedombox plinth interface from my web browser when I input the 10.8.1.1 adress.
Is there a special configuration of the webbrowser to do or do the problem has to be solved on the side of OpenVPn (client or server) ?

Thanks !

Note : the default client template config file provided by freedombox doesn’t work. I Think it lacks at least the lines related the way related to the DNS

for clients using resolvconf

; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf

for clients using systemd-resolved

; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE

It would be a big improvement if the user could tune theses config files for both server and client from the Plinth interface :slight_smile:

//////////// Access to the Plinth Interface of the FreedomBox inside the VPN /////////////////////////////////

to browse the Freedombox interface inside the VPN Tunnel, the web browser needs to now,where to find the web server.

So it need to a DNS to help him to find the location.

Connect the freedombox from the local network with the web-browser, log-in

Go to the menu “System”>“BIND”,in order to setup a Domain Name Server on the FreedomBox

That’s it ! If the VPN network’s adress (10.8.1.1) is input in the adress bar of the web browser,

It can reach the FreedomBox’s web interface.

It seem’s to start to work, toward being a fully functional server. :slight_smile: