For some time I’ve been limited to SSH for remote access. I have had no complaints, especially considering how easy it is to open a dynamic socks 5 proxy.
However, recently I have started to run into its limitations, especially where browser support is concerned for applications like iLo.
To get around this I decided to set up a VPN. Now usually I would set up something like that either on a UTM system or firewall/router. Unfortunately I am still using my ISP’s router and it is rather limited in its capabilities. I decided it would be easiest to set up the VPN on my hypervisor and forward the required ports.
After a fair bit of research I decided to go for OpenVPN and was fairly pleased with this decision when I found that they provide a deployable appliance. Unfortunately the appliance is made available for VMware via an OVA template and for Hyper-V via a VHD, neither of which can be directly deployed on Proxmox.
However after some reading I found that it was rather easy to deploy an OVF on KVM. This was done as follows:
Firstly download the OVA template and extract it with tar -xvf. You will find it contains several files.
The OVA file contains the instructions for the virtual hardware that the machine will have while the VMDK is the virtual machine disk. Proxmox can actually use the VMDK format, albeit with some limitations. I decided however to convert it to my preferred format of QCow2.
I copied the VMDK to a directory on the Proxmox hypervisor using WinSCP but feel free to use your tool of choice. I then read through the OVF file which is fairly human readable and built a virtual machine in Proxmox as similarly as possible, in my case selecting VMDK as the virtual disk format.
I then ssh’d into Proxmox (as I find the web browser shell rather limiting) and copied the OpenVPN VMDK over the newly created one as follows: (Note the path may be different in your case)
Back in the Proxmox web GUI it is rather easy to use the move tool to convert a VMDK disk to QCow2 on the same storage. This can also be done in the command line as documented here.
From there it was a simple case of starting the virtual machine and configuring the VPN as documented here.
Now the problem with virtual appliances is that after being packaged they are rarely updated until the next release meaning that my nice new OpenVPN server that I need to open to the internet is probably missing security updates. After a quick nose around the file system I quickly found from /etc/lsb-release That the operating system packaged in the OpenVPN appliance was Ubuntu 14.04.3 LTS.
To update it I simply ran the usual:
A quick reboot later and I was ready to finish off the configuration the VPN in the webgui and set up the port forwarding. The webgui is fairly self explanatory and is well documented on the OpenVPN website.
Just to add an extra layer of security I also enabled multi factor authentication which is now a single check box in openvpn.
All in all I’m rather pleased with this solution and have been using it rather heavily over the past few days.
EDIT: Since I initially wrote this I have found that simply updating the VM from the repositories does not actually update the OpenVPN access server software package.
To do this you have to do the following:
Go to the OpenVPN website and find the latest release HERE. Download and install the latest release for Ubuntu 14 amx/x86 64-bit on your OpenVPN VM:
(in my case)
This is documented HERE.
I would also recommend setting TLS 1.0 as your minimum accepted protocol in the SSL options as SSL 3 and below have known vulnerabilities.