OpenVPN Access Server Installation

This note was created on 4/23/2023
This note was last edited on 4/23/2023

=== Server Configuration ===

0. Connect to the server:
> ssh root@X.X.X.X -i /path/to/sshkey

1. Change hostname:
> hostnamectl set-hostname openvpnas

2. Fix hostname in "/etc/hosts".

3. Reboot.

4. Configure user:
> adduser ovpn
> adduser ovpn sudo

5. Set password for root:
> passwd root

6. Reboot.

7. Configure SSH key for non-root user:
> ssh-copy-id -i /path/to/sshkey ovpn@X.X.X.X

8. Configure SSH config:
> nano /etc/ssh/sshd_config
~~~
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
~~~

9. Restart ssh server:
> systemctl restart sshd.service

10. Install FirewallD:
> apt install firewalld
> systemctl enable firewalld

11. Configure FirewallD:
> firewall-cmd --remove-service=dhcpv6-client --permanent
> firewall-cmd --add-port=943/tcp --permanent
> firewall-cmd --add-port=44123/udp --permanent
> firewall-cmd --add-masquerade --permanent

12. Restart FirewallD:
> systemctl restart firewalld

13. Check result:
> firewall-cmd --list-all

14. Install Pip:
> apt install python3-pip

15. Install service-identity:
> python3 -m pip install service-identity

16. Install OpenVPN Access Server:
> apt update && apt -y install ca-certificates wget net-tools gnupg
> wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repository.asc
> echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/as-repository.asc] http://as-repository.openvpn.net/as/debian bullseye main">/etc/apt/sources.list.d/openvpn-as-repo.list
> apt update && apt -y install openvpn-as

17. Continue configuring OpenVPN AS via the web interface according to your needs.

=== Disable logging ===

OpenVPN AS uses a log file and a log DB:
- "/var/log/openvpnas.log"
- "/usr/local/openvpn_as/etc/db/log.db"

Here's how to clean them securely and stop logging:

0. Stop the server:
> systemctl stop openvpnas.service

1. Update config file:
> nano /usr/local/openvpn_as/etc/as.conf
~~~
--- # log DB
--- log_db=sqlite:///~/db/log.db
+++ # log DB
+++ log_db=/dev/null
~~~

2. Shred the DB and create an empty one (just in case you'll need it):
> shred -vfuz /usr/local/openvpn_as/etc/db/log.db
> touch /usr/local/openvpn_as/etc/db/log.db
> chmod 600 /usr/local/openvpn_as/etc/db/log.db

3. Disable logging to the log file:
> systemctl edit --full openvpnas.service
~~~
--- ExecStart=/usr/local/openvpn_as/scripts/openvpnas --nodaemon --logfile=/var/log/openvpnas.log --pidfile=
+++ ExecStart=/usr/local/openvpn_as/scripts/openvpnas --nodaemon --logfile=/dev/null --pidfile=
~~~

4. Shred the log file(s) and create an empty one (just in case you'll need it):
> shred -vfuz /var/log/openvpnas.*
> touch /var/log/openvpnas.log
> chmod 644 /var/log/openvpnas.log

5. Start server:
> systemctl start openvpnas.service

6. Confirm that both the log file and the log DB are empty:
> ls -lah /var/log/openvpnas.*
> ls -lah /usr/local/openvpn_as/etc/db/log.db

7. Done!
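A verification script for the two procedures above, added here as an example and not part of the original note: it re-checks the sshd_config directives from step 8, the as.conf log_db target from the logging section, and that the recreated log files are empty (step 6). File paths are passed as arguments so it can be run against copies; the sample files at the bottom are constructed inline.

```sh
#!/bin/sh
# Added example: verify the hardening state the note's steps produce.

# check_sshd_config FILE: sshd uses the first occurrence of each keyword,
# so that occurrence is compared against the value the note sets.
# (Directives inside Match blocks are not handled.)
check_sshd_config() {
  file=$1; rc=0
  for pair in "PermitRootLogin no" "PubkeyAuthentication yes" \
              "PasswordAuthentication no" "PermitEmptyPasswords no" \
              "X11Forwarding no"; do
    key=${pair%% *}; want=${pair#* }
    got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    if [ "$got" != "$want" ]; then
      echo "$key: expected '$want', got '${got:-unset}'"; rc=1
    fi
  done
  return $rc
}

# check_log_db FILE: true only if the last "log_db=" line in as.conf points
# at /dev/null, i.e. the log DB has been disabled as in the note.
check_log_db() {
  awk -F= '$1 == "log_db" { v = $2 }
           END { if (v == "/dev/null") exit 0; exit 1 }' "$1"
}

# check_empty_file FILE: true if the file exists and has size zero.
check_empty_file() {
  [ -f "$1" ] && [ ! -s "$1" ]
}

# Constructed sample inputs so the script demonstrates itself without a server.
demo_dir=$(mktemp -d)
printf 'PermitRootLogin no\nPubkeyAuthentication yes\nPasswordAuthentication no\nPermitEmptyPasswords no\nX11Forwarding no\n' > "$demo_dir/sshd_config"
printf '# log DB\nlog_db=/dev/null\n' > "$demo_dir/as.conf"
: > "$demo_dir/openvpnas.log"

check_sshd_config "$demo_dir/sshd_config" && echo "sshd_config: ok"
check_log_db "$demo_dir/as.conf" && echo "as.conf log_db: ok"
check_empty_file "$demo_dir/openvpnas.log" && echo "log file empty: ok"
rm -rf "$demo_dir"
```

On a real host, point the three checks at /etc/ssh/sshd_config, /usr/local/openvpn_as/etc/as.conf and the two log paths from the note.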