OpenVPN Access Server Installation

This note was created on 2023-04-23
This note was last edited on 2023-04-23

=== Server Configuration ===

0. Connect to the server:

   $ ssh root@X.X.X.X -i /path/to/sshkey

1. Change hostname:

   # hostnamectl set-hostname openvpnas

2. Fix hostname in "/etc/hosts".

3. Reboot.

4. Configure user:

   # adduser ovpn
   # adduser ovpn sudo

5. Set password for root:

   # passwd root

6. Reboot.

7. Install the SSH key for the non-root user:

   $ ssh-copy-id -i /path/to/sshkey ovpn@X.X.X.X

8. Configure SSH config:

   # nano /etc/ssh/sshd_config

~~~
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
~~~

9. Restart ssh server:

   # systemctl restart sshd.service

10. Install FirewallD:

   # apt install firewalld
   # systemctl enable firewalld

11. Configure FirewallD:

   # firewall-cmd --remove-service=dhcpv6-client --permanent
   # firewall-cmd --add-port=943/tcp --permanent
   # firewall-cmd --add-port=44123/udp --permanent
   # firewall-cmd --add-masquerade --permanent

12. Restart FirewallD:

   # systemctl restart firewalld

13. Check result:

   # firewall-cmd --list-all

14. Install Pip:

   # apt install python3-pip

15. Install service-identity:

   $ python3 -m pip install service-identity

16. Install OpenVPN Access Server:

   # apt update && apt -y install ca-certificates wget net-tools gnupg
   # wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repository.asc
   # echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/as-repository.asc] http://as-repository.openvpn.net/as/debian bullseye main">/etc/apt/sources.list.d/openvpn-as-repo.list
   # apt update && apt -y install openvpn-as

17. Continue configuring OpenVPN AS via the web interface according to your needs.

=== Disable logging ===

There are a log file and a log DB used by OpenVPN AS:

- "/var/log/openvpnas.log"
- "/usr/local/openvpn_as/etc/db/log.db"

Here's how to clean them securely and stop logging:

0. Stop the server:

   # systemctl stop openvpnas.service

1. Update config file:

   # nano /usr/local/openvpn_as/etc/as.conf

~~~
--- # log DB
--- log_db=sqlite:///~/db/log.db
+++ # log DB
+++ log_db=/dev/null
~~~

2. Shred the DB and create an empty one (just in case you'll need it):

   # shred -vfuz /usr/local/openvpn_as/etc/db/log.db
   # touch /usr/local/openvpn_as/etc/db/log.db
   # chmod 600 /usr/local/openvpn_as/etc/db/log.db

   Note that shred only overwrites reliably on filesystems that write data in place; on journaled, copy-on-write or SSD-backed storage the old blocks may survive the overwrite.

3. Disable logging to log file:

   # systemctl edit --full openvpnas.service

~~~
--- ExecStart=/usr/local/openvpn_as/scripts/openvpnas --nodaemon --logfile=/var/log/openvpnas.log --pidfile=
+++ ExecStart=/usr/local/openvpn_as/scripts/openvpnas --nodaemon --logfile=/dev/null --pidfile=
~~~

4. Shred the log file(s) and create an empty one (just in case you'll need it):

   # shred -vfuz /var/log/openvpnas.*
   # touch /var/log/openvpnas.log
   # chmod 644 /var/log/openvpnas.log

5. Start server:

   # systemctl start openvpnas.service

6. Confirm that both the log file and the log DB are empty:

   $ ls -lah /var/log/openvpnas.*
   $ ls -lah /usr/local/openvpn_as/etc/db/log.db

7. Done!
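A read-only post-install check for the settings applied in both sections above, added here as an example (it is not part of this note or of OpenVPN AS). It assumes the file paths and the openvpnas.service unit named in the note; the script name check_ovpn.sh and the --live flag are hypothetical, and each function takes a file path so it can also run against copies of the files.

```shell
#!/bin/sh
# Verifies the sshd_config hardening and the two "Disable logging" changes.
# Every check prints what is wrong on stderr and returns 1 on the first mismatch.

# sshd uses the first uncommented occurrence of a keyword, so that is what is
# compared. A keyword that is missing entirely also fails: for example,
# PasswordAuthentication defaults to "yes" when it is not set at all.
check_sshd_config() {
    for kv in "PermitRootLogin no" "PubkeyAuthentication yes" \
              "PasswordAuthentication no" "PermitEmptyPasswords no" \
              "X11Forwarding no"; do
        key=${kv%% *}; want=${kv#* }
        got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$1")
        [ "$got" = "$want" ] ||
            { echo "sshd_config: $key is '${got:-unset}', want '$want'" >&2; return 1; }
    done
}

# as.conf: the log DB must point at /dev/null (step 1 of "Disable logging").
check_as_conf() {
    got=$(awk -F= '$1 == "log_db" { print $2; exit }' "$1")
    [ "$got" = "/dev/null" ] || { echo "as.conf: log_db is '${got:-unset}'" >&2; return 1; }
}

# Unit text ($1 may be "-" for stdin): ExecStart must log to /dev/null (step 3).
check_unit() {
    grep -Eq '^ExecStart=.*[[:space:]]--logfile=/dev/null([[:space:]]|$)' "$1" ||
        { echo "unit: ExecStart still writes a log file" >&2; return 1; }
}

# Each path given must be absent or an empty file (step 6 of "Disable logging").
check_empty_logs() {
    for p in "$@"; do
        [ -s "$p" ] && { echo "$p is not empty" >&2; return 1; }
    done
    return 0
}

# Live run on the server from this note (root is needed to read sshd_config):
#   sh check_ovpn.sh --live          (hypothetical script name and flag)
if [ "${1:-}" = "--live" ]; then
    check_sshd_config /etc/ssh/sshd_config &&
    check_as_conf /usr/local/openvpn_as/etc/as.conf &&
    systemctl cat openvpnas.service | check_unit - &&
    check_empty_logs /var/log/openvpnas.* /usr/local/openvpn_as/etc/db/log.db &&
    echo "all checks passed"
fi
```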