- Create AWS VPC (Virtual Private Cloud)
  - name: `main`
  - IPv4 CIDR block: `10.0.0.0/16`
- Create AWS Internet Gateway
  - name: `igw`
- Attach Internet Gateway to AWS VPC
- Create public subnet
  - name: `public`
  - IPv4 CIDR block: `10.0.0.0/22`; it gives you 1,024 IP addresses, with the last IP 10.0.3.255 (AWS reserves the first four and the last address of every subnet, so 1,019 of them are assignable)
- Create `public` route table with default route (`0.0.0.0/0`) to the internet gateway
- Attach `public` route table to the public subnet
- Allocate Elastic IP address for NAT
  - tag `Name: nat`
- Create NAT gateway
  - name: `nat`
  - place it in the public subnet (it needs the internet gateway route to reach the internet)
- Create `private-large` subnet `10.0.16.0/20`
- Create `private-small` subnet `10.0.32.0/24`
- Create `private` route table with default route (`0.0.0.0/0`) to the NAT gateway
- Update route tables for private subnets: associate the `private` route table with `private-large` and `private-small`, so instances there can reach the internet for updates but are not reachable from it
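The subnet arithmetic in the steps above (the /22 giving 1,024 addresses ending at 10.0.3.255, the five AWS-reserved addresses, and the requirement that the OpenVPN client pool `10.8.0.0/24` used later must not overlap the VPC) can be checked from a shell before anything is created. The helpers below are an added example written for this page, not part of the original notes; they are plain POSIX `sh` with no external tools, and the CIDRs are the ones from the steps above.

```shell
#!/bin/sh
# CIDR helpers (added example, not from the original notes). POSIX sh only,
# so they also run on a bare EC2 instance with nothing installed.
set -e

ip_to_int() {            # 10.0.3.255 -> 167773183
  old=$IFS; IFS=.
  set -- $1
  IFS=$old
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {            # 167773183 -> 10.0.3.255
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_size() {            # 10.0.0.0/22 -> 1024 (total addresses in the block)
  echo $(( 1 << (32 - ${1#*/}) ))
}

cidr_first_int() {       # network address as an integer (host bits masked off)
  echo $(( $(ip_to_int "${1%/*}") & ~($(cidr_size "$1") - 1) ))
}

cidr_last_ip() {         # 10.0.0.0/22 -> 10.0.3.255 (broadcast / last address)
  int_to_ip $(( $(cidr_first_int "$1") + $(cidr_size "$1") - 1 ))
}

aws_usable_hosts() {     # AWS reserves the first four and the last address of a subnet
  echo $(( $(cidr_size "$1") - 5 ))
}

cidr_overlap() {         # exit status 0 if the two blocks share at least one address
  a1=$(cidr_first_int "$1"); a2=$(( a1 + $(cidr_size "$1") - 1 ))
  b1=$(cidr_first_int "$2"); b2=$(( b1 + $(cidr_size "$2") - 1 ))
  [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# The subnets from the notes, plus the OpenVPN client pool used later.
for c in 10.0.0.0/22 10.0.16.0/20 10.0.32.0/24; do
  printf '%-14s last=%-12s total=%-5s aws-usable=%s\n' \
    "$c" "$(cidr_last_ip "$c")" "$(cidr_size "$c")" "$(aws_usable_hosts "$c")"
done
if cidr_overlap 10.8.0.0/24 10.0.0.0/16; then
  echo "VPN pool overlaps the VPC: routes pushed to clients would collide"
else
  echo "VPN pool 10.8.0.0/24 is outside the VPC 10.0.0.0/16"
fi
```

`cidr_overlap` is the check worth keeping around: if the VPN pool were inside the VPC range, the `push route` for the VPC would swallow the tunnel's own addresses on every client.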
- Allocate static public IP address (Elastic IP) `openvpn`
- Create Ubuntu 20.04 instance
  - tag `Name: openvpn`
  - Instance type: `t3.small`
  - SG: `OpenVPN`, add `1194` custom UDP from Anywhere (this is the only port that has to be world-reachable; keep SSH restricted to your own address rather than `0.0.0.0/0`)
- Associate Elastic IP with EC2
- Update permissions on the key: `chmod 400 devops.pem`
- SSH to the Ubuntu server: `ssh -i devops.pem ubuntu@<ip>`
- Update Ubuntu repositories: `sudo apt update`
- Check OpenVPN candidate: `apt policy openvpn`
- Compare the version with the latest release of OpenVPN on GitHub
-
We would need to run commands as a root, let's temporary use
sudo -s
sudo -s- Then import the public GPG key that is used to sign the packages:
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -- Add OpenVPN repo
echo "deb http://build.openvpn.net/debian/openvpn/stable focal main" > /etc/apt/sources.list.d/openvpn-aptrepo.list- Update repositories again with the new openvpn source list
apt update- Exit root
exit- Check version of candidate again
apt policy openvpn- Install the latest one
sudo apt install openvpn=2.5.3-focal0- Check the candidate verion
apt policy easy-rsa-
Check available verions on GitHub
-
Download
easy-esatarball
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz- Untar it
tar -zxf EasyRSA-3.0.8.tgz- Clean UP
ls
rm EasyRSA-3.0.8.tgz- Move
easy-rsato OpenVPN
sudo mv EasyRSA-3.0.8/ /etc/openvpn/easy-rsa- (Optionally) create soft link
sudo ln -s /etc/openvpn/easy-rsa/easyrsa /usr/local/bin/- Change directory to home and test cli
easyrsa --version- Change directory to openvpn
cd /etc/openvpn/easy-rsa- Initialize a PKI CA
easyrsa init-pki- List directories
ls
ls pki- Create vars file
vim vars- Create CA (security or convenience)
easyrsa build-ca nopass- List files
ls pki
ls pki/private- Generate signing request
easyrsa gen-req openvpn-server nopass- Sign cert
easyrsa sign-req server openvpn-server
- Generate the tls-crypt pre-shared key
openvpn --genkey secret ta.key
cat ta.key- Enable IP forwarding
sudo vim /etc/sysctl.conf- Read the file and load the new values for the current session
sudo sysctl -p- Configure IP Tables
sudo iptables -t nat -S- Find out network public network interface
ip route list default- Configure nat routing
sudo iptables \
-t nat -I POSTROUTING -s 10.8.0.0/24 -o ens5 -j MASQUERADE- Save iptables
sudo apt-get install iptables-persistent- Create config file, leave routes out for now
sudo vim /etc/openvpn/server/server.conf- Check if you have
nobodyuser
cat /etc/passwd | grep nobody- Check if you have
nogroup
cat /etc/group | grep nogroup-
Check subnet masks for CIDR here
-
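What `/etc/openvpn/server/server.conf` needs to contain, given the PKI layout created in the steps above, as an added example for this page (not the file from the original notes). It assumes `vars` switched easy-rsa to EC keys (`EASYRSA_ALGO ec`), so no DH parameters file is needed; with RSA keys run `easyrsa gen-dh` and point `dh` at `pki/dh.pem`. The CRL line and the pushed route/DNS lines are what the notes leave out for now and add later; they are commented out here to match the first version.

```conf
# /etc/openvpn/server/server.conf -- added example for this page, not the
# original notes' file. Paths follow the easy-rsa layout created above.
port 1194
proto udp
dev tun
topology subnet

# Server identity and CA from /etc/openvpn/easy-rsa/pki. Absolute paths:
# the openvpn-server@ unit's working directory is /etc/openvpn/server.
ca   /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/openvpn-server.crt
key  /etc/openvpn/easy-rsa/pki/private/openvpn-server.key

# Pre-shared key from "openvpn --genkey secret ta.key": encrypts and
# authenticates the TLS control channel, so packets without the key are
# dropped before any TLS parsing happens.
tls-crypt /etc/openvpn/easy-rsa/ta.key

# Assumes vars set EASYRSA_ALGO ec (ECDHE key exchange, no DH parameters).
# With RSA keys: "easyrsa gen-dh" and "dh /etc/openvpn/easy-rsa/pki/dh.pem".
dh none

# Only accept certificates the CA issued for client use (what
# "easyrsa sign-req client" produces); a leaked server cert cannot
# be used to connect as a client.
remote-cert-tls client
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM

# Client address pool: must not overlap the VPC (10.0.0.0/16) and must
# match the MASQUERADE rule added with iptables above.
server 10.8.0.0 255.255.255.0
keepalive 10 120

# Drop privileges once the keys are read and the tun device exists; this
# is why the nobody user and nogroup group were checked above.
user nobody
group nogroup
persist-key
persist-tun

# Added later in the notes: CRL for revoked clients (file must be readable
# by "nobody"), plus the VPC route and the VPC resolver (10.0.0.2 for a
# 10.0.0.0/16 VPC) so private subnets and devops.pvt work through the tunnel.
# crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
# push "route 10.0.0.0 255.255.0.0"
# push "dhcp-option DNS 10.0.0.2"

explicit-exit-notify 1
verb 3
```

Because the process drops to `nobody` after start-up, every file it must re-read later (the CRL in particular) has to be readable by that user; the certificate and key files, read once as root, can stay `0600`.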
- Start OpenVPN: `sudo systemctl start openvpn-server@server`
- Check OpenVPN status: `sudo systemctl status openvpn-server@server`
- Enable openvpn-server at boot: `sudo systemctl enable openvpn-server@server`
- Check logs: `journalctl --no-pager --full -u openvpn-server@server -f`
- Generate a client key pair: `easyrsa gen-req example-1 nopass`
- Sign the certificate request: `easyrsa sign-req client example-1`
- Create the `example-1.ovpn` profile by pasting these four files into it as inline `<ca>`, `<cert>`, `<key>` and `<tls-crypt>` blocks:
  `cat /etc/openvpn/easy-rsa/pki/ca.crt`
  `cat /etc/openvpn/easy-rsa/pki/issued/example-1.crt`
  `cat /etc/openvpn/easy-rsa/pki/private/example-1.key`
  `cat /etc/openvpn/easy-rsa/ta.key`
  The profile now contains a private key: restrict its permissions, hand it over through a trusted channel, and issue one profile per person so that each can be revoked on its own.
- Install Tunnelblick: `brew install --cask tunnelblick`
- Install the `example-1.ovpn` profile
- Run journalctl on the OpenVPN server: `journalctl --no-pager --full -u openvpn-server@server -f`
- Connect to the VPN
- Check routes on the Mac: `netstat -r`
- Create an Ubuntu server in the `private-small` subnet; in its security group use the `openvpn` security group as the source (SSH is then allowed only from the VPN server, not from the internet)
- SSH to Ubuntu using the private IP address: `ssh -i devops.pem ubuntu@<private ip>`
- Create `devops.pvt` private hosted zone
- Create `test.devops.pvt` A record with a random IP address
- Try to resolve it from the development host: `dig test.devops.pvt`
- Enable VPC DNS resolution
  - To use private hosted zones, you must set the following Amazon VPC settings to true:
    - enableDnsHostnames
    - enableDnsSupport
  - The VPN client must also send its queries to the VPC resolver (the VPC base address plus two, `10.0.0.2` for `10.0.0.0/16`), which is done by pushing a `dhcp-option DNS` from the server config (not shown in these notes)
- Revoke the `example-1` certificate:
  `cd /etc/openvpn/easy-rsa/`
  `easyrsa revoke example-1`
- Generate the CRL (Certificate Revocation List): `easyrsa gen-crl`
  (the CRL carries an expiry set by `EASYRSA_CRL_DAYS`; once it has passed, OpenVPN rejects every client, not only revoked ones, so regenerate it before then)
- Add the CRL to the OpenVPN server config: `sudo vim /etc/openvpn/server/server.conf`
  `crl-verify /etc/openvpn/easy-rsa/pki/crl.pem`
  (OpenVPN reloads the file when it changes, without a restart, but it does so as the `nobody` user, so the file must be readable by that user)
- Restart and watch the log; the revoked client is now refused with a `VERIFY ERROR` line:
  `sudo systemctl restart openvpn-server@server`
  `journalctl --no-pager --full -u openvpn-server@server -f`
- Create a directory for client configs and the common part of every profile:
  `cd /etc/openvpn/`
  `sudo mkdir client-configs`
  `cd client-configs`
  `sudo vim base.ovpn`
- Issue a second client certificate:
  `cd /etc/openvpn/easy-rsa/`
  `easyrsa gen-req example-2 nopass`
  `easyrsa sign-req client example-2`
- Write a script that assembles a profile from `base.ovpn` plus the client's certificate and key, the CA certificate and `ta.key`, then run it:
  `vim gen_client_profile.sh`
  `sudo chmod +x gen_client_profile.sh`
  `sudo ./gen_client_profile.sh example-2`
- Check the result: `cat /etc/openvpn/client-configs/example-2.ovpn`
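The `gen_client_profile.sh` created above is not shown in the notes. The script below is an added example written for this page, not the author's script, of what it has to do: concatenate `base.ovpn` with the CA certificate, the client's certificate and key, and `ta.key` as inline `<ca>`, `<cert>`, `<key>` and `<tls-crypt>` blocks. It assumes the paths used throughout the notes (`/etc/openvpn/client-configs/base.ovpn`, `/etc/openvpn/easy-rsa/pki`, `/etc/openvpn/easy-rsa/ta.key`), all overridable by arguments, and that `base.ovpn` holds the client-side directives (`client`, `dev tun`, `proto udp`, `remote <elastic ip> 1194`, `remote-cert-tls server`, `verb 3`).

```shell
#!/bin/sh
# gen_client_profile.sh -- added example for this page, not the original
# notes' script. Builds an inline .ovpn from base.ovpn + CA + client cert +
# client key + ta.key. Paths default to the layout used in the notes.
set -eu

# Print only the PEM body of a file. easy-rsa prepends a human-readable
# dump to issued certificates; that text is noise inside an inline profile.
# $2 is a regex fragment for the block label (CERTIFICATE, ...PRIVATE KEY, ...).
pem_block() {
  sed -n "/^-----BEGIN $2-----\$/,/^-----END $2-----\$/p" "$1"
}

gen_client_profile() {
  name=$1
  base=${2:-/etc/openvpn/client-configs/base.ovpn}
  pki=${3:-/etc/openvpn/easy-rsa/pki}
  ta=${4:-/etc/openvpn/easy-rsa/ta.key}
  out=${5:-$(dirname "$base")/$name.ovpn}
  cert=$pki/issued/$name.crt
  key=$pki/private/$name.key

  # Fail early and loudly rather than writing a half-built profile.
  for f in "$base" "$pki/ca.crt" "$cert" "$key" "$ta"; do
    [ -r "$f" ] || { echo "gen_client_profile: cannot read $f" >&2; return 1; }
  done

  # Subshell so the umask does not leak; the output holds a private key,
  # so it is created mode 0600.
  (
    umask 077
    {
      cat "$base"
      printf '<ca>\n';        pem_block "$pki/ca.crt" CERTIFICATE;         printf '</ca>\n'
      printf '<cert>\n';      pem_block "$cert" CERTIFICATE;               printf '</cert>\n'
      printf '<key>\n';       pem_block "$key" '[A-Z ]*PRIVATE KEY';       printf '</key>\n'
      printf '<tls-crypt>\n'; pem_block "$ta" 'OpenVPN Static key V1';    printf '</tls-crypt>\n'
    } > "$out"
  )
  echo "$out"
}

# Run directly as in the notes: sudo ./gen_client_profile.sh example-2
if [ "${0##*/}" = gen_client_profile.sh ]; then
  gen_client_profile "$@"
fi
```

The script prints the path of the profile it wrote. `[A-Z ]*PRIVATE KEY` covers both the PKCS#8 `PRIVATE KEY` header easy-rsa 3 writes and the older `RSA PRIVATE KEY` / `EC PRIVATE KEY` forms, so it keeps working if the PKI was created with other tooling.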
- Install the `example-2.ovpn` profile
- Check DNS again: `dig test.devops.pvt`
- Set up the Docker repository (prerequisites):
  `sudo apt install apt-transport-https ca-certificates curl gnupg lsb-release`
- Add Docker's official GPG key:
  `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg`
- Set up the stable repository:
  `echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null`
- Install Docker Engine:
  `sudo apt update`
  `sudo apt install docker-ce docker-ce-cli containerd.io`
- Install docker compose: `sudo apt install docker-compose`
- Create `docker-compose.yaml` to run MySQL 5.7: `vim docker-compose.yaml`
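A `docker-compose.yaml` for the MySQL 5.7 step, as an added example (not the file from the original notes). The security-relevant choice is the port binding: Docker publishes ports on all interfaces by default and inserts its own iptables rules for them, so host-level INPUT rules would not stop a connection from outside; binding to `127.0.0.1` keeps the database reachable only from the Rails app on the same host. The root password is an assumed lab value.

```yaml
# docker-compose.yaml for the MySQL 5.7 step -- added example, not the file
# from the original notes.
version: "3.7"
services:
  mysql:
    image: mysql:5.7
    restart: unless-stopped
    environment:
      # Lab password only (assumed value); use a real secret outside the lab.
      MYSQL_ROOT_PASSWORD: devops123
    # Bind the published port to loopback. A bare "3306:3306" listens on
    # every interface, and Docker's own iptables rules for published ports
    # bypass host INPUT filtering (ufw etc.), leaving only the security
    # group between the database and the internet.
    ports:
      - "127.0.0.1:3306:3306"
    volumes:
      - mysql-data:/var/lib/mysql
volumes:
  mysql-data:
```

`sudo docker-compose up -d` in the next step brings it up; `mysql -h 127.0.0.1` then works, while nothing reaches the container from the instance's public or VPC addresses.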
- Run docker compose up: `sudo docker-compose up -d`
- Check running containers: `sudo docker ps`
- Install the MySQL client: `sudo apt install mysql-client`
- Connect to MySQL: `mysql -u root -p -h 127.0.0.1 -P 3306`
- Create a user for gate-sso:
  `CREATE USER 'gate' IDENTIFIED BY 'devops123';`
  (`devops123` is a throwaway lab password. A user without a host part is `'gate'@'%'`, allowed from any address, so make sure the compose file publishes port 3306 on `127.0.0.1` only. `'gate'@'localhost'` would not help here: connections through Docker's port forwarding reach MySQL from the bridge gateway address, not from localhost.)
- Grant access to the `gate_development` and `gate_test` databases:
  `GRANT ALL PRIVILEGES ON gate_development.* TO 'gate';`
  `GRANT ALL PRIVILEGES ON gate_test.* TO 'gate';`
  `FLUSH PRIVILEGES;`
- Log out: `exit`
- Check the Ruby version (must be >= 2.4): `ruby -v`
- Install rvm: `curl -L https://get.rvm.io | bash -s stable`
- Import the GPG keys (the installer checks the signature of what it downloads and will not proceed until these keys are present, which is why it is run twice):
  `curl -sSL https://rvm.io/mpapis.asc | gpg --import -`
  `curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -`
- Run the script again: `curl -L https://get.rvm.io | bash -s stable`
- To start using RVM, load the script environment variables with the source command: `source ~/.rvm/scripts/rvm`
- Install Ruby 2.4.3 with rvm: `rvm install 2.4.3` (Ruby 2.4 is end-of-life and no longer receives security fixes; it is the version these notes use)
- Install the bundler gem: `gem install bundler`
- Clone the gate-sso GitHub repository:
  `cd /opt`
  `sudo git clone https://github.com/gate-sso/gate.git`
- Update ownership of the repository: `sudo chown -R ubuntu:ubuntu gate`
- Install gate-sso dependencies:
  `cd gate`
  `bundle install`
- Fix deps: `sudo apt-get install libmysqlclient-dev`
- Run bundle install again: `bundle install`
- Install nodejs: `sudo apt install nodejs`
- Run the app init task: `rake app:init`
- Create SSO in GCP
  - Go to APIs & Services
  - Create OAuth Client ID credentials
  - Authorized redirect URI: `http://gate.devopsbyexample.io/users/auth/google_oauth2/callback`
- Update env: `vim .env`
  `GATE_SERVER_URL=http://gate.devopsbyexample.io`
  `GATE_OAUTH_CLIENT_ID=771040318735-7anf9ct0fo5a23s6gqsnmc2vo3ifbo28.apps.googleusercontent.com`
  `GATE_OAUTH_CLIENT_SECRET=8SNXY_H7RE2-nffqDGIKGZ9i`
  `GATE_HOSTED_DOMAIN=devopsbyexample.io`
  `GATE_HOSTED_DOMAINS=antonputra.com`
  `GATE_DB_HOST=127.0.0.1`
  `GATE_DB_PASSWORD=devops123`
  The OAuth client secret and the DB password are live credentials: keep `.env` out of version control, and regenerate the client secret in the GCP console if it has ever been exposed (as any secret printed in notes like these has been). The callback URL is plain `http://`, so the authorization code crosses the network unencrypted; acceptable for a throwaway lab, not for a real SSO deployment, which should sit behind TLS with an `https://` callback.
- Create an A record for gate.devopsbyexample.io
- Run setup: `rake app:setup`
- Open port 80 on the SG (this exposes the Rails app to the internet over plain HTTP)
- Create `sudo vim /etc/openvpn/easy-rsa/gen-client-conf` (update the remote IP)
- Create `sudo vim /etc/openvpn/easy-rsa/gen-client-keys` (update the remote IP)
- Start Rails:
  `rvmsudo rails server --port 80 --binding 0.0.0.0 --daemon`
  (`rvmsudo` runs the whole Rails process as root so it can bind port 80; a reverse proxy on 80/443 forwarding to Rails on an unprivileged port would avoid that)
- Go to http://gate.devopsbyexample.io and download the profile
- Certificate Authority (CA): starting from OpenVPN 2.4, one can also use elliptic curves for TLS connections (e.g. `tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384`). Elliptic curve cryptography gives the same security level with much smaller keys, and because the key exchange is ECDHE it eliminates the need for a Diffie-Hellman parameters file. See [2] and [3].
- Clean up:
  - VPC `main`
  - Key pair `devops`
  - Release public IPs
  - Delete Tunnelblick: `brew remove tunnelblick`
  - Delete the Route53 hosted zone `devops.pvt`
  - Remove the GCP credentials
  - Remove the `gate.devopsbyexample.io` A record