Tunnelling openvpn server out from behind cgnat.

[edmoncu]

Here's how i did mine.
1. i setup an esxi box

setup openvpnas
1. create an openvpnas account online (so that i can activate my deployment)
2. deployed openvpnas vmware appliance onto it
3. setup openvpnas from the appliance
4. activate your openvpnas deployment and configure openvpn (from the mgt) to use only TCP 443
5. add accounts as needed
5. test web/admin and client connection using internal IP (and specify it to use only TCP port 443)

setup ngrok on top of openvpnas appliance
1. download winscp and putty off your windows
2. download ngrok linux zipped binary in windows
3. winscp onto the openvpnas appliance using root creds to upload the zip file
4. ssh using putty onto the openpnas appliance and install unzip/zip using
sudo apt install unzip
sudo apt-get install zip
5. unzip the ngrok zipped file
7. on your windows pc, register a ngrok account and take note the part where it says 'connect to your account'
8. going back to ssh, type that command (as you see on the previous step 7)
./ngrok authtoken ....
9. update the automatically generated ngrok.yml file by adding the region of your choice (in my case i used region: ap)
10. run ngrok using the command
./ngrok http 443

even after doing that... i was able to connect only to my web interface (and /admin).
i was able to add the connection to the client fine and authenticate fine
however, i was unable to connect onto my openvpnas server when actually connecting.

it says "there was an error attempting to connect to the selected server"

i need help on that though as i am running out of ideas.

[edmoncu]

*update* i was able to fix it buy implementing multi-tunneling for both TCP and HTTP using port 443
here's my ngrok.yml config

authtoken: myauthtoken
region: ap
log: /var/log/ngrok.log
log_format: logfmt
log_level: debug
tunnels:
http443:
addr: 443
proto: http
bind_tls: true
subdomain: mysubdomain443
tcp443:
addr: 443
proto: tcp

however, due to ngrok's design, it assigns a fixed URL for TCP forwarding (0.tcp.ap.ngrok.io) using a custom port
unfortunately with openvpn connect, it ALWAYS forces ONLY adding the source server in HTTPS:// prefix EVEN if it needs only TCP connection.

therefore, what i did is i edit the openvpn profile (*.ovpn) with a text editor and i did this on the following lines
proto (removed)
port (removed)
remote (updated the URL to 0.tcp.ap.ngrok.io randomportnumberassigned tcp

i imported the *.ovpn file back to openvpn connect, then connect

[edmoncu]

it's been a couple years since this, and here's a more easier to follow approach i made of this

VM preparation
setup virtualbox (or any hypervisor)
create a vm (needs to have internet)
download debian 11 (net-install preferred) -> install it onto the vm

OS preparation
reset root password by rebooting into single-user mode
at the grub boot menu, press 'e' to edit the first boot option
in the grub menu, find the line that starts with linux and at the end of its line, remove the
ro quiet
and replace it with the following
rw init=/bin/bash
press f10 key and wait until it goes into the # prompt. at the # prompt, type
mount -o remount,rw /
passwd root
{enter the new password twice}
reboot -f
at the debian login, log as the normal user. open terminal and type
su root
{enter the recently changed root password}

at the root part, ensure update of the OS firstly
apt update && apt full-upgrade -y

Install OpenvpnAS for Debian 11 (bullseye)
apt update && apt -y install ca-certificates wget net-tools gnupg
wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repository.asc
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/as-repository.asc] http://as-repository.openvpn.net/as/debian bullseye main">/etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as
take note of the openvpn password

setup openvpn by opening firefox inside the UI, you may type https://localhost and enter the openvpn password. you will be greeting with a EULA that you need to accept
openvpn will load now, from here, do the following
create a regular user account and specify its password > Save Settings
go to Configuration
> Network Settings (most important part)
set the protocol to TCP > Save Settings
> VPN settings (optional)
have the clients use specific DNS servers (you may specify 8.8.8.8 as primary and 1.1.1.1 or any other specific DNS you prefer)
> Advanced VPN (optional)
enable prefer Openvpn data channel offloading if available (ovpn-dco) > Save Settings
> Web Server (optional)
click yes on the Self-signed Certificate > Save Settings

Setup Ngrok
create a free ngrok account and within ngrok dashboard, go into Setup & Installation
take note of the line under "Connect your account"
at the same terminal window with root privileges, type the following to download and setup ngrok
wget https://bin.equinox.io/c/bNyj1mQVY4c/ng ... -amd64.tgz
sudo tar xvzf ./ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin
ngrok authtoken NGROK_AUTHTOKEN
ngrok tcp 443 {take note of the forwarding line -- usually it's in the format of number.tcp.region.ngrok.io:random-port-forward-number (ex: 1.tcp.ap.ngrok.io:12345)}

Client Setup
open a browser window on your client and access the generated URL with the following format
https://number.tcp.region.ngrok.io:random-port-forward-number
login with the regular user account
download the "Yourself(user-locked-profile)" > it will download a *.ovpn file

using a text editor, edit the *.ovpn file by looking for a line that starts with port, change the value from 443 to the random-port-forward-number generated by ngrok. save the file.
install openvpn connect
choose to import profile, and choose file
browse/drag the *.ovpn file you just edited

you should be able to connect to the VPN server under a CGNAT

notes to consider:
ensure ngrok automatically runs upon startup
restarting ngrok changes the random port, thus requires a change of setting at the client-level (will need to redownload updated profile setting)
instead of a vm, you may instead use a raspberry pi to host this using the pi-os

[edmoncu]

update, installing to raspberry pi 4

download and use ubuntu 22 LTS 64-bit (arm64)
you may use raspberry pi imager
device: raspberry pi 4
operating system: other general purpose OS > ubuntu > ubuntu desktop 22.04.3 LTS (64-bit)
once done, re-insert the sdcard back to the raspberry pi to boot ubuntu
on the raspberry pi, setup preliminary installation routines via system configuration (country, keyboard, wifi, region, account)

once done, open a terminal window in ubuntu to install SSH (optional, if you want to manage this remotely)
sudo passwd root {enter a new root password}
su root {provide the updated root password}
apt update
apt install ssh
systemctl status ssh
ufw allow ssh
ufw enable && ufw reload
you may now ssh and access the URL of your pi's internal IP

install openvpnas
apt update && apt -y install ca-certificates wget net-tools gnupg
wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repository.asc
echo "deb [arch=arm64 signed-by=/etc/apt/trusted.gpg.d/as-repository.asc] http://as-repository.openvpn.net/as/debian jammy main">/etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as

access openvpn server via browser (can be remotely using its internal IP)
usermanagement > user permissions > create a new standard user
configuration
network settings > protocol > tcp (only)
vpn settings > dns settings > primary 1.1.1.1 secondary 8.8.8.8
web server > self-signed certificate (yes)

install ngrok
create an ngrok account take note of the authtoken
wget https://bin.equinox.io/c/bNyj1mQVY4c/ng ... -arm64.tgz
tar xvzf ./ngrok-v3-stable-linux-arm64.tgz -C /usr/local/bin
ngrok config add-authtoken xxxxxxx
ngrok tcp 443

download the client VPN profile by login client account via URL : https://x.tcp.region.ngrok.io:nnnn
download "Yourself (user-locked profile). it will download an *.ovpn file
edit the file to change (and save)
remote : enter the ngrok URL x.tcp.region.ngrok.io
port : enter the ngrok random port forwarded nnnn

import the profile onto a vpn client (openvpn connect)
enter the credentials of the standard user (click save password)

notes
restarting the ngrok daemon changes the random port. update your *.OVPN file and update your openvpn connect profile accordingly with the updated port number.

if using openvpn connect on mobile, the ngrok URL might not resolve, just enter its A-record IP (via whatsmydns) as "Server Override (optional)"

caveat: there will be a warning: AES instruction set support has not been detected on this host. This may cause performance degradation. Consult your virtualization solution and/or BIOS/UEFI setting to enable AES instructions.
this means raspberry pi 4 CPU doesn't support AES instruction (https://forums.raspberrypi.com//viewtop ... 3&t=207888)

[edmoncu]

to install ngrok as a service (which allows logout of current shell session) please do the following,
close the current ngrok instance (ngrok tcp 443) by pressing ctrl+c
update your ngrok-generated config file /root/.config/ngrok/ngrok.yml and add the following lines after the authtoken. please be mindful of the indented spaces needed, otherwise, service will show an error:

Code: Select all

tunnels:
 default:
  proto: http
  addr: 80

then enter the following commands
ngrok service install --config /root/.config/ngrok/ngrok.yml
ngrok service start
ngrok update

now check the updated port at the dashboard and download/update the corresponding tunnel file with the updated port.

[edmoncu]

to install ngrok as a service (which allows logout of current shell session) please do the following,
close the current ngrok instance (ngrok tcp 443) by pressing ctrl+c
update your ngrok-generated config file /root/.config/ngrok/ngrok.yml and add the following lines after the authtoken. please be mindful of the indented spaces needed, otherwise, service will show an error:

Code: Select all

tunnels:
 default:
  proto: http
  addr: 80

then enter the following commands
ngrok service install --config /root/.config/ngrok/ngrok.yml
ngrok service start
ngrok update

now check the updated port at the dashboard and download/update the corresponding tunnel file with the updated port.

correction, the code should be

Code: Select all

tunnels:
 default:
  proto: tcp
  addr: 443

[edmoncu]

additional notes to consider, based on my replicated re-setups of this:
it "may be" better that ngrok.yml is placed on a readable/accessible location if the agent is run on a non-sudo user.

ex: i placed ngrok.yml on a new folder called /ngrokyml resulting in file /ngrokyml/ngrok.yml

• i made sure the folder /ngrokyml has full access :

Code: Select all

chmod 777 /ngrokyml

• i made sure the yml file has full access

Code: Select all

chmod 666 /ngrokyml/ngrok.yml

then i set this up on a non-sudo user:

Code: Select all

sudo ngrok service install --config /ngrokyml/ngrok.yml
sudo ngrok service start
ngrok update

[edmoncu]

im looking at another way to this using cloudflare tunnels... however, it will require you to have a domain, which usually requires a purchase. however, the advantage is it will use the domain as a fixed reference should you need to restart the openvpnas or any of its dependent upstream services (ex: your ISP).

[edmoncu]

im looking at another way to this using cloudflare tunnels... however, it will require you to have a domain, which usually requires a purchase. however, the advantage is it will use the domain as a fixed reference should you need to restart the openvpnas or any of its dependent upstream services (ex: your ISP).

update: stucked at this and might not have a workaround. TCP tunnelling of openvpnas seems to not work even at port 443. I was only able to utilize HTTPs tunnelling. Reverting back to ngrok.

[edmoncu]

update on use of ngrok (paid version - for static FQDN)

1) register an account with ngrok and note of the auth token

2) create new TCP address (cloud edge > tcp addresses > new tcp addresses) and note the address (ex : 1.tcp.ap.ngrok.io:random-port) -- make sure your account is entitled for Reserved TCP Addresses. minimum plan - devcelopment 8$/yr

3) install agent for linux, ensure that you're on root to avoid any problems (sudo su)

Code: Select all

wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-arm64.tgz
tar -xvzf ./ngrok-v3-stable-linux-arm64.tgz -C /usr/local/bin
ngrok config add-authtoken (from #1)

4) edit ngrok file and add the following (note the proper use of indents) and save
nano /root/.config/ngrok/ngrok.yml

Code: Select all

version: "2"
authtoken: auth-token from #1
tunnels:
    default:
        proto: tcp
        addr: 443
        remote_addr: fqdn and port from #2

5) run the following to allow ngrok to run as a service automatically
ngrok service install --config /root/.config/ngrok/ngrok.yml
ngrok service start
ngrok update

[edmoncu]

client access using openvpn connect for windows

due to problems adding the profile from the clients, it is advisable to download the profile from the access server web portal

1) from the browser, access the URL https://1.tcp.ap.ngrok.io:random-port
2) login with a valid openvpn access server profile
3) click on the connection profile to download it. the file will have an extension of .ovpn
4) edit the file in notepad and look for the line "port 443" and replace it with the port from #2 of the previous post "port random-port"). save it
5) from the openvpn connect client, click on +
6) click on upload file and browse the recently saved .ovpn file
7) you may tick the "Save Password" and provide with the account's corresponding credential. click Connect
8) if you're unable to connect, it is possible that the ngrok URL is not resolved, override it by editing the profile in openvpn connect by clicking the pencil icon
9) using whatsmydns to resolve the IP of the ngrok-provided FQDN, take note of any of the IPs resolved (ex: 1.tcp.ap.ngrok.io resolves to 18.139.9.214)
10) under "Sever Override (optional)" part, provide the static IP that you obtained from step #9 (ex: 18.139.9.214) and click Save
11) try to connect

client access using openvpn connect for mobile device (ex IOS). follow the same steps above, except for #5 on uploading the .ovpn file to your IOS device.