On certain ISPs like Jio, it is not possible to access a server over the internet. This can happen if the ISP does not allow incoming connections on the dynamic IP address. As a result, it is not possible to access BUSY using the provided Mobile App.
The Ansible playbook in this repository creates a private OpenVPN network. The BUSY Mobile App can then connect to the BUSY server over the virtual network using the “LAN” profile.
You can run the OpenVPN server for free using the Oracle Cloud Always Free tier. The Terraform script for deploying the server is in the following repository,
- terraform__oci-instance-1
The playbook repository is available at,
- GitHub: github.com/k3karthic/ansible__busy-behind-nat
- Codeberg: codeberg.org/k3karthic/ansible__busy-behind-nat
Install the following before running the playbook,
$ pip install oci
$ ansible-galaxy collection install oracle.oci
The Oracle Ansible Inventory Plugin populates the inventory with the public Ubuntu instances in your tenancy. The target instance must have the freeform tag openvpn_service: yes.
We need to create a Certificate Authority (CA) for the OpenVPN server and clients. A key signing server generates and signs certificates used for authentication.
For security, the key signing server should be a standalone server. The OpenVPN server can act as the key signing server for smaller deployments.
To get started, install easy-rsa on the system you will be using as the key signing server.
Run the following commands on the key signing server.
Create a new Public Key Infrastructure (PKI) and CA,
$ ./easyrsa init-pki
$ ./easyrsa build-ca
Run the following commands on the key signing server.
Create and sign a certificate for the OpenVPN server,
$ ./easyrsa gen-req Relay
$ ./easyrsa sign-req server Relay
Generate the Diffie-Hellman (DH) parameters for the OpenVPN server,
$ ./easyrsa gen-dh
Copy pki/ca.crt and pki/dh.pem into the ca folder of the current repository. Create a file called ca/Relay.pass with the passphrase of the Relay private key (Relay.key).
Install OpenVPN on the key signing server and run the following command. This is only required to generate a shared secret for TLS authentication.
$ openvpn --genkey --secret ta.key
Copy ta.key into the ca folder of the current repository.
Run the following commands on the key signing server.
Create and sign a certificate for the BUSY server,
$ ./easyrsa gen-req BUSY
$ ./easyrsa sign-req client BUSY
Copy pki/ca.crt, pki/ta.key, pki/private/BUSY.key and pki/issued/BUSY.crt to the BUSY server. Create a file called BUSY.pass with the passphrase of the BUSY private key (BUSY.key).
Run the following commands on the key signing server.
Create and sign a certificate for the BUSY App,
$ ./easyrsa gen-req BUSYMobile1
$ ./easyrsa sign-req client BUSYMobile1
Copy pki/ca.crt, pki/ta.key, pki/private/BUSYMobile1.key and pki/issued/BUSYMobile1.crt to the phone. Enter the passphrase of the private key during import or in the configuration.
- Update inventory/oracle.oci.yml,
  - Specify the region where you have deployed your server on Oracle Cloud. The list of regions is at docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm.
  - Configure the authentication as per the Oracle Guide.
- Set the username and SSH authentication in inventory/group_vars/all.yml.
- Change the CIDR of the virtual network (172.23.0.0/16) to ensure it does not overlap with your local network.
Run the playbook using the following command,
$ ./bin/apply.sh
The following sample configuration files are in the resources directory,
- BUSY.ovpn: configuration for the BUSY server running OpenVPN Community
- BUSYMobile1.ovpn: configuration for the phone running BUSY mobile app and OpenVPN
Replace the hostname of the OpenVPN server. Change the virtual IP (172.23.0.X) if required.
BUSY should be able to accept connections from the OpenVPN virtual network interface.
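Two of the steps above are easy to get wrong silently: a virtual network CIDR that overlaps the local LAN, and a client profile that does not pin the relay's certificate type (the Relay certificate was signed with "sign-req server", the BUSY certificates with "sign-req client", and only remote-cert-tls server makes the phone enforce that difference). The following checker is an added example, not part of the repository; the sample profile, the placeholder hostname and the directive list it requires are constructed assumptions, not the contents of resources/BUSYMobile1.ovpn.

```python
import ipaddress

# Constructed sample client profile (assumption, not the repository's file).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
tls-auth ta.key 1
ca ca.crt
cert BUSYMobile1.crt
key BUSYMobile1.key
"""

# Directives a hardened profile for this setup should carry. remote-cert-tls
# server rejects a peer presenting a client-type certificate as the relay;
# tls-auth binds the handshake to the shared ta.key generated on the CA host.
REQUIRED = {"remote-cert-tls": "server", "tls-auth": None,
            "ca": None, "cert": None, "key": None}


def parse_ovpn(text):
    """Map each directive to its arguments (first occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        conf.setdefault(parts[0], parts[1:])
    return conf


def check_profile(text, vpn_cidr, local_cidrs, placeholder="vpn.example.invalid"):
    """Return a list of problems; an empty list means the profile passes."""
    problems, conf = [], parse_ovpn(text)
    for directive, want in REQUIRED.items():
        if directive not in conf:
            problems.append(f"missing directive: {directive}")
        elif want is not None and conf[directive][:1] != [want]:
            problems.append(f"{directive} should be '{want}'")
    host = (conf.get("remote") or [None])[0]
    if host is None or host == placeholder:
        problems.append("remote hostname not replaced")
    vpn = ipaddress.ip_network(vpn_cidr)
    for lan in local_cidrs:  # the CIDR must not collide with the BUSY LAN
        if vpn.overlaps(ipaddress.ip_network(lan)):
            problems.append(f"VPN range {vpn} overlaps local network {lan}")
    return problems
```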
Encrypt sensitive files (such as SSH private keys) before saving them to the repository. .gitignore must list the unencrypted file paths.
Use the following command to decrypt the files after cloning the repository,
$ ./bin/decrypt.sh
Use the following command after running terraform to update the encrypted files,
$ ./bin/encrypt.sh <gpg key id>