OpenVPN

From wiki.techunit.org

Introduction

  • Tested on
    • Debian 8 (Jessie)
    • Ubuntu 14.04
  • easy-rsa version : 2.2.2-1
  • OpenVPN versions :
    • 2.3.2-7
    • 2.3.4-5

The goal of this page is to provide a simple guide to building a multi-VPN architecture with OpenVPN: one directory per VPN instance, each with its own PKI, configuration and chroot jail.

Server configuration

Minimal server configuration

Before configuration

  • Install packages
aptitude install openvpn easy-rsa -y
  • Create base directory
mkdir -p /etc/openvpn/demovpn/jail/tmp
make-cadir /etc/openvpn/demovpn/easy-rsa
ln -s /etc/openvpn/demovpn/easy-rsa/keys /etc/openvpn/demovpn
  • Edit these values in /etc/openvpn/demovpn/easy-rsa/vars
# Key size for the CA, server and client keys and for the DH parameters.
# 2048 is the minimum to use today; larger sizes slow down TLS negotiation
# and the one-time DH generation.
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="NL"
export KEY_PROVINCE=""
export KEY_CITY="Amsterdam"
export KEY_ORG="techUnit.org"
export KEY_EMAIL="your.mail@your.domain"
export KEY_OU=""
  • Generate the CA, the server certificate and key, the DH parameters and the tls-auth key
cd /etc/openvpn/demovpn/easy-rsa/
source vars
./clean-all                            # wipes keys/ (recreated mode 700) : only for a fresh PKI
./build-dh                             # keys/dh2048.pem, takes a while
./pkitool --initca                     # keys/ca.crt + keys/ca.key ; ca.key signs every client, keep it root-only
./pkitool --server server              # keys/server.crt + keys/server.key
openvpn --genkey --secret keys/da.key  # tls-auth key, shared with every client, drops packets that lack a valid HMAC before the TLS handshake

Configuration file

  • Create the config file : edit /etc/openvpn/demovpn/server.conf
#############
#Base
#############
#client-to-client
proto udp # udp or tcp, must match the proto in the client configs
port 123 # any free port ; 123 is normally NTP, make sure nothing else listens on it
dev tun
ca /etc/openvpn/demovpn/keys/ca.crt
cert /etc/openvpn/demovpn/keys/server.crt
key /etc/openvpn/demovpn/keys/server.key
dh /etc/openvpn/demovpn/keys/dh2048.pem
tls-auth /etc/openvpn/demovpn/keys/da.key 0 # key direction 0 = server, the clients use 1
server 10.0.0.0 255.255.255.0 # VPN IP range : 10.0.0.1 - 10.0.0.254, the server takes 10.0.0.1
keepalive 10 120
push "redirect-gateway def1 bypass-dhcp" # Force all client traffic through the tunnel
push "dhcp-option DNS 8.8.8.8" # Force the client's DNS
#client-config-dir demovpn/ccd # path relative to the chroot jail, see below
#############
#Security
#############
cipher AES-256-CBC
auth SHA512
user nobody
group nogroup
chroot /etc/openvpn/demovpn/jail # files read after startup (crl-verify, client-config-dir) must live inside the jail
persist-key
persist-tun
comp-lzo # compression lets an attacker who controls part of the plaintext recover secrets (VORACLE) : remove it on server and clients unless you really need it
remote-cert-eku "TLS Web Client Authentication" # reject a server certificate used as a client certificate
#crl-verify demovpn/crl.pem # path relative to the chroot jail, see "Revoke a client certificate"
#############
#Logs
#############
verb 3
mute 20
status demovpn/openvpn-status.log # relative to /etc/openvpn, where the init script starts the daemon
#log-append /var/log/openvpn.log # keep it commented for the test run below, uncomment before starting the service
  • Test the configuration as root (tun device, chroot and privilege drop need it), from /etc/openvpn so that the relative paths resolve as they do under the init script
root@srv2:~# openvpn --cd /etc/openvpn --config /etc/openvpn/demovpn/server.conf
..........
..........
Sat Oct 17 13:03:44 2015 Initialization Sequence Completed
  • If it ends with the message above:
    • the configuration is OK, stop the test instance with Ctrl-C
    • uncomment this line in the config file : log-append /var/log/openvpn.log
    • create the symlink and start the VPN service (the instance is named after the symlink, here 1_demovpn)
ln -s /etc/openvpn/demovpn/server.conf /etc/openvpn/1_demovpn.conf
service openvpn start 1_demovpn

Enable routing

  • As root
#Temporary
echo 1 > /proc/sys/net/ipv4/ip_forward
#Permanent (a single ">" into /etc/sysctl.conf would wipe the file, use a drop-in instead)
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-openvpn-forward.conf
sysctl -p /etc/sysctl.d/99-openvpn-forward.conf

Firewall configuration

  • The OpenVPN port defined in the configuration (here udp/123) must be reachable from the Internet so that clients can connect.
  • Forwarding from the tun interface to the Internet-facing interface (and the replies back) has to be allowed ; this matters as soon as the FORWARD chain policy is DROP.
  • Traffic from the VPN subnet has to be masqueraded.
  • Simple iptables example
#VPN Rules
iptables -A INPUT -p udp -i eth0 --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing : drop packets coming out of the tunnel with a source address outside the VPN subnet (keep it before the ACCEPT rules)
iptables -A FORWARD ! -s 10.0.0.0/24 -i tun0 -j DROP
# Forward VPN clients to the Internet and let the replies back in
iptables -A FORWARD -i tun0 -o eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Masquerade
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

UDP or TCP ?

  • UDP = performance : no TCP-in-TCP retransmission interplay, use it whenever the network allows it
  • TCP = reachability : on port 443 it passes most restrictive firewalls, at the price of throughput and latency

To finish the minimal configuration, continue with the "Client configuration" section below.

Revoke a client certificate

  • Revoke the client with easy-rsa (client_name is the CN given to pkitool)
cd /etc/openvpn/demovpn/easy-rsa
source vars
./revoke-full client_name
  • revoke-full ends by verifying the revoked certificate against the new CRL, so its last line reads "error 23 ... certificate revoked" : that is the expected result, not a failure. The CRL is written to keys/crl.pem. Copy it into the jail directory (the server reads it after the chroot, so the path in server.conf is relative to the jail) and create a symlink in the base directory
mkdir -p /etc/openvpn/demovpn/jail/demovpn
cp /etc/openvpn/demovpn/easy-rsa/keys/crl.pem /etc/openvpn/demovpn/jail/demovpn/crl.pem
ln -s /etc/openvpn/demovpn/jail/demovpn/crl.pem /etc/openvpn/demovpn/
  • Uncomment or create the line in /etc/openvpn/demovpn/server.conf : crl-verify demovpn/crl.pem
  • Then restart the service : service openvpn restart 1_demovpn
  • Repeat the copy after every revocation. The CRL carries a "Next Update" date (30 days with the default easy-rsa openssl config); OpenVPN releases newer than the ones used here (2.4 onward) refuse every client once that date has passed, so regenerate and re-copy the CRL in time.
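Before restarting the service it is worth checking that the CRL the server will load really lists the revoked client, and when that CRL expires. The helpers below are an added example (not part of the original page or of easy-rsa); they only use `openssl x509` and `openssl crl`, the function names are this example's own, and SAMPLE_CRL_TEXT is a constructed copy of what `openssl crl -text` prints, embedded so the parsing can be exercised without a real PKI.

```shell
#!/bin/bash
# Added example: check a client certificate against the CRL OpenVPN will load,
# and read the CRL's expiry. Not part of the original page or of easy-rsa.

# revoked_serials : reads `openssl crl -text` output on stdin, prints the revoked
# serial numbers one per line, normalised to upper-case hex
revoked_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9A-Fa-f]*\).*$/\1/p' | tr 'a-f' 'A-F'
}

# crl_next_update : reads `openssl crl -text` output on stdin, prints the Next Update date
crl_next_update() {
    sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p'
}

# is_revoked CLIENT.crt CRL.pem -> exit 0 if the certificate's serial is in the CRL
is_revoked() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2 | tr 'a-f' 'A-F')
    openssl crl -in "$2" -noout -text | revoked_serials | grep -qx "$serial"
}

# Constructed sample of `openssl crl -in crl.pem -noout -text` output (not a real CRL)
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=NL/L=Amsterdam/O=techUnit.org/CN=techUnit.org CA
        Last Update: Oct 17 13:03:44 2015 GMT
        Next Update: Nov 16 13:03:44 2015 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Oct 17 13:10:00 2015 GMT
    Serial Number: 0A
        Revocation Date: Oct 18 09:00:00 2015 GMT'
```

Usage on the server, after revoke-full: `is_revoked keys/client_name.crt keys/crl.pem && echo "revoked, safe to copy"` and `openssl crl -in keys/crl.pem -noout -text | crl_next_update` to see when the CRL has to be regenerated (`openssl ca -gencrl -out keys/crl.pem -config "$KEY_CONFIG"` from the easy-rsa directory, after `source vars`).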

More configuration options

Client configuration directory

  • Create the directory inside the jail (OpenVPN reads the ccd files after the chroot, so the path in server.conf is relative to the jail) and link it into the base directory
mkdir -p /etc/openvpn/demovpn/jail/demovpn/ccd
ln -s /etc/openvpn/demovpn/jail/demovpn/ccd /etc/openvpn/demovpn/
  • Uncomment or create the line ( /etc/openvpn/demovpn/server.conf ): client-config-dir demovpn/ccd
  • A client's ccd file is named after the CN of its certificate (the name given to pkitool). Restart the service after adding the directive ; the ccd files themselves are read at each client connection, so editing them needs no restart.

Forward only traffic to a subnet - Server Method

(Internet)<----| client |----> VPN |----> 192.168.0.0/24
  • Comment out or delete this line in the server configuration : push "redirect-gateway def1 bypass-dhcp"
  • Add the following : push "route 192.168.0.0 255.255.255.0"
  • Restart the server. Only traffic for 192.168.0.0/24 now goes through the tunnel ; everything else keeps using the client's normal default gateway.

Forward only traffic to a subnet - Client Method

If you want to change the routes for a single client only (the server keeps pushing redirect-gateway to the others)

  • Edit /etc/openvpn/client.conf on that client
  • Add the following to the file : route-nopull ignores every option pushed by the server (the DNS one included), route adds back the one subnet
route-nopull
route 192.168.0.0 255.255.255.0

Route traffic from client to client

We want to be able to contact client2's LAN from client1 and vice versa.

client1       |-----------------------| VPN server |-----------------------|client2
192.168.0.0/24|                       |10.0.0.0/24 |                       |192.168.1.0/24
  • Follow this section : Openvpn#Client_configuration_directory
  • Edit the server configuration file ( /etc/openvpn/demovpn/server.conf )
    • uncomment or create the line : client-to-client
    • Add the following section to the file (route tells the server's kernel to send the LAN into the tunnel, push "route" tells the clients)
#############
#route
#############
#client1's LAN
route 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
#client2's LAN
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
  • Create the file /etc/openvpn/demovpn/jail/demovpn/ccd/client1 (client1 being the CN of its certificate), and add this line to it: iroute 192.168.0.0 255.255.255.0 ; iroute tells OpenVPN which client the LAN sits behind, without it the server drops packets for that LAN
  • Create the file /etc/openvpn/demovpn/jail/demovpn/ccd/client2, and add this line to it: iroute 192.168.1.0 255.255.255.0
  • Restart the VPN : service openvpn restart 1_demovpn
  • To do on client1 and client2, which act as gateways for their LAN
    • Enable IP forwarding : Openvpn#Enable_routing
    • Masquerade the traffic coming from the VPN : iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE (eth0 being the LAN interface). This covers packets from VPN addresses only ; packets from the other site's LAN keep their 192.168.x.x source address, so either masquerade those as well or give the LAN hosts a route to the other LAN via the client.
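The global `push "route ..."` lines above also tell client1 to route its own LAN through the tunnel (on Linux the kernel rejects the duplicate route and OpenVPN only logs an error, but it is cleaner not to push it). The script below is an added example, not part of the original page, that generates the server route lines and one ccd file per site from a list of "client LAN" pairs, pushing each LAN only to the other sites. The client names and LANs are the page's example values; the output directory, the SITES variable and the function names are this example's own.

```shell
#!/bin/bash
# Added example: generate server route lines and per-site ccd files for the
# client-to-client LAN setup above. Not part of the original page.

# prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_mask() {
    p="$1"
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( mask >> 24 & 255 )) $(( mask >> 16 & 255 )) $(( mask >> 8 & 255 )) $(( mask & 255 ))
}

# Sites, one "client_cn lan_cidr" per line (constructed from the page's example)
SITES="client1 192.168.0.0/24
client2 192.168.1.0/24"

# gen_site_routes OUTDIR -> OUTDIR/server-routes.conf (to include in server.conf)
#                           and OUTDIR/ccd/<client_cn> (to copy into the jail's ccd)
gen_site_routes() {
    outdir="$1"
    mkdir -p "$outdir/ccd"
    : > "$outdir/server-routes.conf"
    printf '%s\n' "$SITES" | while read -r name cidr; do
        [ -n "$name" ] || continue
        net="${cidr%/*}"; mask=$(prefix_to_mask "${cidr#*/}")
        # server.conf : kernel route into the tunnel for every site LAN
        printf 'route %s %s\n' "$net" "$mask" >> "$outdir/server-routes.conf"
        # ccd/<cn> : this client owns its LAN ...
        printf 'iroute %s %s\n' "$net" "$mask" > "$outdir/ccd/$name"
        # ... and gets every *other* site's LAN pushed, never its own
        printf '%s\n' "$SITES" | while read -r other ocidr; do
            [ -n "$other" ] && [ "$other" != "$name" ] || continue
            printf 'push "route %s %s"\n' "${ocidr%/*}" "$(prefix_to_mask "${ocidr#*/}")" >> "$outdir/ccd/$name"
        done
    done
}
```

Run `gen_site_routes /tmp/routes`, append `/tmp/routes/server-routes.conf` to server.conf (keep `client-to-client` and `client-config-dir demovpn/ccd`) and copy `/tmp/routes/ccd/*` into /etc/openvpn/demovpn/jail/demovpn/ccd/. Road-warrior clients that are not sites still need the LAN routes pushed, either globally as on the page or from their own ccd files.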

Client's Static IP

For some reason, you may need some clients to have a static IP (example : an internal DNS server)

  • Follow this section : Openvpn#Client_configuration_directory
  • Then edit /etc/openvpn/demovpn/jail/demovpn/ccd/fixipclient (fixipclient being the CN of the client's certificate), and add this line to it: ifconfig-push 10.0.0.6 10.0.0.5
  • Restart the OpenVPN server
  • Your client (here fixipclient) will get 10.0.0.6

The two addresses are the client's address and the server-side address of its point-to-point link. With the default topology net30 (the one this page uses) every client owns one /30 of the VPN subnet, the server keeps the first one (10.0.0.1/10.0.0.2) for itself and hands out the others from 10.0.0.4 upward. Linux clients accept any pair, but the Windows TAP driver only accepts the two host addresses of a /30, so stick to valid pairs everywhere:

  • 10.0.0.0 - NOK (network address of the first /30)
  • 10.0.0.1 - NOK (the server's own address)
  • 10.0.0.2 - NOK (the server's peer address)
  • 10.0.0.3 - NOK (broadcast address of the first /30)
  • 10.0.0.4 - NOK (network address)
  • 10.0.0.5 - OK (server-side address)
  • 10.0.0.6 - OK (client address)
  • 10.0.0.7 - NOK (broadcast address)
  • 10.0.0.8 - NOK (network address)
  • ...

OpenVPN does not reserve ifconfig-push addresses in the dynamic pool, so pick static /30s away from the ones handed out first (the top of the range, for instance 10.0.0.250/10.0.0.249). Alternatively set topology subnet on the server (and push it to the clients); ifconfig-push then takes a single address and a netmask, e.g. ifconfig-push 10.0.0.3 255.255.255.0, and the /30 rule disappears.
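Working out valid net30 pairs by hand is error-prone, so here is an added example (not part of the original page) that computes the pair for the N-th client /30 of the page's 10.0.0.0/24 and checks whether a given address is a usable net30 client address. It assumes a /24 server subnet with the server holding the first /30, as the `server 10.0.0.0 255.255.255.0` line above implies; the function names are this example's own.

```shell
#!/bin/bash
# Added example: ifconfig-push pair calculator and validator for topology net30.
# Not part of the original page.

# dotted IPv4 -> integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# integer -> dotted IPv4
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( $1 >> 24 & 255 )) $(( $1 >> 16 & 255 )) $(( $1 >> 8 & 255 )) $(( $1 & 255 ))
}

# net30_pair SUBNET N -> "client_ip server_peer_ip" for the N-th client /30 (N >= 1),
# skipping the first /30, which the server keeps for itself
net30_pair() {
    base=$(ip_to_int "$1"); n="$2"
    block=$(( base + 4 * n ))          # network address of the client's /30
    echo "$(int_to_ip $(( block + 2 ))) $(int_to_ip $(( block + 1 )))"
}

# net30_check SUBNET IP -> 0 if IP is a usable net30 client address, 1 otherwise
# (inside the server's own /30, or the network/broadcast address of a /30)
net30_check() {
    base=$(ip_to_int "$1"); ip=$(ip_to_int "$2")
    off=$(( ip - base ))
    [ "$off" -ge 4 ] || return 1       # .0-.3 belong to the server
    case $(( off & 3 )) in
        1|2) return 0 ;;               # host addresses of the /30
        *)   return 1 ;;               # .0 network / .3 broadcast of the /30
    esac
}
```

To give the first static client its ccd line: `echo "ifconfig-push $(net30_pair 10.0.0.0 1)" > /etc/openvpn/demovpn/jail/demovpn/ccd/fixipclient`, which writes `ifconfig-push 10.0.0.6 10.0.0.5`; `net30_check 10.0.0.0 10.0.0.3` fails, which is why that address is marked NOK above.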

Share Port 443 with apache web server

OpenVPN's port-share hands every incoming TCP connection that does not start like the OpenVPN protocol over to another address, so a single port 443 can serve both the VPN and a web server. It only works with proto tcp.

  • Edit /etc/openvpn/demovpn/server.conf
proto tcp
port 443
port-share 127.0.0.1 8443
#...
  • Configure Apache to listen for HTTPS on 127.0.0.1:8443 ; browsers still connect to port 443 and OpenVPN forwards them
  • Clients then use proto tcp-client and port 443, and the firewall rule has to allow tcp/443 instead of udp/123

Client configuration

Server side

Client key generation

cd /etc/openvpn/demovpn/easy-rsa/
source vars
./pkitool client_name

Linux client config directory - 1st method

Replace client_name by your client name

  • Create clientconf directory
mkdir -p /etc/openvpn/demovpn/clientconf/client_name
cd /etc/openvpn/demovpn/clientconf/client_name
cp /etc/openvpn/demovpn/keys/{ca.crt,da.key,client_name.crt,client_name.key} . #Multi file copy
  • Edit config file /etc/openvpn/demovpn/clientconf/client_name/client_name.conf (the key paths are relative to /etc/openvpn on the client, where the directory gets copied)
# Client
client
dev tun
proto udp # must match the server's proto (tcp-client if the server runs proto tcp)
remote A.B.C.D # Replace A.B.C.D by the server's public IP
port 123
resolv-retry infinite
# Security : cipher and auth must match the server's, otherwise the HMAC check fails
cipher AES-256-CBC
auth SHA512
nobind
persist-key
persist-tun
comp-lzo
remote-cert-eku "TLS Web Server Authentication" # only accept a certificate issued for server use
# keys
ca client_name/ca.crt
cert client_name/client_name.crt # To replace
key client_name/client_name.key # To replace
tls-auth client_name/da.key 1 # direction 1 on the client, the server uses 0
key-direction 1
  • Easiest method, but the whole directory has to be copied to the client as /etc/openvpn/client_name (with the .conf placed in /etc/openvpn), and it only works on Linux

Linux client config file - 2nd and better method

  • Create clientconf directory
mkdir -p /etc/openvpn/demovpn/clientconf/client_name
  • Edit config file /etc/openvpn/demovpn/clientconf/client_name/client_name.conf
# Client
client
dev tun
proto udp # must match the server's proto (tcp-client if the server runs proto tcp)
remote A.B.C.D # Replace A.B.C.D by the server's public IP
port 123
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
# Security : cipher and auth must match the server's, otherwise the HMAC check fails
cipher AES-256-CBC
auth SHA512
remote-cert-eku "TLS Web Server Authentication"
# keys : inlined below ; tls-auth direction 1 on the client, the server uses 0
key-direction 1
  • Adapt and run these commands to append the CA, the certificate, the key and the tls-auth key to the config file (every block needs its closing tag and the redirection)
CONF=/etc/openvpn/demovpn/clientconf/client_name/client_name.conf
KEYS=/etc/openvpn/demovpn/keys
{
  echo "<ca>";       cat $KEYS/ca.crt;          echo "</ca>"
  echo "<cert>";     cat $KEYS/client_name.crt; echo "</cert>"
  echo "<key>";      cat $KEYS/client_name.key; echo "</key>"
  echo "<tls-auth>"; cat $KEYS/da.key;          echo "</tls-auth>"
} >> $CONF
chmod 600 $CONF # the file now contains the client's private key

Android and mac config file

  • Generated from 2nd method
cd /etc/openvpn/demovpn/clientconf/client_name/
cp client_name.conf client_name.ovpn

Windows config file

  • Generated from 2nd method
cd /etc/openvpn/demovpn/clientconf/client_name/
cp client_name.conf client_name_windows.ovpn
echo "route-method exe" >> client_name_windows.ovpn
echo "route-delay 2" >> client_name_windows.ovpn
echo "win-sys env" >> client_name_windows.ovpn
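The three profile variants above (Linux, Android/Mac, Windows) differ only in the trailing Windows lines, so they can be produced by one function. The script below is an added example, not part of the original page or of OpenVPN, that writes a complete single-file profile with the keys inlined, refuses to emit a half-built profile when a file is missing, and appends the Windows lines on request. It expects a keys directory laid out like /etc/openvpn/demovpn/keys; the function names, the OVPN_PORT/OVPN_PROTO variables and the "windows" argument are this example's own.

```shell
#!/bin/bash
# Added example: generate an OpenVPN client profile with inlined keys.
# Not part of the original page.

# inline_section TAG FILE -> prints <TAG> ... </TAG> around the file's content
inline_section() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_client_profile KEYS_DIR CLIENT_NAME SERVER_ADDRESS [windows] -> profile on stdout
# OVPN_PORT / OVPN_PROTO default to the page's udp/123 and must match the server
make_client_profile() {
    keys="$1"; name="$2"; remote="$3"; platform="${4:-}"
    # every file must be present before anything is written
    for f in ca.crt "$name.crt" "$name.key" da.key; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto ${OVPN_PROTO:-udp}
remote $remote ${OVPN_PORT:-123}
resolv-retry infinite
nobind
persist-key
persist-tun
# must match the server's cipher/auth, otherwise the HMAC check fails
cipher AES-256-CBC
auth SHA512
# only accept a server certificate issued for server use
remote-cert-eku "TLS Web Server Authentication"
comp-lzo
verb 3
# tls-auth key direction : server 0, clients 1
key-direction 1
EOF
    # Windows TAP driver: the route handling lines from the Windows section above
    if [ "$platform" = windows ]; then
        printf 'route-method exe\nroute-delay 2\nwin-sys env\n'
    fi
    inline_section ca "$keys/ca.crt"
    inline_section cert "$keys/$name.crt"
    inline_section key "$keys/$name.key"
    inline_section tls-auth "$keys/da.key"
}
```

Usage on the server: `make_client_profile /etc/openvpn/demovpn/keys client_name A.B.C.D > client_name.ovpn` for Linux, Android and Mac, the same call with a trailing `windows` for `client_name_windows.ovpn`, then `chmod 600` on the result since it holds the private key.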

Client side - Linux

  • Get the config file (it contains the client's private key : transfer it over a secure channel and keep it mode 600)
  • Install OpenVPN : sudo aptitude install openvpn -y
  • Copy the config to the OpenVPN directory : sudo cp client_name.conf /etc/openvpn
  • Start the VPN : sudo service openvpn start client_name

Elliot
techUnit's cofounder