OpenVPN
Contents
- 1 Removing
- 2 Certificate Revocation
- 3 iptables/route
- 4 Setup
- 5 Setup Firewall and IP Forwarding UFW
- 6 Enable and Setup IP Forwarding Linux/Debian
- 7 Installing a DNS Server to tunnel DNS over VPN
- 8 Creating an additional OpenVPN interface in Windows
- 9 OpenVPN Access Server Install Debian 6.0 AKA Squeeze
- 10 OpenVPN Monitor
Removing
I tried OpenVPN Manager 0.0.3.8 - the latest release. Now it works fine, the selected config is the one that is actually used. It is a little tricky to get rid of OpenVPN Manager 0.0.3.6, it doesn't have a nice uninstall: a) Copy all the config files from C:\Program Files\OpenVPN\OpenVPN Manager\config and save them somewhere. b) Delete the OpenVPNManagger service: > sc delete OpenVPNManager c) Delete C:\Program Files\OpenVPN\OpenVPN Manager (this folder and everything under it) OpenVPN Manager 0.0.3.8 is much better. The pre-built Windows installer is here: http://openvpn.jowisoftware.de/downloads/ The source code is here: https://github.com/jochenwierum/openvpn-manager It installs to its own folder in Program Files, and has a Control Panel/Programs entry of its own. After installing 0.0.3.8, copy the config files to: C:\Program Files\OpenVPN Manager\config Can the OpenVPN Manager built into the Client Export Utility be updated to 0.0.3.8 please? OpenVPN Manager provides a command line interface which can be used to control the connections. So far, there are two interesting commands: -connect "name" connects to the virtual private network name. The name is identical to the one you see in the main window. -disconnect "name" disconnects from the vpn name. -quit quits OpenVPN Manager -install install the OpenVPN Manager Service (see this howto for more information) -uninstall uninstall the OpenVPN Manager Service
Certificate Revocation
./build-key-pkcs12 revoked ./revoke-full revoked crl-verify /path/name/crl.pem
Notes
this is from a CRL file, dumped with: openssl -in <crl> -noout -text
iptables/route
/etc/networking/interfaces
up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
/etc/init.d/vpnroute
#!/bin/bash /sbin/route add -net 10.37.161.0 netmask 255.255.255.0 gw 10.37.161.1
Setup
Copied From: http://www.monkeedev.co.uk/blog/2009/03/06/setting-up-openvpn-in-debianubuntu/
This is little bit later than I originally intended but I finally got around to setting up OpenVPN, and here’s how I did it.
This guide is pretty simple to follow and should have an OpenVPN server on debian or ubuntu working within half an hour. I’ll also explain how to connect to the VPN from a windows PC.
First, install OpenVPN on the server (you’ll need to be root for all of this guide)
apt-get install openvpn
Next, we need to configure the server. You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server. In this guide I will use tap because I find that it works better with windows clients.
Now you need to create certificates for the server and client for authentication purposes (which is much more secure than the passwords used in pptp). This is done through a number of steps:
Preparing to generate the keys
mkdir /etc/openvpn/easy-rsa cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Now you need to edit /etc/openvpn/easy-rsa/vars with your required settings. You only really need to change the last section which is the default values for the fields in the certificates.
Generate the certificate authority (CA) which will be used to sign the server and client certificates.
cd /etc/openvpn/easy-rsa
source ./vars ./clean-all ./build-ca
Next, we need to create the server keys
./build-key-server servername
Answer ‘yes’ when asked to sign the certificate and commit to the database, and then you’ll need to generate the diffie-hellman parameters which are used for key exchange between the client and server.
./build-dh
For further security it is recommended that you also do a tls-auth key.
openvpn --genkey --secret ta.key
This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.
In the server configuration, add:
tls-auth ta.key 0
In the client configuration, add:
tls-auth ta.key 1
And finally, create some client keys which will be used to allow clients to authenticate with the server. I prefer to use pkcs12 which stores the client public key and certificate in one passworded file.
./build-key-pkcs12 client1
As before, sign the key and commit to the database. You will be asked for a password which the client will use to connect to the server.
Now all the keys are created, we need to configure the server.
vim /etc/openvpn/server.conf (add the following lines) port 443 proto tcp dev tap ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/servername.crt key /etc/openvpn/easy-rsa/keys/servername.key dh /etc/openvpn/easy-rsa/keys/dh1024.pem ifconfig-pool-persist ipp.txt server-bridge 10.1.0.1 255.255.255.0 10.1.0.236 10.1.0.245 push “route 10.0.0.0 255.0.0.0″ keepalive 10 120 comp-lzo persist-key persist-tun status /var/log/openvpn-status.log verb 3
Created by me:
port 11111 prote tcp dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/bla.crt key /etc/openvpn/easy-rsa/keys/bla.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.xxx.xxx.0 255.255.255.0 #client-to-client cipher AES-256-CBC keepalive 10 120 comp-lzo max-clients 20 verb 11
client-config-dir ccd log-append openvpn.log status openvpn-status.log
ifconfig-pool-persist ipp.txt route 192.168.0.0 255.255.255.0 #crl-verify crl.pem max-routes-per-client 3000 management localhost 11111
The only lines which you will need to change are ‘server-bridge’, which is simply the default gateway, subnet mask, and the start and end IP’s to assign the clients, and the push route, which pushes specific routes to all clients.
Now we need to create an ethernet bridge. First, we need to install bridge-utils:
apt-get install bridge-utils
Rather than explain how to set up a network bridge, I found a shell script which will do it for you. This can be found here. Just edit this with your network settings and execute it. You will also need to set it to create the bridge at boot time:
update-rc.d bridge defaults
Now you can start the openvpn server
/etc/init.d/openvpn start
Now we need to set up the windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters
client dev tap proto tcp remote x.x.x.x 443 # (replace with your server IP) resolv-retry infinite nobind pkcs12 client1.p12 # (replace with the client name) ns-cert-type server comp-lzo verb 3
You can also add ‘redirect-gateway’ to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).
Now copy the client1.p12 certificate file to the config directory on the client, start the gui, and connect. Everything should now work.
If you need to create any clients in the future, do the following:
cd /etc/openvpn/easy-rsa source ./vars ./build-key-pkcs12 clientx
If one of your certificates is compromised, you can revoke it using the guide here.
This guide has been written from my notes and what I remember, so there may be a couple of things which aren’t 100% right. If anything goes wrong then post a comment or contact me and I’ll update the guide.
Notes
Setup Firewall and IP Forwarding UFW
You still need to enable forwarding. See the iptables section below. You should prolly disable ipv6 too.
You also want to edit /etc/default/ufw:
/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
And change the default forward policy to accept.
You want to edit /etc/ufw/before.rules and add below
/etc/ufw/before.rules
#NAT rules for internet out from VPN *nat :POSTROUTING ACCEPT [0:0] #forward vpn traffic through eth0 -A POSTROUTING -s VPN.NET.WORK.ADDY/24 -o eth0 -j MASQUERADE #COMMIT NAT COMMIT
You also want to add more but in a different section:
/etc/ufw/before.rules
# Don't delete these required lines, otherwise there will be errors *filter #More NAT rules for VPN -A ufw-before-input -i tun+ -j ACCEPT -A ufw-before-output -i tun+ -j ACCEPT -A ufw-before-forward -s VPN.NET.WORK.ADDY/24 -j ACCEPT -A ufw-before-forward -d VPN.NET.WORK.ADDY/24 -j ACCEPT #End added NAT rules for VPN
You also want to:
ufw allow port/protocol ufw allow from VPN.NET.WORK.ADDY/24
Enable and Setup IP Forwarding Linux/Debian
Check if IP Forwarding is enabled
#sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 or cat /proc/sys/net/ipv4/ip_forward 0
As we can see in both the above examples this was disabled (as show by the value 0).
Enable IP Forwarding on the fly
#sysctl -w net.ipv4.ip_forward=1 or #echo 1 > /proc/sys/net/ipv4/ip_forward
Permanent setting using /etc/sysctl.conf
- /etc/sysctl.conf:
net.ipv4.ip_forward = 1 #sysctl -p /etc/sysctl.conf
TUN/TAP forwarding: Allow TUN interface connections to OpenVPN server
# iptables -A INPUT -i tun+ -j ACCEPT
Allow TUN interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tun+ -j ACCEPT
Allow TAP interface connections to OpenVPN server
# iptables -A INPUT -i tap+ -j ACCEPT
Allow TAP interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tap+ -j ACCEPT
- rule iptables for internet sharing from eth1 to eth0.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables-save
iptables -t nat -A POSTROUTING -s 10.234.134.0/24 -o eth0 -j MASQUERADE
or the real way
http://wiki.debian.org/iptables
add route perm make a exe file /etc/init.d/vpnroute and add the route to file
route add -net 10.37.161.0 netmask 255.255.255.0 gw 10.37.161.1
Notes
- http://www.cyberciti.biz/faq/flush-iptables-ubuntu-linux/
- https://forums.openvpn.net/topic9465.html
- http://www.linuxquestions.org/questions/linux-networking-3/how-to-add-a-persistent-route-in-debian-linux-623771/
Installing a DNS Server to tunnel DNS over VPN
You want to tunnel your DNS over the VPN. It is more secure espically on hostile networks. Personally I use ubound because I like DNSSEC but as I read into it and use it more I know on some parts of the internet DNSSEC just is not working or fails if you do not configure it right. For now this guide will show you how to use bind9 as a DNS proxy. I have also used unbound.
apt-get install bind9 bind9-doc dnsutils resolvconf
/etc/bind/named.conf.options
// I comment this line simply because I am not using ipv6 // listen-on-v6 { any; };
Add the lines below to the file too:
/etc/bind/named.conf.options
version "not currently available"; listen-on { 127.0.0.1; THE.VPN.TUN0.IP; }; forwarders { 8.8.8.8; 8.8.4.4; }; forward only; max-ncache-ttl 3; # 3 seconds allow-transfer { none; }; allow-update-forwarding { none; }; allow-notify { none; };
You also want to:
nano -w /etc/init.d/bind9
and change the line:
# Required-Start: $remote_fs
to:
# Required-Start: $remote_fs openvpn
So that bind9 starts after OpenVPN so it can bind to the VPN ip.
Notes
Creating an additional OpenVPN interface in Windows
It was bitching about being not having an additional tun interface. I still had tun0 and tun1 in the config files and did not test if something more generic would work like just tun.
A command from a forum post:
C:\>"C:\Program Files (x86)\OpenVPN\bin\tapinstall.exe" install "C:\Program Files (x86)\OpenVPN\driver\OemWin2k.inf" tap0901
https://forums.openvpn.net/topic8236.html
I have to figure out what the tap0901 means but it looks like if you pass help install that it is a hardware id. It most likely identifies what to pull from the driver.
Found it in official docs: http://openvpn.net/index.php/open-source/documentation/install.html?start=1
Notes -- Manual Install/Update/Uninstall of the TAP-Win32 kernel driver
This is best done using tapinstall.exe, a utility based on a DDK sample which is distributed with the self-installing form of OpenVPN on Windows. Cd to the directory which contains OemWin2k.inf and tap0801.sys.
To install:
tapinstall install OemWin2k.inf TAP0801
To update:
tapinstall update OemWin2k.inf TAP0801
To uninstall:
tapinstall remove TAP0801
By installing multiple times, you will create additional TAP-Win32 adapter instances, which can be used for multiple concurrent VPN tunnels.
It is also possible to install using Control Panel -> Add New Hardware, and it is possible to uninstall using Control Panel -> System -> Hardware -> Device Manager.
OpenVPN Access Server Install Debian 6.0 AKA Squeeze
- wget the proper file
- install instructions:
Notes
OpenVPN Monitor
It is a python script that runs with mod_python so:
apt-get install libapache2-mod-python libapache2-mod-python-doc
Should install apache2 also as a dep.
In your server.conf you need:
management localhost aport
Put openvpn-monitor in your /var/www then:
chown -R www-data:www-data /var/www/*
nano /etc/apache2/sites-available/default
and add:
AddHandler cgi-script .py Options +ExecCGI
to the directory/site that you would like.
You need to edit: openvpn-monitor.cfg
[VPN1] host=127.0.0.1 port=younumbericport name=VPN
You need to edit: openvpn-monitor.py
CONFIG_FILE = "/config/file/location/whatever.cfg"
I also needed to change this:
locale.setlocale(locale.LC_ALL, 'en_GB.UTF-8')
to
locale.setlocale(locale.LC_ALL, 'en_US.UTF-8')
You also need:
aptitude install python-geoip
You are going to need a GeoIP City database:
cd /usr/share/GeoIP/ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz gunzip GeoLiteCity.dat.gz mv GeoLiteCity.dat GeoIPCity.dat
For password protection to the openvpn dir:
nano 000-default
add/change
AllowOverride AuthConfig
mkdir /etc/apache2/passwords htpasswd -c /etc/apache2/passwords/shadow ausername
nano .htaccess
.htaccess
AuthType Basic AuthName "Restricted Files" AuthUserFile /etc/apache2/passwords/shadow Require user ausername
Notes
index.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>w00t</title> <meta http-equiv="REFRESH" content="0;url=http://server.ip.or.host/script.py"></HEAD> <BODY> w00t </BODY> </HTML>
- Pfsense management interface hack: http://forum.pfsense.org/index.php?topic=46398.0
ncat -l -k -p 5001 -c 'nc -U /var/etc/openvpn/server1.sock'