Difference between revisions of "OpenVPN"

From ArchWiki
Jump to: navigation, search
(Routing the LAN of the server to a client: improve the heading)
(Routing the server side LAN to a client: rework the section)
Line 569: Line 569:
 
* The server (elmer) is on a LAN using the 10.66.0.0/24 [[Wikipedia:Private_network|private network range]].
 
* The server (elmer) is on a LAN using the 10.66.0.0/24 [[Wikipedia:Private_network|private network range]].
 
* The server's LAN network interface is called eth0.
 
* The server's LAN network interface is called eth0.
* The client (bugs) is assigned an ip address out of the address pool 10.8.0.0/24, as specified by the server directive in the server's configuration file (/etc/openvpn/server.conf):
+
* The client (bugs) is assigned an ip address out of the address pool 10.8.0.0/24.
{{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}
 
  
As OpenVPN will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes effect at the next boot.
+
As OpenVPN will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding (takes effect at the next boot):
 
{{hc|/etc/sysctl.conf|<nowiki>
 
{{hc|/etc/sysctl.conf|<nowiki>
 
# Enable packet forwarding
 
# Enable packet forwarding
Line 578: Line 577:
 
</nowiki>}}
 
</nowiki>}}
  
To temporarily enable without rebooting do: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}
+
To temporarily enable without rebooting: {{bc|# echo 1 > /proc/sys/net/ipv4/ip_forward}}
  
 
{{Accuracy|Investigate if scripts hooked into openvpn can do this,  http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR}}
 
{{Accuracy|Investigate if scripts hooked into openvpn can do this,  http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR}}
As the server will have to accept traffic destined to a different IP than it's LAN interface (eth0) is configured for, it needs to be set to [[Wikipedia:Promiscuous_mode|promiscious mode]].  Add the following to /etc/rc.local: {{hc|/etc/rc.local|ip link set dev eth0 promisc on}}  Takes effect at the next boot, to enable it without rebooting do: {{ic|# ip link set dev eth0 promisc on}}
 
  
To inform the client about the available subnet, add a push directive to the server configuration file:
+
As the server will have to accept LAN traffic destined to a different IP address than its LAN interface (eth0) is configured for, it needs to be set to [[Wikipedia:Promiscuous_mode|promiscious mode]].  Add the following to /etc/rc.local (takes effect at the next boot): {{hc|/etc/rc.local|ip link set dev eth0 promisc on}}
  
{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
+
To temporarily enable without rebooting: {{ic|# ip link set dev eth0 promisc on}}
 +
 
 +
To assign the client an address out of the address pool 10.8.0.0/24, add a server directive to the server configuration file: {{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}
 +
 
 +
To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
  
 
{{Note|If the server (elmer) is not the default LAN gateway on the server side, you will have to do one of the following:
 
{{Note|If the server (elmer) is not the default LAN gateway on the server side, you will have to do one of the following:

Revision as of 17:38, 23 August 2012

zh-CN:OpenVPN

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: (at least) add support for ipv6 and L2 ethernet bridging (Discuss in Talk:OpenVPN#)

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the official OpenVPN 2.2 man page and the OpenVPN documentation.

OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.

Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.

OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Installing OpenVPN

Install openvpn from the official repositories.

Note: The software contained in this package supports both server and client mode, so install it on all machines that need to create vpn connections.

Configuring the system for TUN/TAP support

OpenVPN requires TUN/TAP support. Make sure to load the TUN module.

/etc/modules-load.d/tun.conf
# Load tun.ko at boot
tun

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Is the rest of this section really needed, seeing that the default kernel already builds the tun/tap module? (Discuss in Talk:OpenVPN#)

The default kernel is already properly configured, but if you build your own kernel make sure to enable the TUN/TAP module.

Kernel config file
Device Drivers --->
   Network device support --->
[*]Network device support
<M>   Universal TUN/TAP device driver support 

To see if your running kernel has this support enabled, run the following and check the output:

[myuser@rpi0 ~]# zgrep CONFIG_TUN /proc/config.gz 
CONFIG_TUN=m

CONFIG_TUN should be either 'm' or 'y'.

Connecting to a VPN provided by a third party

To connect to a VPN provided by a third party, most of the following can most likely be ignored. Use the certificates and instructions given by your provider, for instance see: Airvpn.

Creating a Public Key Infrastructure (PKI)

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). The PKI consists of:

  • A public master Certificate Authority (CA) certificate and a private key.
  • A separate public certificate and private key for each server and each client.

To facilitate the key/certificate creation process, OpenVPN comes with a collection of RSA key manangement scripts (based on the openssl command line tool) known as easy-rsa.

Note: Only .key files need to be kept secret, .crt and .csr files can be sent over insecure channels such as plaintext email.

In this article the needed keys and certificates are created in root's home directory. This ensures that the generated files have the right ownership and permissions, thus being safe from other users.

Note: The keys and certificates can be created on any machine. For the highest security, generate the keys on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and never accessible to anyone.
Warning: Make sure that the generated files are backed up, especially the ca.key and ca.crt files, since if lost you will not be able to create any new, nor revoke any comprised keys and certificates, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating the entire PKI infrastructure.

Installing the easy-rsa scripts

Install the scripts by doing the following:

# cp -r /usr/share/openvpn/easy-rsa /root

Creating keys and certificates

Now you need to create the needed keys and certificates.

Change to the directory where you installed the scripts.

# cd /root/easy-rsa

To ensure the consistent use of values when generating the PKI, set default values to be used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 for the SSL/TLS to use 2048bit RSA keys for authentication.

/root/easy-rsa/vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# do not edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Do not leave any of these fields blank.


export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Acme Acres"
export KEY_ORG="Acme"
export KEY_EMAIL="roadrunner@acmecorp.org"
#export KEY_EMAIL=mail@host.domain
export KEY_CN=Acme-CA
export KEY_NAME=Acme-CA
export KEY_OU=""
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Export the environment variables.

# source ./vars

Delete any previously created certificates and keys.

# ./clean-all
Note: Entering a . (dot) when prompted for a value, blanks out the parameter.

The build-ca script generates the Certificate Authority (CA) certificate/key pair.

# ./build-ca
Generating a 2048 bit RSA private key
..............++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Acme-CA]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

The build-key-server script (followed by the server name) generates a certificate/key pair for a server. Make sure that the server name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.
# ./build-key-server elmer
Generating a 2048 bit RSA private key
.....................++++++
.......................................................++++++
writing new private key to 'elmer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [elmer]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'elmer'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The build-dh script generates the Diffie-Hellman parameters .pem file needed by the server.

Note: It would be better to generate a new one for each server, but you can use the same one for your servers if you want to.
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+.............................................................................
.
.
.
............+...............+...................................................
..................................................................++*++*

The build-key script (followed by a client name) generates a certificate/key pair for a client. Make sure that the client name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.
# ./build-key bugs
Generating a 2048 bit RSA private key
....++++++
.............................................................++++++
writing new private key to 'bugs.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [bugs]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'bugs'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate a secret Hash-based Message Authentication Code (HMAC) by running: # openvpn --genkey --secret /root/easy-rsa/keys/ta.key

This will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition any UDP packet not having the correct HMAC signature will be immidiately dropped, protecting against:

  • Portscanning.
  • DOS attacks on the OpenVPN UDP port.
  • SSL/TLS handshake initiations from unauthorized machines.
  • Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.

All the created keys and certificates have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.

Warning: This will delete any previously generated keys and certificates stored in /root/easy-rsa/keys.

The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.

Note: In this article the keys and certificates will be placed into /etc/openvpn on the server and the client.

The public ca.crt certificate will be needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.

The public server.crt, and dh2048.pem, and private server.key and ta.key files are needed on the server.

The public client.crt, and private client.key and ta.key files are needed on the client.

A basic OpenVPN configuration

OpenVPN is an extremely versatile software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.

What really distinguishes a server from a client is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup, and acts accordingly. In fact if it finds more than one configuration file it will start one OpenVPN processes per configuration file.

This article explains how to setup a machine that is called the server (elmer), and a machine that connects to it is called the client (bugs). More servers and clients can easily be added, by creating more key/certificate pairs and adding more server and client configuration files.

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN 2.2 man page and the OpenVPN documentation.

The server configuration file

Copy the example server configuration file to /etc/openvpn/server.conf

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the following:

  • The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 0 for a server.
  • It is recommended to run OpenVPN with reduced privileges once it has initialized, do this by uncommenting the user and group directives.
/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh2048.pem
.
.
tls-auth /etc/openvpn/ta.key 0
.
.
user nobody
group nobody
Note: Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.

The client configuration file

Copy the example client configuration file to /etc/openvpn/client.conf

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the following:

  • The remote directive to reflect the server's Fully Qualified Domain Name, hostname (as known to the client) or IP address.
  • Uncomment the user and group directives to drop privileges.
  • The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 1 for a client.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
.
user nobody
group nobody
.
.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
.
.
tls-auth /etc/openvpn/ta.key 1

Testing the OpenVPN configuration

Run # openvpn /etc/openvpn/server.conf on the server, and # openvpn /etc/openvpn/client.conf on the client. You should see something similar to this:

# openvpn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:26 2011 GID set to nobody
Wed Dec 28 14:41:26 2011 UID set to nobody
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP assigned to the tunX device:

# ip addr show
.
.
.
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client:

# ip addr show
.
.
.
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1

And the client side has been given the IP 10.8.0.6.

Now try pinging the interfaces.

On the server:

# ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
^C
--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client:

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms

You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.

Starting OpenVPN

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: This section needs to add systemd instructions (Discuss in Talk:OpenVPN#)

To manually start OpenVPN (both server and client), run:

# rc.d start openvpn

To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.

Advanced OpenVPN configuration

Routing the server side LAN to a client

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Add information on how to route several server side LANs to the client (Discuss in Talk:OpenVPN#)

Prerequisites:

  • The server (elmer) is on a LAN using the 10.66.0.0/24 private network range.
  • The server's LAN network interface is called eth0.
  • The client (bugs) is assigned an ip address out of the address pool 10.8.0.0/24.

As OpenVPN will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding (takes effect at the next boot):

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1
To temporarily enable without rebooting:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Investigate if scripts hooked into openvpn can do this, http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR (Discuss in Talk:OpenVPN#)
As the server will have to accept LAN traffic destined to a different IP address than its LAN interface (eth0) is configured for, it needs to be set to promiscious mode. Add the following to /etc/rc.local (takes effect at the next boot):
/etc/rc.local
ip link set dev eth0 promisc on

To temporarily enable without rebooting: # ip link set dev eth0 promisc on

To assign the client an address out of the address pool 10.8.0.0/24, add a server directive to the server configuration file:
/etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0
To inform the client about the available subnet, add a push directive to the server configuration file:
/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
Note: If the server (elmer) is not the default LAN gateway on the server side, you will have to do one of the following:
  • Add a static route to the LAN's default gateway (most likely the LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.
  • Add a static route to each host on the server side LAN that you want to be able to communicate with the client (bugs).
  • Use the iptables NAT feature to masquerade the IP packets.

Routing the LAN of a client to the server

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Add information on how to route several client side LANs to the server side (Discuss in Talk:OpenVPN#)

Prerequisites:

  • You must make sure that any subnets used on the client side (bugs), are unique and not in use on the server side or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • The client's LAN network interface is called eth0.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in it's config file.

As OpenVPN will need to forward packets between the tun/tap device and the LAN device, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes effect at the next boot.

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1
To temporarily enable without rebooting do:
# echo 1 > /proc/sys/net/ipv4/ip_forward
As the client will have to accept traffic destined to a different IP than the LAN interface is configured for, you will need to set it to promiscious mode. Add the following to /etc/rc.local:
/etc/rc.local
ip link set dev eth0 promisc on
Takes effect at the next boot, to enable it without rebooting do: # ip link set dev eth0 promisc on.

You must now create a client configuration directory on the server (elmer). When a client connects, the server process will check this directory for a file named the same as the client certificate's common name, and apply the directives to the client.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0. This will tell the server that the 192.168.4.0/24 subnet should be routed to the client (bugs):

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This will tell the server that the 192.168.4.0/24 subnet should be routed from the tun device to the server process. Both are needed:

/etc/openvpn/server.conf
route 192.168.4.0 255.255.255.0
Note: If the client (bugs) is not the default LAN gateway on the client side, you will need to do one of the following:
  • Add a static route to the client LAN's default gateway (most likely the client LAN router), routing the server's IP range 10.66.0.0/24 back to the client's eth0 IP address.
  • Add a static route to each host on the client side LAN that you want to be able to respond to the server.
  • Use the iptables NAT feature to masquerade the IP packets.

Routing client traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

Change "192.168.1.1" to your preferred DNS IP address.

If you have problems with non responsive DNS after connecting to server, install BIND as simple DNS forwarder and push openvpn ip address of server as DNS to clients.

Configure ufw for routing

Configure your ufw settings to enable routing traffic from clients through server.

You must change default forward policy, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes effect at the next boot.

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1

And then configure ufw in /etc/default/ufw

/etc/default/ufw
DEFAULT_FORWARD_POLICY=”ACCEPT”

Now change /etc/ufw/before.rules, add following code after header and before *filter line, don't forget to change ip range to yours

/etc/ufw/before.rules
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to eth0
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don.t delete the .COMMIT. line or these nat table rules won.t be processed
COMMIT

Open openvpn port 1194

ufw allow 1194

usage of iptables

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [1]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save

Proposed sections for future expansion of the article

Pushing DHCP options to clients

Configuring client-specific rules and access policies

Routing all client traffic through the server

Running an OpenVPN server on a dynamic IP address

Implementing a load-balancing/failover configuration

Locking down security

Security through obfuscation

Port knocking

Running in unprivileged mode

Running in a chroot jail

Larger RSA keys

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Is it worth it, or maybe better just use the default blowfish? (Discuss in Talk:OpenVPN#)

Enable the 256 bit AES (Advanced Encryption Standard) instead of the default 128 bit blowfish cryptographic cipher:

/etc/openvpn/server.conf
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
cipher AES-256-CBC

Revoking certificates

Configuring iptables for use with OpenVPN

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: This also needs a major rewrite, please take the content with a pinch of salt. (Discuss in Talk:OpenVPN#)

Add a rule for the tun devices on both the server and the client.

Note: That the order of the rules is important. See iptables for more information
/etc/iptables/iptables.rules
-A INPUT -i tun+ -j ACCEPT

Add a rule to accept connections on the OpenVPN UDP port (1194) on the server.

/etc/iptables/iptables.rules
-A INPUT -p udp --dport 1194 -j ACCEPT

If you use the iptables firewall on the server (elmer) add the following rules to /etc/iptables/iptables.rules, then restart iptables:

/etc/iptables/iptables.rules
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT

If you use the iptables firewall on the client (bugs) add the following rules to /etc/iptables/iptables.rules, then restart iptables:

/etc/iptables/iptables.rules
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT

Configuring LDAP authorization

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: what does the following do, and is the package still supported? (Discuss in Talk:OpenVPN#)

You may also want to install openvpn-authldap-pluginAUR, available in the Arch User Repository.

Deprecated older wiki content

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: See how this older content can be fitted into the new article (Discuss in Talk:OpenVPN#)

Using PAM and passwords to authenticate

port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Using certs to authenticate

port 1194
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

Routing traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

Change "192.168.1.1" to your external DNS IP address.

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [2]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save

Setting up the Client

The clientside .conf file

With password authentication

client
dev tap
proto udp
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt

passwd file (referenced by auth-user-pass) must contain two lines:

  • first line - username
  • second - password

Certs authentication

client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

Copy three files from server to remote computer.

ca.crt
client1.crt
client1.key

Install the tunnel/tap module:

 # sudo modprobe tun

To have the tun module loaded automatically at boot time add it to the Modules line in /etc/rc.conf

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.

Next, save the following script at /usr/share/openvpn/update-resolv-conf:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

[ -x /usr/sbin/resolvconf ] || exit 0

case $script_type in

up)
   for optionname in ${!foreign_option_*} ; do
      option="${!optionname}"
      echo $option
      part1=$(echo "$option" | cut -d " " -f 1)
      if [ "$part1" == "dhcp-option" ] ; then
         part2=$(echo "$option" | cut -d " " -f 2)
         part3=$(echo "$option" | cut -d " " -f 3)
         if [ "$part2" == "DNS" ] ; then
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
         fi
         if [ "$part2" == "DOMAIN" ] ; then
            IF_DNS_SEARCH="$part3"
         fi
      fi
   done
   R=""
   if [ "$IF_DNS_SEARCH" ] ; then
           R="${R}search $IF_DNS_SEARCH
"
   fi
   for NS in $IF_DNS_NAMESERVERS ; do
           R="${R}nameserver $NS
"
   done
   echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
   ;;
down)
   /usr/sbin/resolvconf -d "${dev}.inet"
   ;;
esac

Remember to make the file executable with:

 $ chmod +x /usr/share/openvpn/update-resolv-conf

Next, add the following lines to your OpenVPN client configuration file:

script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

Connecting to the Server

You need to start the service on the server

/etc/rc.d/openvpn start

You can add it to rc.conf to make it permanet.

On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the .crt/.key files. Assuming your OpenVPN config folder is called .openvpn and your client config file is vpn1.conf, to connect to the server issue the following command:

cd ~/.openvpn && sudo openvpn vpn1.conf