SDB:OpenVPN Installation and Setup


OpenVPN is a full-featured SSL VPN (Virtual Private Network) software which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

Purpose

This HowTo walks through installing and setting up an OpenVPN server and client.


Requirements

TUN/TAP

TUN/TAP must be installed and enabled. To check whether the requirement is met, run the following command:

cat /dev/net/tun

The output looks as follows:

cat: /dev/net/tun: File descriptor in bad state

That error is the expected result: it shows the device node exists and the tun module is loaded (a "No such file or directory" or "No such device" message means it is not).

Install OpenVPN

Use openSUSE package manager to install OpenVPN:

zypper in openvpn



Install Easy-RSA

Easy-rsa is a key management package based on openssl.

Use openSUSE package manager to install Easy-RSA:

zypper in easy-rsa


Generate Certificates & Keys

The values for EASYRSA_REQ_COUNTRY, EASYRSA_REQ_PROVINCE, EASYRSA_REQ_CITY, EASYRSA_REQ_ORG, EASYRSA_REQ_EMAIL and EASYRSA_REQ_OU (organizational unit) in the file /etc/easy-rsa/vars may be edited as desired.

The 'EASYRSA_KEY_SIZE' parameter in vars can be increased to 4096 for stronger keys. Doing so makes key generation substantially slower, but has no adverse effect on bandwidth. The default of 2048 is used in this document.

To edit a file such as vars, use vim:

vim /etc/easy-rsa/vars

Press the letter i to enter insert mode; when done, press the Esc key, then type :wq to save and exit the editor.

Public Key Infrastructure (PKI) Initialization

Run:

easyrsa clean-all

(This is equivalent to 'easyrsa init-pki')

It should output:

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars


WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/easy-rsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki

Run:

easyrsa build-ca

or add the 'nopass' option if you do not want the CA key protected by a passphrase:

easyrsa build-ca nopass

Press enter to accept the default values, or modify them.

It should output:

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating a 2048 bit RSA private key
..............................................................+++
...........................................+++
writing new private key to '/etc/easy-rsa/pki/private/ca.key.lyD9dCZFDq'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt

Generate Certificate & Key for Server

Run:

easyrsa build-server-full server
Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating a 2048 bit RSA private key
....................................+++
.................................................................................+++
writing new private key to '/etc/easy-rsa/pki/private/server.key.bO22znNIO3'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Oct  2 22:25:40 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Generate Certificates & Keys for 2 Clients

To generate the first client key, run:

easyrsa build-client-full client1
Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating a 2048 bit RSA private key
.............+++
............+++
writing new private key to '/etc/easy-rsa/pki/private/client1.key.dlwBEmx3SA'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Oct  2 22:28:58 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

To generate the second client key, run:

easyrsa build-client-full client2

Generate Diffie Hellman Parameters

Run:

easyrsa gen-dh

The output looks similar to:

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

..........................+.+.......................

DH parameters of size 2048 created at /etc/easy-rsa/pki/dh.pem

Key Files

Each client needs 3 files: ca.crt, clientX.crt, and clientX.key. ca.crt is located in '/etc/easy-rsa/pki/', clientX.crt in '/etc/easy-rsa/pki/issued/' and clientX.key in '/etc/easy-rsa/pki/private/'. Copy these files to the clients' computers. FileZilla with sftp is one way to transfer the files.

Alternative ways you could pull these files from the remote server:

Scp (Secure Copy); for example:

scp user@<remote-server>:/path/to/file /local/path/to/store

Rsync combined with ssh; for example:

rsync -av -e "ssh -p 22" user@<remote-server>:/path/to/file /local/path/to/store

Filename     Needed By                 Purpose                     Secret
ca.crt       server + all clients      Root CA certificate         NO
ca.key       key signing machine only  Root CA key                 YES
dh{n}.pem    server only               Diffie Hellman parameters   NO
server.crt   server only               Server certificate          NO
server.key   server only               Server key                  YES
client1.crt  client1 only              Client1 certificate         NO
client1.key  client1 only              Client1 key                 YES
client2.crt  client2 only              Client2 certificate         NO
client2.key  client2 only              Client2 key                 YES

Client Configuration

Create a client.conf file for each client with the following content:

client
remote 192.168.1.100 1194
ca "/path/to/ca.crt"
cert "/path/to/client.crt"
key "/path/to/client.key"
comp-lzo yes
cipher AES-256-CBC
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
remote-cert-tls server

Note that '192.168.1.100' should be the actual IP address of the server running OpenVPN. Also, substitute the appropriate client name for cert, key, and paths. See http://openvpn.net/index.php/open-source/documentation/howto.html#examples for more information on the configuration file.

Server Configuration

Edit the OpenVPN server configuration:

vim /etc/openvpn/server.conf

# Change to your port
port 1194

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun
topology subnet

#Certificate Configuration

#ca certificate
ca /etc/easy-rsa/pki/ca.crt
#Server Certificate
cert /etc/easy-rsa/pki/issued/server.crt

# Server key; keep this secret. askpass names a file holding the key passphrase so the daemon can start unattended
askpass /etc/easy-rsa/pki/private/server.pass
key /etc/easy-rsa/pki/private/server.key

# Diffie Hellman parameters generated by easyrsa gen-dh
dh /etc/easy-rsa/pki/dh.pem

# VPN subnet; clients receive addresses from this range when connected
server 10.8.0.0 255.255.255.0

# This line redirects all client traffic through the VPN
push "redirect-gateway def1"
push "route 192.168.0.0 255.255.255.0"

# Push DNS servers to the client; Google DNS is used here
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Allow multiple clients to connect with the same certificate and key
duplicate-cn

cipher AES-256-CBC

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#openvpn status log
status /var/log/openvpn/openvpn-status.log

#enable log
log-append /var/log/openvpn/openvpn.log

#Log Level
verb 3

Save the file and exit vi editor.
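The following linter is an added example, not part of this wiki page or of the OpenVPN project. It parses client.conf and server.conf in the format used in the Client Configuration and Server Configuration sections above and reports the hardening points those configurations rely on: it accepts the page's client.conf, flags a constructed variant that drops remote-cert-tls and uses BF-CBC, and for the page's server.conf flags duplicate-cn, the absent tls-auth/tls-crypt, the absent user/group privilege drop and the askpass file. The directive names are OpenVPN's own; the finding codes, check functions and the embedded sample configurations are the example's constructions.

```python
"""Lint OpenVPN client/server configs for the hardening points this page touches.
Added example, not from the openSUSE wiki or the OpenVPN project. The sample
configs below are constructed copies of the ones shown on the page."""

import shlex
from typing import Dict, List, Tuple

Config = Dict[str, List[List[str]]]   # directive -> list of argument lists
Finding = Tuple[str, str]             # (code, explanation); codes are this example's own

# 64-bit block ciphers and the null cipher: OpenVPN accepts them, but they are weak.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}


def parse_openvpn_config(text: str) -> Config:
    """Parse OpenVPN's `directive arg...` lines. A directive may repeat (several
    `push` lines), so each value is a list of argument lists. Lines starting with
    # or ; are comments; quoted args such as push "dhcp-option DNS 8.8.8.8" stay whole."""
    conf: Config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def _check_cipher(conf: Config) -> List[Finding]:
    """Shared check: the data-channel cipher must be pinned and not a weak one."""
    if "cipher" not in conf:
        return [("NO_CIPHER", "cipher not set; the compiled-in default applies (historically BF-CBC)")]
    args = conf["cipher"][-1]                 # last occurrence wins in OpenVPN
    name = args[0].upper() if args else "NONE"
    if name in WEAK_CIPHERS:
        return [("WEAK_CIPHER", f"cipher {name} is a 64-bit block or null cipher")]
    return []


def check_client(conf: Config) -> List[Finding]:
    findings: List[Finding] = []
    if ["server"] not in conf.get("remote-cert-tls", []):
        findings.append(("NO_REMOTE_CERT_TLS", "without 'remote-cert-tls server' any certificate "
                         "the CA signed, including another client's, is accepted as the server"))
    for directive in ("ca", "cert", "key"):
        if directive not in conf:
            findings.append((f"NO_{directive.upper()}", f"{directive} file not configured"))
    if "auth-nocache" not in conf:
        findings.append(("NO_AUTH_NOCACHE", "passwords stay cached in memory between reconnects"))
    findings.extend(_check_cipher(conf))
    return findings


def check_server(conf: Config) -> List[Finding]:
    findings: List[Finding] = []
    if "duplicate-cn" in conf:
        findings.append(("DUPLICATE_CN", "one leaked client key serves any number of clients, "
                         "and revoking it cuts off every device that shares it"))
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append(("NO_TLS_AUTH", "no tls-auth/tls-crypt: the TLS control channel answers "
                         "any source address instead of dropping unauthenticated packets first"))
    if "user" not in conf or "group" not in conf:
        findings.append(("RUNS_AS_ROOT", "no user/group directive; the daemon keeps root after init"))
    if "askpass" in conf:
        findings.append(("ASKPASS_FILE", "the key passphrase is stored in clear in the askpass "
                         "file; protect it like server.key (root-only, mode 0600)"))
    findings.extend(_check_cipher(conf))
    return findings


def finding_codes(findings: List[Finding]) -> set:
    return {code for code, _ in findings}


# Constructed sample: the client.conf from this page.
PAGE_CLIENT_CONF = """client
remote 192.168.1.100 1194
ca "/path/to/ca.crt"
cert "/path/to/client.crt"
key "/path/to/client.key"
comp-lzo yes
cipher AES-256-CBC
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
remote-cert-tls server
"""

# Constructed weak variant: no remote-cert-tls, no auth-nocache, Blowfish cipher.
WEAK_CLIENT_CONF = """client
remote 192.168.1.100 1194
ca "/path/to/ca.crt"
cert "/path/to/client.crt"
key "/path/to/client.key"
cipher BF-CBC
dev tun
proto udp
"""

# Constructed sample: an abridged server.conf from this page.
PAGE_SERVER_CONF = """port 1194
proto udp
dev tun
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
# Server key; keep this secret
askpass /etc/easy-rsa/pki/private/server.pass
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
cipher AES-256-CBC
keepalive 20 60
"""

if __name__ == "__main__":
    for name, text, check in (("client.conf", PAGE_CLIENT_CONF, check_client),
                              ("weak client.conf", WEAK_CLIENT_CONF, check_client),
                              ("server.conf", PAGE_SERVER_CONF, check_server)):
        print(name)
        for code, why in check(parse_openvpn_config(text)) or [("OK", "no findings")]:
            print(f"  {code}: {why}")
```

Run it against your own files by reading them into a string and passing the result to check_client or check_server; each finding code is stable, so the output can feed a pre-deployment check before `systemctl start openvpn@server`.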


Firewall Configuration

Open UDP port 1194 (YaST > Security and Users > Firewall > Allowed Services).

Edit sysctl.conf:

vim /etc/sysctl.conf

The change should reflect:

net.ipv4.ip_forward = 1

Save the file and exit vi editor.


For openSUSE Leap 15 and up

Using firewalld

# Open incoming connections to the server, if you haven't already done it with YaST
firewall-cmd --zone=public --add-service openvpn

# Add tun0 to the trusted zone. The device name may vary depending on how many VPNs and other services such as VMs you're running
firewall-cmd --zone=trusted --add-interface tun0

# Enable masquerading
firewall-cmd --zone=trusted --add-masquerade

# Replace eth0 with the interface (or address) through which the NAT'd traffic leaves
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Once you're happy it's working, save with
firewall-cmd --runtime-to-permanent

For openSUSE Leap 42.3

Bring up the tun0 device for the OpenVPN service with wicked:

sudo wicked ifup tun0

Enable firewall rules to start at boot:

vim /etc/rc.d/boot.local

# Allow traffic initiated from VPN to access LAN
#iptables -I FORWARD -i tun0 -o eth0  -s 10.8.0.0/24 -d 192.168.0.0/24  -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from VPN to access Internet
iptables -I FORWARD -i tun0 -o eth0  -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from LAN to access Internet
#iptables -I FORWARD -i eth0 -o eth1  -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED  -j ACCEPT

# Notice that -I is used, so when listing it (iptables -vxnL) it
# will be reversed.  This is intentional in this demonstration.

# Masquerade traffic from VPN to Internet -- done in the nat table
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

# Masquerade traffic from LAN to Internet
#iptables -t nat -I POSTROUTING -o eth1  -s 192.168.0.0/24 -j MASQUERADE

If using OpenVZ, add the following:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.100

If using KVM or other, add the following :

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Note that 192.168.1.100 is the IP address of the server and should be changed to reflect the actual value.


Start OpenVPN and Connect

Start OpenVPN:

systemctl start openvpn@server

Enable OpenVPN service to start on boot:

systemctl enable openvpn@server

To test the connection without first rebooting, run the following:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also apply all the iptables rules from the previous chapter, either by running the commands one by one or by executing '/etc/rc.d/boot.local' (check its contents first, since everything in it runs as root):

sh /etc/rc.d/boot.local

The client configuration can also be imported into the NetworkManager applet.

Hardening OpenVPN Security

See: http://openvpn.net/index.php/open-source/documentation/howto.html#security

External links