VPN.v7


Open VPN

Open VPN (At the Server)

Setting up OpenVPN between a Linux firewall/Samba server and a Windows PC.

This configuration also works for a server-to-server connection, where I needed to share one server's Samba shares with another server so all the PCs in the remote location could see the main server's Samba shares.

As with any configuration, I worked at it till it worked for me, with my settings and my peculiarities.

Sources: http://openvpn.net/index.php/open-source/documentation/howto.html

Thanks to http://www.techimo.com/forum/t176687.html (which seems to now be dead.)

YUM

yum install openvpn easy-rsa net-tools
systemctl enable openvpn@server.service

Setting up your own Certificate Authority (CA)

The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:

  • a separate certificate (also known as a public key) and private key for the server and each client, and
  • a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.

Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server). This security model has a number of desirable features from the VPN perspective:

The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it.

The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.

If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt.

  • The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
  • Note that the server and client clocks need to be roughly in sync or certificates might not work properly.

Generate the master Certificate Authority (CA) certificate & key

In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients. For PKI management, we will use a set of scripts bundled with OpenVPN.

If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory of the OpenVPN distribution. If you installed OpenVPN from an RPM file, the easy-rsa directory can usually be found in /usr/share/easy-rsa. (It's best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa directory will be in the top level directory of the expanded source tree.

Setting up Certificates

cd /etc/openvpn
cp -fr /usr/share/easy-rsa .
cd easy-rsa/2.0/

Now edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

emacs vars

Change these values to what you want; it will save you having to type them in several times.

export KEY_COUNTRY=""
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""
export KEY_OU=""

Next, initialize the PKI. On Linux/BSD/Unix [to make this work on CentOS I had to...]:

chmod 744 vars whichopensslcnf clean-all build-ca pkitool build-key-server build-key build-dh
. ./vars

Sourcing vars prints this warning:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

./clean-all

If a script complains "Please source the vars script first (i.e. "source ./vars")", source it again (this may be redundant):

source ./vars

Make sure you have edited it to reflect your configuration.

./build-ca

You should just need to [ENTER] all the questions. The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.

Generate certificate & key for server

Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:

./build-key-server "meaningful_name"

You should just need to [ENTER] all the questions, answering yes at the end.

Generate certificates & keys for 3 clients

The keys we generate next will be used by the client computers, whether a Linux server acting as a client or a Windows PC. Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key ED
./build-key Hamilton
./build-key Masterton

Remember that for each client, make sure to type the appropriate Common Name when prompted (the OpenVPN HOWTO uses "client1", "client2" and "client3"; here they are ED, Hamilton and Masterton). Always use a unique Common Name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:

./build-dh

Key Files

Now we will find our newly-generated keys and certificates in the keys sub-directory. Here is an explanation of the relevant files:

Filename      Needed By                  Purpose                      Secret
ca.crt        server + all clients       Root CA certificate          NO
ca.key        key signing machine only   Root CA key                  YES
dh{n}.pem     server only                Diffie Hellman parameters    NO
server.crt    server only                Server Certificate           NO
server.key    server only                Server Key                   YES
client1.crt   client1 only               Client1 Certificate          NO
client1.key   client1 only               Client1 Key                  YES
client2.crt   client2 only               Client2 Certificate          NO
client2.key   client2 only               Client2 Key                  YES
client3.crt   client3 only               Client3 Certificate          NO
client3.key   client3 only               Client3 Key                  YES
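The table says which files go where; before copying anything, it is worth checking that each certificate really chains to ca.crt, that the server certificate is marked as a server certificate (so a leaked client certificate cannot be used to impersonate the server against clients that use "remote-cert-tls server" or "ns-cert-type server"), that the YES files are not readable by other users, and that ca.key has not ended up on the VPN server. The script below is an added example, not part of this page or of easy-rsa: it builds a throwaway PKI with plain openssl (constructed; the names Test-CA, server and ED are assumed) laid out like the keys/ directory, and runs those checks over it. The check functions can be pointed at the real keys/ or /etc/openvpn directory.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the files easy-rsa left in
# keys/ before they go to /etc/openvpn, using plain openssl. A throwaway PKI is
# built first so the checks can be exercised without touching the real CA.
set -e

# Build a constructed PKI in directory $1 laid out like easy-rsa keys/:
# ca.crt + ca.key, server.crt + server.key, ED.crt + ED.key (one client).
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Equivalent of ./build-ca
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Equivalent of ./build-key-server server: server EKU and nsCertType=server
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nnsCertType=server\n' > "$dir/server.ext"
    issue_cert "$dir" server "$dir/server.ext"
    # Equivalent of ./build-key ED: a client-only certificate
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    issue_cert "$dir" ED "$dir/client.ext"
    chmod 600 "$dir"/*.key
}

# Key + CSR + CA-signed certificate for Common Name $2 in $1, extensions from file $3.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -extfile "$3" -out "$1/$2.crt" 2>/dev/null
}

# 1. Does certificate $2 chain to $1/ca.crt? This is what both ends verify at handshake.
chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

# 2. Is $1 marked as a server certificate (serverAuth EKU)?
is_server_cert() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; }

# 3. Common Name exactly as OpenVPN logs it and matches it against ccd/ entries.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# 4. Private keys (the YES column) must not be group- or world-readable.
key_mode_ok() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Audit directory $1 for role $2. Role "server" additionally requires that ca.key is
# absent (it belongs on the signing machine only). Prints findings; exit status = count.
audit_keys_dir() {
    dir=$1; role=$2; findings=0
    for crt in "$dir"/*.crt; do
        name=$(basename "$crt" .crt)
        [ "$name" = ca ] && continue
        chains_to_ca "$dir" "$crt" || { echo "FAIL $name.crt does not chain to ca.crt"; findings=$((findings + 1)); }
        if [ "$name" = server ]; then
            is_server_cert "$crt" || { echo "FAIL server.crt lacks the server EKU"; findings=$((findings + 1)); }
        elif is_server_cert "$crt"; then
            echo "FAIL client $name.crt carries the server EKU"; findings=$((findings + 1))
        fi
    done
    for key in "$dir"/*.key; do
        key_mode_ok "$key" || { echo "FAIL $(basename "$key") is readable by other users"; findings=$((findings + 1)); }
    done
    if [ "$role" = server ] && [ -f "$dir/ca.key" ]; then
        echo "FAIL ca.key is on the server; keep it on the signing machine only"
        findings=$((findings + 1))
    fi
    return $findings
}

# Usage on a real installation (assumed paths from this page):
#   audit_keys_dir /etc/openvpn/easy-rsa/2.0/keys signing-host
#   audit_keys_dir /etc/openvpn server
```

The role argument matters: the same directory passes as the signing host and fails as the server purely because ca.key is present, which is the point the table makes about the CA key living elsewhere.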

On the Server as router

On the Server single nic

https://forums.openvpn.net/topic9465.html

iptables -t nat -A POSTROUTING -o <local_lan_interface_name> -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o <local_lan_interface_name> -j ACCEPT
iptables -A FORWARD -i <local_lan_interface_name> -o tun+ -j ACCEPT

/sbin/iptables-save > /etc/sysconfig/iptables

This is a bit different as the server in this example is not the router for the network. On the server do the following:

Copy the server's files out of the easy-rsa keys directory:

cp /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/   [server.crt being the name you used]
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/   [server.key being the name you used]

Then create the server configuration. It must be called server.conf, because the systemd instance openvpn@server.service starts openvpn with --config server.conf:

emacs /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
mssfix 1200
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
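The server configuration above works, but it leaves out several directives that OpenVPN provides for hardening: an HMAC key on the control channel (tls-auth or tls-crypt), an explicit cipher and auth, crl-verify so that the CRL from the CA section is actually consulted, and it enables compression with comp-lzo. The script below is an added example, not from this page or from the OpenVPN project: it audits a server.conf for those points. The two sample configs are constructed for the example (the first is a copy of the page's config; the second adds the missing directives, assuming a ta.key generated with "openvpn --genkey --secret ta.key" and a crl.pem produced by easy-rsa's revoke-full script).

```shell
#!/bin/sh
# Added example (not from the wiki page): check an OpenVPN server.conf for the
# hardening directives the page's sample config leaves out. Directive names are
# OpenVPN's own; the sample configs below are constructed for this example.

# Does config file $2 set directive $1? Anchored at line start, so comments and
# similarly named directives (tls-cipher, auth-user-pass) do not match.
has_directive() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$2"
}

fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# Print one FAIL/INFO line per finding; exit status = number of FAIL lines.
audit_server_conf() {
    conf=$1; fails=0
    # Without an HMAC key on the control channel, any host on the internet can
    # make the server's TLS stack parse its packets.
    has_directive tls-auth "$conf" || has_directive tls-crypt "$conf" \
        || fail "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    # No explicit cipher means the historical default (BF-CBC on 2.3) is used.
    has_directive cipher "$conf" || fail "no cipher: relying on the historical default"
    has_directive auth "$conf" || fail "no auth: HMAC defaults to SHA1"
    # Revoking a client certificate only has effect if the server checks the CRL.
    has_directive crl-verify "$conf" || fail "no crl-verify: revoked client certificates still connect"
    # Compressing encrypted traffic leaks plaintext through packet sizes.
    ! has_directive comp-lzo "$conf" || fail "comp-lzo: compression enabled on the tunnel"
    has_directive user "$conf" && has_directive group "$conf" \
        || fail "no user/group: daemon keeps root privileges after start"
    ! has_directive client-to-client "$conf" \
        || echo "INFO client-to-client: VPN clients can reach each other directly"
    return $fails
}

# Constructed copy of the page's server.conf.
page_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
client-to-client
EOF
}

# The same config with the findings addressed. ta.key is assumed to come from
# "openssl --genkey --secret ta.key" spelled correctly as:
#   openvpn --genkey --secret ta.key
# and crl.pem from easy-rsa's revoke-full script.
hardened_conf() {
    page_conf | grep -v -e '^comp-lzo' -e '^client-to-client'
    cat <<'EOF'
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
crl-verify crl.pem
EOF
}

# Usage on a real installation: audit_server_conf /etc/openvpn/server.conf
```

Clients need the matching half of each change: the same ta.key with "tls-auth ta.key 1", the same cipher and auth values, and "remote-cert-tls server" so they only accept a certificate built with build-key-server.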

Now in one terminal run

tail -f /var/log/messages | grep openvpn

And in another

systemctl start openvpn@server.service
systemctl status -l openvpn@server.service
systemctl restart openvpn@server.service

Things to consider

Dec 17 10:56:04 server openvpn[15123]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet
Dec 17 10:56:04 server openvpn[15123]: Diffie-Hellman initialized with 2048 bit key
Dec 17 10:56:04 server openvpn[15123]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Dec 17 10:56:04 server openvpn[15123]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp2s0 HWADDR=74:d4:35:bb:63:c6
Dec 17 10:56:04 server openvpn[15123]: TUN/TAP device tun0 opened
Dec 17 10:56:04 server openvpn[15123]: TUN/TAP TX queue length set to 100
Dec 17 10:56:04 server openvpn[15123]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Dec 17 10:56:04 server openvpn[15123]: /usr/sbin/ip link set dev tun0 up mtu 1500
Dec 17 10:56:04 server openvpn[15123]: /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Dec 17 10:56:04 server openvpn[15123]: /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Dec 17 10:56:04 server openvpn[15133]: UDPv4 link local (bound): [undef]
Dec 17 10:56:04 server openvpn[15133]: UDPv4 link remote: [undef]
Dec 17 10:56:04 server openvpn[15133]: MULTI: multi_init called, r=256 v=256
Dec 17 10:56:04 server openvpn[15133]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Dec 17 10:56:04 server openvpn[15133]: IFCONFIG POOL LIST
Dec 17 10:56:04 server openvpn[15133]: Initialization Sequence Completed

What should we expect?

ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
       inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
       unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
       RX packets 0  bytes 0 (0.0 B)
       RX errors 0  dropped 0  overruns 0  frame 0
       TX packets 0  bytes 0 (0.0 B)
       TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
systemctl status openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
  Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
  Active: active (running) since Wed 2014-12-17 15:09:10 NZDT; 52min ago
 Process: 1106 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
Main PID: 1111 (openvpn)
  CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
          └─1111 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.con...
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: 202.174.170.34:60685 Data Channel Decrypt: Using 160 bit message...ation
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: 202.174.170.34:60685 Control Channel: TLSv1, cipher TLSv1/SSLv3 ...t RSA
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: 202.174.170.34:60685 [tonyarcus] Peer Connection Initiated with ...60685
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: MULTI: new connection by client 'tonyarcus' will cause previous ...nect.
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: MULTI: Learn: 10.8.0.6 -> tonyarcus/202.174.170.34:60685
Dec 17 15:33:55 server.qc.co.nz openvpn[1111]: MULTI: primary virtual IP for tonyarcus/202.174.170.34:60685: 10.8.0.6
Dec 17 15:33:57 server.qc.co.nz openvpn[1111]: tonyarcus/202.174.170.34:60685 PUSH: Received control message: '...UEST'
Dec 17 15:33:57 server.qc.co.nz openvpn[1111]: tonyarcus/202.174.170.34:60685 send_push_reply(): safe_cap=940
Dec 17 15:33:57 server.qc.co.nz openvpn[1111]: tonyarcus/202.174.170.34:60685 SENT CONTROL [tonyarcus]: 'PUSH_R...us=1)

The tonyarcus comments are just being remembered from previous starts.
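The status output above is also the place to watch for who is connecting: "Peer Connection Initiated" carries the client's Common Name and source address, "primary virtual IP" the tunnel address it was given, and the "new connection by client ... will cause previous active sessions ... to be dropped" line means the same Common Name connected twice, which is either a reconnect or one client certificate in use on two machines. The script below is an added example, not part of this page: it turns such log lines into tab-separated events. The sample log is constructed from the page's truncated lines (the second client, ED at 198.51.100.7, is made up).

```shell
#!/bin/sh
# Added example (not from the wiki page): turn OpenVPN server log lines into
# connection events so "who connected from where" and reused client
# certificates are easy to spot. Works on journalctl or /var/log/messages output.

# Constructed sample log, modelled on the lines shown on the page (which are
# truncated with "..."); the ED client and its address are made up.
sample_log() {
    cat <<'EOF'
Dec 17 15:33:55 server openvpn[1111]: 202.174.170.34:60685 [tonyarcus] Peer Connection Initiated with [AF_INET]202.174.170.34:60685
Dec 17 15:33:55 server openvpn[1111]: MULTI: new connection by client 'tonyarcus' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to connect at the same time.
Dec 17 15:33:55 server openvpn[1111]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Dec 17 15:33:55 server openvpn[1111]: MULTI: primary virtual IP for tonyarcus/202.174.170.34:60685: 10.8.0.6
Dec 17 15:40:02 server openvpn[1111]: 198.51.100.7:41022 [ED] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
Dec 17 15:40:02 server openvpn[1111]: MULTI: primary virtual IP for ED/198.51.100.7:41022: 10.8.0.10
EOF
}

# Read log lines on stdin; print tab-separated EVENT, CN, PEER, DETAIL records.
parse_openvpn_log() {
    awk -v q="'" '
    /Peer Connection Initiated/ {
        # ... 202.174.170.34:60685 [tonyarcus] Peer Connection Initiated with ...
        for (i = 3; i <= NF; i++) if ($i == "Peer") { cn = $(i - 1); peer = $(i - 2); break }
        gsub(/\[|\]/, "", cn)
        printf "CONNECT\t%s\t%s\t-\n", cn, peer
    }
    /MULTI: primary virtual IP for/ {
        # ... primary virtual IP for tonyarcus/202.174.170.34:60685: 10.8.0.6
        split($(NF - 1), a, "/"); sub(/:$/, "", a[2])
        printf "ASSIGN\t%s\t%s\t%s\n", a[1], a[2], $NF
    }
    /MULTI: new connection by client/ {
        # The CN sits between single quotes (q); a second session for the same
        # CN is either a reconnect or a client certificate in use on two machines.
        if (match($0, "client " q "[^" q "]*" q)) {
            cn = substr($0, RSTART + 8, RLENGTH - 9)
            printf "DUPLICATE\t%s\t-\tprevious session dropped; certificate shared or reused?\n", cn
        }
    }'
}

# Common Names that triggered a duplicate-session drop.
duplicate_cns() { parse_openvpn_log | awk -F'\t' '$1 == "DUPLICATE" { print $2 }' | sort -u; }

# Last tunnel address handed to Common Name $1.
assigned_ip() { parse_openvpn_log | awk -F'\t' -v cn="$1" '$1 == "ASSIGN" && $2 == cn { ip = $4 } END { print ip }'; }

# Example run: sample_log | parse_openvpn_log
# Live use (assumed): journalctl -u openvpn@server.service | parse_openvpn_log
```

A Common Name that shows up under duplicate_cns from two different peer addresses within a short time is worth a look, because the page's setup has no duplicate-cn and every client is supposed to hold its own certificate.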
