{"id":154,"date":"2019-06-03T00:48:43","date_gmt":"2019-06-02T23:48:43","guid":{"rendered":"https:\/\/blog.inplico.uk\/?p=154"},"modified":"2019-06-03T00:49:04","modified_gmt":"2019-06-02T23:49:04","slug":"open-vpn","status":"publish","type":"post","link":"https:\/\/blog.inplico.uk\/?p=154","title":{"rendered":"Open VPN"},"content":{"rendered":"

Installation<\/strong><\/p>\n

With point to point tunneling protocol VPN\u2019s depreciated because of security issues we are now not even bothering to install pptp at all and are instead opting for openvpn.<\/p>\n

For the installation you are going to want 2 applications, openvpn and easy-rsa.<\/p>\n

#apt-get install openvpn easy-rsa<\/pre>\n
 <\/p>\n
Build and configure the certificate authority<\/strong><\/p>\n
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. We will use Easy RSA’s scripts to do this.<\/p>\n
First copy over the Easy-RSA generation scripts.<\/p>\n
#cp -r \/usr\/share\/easy-rsa\/ \/etc\/openvpn<\/pre>\n
Then create a directory to store the keys in.<\/p>\n
#mkdir \/etc\/openvpn\/easy-rsa\/keys<\/pre>\n
Next we need to set the parameters for our certificate<\/p>\n
#vi \/etc\/openvpn\/easy-rsa\/vars<\/pre>\n
You need to set the following according to your configuration.<\/p>\n
export KEY_COUNTRY=\r\nexport KEY_PROVINCE=\r\nexport KEY_CITY=\r\nexport KEY_ORG=\r\nexport KEY_EMAIL=\r\nexport KEY_OU=<\/pre>\n
The country code for England is GB; the province is the county (I guess this is a yank thing but I just put LA for Lancashire; KEY_ORG is the company; and KEY_OU is the top level domain.<\/p>\n
Further down you will find the X509 Subject field. This is what your ca certificate will be called. I am going to call it \u201cOpenvpnServer<\/strong>\u201d<\/p>\n
export KEY_NAME=\"OpenvpnServer\"<\/pre>\n
That is it for vars, now we can move on to the initialization process.<\/p>\n
 <\/p>\n
Initialise the Certificate Authority<\/strong><\/p>\n
First we generate the Diffie-Helman parameters using a built-in OpenSSL tool called dhparam.<\/p>\n
#openssl dhparam -out \/etc\/openvpn\/dh4096.pem 4096<\/pre>\n
The -out flag specifies where to save the new parameters file<\/p>\n
Now it is time to generate the first key. First we need to switch to the easy-rsa directory.<\/p>\n
#cd \/etc\/openvpn\/easy-rsa<\/pre>\n
Next, we can begin setting up the Certificate Authority itself. First, initialize the Public Key Infrastructure (PKI). The first thing to so is source the vars file (I guess this tells build-ca where to look for the configuration file)<\/p>\n
#source .\/vars<\/pre>\n
Then run clean-all to we’ll clear any other keys that may interfere with our installation.<\/p>\n
#.\/clean-all<\/pre>\n
Finally, we will build the CA using an OpenSSL command. This command will prompt you for a confirmation of “Distinguished Name” variables that were entered earlier. Press ENTER to accept existing values.<\/p>\n
# .\/build-ca<\/pre>\n
If you get the following error:<\/p>\n
grep: \/etc\/openvpn\/easy-rsa\/openssl.cnf: No such file or directory pkitool: KEY_CONFIG (set by the .\/vars script) is pointing to the wrong version of openssl.cnf: \/etc\/openvpn\/easy-rsa\/openssl.cnf The correct version should have a comment that says: easy-rsa version 2.x<\/p>\n
Then you need to create a symbolic link which is<\/p>\n
#ln -s openssl-1.0.0.cnf openssl.cnf<\/pre>\n
Note: this may change in future versions. There are some suggestions that this is caused by running source .\/vars before .\/build-ca but the current documentation is fairly unclear on this.<\/p>\n
The Certificate Authority is now set up but we still have to build the key for the server<\/p>\n
Type hostname to get the name of your server<\/p>\n
#hostname<\/pre>\n
If you do not get a proper name or it just returns \u201clocalhost\u201d then check your \/etc\/hosts file for errors.<\/p>\n
#.\/build-key-server OpenvpnServer<\/pre>\n
NOTE: The name here needs to be the same as the name under the X509 stanza in the vars file.<\/p>\n
You will be asked several questions; when you get to Common Name<\/strong>, you need to type in the name of your server. Do the same for Name.<\/p>\n
When you get to password<\/strong> just press <enter> and do the same for company name<\/strong>. The CA will now ask you if you want it to sign the certificate. Press y followed by <enter>. If all is well it should say<\/p>\n
1 out of 1 certificate requests certified, commit? [y\/n]<\/p>\n
Again press \u201cy\u201d followd by <enter> and the CA should respond with the following 2 lines<\/p>\n
Write out database with 1 new entries<\/p>\n
Data Base Updated<\/p>\n
You now have a certificate for your server. The next thing to so is to copy your certificate and keys to the correct directory.<\/p>\n
#cp \/etc\/openvpn\/easy-rsa\/keys\/{OpenvpnServer.crt,OpenvpnServer.key,ca.crt} \/etc\/openvpn<\/pre>\n
You can verify the copy was successful with:<\/p>\n
#ls \/etc\/openvpn<\/pre>\n
We will leave easy-rsa for now and configure the openvpn server however we will need to revisit easy-rsa when we generate the certificates for our clients.<\/p>\n
 <\/p>\n
Openvpn Server Configuration<\/strong><\/p>\n
\/etc\/openvpn\/server.conf is where the configuration is set for the openvpn server. This file does not exist by default and needs to unzipped and copied from the sample config files. You could of course write your own, it is entirely up to you.<\/p>\n
For the purpose of this exercise we are going to assume that the server has a LAN IP address of 172.17.1.16 and the server is behind a NAT. The subnet is 255.255.0.0 and the local dns servers are 172.17.1.4 and 172.17.1.3<\/p>\n
#gunzip -c \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz > \/etc\/openvpn\/server.conf\r\n#vi \/etc\/openvpn\/server.conf<\/pre>\n
The following directive are the important ones<\/p>\n
port 1194\r\nproto tcp\r\ndev tun\r\nca ca.crt\r\ncert OpenvpnServer.crt\r\nkey OpenvpnServer.key\r\ndh dh4096.pem\r\nserver 10.8.0.0 255.255.255.0\r\nifconfig-pool-persist ipp.txt\r\npush \"route 172.17.0.0 255.255.0.0\"\r\nclient-config-dir ccd\r\npush \"dhcp-option DNS 172.17.1.4\"\r\npush \"dhcp-option DNS 172.17.1.3\"\r\nclient-to-client\r\nuser nobody\r\ngroup nogroup\r\nkeepalive 10 120\r\n**comp-lzo**\r\npersist-key\r\npersist-tun\r\nstatus openvpn-status.log\r\nlog-append \/var\/log\/openvpn.log\r\nverb 4<\/pre>\n
Don\u2019t use comp-lzo<\/strong> on the later versions (Debian stretch) use compress lz4-v2<\/strong> This will also need to be changed in the client config.<\/p>\n
port<\/strong>, proto<\/strong> and dev<\/strong> should already be set as default as should ca<\/strong>. You will need to set cert<\/strong> and key<\/strong> correctly and change dh<\/strong> from<\/p>\n
dh1024.pem<\/p>\n
to<\/p>\n
dh4096.pem<\/p>\n
server<\/strong> should be fine at 10.8.0.0<\/strong> unless you have any special networking requirements such as a conflict with an existing network. ifconfig-pool-persist<\/strong> should also already be set. You will need to add the line<\/p>\n
push \"route 172.17.0.0 255.255.0.0\"<\/pre>\n
or uncomment one of the existing examples and set it according to your configuration.<\/p>\n
Now uncomment<\/p>\n
client-config-dir ccd<\/pre>\n
Next amend the DNS directives by uncommenting them and changing them to point to the appropriate DNS servers.<\/p>\n
push \"dhcp-option DNS 172.17.1.4\"\r\npush \"dhcp-option DNS 172.17.1.3\"<\/pre>\n
and uncomment client-to-client<\/strong>. keepalive<\/strong> should be ok as it is, as should comp<\/strong>. For added security you will need to uncomment to user<\/strong> and group<\/strong> directives to prevent openvpn from running as root.<\/p>\n
persist-tun and persist-key should be fine as they are, as should status. Uncomment log-append<\/strong> and change verbosity from verb 3<\/strong> to verb 4<\/strong> and you should be done.<\/p>\n
Newer tunnelblick clients will generate a warning if you use an insecure cipher so you have to comment out any existing ciphers and add<\/p>\n
cipher AES-256-CBC<\/pre>\n
Additionally later versions have the following directive<\/p>\n
explicit-exit-notify 1<\/pre>\n
This needs to be commented out if you are using proto tcp<\/strong> as it only works with udp<\/p>\n
Save and exit server.conf and run<\/p>\n
#openvpn --genkey --secret \/etc\/openvpn\/ta.key<\/pre>\n
to generate the ta.key<\/p>\n
The last thing to do is make a directory called ccd in \/etc\/openvpn<\/p>\n
#mkdir \/etc\/openvpn\/ccd<\/pre>\n
Forgetting to do this will cause the openvpn service to appear to be running but when it isn\u2019t<\/p>\n
 <\/p>\n
Routing tables<\/strong><\/p>\n
Before we start openvpn we need to tell our server what to do with incoming traffic. First we need to enable packet forwarding. Enter the following command<\/p>\n
#echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n
You should now have a file that simply has a 1 in it<\/p>\n
#cat \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n
Next, we’ll need to make this permanent so that this setting persists after a server reboot. Open the sysctl<\/strong> configuration file<\/p>\n
#vi \/etc\/sysctl.conf<\/pre>\n
Near the top of the sysctl file, you will see:<\/p>\n
#Uncomment the next line to enable packet forwarding for IPv4\r\n#net.ipv4.ip_forward=1<\/pre>\n
Uncomment net.ipv4.ip_forward as suggested, save the file and exit.<\/p>\n
Assuming that you have left the default configuration for the VPN subnet as it is at 10.8.0.0 255.255.255.0 in the server.conf i.e.<\/p>\n
server 10.8.0.0 255.255.255.0<\/pre>\n
Then you need to run the following line from the command line in order to tell the server what to do with traffic coming from the VPN subnet<\/p>\n
#iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/pre>\n
Again here, we are assuming here that the Ethernet port that you are using is eth0. If there is more than one network card in your machine then you need to make sure you are configuring the correct one, but usually it is eth0 <\/strong>(Be careful with some HP\u2019s that have crazy names for their Ethernet ports). Before you start run ifconfig<\/strong> to check this.<\/p>\n
Iptables is not persistent across reboots but once you have it configured correctly, there\u2019s an app for that:<\/p>\n
#apt-get install iptables-persistent<\/pre>\n
And follow the instructions on screen. Iptables saves the configuration in \/etc\/iptables\/rules.v4 and rules.v6 respectively.<\/p>\n
Congratulations, you should now have a working openvpn server. Make sure that you open port 1194<\/strong> for udp on your router and point it to your server. Start your server in the usual way by running<\/p>\n
#service openvpn start<\/pre>\n
and check that it is running with<\/p>\n
#service openvpn status<\/pre>\n
Note that openvpn will appear as though it is started and running when it isn\u2019t; see troubleshooting below to see how to make sure you have a live server.<\/p>\n
The big problem that you have at this stage is that although you have a nice vpn server, your clients will not be able to connect to it. In order to get the clients connecting you will need to go back to easy-rsa and generate some client certificates<\/p>\n
 <\/p>\n
Bind 9<\/strong><\/p>\n
If you are using the later versions of bind 9 for dns lookups then you will have to allow the subnet that you have set for your vpn to perform recursive lookups.<\/p>\n
Once you have connected to the vpn you should be able to access any devices on the remote network using their ordinary host names. If you cannot do this, but you can access them by IP then chances are this is the problem.<\/p>\n
To resolve it you first need to create an access control list.<\/p>\n
#vi \/etc\/bind\/named.conf.options<\/pre>\n
Here we are making assumptions that the remote lan is using 172.17.0.0\/16 the local lan is using 172.18.0.0\/16 and the bridge is using 10.8.1.0\/24 and thus the access control list stanza should look like so:<\/p>\n
acl \"trusted\" {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 172.18.0.0\/16;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 172.17.0.0\/16;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.8.1.0\/24;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 localhost;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 localnets;\r\n};<\/pre>\n
Now under the \u201coptions\u201d stanza we can tell bind that we want to allow machines in the \u201ctrusted\u201d acl to use queries and recursion.<\/p>\n
options {\r\n    ....\r\n    recursion yes;\r\n    allow-query { trusted; };\r\n    allow-recursion { trusted; };\r\n    allow-query-cache { trusted; };\r\n    \u2026.\r\n}<\/pre>\n
Now we can restart bind and we should be able to perform lookups on the dns server.<\/p>\n
 <\/p>\n
Connecting Clients<\/strong><\/p>\n
There are 4 files needed for each client ca.crt; an openvpn client configuration file; and the client certificate files.<\/p>\n
First we will grab a copy of the default client.ovpn file and rename it as we copy it. Note that the naming convention is important here as the name of the file must match the name of the client machine. <\/strong>In this example we are going to assume that the client machine is called \u201cmypc<\/strong>\u201d. First run<\/p>\n
#cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf \/etc\/openvpn\/easy-rsa\/keys\/mypc.ovpn<\/pre>\n
Remember to change ovpn<\/strong> to the name of your pc suffixed by \u201c.ovpn\u201d<\/p>\n
Now we need to edit the file we have just created.<\/p>\n
#vi \/etc\/openvpn\/easy-rsa\/keys\/mypc.ovpn<\/pre>\n
Change the remote<\/strong> directive to reflect the public ip address of your server (If you are behind a NAT then this will be your static ip address assigned by your ISP). If you do not know it then google \u201cWhat is my ip\u201d<\/p>\n
remote XXX.XXX.XXX.XXX 1194<\/pre>\n
Next you will need to change the certificate names to reflect the ones that you are about to generate. In this example they will be called crt<\/strong> and mypc.key<\/strong>.<\/p>\n
cert mycp.crt\r\nkey mypc.key<\/pre>\n
change verb<\/strong> to 4<\/strong> and add<\/p>\n
log-append \/var\/log\/vpnclient.log<\/p>\n
ns-cert-type<\/strong> has now been depreciated so this should be commented out and replaced with<\/p>\n
remote-cert-tls server<\/pre>\n
Although not strictly necessary you can add<\/p>\n
auth-nocache<\/pre>\n
to the client file; This will prevent the client from caching passwords.<\/p>\n
You will also need to set the cipher to match that in the server configuration file (i.e. AES-256) by inserting the line<\/p>\n
cipher AES-256-CBC<\/pre>\n
and commenting out any other cipher declarations<\/p>\n
As mentioned previously comp-lzo<\/strong> is in the process of being depreciated in favour of compress lz4-v2 for later servers you need to add this directive to the client file and comment out any reference to comp-lzo<\/p>\n
compress lz4-v2<\/pre>\n
If this configuration is for a linux client then uncomment user<\/strong> and group<\/strong> directives which should be set to nobody; otherwise you are done.<\/p>\n
 <\/p>\n
OPTIONAL:<\/strong><\/p>\n
There is a directive that ensures that all traffic is routed through the server (which is great for security but slow as fuck so only really useful as when you are using a public network and cannot get the access that you need).<\/p>\n
redirect-gateway def1 bypass-dhcp<\/pre>\n
This directive is only well suited for roaming computers such as laptops and phones so what I would suggest is to create a second .ovpn file and only use it when necessary.<\/p>\n
If you want to make sure that all traffic is routed through the vpn then you can push the directive from the server.<\/p>\n
Now to generate the certificates. Navigate to the easy-rsa directory<\/p>\n
#cd \/etc\/openvpn\/easy-rsa<\/pre>\n
and run the following command to generate the keys (changing mypc to the name of your client box)<\/p>\n
#.\/build-key mypc<\/pre>\n
You will be presented with a series of questions, just press <enter> as the defaults should be fine as long as you have given the certificate a unique name should it be necessary to reference it in the ccd directory. You may want change the name to the same as the common name, but this is not strictly necessary. (note, sometimes you will have to source the vars file again by running source .\/vars<\/strong>, not sure why). When asked to sign the certificate answer \u201cy\u201d and the same with commit.<\/p>\n
The next thing you need to do is copy the following files into a folder and put them on your client.<\/p>\n
\/etc\/openvpn\/ca.crt<\/p>\n
\/etc\/openvpn\/ta.key<\/p>\n
\/etc\/openvpn\/rsa-keys\/mypc.crt<\/p>\n
\/etc\/openvpn\/rsa-keys\/mypc.key<\/p>\n
\/etc\/openvpn\/rsa-keys\/mypc.ovpn<\/p>\n
Note that the prefix of the file names will be the name of your client.<\/p>\n
 <\/p>\n
Tunnelblick<\/strong><\/p>\n
Tunnelblick is the openvpn client for mac. It does not play nice if you are using a static ip address and are using either<\/p>\n
dhcp-option DNS xxx.xxx.xxx.xxx<\/pre>\n
Set in the *.ovpn file on the client or the push equivalent set in the server\u2019s conf file.<\/p>\n
push \u201cdhcp-option DNS xxx.xxx.xxx.xxx\u201d<\/pre>\n
To get around this you will need to set dhcp or add the dns server to the list. The problem with the latter is that it will slow your computer down when you are not connected to the vpn because it will have to wait until the lookup times out trying to access a server that it thinks has died.<\/p>\n
If you need a static ip on your client then the best way is to bind it to you client\u2019s mac address using your router. How to do this is beyond the scope of this manual as it is entirely dependent what router you are using.<\/p>\n
 <\/p>\n
Troubleshooting<\/strong><\/p>\n
nmap is your friend. With the openvpn service up and running run<\/p>\n
#nmap -p 1194 -sU -PO xxx.xxx.xxx.xxx<\/pre>\n
note \u2013p is the port number, -sU tells nmap it is looking at a udp port and \u2013PO is the flag for the ip address of the interface. The output should look something like<\/p>\n
Starting Nmap 6.47 ( http:\/\/nmap.org ) at 2016-04-07 09:46 BST<\/p>\n
Nmap scan report for fqdn.suffix (xxx.xxx.xxx.xxx)<\/p>\n
Host is up.<\/p>\n
PORT\u00a0\u00a0\u00a0\u00a0 STATE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SERVICE<\/p>\n
1194\/udp open|filtered openvpn<\/p>\n
If it says closed then this will need to be resolved before you go any further. If the status of the service is \u201cactive\u201d but the port is closed then check that you have created the ccd directory.<\/p>\n
On another server I hand to stop the service (even though it wasn\u2019t actually running) and they run systemctl enable openvpn followed by systemctl start openvpn and then it worked. I found this out by running openvpn from the command line<\/p>\n
Also try netstat which should tell you what ip and protocol openvpn is listening on<\/p>\n
#netstat -uapn | grep openvpn<\/pre>\n
Check that it is using the udp port and that the ip address that the port is using is correct. If not then you will need to set the local<\/strong> directive in the conf<\/strong> file.<\/p>\n
Check the log for errors at \/var\/log\/openvpn.log<\/strong><\/p>\n
Check that you have a tun0<\/strong> interface by running ifconfig<\/strong><\/p>\n
If all else fails then temporarily change to tcp<\/strong> by changing the proto<\/strong> directive in server.conf. Restart the service and then try and telnet to it.<\/p>\n
If you can create a tunnel but cannot connect to clients then check the iptables. In particular<\/p>\n
#iptables \u2013t nat --list<\/pre>\n
should return something like<\/p>\n
0\u00a0\u00a0\u00a0\u00a0 0 MASQUERADE all — *\u00a0\u00a0\u00a0\u00a0 eth0\u00a0\u00a0 10.8.0.0\/24\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0.0.0.0\/0<\/p>\n
If not then run<\/p>\n
#iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/pre>\n
The flags are:<\/p>\n
-t = table name<\/p>\n
-A = append<\/p>\n
-s = source address\/mask<\/p>\n
-o = output interface (use [+] for wildcard)<\/p>\n
-j = target<\/p>\n
If you have a couple of vpn servers that may at some point end up talking to each other then you might want to make sure that you put their internal addresses on different subnets (Say 10.8.1.0\/24 for the second one for example).<\/p>\n
To delete a record replace the \u2013A flag with a \u2013D flag<\/p>\n
#iptables -t nat -D POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/pre>\n","protected":false},"excerpt":{"rendered":"
Installation With point to point tunneling protocol VPN\u2019s depreciated because of security issues we are now not even bothering to install pptp at all and are instead opting for openvpn. For the installation you are going to want 2 applications, openvpn and easy-rsa. #apt-get install openvpn easy-rsa   Build and configure the certificate authority OpenVPN […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-154","post","type-post","status-publish","format-standard","hentry","category-debian-server"],"_links":{"self":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=154"}],"version-history":[{"count":1,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/154\/revisions"}],"predecessor-version":[{"id":155,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/154\/revisions\/155"}],"wp:attachment":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}