Line 1: |
Line 1: |
| {{Languages}} | | {{Languages}} |
| + | {{usefulnote}} |
| + | <blockquote style="float: right;">[[File:openvpn.png|250px]]</blockquote><br> |
| | | |
| + | ===Maintainer=== |
| + | [mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services] |
| + | |
| + | ===Version=== |
| | | |
− | ===Maintainer===
| + | {{#smeversion: smeserver-openvpn-routed }} |
− | [mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]] from [http://www.firewall-services.com Firewall Services]
| |
| | | |
| === Description === | | === Description === |
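Review bot: the rewritten Maintainer line puts the mail address in a bare single-bracket link, `[mailto:daniel@firewall-services.com]`, immediately followed by a separate `[[User:VIP-ire|Daniel B.]]` link, so MediaWiki renders the address as an anonymous numbered link ("[1]") beside the name rather than making the name the mail link that the old (malformed) nesting was trying to produce. Suggest one labelled external link, `[mailto:daniel@firewall-services.com Daniel B.]`, followed by the user-page link, or drop the bare mailto altogether.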
Line 9: |
Line 14: |
| [http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. | | [http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. |
| | | |
− | This contrib will help you configuring OpenVPN in routed mode. With this mode, clients connecting to the VPN from the outside will get an IP in a virtual private network. (this network will use a separated IP range from your standard local network, unlike the [[OpenVPN_Bridge]] contrib | + | This contrib will help you configuring '''OpenVPN in routed mode'''. With this mode, clients connecting to the VPN from the outside will get an IP in a virtual private network. (this network will use a '''separated IP range''' from your standard local network, unlike the [[OpenVPN_Bridge]] contrib |
| | | |
| === Requirements === | | === Requirements === |
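Review bot: the bolded description sentence still opens a parenthesis at "(this network will use a '''separated IP range'''" that is never closed, and "separated IP range" should read "separate IP range"; close the parenthesis after "contrib" and end the sentence so the emphasis edit does not carry the pre-existing typo forward.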
Line 20: |
Line 25: |
| | | |
| === Installation === | | === Installation === |
| + | <tabs container><tab name="For SME 10"> |
| + | /!\ new default cipher = AES-128-GCM and HMAC SHA256, if you have issues check the configuration options |
| + | yum install smeserver-openvpn-routed --enablerepo=smecontribs |
| + | if you have smeserver-openvpn-bridge installed and configured then all will work automaticly. |
| + | It will change its port to a different one, and it will copy certificates from the bridge openvpn |
| | | |
− | ==== install the rpms ====
| + | to know the new port |
| + | config getprop openvpn-routed UDPPort |
| + | </tab> |
| + | <tab name="For SME 9"> |
| install fws repo, see : [[Fws]] | | install fws repo, see : [[Fws]] |
| | | |
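Review bot: the SME 10 tab announces a new default of AES-128-GCM with HMAC SHA256, but the property table added further down in this same revision lists `Cipher` and `HMAC` with default None and the remarks "Default BF-CBC deprecated" / "Default SHA1 deprecated", so a reader cannot tell which cipher actually runs when the property is unset on each release. The warning should name the properties it refers to and what "check the configuration options" means in practice, for example `config setprop openvpn-routed Cipher AES-128-CBC` followed by `signal-event openvpn-routed-update` (the syntax and example value the page itself gives), and should say that clients whose profiles still assume the old cipher/HMAC will fail to connect until their profiles are updated to match. Also "automaticly" should be "automatically".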
Line 28: |
Line 41: |
| yum install smeserver-openvpn-routed --enablerepo=fws,smecontribs | | yum install smeserver-openvpn-routed --enablerepo=fws,smecontribs |
| | | |
− | ==== Configure ====
| + | you will then have to configure by hand |
| + | |
| + | If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates: |
| + | cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/ |
| + | |
| + | |
| + | </tab> |
| + | </tabs> |
| + | === Configure === |
| | | |
− | This contribs is really minimal and doesn't have a panel to configure everything. You have to configure all by hand. | + | This contribs is really minimal and doesn't have a panel to configure everything. You have to configure all by hand. Except on SME10 if you already have smeserver-openvpn-bridge installed and configured. |
| | | |
| here's the file the contrib expects to see before being started: | | here's the file the contrib expects to see before being started: |
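Review bot: the SME 9 tab's "you will then have to configure by hand" omits the step that actually generates the configuration and starts the daemon, `signal-event openvpn-routed-update`, which only appears later under "Configure as running in parallel of bridge contrib". Since `cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/` copies the server private key and the optional shared key takey.pem as well as the public material, the tab should also tell the reader to confirm the files under `priv/` are mode 0600 after the copy (that instruction currently sits much later, inside the PHPki subsection) before signalling the event.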
Line 40: |
Line 61: |
| * /etc/openvpn/routed/priv/takey.pem (an optional shared key) | | * /etc/openvpn/routed/priv/takey.pem (an optional shared key) |
| | | |
− | If you already run the [[OpenVPN_Bridge]] contrib, you can just copy all the certificates: | + | and an available port to bind to. |
− | cp -a /etc/openvpn/bridge/{priv,pub} /etc/openvpn/routed/ | + | |
| + | |
| + | ==== Using PHPki ==== |
| + | |
| + | If you are using the PHPki contrib to manage your certificates you need to do the following : |
| + | |
| + | Create a new certificate for your OpenVPN server - make sure it is a VPN server only certificate. |
| + | |
| + | {{Note box|Make sure you don't protect the private key with a password}} |
| + | |
| + | From PHPki get the following certificates : |
| + | |
| + | From the main page of PHPki : |
| + | |
| + | dh pub/dh.pem - Download the Diffie-Hellman parameters |
| + | ca pub/cacert.pem - Download the Root Certificate |
| + | |
| + | If you need to, get a copy of the revocation list |
| + | crl-verify pub/cacrl.pem - Download the Certificate Revocation List |
| + | |
| + | The Revocation certificate can be obtained automatically with a cronjob |
| + | db configuration setprop openvpn-routed CrlUrl 'https://your-phpki-box.domain.net/phpki/index.php?stage=dl_crl_pem' |
| + | |
| + | From the Manage Certificates page of PHPki : |
| + | |
| + | cert pub/cert.pem - use the PEM Certificate |
| + | key priv/key.pem - use the PEM Key |
| + | |
| + | |
| + | Copy them to the relevant directories as above |
| + | |
| + | Make sure that the certs are set 0600 |
| + | |
| + | If you want your VPN clients to use the SME as default gateway for all traffic once connected : |
| + | |
| + | db configuration setprop openvpn-routed RedirectGateway enabled |
| + | signal-event openvpn-routed-update |
| + | |
| + | You can now add your Client certificates to your device. |
| + | |
| + | Make sure you have a user on the server. |
| + | |
| + | Make sure in your device that you choose Certificate + Password as an option. |
| + | |
| + | Enter in your user name and password in addition to the certificates |
| | | |
| ==== Configure as running in parallel of bridge contrib ==== | | ==== Configure as running in parallel of bridge contrib ==== |
| + | Not needed for SME10, the contrib does it for you. |
| | | |
| #install | | #install |
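Review bot: the CrlUrl example under "Using PHPki" fetches the revocation list over https, but the property table later gives `http://url/phpki/index.php?stage=dl_crl_pem` as the allowed form; because the periodic CRL download is what lets `crl-verify pub/cacrl.pem` reject a revoked client certificate, the page should require https (a stale CRL served over plain http by someone on the path keeps revoked clients connecting) and should say what the cron job does when the download fails. The `db configuration setprop openvpn-routed CrlUrl ...` line is also not followed by `signal-event openvpn-routed-update`, unlike the RedirectGateway example just below it, and "Make sure that the certs are set 0600" should be narrowed to the files under `priv/` (the server key and takey.pem): the CA certificate, DH parameters, CRL and server certificate under `pub/` are not secret.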
Line 55: |
Line 121: |
| # signale event to regenerate all you need | | # signale event to regenerate all you need |
| signal-event openvpn-routed-update | | signal-event openvpn-routed-update |
− |
| |
| | | |
| ===Client configuration - iOS=== | | ===Client configuration - iOS=== |
Line 110: |
Line 175: |
| | | |
| This will take a moment to sync. Once that is completed, open the OpenVPN Connect app on your device. It will inform you that there's a new profile available for import. On that screen, tap the green + button. | | This will take a moment to sync. Once that is completed, open the OpenVPN Connect app on your device. It will inform you that there's a new profile available for import. On that screen, tap the green + button. |
− | [[File:Openvpn_newprofile.png]] | + | [[File:Openvpn_newprofile.PNG]] |
| | | |
| The app will open the profile and indicate that it isn't associated with an identity by showing "None selected". Tap where it says "None selected" to choose an identity profile. | | The app will open the profile and indicate that it isn't associated with an identity by showing "None selected". Tap where it says "None selected" to choose an identity profile. |
− | [[File:Openvpn_importprofile.png]] | + | [[File:Openvpn_importprofile.PNG]] |
| | | |
| Next, the app will list your available identity profiles. Choose the one you want to associate with this OpenVPN connection. | | Next, the app will list your available identity profiles. Choose the one you want to associate with this OpenVPN connection. |
− | [[File:Openvpn_chooseidentity.png]] | + | [[File:Openvpn_chooseidentity.PNG]] |
| | | |
| Configuration is now complete. You can connect to your OpenVPN server using the slider on the screen. | | Configuration is now complete. You can connect to your OpenVPN server using the slider on the screen. |
| | | |
− | === default key properties === | + | === Default key properties === |
− | these properties can be modified simply by issuing | + | these properties can be modified simply by issuing |
| | | |
− | config setprop openvpn-routed propertie newvalue | + | config setprop openvpn-routed ''property'' ''newvalue'' |
| | | |
| to reset to default, simply issue: | | to reset to default, simply issue: |
− | config delprop openvpn-routed propertie | + | config delprop openvpn-routed ''property'' |
| + | |
| + | where you have to replace ''property'' and ''newvalue'' with what you want. |
| + | |
| + | {| class="wikitable" |
| + | |- |
| + | ! db !! Key !! Type !! Property !! Default !! Allowed !! Description |
| + | |- |
| + | | configuration || openvpn-routed || service || || || || |
| + | |- |
| + | | || || || Protocol || udp || udp / tcp || |
| + | |- |
| + | | || || || UDPPort || 1194 || || |
| + | |- |
| + | | || || || TCPPort || 1194 || || |
| + | |- |
| + | | || || || Authentication || CrtWithPass || || |
| + | |- |
| + | | || || || Network || 192.168.29.0/255.255.255.0 || user defined || |
| + | |
| + | |- |
| + | | || || || PushLocalNetworks || enabled || enabled / disabled || |
| + | |
| + | |- |
| + | | || || || RedirectGateway || disabled || enabled / disabled || |
| + | |
| + | |- |
| + | | || || || Mtu || none || [nnnn] || |
| + | |- |
| + | | || || || Fragment || none || || |
| + | |
| + | |- |
| + | | || || || DuplicateCN || disabled || enabled / disabled || |
| + | |
| + | |- |
| + | | || || || PassTOS || enabled || enabled / disabled || |
| + | |
| + | |- |
| + | | || || || Compression || enabled || enabled / disabled || |
| + | |
| + | |- |
| + | | || || || MaxClients || none || 1 - 254 || |
| + | |- |
| + | | || || || ConfigRequired || disabled || enabled / disabled || |
| + | |
| + | |- |
| + | | || || || Verbose || 3 || [n] || |
| + | |
| + | |- |
| + | | || || || Cipher || None || Various. AES-128-CBC || Default BF-CBC deprecated |
| + | |
| + | |- |
| + | | || || || HMAC || None || Various. SHA256 || Default SHA1 deprecated |
| + | |
| + | |- |
| + | | || || || CrlUrl ||None || http://url/phpki/index.php?stage=dl_crl_pem || |
| + | |} |
| + | |
| + | you can also set the property PushRoute to disabled to any network in networks db to avoid the contrib to push the network to the client |
| + | |
| + | ===Workarounds and known issues=== |
| + | if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm. |
| + | |
| + | workaround :<syntaxhighlight lang="bash"> |
| + | echo -e "LegacySigningMDs md2 md5\nMinimumDHBits 512\n" >> /etc/pki/tls/legacy-settings |
| + | service openvpn-routed restart |
| + | </syntaxhighlight> |
| + | |
| + | ===Bugs=== |
| + | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] |
| + | and select the smeserver-openvpn-routed component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-openvpn-routed|title=this link}} |
| + | |
| + | |
| + | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-openvpn-routed|noresultsmessage="No open bugs found."}} |
| + | |
| + | ===Changelog=== |
| + | Only versions released in smecontrib are listed here. |
| | | |
− | where you have to replace propertie and newvalue with what you want.
| + | {{#smechangelog: smeserver-openvpn-routed}} |
| | | |
− | {propertie} || default; | + | ==Other articles in this category== |
| + | {{#ask: [[Category:VPN]]}} |
| | | |
− | # {Protocol} || 'udp';
| + | [[Category:Contrib]] |
− | # {UDPPort} || '1194';
| + | [[Category:Administration:VPN]] |
− | # {TCPPort} || '1194';
| + | [[Category:VPN]] |
− | # {Authentication} || 'CrtWithPass';
| |
− | # {'Network'} || '192.168.29.0/255.255.255.0';
| |
− | # {PushLocalNetworks} || 'enabled';
| |
− | # {RedirectGateway} || 'disabled';
| |
− | # {Mtu} || '';
| |
− | # {Fragment} || '';
| |
− | # {Cipher} || '';
| |
− | # {RedirectGateway} || '';
| |
− | # {Protocol} || 'udp';
| |
− | # {DuplicateCN} || 'disabled';
| |
− | # {PassTOS} || 'enabled';
| |
− | # {Compression} || 'enabled';
| |
− | # {MaxClients} || '';
| |
− | # {ConfigRequired} || 'disabled';
| |
− | # {Verbose} || '3';
| |
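Review bot: the "Workarounds and known issues" snippet appends `LegacySigningMDs md2 md5` and `MinimumDHBits 512` to `/etc/pki/tls/legacy-settings`, which undoes exactly the hardening the quoted CentOS 6.9 release note describes and goes further than the stated problem: the justification mentions only MD5 and DH parameters shorter than 1024 bits, yet the snippet also re-enables MD2 and lowers the floor to 512. Pin the workaround to the minimum (`LegacySigningMDs md5` and `MinimumDHBits 1024`), note that this file is a system-wide OpenSSL setting rather than something scoped to openvpn-routed, and tell the reader to remove it once the certificates are re-issued, as the paragraph itself says is the real fix. Separately, the property table records `Cipher` and `HMAC` defaults as None while the SME 10 install tab says AES-128-GCM/SHA256 is now the default; put the effective per-release default in the Default column so the "deprecated" remarks are actionable.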