OpenVPN Bridge
Maintainer
Daniel B. from Firewall Services
Version
Description
OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets.
This contrib helps you configure OpenVPN in bridge mode. In this mode the VPN interface is bridged with the internal interface, so clients connecting from the outside get an IP address in the local subnet: there is no routing to set up and no additional firewall rules. The downside is that you cannot limit which services VPN clients can reach; they are treated exactly like locally connected computers, so anyone holding a certificate your CA signed is on your LAN.
Requirements
- SME Server 7.X and 8.0 (serveronly or server&gateway works)
- You have to install and enable the bridge-interface contrib
- You may want to install PHPki to manage your certificates easily.
Installation
install the rpms (7.x)
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
install the rpms (8.x)
db yum_repositories set sme7contribs repository \
    GPGCheck yes \
    MirrorList http://distro.ibiblio.org/pub/linux/distributions/smeserver/mirrorlist/smecontribs-7 \
    Name 'SME 7 - contribs' \
    Visible no \
    status disabled
signal-event yum-modify
yum clean all
yum --enablerepo=sme7contribs --enablerepo=smecontribs install smeserver-openvpn-bridge
--Ddougan 15:30, 20 October 2012 (MDT)
Configure the certificates
You can now go to the server-manager, where you'll find a new OpenVPN-Bridge menu. First click on the "configure certificates" link; you will have to enter several mandatory items:
- A URL from which OpenVPN can fetch the updated CRL. If you use PHPki on the same server, you can keep the default value.
- The CA certificate (used to verify client certificates)
- The server certificate (used by clients to verify the server)
- The server private key associated with that certificate
- Diffie-Hellman parameters (used to exchange the session key)
- An optional static key generated by OpenVPN, which adds an HMAC authentication layer (tls-auth) on top of TLS
You can use the PHPki contrib to manage this easily. PHPki doesn't need to be installed on the same server. You can also manage your PKI manually, or with your own PKI tool if you already use one (for example, TinyCA).
Once you have entered all the required information, just submit the form.
You should then see the message:
Certificates status: Certificates are ready
with "Certificates are ready" in green. If that's not the case, there is a problem with your certificate configuration.
Configure the service
The second step is to configure the service. On the main page of the panel, click on the "Service configuration" button. Here you can enable the service, choose the authentication mode you want, and configure the IP address range handed out to clients. Once you submit this form, the service should start. You can check that everything is OK by following the log:
tailf /var/log/openvpn-bridge/current
Control the service
Starting with version 2.0 of the contrib, the OpenVPN daemon is supervised (runit). You can control (start/stop/restart) the service from the server-manager, and you're advised to do so. If you need to start/stop/restart it manually, here are the corresponding commands:
- start
sv u /service/openvpn-bridge
- stop
sv d /service/openvpn-bridge
- restart
sv t /service/openvpn-bridge
Using PHPki to manage the certificates
With this release you can manage the certificates however you want, but most people will use PHPki for this.
Initialize your PKI
This should already be done if you installed the contrib following this how-to.
Create a certificate for the server
Now you need to create a certificate for the OpenVPN server. In the PHPki interface, go to "create a new certificate" and fill in the certificate details:
- Common Name: the name of the certificate. Enter what you want, for example "openvpn-bridge"
- Email address: the email address of the technical contact (this field is not used, so anything goes as long as it is a valid email address), for example admin@domain.tld
- Organization, Department, Locality, State and Country: these default to the values you entered when you created your PKI. You can leave them as they are.
- Password: this field must be blank. The OpenVPN daemon starts without human intervention when the server boots, so it needs to read the private key without being prompted for a passphrase.
- Certificate life: how long the certificate will be valid. Choose what you want, but remember that when it expires you will have to create a new one and update it in the OpenVPN-Bridge panel (clients will refuse to connect to a server with an expired certificate).
- Key size: enter what you want (2048 is the usual choice). Bigger keys are stronger but cost a bit more CPU when the session key is negotiated (at connection time, and again once an hour).
- Certificate Use: choose "VPN Server Only". This is important: with another certificate type, clients may be unable to connect, or you may be unable to proceed because some other certificate uses won't allow an empty password.
Now, confirm you want to create this certificate:
Configure OpenVPN with the newly created certificates
Now you can configure OpenVPN with your certificates: go to server-manager -> OpenVPN-Bridge -> certificates configuration.
Here you have some fields to set up:
- URL to update the CRL: keep the default, http://localhost:940/phpki/index.php?stage=dl_crl_pem, unless PHPki is installed on another server (or you use another PKI tool). Revoking a client certificate in PHPki only keeps that client out if OpenVPN can fetch the updated CRL from this URL, so make sure it is reachable from the server.
- CA certificate: the root certificate in PEM format. In PHPki, click on the link "Display the Root Certificate (PEM Encoded)" and copy and paste the data into the "CA certificate" box.
- Server certificate: the certificate of the server. In PHPki, go to manage certificates, click on the download link of the certificate you created for the server ("openvpn-bridge" in the example), choose PEM certificate in the drop-down menu and download it. Open the file with a text editor and copy and paste its text into the "Server certificate" window.
- Server private key: the private key associated with the server's certificate. Follow the same steps as above, but choose "PEM Key" in the drop-down menu instead of "PEM Certificate", and paste the text into the "Server private key" window. Treat this text as a secret and delete the downloaded copy once it is pasted.
- DH parameters: click on the "Display the Diffie-Hellman parameters" link in PHPki and paste the text into the "DH parameters" window.
- Static key: optional. Get it from the "Display the static pre-shared key" link in PHPki. If you enter it on the server, you will have to deploy it on every client as well: packets that do not carry a valid HMAC under this key are dropped before the TLS handshake even starts, which is exactly what makes it worth having. Being a shared secret, it must reach the clients over a secure channel, not by plain email.
Submit the form. "Certificates are ready" should be displayed.
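Before pasting the material into the panel, it is worth checking that the pieces belong together: a server certificate that does not chain to the CA, a key that does not match the certificate, or a passphrase-protected key each leave you with a daemon that will not start, and the panel only tells you that something is wrong. The following script is an added example, not part of the contrib or of PHPki; the file names are assumptions (use whatever you downloaded from PHPki) and the tls-auth key argument is optional.

```shell
#!/bin/sh
# check_ovpn_pki.sh - added example: sanity-check OpenVPN-Bridge certificate material
# before pasting it into the panel. Not part of the contrib. File names are assumed.
#
# usage: check_ovpn_pki ca.pem cert.pem key.pem dh.pem [ta.key]

fail() { echo "FAIL: $*" >&2; rc=1; }

check_ovpn_pki() {
    ca=$1 cert=$2 key=$3 dh=$4 takey=$5
    rc=0

    # 1. The server certificate must chain to the CA pasted as "CA certificate";
    #    that is also the CA client certificates will be checked against.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || fail "$cert does not verify against $ca"

    # 2. The key must be unencrypted: the daemon starts at boot with nobody there
    #    to type a passphrase (hence the blank Password field in PHPki).
    grep -q 'ENCRYPTED' "$key" && fail "$key is passphrase-protected"

    # 3. The key must belong to the certificate: compare the public keys.
    #    PHPki issues RSA keys, so "openssl rsa" handles PKCS#1 and PKCS#8 alike.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl rsa -pubout -in "$key" -passin pass: 2>/dev/null </dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        fail "$key does not match $cert"
    fi

    # 4. The Diffie-Hellman parameters must at least parse.
    openssl dhparam -noout -in "$dh" >/dev/null 2>&1 \
        || fail "$dh is not a DH parameter file"

    # 5. Optional tls-auth key: OpenVPN's static key format is a header line,
    #    16 lines of 32 hex characters (256 bytes of key) and a footer line.
    if [ -n "$takey" ]; then
        grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$takey" \
            || fail "$takey lacks the OpenVPN Static key V1 header"
        [ "$(grep -c '^[0-9a-fA-F]\{32\}$' "$takey")" -eq 16 ] \
            || fail "$takey does not contain 16 lines of 32 hex characters"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert, $key, $dh${takey:+, $takey} are consistent"
    return "$rc"
}
```

Run it as `check_ovpn_pki cacert.pem cert.pem key.pem dh.pem ta.key` on the files you downloaded; it exits non-zero and names the offending file when something is inconsistent.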
Upgrade from smeserver-openvpn-bridge-fws-1.1-2
If you were using the previous version of the contrib, follow this part. It migrates the certificate configuration from the previous installation.
Install the PHPki contrib
First, you'll have to install PHPki. Be sure to follow the migration step
Install the latest OpenVPN contrib
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
You can configure the bridge-interface contrib now. You can follow this how-to
Migrate previous/existing OpenVPN Server certificates
Now install the old certificates in the new location. You can use this script:
#!/bin/bash
# Migrate smeserver-openvpn-bridge-fws-1.1 client entries and server certificates
# to the layout used by the current contrib.

# Store the current time in $TIME (used to name the backup of the old db)
TIME=$(date +%d%m%Y%H%M%S)
OPENSSL=/usr/bin/openssl
OLDDIR=/etc/openvpn/easy-rsa/keys/bridge/
OVPNNEWDIR=/etc/openvpn/bridge
SRVCN=$(db configuration getprop openvpn-bridge localCN)

convert_cert_to_rule_entries(){
    DBNAME='openvpn-bridge'
    # The new OpenVPN contrib doesn't use cert entries but rule ones,
    # so we need to convert them. The old db is kept as a timestamped backup.
    if [ -e /home/e-smith/db/$DBNAME ]; then
        mv /home/e-smith/db/$DBNAME /home/e-smith/db/$DBNAME.$TIME
        for CERT in $(/sbin/e-smith/db $DBNAME.$TIME keys); do
            # Only entries of type cert with cert-type=client become rules
            # (quoted so that an empty property doesn't break the test)
            if [ "$(/sbin/e-smith/db $DBNAME.$TIME gettype $CERT)" == 'cert' ] && \
               [ "$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT cert-type)" == 'client' ]; then
                COM=$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT comment)
                REDIR=$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT redirectGW)
                IP=$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT ip)
                # Blank out the IP if defined as 'undef'
                if [ "$IP" == 'undef' ]; then
                    IP=
                fi
                /sbin/e-smith/db $DBNAME set $CERT rule comment "$COM" redirectGW "$REDIR" ip "$IP"
            fi
        done
    fi
}

install_cert_in_new_dir(){
    # Install the certificates used by the old OpenVPN daemon in the new location
    mkdir -p $OVPNNEWDIR/{priv,pub}
    cat $OLDDIR/$SRVCN.crt > $OVPNNEWDIR/pub/cert.pem
    cat $OLDDIR/$SRVCN.key > $OVPNNEWDIR/priv/key.pem
    cat $OLDDIR/dh.pem     > $OVPNNEWDIR/pub/dh.pem
    cat $OLDDIR/ca.crt     > $OVPNNEWDIR/pub/cacert.pem
    cat $OLDDIR/ta.key     > $OVPNNEWDIR/priv/takey.pem
    cat $OLDDIR/crl.pem    > $OVPNNEWDIR/pub/cacrl.pem
}

perms(){
    # Restrict access: the private key and the static key are secrets
    chown -R root:root $OVPNNEWDIR
    chmod -R o-rwx $OVPNNEWDIR/priv
}

convert_cert_to_rule_entries
install_cert_in_new_dir
perms
Save this script and run it as root.
Configuration rules
Configuration rules are the new way to apply client-specific settings. Since certificates are now managed separately, rules are created separately too. It's still quite simple: add a new rule, enter the common name to match, a comment, an optional fixed IP, whether gateway redirection is enabled for this client, or whether this client is blocked. Save, and you're done.
Client Configuration
OpenVPN runs on most platforms. In any case, the first step is always the same: you have to create a certificate for the client.
Create the certificate with PHPki
If you use your own PKI tool, you should be able to do it yourself ;) If you use PHPki, here are the steps to follow
- In PHPki administrative interface, click on the "Create a new certificate" link.
Here you'll have to enter several pieces of information; most of them are up to you.
Once you have submitted this form, you'll get a confirmation page. Your certificate is then ready.
Now go to the "Manage Certificates" menu in PHPki and click on the Download link corresponding to your certificate, then choose the PKCS#12 bundle format (OpenVPN also accepts PEM-encoded certificates, but the PKCS#12 bundle has the advantage of combining the CA, the certificate and the key in one file).
If you configured a shared secret key on the server, you also need to download it, and copy it to the client over a secure channel: it is a secret shared by every client of the VPN.
Windows
For Windows systems, download the OpenVPN GUI stable release 2.0.9 from http://openvpn.se/download.html, or the 2.1 release candidate from http://openvpn.se/development.html. Starting with version 2.1, OpenVPN itself ships the Windows GUI in its installer. 2.1 is still an RC but is quite stable and has some advantages over 2.0.9; one of the main ones is that you can run it on 2000/XP without administrative privileges.
On Windows, the OpenVPN configuration directory is C:\Program Files\OpenVPN\config. Put all the needed files there, or create sub-directories if you want to configure several connections: the PKCS#12 file you downloaded earlier, and the shared secret key if you use one on the server. Then create a text file with the .ovpn extension (the name isn't important) and open it in your favourite text editor. In the OpenVPN-Bridge panel, click on the link "Display a functional client configuration file", paste its content into your .ovpn file, and change the pkcs12 directive to match the name of your PKCS#12 file. Save it; your client should now be able to connect with the OpenVPN GUI.
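So that you know what to look for in the file the panel displays, here is an added example of what a bridge-mode client configuration typically contains. It is not the file generated by the contrib (which you should prefer); the host name, port, transport, file names and tls-auth key direction are assumptions that have to match what you chose in "Service configuration".

```text
# client.ovpn - added example of an OpenVPN bridge-mode client configuration.
# Not the file displayed by the OpenVPN-Bridge panel; the values marked
# "assumed" must be replaced with those of your server.
client
# bridge mode is layer 2: tap, not tun, so the client gets an address on the LAN
dev tap
# must match the "protocol" setting of the server (assumed: udp)
proto udp
# public name of the server and its UDPPort/TCPPort (assumed)
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# the PKCS#12 bundle downloaded from PHPki: CA, client certificate and key
# in one file (assumed file name; this is the line you have to change)
pkcs12 alice.p12
# only if a static key was configured on the server; the file is the one shown
# by PHPki. Direction 1 here assumes the server uses 0: check the panel's file.
tls-auth ta.key 1
# refuse to talk to a peer whose certificate is not a server certificate. Every
# client holds a certificate from the same CA, so without this line another
# client could impersonate the server. Requires nsCertType=server in the server
# certificate (assumed to be what PHPki's "VPN Server Only" type sets; check
# with: openssl x509 -in cert.pem -noout -text)
ns-cert-type server
# only if compLzo is enabled on the server
comp-lzo
verb 3
```

The two lines to verify after copying the displayed configuration are the pkcs12 file name and the tls-auth line, which must be present on the client if and only if a static key was entered on the server.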
Linux with Network Manager
Linux
Mac OS X
OpenVPN works great with Tunnelblick. Unfortunately, I have no Mac OS X here so if someone wants to add the exact notes, it would be great
Advanced configuration
Some advanced options are deliberately not exposed in the panel, which is kept as simple as possible because most installations never need them. They remain available as DB keys:
- ConfigRequired: (enabled|disabled). If enabled, clients are rejected unless a configuration rule matches the common name of their certificate. This is useful when one CA signs many certificates but only a few of them should be allowed onto the VPN; remember that in bridge mode an accepted client is on your LAN.
- UDPPort: (number) Change the port the server listens on when running in UDP mode
- TCPPort: (number) Change the port the server listens on when running in TCP mode
- access: (private|public) Leave this set to public: a VPN server reachable only from the local network makes no sense
- cipher: (valid cipher name) Force the cipher to use. If you set auto, or delete this key, client and server negotiate the strongest cipher both sides support. To list the supported ciphers, run
openvpn --show-ciphers
- clientToClient: (enabled|disabled) If you want to prevent two clients from communicating with each other, enable this option
- duplicateCN: (enabled|disabled) Allow several clients to connect simultaneously with the same certificate (default is disabled). Leave it disabled unless you really share one certificate between machines: with it enabled, a stolen certificate can be used alongside the legitimate one without the legitimate user noticing a disconnection.
- compLzo: (enabled|disabled) Controls real-time LZO compression. It usually improves throughput at no cost; the algorithm is adaptive and switches itself off when the data sent over the tunnel is not compressible. You may want to disable it on small hardware. Note that compressing data before encrypting it leaks information about the plaintext (the VORACLE attack), which is why current OpenVPN releases deprecate compression.
- management: (<ip to bind to>:<port>:<password>) Controls the OpenVPN management interface. The default is to listen on the loopback interface only; the panel uses it to display connected clients. You can expose it on the local network to get more statistics with a tool such as http://www.mertech.com.au/mertech-products-openvpnusermanager.aspx, but keep in mind that the password is stored in clear in the DB and that the management interface gives full control of the daemon (it can kill sessions), so leave it on loopback unless you need otherwise.
- maxClients: (number) Maximum number of clients connected at a time
- mtuTest: (enabled|disabled) When UDP is the transport protocol, mtu-test measures the best MTU for the virtual interface. Leave it enabled unless you know what you're doing
- protocol: (udp|tcp) The transport protocol to use. UDP is recommended for both security and performance, but there are situations where you'll need TCP. If you use TCP, set the port with TCPPort instead of UDPPort.
- redirectGW: (perClient|always) The default is to enable gateway redirection on a per-client basis. If you want redirection always enabled, set this key to "always"; that way you won't have to create a rule for each client.
- tapIf: (tap interface) Use this tap interface. It must be a free tap interface enslaved in the bridge interface (configured with the bridge-interface contrib). Do not change this setting unless you know what you're doing
Once you have set the keys you want, apply the changes with:
signal-event openvpn-bridge-update
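A mistyped value (say "enable" instead of "enabled", or a port out of range) is silently written by db and only shows up when the daemon fails to start or behaves unexpectedly. The following helper is an added example, not part of the contrib: it validates a key/value pair against the grammar listed above before writing it. It assumes the keys live on the openvpn-bridge record of the configuration database, which is what the migration script earlier on this page reads with db configuration getprop openvpn-bridge, and that db is at /sbin/e-smith/db as in that script.

```shell
#!/bin/sh
# ovpn_bridge_setprop.sh - added helper, not part of the contrib: validate an advanced
# OpenVPN-Bridge DB key/value against the documented grammar before writing it.
# Assumes the keys live on the "openvpn-bridge" record of the configuration database
# (the migration script reads it with: db configuration getprop openvpn-bridge localCN).

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# TCP/UDP port: 1..65535
is_port() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# dotted-quad IPv4 address, every octet 0..255
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do is_uint "$o" && [ "$o" -le 255 ] || return 1; done
}

# validate_ovpn_prop KEY VALUE -> 0 if VALUE is acceptable for KEY, 1 otherwise
validate_ovpn_prop() {
    key=$1 val=$2
    case $key in
        ConfigRequired|clientToClient|duplicateCN|compLzo|mtuTest)
            case $val in enabled|disabled) return 0 ;; esac ;;
        UDPPort|TCPPort)
            is_port "$val" && return 0 ;;
        maxClients)
            is_uint "$val" && [ "$val" -ge 1 ] && return 0 ;;
        access)
            case $val in private|public) return 0 ;; esac ;;
        protocol)
            case $val in udp|tcp) return 0 ;; esac ;;
        redirectGW)
            case $val in perClient|always) return 0 ;; esac ;;
        cipher)
            # "auto" lets both ends negotiate; otherwise the name must be one openvpn
            # knows (checked against --show-ciphers when the binary is installed)
            [ "$val" = auto ] && return 0
            if command -v openvpn >/dev/null 2>&1; then
                openvpn --show-ciphers 2>/dev/null | awk '{print $1}' \
                    | grep -qx -- "$val" && return 0
            else
                case $val in ''|*[!A-Za-z0-9-]*) ;; *) return 0 ;; esac
            fi ;;
        management)
            # <ip>:<port>:<password>, the password being everything after the second ':'
            ip=${val%%:*}; rest=${val#*:}; port=${rest%%:*}; pw=${rest#*:}
            [ "$rest" != "$val" ] && [ "$pw" != "$rest" ] \
                && is_ipv4 "$ip" && is_port "$port" && [ -n "$pw" ] && return 0 ;;
        tapIf)
            case $val in tap[0-9]*) return 0 ;; esac ;;
    esac
    return 1
}

# ovpn_bridge_setprop KEY VALUE -> write the key only if the value validates
ovpn_bridge_setprop() {
    validate_ovpn_prop "$1" "$2" || {
        echo "refusing to set $1='$2': not a valid value for this key" >&2; return 1; }
    /sbin/e-smith/db configuration setprop openvpn-bridge "$1" "$2" \
        && echo "$1=$2 stored; run 'signal-event openvpn-bridge-update' to apply" >&2
}

# Example baseline: stop accepting every certificate the CA ever signed and
# refuse concurrent use of one certificate, then apply.
#   ovpn_bridge_setprop ConfigRequired enabled
#   ovpn_bridge_setprop duplicateCN disabled
#   signal-event openvpn-bridge-update
```

The baseline at the end turns the VPN into an allow-list: only common names with a configuration rule get in, which is the setting to use whenever the CA also signs certificates for other purposes.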
Uninstall
To remove the contrib, just run:
yum remove smeserver-openvpn-bridge
You may also want to remove some other dependencies if you don't use them anymore
yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet
Notes
VMWare promiscuous mode
By default, at least on ESX(i) 3.5 and 4, VMware rejects promiscuous mode on the vSwitch. A bridge has to receive frames addressed to the MACs of the VPN clients behind it, not only the VM's own, so this breaks OpenVPN in bridge mode. To fix it in VMware, set:
Configuration > Networking > your vSwitch: Properties > Ports-tab > vSwitch > Edit > Security-tab > Promiscuous mode: accept
Virtualbox promiscuous mode
The same applies to VirtualBox: you need to set promiscuous mode to "Allow All" in the network adapter configuration.
- virtual machine > Settings > Network > Adapter 1
- choose adapter type "Intel PRO/1000 ..."
- set "Attached to" to "Bridged Adapter" on your default NIC
- click on Advanced
- set Promiscuous Mode to "Allow All"
Then go to server-manager > Proxy services and disable the HTTP and SMTP proxies.
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-openvpn-bridge component.