OpenVPN Bridge

From SME Server
Revision as of 14:56, 11 March 2009 by Slords (talk | contribs) (fix links)
Jump to navigation Jump to search


Maintainer

Daniel B.
Firewall Services
mailto:daniel@firewall-services.com

Description

OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets.

This contrib will help you configuring OpenVPN in bridge mode. With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet, the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients has access to, they are just treated as locally connected computers.

Requirements

  • SME Server 7.X (serveronly or server&gateway works)
  • You have to install and enable the bridge-interface contrib
  • You may want to install PHPki to manage easily your certificates.


  Warning:
The current version of the contrib is a complete rewrite of the older smeserver-openvpn-bridge.fws. There are a lot of changes between the two, mainly the way certificates are managed. You should read this before starting the upgrade. Even better, you should first try on a test server.


Installation

  • install the rpms
yum --enablerepo=smecontribs install smeserver-openvpn-bridge
  • Configure the certificates

You can now go in the server-manager, you'll find a new OpenVPN-Bridge menu. Here, you will first have to click on the "configure certificates" link.

Here, you'll need to enter several informations:


  Note:
All the certificates have to be PEM encoded


  • An URL where OpenVPN can update the CRL. If you use PHPki on the same server, you can let the default value.
  Note:
If a valid CRL file (in PEM format) is not found at this URL, you'll get an email every hour in the admin mailbox


  • A master Certificate (used to verify clients certificates)
  • The server certificate (used by clients to verify the server)
  • The server private key associated with the certificate
  • Diffie-Helman parameters (Used to exchange the session key)
  • An optional key generate by openvpn to add TLS authentication
  Note:
You can let this field blank if you don't want to use the additional TLS auth


You can use PHPki contrib to manage this easily. PHPki doesn't need to be installed on the same server. You can also manage your PKI by hands, or with your own PKI tool if you allready use one (for example, tinyCA)

Once you have enter all the required information, just submit the form.

You should then see the message:

Certificates status 	Certificates are ready

With "Certificates are ready" in green. If it's not the case, you have a problem with the certificates configuration.


  • Configure the service

The second step is to configure the service. In the main page of the panel, click on the "Service configuration" button.

Here you can enable the service, choose the authentication mode you want, and configure the IP address range for the clients

Once you submit this form, the service should start. You can check everything is ok with this command:

tailf /var/log/openvpn-bridge/current

Upgrade from smeserver-openvpn-bridge-fws-1.1-2

If you was using the previous version of the contrib, you'll need some additionnal steps to migrate your configuration.

First, you'll have to install PHPki. Be sure to follow the migration step

  • Install the new contrib
yum --enablerepo=smecontribs install smeserver-openvpn-bridge

You can configure the bridge-interface contrib now. You can follow this how-to

  • Migrate OpenVPN Server certificates

Now, you should install the old certificates in the new location For this, you can use this script:

#!/bin/bash

# Store the actual time in $TIME
TIME=$(date +%d%m%Y%H%M%S)

OPENSSL=/usr/bin/openssl
OLDDIR=/etc/openvpn/easy-rsa/keys/bridge/
OVPNNEWDIR=/etc/openvpn/bridge

convert_cert_to_rule_entries(){
	DBNAME='openvpn-bridge'

	# The new openvpn contrib doesn't use cert entries but rules ones
	# So we need to convert it	
	if [ -e /home/e-smith/db/$DBNAME ]; then
		mv /home/e-smith/db/$DBNAME /home/e-smith/db/$DBNAME.$TIME
		for CERT in $(/sbin/e-smith/db $DBNAME.$TIME keys); do
			# If the entry is a cert and cert-type=client
			if [ $(/sbin/e-smith/db $DBNAME.$TIME gettype $CERT) == 'cert' ]&&[ $(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT cert-type) == 'client' ]; then
				COM=$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT comment)
				REDIR=$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT redirectGW)
				IP=$(/sbin/e-smith/db $DBNAME.$TIME getprop $CERT ip)
				# Blank out the IP if fefined as 'undef'
				if [ $IP == 'undef' ]; then
					IP=
				fi
				/sbin/e-smith/db $DBNAME set $CERT rule comment "$COM" redirectGW "$REDIR" ip "$IP"
			fi
		done
	fi
}

install_cert_in_new_dir(){
	# Here, we install the old certificates used by openvpn daemon to the new location
	mkdir -p $OVPNNEWDIR/{priv,pub}
	cat $OLDDIR/$SRVCN.crt > $OVPNNEWDIR/pub/cert.pem
	cat $OLDDIR/$SRVCN.key > $OVPNNEWDIR/priv/key.pem
	cat $OLDDIR/dh.pem > $OVPNNEWDIR/pub/dh.pem
	cat $OLDDIR/ca.crt > $OVPNNEWDIR/pub/cacert.pem
	cat $OLDDIR/ta.key > $OVPNNEWDIR/priv/takey.pem
	cat $OLDDIR/crl.pem > $OVPNNEWDIR/pub/cacrl.pem
}

perms(){
	# Restrict access
	chown -R root:root $OVPNNEWDIR
	chmod -R o-rwx $OVPNNEWDIR
}

convert_cert_to_rule_entries
install_cert_in_new_dir
perms

Save this script and run it as root.

Configuration rules

The configuration is the new way to apply specific configuration to a client. As now the certificates are managed separatly, you have to create rules separatly. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done.

Configuration file

On the main page of the panel, you can display a sample configuration file. This file is dynamically generated according to server-side configuration. Here, you'll just need to change the line

pkcs12 user.p12

or uncomment and change the lines

#ca cacert.pem
#cert user.pem
#key user-key.pem

to match the certificate name of the client

Advanced configuration

Some advanced options are not presented in the panel. The goal was to keep the panel as simple as possible as most installations won't need to change advanced settings. But advanced options are still available with some DB keys:

  • ConfigRequired: (enabled|disabled). If set to enable, clients will be rejected un less a configuration rule match the common name of their certificate. This can be usefull if you use just one CA to sign a lot of different certificates, but only want a limited number of certificates to connect to the VPN
  • UDPPort: (number) Change the port the server listen to when running in UDP mode
  • TCPPort: (number) Change the port the server listen to when running in TCP mode
  • access: (private|public) you should let this to public as running a VPN server just for the local network make no sens
  • cipher: (valid cipher name) You can force the cipher to use. If you put auto, or delete this key, client and server will negociate the stronger cipher both side support. To have the list of the supported cipher, issue the command
openvpn --show-ciphers
  • clientToClient: (enabled|disabled) If you want to prevent two clients to communicate, you should enable this option
  • compLzo: (enabled|disabled) This option control the usage of real time LZO compression. Enabling it usually improve the performance at no cost. It uses an adaptative algorithm, if data sent over the tunnel are uncompressable, the compression will automatically be disabled. You may want to disable it on small hardware.
  • management: (<ip to bind to>:<port>:password) this key contrl the management interface of openvpn. The default is to listen only on the loopback interface. It's used to display connected clients. You can allow the access on the local network to get some more statistics using for example: http://www.mertech.com.au/mertech-products-openvpnusermanager.aspx
  • maxClients: (number) maximum number of clients connected at a time
  • mtuTest: (enabled|disabled) When using UDP as transport protocol, mtu-test will mesure the best MTU for the virtual interface. You should let it enabled un less you know what you're doing
  • protocol: (udp|tcp) The transport protocol to use. UDP is recommadned for coth security and performance, but there are situations where you'll need to use TCP. If you use TCP, you should set TCPPort directive to set the port the daemon will listen on (instead of UDPPort)
  • redirectGW: (perClient|allways) The default is to enable the gateway redirection on a per client basis. But if you want the redirection to be allways enabled, you can set this key to "allways". This way, you won't have to create a new rule for each client.
  • tapIf: (tap interface) use this tap interface. You should use a free tap interface enlsaved in the bridge interface (configured with the bridge-interface contrib). Do not change this setting unless you know what you're doing


Once you have configured the service like you want, just run the command

signal-event openvpn-bridge-update

Uninstall

To remove the contrib, just run:

yum remove smeserver-openvpn-bridge

You may also want to remove some other dependencies if you don't use them anymore

yum remove smerver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet

Source

The source for this contrib can be found in the smeserver CVS on sourceforge.

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-openvpn-bridge component or use this link