OpenVPN
Maintainer
This howto has been developed by Jesper Knudsen from SME Optimizer
Description
OpenVPN (http://www.openvpn.net) is an excellent way to provide remote access to users from home or on the road. OpenVPN provides a complete replacement for the at times unreliable PPTP VPN which is part of the standard SME distribution. This Howto is focused on using OpenVPN in routed mode as a Windows 2k/XP/Vista client-to-server VPN connection. The installation consists of two steps: first the portion which resides on the server and then the client. In the following setup it is assumed that the IP range for the local private network is 192.168.1.0/24 and that the tunneled VPN network will be 192.168.100.0/24.
OpenVPN Server Configuration
For SME 7x, first collect and install the RPMs as indicated below. The RPMs are taken from DAG's repository, which is pretty extensive.
cd /root
mkdir openvpn
cd openvpn
wget http://rpmforge.sw.be/redhat/el4/en/i386/rpmforge/RPMS/lzo-2.04-1.el4.rf.i386.rpm
wget http://dag.wieers.com/rpm/packages/openvpn/openvpn-2.0.9-1.el4.rf.i386.rpm
rpm -Uvh *.rpm
For SME 8x, the easiest way is to get the RPM from the DAG repository.
cd /root
mkdir openvpn
cd openvpn
wget http://apt.sw.be/redhat/el5/en/i386/dag/RPMS/lzo-2.06-1.el5.rf.i386.rpm
wget http://apt.sw.be/redhat/el5/en/i386/dag/RPMS/openvpn-2.2.2-1.el5.rf.i386.rpm
wget http://apt.sw.be/redhat/el5/en/i386/dag/RPMS/pkcs11-helper-1.08-1.el5.rf.i386.rpm
rpm -Uvh *.rpm
(--Ddougan 20:53, 6 September 2012 (MDT))
Now it's time to create the keys. The OpenVPN configs live in /etc/openvpn. First we need to edit the file with default values to match our installation. Open the file "vars" and edit the default values at the bottom of the file to reflect your setup (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL). By default 1024-bit Diffie-Hellman parameters are used, but this can be changed to 2048 or even 4096 bits (depending on your paranoia level).
cd /usr/share/doc/openvpn-2.0.9/easy-rsa
pico vars
Now we can create the master certificate. Choose the defaults as entered into the vars file. You will need to enter values for the "Organizational Unit Name", which you can set to "VPN", and "Common Name", which could be set to "Server".
source vars
sh clean-all
sh build-ca
Now we can build the certificate/private-key pairs for both the server and the clients. Again choose "Organizational Unit Name" and "Common Name" as above. Do not add "A challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate at the end.
sh build-key server
Now it's time for the client certificate, which is pretty much the same as before. Use "Client" as "Common Name" and "VPN" for "Organizational Unit Name". Do not add "A challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate at the end.
sh build-key client
Finally we build the Diffie Hellman parameters.
sh build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................
And it can take a long time. Your generated keys will be in /usr/share/doc/openvpn-2.0.9/easy-rsa/keys. The key names "Server" and "Client" are simply descriptive; choose names that suit your setup. You can create as many keys as you like using the above method. clean-all will clean out your keys directory, so be careful.
The newly generated keys need to be copied to the OpenVPN directory.
cp keys/ca.crt /etc/openvpn
cp keys/server.crt /etc/openvpn
cp keys/server.key /etc/openvpn
cp keys/dh1024.pem /etc/openvpn
The OpenVPN configuration along with the authentication script files can be downloaded from my site. Download them and make them executable for root. Log files will be created in /var/log/openvpn indicating when users have logged in and out, as well as login failures. Only users that have VPN Client Access enabled in Server-Manager will be allowed to use the VPN.
cd /etc/openvpn
mkdir -p /var/log/openvpn
wget http://sme.swerts-knudsen.dk/downloads/OpenVPN/OpenVPN.tgz
tar xzf OpenVPN.tgz
chmod 755 *.pl
chmod 755 *.sh
chmod 700 *.up
rm -rf OpenVPN.tgz
Now you need to make a few changes to /etc/openvpn/server.conf. Change the domain name listed as yourdomain.com, ensure that the DNS server pushed to the clients is correct (dhcp-option DNS 192.168.1.1) and lastly check the route to the local network that is pushed (route 192.168.1.0).
port 1194
dev tap
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
up ./openvpn.up
mode server
duplicate-cn
ifconfig 192.168.100.1 255.255.255.0
ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for OpenVPN clients
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "dhcp-option DOMAIN yourdomain.com" # push the DNS domain suffix
push "dhcp-option DNS 192.168.1.1" # push primary DNS entry to the openvpn clients.
push "route 192.168.1.0 255.255.255.0 192.168.100.1" # add route to protected network
comp-lzo
status-version 2
status openvpn-status.log
verb 3
If you are running this server in "server-gateway mode" you now need to open port 1194 for UDP traffic, as this is the default tunnel port for OpenVPN. Go into the Server Manager panel under port forwarding and forward UDP/1194 to "localhost". If your server is in "server mode" you also need to fiddle with IPTables. Install the port opener and make sure to update the navigation panel. You will then have a "Port Opening" entry in the "Configuration" section of the server-manager. Use it to open UDP/1194.
rpm -Uvh http://sme.swerts-knudsen.dk/downloads/dmc-mitel-portopening-0.0.1-4.noarch.rpm
/etc/e-smith/events/actions/navigation-conf
You now need to add the VPN address range as a local network in the server-manager under the Security section.
The last thing you need to do before the installation is complete is a small change to the /etc/openvpn/openvpn.up file. Change the 192.168.1.1 value to match the router you used when adding the local network.
#!/bin/sh
route del -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.1.1
route del -net 192.168.100.0 netmask 255.255.255.0 dev tap0
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.1
When you have changed the file to match your network, start the service.
/etc/init.d/openvpn start
Verify that the service is running correctly by issuing "ifconfig" and checking for the new "tap0" device.
tap0      Link encap:Ethernet  HWaddr 00:FF:A3:3C:75:18
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:178204868 errors:0 dropped:0 overruns:0 frame:0
          TX packets:192915252 errors:0 dropped:1880 overruns:0 carrier:0
          collisions:0
          RX bytes:1802570258 (1719.0 Mb)  TX bytes:1338165457 (1276.1 Mb)
Now you want to ensure that the OpenVPN service starts every time you reboot your SME server.
ln -s /etc/rc.d/init.d/openvpn /etc/rc7.d/S99OpenVPN
OpenVPN Client Configuration
The Win2k/XP/Vista client installation is quite simple and pretty much only requires the Windows GUI and a configuration file. The Windows GUI can be downloaded from openvpn.net. If you run Vista you need to use the 2.1 Release Candidate (today RC9) http://openvpn.net/release/openvpn-2.1_rc9-install.exe to get it to work. Windows 2K/XP users can use the stable version http://openvpn.net/release/openvpn-2.0.9-install.exe
When the GUI has been installed you need to create a configuration file for your VPN tunnel. Create a file called VPN.ovpn in "C:/Program Files/OpenVPN/config" with the following content, changing vpn.yourdomain.com to match your configuration.
port 1194
dev tap
remote vpn.yourdomain.com
tls-client
auth-user-pass
ca ca.crt
cert client.crt
key client.key
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
You now need to copy the client keys you generated during the server installation to the Win2k/XP/Vista client. The following keys and certificates must be copied to the "C:/Program Files/OpenVPN/config" folder.
* ca.crt
* client.crt
* client.key
The client installation is now complete and the user will be prompted for a username and password upon login.
FAQ
When running the OpenVPN client on MS Vista it fails to update routes
You need to make sure you run the OpenVPN GUI as administrator. See this page for details on how to do that: http://www.howtogeek.com/howto/windows-vista/always-start-an-application-in-administrator-mode-on-windows-vista/
How can I see which users are online or failed login?
Check the log file /var/log/openvpn/logins to see assigned IPs, login failures, etc.
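The server.conf above also writes openvpn-status.log (status-version 2), which lists the sessions that are up right now. As an added example that is not part of this contrib, here is a small Python parser for that file; the sample file content is constructed, and because the config uses duplicate-cn every session carries the same Common Name, so the real and virtual addresses are what tell users apart.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed sample (not a real capture) of the status-version 2 file that the
# "status openvpn-status.log" line in server.conf makes OpenVPN write.
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL]
TIME,Mon Sep 10 09:15:02 2012,1347268502
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,client,203.0.113.10:51234,192.168.100.100,184320,2097152,Mon Sep 10 08:02:11 2012,1347264131
CLIENT_LIST,client,198.51.100.7:1194,192.168.100.101,5120,8192,Mon Sep 10 09:14:40 2012,1347268480
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,192.168.100.100,client,203.0.113.10:51234,Mon Sep 10 09:15:00 2012,1347268500
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

def parse_status_v2(text: str) -> List[Dict[str, str]]:
    """One dict per connected client, keyed by the column names that the file's
    own HEADER,CLIENT_LIST line announces (so newer releases that add columns,
    e.g. Username, are handled without code changes)."""
    columns: Dict[str, List[str]] = {}
    clients: List[Dict[str, str]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "HEADER" and len(row) > 2:
            columns[row[1]] = row[2:]  # e.g. CLIENT_LIST -> its column names
        elif row[0] == "CLIENT_LIST" and "CLIENT_LIST" in columns:
            clients.append(dict(zip(columns["CLIENT_LIST"], row[1:])))
        elif row[0] == "END":
            break
    return clients

def client_for_virtual_ip(clients: List[Dict[str, str]], vip: str) -> Optional[Dict[str, str]]:
    """Map a tunnel address seen in a local log back to the remote endpoint that
    currently holds it (None if nobody does)."""
    return next((c for c in clients if c.get("Virtual Address") == vip), None)

def online_summary(clients: List[Dict[str, str]]) -> List[str]:
    """server.conf uses duplicate-cn, so every entry carries the same Common
    Name; real and virtual address are what tell sessions apart, and the
    username itself only shows up in /var/log/openvpn/logins."""
    return [f"{c['Common Name']} {c['Real Address']} -> {c['Virtual Address']}"
            f" since {c['Connected Since']}" for c in clients]
```

On the server, read /etc/openvpn/openvpn-status.log into parse_status_v2 and pair the result with the logins file to attach a username to each tunnel address.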
How do I report a problem or a suggestion?
This contrib has not yet been created in the bugtracker so just send an email to mailto:contribs@swerts-knudsen.dk