Changes

From SME Server

2,402 bytes added , 09:32, 10 November 2023

Line 3: Line 3:

<blockquote style="float: right;">[[File:openvpn.png|250px]]</blockquote><br>

===Maintainer===

−

[mailto:daniel@firewall-services.com[[User:VIP-ire|Daniel B.]]] from [http://www.firewall-services.com Firewall Services]

[mailto:daniel@firewall-services.com][[User:VIP-ire|Daniel B.]] from [http://www.firewall-services.com Firewall Services]

−

=== Version ===

===Version===

−

===Description===

−

=== Description ===

[http://openvpn.net OpenVPN] is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, fail-over, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets.

Line 20: Line 18:

This contrib will help you configuring OpenVPN in bridge mode. With this mode, clients connecting to the VPN from the outside will get an IP in the local subnet, the VPN and the Internal Interface are bridged. There's no routing problem, no additional firewall rules. The downside is that you cannot limit which services VPN clients has access to, they are just treated as locally connected computers.

−

=== Requirements ===

===Requirements===

*You have to install and enable the [[BridgeInterface|bridge-interface]] contrib

*You may want to install [[PHPki]] to manage easily your certificates.

−

=== Installation ===

===Installation===

−

=~~===~~ For SME ~~8 ===~~=

/!\ new default cipher = AES-128-CBC and HMAC SHA256, if you have issues check the configuration options

yum --enablerepo=smecontribs install smeserver-openvpn-bridge

−

=~~===~~ For SME 9 ~~====~~

</tab>

you have to enable the '''[[epel]]''' repository

yum --enablerepo=smecontribs,epel install smeserver-openvpn-bridge

−

yum --enablerepo=smecontribs~~,epel~~ install smeserver-openvpn-bridge

</tab>

−

<~~headertabs~~/>

yum --enablerepo=smecontribs install smeserver-openvpn-bridge

</tab>

</tabs>

−

==== Configure the certificates ====

====Configure the certificates====

{{Note box|If you use [[PHPki]] to manage the certificates, you can go [[OpenVPN_Bridge#Using_PHPki_to_manage_the_certificates|here]] for more details.

If you are updating a previous installation, you can go [[OpenVPN_Bridge#Migrate_previous.2Fexisting_OpenVPN_Server_certificates|here]]}}

Line 46: Line 52:

*An URL where OpenVPN can update the CRL. If you use PHPki on the same server, you can let the default value.

{{Note box|If a valid CRL file (in PEM format) is not found at this URL, you'll get an email every hour in the admin mailbox}}

*A master Certificate (used to verify clients certificates)

*The server certificate (used by clients to verify the server)

Line 63: Line 70:

With "Certificates are ready" in green. If it's not the case, you have a problem with the certificates configuration.

−

==== Configure the service ====

====Configure the service====

The second step is to configure the service. In the main page of the panel, click on the "Service configuration" button. Here you can enable the service, choose the authentication mode you want, and configure the IP address range for the clients. Once you submit this form, the service should start. You can check everything is ok with this command:

Line 69: Line 76: −

==== Control the service ====

====Control the service====

Starting with version 2.0, OpenVPN daemon is now supervised.

You can control (start/stop/restart) the service from the server-manager, and you're advised to do so. But if you want to manually start/stop/restart the service, here are the corresponding commands:

*start

sv u /service/openvpn-bridge

*stop

sv d /service/openvpn-bridge

*restart

sv t /service/openvpn-bridge

{{Warning box|The script '''/etc/init.d/openvpn''' provided with OpenVPN rpm should not be used with SME. Do not try to use this script to control the service, it will not work due to SME templating system!!}}

−

=== Using PHPki to manage the certificates ===

===Using PHPki to manage the certificates===

With this new release, you can manage the certificates the way you want, but most of you will use [[PHPki]] for this.

−

==== Initialize your [http://en.wikipedia.org/wiki/Public_key_infrastructure PKI] ====

====Initialize your [http://en.wikipedia.org/wiki/Public_key_infrastructure PKI]====

This should already be done as you have installed the contrib following this [[PHPki#Installation|how-to]].

−

==== Create a certificate for the server ====

====Create a certificate for the server====

Now you need to create a certificate for OpenVPN on the server. For this, go in [[PHPki]] interface, then "create a new certificate". Here, you'll have to enter some informations about the certificate:

Line 106: Line 118:

[[File:Phpki_confirm_crt.png|768px|thumb|center|Confirm the creation of the new certificate]]

−

==== Configure OpenVPN with the newly created certificates ====

====Configure OpenVPN with the newly created certificates====

{{Note box|If you update an existing smeserver-openvpn-bridge installation, you can skip this part, and go directly [[OpenVPN_Bridge#Upgrade_from_smeserver-openvpn-bridge-fws-1.1-2|here]]}}

Line 126: Line 138:

[[File:Ovpn_bridge_config_crt.png|768px|thumb|center|Copy the certificates and keys in OpenVPN Bridge panel]]

−

=== Upgrade from smeserver-openvpn-bridge-fws-1.1-2 ===

===Upgrade from smeserver-openvpn-bridge-fws-1.1-2===

If you was using the previous version of the contrib, follow this part. It will migrate the certificate configuration from the previous installation.

−

==== Install the [[PHPki]] contrib ====

====Install the [[PHPki]] contrib====

First, you'll have to install [[PHPki]]. Be sure to follow the [[PHPki#Migrate_Certificates_from_previous_OpenVPN-Bridge_contrib_installations|migration step]]

−

==== Install the latest OpenVPN contrib ====

====Install the latest OpenVPN contrib====

yum --enablerepo=smecontribs install smeserver-openvpn-bridge

You can configure the bridge-interface contrib now. You can follow this [[BridgeInterface|how-to]]

−

==== Migrate previous/existing OpenVPN Server certificates ====

====Migrate previous/existing OpenVPN Server certificates====

Now, you should install the old certificates in the new location

For this, you can use this script:

Line 168: Line 180:

# Blank out the IP if defined as 'undef'

if [ $IP == 'undef' ]; then

−

IP=''

IP=

/sbin/e-smith/db $DBNAME set $CERT rule comment "$COM" redirectGW "$REDIR" ip "$IP"

Line 199: Line 211:

Save this script and run it as root.

−

=== Configuration rules ===

===Configuration rules===

The configuration rules is the new way to apply specific configuration to a client. As now the certificates are managed separately, you have to create rules separately. It's still quite simple, just add a new rule, enter the common name to match, a comment, choose an optional fixed IP, choose to enable/disable the gateway redirection, or even block a specific client. Then save, and you're done.

−

=== Client Configuration ===

===Client Configuration===

OpenVPN runs on most platforms.

In any case, the first step will always be the same: you have to create a new certificate for the client.

−

==== Create the certificate with PHPki ====

====Create the certificate with PHPki====

If you use your own PKI tool, you should be able to do it yourself ;)

If you use [[PHPki]], here are the steps to follow

−

* In [[PHPki]] administrative interface, click on the "Create a new certificate" link.

*In [[PHPki]] administrative interface, click on the "Create a new certificate" link.

Here, you'll have to enter several informations. Most of them are up to you. Here's an example:

[[File:Phpki_ovpn_bridge_create_client_crt.png|800px|thumb|center|Create a new certificate for the client]]

Line 237: Line 250:

If you have configured and shared secret key on the server, you also need to download it.

−

==== Windows ====

====Windows====

−

For Windows systems, you should download the OpenVPN GUI stable release 2.0.9 from ~~http~~://openvpn.se/~~download~~.~~html, or the release candidate 2.1 from http:~~//~~openvpn.se/development~~.html. ~~Starting with version 2.1,~~ OpenVPN includes the Windows GUI in the installer~~. 2.1 is still in RC but is quite stable and has some advantages over 2.09. One of the main one is that your can run it on 2000/XP without administrative privileges~~.

For Windows systems, you should download the OpenVPN GUI stable release 2.4.4 from https://openvpn.net/index.php/download/community-downloads.html. OpenVPN includes the Windows GUI in the installer.

On Windows, the configuration directory for OpenVPN is C:\Program Files\OpenVPN\config

Line 247: Line 260:

Now your client should be able to connect with the OpenVPN GUI.

−

==== Linux with Network Manager ====

====Linux with Network Manager====

−

You can see french page for Debian.

−

===== Ubuntu 12.10 64bit =====

=====Ubuntu 12.10 64bit=====

(Not tested in 32bit but will most likely work)

If possible follow the above windows tutorial first to test that you have configured openvpn correctly for server and client.

−

* '''Install openvpn for network manager'''

*'''Install openvpn for network manager'''

sudo apt-get install network-manager-openvpn

−

* Create folder called e.g. "~~openvpn" (can be anything) in your home directory (could be any directory).~~

Under Ubuntu 16.04 64bit, we also needed to install "network-manager-openvpn-gnome":

−

* Assuming that phpki is being used. In browser go to '''server-manager ~~panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the "~~openvpn" ~~folder.~~

sudo apt-get install network-manager-openvpn-gnome

−

* Go to '''server-manager ~~panel >~~ openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openvpn" folder. Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url.

−

* In ubuntu go to '''Network Manager > VPN Connections > Configure VPN'''. Click '''import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager.

−

* Add username and password of client, then you have to give the path of the '''user.p12''' key of your user and set the ~~Private key password (the password set during the certificate creation in phpky).~~

−

* After that you have to select the 'advanced' panel and go to 'TLS authentication'. Enable the use of TLS authentication, give the path or your '''takey.pem''' and select the key direction to 1. (if needed)

−

* As a note, when connected successfully to the vpn, browsing the internet may not work in tandem, therefore go to '''ipv4 settings''' tab when editing the vpn connection. Click on "Routes" and check "Use this connection only for resources on its network". Also try adding 8.8.4.4 to "Additional DNS Servers" (This is google's dns servers).

−

===== Fedora 16 / 17 64bit =====

*Create folder called e.g. "openvpn" (can be anything) in your home directory (could be any directory).

*Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the "openvpn" folder.

*Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openvpn" folder. Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url.

*In ubuntu go to '''Network Manager > VPN Connections > Configure VPN'''. Click '''import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager.

*Add username and password of client, then you have to give the path of the '''user.p12''' key of your user and set the Private key password (the password set during the certificate creation in phpki).

*After that you have to select the 'advanced' panel and go to 'TLS authentication'. Enable the use of TLS authentication, give the path or your '''takey.pem''' and select the key direction to 1. (if needed)

*As a note, when connected successfully to the vpn, browsing the internet may not work in tandem, therefore go to '''ipv4 settings''' tab when editing the vpn connection. Click on "Routes" and check "Use this connection only for resources on its network". Also try adding 8.8.4.4 to "Additional DNS Servers" (This is google's dns servers).

=====Fedora 16 / 17 64bit=====

(Not tested in 32bit but will most likely work)

Note: server set as user/pass + certificate

−

* '''Install openvpn for network manager'''

*'''Install openvpn for network manager'''

yum install NetworkManager-openvpn

======manual settings======

−

~~====== manual settings ======~~

*Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it into one convenient folder.

−

* Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it into one convenient folder.

*go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left

−

* go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left

*in the new pop-up window select '''VPN''' then push Create

−

* in the new pop-up window select '''VPN''' then push Create

*select '''OpenVPN''' and push Create

−

* select '''OpenVPN''' and push Create

*select password with certificate (or any other method you set on server)

−

* select password with certificate (or any other method you set on server)

*put credentials for user and private key password

−

* put credentials for user and private key password

*set the gateway as your ''server.domain.tld ''

−

* set the gateway as your ''server.domain.tld ''

*at advanced check ''Use LZO data compression''

−

* at advanced check ''Use LZO data compression''

*at advanced check '' Use a TAP device''

−

* at advanced check '' Use a TAP device''

*at TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed)

−

* at TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed)

*click on the small folder near the first certificate and go to the bundle certificate downloaded into convenient folder - all certificates should be filled up

−

* click on the small folder near the first certificate and go to the bundle certificate downloaded into convenient folder - all certificates should be filled up

*Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"''

−

* Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"

*save and test

−

* save and test

−

====== import settings ======

======import settings======

−

* Create folder called e.g. ".openVPN" (can be anything) in your home directory (could be any directory).

*Create folder called e.g. ".openVPN" (can be anything) in your home directory (could be any directory).

−

* Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the ".openVPN" folder.

*Assuming that phpki is being used. In browser go to '''server-manger panel > certificate management''' and download the relevant client's "PCKS#12 Bundle" and place it in the ".openVPN" folder.

−

* Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openVPN" folder (the name of the file will be the visible name in network manager to select VPN connection). Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url.

*Go to '''server-manager panel > openvpn-bridge''' click on "Display a functional client configuration file". Copy and paste this into a text editor and save with '''.ovpn''' extension into the "openVPN" folder (the name of the file will be the visible name in network manager to select VPN connection). Make sure user.p12 is replaced with the name of the .p12 (PCKS#12 Bundle) client file downloaded previously. Also check that the '''remote''' (gateway) is the correct server url.

−

* In fedora ALT+F2 enter ''nm-connection-editor'' and ENTER

*In fedora ALT+F2 enter ''nm-connection-editor'' and ENTER

−

* go to '''Network Connections > VPN '''. Click '''Import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager.

*go to '''Network Connections > VPN '''. Click '''Import''' then in the explorer navigate to the openvpn folder in the home directory and select the .ovpn file created previously. This should automatically load all settings into network manager.

−

* Add username and password of client. Private key password which could differ from the user pass (and will not change if user/admin will change user password in ''server-manager'' or ''server-user''. it is the password set during the certificate creation). Now give also the path of certificate '''user.p12'''

*Add username and password of client. Private key password which could differ from the user pass (and will not change if user/admin will change user password in ''server-manager'' or ''server-user''. it is the password set during the certificate creation). Now give also the path of certificate '''user.p12'''

−

* at Advanced/TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed)

*at Advanced/TLS authentication, give the path of the takey.pem and enable it with the direction 1 (if needed)

−

* Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network'' (unless you use the "Redirect Gateway" functionality)

*Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network'' (unless you use the "Redirect Gateway" functionality)

−

* save and test

*save and test

−

===== Fedora 19 64bit =====

=====Fedora 19 64bit=====

(Not tested in 32bit but will most likely work)

Line 309: Line 328:

you'll need to

−

* Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's cacert.pem user.pem user-key.pem and place them into one convenient place.

*Assuming that phpki is being used. In browser go to '''server-manager panel > certificate management''' and download the relevant client's cacert.pem user.pem user-key.pem and place them into one convenient place.

−

* go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left

*go to '''yournuserame > System Settings > Network''' click on little '''+''' sign on bottom left

−

* in the new pop-up window select '''VPN''' then push Create

*in the new pop-up window select '''VPN''' then push Create

−

* select '''OpenVPN''' and push Create

*select '''OpenVPN''' and push Create

−

* select password with certificate (or any other method you set on server)

*select password with certificate (or any other method you set on server)

−

* put credentials for user and private key password

*put credentials for user and private key password

−

* set the gateway as your ''server.domain.tld ''

*set the gateway as your ''server.domain.tld ''

−

* at advanced check ''Use LZO data compression''

*at advanced check ''Use LZO data compression''

−

* at advanced check '' Use a TAP device''

*at advanced check '' Use a TAP device''

−

* click on the small folder near the first certificate and go to the user.pem certificate downloaded into convenient folder

*click on the small folder near the first certificate and go to the user.pem certificate downloaded into convenient folder

−

* click on the small folder near the second certificate and go to the cacert.pem certificate downloaded into convenient folder

*click on the small folder near the second certificate and go to the cacert.pem certificate downloaded into convenient folder

−

* click on the small folder near the third certificate and go to the user-key.pem certificate downloaded into convenient folder

*click on the small folder near the third certificate and go to the user-key.pem certificate downloaded into convenient folder

−

** Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"

**Note: I recommend to check also in '''IPv4 > route''' ''Use this connection only for resources on its network"''

−

* save and test

*save and test

−

==== Linux ====

====Linux====

−

==== Mac OS X ====

====Mac OS X====

OpenVPN works great with [http://code.google.com/p/tunnelblick/ Tunnelblick].

Line 349: Line 368:

service openvpn-bridge restart

−

=== Advanced configuration ===

====Android====

You cannot use TAP mode, and therefore openvpn-bridge, with Android.

Please read this for more:

https://openvpn.net/faq/why-does-the-app-not-support-tap-style-tunnels/

You can use openvpn-routed:

https://wiki.contribs.org/OpenVPN_Routed

===Advanced configuration===

Some advanced options are not presented in the panel. The goal was to keep the panel as simple as possible as most installations won't need to change advanced settings. But advanced options are still available with some DB keys:

Line 361: Line 392:

*'''access''': (private|public) you should let this to public as running a VPN server just for the local network make no sens

−

*'''cipher''': (valid cipher name) You can force the cipher to use. If you put auto, or delete this key, client and server will negotiate the stronger cipher both side support. To have the list of the supported cipher, issue the command

*'''cipher''': (valid cipher name) You can force the cipher to use. Starting SME 10, default is AES-128-CBC . If you put auto ( or delete this key, for SME9 and before ) the default will be the current of openvpn wich is as per 2.4 : BF-CBC. Also when both client and server are at least version 2.4, they will negotiate the stronger cipher both side support. SME10 enforce the following authorized ciphers: --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC . To have the list of the supported cipher, issue the command

openvpn --show-ciphers

Line 381: Line 413:

*'''tapIf''': (tap interface) use this tap interface. You should use a free tap interface enslaved in the bridge interface (configured with the [http://wiki.contribs.org/BridgeInterface#Installation bridge-interface] contrib). Do not change this setting unless you know what you're doing

Also you can also set the property PushRoute "disabled" to any network in networks db to avoid the contrib to push the network to the client.

Once you have configured the service like you want, just run the command

signal-event openvpn-bridge-update

−

=== Uninstall ===

===Uninstall===

To remove the contrib, just run:

yum remove smeserver-openvpn-bridge

Line 392: Line 427:

yum remove smeserver-phpki phpki smeserver-bridge-interface perl-Net-OpenVPN-Manage perl-Net-Telnet

−

=== Notes ===

===Notes===

−

==== VMWare promiscuous mode ====

====OpenVPN and SME installed in virtual machine - VMWare promiscuous mode====

−

By default for ~~at least~~ ESX(i)3.5 ~~and 4~~ VMWare rejects packets in promiscuous mode on the vSwitch, which will cause trouble with OpenVPN in bridge mode. To correct this in VMWare set:

By default for all version of ESX(i) starting from 3.5 to 7.0 (current in february 2020) VMWare rejects packets in promiscuous mode on the vSwitch, which will cause trouble with OpenVPN in bridge mode. The main symptom is that after successful authentication from your remote client you can ping/reach only the OpenVPN server while any other ip address on the LAN can't be pinged/reached. To correct this in VMWare set:

Configuration > Networking > your vSwitch: Properties > Ports-tab > vSwitch > Edit > Security-tab > Promiscuous mode: accept

For ESXI hypervisor still working with vSphere client:

[[File:Promiscuous_mode_-_Esxi.jpg|786x786px]]

For ESXI greater than 6.5 using webui client:

[[File:Promiscuous mode - Webui.jpg|border|frameless|784x784px]]

−

==== Virtualbox promiscuous mode ====

====OpenVPN and SME installed in virtual machine - Virtualbox promiscuous mode====

−

~~there~~ is the same thing in virtualbox, you need to give the argument "allow all" in the network tab configuration.

There is the same thing in virtualbox, you need to give the argument "allow all" in the network tab configuration.

virtual machine > configuration > network > adapter 1

Line 413: Line 455:

[[Image:virtualbox-Sme8-Settings.png]]<br />

====OpenVPN and SME installed in virtual machine - Other hypervisors====

It's documented that you can experience such problems in other hypervisors like OVirt, Proxmox, XEN or others. Keep in mind to search for equivalent settings concerning "promiscuous mode" of vSwitch.

====Transparent proxy settings====

{{Note box|Keep in mind you need to disabled your transparent proxy else your host can no longer browse the http protocol.}}

Line 420: Line 466:

[[Image:proxy-setting.png|width|800px]]<br />

−

=== Bugs ===

===Workarounds and known issues===

if you migrate from SME8 to SME9 and are not able to connect after correctly migrating your certificates, this might be related to not secure enough algorithm. CentOS 6.9 release notes state that "Support for insecure cryptographic protocols and algorithms has been dropped. This affects usage of MD5, SHA0, RC4 and DH parameters shorter than 1024 bits." Of course real solution would be to migrate all your certs to better algorithm.

workaround :<syntaxhighlight lang="bash" line="1">

echo -e "LegacySigningMDs md2 md5\nMinimumDHBits 512\n" >> /etc/pki/tls/legacy-settings

service openvpn-bridge restart

</syntaxhighlight>

===Bugs===

Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]

and select the smeserver-openvpn-bridge component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-openvpn-bridge|title=this link}}

−

{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-openvpn-bridge|noresultsmessage="No open bugs found."}}

===Changelog===

Only versions released in smecontrib are listed here.

==Other articles in this category==

Gieres

3,054

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/33582...42373"

Changes

OpenVPN Bridge (view source)

Revision as of 09:32, 10 November 2023

Navigation menu

Page actions

Page actions

Personal tools

Koozali SME Server

Recent activities

Koozali resources

Koozali SME Server wiki

Tools

Search