Difference between revisions of "VPN client"
(10 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
+ | This page describes how to configure OpenVPN client for IPv4 and IPv6. | ||
− | |||
− | See [[VPN|VPN introduction]] | + | Related articles: |
+ | * See [[VPN|VPN introduction]] | ||
+ | * See [[VPN server configuration]] | ||
Line 15: | Line 17: | ||
The client requires: | The client requires: | ||
− | * Authority of certification ca.cert | + | * Authority of certification ca.cert (or content as text, section between ---begin certificate--- ---end certificate---- included) |
− | * Client private key | + | * Client private key client.key (or content as text) |
− | * Client certificate | + | * Client certificate client.crt (or content as text) |
Then, you can setup client configuration. | Then, you can setup client configuration. | ||
+ | |||
+ | |||
+ | '''IMPORTANT NOTE for iOS''': | ||
+ | * '''You must have the CONTENT of each file and include it in the ".ovpn" file''' | ||
Line 28: | Line 34: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | ################################################# | + | ################################################## |
− | # OpenVPN 2. | + | # OpenVPN 2.4 config file # |
− | # --------------------------------------------- # | + | # ---------------------------------------------- # |
− | # version 1.0 - April 2011 - Guillaume Diaz | + | # version 1.0 - April 2011 - Guillaume Diaz # |
− | # version 1.2 - June 2013 - Guillaume Diaz | + | # version 1.2 - June 2013 - Guillaume Diaz # |
− | # conf update + chroot | + | # conf update + chroot # |
− | ################################################# | + | # version 1.3 - April 2016 - Guillaume Diaz # |
+ | # security increase # | ||
+ | ################################################## | ||
− | # OpenVPN | + | # OpenVPN binding |
########################## | ########################## | ||
− | # | + | # Tell TLS that we are building a CLIENT configuration |
client | client | ||
− | # | + | |
+ | # Network interface to use | ||
dev tun | dev tun | ||
− | # | + | |
− | proto | + | # To support both IPv4 + IPv6 |
− | # | + | proto udp6 |
− | remote | + | |
− | # Do not bind to a specific | + | # VPN server @:port |
+ | remote myserver.mydomain 8080 | ||
+ | |||
+ | # Do not bind to a specific port number | ||
nobind | nobind | ||
− | # | + | |
+ | # keep trying indefinitely to resolve until connection is made | ||
resolv-retry infinite | resolv-retry infinite | ||
− | # | + | |
− | + | # Try to preserve state across restarts | |
+ | persist-key | ||
+ | persist-tun | ||
− | # SECURITY | + | # SECURITY - certificates |
######################## | ######################## | ||
# SSL/TLS root certificate (ca) | # SSL/TLS root certificate (ca) | ||
# The server and all clients will use the same ca file. | # The server and all clients will use the same ca file. | ||
− | ca "C: | + | ca "C:/Apps/OpenVPN/config/ca.crt" |
+ | |||
# Client certificate and private key | # Client certificate and private key | ||
− | cert | + | <cert> |
− | key | + | -----BEGIN CERTIFICATE----- |
+ | my_client_certificate | ||
+ | .. | ||
+ | .. | ||
+ | -----END CERTIFICATE----- | ||
+ | </cert> | ||
+ | |||
+ | |||
+ | <key> | ||
+ | -----BEGIN PRIVATE KEY----- | ||
+ | my_private_key | ||
+ | .. | ||
+ | .. | ||
+ | -----END PRIVATE KEY----- | ||
+ | </key> | ||
− | # | + | # Security details (cryptography and communication settings) |
− | + | ############################################################## | |
− | |||
− | # | ||
− | |||
− | |||
# Encryption of data exchange | # Encryption of data exchange | ||
− | cipher AES- | + | cipher AES-256-CBC |
+ | |||
# Integrity check | # Integrity check | ||
− | auth | + | auth SHA512 |
− | # | + | |
− | + | # Downgrade privileges after initialization (non-Windows only) | |
+ | #user nobody | ||
+ | #group nogroup | ||
+ | |||
+ | # Compression of data exchange | ||
+ | # (i) Main setting will be push once connect | ||
+ | |||
+ | # Enable standard compression for the connection phase, it acts as failover too | ||
+ | comp-lzo | ||
+ | # Ensure VPN server certificate is of type "server": this reduce the man-in-the-middle attacks risks | ||
+ | remote-cert-tls server | ||
− | ##- | + | |
− | # | + | # CLIENTS CONF |
+ | ########################## | ||
+ | # Server security level | ||
+ | #script-security 2 | ||
+ | |||
+ | |||
+ | # LOGS | ||
+ | ########################## | ||
+ | # Log in a dedicated file instead of /var/log/messages | ||
+ | #log "C:\Apps\OpenVPN\log\code.daxiongmao.eu.log" | ||
+ | |||
+ | # Log level | ||
+ | # 0 is silent, except for fatal errors | ||
+ | # 4 is reasonable for general usage | ||
+ | # 5 and 6 can help to debug connection problems | ||
+ | # 9 is extremely verbose | ||
verb 4 | verb 4 | ||
− | # | + | |
− | # | + | # Silence repeating messages. |
− | + | # At most xx sequential same messages will be output to the log file. | |
− | |||
mute 10 | mute 10 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | |||
− | + | ==Ubuntu VPN DNS== | |
− | + | ||
− | + | If DNS resolution doesn't work well you need to add the following line to your client configuration: | |
− | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | + | script-security 2 | |
− | + | up /etc/openvpn/update-resolv-conf | |
− | + | down /etc/openvpn/update-resolv-conf | |
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | ||
+ | Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html | ||
Line 118: | Line 168: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
+ | # VPN software | ||
apt-get install openssl openssh-server openvpn | apt-get install openssl openssh-server openvpn | ||
+ | # VPN manager (UI) | ||
+ | apt-get install network-manager-openvpn network-manager-openvpn-gnome | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 125: | Line 178: | ||
See [[Firewall VPN]] | See [[Firewall VPN]] | ||
+ | |||
+ | |||
+ | You must enable global FORWARDING | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | vim /etc/sysctl.conf | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | <syntaxhighlight lang="apache"> | ||
+ | # Uncomment the next line to enable packet forwarding for IPv4 | ||
+ | net.ipv4.ip_forward=1 | ||
+ | |||
+ | |||
+ | # Uncomment the next line to enable packet forwarding for IPv6 | ||
+ | # Enabling this option disables Stateless Address Autoconfiguration | ||
+ | # based on Router Advertisements for this host | ||
+ | net.ipv6.conf.all.forwarding=1 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | '''DNS''' | ||
+ | |||
+ | You can set some DNS entries. | ||
+ | |||
+ | * Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers | ||
+ | * Add: <code>8.8.8.8, 8.8.4.4</code> | ||
+ | |||
+ | [[File:VPN client linux DNS entries.png|none|Ubuntu additional DNS entries]] | ||
Line 150: | Line 232: | ||
* Set '''target''' = <code>C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn</code> | * Set '''target''' = <code>C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn</code> | ||
[[File:VPN win shortcut 01.png|none|VPN windows shortcut howto 01]] | [[File:VPN win shortcut 01.png|none|VPN windows shortcut howto 01]] | ||
+ | |||
+ | In target the ''--connect'' option allows you to start a specific profile automatically. :-) | ||
* In '''Compatibility''' tab set the ''run as administrator'' option. | * In '''Compatibility''' tab set the ''run as administrator'' option. | ||
[[File:VPN win shortcut 02.png|none|VPN windows shortcut howto 02]] | [[File:VPN win shortcut 02.png|none|VPN windows shortcut howto 02]] | ||
− | |||
− | |||
− | |||
Latest revision as of 21:26, 1 November 2019
This page describes how to configure OpenVPN client for IPv4 and IPv6.
Related articles:
Contents
Client
Client files
The client requires:
- Authority of certification ca.cert (or content as text, section between ---begin certificate--- ---end certificate---- included)
- Client private key client.key (or content as text)
- Client certificate client.crt (or content as text)
Then, you can setup client configuration.
IMPORTANT NOTE for iOS:
- You must have the CONTENT of each file and include it in the ".ovpn" file
Client configuration
Copy / paste the following configuration - just adjust your path according to your OS and file system:
##################################################
# OpenVPN 2.4 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz #
# security increase #
##################################################
# OpenVPN binding
##########################
# Tell TLS that we are building a CLIENT configuration
client
# Network interface to use
dev tun
# To support both IPv4 + IPv6
proto udp6
# VPN server @:port
remote myserver.mydomain 8080
# Do not bind to a specific port number
nobind
# keep trying indefinitely to resolve until connection is made
resolv-retry infinite
# Try to preserve state across restarts
persist-key
persist-tun
# SECURITY - certificates
########################
# SSL/TLS root certificate (ca)
# The server and all clients will use the same ca file.
ca "C:/Apps/OpenVPN/config/ca.crt"
# Client certificate and private key
<cert>
-----BEGIN CERTIFICATE-----
my_client_certificate
..
..
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
my_private_key
..
..
-----END PRIVATE KEY-----
</key>
# Security details (cryptography and communication settings)
##############################################################
# Encryption of data exchange
cipher AES-256-CBC
# Integrity check
auth SHA512
# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nogroup
# Compression of data exchange
# (i) Main setting will be push once connect
# Enable standard compression for the connection phase, it acts as failover too
comp-lzo
# Ensure VPN server certificate is of type "server": this reduce the man-in-the-middle attacks risks
remote-cert-tls server
# CLIENTS CONF
##########################
# Server security level
#script-security 2
# LOGS
##########################
# Log in a dedicated file instead of /var/log/messages
#log "C:\Apps\OpenVPN\log\code.daxiongmao.eu.log"
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
Ubuntu VPN DNS
If DNS resolution doesn't work well you need to add the following line to your client configuration:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html
Software
Linux
Installation
# VPN software
apt-get install openssl openssh-server openvpn
# VPN manager (UI)
apt-get install network-manager-openvpn network-manager-openvpn-gnome
Security
See Firewall VPN
You must enable global FORWARDING
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
DNS
You can set some DNS entries.
- Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
- Add:
8.8.8.8, 8.8.4.4
Windows
On windows, many clients are available. The best one, for me, is: « OpenVPN.net Community » https://openvpn.net/index.php/open-source/downloads.html
- Take the Installer (64-bit), Windows XP and later
Then, you have to copy your .OVPN configuration & certificates inside the ~/openvpn/config/
folder.
To use the VPN:
- Run the OpenVPN client as administrator ==> right click on the icon ==> run as administrator
- Right click on the icon close to the system clock ==> connect
!! Hint !! You can create a 1 click shortcut.
- Edit the default shortcut
- Set target =
C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn
In target the --connect option allows you to start a specific profile automatically. :-)
- In Compatibility tab set the run as administrator option.
MacOSX
The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick
- Configuration files are in ~/librairies/openvpn
- That’s the libraries [“bibliothèque”] folder of the current user