Difference between revisions of "VPN client"

 
(10 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
  
 +
This page describes how to configure OpenVPN client for IPv4 and IPv6.
  
=Introduction=
 
  
See [[VPN|VPN introduction]]
+
Related articles:
 +
* See [[VPN|VPN introduction]]
 +
* See [[VPN server configuration]]
  
  
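Review bot: the two "Related articles" bullets each start with "See", which reads as a sentence inside a link list; drop the word so the items are just `[[VPN|VPN introduction]]` and `[[VPN server configuration]]`. The new intro sentence also needs an article: "how to configure an OpenVPN client".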
Line 15: Line 17:
  
 
The client requires:
 
The client requires:
* Authority of certification ca.cert
+
* Authority of certification ca.cert (or content as text, section between ---begin certificate--- ---end certificate---- included)
* Client private key client.key
+
* Client private key client.key     (or content as text)
* Client certificate client.crt
+
* Client certificate client.crt     (or content as text)
  
 
Then, you can setup client configuration.
 
Then, you can setup client configuration.
 +
 +
 +
'''IMPORTANT NOTE for iOS''':
 +
* '''You must have the CONTENT of each file and include it in the ".ovpn" file'''
  
  
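Review bot: the ca.cert bullet writes the PEM markers as "---begin certificate---", but the real lines are "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" (five dashes, upper case) and must be copied exactly or the inline block is rejected; the file is also called ca.crt everywhere else on the page, so use one name. The iOS note should name the inline directives the content goes into (<ca>, <cert>, <key>) and say that the inline form works on every platform, so a single profile can serve all clients.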
Line 28: Line 34:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
#################################################
+
##################################################
# OpenVPN 2.0 client config                     #
+
# OpenVPN 2.4 config file                        #
# --------------------------------------------- #
+
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz
+
# version 1.0 - April 2011 - Guillaume Diaz     #
# version 1.2 - June 2013 - Guillaume Diaz
+
# version 1.2 - June 2013 - Guillaume Diaz       #
#                          conf update + chroot
+
#                          conf update + chroot #
#################################################
+
# version 1.3 - April 2016 - Guillaume Diaz      #
 +
#                          security increase    #
 +
##################################################
  
  
# OpenVPN configuration
+
# OpenVPN binding
 
##########################
 
##########################
# Client mode
+
# Tell TLS that we are building a CLIENT configuration
 
client
 
client
# VPN mode
+
 
 +
# Network interface to use
 
dev tun
 
dev tun
# Protocol
+
 
proto udp
+
# To support both IPv4 + IPv6
# Remote server
+
proto udp6
remote dev.daxiongmao.eu 8080
+
 
# Do not bind to a specific local port number
+
# VPN server @:port
 +
remote myserver.mydomain 8080
 +
 
 +
# Do not bind to a specific port number
 
nobind
 
nobind
# Keep trying indefinitely to resolve the hostname of the OpenVPN server.
+
 
 +
# keep trying indefinitely to resolve until connection is made
 
resolv-retry infinite
 
resolv-retry infinite
# Compression of data exchange
+
 
comp-lzo
+
# Try to preserve state across restarts
 +
persist-key
 +
persist-tun
  
  
  
# SECURITY
+
# SECURITY - certificates
 
########################
 
########################
 
# SSL/TLS root certificate (ca)
 
# SSL/TLS root certificate (ca)
 
# The server and all clients will use the same ca file.
 
# The server and all clients will use the same ca file.
ca "C:\\Apps\\OpenVPN\\config\\ca.crt"
+
ca "C:/Apps/OpenVPN/config/ca.crt"
 +
 
 
# Client certificate and private key
 
# Client certificate and private key
cert "C:\\Apps\\OpenVPN\\config\\xinxiongmao.crt"
+
<cert>
key "C:\\Apps\\OpenVPN\\config\\xinxiongmao.key"
+
-----BEGIN CERTIFICATE-----
 +
my_client_certificate
 +
..
 +
..
 +
-----END CERTIFICATE-----
 +
</cert>
 +
 
 +
 
 +
<key>
 +
-----BEGIN PRIVATE KEY-----
 +
my_private_key
 +
..
 +
..
 +
-----END PRIVATE KEY-----
 +
</key>
  
  
# Downgrade privileges after initialization (non-Windows only)
+
# Security details (cryptography and communication settings)
user nobody
+
##############################################################
group nogroup
 
# Try to preserve some state across restarts.
 
persist-key
 
persist-tun
 
  
 
# Encryption of data exchange
 
# Encryption of data exchange
cipher AES-128-CBC
+
cipher AES-256-CBC
 +
 
 
# Integrity check
 
# Integrity check
auth MD5
+
auth SHA512
# Control server certificate
+
 
ns-cert-type server
+
# Downgrade privileges after initialization (non-Windows only)
 +
#user nobody
 +
#group nogroup
 +
 
 +
# Compression of data exchange
 +
# (i) Main setting will be push once connect
 +
 
 +
# Enable standard compression for the connection phase, it acts as failover too
 +
comp-lzo
  
 +
# Ensure VPN server certificate is of type "server": this reduce the man-in-the-middle attacks risks
 +
remote-cert-tls server
  
##-- Logs --##
+
 
# Set log file verbosity.
+
# CLIENTS CONF
 +
##########################
 +
# Server security level
 +
#script-security 2
 +
 
 +
 
 +
# LOGS
 +
##########################
 +
# Log in a dedicated file instead of /var/log/messages
 +
#log         "C:\Apps\OpenVPN\log\code.daxiongmao.eu.log"
 +
 
 +
# Log level
 +
# 0 is silent, except for fatal errors
 +
# 4 is reasonable for general usage
 +
# 5 and 6 can help to debug connection problems
 +
# 9 is extremely verbose
 
verb 4
 
verb 4
# Wireless networks often produce a lot of duplicate packets.
+
 
# Set this flag to silence duplicate packet warnings.
+
# Silence repeating messages.
mute-replay-warnings
+
# At most xx sequential same messages will be output to the log file.
# Silence repeating messages
 
 
mute 10
 
mute 10
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
'''Notes:'''
 
  
You have to edit the configuration file.
+
==Ubuntu VPN DNS==
  
* Adjust paths on lines 30-38
+
 
* On Windows you must you the double slash \\
+
If DNS resolution doesn't work well you need to add the following line to your client configuration:
* On Linux don’t forget to uncomment the following lines for better security:
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
# Downgrade privileges after initialization (non-Windows only)
+
script-security 2
user nobody
+
up /etc/openvpn/update-resolv-conf
group nogroup
+
down /etc/openvpn/update-resolv-conf
 
</syntaxhighlight>
 
</syntaxhighlight>
  
* Linux: depending on your distribution you might need to adjust user / group default name.
+
 
 +
Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html
  
  
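Review bot: this revision is labelled "security increase" but comments out the `user nobody` / `group nogroup` privilege drop that the previous version applied unconditionally; on Linux that leaves the OpenVPN process running as root for its whole lifetime, so keep the two directives active and mark them non-Windows with a comment instead of disabling them. Smaller points in the same hunk: `comp-lzo` stays enabled while the comment says the server pushes the real setting, so a reader copying this gets compression of encrypted traffic by default; the `ca` line still points at a file while `<cert>`/`<key>` are inline, which contradicts the iOS note above (an inline `<ca>` block keeps the profile single-file); the commented `#log` path uses single backslashes inside a quoted string, which OpenVPN treats as escapes, so use forward slashes as the `ca` line does; and the new "Ubuntu VPN DNS" text says "add the following line" but shows three lines, the first of which (`script-security 2`) is what allows the up/down scripts to run and deserves saying.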
Line 118: Line 168:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 +
# VPN software
 
apt-get install openssl openssh-server openvpn  
 
apt-get install openssl openssh-server openvpn  
 +
# VPN manager (UI)
 +
apt-get install network-manager-openvpn network-manager-openvpn-gnome
 
</syntaxhighlight>
 
</syntaxhighlight>
  
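Review bot: `openssh-server` is installed under the "# VPN software" comment, but an SSH daemon is not part of an OpenVPN client and opens a listening service on every machine that follows this guide; list only `openssl openvpn` here and leave SSH to a separate step for hosts that actually need remote access.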
Line 125: Line 178:
  
 
See [[Firewall VPN]]
 
See [[Firewall VPN]]
 +
 +
 +
You must enable global FORWARDING
 +
<syntaxhighlight lang="bash">
 +
vim /etc/sysctl.conf
 +
</syntaxhighlight>
 +
 +
 +
<syntaxhighlight lang="apache">
 +
# Uncomment the next line to enable packet forwarding for IPv4
 +
net.ipv4.ip_forward=1
 +
 +
 +
# Uncomment the next line to enable packet forwarding for IPv6
 +
#  Enabling this option disables Stateless Address Autoconfiguration
 +
#  based on Router Advertisements for this host
 +
net.ipv6.conf.all.forwarding=1
 +
</syntaxhighlight>
 +
 +
 +
 +
'''DNS'''
 +
 +
You can set some DNS entries.
 +
 +
* Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
 +
* Add: <code>8.8.8.8, 8.8.4.4</code>
 +
 +
[[File:VPN client linux DNS entries.png|none|Ubuntu additional DNS entries]]
  
  
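Review bot: "You must enable global FORWARDING" is added to the client security section without a reason; IP forwarding turns the client host into a router between the tunnel and any attached network, so it should be enabled only when this machine relays traffic for other hosts (the server article is the usual place). State that condition, and note that the sysctl lines are shown already uncommented although their comments say "Uncomment the next line". On the DNS bullet, 8.8.8.8 / 8.8.4.4 are Google's public resolvers; say whether the VPN server pushes its own resolver so readers know which queries leave the tunnel.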
Line 150: Line 232:
 
* Set '''target''' = <code>C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn</code>
 
* Set '''target''' = <code>C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn</code>
 
[[File:VPN win shortcut 01.png|none|VPN windows shortcut howto 01]]
 
[[File:VPN win shortcut 01.png|none|VPN windows shortcut howto 01]]
 +
 +
In target the ''--connect'' option allows you to start a specific profile automatically. :-)
  
  
 
* In '''Compatibility''' tab set the ''run as administrator'' option.  
 
* In '''Compatibility''' tab set the ''run as administrator'' option.  
 
[[File:VPN win shortcut 02.png|none|VPN windows shortcut howto 02]]
 
[[File:VPN win shortcut 02.png|none|VPN windows shortcut howto 02]]
 
 
In target the ''--connect'' option allows you to start a specific profile automatically. :-)
 
  
  
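Review bot: the "run as administrator" checkbox gives openvpn-gui.exe full administrator rights every time the shortcut is used; the OpenVPN 2.4 Windows installer that the config header targets also ships the Interactive Service, which lets the GUI run as a normal user while only the service is privileged. Recommend that as the default and keep "run as administrator" as the fallback for installs without the service.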

Latest revision as of 21:26, 1 November 2019


This page describes how to configure an OpenVPN client for IPv4 and IPv6.


Related articles:

  • VPN introduction
  • VPN server configuration

Client

Client files

The client requires:

  • Certificate authority certificate ca.crt (or its content as text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
  • Client private key client.key (or its content as text)
  • Client certificate client.crt (or its content as text)

Then you can set up the client configuration.


IMPORTANT NOTE for iOS:

  • You must paste the CONTENT of each file (CA certificate, client certificate and client key) inline into the ".ovpn" file instead of referencing the files by path


Client configuration

Copy and paste the following configuration; just adjust the paths to your OS and file system:

<syntaxhighlight lang="bash">
##################################################
# OpenVPN 2.4 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz      #
#                           security increase    #
##################################################


# OpenVPN binding
##########################
# Tell TLS that we are building a CLIENT configuration
client

# Network interface to use
dev tun

# To support both IPv4 + IPv6
proto udp6

# VPN server address:port
remote myserver.mydomain 8080

# Do not bind to a specific local port number
nobind

# Keep trying indefinitely to resolve the server name until a connection is made
resolv-retry infinite

# Try to preserve state across restarts
persist-key
persist-tun



# SECURITY - certificates
########################
# SSL/TLS root certificate (ca)
# The server and all clients use the same ca file.
# On Windows use forward slashes (or doubled backslashes) inside quoted paths.
ca "C:/Apps/OpenVPN/config/ca.crt"

# Client certificate and private key, embedded inline (required on iOS)
<cert>
-----BEGIN CERTIFICATE-----
my_client_certificate
..
..
-----END CERTIFICATE-----
</cert>


<key>
-----BEGIN PRIVATE KEY-----
my_private_key
..
..
-----END PRIVATE KEY-----
</key>


# Security details (cryptography and communication settings)
##############################################################

# Encryption of data exchange
cipher AES-256-CBC

# Integrity check (HMAC digest)
auth SHA512

# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nogroup

# Compression of data exchange
# (i) The effective compression setting is pushed by the server once connected

# Enable standard compression for the connection phase; it also acts as a fallback
comp-lzo

# Require the server certificate to carry the "server" key usage: this stops another
# client's certificate from being used to impersonate the server (man-in-the-middle)
remote-cert-tls server


# CLIENT CONF
##########################
# Script execution policy (level 2 allows up/down scripts to run)
#script-security 2


# LOGS
##########################
# Log to a dedicated file instead of /var/log/messages (forward slashes on Windows)
#log "C:/Apps/OpenVPN/log/code.daxiongmao.eu.log"

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages:
# at most 10 identical consecutive messages are written to the log file
mute 10
</syntaxhighlight>
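The iOS note above says the certificate contents must be pasted inline, while the configuration above mixes a file-based `ca` with inline `<cert>`/`<key>` blocks. As an added example (not the wiki page's own code), the Python script below turns such a profile into a fully inline one from the separate PEM files and then audits it for the settings the page relies on: `remote-cert-tls server` rather than the older `ns-cert-type`, a strong `auth` digest, all three credentials present and inline, and the `user`/`group` privilege drop. It goes one step beyond the page by also flagging enabled compression. All function names are hypothetical, and the sample profile and PEM bodies are constructed placeholders, not real credentials.

```python
"""Build a fully inline .ovpn profile from a base config plus PEM files, then
audit it for the settings this page relies on.  Added example, not the wiki's
own code; helper names are hypothetical and the sample data is constructed."""
import re
import shlex

# Credential directives that may reference files, and the PEM type each carries.
PEM_KIND = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}


def extract_pem(text, kind):
    """Return the first PEM block of the given kind, BEGIN/END lines included.
    The page stresses that the markers must be kept when pasting, so a file
    without them is rejected instead of being silently embedded."""
    pattern = r"-----BEGIN ((?:[A-Z]+ )*)%s-----\r?\n.*?-----END \1%s-----" % (kind, kind)
    match = re.search(pattern, text, re.S)
    if not match:
        raise ValueError("no %s block with BEGIN/END markers found" % kind)
    return match.group(0)


def parse_profile(text):
    """Split a profile into (directive token lists, {tag: inline block body}).
    Blank lines and '#'/';' comments are skipped, as OpenVPN does."""
    directives, inline, current, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside <tag> ... </tag>
            if line == "</%s>" % current:
                inline[current], current, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            current = opening.group(1)
            continue
        directives.append(shlex.split(line))
    if current is not None:
        raise ValueError("unterminated <%s> block" % current)
    return directives, inline


def build_inline_profile(base_config, pem_files):
    """Drop the ca/cert/key file directives named in pem_files ({tag: content})
    and append equivalent inline blocks: the single-file profile iOS needs."""
    kept, in_block = [], False
    for raw in base_config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"</?[a-z-]+>", line):
            in_block = not line.startswith("</")
        elif not in_block:
            tokens = line.split(None, 1)
            if tokens and tokens[0] in pem_files:
                continue  # replaced by the inline block appended below
        kept.append(raw)
    blocks = ["<%s>\n%s\n</%s>" % (tag, extract_pem(pem_files[tag], PEM_KIND[tag]), tag)
              for tag in PEM_KIND if tag in pem_files]
    return "\n".join(kept).rstrip() + "\n\n" + "\n\n".join(blocks) + "\n"


def audit_profile(text):
    """Return findings against the page's recommendations; [] means clean."""
    directives, inline = parse_profile(text)
    by_name = {d[0]: d[1:] for d in directives}
    findings = []
    if "ns-cert-type" in by_name:
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    if by_name.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any CA-signed certificate, "
                        "including another client's, would be accepted as the server")
    for tag in PEM_KIND:
        if tag in by_name and tag not in inline:
            findings.append("%s is a file reference; embed it as <%s> for an inline profile" % (tag, tag))
        elif tag not in by_name and tag not in inline:
            findings.append("no %s configured" % tag)
    digest = by_name.get("auth", ["SHA1"])[0].upper()  # OpenVPN's default auth is SHA1
    if digest in ("NONE", "MD5", "SHA1"):
        findings.append("weak HMAC 'auth %s'; the page uses SHA512" % digest)
    if "comp-lzo" in by_name or "compress" in by_name:
        findings.append("compression enabled: disable it unless the server requires it")
    if "user" not in by_name or "group" not in by_name:
        findings.append("no user/group privilege drop (acceptable on Windows only)")
    return findings


# Constructed sample: the page's profile, trimmed, with placeholder PEM bodies.
BASE_CONFIG = """\
client
proto udp6
remote myserver.mydomain 8080
ca "C:/Apps/OpenVPN/config/ca.crt"
<cert>
-----BEGIN CERTIFICATE-----
my_client_certificate
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
my_private_key
-----END PRIVATE KEY-----
</key>
cipher AES-256-CBC
auth SHA512
#user nobody
#group nogroup
comp-lzo
remote-cert-tls server
"""
CA_FILE = "-----BEGIN CERTIFICATE-----\nmy_ca_certificate\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for finding in audit_profile(build_inline_profile(BASE_CONFIG, {"ca": CA_FILE})):
        print("-", finding)
```

Run as a script it converts the sample and prints the remaining findings (compression on, no privilege drop); point `BASE_CONFIG` at your own profile and `pem_files` at the real ca.crt/client.crt/client.key contents to produce the .ovpn you copy to the phone.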


Ubuntu VPN DNS

If DNS resolution does not work correctly, add the following lines to your client configuration (script-security 2 is what allows the up/down scripts to run):

<syntaxhighlight lang="bash">
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
</syntaxhighlight>


Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html


Software

Linux

Installation

<syntaxhighlight lang="bash">
# VPN software
apt-get install openssl openssh-server openvpn
# VPN manager (UI)
apt-get install network-manager-openvpn network-manager-openvpn-gnome
</syntaxhighlight>


Security

See Firewall VPN


You must enable global FORWARDING in /etc/sysctl.conf:

<syntaxhighlight lang="bash">
vim /etc/sysctl.conf
</syntaxhighlight>

<syntaxhighlight lang="apache">
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
</syntaxhighlight>


DNS

You can set some DNS entries.

  • Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
  • Add: 8.8.8.8, 8.8.4.4

[[File:VPN client linux DNS entries.png|none|Ubuntu additional DNS entries]]



Windows

On Windows, many clients are available. The best one, for me, is "OpenVPN.net Community": https://openvpn.net/index.php/open-source/downloads.html

  • Take the Installer (64-bit), Windows XP and later

Then copy your .ovpn configuration and certificates into the ~/openvpn/config/ folder.


To use the VPN:

  • Run the OpenVPN client as administrator ==> right click on the icon ==> run as administrator
  • Right click on the icon close to the system clock ==> connect


!! Hint !! You can create a one-click shortcut.

  • Edit the default shortcut
  • Set target = C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn

[[File:VPN win shortcut 01.png|none|VPN windows shortcut howto 01]]

In the target, the --connect option starts a specific profile automatically. :-)


  • In the Compatibility tab, set the run as administrator option.

[[File:VPN win shortcut 02.png|none|VPN windows shortcut howto 02]]



MacOSX

The best VPN client is "tunnelblick": http://code.google.com/p/tunnelblick

  • Configuration files are in ~/Library/openvpn
  • That is the Library ("bibliothèque") folder of the current user