Difference between revisions of "VPN server configuration"
Line 58: | Line 58: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | Search for: TLS-RSA-WITH-AES- | + | Search for: TLS-RSA-WITH-AES-256-CBC-SHA256 |
Line 75: | Line 75: | ||
# version 1.2 - June 2013 - Guillaume Diaz # | # version 1.2 - June 2013 - Guillaume Diaz # | ||
# conf update + chroot # | # conf update + chroot # | ||
+ | # version 1.3 - April 2016 - Guillaume Diaz # | ||
+ | # security increase # | ||
################################################## | ################################################## | ||
Line 99: | Line 101: | ||
cert /etc/openvpn/server.crt | cert /etc/openvpn/server.crt | ||
key /etc/openvpn/server.key | key /etc/openvpn/server.key | ||
− | dh /etc/openvpn/ | + | dh /etc/openvpn/dh4096.pem |
# Shared secret key by both server and clients | # Shared secret key by both server and clients | ||
Line 105: | Line 107: | ||
# Crypto settings | # Crypto settings | ||
− | cipher AES- | + | cipher AES-256-CBC |
− | auth | + | auth SHA-256 |
# Reduce OpenVPN daemon rights after application start | # Reduce OpenVPN daemon rights after application start | ||
Line 219: | Line 221: | ||
# version 1.2 - June 2013 - Guillaume Diaz # | # version 1.2 - June 2013 - Guillaume Diaz # | ||
# conf update + chroot # | # conf update + chroot # | ||
+ | # version 1.3 - April 2016 - Guillaume Diaz # | ||
+ | # security increase # | ||
################################################## | ################################################## | ||
Line 249: | Line 253: | ||
cert /etc/openvpn/server.crt | cert /etc/openvpn/server.crt | ||
key /etc/openvpn/server.key | key /etc/openvpn/server.key | ||
− | dh /etc/openvpn/ | + | dh /etc/openvpn/dh4096.pem |
# Shared secret key by both server and clients | # Shared secret key by both server and clients | ||
Line 255: | Line 259: | ||
# Crypto settings | # Crypto settings | ||
− | cipher AES- | + | cipher AES-256-CBC |
− | auth | + | auth SHA-256 |
# Reduce OpenVPN daemon rights after application start | # Reduce OpenVPN daemon rights after application start |
Revision as of 17:12, 25 April 2016
Contents
Generic setup
Installation
apt-get install openvpn easy-rsa
Prepare files
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz
Security algorithms and hash
Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!
Cryptographic algorithms
openvpn --show-ciphers
Search for: AES-256-CBC
Hash algorithms
openvpn --show-digests
Search for: SHA-256
Handshake algorithms
openvpn --show-tls
Search for: TLS-RSA-WITH-AES-256-CBC-SHA256
IPv4 configuration
This is how you configuration should look like (more or less, depending on your settings):
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz #
# security increase #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh4096.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-256-CBC
auth SHA-256
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
####### DNS
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"
####### VPN as gateway to other networks
# Set the VPN server to act as a gateway for remote network
# You must set 1 'push route <network> <mask>' per target network(s)
# >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
;push "route 192.168.1.0 255.255.255.0"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
IPv6 + IPv4
This is a bit more advanced configuration. Notice the use of some *-ipv6
commands.
More details?
- Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/
- Nice guide: http://the-technoholik.blogspot.com/2014/03/secure-ipv6-gateway-tunnelbroker-using.html
OpenVPN configuration
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz #
# security increase #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6)
# Or you have to put 1 line per IP to listen to
#local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
# Enable IPv6 support
tun-ipv6
# Protocol and port
proto udp6
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh4096.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-256-CBC
auth SHA-256
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::1/64
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
push "route-ipv6 2001:41d0:8:9318::/64"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
# The following line is mandatory!!
# Set openvpn the default route for ipv6 connectivity
push "route-ipv6 2000::/3"
####### Set the client DNS (optional)
# Use alternate DNS server (OpenDNS + Google)
## OpenDNS
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
#push "dhcp-option DNS 2620:0:ccc::2"
#push "dhcp-option DNS 2620:0:ccd::2"
## Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option DNS 2001:4860:4860::8888"
#push "dhcp-option DNS 2001:4860:4860::8844"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
Sysctl
You must enable FORWARDING somewhere else:
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
See if it works
Start the service
service openvpn restart
Check that OpenVPN listen to port 8080
netstat -pl --numeric | grep 8080
You should have 1 entry per protocol
Check the OpenVPN logs
cat /var/log/openvpn.log
General notes
You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.
Be careful when you choose the port number! Common open ports:
- 80 (http)
- 443 (HTTPS)
- 8080 (Proxy / JEE servers)
[!] Reminder: for every network that you want to make it accessible through your VPN you must push a new route to it.