Difference between revisions of "VPN server configuration"

Line 58: Line 58:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Search for: TLS-RSA-WITH-AES-128-CBC-SHA256
+
Search for: TLS-RSA-WITH-AES-256-CBC-SHA256
  
  
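Review bot: the new search string TLS-RSA-WITH-AES-256-CBC-SHA256 only changes the symmetric cipher and keeps RSA key transport, which has no forward secrecy: anyone who later obtains server.key can decrypt recorded sessions. The configuration already ships Diffie-Hellman parameters, so point readers at TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 (or the GCM variants) instead.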
Line 75: Line 75:
 
# version 1.2 - June 2013 - Guillaume Diaz      #
 
# version 1.2 - June 2013 - Guillaume Diaz      #
 
#                          conf update + chroot #
 
#                          conf update + chroot #
 +
# version 1.3 - April 2016 - Guillaume Diaz      #
 +
#                          security increase    #
 
##################################################
 
##################################################
  
Line 99: Line 101:
 
cert /etc/openvpn/server.crt
 
cert /etc/openvpn/server.crt
 
key /etc/openvpn/server.key
 
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
+
dh /etc/openvpn/dh4096.pem
  
 
# Shared secret key by both server and clients
 
# Shared secret key by both server and clients
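Review bot: dh4096.pem is only consulted by DHE suites, so this change has no effect while the handshake section still recommends a TLS-RSA suite; either say so or recommend a DHE suite. The text should also mention that the file has to be produced with "openssl dhparam -out dh4096.pem 4096", which can take many minutes on a small server.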
Line 105: Line 107:
  
 
# Crypto settings
 
# Crypto settings
cipher AES-128-CBC
+
cipher AES-256-CBC
auth MD5
+
auth SHA-256
  
 
# Reduce OpenVPN daemon rights after application start
 
# Reduce OpenVPN daemon rights after application start
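Review bot: "auth SHA-256" should be "auth SHA256": OpenVPN hands the name to the crypto library, and OpenSSL 1.0/1.1 builds list and accept SHA256 but not SHA-256, so the daemon exits at start-up with a "not found" error on those systems. Both cipher and auth must also be changed in every client configuration, otherwise the existing AES-128/MD5 clients stop connecting.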
Line 219: Line 221:
 
# version 1.2 - June 2013 - Guillaume Diaz      #
 
# version 1.2 - June 2013 - Guillaume Diaz      #
 
#                          conf update + chroot #
 
#                          conf update + chroot #
 +
# version 1.3 - April 2016 - Guillaume Diaz      #
 +
#                          security increase    #
 
##################################################
 
##################################################
  
Line 249: Line 253:
 
cert /etc/openvpn/server.crt
 
cert /etc/openvpn/server.crt
 
key /etc/openvpn/server.key
 
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
+
dh /etc/openvpn/dh4096.pem
  
 
# Shared secret key by both server and clients
 
# Shared secret key by both server and clients
Line 255: Line 259:
  
 
# Crypto settings
 
# Crypto settings
cipher AES-128-CBC
+
cipher AES-256-CBC
auth MD5
+
auth SHA-256
  
 
# Reduce OpenVPN daemon rights after application start
 
# Reduce OpenVPN daemon rights after application start

Revision as of 17:12, 25 April 2016




Generic setup

Installation

apt-get install openvpn easy-rsa


Prepare files

You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz


Security algorithms and hash

The ciphers, digests and TLS suites available depend on the OpenVPN build and the crypto library it links against, so check what the host supports before writing them into the configuration: a name that does not appear in these lists makes the daemon refuse to start, and whatever you choose has to be spelled identically in every client configuration.


Cryptographic algorithms

openvpn --show-ciphers

Search for: AES-256-CBC


Hash algorithms

openvpn --show-digests

Search for: SHA256 (use the exact spelling the list shows; OpenSSL 1.0 and 1.1 builds list SHA256 and do not accept the SHA-256 spelling)


Handshake algorithms

openvpn --show-tls

Search for: TLS-RSA-WITH-AES-256-CBC-SHA256

Note that TLS-RSA-* suites use RSA key transport, which has no forward secrecy: a later compromise of server.key decrypts every recorded session. Since the configuration below ships Diffie-Hellman parameters, prefer a TLS-DHE-RSA-WITH-AES-256-* suite (or ECDHE on OpenVPN 2.4 and later) and pin it with the tls-cipher directive.
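As an added example (not part of the original page), the following POSIX shell snippet classifies the suites printed by openvpn --show-tls by their key exchange and builds a tls-cipher line that keeps only forward-secret DHE/ECDHE AES suites with a SHA-2 MAC or GCM AEAD, in OpenVPN's own preference order. The embedded --show-tls output is constructed for the demo; on a real server pipe the command's output in. The function names and the filtering rule are this example's choices. ECDHE suites need OpenVPN 2.4 or later on the server, and every client must support at least one of the listed suites.

```sh
#!/bin/sh
# Added example: pick forward-secret handshake suites from 'openvpn --show-tls' output.
# Not from the original page; the sample output below is constructed for the demo.

# Classify an OpenVPN (IANA-style) suite name by its key exchange.
kex_of() {  # kex_of <suite>
    case "$1" in
        TLS-ECDHE-*) echo "ECDHE: forward secrecy, needs OpenVPN 2.4 or later" ;;
        TLS-DHE-*)   echo "DHE: forward secrecy, uses the 'dh' parameters file" ;;
        TLS-RSA-*)   echo "RSA key transport: no forward secrecy" ;;
        *)           echo "unknown key exchange" ;;
    esac
}

# Read 'openvpn --show-tls' output on stdin, keep DHE/ECDHE AES suites with a SHA-2
# MAC or GCM AEAD, preserve OpenVPN's preference order, join them with ':'.
pick_pfs_suites() {
    grep -E '^TLS-(ECDHE|DHE)-RSA-WITH-AES-(128|256)-(GCM-SHA(256|384)|CBC-SHA(256|384))$' |
        paste -s -d : -
}

# Emit the directive; prints nothing when no acceptable suite exists, so a host
# whose build lacks them is noticed instead of silently getting an empty list.
tls_cipher_line() {
    suites=$(pick_pfs_suites)
    [ -n "$suites" ] && echo "tls-cipher $suites"
}

# Constructed sample of 'openvpn --show-tls' output (not captured from a real host).
SAMPLE_SHOW_TLS='Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-DES-CBC3-SHA'

# On a real server:  openvpn --show-tls | tls_cipher_line
printf '%s\n' "$SAMPLE_SHOW_TLS" | tls_cipher_line
kex_of TLS-RSA-WITH-AES-256-CBC-SHA256   # the suite this page tells you to look for
```

Paste the printed tls-cipher line into server.conf; DHE suites rely on the dh file configured below, and a client that supports none of the listed suites will fail the handshake, so roll the directive out after the clients are updated.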


IPv4 configuration

This is roughly what your configuration should look like (adjust addresses, port and paths to your setup):


##################################################
# OpenVPN 2.0 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz      #
#                           security increase    #
##################################################


# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2

# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080


# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh4096.pem

# HMAC key shared by the server and every client (tls-auth). It authenticates
# control-channel packets before the TLS handshake, so unauthenticated peers
# cannot even start one. Generate it with: openvpn --genkey --secret ta.key
# Commented out here; enabling it requires distributing ta.key to all clients.
;tls-auth /etc/openvpn/ta.key 0

# Crypto settings (must match the cipher/auth settings of every client)
cipher AES-256-CBC
# The digest name must appear verbatim in 'openvpn --show-digests'
# (SHA256, not SHA-256, on OpenSSL 1.0/1.1 builds)
auth SHA256

# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/



# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.  
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like) 
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
#  >> Compressing before encryption enables compression-oracle attacks on the
#     tunnelled traffic (VORACLE, 2018); drop it unless you need it. Clients must match.
comp-lzo



# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100

# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Clamp the TCP MSS of tunnelled connections so packets fit the tunnel MTU
# (avoids fragmentation problems, seen mostly with Windows clients)
mssfix
# Which external programs OpenVPN may run: 2 allows user-defined scripts
# (--up, --client-connect ...). Lower it to 1 if you use no such scripts.
script-security 2

####### Client-to-Client communication
# Push routes to the client
#  >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
#  >> Set the VPN server as global gateway
push "redirect-gateway def1"


####### DNS
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222" 
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"


####### VPN as gateway to other networks
# Set the VPN server to act as a gateway for remote network
# You must set 1 'push route <network> <mask>' per target network(s)
#  >> Remote LAN route. Required to reach internal hosts located in the VPN server's network
;push "route 192.168.1.0 255.255.255.0"



# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# Log in a dedicated file instead of /var/log/messages
log         /etc/openvpn/openvpn.log
log-append  /etc/openvpn/openvpn.log

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages.  
# At most xx sequential same messages will be output to the log file.
mute 10


IPv6 + IPv4

This configuration is a bit more advanced: note the *-ipv6 directives (tun-ipv6, server-ipv6, route-ipv6), which add an IPv6 address pool and IPv6 routes alongside the IPv4 ones.


OpenVPN configuration

##################################################
# OpenVPN 2.0 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz      #
#                           security increase    #
##################################################


# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
# >> Leave it out to listen on all interfaces and addresses (v4 + v6).
#    'local' binds a single address; OpenVPN 2.3/2.4 accept only one 'local' line.
#local 192.168.1.2


# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
# Enable IPv6 support
tun-ipv6
# Protocol and port
proto udp6
port 8080


# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh4096.pem

# HMAC key shared by the server and every client (tls-auth). It authenticates
# control-channel packets before the TLS handshake, so unauthenticated peers
# cannot even start one. Generate it with: openvpn --genkey --secret ta.key
# Commented out here; enabling it requires distributing ta.key to all clients.
;tls-auth /etc/openvpn/ta.key 0

# Crypto settings (must match the cipher/auth settings of every client)
cipher AES-256-CBC
# The digest name must appear verbatim in 'openvpn --show-digests'
# (SHA256, not SHA-256, on OpenSSL 1.0/1.1 builds)
auth SHA256

# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/



# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::1/64
# Maintain a record of client <-> virtual IP address associations in this file.  
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like) 
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
#  >> Compressing before encryption enables compression-oracle attacks on the
#     tunnelled traffic (VORACLE, 2018); drop it unless you need it. Clients must match.
comp-lzo



# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100

# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Clamp the TCP MSS of tunnelled connections so packets fit the tunnel MTU
# (avoids fragmentation problems, seen mostly with Windows clients)
mssfix
# Which external programs OpenVPN may run: 2 allows user-defined scripts
# (--up, --client-connect ...). Lower it to 1 if you use no such scripts.
script-security 2


####### Client-to-Client communication
# Push routes to the client
#  >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
push "route-ipv6 2001:41d0:8:9318::/64"

#  >> Set the VPN server as global gateway
push "redirect-gateway def1"
#  >> IPv6 counterpart of redirect-gateway: 2000::/3 is the whole global unicast
#     range, so this sends all client IPv6 traffic through the tunnel. It is required
#     because OpenVPN 2.3 does not push an IPv6 default route on its own.
push "route-ipv6 2000::/3"


####### Set the client DNS (optional)
# Use alternate DNS server (OpenDNS + Google)
## OpenDNS
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
#push "dhcp-option DNS 2620:0:ccc::2"
#push "dhcp-option DNS 2620:0:ccd::2"
## Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option DNS 2001:4860:4860::8888"
#push "dhcp-option DNS 2001:4860:4860::8844"


# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# Log in a dedicated file instead of /var/log/messages
log         /etc/openvpn/openvpn.log
log-append  /etc/openvpn/openvpn.log

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages.  
# At most xx sequential same messages will be output to the log file.
mute 10
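As an added example (not the page's own tooling), this shell script audits a server.conf for the settings the v1.3 revision of both configurations above tightens (cipher, auth, dh) and for the caveats raised in their comments (tls-auth left disabled, comp-lzo, a chroot that contains the private key). It only reads the configuration file; the sample configuration it writes to a temporary directory is constructed for the demo and mirrors the pre-v1.3 values. The function names, finding texts, the 2048-bit threshold and the accepted algorithm lists are this example's choices.

```sh
#!/bin/sh
# Added example: audit an OpenVPN server.conf for the hardening points of this page.
# Not part of the original page; paths and finding texts are this example's choices.

# Value of an active directive. Lines disabled with '#' or ';' do not match because
# their first field is ';tls-auth', not 'tls-auth'.
conf_get() {  # conf_get <file> <directive>
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# True when an active (uncommented) directive is present, even one without a value.
conf_has() {  # conf_has <file> <directive>
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

warn() { echo "$1"; findings=$((findings + 1)); }

# Print one finding per line; return 0 when nothing was flagged, 1 otherwise.
audit_openvpn_conf() {  # audit_openvpn_conf <server.conf>
    f="$1"; findings=0

    cipher=$(conf_get "$f" cipher)
    case "$cipher" in
        AES-128-CBC|AES-192-CBC|AES-256-CBC|AES-128-GCM|AES-192-GCM|AES-256-GCM) ;;
        "") warn "cipher: not set; OpenVPN 2.3 then uses BF-CBC, a 64-bit block cipher" ;;
        *)  warn "cipher: $cipher is not AES; use AES-256-CBC (AES-256-GCM from 2.4 on)" ;;
    esac

    auth=$(conf_get "$f" auth | tr '[:lower:]' '[:upper:]')
    case "$auth" in
        SHA256|SHA-256|SHA384|SHA-384|SHA512|SHA-512) ;;
        "") warn "auth: not set; the default HMAC digest is SHA1" ;;
        *)  warn "auth: $auth is a weak HMAC digest; use SHA256" ;;
    esac

    dh=$(conf_get "$f" dh)
    if [ -z "$dh" ]; then
        warn "dh: not set; DHE handshakes need Diffie-Hellman parameters"
    elif [ -r "$dh" ] && command -v openssl >/dev/null 2>&1; then
        # 'openssl dhparam -text' reports the size as e.g. 'DH Parameters: (2048 bit)'
        bits=$(openssl dhparam -in "$dh" -text -noout 2>/dev/null |
               sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge 2048 ] ||
            warn "dh: $dh is ${bits:-?} bit; regenerate with: openssl dhparam -out $dh 4096"
    else
        warn "dh: cannot read $dh; check it with: openssl dhparam -in $dh -text -noout"
    fi

    # ';tls-auth ...' as shipped on this page leaves the control channel without an HMAC.
    if ! conf_has "$f" tls-auth && ! conf_has "$f" tls-crypt; then
        warn "tls-auth: disabled; create ta.key (openvpn --genkey --secret ta.key) and enable it on server and clients"
    fi

    if conf_has "$f" comp-lzo; then
        warn "comp-lzo: compressing before encryption enables compression-oracle attacks (VORACLE, 2018); disable unless required"
    fi

    jail=$(conf_get "$f" chroot); key=$(conf_get "$f" key)
    if [ -n "$jail" ]; then
        case "$key" in
            "$jail"*) warn "chroot: jail $jail holds the private key $key; keep it root-owned mode 0600 (the daemon runs as '$(conf_get "$f" user)' after start-up) or chroot into an empty directory" ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}

# Demo on a constructed sample: the pre-v1.3 settings this page replaced.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<EOF
dev tun
proto udp
port 8080
ca $tmp/ca.crt
cert $tmp/server.crt
key $tmp/server.key
dh $tmp/dh2048.pem
;tls-auth $tmp/ta.key 0
cipher AES-128-CBC
auth MD5
user nobody
group nogroup
chroot $tmp/
server 192.168.15.0 255.255.255.0
comp-lzo
EOF
audit_openvpn_conf "$tmp/server.conf" || echo "audit: fix the findings above before deploying"
rm -rf "$tmp"
```

Source the file and run audit_openvpn_conf /etc/openvpn/server.conf on the server; the exit status is 1 whenever something was flagged, so the check can gate a deployment. The dh size check only runs when the parameters file is readable and openssl is installed.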



Sysctl

Packet forwarding must also be enabled in the kernel; this is independent of the OpenVPN configuration. Edit the file, then apply it with "sysctl -p" (or reboot). Forwarding alone only lets the server route: with "redirect-gateway def1" the clients' packets leave with a 192.168.15.x source address, so either the upstream network must route that subnet back to the server or the server must NAT it.

vim /etc/sysctl.conf


# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1



See if it works

Start the service

service openvpn restart


Check that OpenVPN listens on port 8080

netstat -pl --numeric | grep 8080

You should see one listening entry for the protocol you configured (udp, or udp6 for the dual-stack setup)


Check the OpenVPN log (the file set by the 'log' directive above) for the line "Initialization Sequence Completed"

cat /etc/openvpn/openvpn.log



General notes

You can use either TCP or UDP. Prefer UDP: tunnelling TCP sessions inside a TCP transport stacks two retransmission mechanisms and degrades badly on lossy links. TCP mode is mainly useful to get through firewalls or proxies that only pass TCP on well-known ports.

Be careful when you choose the port number. Ports that outbound firewalls commonly let through:

  • 80 (HTTP)
  • 443 (HTTPS)
  • 8080 (HTTP proxies / Java application servers)

Such allow-lists are almost always for TCP; a UDP server on 8080 gains nothing from 8080/tcp being open. The IANA-registered OpenVPN port is 1194.



[!] Reminder: for every network that you want to make reachable through your VPN, you must push a route to it.

Source: http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/