Difference between revisions of "VPN server configuration"
Line 154: | Line 154: | ||
# Fix for Microsoft Windows clients | # Fix for Microsoft Windows clients | ||
mssfix | mssfix | ||
− | # Server security level | + | # Server security level (mandatory since Ubuntu 15.04 due to OpenVPN DNS issue) |
script-security 2 | script-security 2 | ||
+ | |||
####### Client-to-Client communication | ####### Client-to-Client communication | ||
Line 162: | Line 163: | ||
push "route 192.168.15.0 255.255.255.0" | push "route 192.168.15.0 255.255.255.0" | ||
# >> Set the VPN server as global gateway | # >> Set the VPN server as global gateway | ||
− | push "redirect-gateway def1" | + | push "redirect-gateway def1 bypass-dhcp" |
####### DNS | ####### DNS | ||
− | # | + | ## VPN server acts as DNS server |
− | + | #push "dhcp-option WINS 192.168.1.21" | |
− | + | #push "dhcp-option DNS 192.168.1.21" | |
− | # Use alternate DNS server (OpenDNS | + | ## Use alternate DNS server (OpenDNS) |
push "dhcp-option DNS 208.67.222.222" | push "dhcp-option DNS 208.67.222.222" | ||
− | push "dhcp-option DNS | + | push "dhcp-option DNS 208.67.220.220" |
# >> Force windows clients to use the pushed DNS | # >> Force windows clients to use the pushed DNS | ||
push "register-dns" | push "register-dns" | ||
Line 177: | Line 178: | ||
####### VPN as gateway to other networks | ####### VPN as gateway to other networks | ||
− | # Set the VPN server to act as a gateway for remote network | + | ## Set the VPN server to act as a gateway for remote network |
− | # You must set 1 'push route <network> <mask>' per target network(s) | + | ## You must set 1 'push route <network> <mask>' per target network(s) |
− | # >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network | + | ## >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network |
− | + | #push "route 192.168.1.0 255.255.255.0" | |
Line 311: | Line 312: | ||
# Fix for Microsoft Windows clients | # Fix for Microsoft Windows clients | ||
mssfix | mssfix | ||
− | # Server security level | + | # Server security level (mandatory since Ubuntu 15.04 due to OpenVPN DNS issue) |
script-security 2 | script-security 2 | ||
Line 322: | Line 323: | ||
# >> Set the VPN server as global gateway | # >> Set the VPN server as global gateway | ||
− | push "redirect-gateway def1" | + | push "redirect-gateway def1 bypass-dhcp" |
# The following line is mandatory!! | # The following line is mandatory!! | ||
# Set openvpn the default route for ipv6 connectivity | # Set openvpn the default route for ipv6 connectivity | ||
Line 331: | Line 332: | ||
# Use alternate DNS server (OpenDNS + Google) | # Use alternate DNS server (OpenDNS + Google) | ||
## OpenDNS | ## OpenDNS | ||
− | + | push "dhcp-option DNS 208.67.222.222" | |
− | + | push "dhcp-option DNS 208.67.220.220" | |
− | + | push "dhcp-option DNS 2620:0:ccc::2" | |
− | + | push "dhcp-option DNS 2620:0:ccd::2" | |
## Google | ## Google | ||
#push "dhcp-option DNS 8.8.8.8" | #push "dhcp-option DNS 8.8.8.8" |
Revision as of 06:59, 26 April 2016
Contents
Generic setup
Installation
apt-get install openvpn easy-rsa
Prepare files
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz
# create temp folder, required for the CHROOT
mkdir -p /etc/openvpn/tmp
Security algorithms and hash
Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!
Cryptographic algorithms
openvpn --show-ciphers
Search for: AES-256-CBC
Hash algorithms
openvpn --show-digests
Search for: SHA256
Handshake algorithms
openvpn --show-tls
Search for: TLS-RSA-WITH-AES-256-CBC-SHA256
IPv4 configuration
This is how you configuration should look like (more or less, depending on your settings):
vim /etc/openvpn/server.conf
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz #
# security increase #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-256-CBC
auth SHA256
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level (mandatory since Ubuntu 15.04 due to OpenVPN DNS issue)
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1 bypass-dhcp"
####### DNS
## VPN server acts as DNS server
#push "dhcp-option WINS 192.168.1.21"
#push "dhcp-option DNS 192.168.1.21"
## Use alternate DNS server (OpenDNS)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# >> Force windows clients to use the pushed DNS
push "register-dns"
####### VPN as gateway to other networks
## Set the VPN server to act as a gateway for remote network
## You must set 1 'push route <network> <mask>' per target network(s)
## >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
#push "route 192.168.1.0 255.255.255.0"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
IPv6 + IPv4
This is a bit more advanced configuration. Notice the use of some *-ipv6
commands.
More details?
- Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/
- Nice guide: http://the-technoholik.blogspot.com/2014/03/secure-ipv6-gateway-tunnelbroker-using.html
OpenVPN configuration
vim /etc/openvpn/server.conf
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz #
# security increase #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6)
# Or you have to put 1 line per IP to listen to
#local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
# Enable IPv6 support
tun-ipv6
# Protocol and port
proto udp6
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-256-CBC
auth SHA256
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::1/64
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level (mandatory since Ubuntu 15.04 due to OpenVPN DNS issue)
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
push "route-ipv6 2001:41d0:8:9318::/64"
# >> Set the VPN server as global gateway
push "redirect-gateway def1 bypass-dhcp"
# The following line is mandatory!!
# Set openvpn the default route for ipv6 connectivity
push "route-ipv6 2000::/3"
####### Set the client DNS (optional)
# Use alternate DNS server (OpenDNS + Google)
## OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 2620:0:ccc::2"
push "dhcp-option DNS 2620:0:ccd::2"
## Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option DNS 2001:4860:4860::8888"
#push "dhcp-option DNS 2001:4860:4860::8844"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
Sysctl
You must enable FORWARDING somewhere else:
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
See if it works
Start the service
service openvpn restart
Check that OpenVPN listen to port 8080
netstat -pl --numeric | grep 8080
You should have 1 entry per protocol
Check the OpenVPN logs
cat /var/log/openvpn.log
General notes
You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.
Be careful when you choose the port number! Common open ports:
- 80 (http)
- 443 (HTTPS)
- 8080 (Proxy / JEE servers)
[!] Reminder: for every network that you want to make it accessible through your VPN you must push a new route to it.