HOW TO CREATE AN OPENVPN SERVER

OpenVPN

VDC Servers

  • vpn1.itim.vn (nas1v.itim.vn)
  • vpn2.itim.vn (nas2v.itim.vn)

Deb Packages

  • coccoc-openvpn-ldap-tools
  • openvpn
  • openvpn-auth-ldap
  • coccoc-libldap-conf
  • libpam-ldap | libpam-ldapd

Server configuration: Openvpn

/etc/openvpn/tcp.conf from nas1v.itim.vn:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
port 1194
proto tcp
dev tun
ca /etc/openvpn/easyrsa/keys/ca.crt
cert /etc/openvpn/easyrsa/keys/server.crt
key /etc/openvpn/easyrsa/keys/server.key  # This file should be kept secret
client-cert-not-required
dh /etc/openvpn/easyrsa/keys/dh1024.pem

server 10.130.4.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 123.30.175.10 255.255.255.255 net_gateway"

# Note: do not use tabs here, windows vpn client does not see it at all!
# here we are pushing routes and DNS for internal domain itim.vn
push "route 10.3.0.0 255.255.252.0"
push "route 10.10.0.0 255.255.254.0"
push "route 10.10.64.0 255.255.254.0"
push "route 10.101.0.0 255.255.252.0"
push "route 10.120.0.0 255.255.255.0"
push "route 172.16.16.0 255.255.255.0"
push "dhcp-option DNS 10.120.0.10"
push "dhcp-option DNS 10.120.0.20"
push "dhcp-option DOMAIN itim.vn"

tls-server
tls-auth /etc/openvpn/easyrsa/keys/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
keepalive 10 120
comp-lzo
persist-key
persist-tun
status  /var/log/openvpn/openvpn-status-tcp.log
log     /var/log/openvpn/openvpn-tcp.log
verb 3
mute 3
mssfix 1300

username-as-common-name
script-security 2
client-connect /etc/openvpn/ldap-group-access/conn_start.sh
client-disconnect /etc/openvpn/ldap-group-access/conn_stop.sh

# zabbix monitoring purposes
management 127.0.0.1 1150
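The tcp.conf above carries several settings a reviewer would flag (auth MD5, cipher BF-CBC, 1024-bit DH parameters, client-cert-not-required, no tls-version-min). The following audit script is an added example, not part of the original page or of the itim.vn setup: it parses an OpenVPN server config with the same option syntax and reports those findings, using a constructed excerpt of the config as sample input.

```python
import re

# Constructed excerpt of the tcp.conf shown on this page (not the full file).
SAMPLE_SERVER_CONF = """\
client-cert-not-required
dh /etc/openvpn/easyrsa/keys/dh1024.pem
tls-auth /etc/openvpn/easyrsa/keys/ta.key 0
auth MD5
cipher BF-CBC
"""

# Known-weak values for the options this page's config uses.
WEAK_AUTH = {"MD5", "SHA1", "NONE"}
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}

def parse_conf(text):
    """Map each option name to its list of argument lists; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def audit(text):
    """Return human-readable findings for a server config; an empty list means clean."""
    opts = parse_conf(text)
    findings = []
    auth = opts.get("auth", [["SHA1"]])[0][0].upper()        # OpenVPN default: SHA1
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: weak HMAC digest, use SHA256 or stronger")
    cipher = opts.get("cipher", [["BF-CBC"]])[0][0].upper()  # default in old releases
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, use AES-256-GCM")
    m = re.search(r"dh(\d+)", opts.get("dh", [[""]])[0][0])
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh {m.group(1)}-bit: regenerate parameters with >= 2048 bits")
    if "client-cert-not-required" in opts:
        findings.append("client-cert-not-required: password-only auth, no client certificate")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("no tls-auth/tls-crypt: control channel has no HMAC protection")
    if "tls-version-min" not in opts:
        findings.append("no tls-version-min: legacy TLS versions accepted")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_CONF):
        print("-", finding)
```

Run it against /etc/openvpn/tcp.conf and /etc/openvpn/udp.conf on the server; the same checks apply to both.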

Server configuration: LDAP

  • We use LDAP to check the user's credentials.
  • Only users who are members of the LDAP group Openvpn are allowed to connect to our OpenVPN.

/etc/openvpn/tcp.conf from nas1v.itim.vn:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

/etc/pam.d/openvpn for Linux PAM:

# cat /etc/pam.d/openvpn
# OpenVPN
account		required pam_ldap.so config=/etc/openvpn/pluginconf/pam_ldap.conf
auth		required pam_ldap.so config=/etc/openvpn/pluginconf/pam_ldap.conf
password	required pam_ldap.so config=/etc/openvpn/pluginconf/pam_ldap.conf
session		required pam_ldap.so config=/etc/openvpn/pluginconf/pam_ldap.conf

libpam-ldap config (/etc/openvpn/pluginconf/pam_ldap.conf) from nas{1,2}v:

base dc=itim,dc=vn
uri ldaps://ldap1.itim.vn ldaps://ldap2.itim.vn # Failover for ldaps servers
ldap_version 3
ssl on # Enabled SSL
bind_timelimit 1 # Timelimit for tcp connection to remote ldaps server
pam_groupdn cn=openvpn,ou=Group,dc=itim,dc=vn
pam_member_attribute memberUid

Client configuration

If you are a user, see the HOWTOs:

  • OpenVPN Windows Vista/7 client HOWTO
  • OpenVPN Linux client HOWTO
  • OpenVPN Mac client HOWTO

General client config file (new, login-pass based)

/etc/openvpn/client.conf (Linux) or itim-pwd.ovpn (Windows):

client
dev tun
proto tcp
# start of failover config
remote vpn1.itim.vn 1194
remote vpn2.itim.vn 1194
remote-random
# end of failover options
resolv-retry infinite
persist-key
persist-tun
ca ca-pwd.crt
tls-client
tls-auth ta-pwd.key 1
auth-user-pass
auth MD5
cipher BF-CBC
ns-cert-type server
comp-lzo
verb 5
#mtu-test
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Useful features

How to send all your traffic via OpenVPN

To send all of your traffic via the VPN, add the following line to your client config:

# make a vpn as a default route
redirect-gateway def1

Warning: if you have more than one VPN tunnel, this feature may cause routing bugs.

OpenVPN FT

Client

The OpenVPN client configuration can refer to multiple servers for load balancing and failover. For example:

remote server1.mydomain
remote server2.mydomain
remote server3.mydomain

will direct the OpenVPN client to attempt a connection with server1, server2, and server3 in that order. If an existing connection is broken, the OpenVPN client will retry the most recently connected server, and if that fails, will move on to the next server in the list. You can also direct the OpenVPN client to randomize its server list on startup, so that the client load will be probabilistically spread across the server pool.

remote-random

New user – ASK our admins to add the new user!!!

We don't use key management right now; kept as a note.

Key management

cd /etc/openvpn/easy-rsa/2.0
source ./vars
./pkitool <username>

Send the user the files keys/{ca.crt,<username>.{key,crt}}.

Revoke user key

cd /etc/openvpn/easy-rsa/2.0
source ./vars
./revoke-full <username>

Citation:

Note the “error 23” in the last line. That is what you want to see, as it indicates that a certificate verification of the revoked certificate failed.

Configuration files: [root@samba2o:~]# tree 1 /etc/openvpn/

/etc/openvpn/
├── easyrsa
│   ├── keys # keys and certificate files
│   │   ├── ca.crt # this file need for client configure
│   │   ├── ca.key
│   │   ├── dh1024.pem
│   │   ├── server.crt
│   │   ├── server.csr
│   │   ├── server.key
│   │   └── ta.key # this file need for client configure
├── ldap-group-access
│   ├── confs
│   │   ├── ldap-groups.conf # LDAP groups whose members may establish an OpenVPN connection
│   │   ├── ldap-search.conf #
│   │   └── ldap-servers.conf # list of LDAP servers
│   ├── conn_start.sh # Script to write a log entry and add a firewall rule allowing the new connection
│   ├── conn_stop.sh # Script to write a log entry and flush the firewall rule
│   ├── func.lib # library used by the scripts above
│   ├── ldap_test.sh # Tests which LDAP servers are alive
│   ├── services
│   │   ├── admins.services
│   │   ├── assessor.services
│   │   └── example.services.example
│   └── serv-test
├── pluginconf
│   └── pam_ldap.conf
├── tcp.conf # Main configuration file for tcp protocol connection method
├── udp.conf # Main configuration file for udp protocol connection method
└── update-resolv-conf # updates the client's DNS settings when the connection is established

Detail of main configuration files:

[root@samba2o:/etc/openvpn]# cat tcp.conf

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
port 1194
proto tcp
dev tun
ca /etc/openvpn/easyrsa/keys/ca.crt
cert /etc/openvpn/easyrsa/keys/server.crt
key /etc/openvpn/easyrsa/keys/server.key  # This file should be kept secret
client-cert-not-required
dh /etc/openvpn/easyrsa/keys/dh1024.pem

server 192.168.100.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp-tcp.txt
push "redirect-gateway def1"

push "dhcp-option DNS 192.168.100.1"
push "dhcp-option DOMAIN itim.vn"

# Note: do not use tabs here, windows vpn client does not see it at all!
push "route 10.0.0.0 255.128.0.0"
push "route 172.16.0.0 255.255.0.0"

#client-config-dir /etc/openvpn/ccd
#route 192.168.0.0 255.255.0.0
#client-to-client
tls-server
tls-auth /etc/openvpn/easyrsa/keys/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
keepalive 10 30
comp-lzo
persist-key
persist-tun
status	/var/log/openvpn/openvpn-status-tcp.log
log	/var/log/openvpn/openvpn-tcp.log
verb 3
mute 3
#mssfix 1300
#push "mssfix 1437"
tcp-nodelay

username-as-common-name
script-security 2
client-connect /etc/openvpn/ldap-group-access/conn_start.sh
client-disconnect /etc/openvpn/ldap-group-access/conn_stop.sh

# zabbix monitoring purposes
management 127.0.0.1 1150

[root@samba2o:/etc/openvpn]# cat /etc/openvpn/udp.conf

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
port 1194
proto udp
dev tun
ca /etc/openvpn/easyrsa/keys/ca.crt
cert /etc/openvpn/easyrsa/keys/server.crt
key /etc/openvpn/easyrsa/keys/server.key  # This file should be kept secret
client-cert-not-required
dh /etc/openvpn/easyrsa/keys/dh1024.pem

server 192.168.101.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp-udp.txt
push "redirect-gateway def1"

push "dhcp-option DNS 192.168.101.1"
push "dhcp-option DOMAIN itim.vn"

# Note: do not use tabs here, windows vpn client does not see it at all!
push "route 10.0.0.0 255.128.0.0"
push "route 172.16.0.0 255.255.0.0"


#client-config-dir /etc/openvpn/ccd
#route 192.168.0.0 255.255.0.0
#client-to-client
tls-server
tls-auth /etc/openvpn/easyrsa/keys/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
keepalive 10 30
comp-lzo
persist-key
persist-tun
status	/var/log/openvpn/openvpn-status-udp.log
log	/var/log/openvpn/openvpn-udp.log
verb 3
mute 3
mtu-test
mssfix 1300
#push "mssfix 1437"
tcp-nodelay

username-as-common-name
script-security 2
client-connect /etc/openvpn/ldap-group-access/conn_start.sh
client-disconnect /etc/openvpn/ldap-group-access/conn_stop.sh

# zabbix monitoring purposes
management 127.0.0.1 1151
