OpenVPN

possibledisastrousSecurity

Dec 9, 2013 (3 years and 6 months ago)


OpenVPN
From Front Internal Wiki
Please note that this page is a work in progress; we will continue to update it as
new or better ways of doing things are found, to make the process as easy as
possible.
Contents
1 Client Setup
1.1 A note about DNS and VPN.
1.2 Firewalls
1.3 Linux Users
1.4 Windows Users
1.5 Mac OSX Users
2 Routing
2.1 NAT
Client Setup
All users will be provided with a tar file containing their user certificates. Should you
ever suspect that these certificates (or the private key) may have been compromised, let us
know and we will revoke and re-create your certificates straight away.
The tar file will contain the following:
An example configuration file: front-client.config
A client certificate: <username>.crt
A certificate authority certificate: ca.crt
The private key matching your client certificate: <username>.key (this is the secret that
authenticates you to the gateway; keep it readable only by your own account and never mail
or share it)
Any other files in the tar can be ignored and are included for completeness.
A note about DNS and VPN.
Front does not currently push DNS down to clients, so clients need to connect
to specific IP addresses or add the DNS servers themselves. Our two primary
OpenVPN - Front Internal Wiki
http://wiki/index.php?title=OpenVPN&printable=yes
1 of 6
16/07/10 11:13
DNS servers are:
192.168.1.2
192.168.1.3
An alternative is to add specific systems to your local hosts file using their
front network IP addresses, for ease of use.
Useful IPs to know:
Ron: 192.168.1.68
Arrakis: 192.168.1.90
When you connect to front's VPN a new virtual interface will be created on your
machine with an IP in the range 192.168.2.0/24. From this range you will be able to
ping internal front IP addresses on the 192.168.1.0/24 subnet.
Firewalls
OpenVPN for front operates over UDP on port 11194. You need to ensure that both
your remote machine's firewall and the remote network allow outbound traffic to this port.
For most users this will not be an issue; however, if you fail to connect to the front
gateway IP (93.97.246.119) check your firewall settings first. Because the transport is UDP
there is no connection handshake to observe, so a blocked port does not show up as
"connection refused" but as the client log repeating "TLS key negotiation failed to occur
within 60 seconds" until it gives up.
Linux Users
Install openvpn via your package manager. Alternatively, network-manager-openvpn
is available for some distros.
Create a client config file:
/etc/openvpn/client.vpn
client
dev tun
proto udp
# front gateway address and the non-standard UDP port (see Firewalls above)
remote 93.97.246.119 11194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
# CA that issued the front server certificate; used to verify the server
ca /etc/openvpn/clients/front/ca.crt
# Adjust these to match your name, i.e. <name>.crt and <name>.key
cert /etc/openvpn/clients/front/<username>.crt
# Private key: keep this file owned by you with mode 0600
key /etc/openvpn/clients/front/<username>.key
comp-lzo
verb 3
Launch the client with:
openvpn --config /etc/openvpn/client.vpn
If you want to background the process then add --daemon on the command line or add
daemon to the config file (the option is daemon, not daemonize; OpenVPN rejects
unrecognised options).
As written, the client only checks that the server's certificate chains to ca.crt. Any
certificate issued by the same CA, including another user's client certificate, would
pass that check, so if the front server certificate was issued as a server certificate
add remote-cert-tls server to the config; without it a compromised client key could be
used to impersonate the gateway to other users.
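The client-side steps above (unpack the tarball, place the files, lock down the key, write the config, launch) as one script. This is an added example and not code from the Front wiki; it assumes the tarball layout the page describes (ca.crt, <username>.crt, <username>.key), that the front server certificate was issued as a server certificate (easy-rsa's build-key-server sets the TLS server extended key usage, which remote-cert-tls server checks), and the install path /etc/openvpn/clients/front from the page. The function names are mine.

```shell
#!/bin/sh
# Added example, not code from the Front wiki: install the files from the
# credential tarball and write the Linux client config. Assumes the tarball
# layout described on the page (ca.crt, <username>.crt, <username>.key) and
# that the front server certificate was issued as a server certificate
# (easy-rsa build-key-server sets the TLS server extended key usage); if it
# was not, the connection fails with a certificate error and the
# remote-cert-tls line must be removed.
set -eu

# install_credentials SRC_DIR DEST_DIR USERNAME
# Copies ca.crt, USER.crt and USER.key into DEST_DIR. The key is the secret
# that authenticates you, so it gets mode 0600; the certificates are public.
install_credentials() {
    src="$1"; dest="$2"; user="$3"
    for f in ca.crt "$user.crt" "$user.key"; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    cp "$src/ca.crt" "$src/$user.crt" "$src/$user.key" "$dest/"
    chmod 0644 "$dest/ca.crt" "$dest/$user.crt"
    chmod 0600 "$dest/$user.key"
}

# key_mode_ok PATH -> true only if the private key is not group/world readable
key_mode_ok() {
    case "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# write_client_config DEST_DIR USERNAME CONF_PATH
# The page's config plus remote-cert-tls server. Without that line the client
# accepts any certificate signed by ca.crt as the server, including another
# user's client certificate, so a compromised client could impersonate front.
write_client_config() {
    dest="$1"; user="$2"; conf="$3"
    cat > "$conf" <<EOF
client
dev tun
proto udp
remote 93.97.246.119 11194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
remote-cert-tls server
ca $dest/ca.crt
cert $dest/$user.crt
key $dest/$user.key
# comp-lzo must match the server; compression over a VPN leaks plaintext
# (VORACLE), so ask for it to be disabled on both ends when possible.
comp-lzo
verb 3
EOF
    chmod 0644 "$conf"
}

# Usage (as root): sh setup-front-client.sh /path/to/unpacked/tar alice
main() {
    dest=/etc/openvpn/clients/front
    install_credentials "$1" "$dest" "$2"
    write_client_config "$dest" "$2" /etc/openvpn/client.vpn
    key_mode_ok "$dest/$2.key" || { echo "private key is readable by others" >&2; exit 1; }
    echo "now run: openvpn --config /etc/openvpn/client.vpn"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

The script refuses to continue if any of the three files is missing and re-checks the key mode after copying, so a tarball unpacked with a permissive umask does not leave the key world-readable.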
Windows Users
Install the OpenVPN client GUI by downloading it from:
http://swupdate.openvpn.net/downloads/openvpn-client.msi
Copy the crt and key files into a directory of your choosing. For this example the
Documents folder is used:
C:\Users\front\Documents\<username>
Create an .ovpn (configuration) text file based on the configuration example provided
for Linux above. For this example the file is simply named <username>.ovpn.
NB: Textpad (http://www.textpad.com/) and notepad++ (http://notepad-
plus-plus.org/) are good textfile editors if you do not already use them.
client
dev tun
proto udp
remote 93.97.246.119 11194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
# NB Windows Paths must have "\" escaped with another "\"
ca "C:\\Users\\front\\Documents\\<username>\\ca.crt"
cert "C:\\Users\\front\\Documents\\<username>\\<username>.crt"
# The key lives in the same <username> folder as the certificates; keep that
# folder readable only by your own account
key "C:\\Users\\front\\Documents\\<username>\\<username>.key"
comp-lzo
verb 3
Launch the OpenVPN GUI, choose "connection profiles", then "import file", and
import the .ovpn file created above.
Mac OSX Users
There are instructions for using OSX with openVPN at the URL below:
http://beta.openvpn.net/index.php/access-server/howto-openvpn-as/183-
how-to-connect-to-access-server-from-a-mac.html
Most sites seem to suggest using Tunnelblick (http://code.google.com
/p/tunnelblick/) as the client. Feedback would be appreciated on how well (or
not) this works.
Routing
Not strictly OpenVPN, but a good place to keep this: if the VPN server is also a
gateway for devices on its network, you can route through to the subnets behind it
from the client with:
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw <server tunnel ip>
where the gateway is the remote end of the tunnel (the server's address on the tunnel,
shown as the P-t-P/peer address of tun0), not your own tunnel address; or by device:
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 dev tun0
Either form is a per-client workaround. It is much easier to have the OpenVPN server
push the route to every client from its own config, i.e.:
push "route 192.168.1.0 255.255.255.0"
In all cases the client only reaches 192.168.1.0/24 if the server forwards packets
(net.ipv4.ip_forward=1) and either the LAN hosts have a return route to 192.168.2.0/24
or the server NATs the tunnel traffic, as in the next section.
NAT
Example adapted from:
http://www.openvpn.net/index.php/open-source/documentation/howto.html
# Masquerade the VPN client pool (192.168.2.0/24 here) behind the server's own
# address on the interface the traffic leaves by (eth0 here), so the hosts on the
# far side need no route back to the tunnel. The source must be the tunnel subnet,
# not the 192.168.1.0/24 LAN; the howto uses its own 10.8.0.0/24 pool in this slot.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
The kernel must also be forwarding (net.ipv4.ip_forward=1), otherwise the packets are
dropped before the NAT rule is ever consulted.
To push a default gateway to the client so that all of its traffic goes through the VPN:
push "redirect-gateway def1"
The local flag from the howto's wireless example is deliberately left out: local tells
the client not to add a host route to the VPN server via its original gateway, which is
only correct when client and server share a physical subnet. For clients connecting
across the internet it would send the tunnel's own packets into the tunnel. Pushing a
default gateway also means the server must masquerade the tunnel subnet on its
internet-facing interface (the NAT rule above) for clients to reach anything beyond it.
Finally you can also push DNS changes:
push "dhcp-option DNS 192.168.1.2"
The Windows client applies a pushed DNS option itself. On Linux the openvpn binary
does not touch /etc/resolv.conf, so the option is ignored unless the client runs an
up/down script to apply it (for example the update-resolv-conf script shipped with the
Debian and Ubuntu packages) or connects via network-manager-openvpn.
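The server-side counterpart of the Routing and NAT sections (forwarding, the masquerade rule for the tunnel pool, and the push lines for the route, the default gateway and DNS) as one script. This is an added example and not code from the Front wiki or the OpenVPN howto. The subnets are the page's (tunnel 192.168.2.0/24, LAN 192.168.1.0/24, DNS 192.168.1.2); eth0 as the interface the forwarded traffic leaves by, and the function names, are assumptions of mine. It goes a little beyond the page by converting any prefix length to the dotted netmask that push "route" requires, so the same helper works for subnets other than /24.

```shell
#!/bin/sh
# Added example (not from the Front wiki or the OpenVPN howto): server-side
# routing/NAT setup. Enables forwarding, adds the MASQUERADE rule once
# (idempotently) for the *tunnel* subnet, and prints the push lines for the
# server config. Subnets are the page's; eth0 and the DNS address are assumed.
set -eu

VPN_NET=192.168.2.0/24   # address pool handed to VPN clients (page: 192.168.2.0/24)
LAN_NET=192.168.1.0/24   # front internal network reachable through the server
OUT_IF=eth0              # server interface the forwarded traffic leaves by (assumed)
DNS1=192.168.1.2         # first internal DNS server from the page

# nat_rule SRC_SUBNET OUT_IF -> prints the rule arguments (without -A/-C).
# The source must be the tunnel subnet: the server masquerades VPN clients as
# itself. Masquerading LAN_NET instead would not translate any client traffic.
nat_rule() {
    printf 'POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# add_nat_rule SRC_SUBNET OUT_IF -> appends the rule only if it is not present,
# so re-running the script does not stack duplicate rules.
add_nat_rule() {
    rule=$(nat_rule "$1" "$2")
    # word-splitting of $rule into separate arguments is intended
    if ! iptables -t nat -C $rule 2>/dev/null; then
        iptables -t nat -A $rule
    fi
}

# prefix_to_mask LEN -> dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) echo "prefix_to_mask: bad prefix $1" >&2; return 1 ;; esac
    [ "$1" -le 32 ] || { echo "prefix_to_mask: bad prefix $1" >&2; return 1; }
    p="$1"; mask=""
    for _ in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then oct=255; p=$((p - 8))
        else oct=$(( (255 << (8 - p)) & 255 )); p=0; fi
        mask="${mask}${mask:+.}$oct"
    done
    echo "$mask"
}

# push_lines MODE LAN_NET DNS -> server.conf lines to route clients into the LAN.
# MODE "lan" pushes only the internal route; MODE "all" sends every client
# packet through the tunnel. Clients arrive over the internet, so the
# redirect-gateway must NOT carry the "local" flag: "local" skips the host
# route to the VPN server via the old default gateway and is only for clients
# on the same physical subnet as the server.
push_lines() {
    mode="$1"; lan="$2"; dns="$3"
    net=${lan%/*}
    mask=$(prefix_to_mask "${lan#*/}")
    case "$mode" in
        lan) printf 'push "route %s %s"\n' "$net" "$mask" ;;
        all) printf 'push "redirect-gateway def1"\n' ;;
        *)   echo "push_lines: mode must be lan or all" >&2; return 1 ;;
    esac
    printf 'push "dhcp-option DNS %s"\n' "$dns"
}

# Usage (as root): sh front-vpn-server.sh lan   (or: all)
main() {
    # without forwarding the kernel drops the clients' packets before NAT
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    add_nat_rule "$VPN_NET" "$OUT_IF"
    echo "# add to the OpenVPN server config:"
    push_lines "$1" "$LAN_NET" "$DNS1"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

The iptables -C check is what makes the script safe to run from a boot hook repeatedly; without it each run appends another identical MASQUERADE rule.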
Retrieved from "http://wiki/OpenVPN"
Category: Network
This page was last modified on 16 July 2010, at 10:12.
Content is available under Attribution-NonCommercial-ShareAlike 2.5.