SoHo - OpenVPN


1. Requirements

In our setup the OpenVPN server runs on RHEL 4 or CentOS 5, with clients on Ubuntu and Windows.
Both server and clients should run NTP, and their clocks must be synchronized before OpenVPN is started. If the clocks are out of sync, connection attempts fail with:

TLS Error: Unroutable control packet received from xx.xx.xx.xx:xxxx

2. RHEL

2.1. Setup

Obtain the OpenVPN RPM for RHEL4:

General info:

2.2. Create certificates

Set up a central certificate authority as explained here. This creates the CA certificate /etc/pki/ca/ca.crt.

Create VPN server certificate

mkdir /etc/pki/openvpn
cd /etc/pki/openvpn
/etc/pki/ca/auto-sign /etc/pki/openvpn vpn
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) []:secure.ourdom.com

This creates /etc/pki/openvpn/vpn.crt and /etc/pki/openvpn/vpn.key

Create a client certificate

/etc/pki/ca/auto-sign . client-f11
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) []:client-f11

In the same way create remaining client certificates: client-win, client-tk, client-uk, client-ut, client-pella.

Build the Diffie-Hellman parameters for the server side of the SSL/TLS connection:

openssl dhparam -out diffie-helman.pem 2048

Build the tls-auth key (a shared secret used to HMAC-sign control-channel packets):

openvpn --genkey --secret tls.key

2.3. Server configuration

Edit /etc/openvpn/server.conf:

local xx.xx.xx.xx
port 13578
proto udp
dev tun0
ca /etc/pki/ca/ca.crt
cert /etc/pki/openvpn/vpn.crt
key /etc/pki/openvpn/vpn.key
dh /etc/pki/openvpn/diffie-helman.pem
tls-auth /etc/pki/openvpn/tls.key 0
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /etc/openvpn/ipp.txt
status /var/log/openvpn-status.log
cipher DES-EDE3-CBC
server 10.20.0.0 255.255.0.0
push "dhcp-option DNS 172.16.162.57"
push "dhcp-option WINS 10.20.0.1"
push "route 172.16.112.0 255.255.255.0"
push "route 172.16.113.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
verb 4
mute 20
;duplicate-cn
;user nobody
;group nobody
;log-append  openvpn.log

We use a non-standard port (13578/udp) for OpenVPN to increase security; the firewall rules in soho/prerequisites should be set accordingly.

For additional security we use triple-DES (DES-EDE3-CBC) and a tls-auth key: the server (key direction 0) and the clients (key direction 1) sign every control-channel packet with the shared tls.key, so unsigned packets are dropped before any TLS handshake starts.

2.4. Static Clients

The clients win, tk and some more should have static IP addresses:

win   : 10.20.1.1
tk    : 10.20.2.1
ttk   : 10.20.3.1
el    : 10.20.4.1
pella : 10.20.5.1

Create the files (each ccd file must be named exactly after the Common Name of the client's certificate):

  • /etc/openvpn/ccd/winsrv:
        ifconfig-push 10.20.1.1 10.20.1.2
        push "redirect-gateway"
  • /etc/openvpn/ccd/tk:
        ifconfig-push 10.20.2.1 10.20.2.2
        push "redirect-gateway"
  • /etc/openvpn/ccd/ttk:
        ifconfig-push 10.20.3.1 10.20.3.2
        push "route 172.16.112.0 255.255.255.0"
        push "route 172.16.113.0 255.255.255.0"
        push "redirect-gateway"
  • /etc/openvpn/ccd/el:
        ifconfig-push 10.20.4.1 10.20.4.2
        push "route 172.16.112.0 255.255.255.0"
        push "route 172.16.113.0 255.255.255.0"
  • /etc/openvpn/ccd/pella:
        ifconfig-push 10.20.5.1 10.20.5.2
        push "route 172.16.112.0 255.255.255.0"
        push "route 172.16.113.0 255.255.255.0"

Clients of type uk and ut use static routing and may share one certificate. Create /etc/openvpn/ccd/uk and /etc/openvpn/ccd/ut:

push "redirect-gateway"

Note that duplicate-cn is a global option, not a per-client one: OpenVPN rejects it inside a ccd file (only push, push-reset, iroute, ifconfig-push and config are allowed there), so for the shared certificate enable it by uncommenting the ;duplicate-cn line in server.conf instead.

2.5. Forwarding

Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1
# for VPN forwarding
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.vmnet1.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1

Apply the rules

sysctl -p /etc/sysctl.conf

2.6. Firewall

The VPN network should behave like a one-way valve: hosts inside the VPN may reach the outside world through the server, but packets arriving from the outer world on eth0 must not be forwarded into the VPN. Forwarded traffic traverses the FORWARD chain (not INPUT, which also does not accept -o), so we add the following iptables rule, placed after the usual -m state --state RELATED,ESTABLISHED -j ACCEPT rule so that replies to connections initiated from inside the VPN still come back:

-A FORWARD -i eth0 -o tun0 -j REJECT --reject-with icmp-host-prohibited

2.7. Fix permissions and run server

chown -R root:root /etc/pki/openvpn /etc/openvpn
chmod 600 /etc/pki/openvpn/*.crt /etc/pki/openvpn/*.key /etc/openvpn/*.conf
chkconfig openvpn on
service openvpn restart

3. VPN Client on Ubuntu

Install OpenVPN

apt-get install openvpn

Copy keys from server to client

ssh root@server
cd /etc/pki/openvpn
scp ../ca/ca.crt tls.key XXX.crt XXX.key XXX:/etc/openvpn


Create /etc/openvpn/client.conf on the client. The same file is used on all clients except Windows:

client
dev tun0
remote xx.xx.xx.xx 13578
proto udp
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
cipher DES-EDE3-CBC
tls-auth tls.key 1
;ns-cert-type server
persist-key
persist-tun
comp-lzo
verb 3
mute 20

Set secure file permissions

ssh root@XXX
cd /etc/openvpn
mv XXX.crt client.crt
mv XXX.key client.key
chown -R root.root .
chmod 600 *.conf *.crt *.key

Run openvpn on client

chkconfig openvpn on
/etc/init.d/openvpn restart

4. Windows

First, install Windows. :)

4.1. Windows setup

Obtain the installer for version 2.1 from openvpn.net (2.1.rc7 for win64 or 2.0.9 for win32).

Install the software. If the installation aborts with the message "The software you are installing has not passed Windows Logo testing", right-click "My Computer" and go to "My Computer >> Properties >> Hardware >> Drivers >> Driver Signing". Change "Block" to "Warn - Prompt me each time to choose an action".
Copy the Windows-specific files from the VPN server (/etc/pki/ca/ca.crt, /etc/pki/openvpn/tls.key, /etc/pki/openvpn/client.conf, /etc/pki/openvpn/client-win.crt and /etc/pki/openvpn/client-win.key) to Windows, into C:\Program Files (x86)\OpenVPN\config. On Windows the configuration file must carry the .ovpn extension, so rename client.conf to client.ovpn and edit it.

OpenVPN for Windows does not accept a tunnel address whose last octet is 0 (e.g. 10.20.1.0). We have taken care of this already by configuring the ccd files on the server with .1/.2 address pairs.
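The following added example (not part of the original page) checks the ccd files from section 2.4 against the rule just stated and against the server subnet: each ifconfig-push pair must sit in one /30 at its .1/.2 positions, lie inside 10.20.0.0/16 and not reuse a static address. The file-contents dictionary and the "badclient" entry are constructed for the demonstration.

```python
import ipaddress
import shlex

# Server subnet from server.conf ("server 10.20.0.0 255.255.0.0").
SERVER_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample: the ccd files from this page plus one hypothetical
# broken entry ("badclient") showing what the checks catch.
CCD_FILES = {
    "winsrv": 'ifconfig-push 10.20.1.1 10.20.1.2\npush "redirect-gateway"\n',
    "tk": 'ifconfig-push 10.20.2.1 10.20.2.2\npush "redirect-gateway"\n',
    "ttk": 'ifconfig-push 10.20.3.1 10.20.3.2\npush "route 172.16.112.0 255.255.255.0"\n',
    "el": 'ifconfig-push 10.20.4.1 10.20.4.2\n',
    "pella": 'ifconfig-push 10.20.5.1 10.20.5.2\n',
    "badclient": 'ifconfig-push 10.20.6.0 10.20.6.1\n',  # hypothetical
}

def check_pair(local, remote):
    """Return problems with one ifconfig-push pair (empty list if OK).
    net30 topology: both endpoints in one /30 at its .1/.2 positions; the
    .0 (network) and .3 (broadcast) slots are what the Windows TAP refuses."""
    problems = []
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    for a in (l, r):
        if a not in SERVER_NET:
            problems.append(f"{a} outside server subnet {SERVER_NET}")
        if int(a) % 4 in (0, 3):
            problems.append(f"{a} is a /30 network or broadcast address")
    if l == r:
        problems.append("local and remote endpoints are identical")
    if int(l) // 4 != int(r) // 4:
        problems.append(f"{l} and {r} are not in the same /30")
    return problems

def check_ccd(files):
    """Validate every ccd file; return {name: [problem, ...]} for bad ones."""
    report, assigned = {}, {}
    for name, text in files.items():
        for line in text.splitlines():
            words = shlex.split(line)          # handles the quoted push lines
            if len(words) != 3 or words[0] != "ifconfig-push":
                continue
            probs = check_pair(words[1], words[2])
            if words[1] in assigned:           # same static address used twice
                probs.append(f"{words[1]} already assigned to {assigned[words[1]]}")
            assigned.setdefault(words[1], name)
            if probs:
                report[name] = probs
    return report
```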

Go to "Start >> Administration >> Services". Right-click "OpenVPN Service", choose Properties and set it to "Start automatically".

Optionally go to "Control Panel >> Network Interfaces", rename new "Connection 2 (TAP)" (or whatever) connection to "VPN" and in its properties check "Show icon in notification area".

4.2. Routing problem

Windows Server 2003 i386 manifested the following problem for me: the VPN's TUN interface did not accept the VPN address and chose a local-site address instead. This was fixed by the following additional lines in the client config file:

ip-win32 dynamic
;route-method exe
;show-net-up

However, OpenVPN on Windows sometimes temporarily lost the connection and set an incorrect interface mask when the connection was restored. Similar problems are reported in the IXBT OpenVPN FAQ:

A route is not added to the routing table, probably when the RRAS service is turned on (this happens most frequently on server OSes like Windows Server 2003, but I came across this on XP too). Error:

NOTE: FlushIpNetTable failed on interface [2] {427E6BDF-...}
      (status=1413) : Invalid index.

Probably this is a Windows bug, because the Windows API call is supposed to add the route to the table. And when you add show-net-up to the OpenVPN config file, OpenVPN at startup will query the whole Windows routing table and log it, and our route will be in it. But issuing "route print" does not find the route...

Solution: "route-method exe" in the config file; this tells OpenVPN that the route should be added not via the API but via route.exe. Besides, you probably need a small delay before adding the route via route.exe (it happened that without a delay route.exe did not see the just-added interface and did not add the route). Do this using route-delay 10 (I don't care about a 10 second delay on a server; on a client you can lower the value after experimenting).

So I tried to adjust client.ovpn using the following options:

ip-win32 dynamic
route-method exe
route-delay 5
tap-sleep 5

This seems to have helped.

Also check the registry parameter:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 1

This problem has manifested itself many times, e.g. discussed here1 (route method), here2 (route delay), here3 (IP enable router), here4 (ifconfig, reply).

4.3. SSH

Install cygwin on Windows.

5. Troubleshooting

Obtaining VPN message log on server:

grep openvpn /var/log/messages

Obtaining VPN client status on server

cat /var/log/openvpn-status.log
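An added example (not from the original page) that audits the status log from the command above: it parses the CLIENT LIST section, reports Common Names that were never issued in section 2.2, and reports certificates in use from more than one real address other than the intentionally shared uk/ut ones. The sample log, its addresses and the "rogue-cn" entry are constructed.

```python
from collections import defaultdict

# Common Names of the certificates issued in section 2.2.
EXPECTED_CN = {"client-f11", "client-win", "client-tk", "client-uk",
               "client-ut", "client-pella"}
# uk/ut clients legitimately share one certificate (duplicate-cn).
ALLOWED_SHARED = {"client-uk", "client-ut"}

# Constructed sample of /var/log/openvpn-status.log (status-version 1 layout).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client-f11,198.51.100.7:41233,12345,67890,Thu Jun 18 07:55:02 2009
client-f11,198.51.100.88:41900,512,1024,Thu Jun 18 08:03:27 2009
client-uk,203.0.113.5:1194,4321,8765,Thu Jun 18 07:58:40 2009
client-uk,203.0.113.9:51002,100,200,Thu Jun 18 08:01:11 2009
rogue-cn,192.0.2.77:60001,10,20,Thu Jun 18 08:10:00 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.20.0.6,client-f11,198.51.100.7:41233,Thu Jun 18 08:12:10 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_clients(text):
    """Return the CLIENT LIST rows as dicts keyed by the header columns."""
    lines = text.splitlines()
    start = lines.index("OpenVPN CLIENT LIST") + 2   # skip title and Updated
    header = lines[start].split(",")
    rows = []
    for line in lines[start + 1:]:
        if line == "ROUTING TABLE":                   # end of the client list
            break
        rows.append(dict(zip(header, line.split(","))))
    return rows

def audit(text, expected=EXPECTED_CN, allowed_shared=ALLOWED_SHARED):
    """Flag unknown CNs and CNs connected from several addresses at once."""
    by_cn = defaultdict(set)
    for row in parse_clients(text):
        by_cn[row["Common Name"]].add(row["Real Address"])
    unknown = sorted(cn for cn in by_cn if cn not in expected)
    shared = sorted(cn for cn, addrs in by_cn.items()
                    if len(addrs) > 1 and cn not in allowed_shared)
    return {"unknown": unknown, "shared": shared}
```

Without duplicate-cn a second connection with the same Common Name replaces the first, so a non-uk/ut name in "shared" means either the option was enabled globally or a private key is being used from two places.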

See routing table on Windows

route print
netstat -rn

See VPN message log on Windows

cd "/cygdrive/c/Program Files (x86)/OpenVPN"
cat log/client.log

See VPN service status on Windows

sc query | grep -i vpn
sc query OpenVPNService

Restart VPN service on windows

sc stop openvpnservice
sc start openvpnservice

or

net stop openvpnservice
net start openvpnservice

6. How to improve VPN performance

6.2. OpenVPN tuning

Because OpenVPN is implemented by the openvpn.exe user-space process, which runs at Normal priority by default, connection speed drops dramatically when CPU-intensive programs (e.g. compiling a big project) are running, since both compete for the CPU. Solve this by assigning High priority to openvpn.exe after it has started.
