OpenVPN

From Indie IT Wiki

Introduction

OpenVPN is open source virtual private network software, capable of connecting computers securely across the internet.

Download

https://openvpn.net/community-downloads/

VPN Comparison

PPTP vs L2TP vs OpenVPN

PPTP vs L2TP vs OpenVPN vs Chameleon

Overview

laptop --> openvpn --> firewall --> server --> openvpn --> files

Modem Settings

OpenVPN requires a port to be opened on the DSL/broadband modem.

Default Port: 1195 UDP

OpenVPN 2.0 HOWTO

This has nice notes and examples.

http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

HOWTO: INSTALL:

AUTOMATED

sudo -i
curl -s -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
bash openvpn-install.sh

MANUAL

Ubuntu & Debian Linux

Where <version> can be one of:

  • stable: stable releases only - no alphas, betas or RCs
  • testing: latest releases, including alphas/betas/RCs
  • release/2.3: OpenVPN 2.3 releases
  • release/2.4: OpenVPN 2.4 releases, including alphas/betas/RCs

and <osrelease> depends on your distribution:

  • wheezy (Debian 7.x)
  • jessie (Debian 8.x)
  • precise (Ubuntu 12.04)
  • trusty (Ubuntu 14.04)
  • xenial (Ubuntu 16.04)
  • beaver (Ubuntu 18.04)
  • focal (Ubuntu 20.04)

sudo -i
sudo wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
sudo echo "deb http://build.openvpn.net/debian/openvpn/stable focal main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
sudo apt-get update && sudo apt-get -y install openvpn easy-rsa network-manager-openvpn network-manager-openvpn-gnome

https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

https://help.ubuntu.com/community/OpenVPN

Raspberry Pi

http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing

Gentoo Linux

Add the local portage file:

** UPDATE **

Version 2.1.3 is now in the Portage tree. Do not use the method below.

Skip to the section "Install the software" below.

The latest version available in the official Gentoo portage tree is 2.1.0; however, the latest community version of OpenVPN is 2.1.1.

Download the latest version custom ebuild and install it as follows:-

su - root
echo "PORTDIR_OVERLAY=\"/usr/local/portage\"" >> /etc/make.conf
mkdir -p /usr/local/portage/net-misc/openvpn
cd /usr/local/portage/net-misc/openvpn/
wget http://www.paully.co.uk/openvpn-2.1.1.ebuild

Download OpenVPN Community Version 2.1.1 custom Gentoo Linux ebuild by Paul Littlefield openvpn-2.1.1.ebuild 2010-05-12

Copy the important files directory:

cp -av /usr/portage/net-misc/openvpn/files /usr/local/portage/net-misc/openvpn/

Create the portage manifest file:

cd /usr/local/portage/net-misc/openvpn/
ebuild openvpn-2.1.1.ebuild digest

Update the EIX portage cache:

eix-update

Allow beta software:

echo "net-misc/openvpn ~amd64" >> /etc/portage/package.keywords

Install the software:

You will need to make sure that the minimal USE flag is not set, and that the examples and ssl USE flags are set.

echo "net-misc/openvpn -minimal examples ssl" >> /etc/portage/package.use

Then test the software.

emerge -pv openvpn

Then install the software.

emerge openvpn

SSL keys / certificates:

Change to the directory with the OpenVPN scripts to set up the keys.

cd /usr/share/openvpn/easy-rsa/

Or

cd /usr/share/easy-rsa/

Then, edit the basic parameters for the certificates. Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

nano vars

export KEY_COUNTRY="UK"
export KEY_PROVINCE="Kent"
export KEY_CITY="Canterbury"
export KEY_ORG="My Company"
export KEY_EMAIL="me@mycompany.com"

Next, initialize the PKI.

source ./vars
./clean-all
./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

Generating a 1024 bit RSA private key
...........................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Kent]:
Locality Name (eg, city) [Folkestone]:
Organization Name (eg, company) [Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Company Ltd CA]:server1.company.com
Name []:
Email Address [myname@company.com]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "server1.company.com".

Generate certificate & key for server

Next, we will generate a certificate and private key for the server.

./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". When asked for a challenge password, leave it blank and hit Enter. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key-pass client1

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server.

./build-dh

Server Configuration:

This is for a Gentoo Linux server with 2 network interface cards, acting as a gateway / firewall / file share...

ip addr show

 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host 
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether e0:cb:4e:3a:da:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::e2cb:4eff:fe3a:daa4/64 scope link 
 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:bf:10:05:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::250:bfff:fe10:56e/64 scope link 
 4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 
    link/sit 0.0.0.0 brd 0.0.0.0
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534] 
    inet 192.168.1.1 peer 192.168.1.2/32 scope global tun0
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534] 
    inet 192.168.2.1 peer 192.168.2.2/32 scope global tun1

Create a directory for your 'named' VPN, e.g. 'vpn'...

mkdir /etc/openvpn/vpn

Copy the keys and certificates from the previous steps into the new directory...

rsync -av /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/vpn/

Routing:

Method A:

We will try the simpler method of a 'routed ip tunnel'.

OK, create the first VPN server configuration file...

nano /etc/openvpn/openvpn.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
dh /etc/openvpn/vpn/dh1024.pem
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
log /var/log/openvpn.log

Now create the second VPN server configuration file...

nano /etc/openvpn/openvpn2.conf

port 1195
proto udp
dev tun
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
dh /etc/openvpn/vpn/dh1024.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
push "route 172.20.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
log /var/log/openvpn2.log

Next, create the Gentoo Linux system start-up files...

cd /etc/init.d/
ln -s openvpn openvpn.openvpn2
rc-update add openvpn default
rc-update add openvpn.openvpn2 default

Finally, start the 2 OpenVPN servers...

/etc/init.d/openvpn start
/etc/init.d/openvpn.openvpn2 start

Check that you have both of the new VPN interfaces...

ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2294 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:247206 (241.4 KiB)
ifconfig tun1
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:433830 (423.6 KiB)  TX bytes:607390 (593.1 KiB)

Your log file should look like this...

tail /var/log/openvpn.log
Fri May 21 14:02:51 2010 OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 14 2010
Fri May 21 14:02:51 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 21 14:02:51 2010 Diffie-Hellman initialized with 1024 bit key
Fri May 21 14:02:51 2010 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri May 21 14:02:51 2010 ROUTE default_gateway=10.0.0.2
Fri May 21 14:02:51 2010 TUN/TAP device tun1 opened
Fri May 21 14:02:51 2010 TUN/TAP TX queue length set to 100
Fri May 21 14:02:51 2010 /sbin/ifconfig tun1 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Fri May 21 14:02:51 2010 /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Fri May 21 14:02:51 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 21 14:02:51 2010 GID set to nogroup
Fri May 21 14:02:51 2010 UID set to nobody
Fri May 21 14:02:51 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Fri May 21 14:02:51 2010 UDPv4 link local (bound): [undef]:1195
Fri May 21 14:02:51 2010 UDPv4 link remote: [undef]
Fri May 21 14:02:51 2010 MULTI: multi_init called, r=256 v=256
Fri May 21 14:02:51 2010 IFCONFIG POOL: base=192.168.2.4 size=62
Fri May 21 14:02:51 2010 IFCONFIG POOL LIST
Fri May 21 14:02:51 2010 Initialization Sequence Completed

Method B: Bridged

to be done

Shoreline Firewall / Shorewall Configuration:

We would like to allow staff on the road (Roadwarriors :) access to the files on their server in the office. Our server acts as a gateway and firewall using 2 network interface cards (eth0 and eth1).

Internet <--> [123.456.789.0 Modem 10.0.0.2] <--> [10.0.0.1 Firewall | Server 192.168.0.1] <--> [Network]

http://www.shorewall.net/OPENVPN.html#RoadWarrior

IMPORTANT - If the roadwarrior uses a hotel WiFi, you have to allow for both ends of the tunnel to be in the same IP address range. This ROUTING config will take care of that :-)

[192.168.0.x roadwarrior] <-- VPN --> [server 192.168.0.x]

Edit the Shorewall config files, adding the lines shown in bold below:-

/etc/shorewall/zones
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,tcpflags
loc     eth1            detect          dhcp,tcpflags
vpn     tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tunnels
###############################################################################
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:1194      net     0.0.0.0/0
openvpnserver:1195      net     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
###############################################################################
#SOURCE         DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                                       LEVEL   BURST           MASK
loc             net     ACCEPT
loc             fw      ACCEPT
fw              net     ACCEPT
fw              loc     ACCEPT
vpn             loc     ACCEPT
loc             vpn     ACCEPT
vpn             fw      ACCEPT
fw              vpn     ACCEPT
net             all     DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all     REJECT          info
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/netmap
##############################################################################
#TYPE   NET1                    INTERFACE       NET2
SNAT    192.168.0.0/24          tun+            172.20.0.0/24
DNAT    172.20.0.0/24           tun+            192.168.0.0/24  
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Check your firewall configuration, and correct any errors.

shorewall check

Then restart.

/etc/init.d/shorewall restart


ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

Make sure CONFIG_IP_NF_TARGET_NETMAP is set.

Thanks to Gentoo Wiki.

Quick and Dirty Gentoo Linux Install

This will install OpenVPN just for 1 client with a simple secret file instead of keys.

http://briancarper.net/blog/243/

Client Configuration

This will install OpenVPN so that the client can use it anywhere - even if both networks at each end of the VPN tunnel share the same IP address range.

Microsoft Windows

https://openvpn.net/client-connect-vpn-for-windows/

https://www.sparklabs.com/viscosity/download/

NOTE: The following examples are for Windows 7 64-bit, the file paths for 32-bit systems are slightly different - C:\Program Files (x86)\.

As Administrator

Install the latest OpenVPN Community Edition Microsoft Windows software from here, then reboot.

Copy the example config file (C:\Program Files\OpenVPN\config-samples\client.ovpn) into the actual config folder (C:\Program Files\OpenVPN\config) as something like 'office.ovpn' or 'server.ovpn'.

Edit the new .ovpn file, adding the following lines:

# Site details
remote server1.myoffice.com 1195

# Windows tweaks
route-method exe
route-delay 2

# Prevent caching of password in Windows
auth-nocache

The 1195 is important, because you will be connecting to the second OpenVPN server which then passes the requests for data through the firewall by cool network mapping to the first openvpn server :-)

Copy the necessary client key files (ca.crt, client.crt, client.key) which have been generated from the server (as shown above) to the C:\Program Files\OpenVPN\config folder.

Follow this guide to have OpenVPN run as a privileged user; this saves following the steps in the As User section below.

As User

Right-click on the OpenVPN GUI shortcut icon, and choose Run as Administrator. Put in the Windows Administrator password and click OK.

Right-click on the little OpenVPN icon on the task bar near the clock, and choose Connect.

With any luck you will see the connect log whizz by and it will show Connected.

Then you can do a quick ping test...

ping 172.20.0.x    (the last number in the IP address of your server)

Then you can do a share test...

net view \\172.20.0.x

Then you can launch Windows Explorer and put the following in the address bar...

\\172.20.0.x\shared\   (or whatever your Samba share is called)

Thanks to Surfbouncer.

Linux

Install the package...

emerge openvpn

Create the directory for the VPN files...

mkdir -p /etc/openvpn/domain.co.uk

Copy the client and server files to that directory...

server1.ovpn
client1.key
client1.crt
ca.crt

Load the tun module...

modprobe tun

Start the client...

cd /etc/openvpn/domain.co.uk
openvpn server1.ovpn

Android

OpenVPN Connect

https://play.google.com/store/apps/details?id=net.openvpn.openvpn

OpenVPN Connect does not like X509 Certificates with the standard DSA encryption, so you have to change this to DES encryption before it will work and prompt you for the private key password...

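cd /etc/openvpn/vpn/
# Write out a copy of the key without a passphrase
openssl rsa -in client1.key -out client1_unencrypted.key
# Re-encrypt that copy with -des3 (prompts for the new passphrase)
openssl rsa -in client1_unencrypted.key -des3 -out client1_DES.key
# Remove the original and the unencrypted copy, then move the new key into place
rm client1.key
rm client1_unencrypted.key
mv client1_DES.key client1.key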

Then transfer the following 4 files to your MicroSD card / directory...

ca.crt
client1.crt
client1.key
server.ovpn

Start OpenVPN Connect > Menu > Import > Import Profile from SD card > Choose server.ovpn

Type in your Private Key password but do not tick Save.

You will now connect to the VPN and Android will show a notification near the clock.

You can now use an app like X-Plore File Manager to connect to the LAN Samba server or email app.

FAQS

https://forums.openvpn.net/topic14432.html

HELP

http://wiki.hidemyass.com/Tutorials:OpenVPN_Connect_on_Android

TROUBLESHOOTING

If you receive an error saying "cannot acquire tun interface", then you need to install the TUN module into your kernel.

TUN.ko Installer

https://play.google.com/store/apps/details?id=com.aed.tun.installer

Apple

NEW

https://www.sparklabs.com/viscosity/download/

https://tunnelblick.net/cUsingTunnelblick.html#the-first-time-tunnelblick-is-run-on-a-computer

OLD

https://forums.openvpn.net/post30830.html#p30830

OpenVPN Connect iTunes App

OpenVPN Setup on an iPad

HOWTO: FIX:

TAP Driver Problems

TAP install failing

Managing Windows TAP Drivers

Authenticate/Decrypt packet error: cipher final failed

You have to exactly match the ciphers used at both ends of the VPN tunnel because of new security rules.

Default...

cipher BF-CBC

New...

cipher AES-128-CBC

Thanks - http://matthewcasperson.blogspot.co.uk/2015/03/fixing-openvpn-authenticatedecrypt.html
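The mismatch described above can be checked before clients connect. This is an added example, not part of the original page: it reads the static cipher line from a server and a client config, treats a missing line as BF-CBC (the default named above), and counts the error in a log. The file names, client address and log lines are constructed, and cipher negotiation options are assumed not to be in use.

```sh
#!/bin/sh
# Added example (not from the original page): compare the static "cipher"
# directive on both ends of the tunnel and count the resulting log errors.
# Assumption: cipher negotiation is not in use, so a file without a "cipher"
# line falls back to BF-CBC, the default named in the text above.

# effective_cipher FILE -> upper-cased cipher name, or BF-CBC if none is set
effective_cipher() {
    awk '{ sub(/\r$/, "") }    # tolerate CRLF files edited on Windows
         $1 == "cipher" { c = toupper($2) }
         END { print (c == "" ? "BF-CBC" : c) }' "$1"
}

# compare_ciphers SERVER_CONF CLIENT_CONF -> verdict on stdout, status 1 on mismatch
compare_ciphers() {
    srv=$(effective_cipher "$1")
    cli=$(effective_cipher "$2")
    if [ "$srv" = "$cli" ]; then
        echo "match: $srv"
        return 0
    fi
    echo "MISMATCH: server=$srv client=$cli"
    return 1
}

# count_decrypt_errors LOG -> number of lines carrying the error from the heading
count_decrypt_errors() {
    grep -c 'Authenticate/Decrypt packet error: cipher final failed' "$1" || true
}

# write_samples DIR -> constructed sample files (hypothetical names and addresses)
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 1195
proto udp
dev tun
;cipher BF-CBC
cipher AES-128-CBC
EOF
    cat > "$1/old-client.ovpn" <<'EOF'
client
remote server1.myoffice.com 1195
# cipher AES-128-CBC   (commented out, so the default applies)
EOF
    cat > "$1/new-client.ovpn" <<'EOF'
client
remote server1.myoffice.com 1195
cipher aes-128-cbc
EOF
    cat > "$1/openvpn2.log" <<'EOF'
Fri May 21 14:05:10 2010 client1/203.0.113.7:51234 Authenticate/Decrypt packet error: cipher final failed
Fri May 21 14:05:20 2010 client1/203.0.113.7:51234 Authenticate/Decrypt packet error: cipher final failed
Fri May 21 14:05:21 2010 Initialization Sequence Completed
EOF
}

# Demo: run the script with the single argument "demo"
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && write_samples "$tmp"
    compare_ciphers "$tmp/server.conf" "$tmp/old-client.ovpn" || true
    compare_ciphers "$tmp/server.conf" "$tmp/new-client.ovpn"
    echo "decrypt errors logged: $(count_decrypt_errors "$tmp/openvpn2.log")"
    rm -rf "$tmp"
fi
```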

FIX 1

If you are not running an 'Administrator' profile, then you need to ensure that the User Account Control (UAC) is enabled.

Thanks to PersonalVPN.

FIX 2 (POSSIBLE)

If you are running OpenVPN under Home Editions of Vista in a 'Standard User' profile, its permissions need to be set to allow it to run.

Log on in an administrator profile

Open Windows Explorer and navigate to the Program Files folder, locate and right-click on the OpenVPN folder and select 'Properties' from the shell menu.

Select the 'Security' tab and click the 'Edit' button.

On the next window click the 'Add' button

On the next window click the 'Advanced' button

On the next window click the 'Find' button

Under the search results click once on the user you want to add and then click the 'OK' buttons through to the window which reads 'Permissions for OpenVPN'

In the top box click on the user just added and in the permissions box below select the check box next to 'Full Control' in the 'Allow' column

Other possibles

http://www.surfbouncer.com/Windows_7.htm

http://forums.openvpn.net/topic9972.html

2FA

https://duo.com/docs/openvpn

https://community.duo.com/t/2fa-openvpn-for-linux-error-auth-received-control-message-auth-failed/10196/

HOWTO: Change The Passphrase On An OpenVPN Key

OpenVPN keys are generated using openssl and can be edited using the openssl command.

To change the passphrase on the key use openssl to write out a new key and move it into place.

openssl rsa -des3 -in /etc/openvpn/vpn/client.key -out /etc/openvpn/vpn/client-new.key
mv /etc/openvpn/vpn/client-new.key /etc/openvpn/vpn/client.key

To remove the passphrase altogether, leave -des3 out of the openssl command.

openssl rsa -in /etc/openvpn/vpn/client.key -out /etc/openvpn/vpn/client-new.key
mv /etc/openvpn/vpn/client-new.key /etc/openvpn/vpn/client.key

Thanks - http://www.linuxsysadmintutorials.com/change-the-passphrase-on-an-openvpn-key/

http://bit.ly/1yIXtcb

HOWTO: Check the OpenVPN UDP Port Is Open

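Use netcat to check that the port is reachable. UDP is connectionless, so netcat reports success whenever no ICMP port-unreachable reply comes back; a firewall that silently drops packets looks the same as an open port.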

netcat -z -v -u vpn.mydomain.com 1194
Connection to vpn.mydomain.com 1194 port [udp/openvpn] succeeded!

Check it is alive...

sudo nmap -sP -Pn server.domain.co.uk

Scan the port...

sudo nmap -sU -Pn server.domain.co.uk -p 1194

Check Server Certificate Date

openssl x509 -noout -text -in ca.crt

Check Client Certificate

openssl verify -CAfile ca.crt client.crt

client.crt: OK
error 10 at 1 depth lookup:certificate has expired
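The two openssl checks above, wrapped so that several certificates can be checked in one pass and flagged before they expire. This is an added example, not part of the original page; the throwaway CA and client1 certificate that `make_demo_pki` creates are constructed, and the 30-day warning window is an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): flag OpenVPN certificates that
# are expired, close to expiry, or do not verify against the CA.

# cert_status CERT [DAYS] -> prints unreadable | expired | expiring | ok
cert_status() {
    cs_cert=$1
    cs_secs=$(( ${2:-30} * 86400 ))
    if ! openssl x509 -noout -in "$cs_cert" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -noout -checkend 0 -in "$cs_cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$cs_secs" -in "$cs_cert" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# chain_ok CA CERT -> status 0 when CERT verifies against CA (the check shown above)
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# audit_certs CA DAYS CERT... -> one report line per cert, status 1 if any needs action
audit_certs() {
    ac_ca=$1; ac_days=$2; shift 2
    ac_rc=0
    for ac_cert in "$@"; do
        ac_state=$(cert_status "$ac_cert" "$ac_days")
        ac_end=$(openssl x509 -noout -enddate -in "$ac_cert" 2>/dev/null | cut -d= -f2)
        chain_ok "$ac_ca" "$ac_cert" && ac_chain=verified || ac_chain=UNVERIFIED
        printf '%-10s %-10s %s (notAfter=%s)\n' "$ac_state" "$ac_chain" "$ac_cert" "$ac_end"
        [ "$ac_state" = ok ] && [ "$ac_chain" = verified ] || ac_rc=1
    done
    return "$ac_rc"
}

# make_demo_pki DIR -> constructed throwaway CA (365 days) and client1 cert (1 day)
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$1/client1.key" -out "$1/client1.csr" 2>/dev/null
    openssl x509 -req -in "$1/client1.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client1.crt" 2>/dev/null
}

# Demo: run the script with the single argument "demo"
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp"
    audit_certs "$tmp/ca.crt" 30 "$tmp/ca.crt" "$tmp/client1.crt" || echo "action needed"
    rm -rf "$tmp"
fi
```

An expired certificate also fails `openssl verify`, which is the "certificate has expired" error shown above, so it is reported as both expired and UNVERIFIED.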

Start OpenVPN Automatically

https://www.ovpn.com/en/blog/windows-run-openvpn-automatically-on-computer-startup

Help and Troubleshooting

OpenVPN Forum - Scripts and Customisations (iptables)

Advanced Usage

Pi-Hole + VPN