OpenVPN - Secure your server administration with a multiplatform VPN connection

OpenVPN is a full-featured SSL VPN which implements the OSI layer 2 or 3 secure network extension by using the industry standard SSL/TLS protocol. It supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

Server preparation

For this tutorial, we are going to use a Debian or Ubuntu server. You can use any server you already have in production.

 

OpenVPN Installation

Every major Linux distribution and UNIX system carries OpenVPN in its package repository. On Debian or Ubuntu the installation is as simple as running:

apt-get install openvpn

Firewall configuration

The default listening port for OpenVPN is 1194, and it is safe to keep it. OpenVPN uses the UDP protocol by default. There is a simple reason for this:

OpenVPN works at layers 2 and 3

  • Layer 2 is the Data Link layer, which provides error-free transfer of data frames over the physical layer; for this OpenVPN uses its own TUN/TAP network device.
  • Layer 3 is the Network layer, which provides routing.

This means that Layer 4 (the Transport layer, which ensures packet delivery) is handled by the operating system and the application itself. Simply put, all traffic control and delivery guarantees are already provided by the OS, so there is no need for OpenVPN to do the same work a second time. There is of course an option to run OpenVPN over TCP, which wastes more resources, but in some special environments it may be handy.

To sum it up, opening port 1194 for UDP is enough to allow the VPN connection. No further filtering is needed, as OpenVPN has its own verification and control implemented (see the tls-auth section below). Add the following rule (iptables syntax) to your firewall configuration:

-A INPUT -p udp -m udp --dport 1194 -j ACCEPT

 

Server configuration

After a successful installation of OpenVPN, you can find all OpenVPN config files in the folder /etc/openvpn. Let’s open the server.conf file in our editor and edit it.

nano /etc/openvpn/server.conf

Check and edit the following sections:

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# Configure server mode and supply a VPN subnet
server 10.9.8.0 255.255.255.0

# Push routes to the client
push "route 10.9.8.0 255.255.255.0"

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

# Select a cryptographic cipher.
cipher AES-128-CBC # AES

# Enable compression on the VPN link.
comp-lzo

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user vpn
group vpn

As we chose 10.9.8.0/24 as the internal subnet, your client will get an IP address from this subnet after connecting. By default, 10.9.8.1 is reserved for the server itself.

 

Generating certificates

First, we have to edit the vars file in the easy-rsa directory. Fill in the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. These values will be used every time you generate a new certificate.

To load the vars file into the current shell, run the following. The file must be sourced, not executed: running it as a program would set the variables in a subshell, where the build scripts cannot see them.

cd /etc/openvpn/easy-rsa
source ./vars

After loading them, we can create the certificate authority:

./clean-all

./build-ca

Once the CA has been generated, proceed with generating the server certificate:

./build-key-server server

And one more certificate for the client:

./build-key client

Finally, we have to generate the DH parameters:

./build-dh

 

More security

To further secure our OpenVPN server, we are going to use tls-auth. It adds an HMAC signature, computed with the shared ta.key, to every control-channel packet, and each side drops any packet whose signature does not verify before the TLS handshake even starts (the "HMAC firewall" mentioned in the server config above). This ensures we won’t send our certificates to compromised servers: a server that does not hold ta.key never gets far enough in the handshake to receive the client’s certificate. Generate the key with:

openvpn --genkey --secret ta.key

This ta.key file must now be included in every client's certificate bundle, with key direction 1 on the client side to match the 0 used on the server.
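To show what ta.key actually is and why the two sides use opposite directions, here is an added Python example; it is not from the article. It writes a key in the same text layout openvpn --genkey produces, splits it into send/receive HMAC keys per direction (the slot layout is my reading of OpenVPN's key structure and is marked as an assumption in the code), and models the "HMAC firewall": a packet whose HMAC-SHA1 tag does not verify is dropped before anything else is parsed. The packet model is deliberately simplified; the real control-channel layout differs.

```python
import hashlib
import hmac
import os
import re

KEY_BYTES = 256    # a "2048 bit OpenVPN static key"
HMAC_BYTES = 20    # OpenVPN's default --auth SHA1 gives a 20-byte tag


def generate_static_key(rand=os.urandom):
    """Text of a ta.key file in the layout openvpn --genkey writes:
    256 random bytes, hex encoded, 16 bytes (32 hex digits) per line."""
    raw = rand(KEY_BYTES)
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    return ("#\n# 2048 bit OpenVPN static key\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n"
            + "\n".join(lines) + "\n"
            "-----END OpenVPN Static key V1-----\n")


def parse_static_key(text):
    """Recover the 256 raw key bytes from ta.key text (comments are ignored)."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                  r"-----END OpenVPN Static key V1-----", text, re.S)
    if not m:
        raise ValueError("no OpenVPN static key block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def hmac_keys(raw, direction):
    """(send_key, receive_key) for a key direction.
    ASSUMPTION (my reading of OpenVPN's key2 structure, not stated on the
    page): four 64-byte slots [cipher0 | hmac0 | cipher1 | hmac1], of which
    tls-auth uses only the hmac slots. Direction 0 sends with hmac0 and
    receives with hmac1; direction 1 is the reverse. That is why the server
    gets 0 and every client gets 1: one side's send key is the other's
    receive key."""
    hmac0, hmac1 = raw[64:128], raw[192:256]
    if direction == 0:
        return hmac0, hmac1
    if direction == 1:
        return hmac1, hmac0
    raise ValueError("key direction must be 0 or 1")


def sign(send_key, packet):
    """Append an HMAC-SHA1 tag (simplified model of a tls-auth packet)."""
    return packet + hmac.new(send_key, packet, hashlib.sha1).digest()


def accept(receive_key, data):
    """The 'HMAC firewall': check the tag before anything else looks at the
    packet. Returns the packet body if the tag verifies, otherwise None,
    meaning the packet is dropped and the TLS handshake is never reached."""
    if len(data) < HMAC_BYTES:
        return None
    body, tag = data[:-HMAC_BYTES], data[-HMAC_BYTES:]
    expected = hmac.new(receive_key, body, hashlib.sha1).digest()
    return body if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    key = parse_static_key(generate_static_key())
    srv_send, srv_recv = hmac_keys(key, 0)   # tls-auth ta.key 0 on the server
    cli_send, cli_recv = hmac_keys(key, 1)   # tls-auth ta.key 1 on the client
    print(accept(srv_recv, sign(cli_send, b"client hello")))      # b'client hello'
    print(accept(srv_recv, sign(bytes(64), b"client hello")))     # None: no ta.key
    print(accept(srv_recv, sign(srv_send, b"client hello")))      # None: both sides 0
```

The last line of the demo is the classic misconfiguration: a client that copies the server's direction 0 signs with the key the server expects to send with, so its packets are dropped exactly like those of a stranger.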

 

Client configuration

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Windows adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <your-server-ip> 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20 

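The comments in this file repeat three rules that are easy to get wrong by hand: cipher, comp-lzo and proto must match the server, and the tls-auth key direction must be 0 on the server and 1 on the client. Here is an added Python example, not part of the original article, that parses both files the way OpenVPN reads them (';' and '#' comments, trailing '#' comments, inline <tag> blocks) and cross-checks them before a client ever tries to connect. The sample server and client texts inside it are constructed to mirror the configs above.

```python
import re
import shlex


def parse_openvpn_config(text):
    """Parse OpenVPN config text into a list of (directive, args).
    Lines starting with '#' or ';' are comments (';' is how the sample
    files keep disabled directives) and '#' also starts a trailing comment,
    as in 'key server.key # This file should be kept secret'. An inline
    <tag>...</tag> block is recorded as (tag, ["<inline>"])."""
    entries, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:                 # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline = m.group(1)
            entries.append((inline, ["<inline>"]))
            continue
        parts = shlex.split(line, comments=True)   # quotes and '# ...' handled
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lookup(entries, name):
    """Args of the last occurrence of a directive, or None if it is absent."""
    found = None
    for directive, args in entries:
        if directive == name:
            found = args
    return found


def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_openvpn_config(server_text), parse_openvpn_config(client_text)
    problems = []
    # proto must match; the server.conf above has no proto line, so it is udp
    sp, cp = (lookup(s, "proto") or ["udp"])[0], (lookup(c, "proto") or ["udp"])[0]
    if sp != cp:
        problems.append(f"proto mismatch: server {sp}, client {cp}")
    # cipher must be identical on both sides
    sc, cc = lookup(s, "cipher"), lookup(c, "cipher")
    if sc != cc:
        problems.append(f"cipher mismatch: server {sc}, client {cc}")
    # comp-lzo must be on for both or for neither
    if (lookup(s, "comp-lzo") is None) != (lookup(c, "comp-lzo") is None):
        problems.append("comp-lzo is enabled on only one side")
    # tls-auth: key on both sides, direction 0 on the server and 1 on the client
    st, ct = lookup(s, "tls-auth"), lookup(c, "tls-auth")
    if st is None:
        problems.append("server has no tls-auth")
    elif ct is None:
        problems.append("server uses tls-auth but the client has no key")
    else:   # inline <tls-auth> blocks carry the direction in key-direction
        sd = st[1] if len(st) > 1 else (lookup(s, "key-direction") or [None])[0]
        cd = ct[1] if len(ct) > 1 else (lookup(c, "key-direction") or [None])[0]
        if (sd, cd) != ("0", "1"):
            problems.append(f"tls-auth key direction must be 0/1, got {sd}/{cd}")
    # the server should drop privileges after start-up
    if lookup(s, "user") is None or lookup(s, "group") is None:
        problems.append("server does not drop privileges (user/group missing)")
    # the client needs these to connect at all
    for directive in ("client", "remote", "ca", "cert", "key"):
        if lookup(c, directive) is None:
            problems.append(f"client lacks '{directive}'")
    return problems


# constructed samples mirroring the server.conf and client.ovpn above
SERVER_CONF = """\
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.9.8.0 255.255.255.0
push "route 10.9.8.0 255.255.255.0"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
user vpn
group vpn
"""
CLIENT_CONF = """\
client
;dev tap
dev tun
proto udp
remote <your-server-ip> 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
"""
# constructed: three mistakes the comments in client.ovpn warn about
BAD_CLIENT_CONF = (CLIENT_CONF.replace("cipher AES-128-CBC", "cipher AES-256-CBC")
                   .replace("comp-lzo\n", "")
                   .replace("tls-auth ta.key 1", "tls-auth ta.key 0"))

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF))          # []
    for problem in check_pair(SERVER_CONF, BAD_CLIENT_CONF):
        print("-", problem)
```

Run it against real files with check_pair(open("/etc/openvpn/server.conf").read(), open("client.ovpn").read()); each returned string names one setting to fix, and an empty list means the two files agree on everything the article says must match.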
Save it as client.ovpn and put it in one folder together with ta.key, ca.crt, client.crt and client.key.

After installing the OpenVPN client on your computer and loading the client.ovpn configuration file, you should be able to connect to your VPN server. After that you get an IP address from the 10.9.8.0/24 range you configured and can communicate with your server privately.
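Instead of shipping five files, the certificates can be embedded in client.ovpn itself, as the first comment below also points out. The following added Python example (mine, not from the article) builds such a unified file from the client template and the four files the article names. The sample certificate texts inside it are constructed placeholders, and the script keeps only the PEM block of each file, discarding the human-readable dump easy-rsa writes above it in .crt files, which OpenVPN does not need.

```python
import os
import re
import tempfile

# the four files the article tells you to put next to client.ovpn
CLIENT_FILES = {"ca": "ca.crt", "cert": "client.crt",
                "key": "client.key", "tls-auth": "ta.key"}
PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)


def pem_block(text):
    """Return only the PEM block of a file. easy-rsa writes a textual dump
    above it in .crt files (see the <cert> block quoted in the comments);
    OpenVPN ignores that dump, so it need not be copied into the bundle."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(0).strip()


def bundle_client_config(template, files):
    """Turn a file-based client config into a single inline one.
    files maps directive name -> file text. Each 'ca/cert/key/tls-auth <path>'
    line is replaced by a <directive>...</directive> block; the tls-auth
    direction argument moves to a key-direction line, as OpenVPN expects."""
    out, direction = [], None
    for raw in template.splitlines():
        parts = raw.strip().split()
        if parts and parts[0] in files:
            if parts[0] == "tls-auth" and len(parts) > 2 and parts[2].isdigit():
                direction = parts[2]
            continue                        # drop the path reference
        out.append(raw)
    if direction is not None:
        out.append(f"key-direction {direction}")
    for name in ("ca", "cert", "key", "tls-auth"):
        if name in files:
            out.append(f"<{name}>\n{pem_block(files[name])}\n</{name}>")
    return "\n".join(out) + "\n"


def load_client_files(folder):
    """Read the four files from the folder the article has you assemble."""
    return {d: open(os.path.join(folder, f)).read()
            for d, f in CLIENT_FILES.items()}


# constructed placeholders standing in for real easy-rsa output
SAMPLE_FILES = {
    "ca": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "cert": ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
             "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n"
             "-----END CERTIFICATE-----\n"),
    "key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "tls-auth": ("#\n# 2048 bit OpenVPN static key\n#\n"
                 "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n"
                 "-----END OpenVPN Static key V1-----\n"),
}
TEMPLATE = """\
client
dev tun
proto udp
remote <your-server-ip> 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:   # stand-in for the real folder
        for directive, filename in CLIENT_FILES.items():
            with open(os.path.join(folder, filename), "w") as fh:
                fh.write(SAMPLE_FILES[directive])
        print(bundle_client_config(TEMPLATE, load_client_files(folder)))
```

Point load_client_files at the folder you assembled above and write the returned text to client.ovpn; the private key is then inside that one file, so it deserves the same file permissions the article asks for on server.key and ta.key.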

Comments

From: sjau at: 2016-07-14 15:55:58

You could include the certs directly in the configs. So you'd have to copy only one file.

 

key-direction 1


<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>


<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: xxx
        Validity
            Not Before: Jan  5 09:10:19 2015 GMT
            Not After : Dec 12 09:10:19 2114 GMT
        Subject: xxx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                xxx
            X509v3 Authority Key Identifier: 
                keyid:xxx
                DirName:xxx
                serial:xxx

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
         [...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>


<key>
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
</key>


<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[...]
-----END OpenVPN Static key V1-----
</tls-auth>

 

Also I use this little bash script that I created to quickly create a new client config file (.conf for linux and .ovpn for windows):

 

https://paste.simplylinux.ch/view/444d5562

 

Of course you need to adjust the server info and template stuff to your needs. But it will include the keys and certs directly.

From: Sachin at: 2016-07-16 06:17:38

The inline certs are a great thing! I also created a script that does the end-to-end work - also calling easy_rsa for the certificate creation. However, I kept the template file outside - your single file method is neater.

Any idea how to bundle the created file with an OpenVPN Windows installer? That is, is there a way I can build a service(?) that will allow people to download an OpenVPN installer which already bundles the configuration file? Service should run on Linux.

 

From: P.Habdak at: 2016-07-15 08:34:05

Very nice sjau :)