Using iRedMail And OpenVPN For Virtual Email Hosting And VPN Services (CentOS 5.4) - Page 2
6 Enable IP forward and config iptables
Edit the /etc/sysctl.conf file to modify the following line to ensure that your system is able to forward IPv4 traffic:
net.ipv4.ip_forward = 1
Issue the following command to configure iptables to properly forward traffic through the VPN:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit the /etc/sysconfig/iptables file and add the below. Open port 1194.
#openvpn -A INPUT -p udp -m multiport --dport 1194 -j ACCEPT
Issue the following commands to set this variable for the current session:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Before continuing, insert these iptables rules into your system's /etc/rc.local file to ensure that theses iptables rules will be recreated following your next reboot cycle:
#!/bin/sh # # [...] # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE touch /var/lock/subsys/local
7 Restart related services
We need to restart all related services to make the new configuration work:
/etc/init.d/ldap restart
/etc/init.d/openvpn restart
/etc/init.d/iptables restart
8 Client setting
cp /usr/share/doc/openvpn-2.1.1/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/keys
Edit the client.ovpn file to modify the following line:
# Add the vpn server
remote mail.example.com 1194
#Comment out the below two line
#cert client.crt
#key client.key
#Add thes line at the botton
auth-user-pass
|
Copy the client.ovpn and ca.crt file to your client system. Also you can use mutt to send the files to your mailbox. You can log in to your email account and download the files.
yum -y install mutt zip
cd /etc/openvpn/easy-rsa/2.0/keys
zip config.zip client.ovpn ca.crt
mutt -s "OpenVPN client config files" -a /etc/openvpn/easy-rsa/2.0/keys/config.zip [email protected] < /usr/share/doc/openvpn-2.1.1/README
Installing OpenVPN GUI On Windows XP / Vista
Download the client software here: http://www.openvpn.se/development.html. The tested version is OpenVPN 2.1_beta7 & OpenVPN GUI 1.0.3, it works on Vista. After the installation, put the client.ovpn and ca.crt file to C:\Program Files\OpenVPN\config.
Now you can use the account [email protected] to connect to the vpn.
9 Troubleshooting
Enable logging in ldap:
vi /etc/ldap/slapd.conf
loglevel 256 # <-- change from 0 to 256
|
Enable the Openvpn log:
Issue the following commands to create log files and set the right permissions:
touch /var/log/openvpn.log
touch /var/log/openvpn-status.log
chown nobody.nobody /var/log/openvpn.log
chown nobody.nobody /var/log/openvpn-status.log
Edit /etc/openvpn/server.conf:
user nobody group nobody status /var/log/openvpn-status.log log /var/log/openvpn.log |
Monitor the log:
tail -0f /var/log/openldap.log
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 fd=14 ACCEPT from IP=127.0.0.1:35456 (IP=0.0.0.0:389)
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 op=0 RESULT tag=97 err=0 text=
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 op=1 SRCH base="o=domains,dc=example,dc=com"
scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 fd=18 ACCEPT from IP=127.0.0.1:35457 (IP=0.0.0.0:389)
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=0 RESULT tag=97 err=0 text=
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=1 BIND anonymous mech=implicit ssf=0
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=1 BIND dn="[email protected],
ou=Users,domainName=example.com,o=domains,dc=example,dc=com" method=128
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=1 BIND dn="[email protected],
ou=Users,domainName=example.com,o=domains,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=1 RESULT tag=97 err=0 text=
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 op=2 UNBIND
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 op=2 UNBIND
Apr 4 22:45:17 centos54 slapd[6622]: conn=1 fd=18 closed
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 fd=18 ACCEPT from IP=127.0.0.1:35458 (IP=0.0.0.0:389)
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 4 22:45:17 centos54 slapd[6622]: conn=0 fd=14 closed
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 op=0 RESULT tag=97 err=0 text=
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 op=1 SRCH base="o=domains,dc=example,dc=com"
scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))"
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 op=2 UNBIND
Apr 4 22:45:17 centos54 slapd[6622]: conn=2 fd=18 closed
tail -0f /var/log/openvpn.log
Sun Apr 4 22:47:01 2010 MULTI: multi_create_instance called
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Re-using SSL/TLS context
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 LZO compression initialized
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Local Options hash (VER=V4): '530fdded'
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Expected Remote Options hash (VER=V4): '41690919'
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 TLS: Initial packet from 192.168.1.147:51240, sid=01b29dca a4554de8
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 PLUGIN_CALL:
POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 TLS: Username/Password authentication succeeded for username '[email protected]'
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 [] Peer Connection Initiated with 192.168.1.147:51240
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 PLUGIN_CALL:
POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 MULTI: Learn: 10.8.0.14 -> 192.168.1.147:51240
Sun Apr 4 22:47:01 2010 192.168.1.147:51240 MULTI: primary virtual IP for 192.168.1.147:51240: 10.8.0.14
Sun Apr 4 22:47:02 2010 192.168.1.147:51240 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr 4 22:47:02 2010 192.168.1.147:51240 SENT CONTROL [UNDEF]:
'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,
topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13' (status=1)
Sun Apr 4 22:47:13 2010 192.168.1.147:51240 Authenticate/Decrypt
packet error: bad packet ID (may be a replay): [ #1 ] -- see the man page entry for
--no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
10 Links
- Discussion forum: http://www.iredmail.org/forum/
- OpenVPN-auth-ldap Project home page: http://code.google.com/p/openvpn-auth-ldap/
- iRedMail Project home page: http://code.google.com/p/iredmail/
- Secure Communications with OpenVPN on CentOS 5: http://library.linode.com/networking/vpn-services/openvpn-centos-5