Difference between revisions of "OpenVPN"

From CSLabsWiki

Edit summaries: (Added main information); m (changed ldap status)

Revision as of 01:25, 28 February 2017

OpenVPN
IP Address(es): 128.153.145.248
Contact Person: Milton Griffin
Maintainer: Milton Griffin
Last Update: Late February 2017
Services: OpenVPN
Hostname: Not yet implemented
Operating System: Arch
LDAP: Not implemented
Development Status: In Development
VM Host: Hydra
Status: Construction


This service provides a VPN tunnel into COSI. The configuration file is available for any member of COSI in my home folder.

How To Run a Client

Install OpenVPN-GUI (Windows) or the OpenVPN package (Linux). Move the configuration file to:

"C:\Program Files\OpenVPN\config\" on Windows
"/etc/openvpn/" for use as a Linux service

or anywhere for general Linux use. To start the VPN on Windows: start OpenVPN-GUI, right-click its icon in the notification area and click Connect. To start the VPN on Linux, run

sudo openvpn --config /location/of/cosi.ovpn

To run it as a Linux service that starts at boot, save the file as /etc/openvpn/cosi.conf (the openvpn@<name> unit reads /etc/openvpn/<name>.conf, so a file kept with the .ovpn extension is not found) and run

sudo systemctl enable --now openvpn@cosi.service

NOTE: The configuration is plug and play on everything but Windows. For Windows clients, run regedit (Win + R) and change

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter

from 0 to 1. Next run services.msc, right-click 'Routing and Remote Access', select Properties, set the startup type to Automatic, then restart. Be aware that IPEnableRouter=1 turns the Windows machine into a router that forwards packets between all of its interfaces, the VPN tunnel included; set it back to 0 once the machine no longer needs to forward traffic.

Server Management

This section covers the initial configuration. gen-crl signs the revocation list with the CA key, so the CA has to exist before the CRL can be created:

To make a new PKI        : easyrsa init-pki
To make the new CA       : easyrsa build-ca
To make the revoke list  : easyrsa gen-crl

This section explains how to make server and client certificates. nopass leaves the private key unencrypted on disk, which is what an unattended server needs; for a client key it means anyone who copies the file can use it:

To make the server       : easyrsa build-server-full servername nopass
To make the client       : easyrsa build-client-full clientname nopass

Move the needed files to the server's folder. easyrsa names the key after the certificate it issued, so the key that goes with servername.crt is pki/private/servername.key:

The system CA   : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
The server crt  : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key  : cp -a /etc/easyrsa/pki/private/servername.key /etc/openvpn/server/server.key

The TLS handshake uses Diffie-Hellman parameters, which are generated once for the server:

Go to the server folder : cd /etc/openvpn/main/
Generate the DH         : openssl dhparam -out dh2048.pem 2048

To revoke a client later, run easyrsa revoke clientname followed by easyrsa gen-crl, then copy the refreshed pki/crl.pem to the server. The server only honours the list if its configuration loads that file with crl-verify.

Server Configuration

To allow the system to forward traffic, create the file /etc/sysctl.d/network.conf containing:

net.ipv4.ip_forward = 1

apply it without rebooting with sysctl --system, and run:

iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules

On Arch, iptables.service restores /etc/iptables/iptables.rules at boot, so enable that service as well. ens3 is the server's uplink interface; if the FORWARD chain's policy is DROP, matching ACCEPT rules for 10.200.0.0/24 are needed in addition to the NAT rule.

Server configuration file:

proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
push "redirect-gateway def1"
push "route 0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3" 
dh      [inline]
ca      [inline]
cert    [inline]
key     [inline]
duplicate-cn
user nobody
group nobody
verb 3
daemon
log-append /var/log/openvpn.log
**dh ca cert and key omitted**

Two things to note in this configuration. gen-crl above produces a CRL, but no crl-verify line loads it, so a revoked client certificate is still accepted until a line such as crl-verify /etc/openvpn/server/crl.pem (pointing at wherever the CRL is copied) is added. No cipher or auth is set either, so the data channel uses the build's default; on OpenVPN 2.3 that is BF-CBC, and pinning cipher AES-256-CBC (or AES-256-GCM when both ends run 2.4) is the usual fix. duplicate-cn is what lets the one shared configuration file be used by several members at the same time; the cost is that there is no per-member certificate to revoke.
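The checks just described can be made mechanical. The script below is an added example, not code from this wiki page or from COSI: a POSIX sh lint pass that reads an OpenVPN server configuration and reports a push string that names no option, a missing crl-verify, a missing cipher, and duplicate-cn. The allow-list of push keywords is a partial list assumed by the example, the two sample configurations are constructed (the first is a copy of the server configuration above, the second the same file with each finding addressed), and the crl path in the fixed file is an assumption.

```shell
#!/bin/sh
# Added example, not code from the CSLabsWiki page: a small lint pass over an
# OpenVPN server configuration that flags the weak spots discussed above.
# Needs only POSIX sh, grep, tr and awk. The two configs below are constructed
# for the demonstration (certificates and DH parameters omitted).

# Option keywords that may legally follow "push". This is a partial
# allow-list (an assumption of this example), enough to catch a push string
# that names no option at all.
PUSH_OK='route route-gateway route-ipv6 redirect-gateway dhcp-option ping ping-restart inactive topology persist-key persist-tun comp-lzo ifconfig ifconfig-ipv6'

# lint_server_conf FILE : print one finding per line; prints nothing when clean.
lint_server_conf() {
    conf=$1
    # Drop comment and blank lines once; every check below works on $body.
    body=$(grep -v '^[[:space:]]*[#;]' "$conf" | grep -v '^[[:space:]]*$' || true)

    # 1. Every push string must begin with a client option keyword.
    printf '%s\n' "$body" | grep '^[[:space:]]*push[[:space:]]' |
    while IFS= read -r line; do
        kw=$(printf '%s\n' "$line" | tr -d '"\047' | awk '{print $2}')
        case " $PUSH_OK " in
            *" $kw "*) ;;
            *) printf 'malformed push (no option keyword): %s\n' "$line" ;;
        esac
    done

    # 2. A CRL that is generated but never loaded revokes nothing.
    printf '%s\n' "$body" | grep -q '^[[:space:]]*crl-verify[[:space:]]' ||
        printf 'no crl-verify: revoked client certificates are still accepted\n'

    # 3. Without an explicit cipher the build default is used (BF-CBC on 2.3).
    printf '%s\n' "$body" | grep -q '^[[:space:]]*cipher[[:space:]]' ||
        printf 'no cipher: data channel falls back to the default cipher\n'

    # 4. duplicate-cn lets many clients share one certificate, so that
    #    certificate can never be revoked for just one of them.
    printf '%s\n' "$body" | grep -q '^[[:space:]]*duplicate-cn' &&
        printf 'duplicate-cn: a shared certificate cannot be revoked per member\n'
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the page's server config, as published above.
cat > "$WORK/weak.conf" <<'EOF'
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
keepalive 10 60
push "redirect-gateway def1"
push "0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3"
duplicate-cn
user nobody
group nobody
EOF

# The same config with each finding addressed (the crl path is an assumption).
cat > "$WORK/fixed.conf" <<'EOF'
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
keepalive 10 60
push "redirect-gateway def1"
push "dhcp-option DNS 128.153.145.3"
crl-verify /etc/openvpn/server/crl.pem
cipher AES-256-GCM
user nobody
group nobody
EOF

# Finding counts for the two configs (awk so that an empty report yields 0).
weak_findings()  { lint_server_conf "$WORK/weak.conf"  | awk 'END { print NR }'; }
fixed_findings() { lint_server_conf "$WORK/fixed.conf" | awk 'END { print NR }'; }

lint_server_conf "$WORK/weak.conf"
```

Run it against the live file with lint_server_conf /etc/openvpn/server.conf (or whatever path the service uses); the weak sample produces four findings and the fixed one none. The push check is deliberately conservative: it only looks at the first word after push, which is enough to catch the missing route keyword without re-implementing OpenVPN's option parser.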

Client Configuration

Client configuration file:

client
proto udp
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
**ca, cert, and key omitted**

client already implies pull, so that line is redundant but harmless. More important is what the profile leaves out: without remote-cert-tls server a client accepts any certificate signed by the COSI CA as the server, including another member's client certificate. Because the server certificate is issued with build-server-full, which sets the server extended key usage, adding remote-cert-tls server to the client profile costs nothing and closes that gap.
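Both configurations above reference the CA, certificate and key with [inline], but the page never shows how the PEM files end up inside the profile. The script below is an added example, not the page's or COSI's own script: a POSIX sh function that assembles a single-file .ovpn from easyrsa's output, wraps the PEM material in the <ca>, <cert> and <key> tags that OpenVPN expects, adds the remote-cert-tls server line discussed above, and writes the result readable by its owner only because it now embeds a private key. The PEM contents written here are constructed placeholders, and the output filename and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the CSLabsWiki page: assemble the single-file
# .ovpn client profile that the "[inline]" directives above call for, with the
# CA, client certificate and client key embedded. Needs only POSIX sh. The PEM
# files written below are constructed placeholders, not real certificates or
# keys; on a real PKI they are easyrsa's pki/ca.crt, pki/issued/<client>.crt
# and pki/private/<client>.key.

# make_ovpn SERVER CA_CRT CLIENT_CRT CLIENT_KEY : print the profile on stdout.
make_ovpn() {
    server=$1 ca=$2 crt=$3 key=$4
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    # Inline PEM material lives between <ca>, <cert> and <key> tags.
    # remote-cert-tls server makes the client refuse any peer whose
    # certificate lacks the server EKU, so a fellow member's client
    # certificate (signed by the same CA) cannot stand in for the server;
    # easyrsa build-server-full sets that EKU on the server certificate.
    cat <<EOF
client
proto udp
remote $server 1194
dev tun
nobind
remote-cert-tls server
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$crt")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# write_profile OUT SERVER CA_CRT CLIENT_CRT CLIENT_KEY : write the profile
# readable by its owner only, because it embeds the private key.
write_profile() {
    out=$1; shift
    ( umask 077; make_ovpn "$@" > "$out" ) || { rm -f "$out"; return 1; }
}

# has_inline FILE TAG : succeed if FILE carries a complete <TAG>...</TAG> block.
has_inline() {
    grep -q "^<$2>\$" "$1" && grep -q "^</$2>\$" "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholders standing in for the easyrsa output files.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-ca...' '-----END CERTIFICATE-----' > "$WORK/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-client...' '-----END CERTIFICATE-----' > "$WORK/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed-secret...' '-----END PRIVATE KEY-----' > "$WORK/client.key"

write_profile "$WORK/cosi.ovpn" 128.153.145.248 "$WORK/ca.crt" "$WORK/client.crt" "$WORK/client.key"
cat "$WORK/cosi.ovpn"
```

On the real PKI the call becomes write_profile cosi.ovpn 128.153.145.248 /etc/easyrsa/pki/ca.crt /etc/easyrsa/pki/issued/clientname.crt /etc/easyrsa/pki/private/clientname.key, run as a user who can read the key. Because the client key is created with nopass, the resulting .ovpn is itself a credential: the umask 077 in write_profile keeps it from being world-readable in a home folder.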