Difference between revisions of "OpenVPN"

From CSLabsWiki
m (changed ldap status)
(Added main information)
Line 2: Line 2:
 
|ip_addr = 128.153.145.248
 
|ip_addr = 128.153.145.248
 
|contact_person = [[User:milton|Milton Griffin]]
 
|contact_person = [[User:milton|Milton Griffin]]
|last_update = Spring 2017
+
|last_update = Late Febuary 2017
|host_vm = [[Pyxis]]
 
|vm_host = [[Hydra]]
 
 
|services = ''OpenVPN''
 
|services = ''OpenVPN''
|category = VM
 
|handoff = no
 
 
}}
 
}}
   
  +
This service provides a VPN tunnel into COSI. The configuration file is available for any member of COSI in my home folder.
{{VM
 
  +
|hostname = Not yet implemented
 
  +
==How To Run a Client==
|maintainer = [[User:milton|Milton Griffin]]
 
  +
Install OpenVPN-gui (Windows) or the OpenVPN package (Linux). Move the configuration file to:
|operating_system = Arch
 
  +
"C:/Program Files/OpenVPN/config/" in Windows
|ldap = Not implemented
 
  +
"/etc/openvpn/" for Linux service
|development_status = In Development
 
  +
or anywhere for Linux general use. To start the VPN on Windows: start OpenVPN-gui, right click the icon in the notification area, click connect. To start the VPN on Linux: run
|vm_host = [[Hydra]]
 
  +
sudo openvpn --config /location/of/cosi.ovpn
|status = Construction
 
  +
As a Linux service that will start when the computer boots: run
}}
 
  +
sudo systemctl enable openvpn@cosi.service
  +
NOTE: The configuration is plug and play for anything but Windows. For Windows clients, run (Win + r) regedit. Change
  +
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
  +
from 0 to 1. Next run services.msc, right click 'Routing and Remote Access', select properties, change it to automatic, then restart.
  +
  +
==Server Management==
  +
This section is for initial configuration
  +
To make a new pki : easyrsa init-pki
  +
To make the revoke list : easyrsa gen-crl
  +
To make the new CA : easyrsa build-ca
  +
  +
This section explains how to make server and client certificates
  +
To make the server : easyrsa build-server-full servername nopass
  +
To make the client : easyrsa build-client-full clientname nopass
  +
  +
Move the needed files to the server's folder
  +
The system CA : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
  +
The server crt : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
  +
The server key : cp -a /etc/easyrsa/pki/private/openvpn-server.key /etc/openvpn/server/server.key
  +
  +
The encryption uses a Diffie-Hellman
  +
Go to the server folder : cd /etc/openvpn/main/
  +
Generate the DH : openssl dhparam -out dh2048.pem 2048
  +
  +
==Server Configuration==
  +
To allow the system to forward traffic, modify /etc/sysctl.conf/network.conf to include:
  +
  +
net.ipv4.ip_forward = 1
  +
  +
and run:
  +
  +
iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
  +
iptables-save > /etc/iptables/iptables.rules
  +
  +
Server configuration file:
  +
proto udp
  +
port 1194
  +
dev tun
  +
server 10.200.0.0 255.255.255.0
  +
topology subnet
  +
persist-key
  +
persist-tun
  +
keepalive 10 60
  +
push "redirect-gateway def1"
  +
push "0.0.0.0 0.0.0.0 10.200.0.1 999"
  +
push "dhcp-option DNS 128.153.145.3"
  +
dh [inline]
  +
ca [inline]
  +
cert [inline]
  +
key [inline]
  +
duplicate-cn
  +
user nobody
  +
group nobody
  +
verb 3
  +
daemon
  +
log-append /var/log/openvpn.log
  +
**dh ca cert and key omitted**
   
  +
==Client Configuration==
This is a service in progress that will link COSI with COSI's 2nd floor. Other uses will be reported when available.
 
  +
Client configuration file:
  +
client
  +
proto udp
  +
remote 128.153.145.248
  +
port 1194
  +
dev tun
  +
nobind
  +
topology subnet
  +
pull
  +
**ca, cert, and key omitted**
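Review bot: the server configuration added in this revision (the block from 'proto udp' to 'log-append /var/log/openvpn.log') has no 'crl-verify' directive, so the CRL produced in the Server Management step ('easyrsa gen-crl') is never consulted and a lost client certificate stays valid; add 'crl-verify crl.pem' and copy the CRL next to the other server files. Combined with 'duplicate-cn' and a single profile handed out from a home folder, every member shares one identity, so there is no way to revoke a single person. Two path mismatches in the same hunk: the server is built as 'servername' but its key is copied from '/etc/easyrsa/pki/private/openvpn-server.key', and the DH step works in '/etc/openvpn/main/' while the certificates go to '/etc/openvpn/server/'. Also '/etc/sysctl.conf/network.conf' cannot exist because /etc/sysctl.conf is a file (a drop-in under /etc/sysctl.d/ is meant), and the infobox reads 'Febuary'.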

Revision as of 01:25, 28 February 2017

OpenVPN
IP Address(es): 128.153.145.248
Contact Person: Milton Griffin
Last Update: Late February 2017
Services: OpenVPN


This service provides a VPN tunnel into COSI. The configuration file is available for any member of COSI in my home folder.

How To Run a Client

Install OpenVPN-gui (Windows) or the OpenVPN package (Linux). Move the configuration file to:

"C:/Program Files/OpenVPN/config/" in Windows
"/etc/openvpn/" for Linux service 

or anywhere for Linux general use. To start the VPN on Windows: start OpenVPN-gui, right click the icon in the notification area, click connect. To start the VPN on Linux: run

sudo openvpn --config /location/of/cosi.ovpn

To run it as a Linux service that starts when the computer boots (the openvpn@cosi.service unit loads /etc/openvpn/cosi.conf, so give the file that name), run:

sudo systemctl enable openvpn@cosi.service

NOTE: The configuration is plug and play for anything but Windows. For Windows clients, run (Win + r) regedit. Change

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter 

from 0 to 1. Next run services.msc, right click 'Routing and Remote Access', select properties, change it to automatic, then restart.

Server Management

This section covers the one-time initial configuration of the PKI:

To make a new pki       : easyrsa init-pki
To make the revoke list : easyrsa gen-crl
To make the new CA      : easyrsa build-ca

This section explains how to make server and client certificates:

To make the server      : easyrsa build-server-full servername nopass
To make the client      : easyrsa build-client-full clientname nopass

Move the needed files to the server's folder:

The system CA   : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
The server crt  : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key  : cp -a /etc/easyrsa/pki/private/servername.key /etc/openvpn/server/server.key

The TLS key exchange uses Diffie-Hellman parameters, which must be generated once:

Go to the server folder : cd /etc/openvpn/main/
Generate the DH         : openssl dhparam -out dh2048.pem 2048

Server Configuration

To allow the system to forward traffic, add the following to /etc/sysctl.d/network.conf (applied with sysctl --system or at the next boot):

net.ipv4.ip_forward = 1

and run:

iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules

Server configuration file:

proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
push "redirect-gateway def1"
push "0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3" 
dh      [inline]
ca      [inline]
cert    [inline]
key     [inline]
duplicate-cn
user nobody
group nobody
verb 3
daemon
log-append /var/log/openvpn.log
**dh ca cert and key omitted**

Client Configuration

Client configuration file:

client
proto udp
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
**ca, cert, and key omitted**
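An added example (my own code, not the page's or OpenVPN's) that parses files in the format of the Server Configuration and Client Configuration sections above and lists what a reviewer would want changed before the profile is shared with every member. The checklist of expected directives is this script's own assumption, and the embedded configs are trimmed, constructed copies of the page's.

```python
"""Added example (not from the wiki page): parse OpenVPN configs in the format shown above and list the settings a reviewer would question."""
import shlex
# Constructed excerpt of the page's server config (proto/port/dev, pushes other than the gateway, and cert material omitted).
SERVER_CONF = """\
server 10.200.0.0 255.255.255.0
push "redirect-gateway def1"
ca [inline]
cert [inline]
key [inline]
duplicate-cn
"""
CLIENT_CONF = "client\nproto udp\nremote 128.153.145.248\nport 1194\ndev tun\nnobind\npull\n"  # constructed copy of the page's client config

def parse_config(text):
    """Return (directive, args) pairs; skips comments and folds <ca>...</ca> blocks into one entry."""
    entries, block, body = [], None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if block is not None:                       # inside an inline PEM block
            if line == f"</{block}>":
                entries.append((block, ["\n".join(body)]))
                block, body = None, []
            else:
                body.append(line)
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            parts = shlex.split(line)               # keeps quoted push arguments together
            entries.append((parts[0], parts[1:]))
    return entries

# This script's own checklist (not an OpenVPN requirement): directive that should be present -> why it matters.
REQUIRED = {
    "server": {"crl-verify": "the CRL from 'easyrsa gen-crl' is never consulted",
               "cipher": "data-channel cipher left at the build's default"},
    "client": {"remote-cert-tls": "peer is not required to present a server certificate",
               "verify-x509-name": "server certificate name is not pinned"},
}

def audit(text, role):
    """Return findings for a 'server' or 'client' config; an empty list means clean."""
    conf = parse_config(text)
    seen = {d for d, _ in conf}
    findings = [f"missing {d}: {why}" for d, why in REQUIRED[role].items() if d not in seen]
    if not seen & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel lacks an HMAC pre-check")
    if role == "server" and "duplicate-cn" in seen:
        findings.append("duplicate-cn: one shared certificate, so revoking one member revokes all")
    if role == "server" and any(d == "push" and a and a[0].startswith("redirect-gateway") for d, a in conf):
        findings.append("redirect-gateway pushed: all client traffic leaves through the tunnel")
    return findings
```

Run audit(SERVER_CONF, "server") and audit(CLIENT_CONF, "client") to see the findings; the same functions accept a full profile with inline <ca>, <cert> and <key> blocks.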