OpenVPN – Config and procedures

Server: aglianico (192.168.50.254)
Link: https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7

Client Configuration

The client needs a config file (described below) and 4 keys:
– ca.crt (Server Certificate Authority, shared)
– ta.key (HMAC firewall key, shared)
– userName.crt (per-user certificate, see "New User" section)
– userName.key (per-user private key, see "New User" section)
This is the client config (the userName.ovpn file). Adjust the paths and replace userName with the name of the user's own certificate and key files.
To start a VPN, use the command: sudo openvpn userName.ovpn

client
dev tun
proto udp
remote 62.167.236.147 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 3
ca /path/ca.crt
cert /path/userName.crt
key /path/userName.key
tls-auth /path/ta.key 1

New User

To create and register a new user (pippo), connect to frontend (192.168.50.254) as root and:
– cd /etc/openvpn/easy-rsa
– source ./vars
– ./build-key pippo
– leave all options as default BUT:
  – Name [server]:pippo
  – Email Address [info@exmachina.ch]:pippo@exmachina.ch
  – leave "A challenge password []:" empty
  – Sign the certificate? [y/n]:y
  – 1 out of 1 certificate requests certified, commit? [y/n]y

At this point, in the /etc/openvpn/easy-rsa/keys directory, you will have:
– pippo.crt
– pippo.csr
– pippo.key
And a new entry in the file index.txt marked as “V”.

Make sure the user receives those 3 files (plus ca.crt and ta.key) OVER A SAFE CHANNEL (ideally by hand), then remove them from the server.
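The same hand-over can be reduced to a single file: the script below (an added example, not part of the original procedure) builds userName.ovpn with the four key files embedded inline, using the client options from this page. It assumes the easy-rsa 2 keys directory layout; the added remote-cert-tls line assumes the server certificate was built with build-key-server.

```shell
#!/bin/sh
# Added example, not part of the original procedure: build one userName.ovpn
# with ca.crt, userName.crt, userName.key and ta.key embedded inline, so the
# user receives a single file over the safe channel instead of five.
# Assumes the easy-rsa 2 layout (/etc/openvpn/easy-rsa/keys) and the client
# options listed on this page; remote-cert-tls assumes the server cert was
# built with build-key-server (server nsCertType/EKU).
# Usage: make_ovpn <userName> <keysDir> <outFile>
make_ovpn() {
  user="$1"; keys="$2"; out="$3"
  for f in "$keys/ca.crt" "$keys/ta.key" "$keys/$user.crt" "$keys/$user.key"; do
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  ( umask 077; {                  # the output holds a private key: mode 600
    cat <<'EOF'
client
dev tun
proto udp
remote 62.167.236.147 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 3
remote-cert-tls server
key-direction 1
EOF
    # key-direction 1 replaces the trailing "1" of "tls-auth ta.key 1" once the
    # key is inline; the four inline blocks replace the ca/cert/key/tls-auth paths.
    printf '<ca>\n';       cat "$keys/ca.crt";  printf '</ca>\n'
    # easy-rsa writes a human-readable dump above the PEM block; keep only the PEM
    printf '<cert>\n';     sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$keys/$user.crt"; printf '</cert>\n'
    printf '<key>\n';      cat "$keys/$user.key"; printf '</key>\n'
    printf '<tls-auth>\n'; cat "$keys/ta.key";  printf '</tls-auth>\n'
  } > "$out" )
}
```

Run it as root on the server as make_ovpn pippo /etc/openvpn/easy-rsa/keys /root/pippo.ovpn, hand over that one file, then delete it together with the key files.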

Revoke User

To revoke access for a user (pippo), connect to frontend (192.168.50.254) as root and:
– cd /etc/openvpn/easy-rsa
– check the certificate's actual Common Name in /etc/openvpn/easy-rsa/keys/index.txt (the name passed to revoke-full must match it)
– source ./vars
– ./revoke-full pippo
– at this point the entry in the file keys/index.txt should be marked as “R” and the revoked cert list should be updated in keys/crl.pem (openssl crl -in keys/crl.pem -text)
Apply the revoke (overwrite current crl.pem):
– cp keys/crl.pem /etc/openvpn/
– systemctl restart openvpn@server.service (drops current connections and forces all clients to re-authenticate against the new CRL)
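The two checks in the procedure (the real name in index.txt before revoke-full, the "R" mark and crl.pem afterwards) can be scripted. This is an added example, not part of the original page; it assumes the stock tab-separated OpenSSL CA database format that easy-rsa 2 writes to keys/index.txt.

```shell
#!/bin/sh
# Added example (not from the original page): query easy-rsa's OpenSSL CA
# database (keys/index.txt) before and after ./revoke-full, so the name
# passed to revoke-full is the certificate's real Common Name and the "R"
# mark actually landed. Assumes the stock tab-separated format:
#   status<TAB>expiry<TAB>revocation<TAB>serial<TAB>file<TAB>DN
# Usage: cert_status <index.txt> <CN>  -> prints V, R or E; rc 1 if no entry
cert_status() {
  awk -F'\t' -v cn="$2" '
    # DN is the 6th field; match CN=<name> as a whole component, not a prefix
    index($6, "/CN=" cn "/") || $6 ~ ("/CN=" cn "$") { st = $1; found = 1 }
    END { if (!found) exit 1; print st }' "$1"
}
# Usage: valid_cns <index.txt> -> one CN per line, only unrevoked (V) certs
valid_cns() {
  awk -F'\t' '$1 == "V" { if (match($6, "/CN=[^/]+")) print substr($6, RSTART + 4, RLENGTH - 4) }' "$1"
}
# Usage: check_revoked <index.txt> <crl.pem> <CN> -> rc 0 only when the index
# says R *and* that serial is listed in the CRL that gets copied to /etc/openvpn
# (the running server only honours crl.pem, never index.txt)
check_revoked() {
  serial=$(awk -F'\t' -v cn="$3" \
    '$1 == "R" && (index($6, "/CN=" cn "/") || $6 ~ ("/CN=" cn "$")) { print $4 }' "$1" | tail -n 1)
  [ -n "$serial" ] || return 1
  openssl crl -in "$2" -noout -text | grep -qi "Serial Number: $serial"
}
```

Before revoking: cert_status keys/index.txt pippo should print V; after revoke-full: check_revoked keys/index.txt keys/crl.pem pippo must succeed before the cp to /etc/openvpn.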

Server Configuration

Required rpms: openvpn, easy-rsa, iptables-services.

Network setup

# systemctl disable firewalld
# systemctl stop firewalld
# sudo yum install iptables-services
# systemctl enable iptables
# systemctl start iptables
# iptables --flush
# iptables -t nat -A POSTROUTING -s 10.254.254.0/24 -d 192.168.50.0/24 -j MASQUERADE
# iptables-save > /etc/sysconfig/iptables
add "net.ipv4.ip_forward = 1" to /etc/sysctl.conf
# systemctl restart network.service

Add NAT (port-forwarding) and firewall rules (UDP 1194 from WAN to 192.168.50.254) on the network firewall (192.168.50.1).

(WORK IN PROGRESS) ENABLE AWS ACCESS (OPTIONAL):

If you want to enable direct access from the VPN to one of the AWS machines you can add a rule like the following:
# iptables -A FORWARD -i tun0 -s 10.254.254.0/24 -d 52.7.20.36 -j ACCEPT

where 52.7.20.36 is the IP of the AWS machine, in this case prod-db

If you want to enable a whole set of IPs you can use ipset.
For example, to enable all AWS machines, create a file aws_machines.txt with one line per machine: the IP address followed by the hostname (only the first column is used).


then invoke

Create the IP set:
# ipset -N AWS_MACHINES iphash

Add all AWS machines to the IP set:
# awk '{print $1}' aws_machines.txt | xargs -I {} ipset -A AWS_MACHINES {}

Create an iptables rule that gives access to the whole set:
# iptables -A FORWARD -i tun0 -s 10.254.254.0/24 -m set --match-set AWS_MACHINES dst -j ACCEPT

Service setup

# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service

Server config file (/etc/openvpn/server.conf)

# Which local IP address should OpenVPN listen on? (optional)
local 192.168.50.254
port 1194
proto udp
dev tun

# SSL/TLS root certificate (ca), certificate (cert), and private key (key). Each client and the server must have their own cert and
# key file. The server and all clients will use the same ca file.
#
# See the "easy-rsa" directory for a series of scripts for generating RSA certificates and private keys. Remember to use
# a unique Common Name for the server and each of the client certificates.
#
# Any X509 key management system can be used. OpenVPN can also use a PKCS #12 formatted key file (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
# Diffie-Hellman parameters. Generate your own with: openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pem
crl-verify /etc/openvpn/crl.pem

server 10.254.254.0 255.255.255.0

# Push routes to the client to allow it to reach other private subnets behind the server. Remember that these private subnets will also need
# to know to route the OpenVPN client address pool (10.254.254.0/255.255.255.0, the "server" subnet above) back to the OpenVPN server.
push "route 192.168.50.0 255.255.255.0"

# If enabled, this directive will configure all clients to redirect their default network gateway through the VPN, causing all IP traffic such as web browsing
# and DNS lookups to go through the VPN (the OpenVPN server machine may need to NAT or bridge the TUN/TAP interface to the internet in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 8.8.4.4"

# The keepalive directive causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down.
# Ping every 10 seconds, assume that remote peer is down if no ping received during a 120 second time period.
keepalive 10 120

# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall" to help block DoS attacks and UDP port flooding.
# Generate with: openvpn --genkey --secret ta.key
# The server and each client must have a copy of this key. The second parameter should be '0' on the server and '1' on the clients.
tls-auth /etc/openvpn/ta.key 0 # This file is secret

# Select a cryptographic cipher. Note that 2.4 client/server will automatically negotiate AES-256-GCM in TLS mode.
cipher AES-256-CBC
comp-lzo

# Max concurrent clients we want to allow.
max-clients 50
user nobody
group nobody
persist-key
persist-tun

# Output a short status file showing current connections, truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
verb 4
log /etc/openvpn/openvpn.log