Openvpn - Instalar un servidor OpenVPN en Fedora Linux 20-22 y configurar clientes

OpenVPN

Para mas informacion, ver https://community.openvpn.net/.

Security note

    The configuration snippets here will produce a working server and client config. But take certain precautions if you want to use this approach in a production environment. Important things to avoid are:
  • Do not store the easy-rsa CA files on the OpenVPN server.
    • The server only needs ca.crt, server.crt, server.key and dh*.pem files
    • The client only needs ca.crt, client.crt and client.key
  • Avoid creating the encryption keys in a virtualized environment, as the random entropy may not be random enough to guarantee safe keys.

Working with systemd

With the transition to systemd, OpenVPN no longer has a single monolithic init script, where every connection with a configuration file in /etc/openvpn/ is started automatically. Instead, individual connections can be started and stopped with systemctl.
For example, to start a connection, run systemctl start openvpn@foo.service, where the connection is defined in /etc/openvpn/foo.conf.

Setting up an OpenVPN server

  1. yum install openvpn easy-rsa
  2. Copy /usr/share/easy-rsa/2.0 somewhere (like root's home directory with cp -ai /usr/share/easy-rsa/2.0 ~/easy-rsa).
  3. cd ~/easy-rsa
  4. Edit vars appropriately.
  5. . vars
  6. ./clean-all
  7. Before continuing, make sure the system time is correct. Preferably, set up NTP .
  8. ./build-ca
  9. ./build-key-server $( hostname | cut -d. -f1 )
  10. ./build-dh
  11. mkdir /etc/openvpn/keys
  12. cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/
  13. cp -ai /usr/share/doc/openvpn*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
  14. Edit /etc/openvpn/server.conf appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
  15. Fix selinux context of files: restorecon -Rv /etc/openvpn
  16. ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service (Note that 'server' corresponds with the configuration name in /etc/openvpn/ such as server.conf; that is, 'server' corresponds to whatever name your configuration file has)
  17. systemctl -f enable openvpn@server.service
  18. systemctl start openvpn@server.service
  19. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194. Para comprobar que el puerto 1194 esta a la escucha: netstat -uapn | grep 1194

Loa siguientes puntos son para habilitar openvpn en el firewall, si queremos saltarlo para probar que funciona podemos parar el firewall con el siguiente comando: systemctl stop firewalld
The following should work (assuming an outside interface is eth1 and an inside interface is eth0, no usar en Fedora 20, los comandos que me han funcionado son los de firewalld:
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
These commands should work for firewalld, estos comandos me han funcionado correctamente en fedora 20:
firewall-cmd --add-service=openvpn  (si agregamos --permanent queda fijo en arranque)
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:
append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established
Or for system-config-firewall, you can add these custom rules:
-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
Create a file iptables-rules in /etc/sysconfig and add the above contents, then in system-config-firewall, choose the "Custom Rules" choice, click "Add", choose IPV4 for the protocol type, and filter for the firewall table. Then select /etc/sysconfig/iptables-rules for the File: choice. Then Apply the changes.

Setting up a Linux OpenVPN client

You need to generate new keys (or use existing other client/username keys) for the new client/username
On the server:
  1. cd easy-rsa
  2. . vars
  3. ./build-key username
On the client:
  • In the following, replace MyClient with a descriptive vpn connection name.
  1. Copy username.key, username.crt and ca.crt from server to /etc/openvpn/MyClient/.
  2. cp -ai /usr/share/doc/openvpn*/sample-config-files/client.conf /etc/openvpn/MyClient.conf
  3. Edit /etc/openvpn/MyClient.conf appropriately to set your configuration (just like server configuration, port, compression,..) and key paths.
  4. ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@MyClient.service
  5. systemctl enable openvpn@MyClient.service
  6. systemctl start openvpn@MyClient.service
check /var/log/messages if things didn't work as expected
Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a vpn connection. Make sure you have the NetworkManager-openvpn package installed. Then just add a new VPN connection.
Should also test automatic starting at boot up, with password protected key files and maybe even --auth-user-pass. OpenVPN supports systemd's password passing if build with --enable-systemd via ./configure

Setting up a Windows OpenVPN client

On the server:
  1. cd easy-rsa
  2. . vars
  3. ./build-key username
On the client:
  1. Install the the OpenVPN Windows client.
  2. Copy username.crt, username.key, and ca.crt to C:\Program Files\OpenVPN\config\ on the client.
  3. Drop roadwarrior-client.conf into C:\Program Files\OpenVPN\config\ as whatever.ovpn and edit appropriately.
  4. Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.
Ideally the client should do some verification on the server key with tls-remote in the whatever.ovpn configuration file.

Using OpenVPN with Pacemaker

When using OpenVPN with Pacemaker and systemd a command like pcs resource create openvpn-foo systemd:openvpn@foo op monitor interval=60s --force is needed to create a new resource for OpenVPN, where the connection is defined in /etc/openvpn/foo.conf. Passing --force is required, otherwise the error message "Error: Unable to create resource 'systemd:openvpn@foo', it is not installed on this system (use --force to override)" is thrown even the OpenVPN configuration file exists.

Comentarios

Publicar un comentario

Entradas populares de este blog

Orange Pi IoT 2G Flashear memoria NAND

Imagen
He creado un paquete completo listo para usarse y flashear la NAND: Nota Importante: todo este trabajo está realizado gracias al aporte del usuario de github "aib", es un gran linux hacker, he aprendido mucho gracias a el :)) gracias! https://www.aib42.net/article/hacking-orangepi-2g 1.Necesitaremos poner la placa en modo USB otg: -Poner el interruptor en modo arranque desde flash (android) -Poner los Switches en la zona adecuada (1-4 en on y 5-8  en off) -Con la placa apagada apretar boton y conectar a puerto USB (asi entramos en modo otg, flash) Foto tal como deben estar los switches e interruptor de placa: Si lo hacemos bien aparecerá el dispositivo /dev/ttyACM0 1.1Bajar el paquete completo desde MEGA: https://mega.nz/#!BFcmiTpL!29AQt7E1odjNUaFV4JNXN8KnVM2dPSocf77EP8uFnPo - Resolver dependencia: #pip3 install pyserial - Descomprimir:  #tar xpvfz Opi2GIoTNANDflash.tar.gz  #cd FlashNANDOpi2GIoT/  .#/flashear.sh Si todo va bien ver
Leer más

Usar datos gratis para proyectos IoT FreedomPop y Orange Pi 2G IoT (también Simyo).

Imagen
Configuración PPP, freedompop y tarjera Orange Pi 2G IoT: He preparado este pequeño tutorial para poder usar los datos de conexión gratuita de freedompop con esta pequeña tarjeta de Orange Pi, comprada en aliexpress por unos 12€. La versión usada de Linux es Ubuntu Server, Link de descarga (http://www.orangepi.org/downloadresources/) también funcionará en Armbian, aunque no lo he probado. Es necesario registar el modem de la Orange Pi 2G IoT en la red GSM de movistar (de momento es la predeterminada por freedompop). Sin este paso no se puede registrar en su red. 1.Instalar el software necesario: #sudo apt-get install ppp wvdial 2. Configurar ficheros:         2.1  fichero:  /etc/wvdial.conf para Freedompop: [Dialer defaults] ISDN = 0 Modem Type = Analog Modem Phone = *99***1# Stupid Mode = 1 Dial Command = ATDT Modem = /dev/modem0 Baud = 460800 Init1 = AT+COPS=0 Init2 = AT+CFUN=1 Init3 = AT+CGATT=1 Init4 = AT+CGDCONT=1,"IP","freedompop.fogg
Leer más

Configurar modem GSM en la Orange Pi 2G IoT (Orange España)

Configurar modem GSM en la Orange Pi 2G IoT Comentaros que necesitáis unos conocimientos más o menos básicos para poder seguir esto, pero vamos, está todo cortado y pelado. Empezamos. Abrimos terminal. sudo apt-get install ppp wvdial Hacemos sudo vim /etc/wvdial.conf Y metemos: [Dialer defaults] Modem = /dev/modem0 Baud = 30720000 Dial Command = ATDT Init1 = ATE1 Init2 = AT+CGDCONT=1,"IP","internet","",0,0 FlowControl = CRTSCTS Init3 = ATM0 Phone = *99# Username = orange Password = orange Stupid Mode = 1 "internet" es donde va el nombre del APN, que en el caso de Orange es, precisamente ese,  internet . El username y password de Orange son  orange  para ambos, si teneis otra compañía estos datos serán diferentes. De hecho, quizá estas configuraciones no funcionen para ellos. NOTA: Lo he probado exitosamente también con Vodafone con el APN "airtelnet.es" y como usuario y contraseña  vodafone . Hacemos sudo vim /etc/pp
Leer más