(Replacing FirewallD commands with tested commands with Fedora 35 server) |
|||
(34 intermediate revisions by 21 users not shown) | |||
Line 1: | Line 1: | ||
= OpenVPN = | = OpenVPN = | ||
''For more information, see | ''For more information, see https://community.openvpn.net/.'' | ||
== Security note == | |||
The configuration snippets here will produce a working server and client config. But take certain precautions if you want to use this approach in a production environment. Important things to avoid are: | |||
* Do not store the easy-rsa CA files on the OpenVPN server. | |||
** The server only needs ca.crt, server.crt, server.key and dh*.pem files | |||
** The client only needs ca.crt, client.crt and client.key | |||
* Avoid creating the encryption keys in a virtualized environment, as the random entropy may not be random enough to guarantee safe keys. | |||
== Working with systemd == | |||
With the transition to [[Systemd|systemd]], OpenVPN no longer has a single monolithic init script, where every connection with a configuration file in <code>/etc/openvpn/</code> is started automatically. Instead, individual connections can be started and stopped with <code>systemctl</code>. | |||
For example, to start a connection, run <code>systemctl start openvpn-client@</code>''foo''<code>.service</code>, where the connection is defined in <code>/etc/openvpn/client/</code>''foo''<code>.conf</code>. | |||
For more information, see [[Systemd#How_do_I_start.2Fstop_or_enable.2Fdisable_services.3F]]. | |||
== Setting up an OpenVPN server == | == Setting up an OpenVPN server == | ||
# <code> | # <code>dnf install openvpn easy-rsa</code> | ||
# Copy <code>/usr/share | # Copy <code>/usr/share/easy-rsa/3</code> somewhere (like /etc/openvpn/ directory with <code>mkdir /etc/openvpn/easy-rsa; cp -rai /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/</code>). | ||
# <code>cd | # <code>cd /etc/openvpn/easy-rsa</code> | ||
# Edit <code>vars</code> appropriately. | # Edit <code>vars</code> appropriately. | ||
# <code>./easyrsa clean-all</code> | |||
# <code>./clean-all</code> | |||
# Before continuing, make sure the system time is correct. Preferably, set up [http://www.ntp.org/ NTP] . | # Before continuing, make sure the system time is correct. Preferably, set up [http://www.ntp.org/ NTP] . | ||
# <code>./build-ca</code> | # <code>./easyrsa build-ca</code> | ||
# <code>./build- | # <code>./easyrsa build-server-full $( hostname | cut -d. -f1 )</code> | ||
# <code>./ | # <code>./easyrsa gen-dh</code> | ||
# <code>mkdir /etc/openvpn/keys</code> | # <code>mkdir /etc/openvpn/keys</code> | ||
# <code>cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/ | # <code>cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/</code> | ||
# <code>cp -ai /usr/share/doc/openvpn | # <code>cp -ai /usr/share/doc/openvpn*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/serverudp.conf</code> | ||
# Edit <code>/etc/openvpn/server.conf</code> appropriately to set your configuration and key paths. | # Edit <code>/etc/openvpn/server.conf</code> appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/. | ||
# <code> | # Fix selinux context of files: <code>restorecon -Rv /etc/openvpn</code> | ||
# <code>service openvpn | # (Note that 'serverudp' corresponds with the configuration name in /etc/openvpn/server such as serverudp.conf; that is, 'serverudp' corresponds to whatever name your configuration file has) | ||
# <code>systemctl enable openvpn-server@serverudp.service</code> | |||
# <code>systemctl start openvpn-server@serverudp.service</code> | |||
# Verify that firewall rules allow traffic in from <code>tun+</code>, out from the LAN to <code>tun+</code>, and in from the outside on UDP port 1194. | # Verify that firewall rules allow traffic in from <code>tun+</code>, out from the LAN to <code>tun+</code>, and in from the outside on UDP port 1194. | ||
The following should work (assuming | The following should work (assuming an outside interface is eth1 and an inside interface is eth0): | ||
<pre> | <pre> | ||
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT | iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT | ||
Line 32: | Line 50: | ||
</pre> | </pre> | ||
Or for [http://www.kspei.com/projects/genfw/ genfw] (my firewall-generation script, not currently available in Fedora), this in <code>/etc/sysconfig/genfw/rules</code>: | These commands should work for firewalld: | ||
<pre> | |||
# The default 'openvpn' service references udp port 1194 | |||
firewall-cmd --add-service=openvpn | |||
# Add the network interface to the default zone (e.g. "FedoraServer" for Fedora Server) | |||
firewall-cmd --add-interface=tun0 --permanent | |||
# Allow intra-zone forwarding for the default zone | |||
firewall-cmd --add-forward --permanent | |||
# Allow masquerading (Network address translation - NAT) for the default zone | |||
firewall-cmd --add-masquerade --permanent | |||
# Reload FirewallD to check the bootup behaviour | |||
firewall-cmd --reload | |||
# Show the complete current config | |||
firewall-cmd --list-all | |||
</pre> | |||
Or for [http://www.kspei.com/projects/genfw/ genfw] (my firewall-generation script, not currently available in Fedora), this in <code>/etc/sysconfig/genfw/rules</code>: | |||
<pre> | <pre> | ||
append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT | append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT | ||
Line 40: | Line 73: | ||
append FORWARD -i eth1 -o tun+ -j established | append FORWARD -i eth1 -o tun+ -j established | ||
</pre> | </pre> | ||
Or for system-config-firewall, you can add these custom rules: | Or for system-config-firewall, you can add these custom rules: | ||
<pre> | <pre> | ||
-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT | |||
-A INPUT -i tun+ -j ACCEPT | |||
-A FORWARD -i tun+ -j ACCEPT | |||
-A FORWARD -i eth0 -o tun+ -j ACCEPT | |||
-A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
</pre> | </pre> | ||
Create a file iptables-rules in /etc/sysconfig and add the above contents, then in system-config-firewall, choose the "Custom Rules" choice, click "Add", choose IPV4 for the protocol type, and filter for the firewall table. Then select /etc/sysconfig/iptables-rules for the File: choice. Then Apply the changes. | Create a file iptables-rules in /etc/sysconfig and add the above contents, then in system-config-firewall, choose the "Custom Rules" choice, click "Add", choose IPV4 for the protocol type, and filter for the firewall table. Then select /etc/sysconfig/iptables-rules for the File: choice. Then Apply the changes. | ||
Line 57: | Line 89: | ||
On the server: | On the server: | ||
# <code>cd easy-rsa | # <code>cd /etc/openvpn/easy-rsa</code> | ||
# <code>./easyrsa build-client-full ''username''</code> | |||
# <code>./build- | |||
On the client: | On the client: | ||
# Copy ''username''.key, ''username''.crt and ca.crt from server to <code>/etc/openvpn/ | *In the following, replace ''clientudp'' with a descriptive vpn connection name. | ||
# <code>cp -ai /usr/share/doc/openvpn | |||
# Edit <code>/etc/openvpn/client.conf</code> appropriately to set your configuration (just like server configuration, port, compression,..) and key paths. | # Copy ''username''.key, ''username''.crt and ca.crt from server to <code>/etc/openvpn/client/</code>. | ||
# <code> | # <code>cp -ai /usr/share/doc/openvpn*/sample-config-files/roadwarrior-client.conf /etc/openvpn/client/clientudp.conf</code> | ||
# <code>service | # Edit <code>/etc/openvpn/client/clientudp.conf</code> appropriately to set your configuration (just like server configuration, port, compression,..) and key paths. | ||
# <code>systemctl enable openvpn-client@clientudp.service</code> | |||
# <code>systemctl start openvpn-client@clientudp.service</code> | |||
check <code>/var/log/messages</code> if things didn't work as expected | check <code>/var/log/messages</code> if things didn't work as expected | ||
Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a vpn connection. Make sure you have the NetworkManager-openvpn package installed. Then just add a new VPN connection. | |||
Should also test automatic starting at boot up, with password protected key files and maybe even --auth-user-pass. OpenVPN supports systemd's password passing if build with --enable-systemd via ./configure | |||
== Setting up a Windows OpenVPN client == | == Setting up a Windows OpenVPN client == | ||
On the server: | On the server: | ||
# <code>cd easy-rsa | # <code>cd /etc/openvpn/easy-rsa</code> | ||
# <code>./easyrsa build-client-full ''username''</code> | |||
# <code>./build- | |||
On the client: | On the client: | ||
# Install the [http://openvpn. | # Install the the [http://openvpn.net/index.php/open-source/downloads.html OpenVPN Windows client]. | ||
# Copy ''username''.crt, ''username''.key, and ca.crt to <code>C:\Program Files\OpenVPN\config\</code> on the client. | # Copy ''username''.crt, ''username''.key, and ca.crt to <code>C:\Program Files\OpenVPN\config\</code> on the client. | ||
# Drop roadwarrior-client.conf into <code>C:\Program Files\OpenVPN\config\</code> as ''whatever''.ovpn and edit appropriately. | # Drop roadwarrior-client.conf into <code>C:\Program Files\OpenVPN\config\</code> as ''whatever''.ovpn and edit appropriately. | ||
Line 84: | Line 120: | ||
Ideally the client should do some verification on the server key with <code>tls-remote</code> in the ''whatever''.ovpn configuration file. | Ideally the client should do some verification on the server key with <code>tls-remote</code> in the ''whatever''.ovpn configuration file. | ||
== Using OpenVPN with Pacemaker == | |||
When using OpenVPN with Pacemaker and systemd a command like <code>pcs resource create openvpn-</code>''foo''<code> systemd:openvpn-client@</code>''foo''<code> op monitor interval=60s --force</code> is needed to create a new resource for OpenVPN, where the connection is defined in <code>/etc/openvpn/client/</code>''foo''<code>.conf</code>. Passing <code>--force</code> is required, otherwise the error message "Error: Unable to create resource 'systemd:openvpn-client@foo', it is not installed on this system (use --force to override)" is thrown even the OpenVPN configuration file exists. | |||
---- | ---- | ||
[[Category:Documentation]] [[Category:Packages]] | [[Category:Documentation]] | ||
[[Category:Packages]] | |||
[[category:Networking]] |
Latest revision as of 23:04, 17 October 2021
OpenVPN
For more information, see https://community.openvpn.net/.
Security note
The configuration snippets here will produce a working server and client config. But take certain precautions if you want to use this approach in a production environment. Important things to avoid are:
- Do not store the easy-rsa CA files on the OpenVPN server.
- The server only needs ca.crt, server.crt, server.key and dh*.pem files
- The client only needs ca.crt, client.crt and client.key
- Avoid creating the encryption keys in a virtualized environment, as the random entropy may not be random enough to guarantee safe keys.
Working with systemd
With the transition to systemd, OpenVPN no longer has a single monolithic init script, where every connection with a configuration file in /etc/openvpn/
is started automatically. Instead, individual connections can be started and stopped with systemctl
.
For example, to start a connection, run systemctl start openvpn-client@
foo.service
, where the connection is defined in /etc/openvpn/client/
foo.conf
.
For more information, see Systemd#How_do_I_start.2Fstop_or_enable.2Fdisable_services.3F.
Setting up an OpenVPN server
dnf install openvpn easy-rsa
- Copy
/usr/share/easy-rsa/3
somewhere (like /etc/openvpn/ directory withmkdir /etc/openvpn/easy-rsa; cp -rai /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
). cd /etc/openvpn/easy-rsa
- Edit
vars
appropriately. ./easyrsa clean-all
- Before continuing, make sure the system time is correct. Preferably, set up NTP .
./easyrsa build-ca
./easyrsa build-server-full $( hostname | cut -d. -f1 )
./easyrsa gen-dh
mkdir /etc/openvpn/keys
cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/
cp -ai /usr/share/doc/openvpn*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/serverudp.conf
- Edit
/etc/openvpn/server.conf
appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/. - Fix selinux context of files:
restorecon -Rv /etc/openvpn
- (Note that 'serverudp' corresponds with the configuration name in /etc/openvpn/server such as serverudp.conf; that is, 'serverudp' corresponds to whatever name your configuration file has)
systemctl enable openvpn-server@serverudp.service
systemctl start openvpn-server@serverudp.service
- Verify that firewall rules allow traffic in from
tun+
, out from the LAN totun+
, and in from the outside on UDP port 1194.
The following should work (assuming an outside interface is eth1 and an inside interface is eth0):
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
These commands should work for firewalld:
# The default 'openvpn' service references udp port 1194 firewall-cmd --add-service=openvpn # Add the network interface to the default zone (e.g. "FedoraServer" for Fedora Server) firewall-cmd --add-interface=tun0 --permanent # Allow intra-zone forwarding for the default zone firewall-cmd --add-forward --permanent # Allow masquerading (Network address translation - NAT) for the default zone firewall-cmd --add-masquerade --permanent # Reload FirewallD to check the bootup behaviour firewall-cmd --reload # Show the complete current config firewall-cmd --list-all
Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules
:
append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT append INPUT -i tun+ -j ACCEPT append FORWARD -i tun+ -j ACCEPT append FORWARD -i eth0 -o tun+ -j ACCEPT append FORWARD -i eth1 -o tun+ -j established
Or for system-config-firewall, you can add these custom rules:
-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT -A INPUT -i tun+ -j ACCEPT -A FORWARD -i tun+ -j ACCEPT -A FORWARD -i eth0 -o tun+ -j ACCEPT -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
Create a file iptables-rules in /etc/sysconfig and add the above contents, then in system-config-firewall, choose the "Custom Rules" choice, click "Add", choose IPV4 for the protocol type, and filter for the firewall table. Then select /etc/sysconfig/iptables-rules for the File: choice. Then Apply the changes.
Setting up a Linux OpenVPN client
You need to generate new keys (or use existing other client/username keys) for the new client/username
On the server:
cd /etc/openvpn/easy-rsa
./easyrsa build-client-full username
On the client:
- In the following, replace clientudp with a descriptive vpn connection name.
- Copy username.key, username.crt and ca.crt from server to
/etc/openvpn/client/
. cp -ai /usr/share/doc/openvpn*/sample-config-files/roadwarrior-client.conf /etc/openvpn/client/clientudp.conf
- Edit
/etc/openvpn/client/clientudp.conf
appropriately to set your configuration (just like server configuration, port, compression,..) and key paths. systemctl enable openvpn-client@clientudp.service
systemctl start openvpn-client@clientudp.service
check /var/log/messages
if things didn't work as expected
Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a vpn connection. Make sure you have the NetworkManager-openvpn package installed. Then just add a new VPN connection.
Should also test automatic starting at boot up, with password protected key files and maybe even --auth-user-pass. OpenVPN supports systemd's password passing if build with --enable-systemd via ./configure
Setting up a Windows OpenVPN client
On the server:
cd /etc/openvpn/easy-rsa
./easyrsa build-client-full username
On the client:
- Install the the OpenVPN Windows client.
- Copy username.crt, username.key, and ca.crt to
C:\Program Files\OpenVPN\config\
on the client. - Drop roadwarrior-client.conf into
C:\Program Files\OpenVPN\config\
as whatever.ovpn and edit appropriately. - Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.
Ideally the client should do some verification on the server key with tls-remote
in the whatever.ovpn configuration file.
Using OpenVPN with Pacemaker
When using OpenVPN with Pacemaker and systemd a command like pcs resource create openvpn-
foo systemd:openvpn-client@
foo op monitor interval=60s --force
is needed to create a new resource for OpenVPN, where the connection is defined in /etc/openvpn/client/
foo.conf
. Passing --force
is required, otherwise the error message "Error: Unable to create resource 'systemd:openvpn-client@foo', it is not installed on this system (use --force to override)" is thrown even the OpenVPN configuration file exists.