Configuring OpenVPN Server on Endian Firewall

Let's open the VPN entry in the upper menu.

Here we need to enable the OpenVPN server by clicking the Enable button.

Now we should see something like this:

Now we need to configure the OpenVPN settings:

  • Authentication type: PSK (username/password)
  • Certificate configuration: generate a new certificate
  • Advanced: Checked
    • System hostname: endian.contoso.com
    • Administrator email address: douglas.q.santos@gmail.com
    • Department name: IT
    • Organization name: Contoso
    • City: Curitiba
    • State or province: Parana
    • Country: Brazil
    • PKCS12 file password: yourpassword
    • PKCS12 file password Confirmation: yourpassword
    • Now select Save.

A message will now be displayed saying that the configuration was changed and needs to be applied; select the Apply button.

Now we need to configure the OpenVPN server settings:

  • Bind only to: Leave it without a value
  • Port: 1194 is the default one
  • Device type: TUN
  • Protocol: TCP
  • VPN Subnet: 10.220.0.0/24 → This subnet will be used only for VPN server and clients
  • Now select Save

A message will now be displayed saying that the configuration was changed and needs to be applied; select the Apply button.

The VPN server configuration is ok.

Another very important thing is to create a VPN route to the GREEN network on Endian, or to another network reachable through Endian. We can create a new route like this:

  • Advanced options
    • Check: Push these networks
    • Networks: 192.168.25.0/24 → this will be the GREEN network in Endian; we can push more than one network by inserting one per line.
    • Click Save and then Apply the configuration.

Now let's create a new user to test the connection.

Select VPN/Authentication.

Here select Add new local user.

Here we need to create the new user as follows:

  • Username: douglas
  • Remark: Douglas Home
  • Password: yourpassword
  • Confirm Password: yourpassword
  • Certificate configuration: Generate a new certificate
    • PKCS12 file password: yourpassword
    • PKCS12 file password Confirmation: yourpassword
    • Organizational unit name: IT
    • Organization name: Contoso
    • City: Curitiba
    • State or province: Parana
    • Country: Brazil
    • Email address: douglas.q.santos@gmail.com
    • Enabled: Checked
    • Select Add

We should get the following message, saying that the certificate was created successfully.

Configuring the Windows Client

Now we need to configure the Windows client, the most likely client used by your users.

We can download the OpenVPN client from: OpenVPN Client; the installation is like any other Windows application.

After that we need to create the client configuration file.

### OpenVPN client configuration file

# This directive offers policy-level control over OpenVPN's usage of external programs and scripts.
# Lower level values are more restrictive, higher values are more permissive. 
script-security 3

# A helper directive designed to simplify the configuration of OpenVPN's client mode. 
client

# TUN/TAP virtual network device.  You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun

# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto tcp

# Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different 
# OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature.
remote 192.168.25.121 1194

# If hostname resolve fails for --remote, retry resolve for n seconds before failing. 
# Set n to "infinite" to retry indefinitely. 
resolv-retry infinite

# Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic 
# port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option. 
nobind

# Take the TUN device MTU to be n and derive the link MTU from it (default=1500). 
# In most cases, you will probably want to leave this parameter set to its default value. 
tun-mtu 1500

# Assume that the TUN/TAP device might return as many as n bytes more than the --tun-mtu size on read. 
# This parameter defaults to 0, which is sufficient for most TUN devices.
# TAP devices may introduce additional overhead in excess of the MTU size, and a setting of 32 is the default when TAP devices are used.
# The directive takes a single argument; OpenVPN rejects extra parameters.
tun-mtu-extra 32

# Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them,
# the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
mssfix 1450

# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key

# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun

# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca cacert.pem

# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive

# If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. 
# As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times 
# during the duration of an OpenVPN session
auth-nocache

# Authenticate with server using username/password. douglas.passwd is a file containing username/password on 2 lines. 
# If the password line is missing, OpenVPN will prompt for one. 
auth-user-pass douglas.passwd

We need to save this file with the .ovpn extension on the desktop for now.

Now we need to create a passwd file with the username and password used to connect to OpenVPN:

douglas
sci134*

Save this file as douglas.passwd.

Now we need to get the *.pem file: go to Endian/VPN/OpenVPN server and click Download certificate.

Now save cacert.pem, douglas.passwd and client.ovpn in the OpenVPN config directory (C:\Program Files\OpenVPN\config).

Now start the OpenVPN GUI as administrator; after that, open the upper arrow next to the clock, right-click the OpenVPN icon and select Connect.

After connecting we can check the log and see that the connection completed, as below.

We can also open Endian/Logs and Reports/Live logs/OpenVPN and select "show this log only".

The client connection is ok.

Now let's run a test: let's try to access the Endian.

As we can see, the configuration is ok.

Configuring the Linux Client

The Linux client configuration is really simple.

To install the OpenVPN client on Debian-like distributions we can use the following command:

apt-get install openvpn -y

To install the OpenVPN client on Red Hat-like distributions we can use the following command:

yum install openvpn -y

After that we need to create the log directory:

mkdir -p /var/log/openvpn/

Now we need to create a client configuration file with the .conf extension in /etc/openvpn/:

vim /etc/openvpn/douglas.conf
### OpenVPN client configuration file

# A helper directive designed to simplify the configuration of OpenVPN's client mode. 
client

# TUN/TAP virtual network device.  You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun

# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto tcp

# Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different 
# OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature.
remote 192.168.25.121 1194

# If hostname resolve fails for --remote, retry resolve for n seconds before failing. 
# Set n to "infinite" to retry indefinitely. 
resolv-retry infinite

# Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic 
# port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option. 
nobind

# Optional user to be owner of this tunnel.
user    nobody

# Optional group to be owner of this tunnel.
group   nobody

# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key
 
# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun

# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca cacert.pem

# If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. 
# As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times 
# during the duration of an OpenVPN session
auth-nocache
 
# Authenticate with server using username/password. douglas.passwd is a file containing username/password on 2 lines. 
# If the password line is missing, OpenVPN will prompt for one. 
auth-user-pass douglas.passwd

# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive

# Write operational status to file every n seconds.
# Status can also be written to the syslog by sending a SIGUSR2 signal.
status  /var/log/openvpn/openvpn-status.log
 
# Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be
# truncated. This option takes effect immediately when it is parsed in the command line and will supercede syslog output if --daemon or --inetd
# is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
log /var/log/openvpn/openvpn.log
 
# Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except
# that it appends to rather than truncating the log file
log-append  /var/log/openvpn/openvpn.log
 
# Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good
# summary of what's happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).
verb    4
 
# Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.
mute    20

In some distributions the user and group names differ; usually they are nobody/nobody or nobody/nogroup. If you get problems with the user configuration, please check your /etc/passwd and /etc/group to make sure which user and group exist.

Now we need to create the passwd file:

vim /etc/openvpn/douglas.passwd
douglas
sci134*

Now we need to get the *.pem file: go to Endian/VPN/OpenVPN server and click Download certificate.

Now let's start or restart the OpenVPN service, e.g.:

/etc/init.d/openvpn restart
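Since both client profiles above must match the server settings (TUN, TCP, port 1194) and both keep the credentials in a plain-text file next to the profile, a quick lint before starting the service is worth having. The script below is an added example, not part of the original guide or of Endian or OpenVPN; the function names, the temporary directory and the demo profile contents are all constructed for it.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an OpenVPN client profile
# like douglas.conf above before starting the service. It checks the values the
# Endian server side of this guide expects (dev tun, proto tcp, port 1194), that
# tun-mtu-extra carries one argument, that the ca file exists, and that the
# auth-user-pass file has exactly two lines and is readable only by its owner.
# All file names and the demo contents below are constructed for the example.

# First value of directive $2 in profile $1, ignoring comments.
ovpn_val() { sed 's/#.*//' "$1" | awk -v k="$2" '$1==k {print $2; exit}'; }

check_ovpn() {
    cfg="$1"; dir=$(dirname "$cfg"); fail=0
    [ "$(ovpn_val "$cfg" dev)" = tun ] || { echo "dev must be tun to match the server"; fail=1; }
    [ "$(ovpn_val "$cfg" proto)" = tcp ] || { echo "proto must be tcp to match the server"; fail=1; }
    port=$(sed 's/#.*//' "$cfg" | awk '$1=="remote" {print $3; exit}')
    [ "$port" = 1194 ] || { echo "remote should use port 1194"; fail=1; }
    nargs=$(sed 's/#.*//' "$cfg" | awk '$1=="tun-mtu-extra" {print NF-1; exit}')
    if [ -n "$nargs" ] && [ "$nargs" -ne 1 ]; then
        echo "tun-mtu-extra takes a single argument"; fail=1
    fi
    ca="$dir/$(ovpn_val "$cfg" ca)"
    [ -r "$ca" ] || { echo "CA file $ca is missing"; fail=1; }
    pw="$dir/$(ovpn_val "$cfg" auth-user-pass)"
    if [ -r "$pw" ]; then
        [ "$(awk 'END {print NR}' "$pw")" -eq 2 ] || { echo "$pw must hold username and password on two lines"; fail=1; }
        # ls -l columns 5-10 are the group/other permission bits; any set bit exposes the password.
        case "$(ls -l "$pw" | cut -c5-10)" in *[rwx]*) echo "$pw is readable by others; chmod 600 it"; fail=1;; esac
    else
        echo "credential file $pw is missing"; fail=1
    fi
    return "$fail"
}

# Build a throwaway profile set in a temp directory and print its path.
make_demo() {
    d=$(mktemp -d)
    printf 'douglas\nconstructed-password\n' > "$d/douglas.passwd"; chmod 600 "$d/douglas.passwd"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$d/cacert.pem"
    printf '%s\n' client 'dev tun' 'proto tcp' 'remote 192.168.25.121 1194' \
        'tun-mtu-extra 32' 'ca cacert.pem' 'auth-user-pass douglas.passwd' > "$d/good.ovpn"
    # Same profile with tun-mtu-extra given two arguments, which OpenVPN rejects.
    sed 's/^tun-mtu-extra 32$/tun-mtu-extra 32 1500/' "$d/good.ovpn" > "$d/bad.ovpn"
    echo "$d"
}
```

Run `check_ovpn /etc/openvpn/douglas.conf` (or against the .ovpn in the Windows config directory from a shell with ls/awk available) and fix whatever it prints before starting the service.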