configuring_openvpn_server_on_endian_firewall_en [2017/09/05 12:18] (current)

====== Configuring OpenVPN Server on Endian Firewall ======

In the upper menu, select **VPN**.

Here we need to enable the <nowiki>OpenVPN</nowiki> server: click the button to enable it.

{{:endian-vpn-01.png?600}}

Now we should get something like this:

{{:endian-vpn-02.png?600}}

Now we need to configure the <nowiki>OpenVPN</nowiki> settings:
  * **Authentication type:** PSK (username/password)
  * **Certificate configuration:** generate a new certificate
  * **Advanced:** Checked
    * **System hostname:** endian.contoso.com
    * **Administrator email address:** douglas.q.santos@gmail.com
    * **Department name:** IT
    * **Organization name:** Contoso
    * **City:** Curitiba
    * **State or province:** Parana
    * **Country:** Brazil
    * **PKCS12 file password:** yourpassword
    * **PKCS12 file password Confirmation:** yourpassword
    * Now select **Save**.

{{:endian-vpn-03.png?600}}

A message is now displayed saying that the configuration was changed and needs to be applied; select the **Apply** button.

{{:endian-vpn-04.png?600}}

Now we need to configure the <nowiki>OpenVPN</nowiki> server settings:
  * **Bind only to:** leave it without a value
  * **Port:** 1194 is the default one
  * **Device type:** TUN
  * **Protocol:** TCP
  * **VPN Subnet:** 10.220.0.0/24 -> this subnet will be used only by the VPN server and its clients
  * Now select **Save**

{{:endian-vpn-05.png?600}}

A message is now displayed saying that the configuration was changed and needs to be applied; select the **Apply** button.

{{:endian-vpn-06.png?600}}

The VPN server configuration is now complete.

 +
Another very important step is to create a VPN route to the GREEN network on Endian (or to another network reachable through Endian). We can create the route like this:
  * **Advanced options**
    * **Check:** Push these networks
    * **Networks:** 192.168.25.0/24 -> this is the GREEN network on Endian; more than one network can be added, one per line.
    * Click **Save** and then **Apply the configuration**.

{{:endian-vpn-route-01.png?600}}

 +
Now let's create a new user to test the connection.

Select **VPN/Authentication**.

{{:endian-vpn-07.png?600}}

Here select **Add new local user**.

{{:endian-vpn-08.png?600}}

Here we need to create the new user as follows:
  * **Username:** douglas
  * **Remark:** Douglas Home
  * **Password:** yourpassword
  * **Confirm Password:** yourpassword
  * **Certificate configuration:** Generate a new certificate
    * **PKCS12 file password:** yourpassword
    * **PKCS12 file password Confirmation:** yourpassword
    * **Organizational unit name:** IT
    * **Organization name:** Contoso
    * **City:** Curitiba
    * **State or province:** Parana
    * **Country:** Brazil
    * **Email address:** douglas.q.santos@gmail.com
    * **Enabled:** Checked
    * Select **Add**

{{:endian-vpn-09.png?600}}

We should get the following message, saying that the certificate was created successfully:

{{:endian-vpn-10.png?600}}

 +
====== Configuring the Windows Client ======

Now we need to configure the Windows client, the client most likely to be used by your users.

We can download the <nowiki>OpenVPN client</nowiki> from [[https://openvpn.net/index.php/open-source/downloads.html|OpenVPN Client]]; the installation is like that of any other Windows application.

After that we need to create the client configuration file:
<sxh bash;>
### OpenVPN client configuration file

# This directive offers policy-level control over OpenVPN's usage of external programs and scripts.
# Lower level values are more restrictive, higher values are more permissive.
script-security 3

# A helper directive designed to simplify the configuration of OpenVPN's client mode.
client

# TUN/TAP virtual network device. You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun

# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto tcp

# Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different
# OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature.
remote 192.168.25.121 1194

# If hostname resolve fails for --remote, retry resolve for n seconds before failing.
# Set n to "infinite" to retry indefinitely.
resolv-retry infinite

# Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic
# port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
nobind

# Take the TUN device MTU to be n and derive the link MTU from it (default=1500).
# In most cases, you will probably want to leave this parameter set to its default value.
tun-mtu 1500

# Assume that the TUN/TAP device might return as many as n bytes more than the --tun-mtu size on read.
# This parameter defaults to 0, which is sufficient for most TUN devices.
# TAP devices may introduce additional overhead in excess of the MTU size, and a setting of 32 is the default when TAP devices are used.
# The directive takes a single argument.
tun-mtu-extra 32

# Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them,
# the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. The default value is 1450.
mssfix 1450

# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key

# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun

# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca cacert.pem

# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive

# If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used.
# As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times
# during the duration of an OpenVPN session.
auth-nocache

# Authenticate with server using username/password. douglas.passwd is a file containing username/password on 2 lines.
# If the password line is missing, OpenVPN will prompt for one.
auth-user-pass douglas.passwd
</sxh>
 +
Save this file with the extension .ovpn on the desktop for now.

Now we need to create a passwd file with the username and password used for the <nowiki>OpenVPN</nowiki> connection:
<sxh bash;>
douglas
sci134*
</sxh>

Save this file as douglas.passwd.

Now we need to get the .pem file: go to Endian/VPN/<nowiki>OpenVPN</nowiki> server and click **Download certificate**.

{{:endian-vpn-11.png?600}}

Now save cacert.pem, douglas.passwd and client.ovpn in the <nowiki>OpenVPN</nowiki> installation directory (C:\Program Files\<nowiki>OpenVPN</nowiki>\config).

{{:endian-vpn-12.png?600}}

Now start the <nowiki>OpenVPN</nowiki> GUI as administrator; then click the upper arrow next to the clock, right-click the <nowiki>OpenVPN</nowiki> icon and select **Connect**.

{{:endian-vpn-13.png?600}}

After connecting, we can open the log and see that the connection completed, as below.

{{:endian-vpn-14.png?600}}

We can access Endian/Logs and Reports/Live logs/<nowiki>OpenVPN</nowiki>; here, select **Show this log only**.

{{:endian-vpn-15.png?600}}

The client connection is ok.

Now let's run a test: let's try to access the Endian.

{{:endian-vpn-16.png?600}}

As we can see, the configuration is ok.

====== Configuring the Linux Client ======

The Linux client configuration is really simple.

To install the <nowiki>OpenVPN</nowiki> client on Debian-like distributions, we can use the following command:
<sxh bash;>
apt-get install openvpn -y
</sxh>

To install the <nowiki>OpenVPN</nowiki> client on Red Hat-like distributions, we can use the following command:
<sxh bash;>
yum install openvpn -y
</sxh>

After that we need to create the log directory:
<sxh bash;>
mkdir -p /var/log/openvpn/
</sxh>

Now we need to create a client configuration file with the extension .conf in /etc/openvpn/:
<sxh bash;>
vim /etc/openvpn/douglas.conf
### OpenVPN client configuration file

# A helper directive designed to simplify the configuration of OpenVPN's client mode.
client

# TUN/TAP virtual network device. You must use either tun devices on both ends of the connection or tap devices on both ends.
# You cannot mix them, as they represent different underlying network layers.
dev tun

# Indicates the protocol to use when connecting with the remote, and may be "tcp" or "udp".
proto tcp

# Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different
# OpenVPN server. Specifying multiple --remote options for this purpose is a special case of the more general connection-profile feature.
remote 192.168.25.121 1194

# If hostname resolve fails for --remote, retry resolve for n seconds before failing.
# Set n to "infinite" to retry indefinitely.
resolv-retry infinite

# Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic
# port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
nobind

# Optional user to be owner of this tunnel.
user nobody

# Optional group to be owner of this tunnel.
group nobody

# Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user nobody
# to allow restarts triggered by the SIGUSR1 signal. Normally if you drop root privileges in OpenVPN, the daemon cannot
# be restarted since it will now be unable to re-read protected key files.
persist-key

# Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
# SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.
persist-tun

# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
ca cacert.pem

# If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used.
# As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times
# during the duration of an OpenVPN session.
auth-nocache

# Authenticate with server using username/password. douglas.passwd is a file containing username/password on 2 lines.
# If the password line is missing, OpenVPN will prompt for one.
auth-user-pass douglas.passwd

# Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default).
comp-lzo adaptive

# Write operational status to file every n seconds.
# Status can also be written to the syslog by sending a SIGUSR2 signal.
status /var/log/openvpn/openvpn-status.log

# Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be
# truncated. This option takes effect immediately when it is parsed in the command line and will supersede syslog output if --daemon or --inetd
# is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
log /var/log/openvpn/openvpn.log

# Append logging messages to file. If file does not exist, it will be created. This option behaves exactly like --log except
# that it appends to rather than truncating the log file.
log-append /var/log/openvpn/openvpn.log

# Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good
# summary of what's happening without being swamped by output.
# 0 -- No output except fatal errors.
# 1 to 4 -- Normal usage range.
# 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).
verb 4

# Log at most n consecutive messages in the same category. This is useful to limit repetitive logging of similar message types.
mute 20
</sxh>
 +
Some distributions use different users and groups; usually it is nobody/nobody or nobody/nogroup. If you get problems with the user configuration, check your /etc/passwd and /etc/group to make sure which user and group exist.

Now we need to create the passwd file:
<sxh bash;>
vim /etc/openvpn/douglas.passwd
douglas
sci134*
</sxh>
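As an added example (not from the original page or from Endian), here is a small Python checker for client configs in the format of the client.ovpn and douglas.conf files above. It reports the points a reviewer would raise on those files: a two-argument ''tun-mtu-extra'' line (the directive takes one), ''script-security 3'' on a client that runs no scripts, an ''auth-user-pass'' file that holds a plaintext password but is readable by other users, no ''remote-cert-tls server'', and compression enabled inside the tunnel. ''SAMPLE_CONF'', ''lint'', ''demo'' and the placeholder password are this example's own.

```python
import os
import tempfile
# Constructed sample with the directives the page's client files use,
# including a mistyped two-argument tun-mtu-extra line.
SAMPLE_CONF = """\
client
remote 192.168.25.121 1194
script-security 3
tun-mtu-extra 32 1500
comp-lzo adaptive
auth-user-pass douglas.passwd
"""

def parse(text):
    """Yield (directive, [args]) pairs; blank lines and # comments are dropped."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens[0], tokens[1:]

def lint(text, conf_dir):
    """Return findings for a client config; conf_dir is where referenced files live."""
    pairs = list(parse(text))
    names = {name for name, _ in pairs}
    findings = []
    for name, args in pairs:
        if name == "tun-mtu-extra" and len(args) != 1:
            findings.append("tun-mtu-extra takes one argument, got %d" % len(args))
        elif name == "script-security" and args and int(args[0]) > 1:
            findings.append("script-security %s: a plain client runs no scripts, use 1" % args[0])
        elif name == "auth-user-pass" and args:
            mode = os.stat(os.path.join(conf_dir, args[0])).st_mode & 0o777
            if mode & 0o077:  # group/other bits set: the password is readable by others
                findings.append("%s is mode %04o but holds a password, use 0600" % (args[0], mode))
    if "remote-cert-tls" not in names:
        findings.append("missing 'remote-cert-tls server': accept only a certificate issued for a server")
    if names & {"comp-lzo", "compress"}:
        findings.append("compression is enabled inside the tunnel, turn it off unless the server requires it")
    return findings

def demo():
    """Lint the sample with a world-readable passwd file, then again after chmod 0600."""
    conf_dir = tempfile.mkdtemp()
    pw_path = os.path.join(conf_dir, "douglas.passwd")
    with open(pw_path, "w") as fh:
        fh.write("douglas\nEXAMPLE-PASSWORD\n")  # constructed placeholder credentials
    os.chmod(pw_path, 0o644)
    weak = lint(SAMPLE_CONF, conf_dir)
    os.chmod(pw_path, 0o600)
    return weak, lint(SAMPLE_CONF, conf_dir)
```

Run ''lint'' against the real /etc/openvpn/douglas.conf with ''conf_dir="/etc/openvpn"'' to check the file you just created; the only finding that should remain after fixing the config is none.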
 +
Now we need to get the .pem file: go to Endian/VPN/<nowiki>OpenVPN</nowiki> server and click **Download certificate**.

{{:endian-vpn-11.png?600}}

Now let's start (or restart) the <nowiki>OpenVPN</nowiki> service, e.g.:
<sxh bash;>
/etc/init.d/openvpn restart
</sxh>