Running and troubleshooting an OpenVPN server

Discussion in 'Tutorials and Guides' started by wlanboy, Oct 16, 2013.

  1. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    After helping some people (here and on irc) to setup their OpenVPN server I would like to start a collection of useful tips regarding the operation of an OpenVPN server.

    First the basic steps:

    • Click on "enable TUN/TAP device" in your server panel and restart the VPS. [for OpenVZ]
    • After that a

      cat /dev/net/tun

      should return:
      Code:
      cat: /dev/net/tun: File descriptor in bad state
      
    • Installing openvpn
      Code:
      apt-get install openvpn
      
    • If /dev/net/tun is missing
      Easy way:
      Code:
      openvpn --mktun --dev tun0
      
      Hard way (yup there are still images out there which do not have a /dev/net):


      mkdir -p /dev/net
      mknod /dev/net/tun c 10 200
      chmod 600 /dev/net/tun

    • Setup configuration of openvpn
      Code:
      cp -r /usr/share/doc/openvpn/ /etc/ 
      cd /etc/openvpn/examples/easy-rsa/2.0
      nano vars
      
      Setup the last exports to save you some typing:


      export KEY_SIZE=2048

      export KEY_COUNTRY=""
      export KEY_PROVINCE=""
      export KEY_CITY=""
      export KEY_ORG=""
      export KEY_EMAIL=""
      export KEY_CN=changeme
      export KEY_NAME=changeme
      export KEY_OU=changeme

      Key size should be at least 2048 bit!
      Of course no empty values ...
       
    • If the key tools report that they cannot find the openssl lib...


      nano whichopensslcnf

      Change the following line (the double [[:digit:]] is wrong):


      elif $OPENSSL version | grep -E "1\.0\.[[:digit:]]" > /dev/null; then

    • Start generating the keys:


      ./clean-all [to clean all generated stuff - if you want to start right from the beginning]
      ./build-ca [certificate authority of all your certs]
      ./build-key-server servername [cert for server]
      ./build-key clientname [certs per client]
      ./build-dh [dh parameter for key-exchange algorithm]

    • Copy keys to openvpn server


      mkdir /etc/openvpn/keys
      cd keys
      cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn/keys
      [depends on your naming of the build-* calls; if you called your server mybox it is e.g.
      mybox.crt and mybox.key - build-dh names its file after KEY_SIZE, so with 2048 it is dh2048.pem]
      chmod 600 /etc/openvpn/keys/*

    • Creating the server config


      cd /etc/openvpn/examples/sample-config-files/
      gunzip server.conf.gz
      cp server.conf /etc/openvpn/
      cd /etc/openvpn/
      nano /etc/openvpn/server.conf

    • Altering the config


      port 1149 #[port you want to use]
      dev tun #[device type you want to use]
      #relative paths of the keys:
      ca keys/ca.crt
      cert keys/server.crt
      key keys/server.key
      dh keys/dh2048.pem
      server 10.10.10.0 255.255.255.0 #[network of openvpn server - server itself will get 10.10.10.1]
      push "redirect-gateway def1 bypass-dhcp" #[if you want to surf through the vpn]
      client-to-client #[if each openvpn client should see the other openvpn clients (gaming)]
      comp-lzo #[compression is good]
      max-clients 3 #[number of concurrent users]
      user nobody
      group nogroup #[downgrade rights of openvpn for security]
      persist-key
      persist-tun #[user nobody cannot alter devices - so persist these settings]
      status openvpn-status.log
      log-append openvpn.log #[logging is good for checking problems]

    • Track the usage of your openvpn server
      OpenVPN server has some nice hooks that you can use to modify its workflow. One nice feature is the following hooks (added to the server config):


      script-security 3 system
      client-connect /etc/openvpn/client-login.sh
      client-disconnect /etc/openvpn/client-logout.sh

      So the scripts are called whenever a client connects or disconnects!
       


      nano /etc/openvpn/client-login.sh

      Code:
      #!/bin/bash
      #Send an email when a client connects with today's time and date
      #(the mail addresses are placeholders - put in your own)
      NOW="$(date +"%H:%M:%S - %Y-%m-%d")"
      
      sendmail admin@example.com <<EOF
      FROM: openvpn@example.com
      TO: admin@example.com
      SUBJECT: OpenVPN - LOGIN: $common_name - $NOW
      
      At $NOW, $common_name logged in to the OpenVPN server red.
      
      IP: $trusted_ip
      PORT: $trusted_port
      MTU: $tun_mtu
      .
      EOF
      
      exit 0
      
      nano /etc/openvpn/client-logout.sh
      
      Code:
      #!/bin/bash
      #Send an email when a client disconnects with today's time and date
      #(the mail addresses are placeholders - put in your own)
      NOW="$(date +"%H:%M:%S - %Y-%m-%d")"
      
      sendmail admin@example.com <<EOF
      FROM: openvpn@example.com
      TO: admin@example.com
      SUBJECT: OpenVPN - LOGOUT: $common_name - $NOW
      
      At $NOW, $common_name logged out of the OpenVPN server red.
      
      IP: $trusted_ip
      PORT: $trusted_port
      MTU: $tun_mtu
      
      Sent: $bytes_sent byte
      Received: $bytes_received byte
      .
      EOF
      
      exit 0
      
      Yup, I really like these global vars. So this script can be altered to put this information into a csv file or into a database.
      You get all the information you need - and the used bandwidth too.


      chmod +x /etc/openvpn/*.sh

      And we are done.
       
    • Next hook is the login mode
      Need a password instead of certs? Or an additional password to the certs?
       


      auth-user-pass-verify /etc/openvpn/auth.sh via-file

      This just has to return "0" or "1" for good and bad auth:
       


      nano /etc/openvpn/auth.sh

      Code:
      #!/bin/sh
      #Simplest way
      #With "via-file" OpenVPN does not set $username/$password in the environment;
      #it passes a temp file as $1 whose first line is the username and second line the password
      ALLOWED_USER1="vpsboard"
      ALLOWED_PASS1="supersecure"
      
      username="$(sed -n '1p' "$1")"
      password="$(sed -n '2p' "$1")"
      
      #"=" instead of "==" - /bin/sh (dash) does not know "=="
      if [ "$username" = "$ALLOWED_USER1" ] && [ "$password" = "$ALLOWED_PASS1" ]
       then exit 0
      fi
      
      exit 1
      
      Want no client certs? Add this to the server.conf


      client-cert-not-required
      username-as-common-name

    • Networking
      Well nothing new if you read my iptables tutorial, but maybe you did not:


      device="venet0" #// OpenVZ
      yourexternalid="1.1.1.1" #// Change this value!
      yourvpnsubnet="10.10.10.0/24" #// Change this value!
      yourvpnport="1149" #//Change this value!

      # allow OPENVPN and enable ip forwarding
      iptables -A INPUT -i tun0 -j ACCEPT
      iptables -A FORWARD -i tun0 -j ACCEPT

      iptables -A FORWARD -o $device -i tun0 -j ACCEPT
      iptables -A FORWARD -o tun0 -i $device -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -i $device -p udp --dport $yourvpnport -m state --state NEW -j ACCEPT
      iptables -t nat -A POSTROUTING -s $yourvpnsubnet -j SNAT --to $yourexternalid

      It depends on your choice whether you use a startup script or persist these iptables rules.
       
    • Revoking certs


      . ./vars
      ./revoke-full clientname


    So this is everything I am doing to set up an OpenVPN server.

    Looking forward to your input and your addons.
     
    Last edited by a moderator: Oct 28, 2013
    tdc-adm, fahad, peterw and 2 others like this.
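The post above says the connect/disconnect hooks can be altered to write a csv file instead of sending mail. The script below is an added example (not wlanboy's code) of exactly that: one hook file for both `client-connect` and `client-disconnect`, driven by the same OpenVPN environment variables the post's scripts use (`common_name`, `trusted_ip`, `trusted_port`, `bytes_sent`, `bytes_received`) plus `script_type`, which OpenVPN sets to the name of the hook that fired. The log path and the `OPENVPN_CSV_LOG` override are assumptions for this example; the common name is quoted so a certificate CN containing a comma cannot inject extra columns into the log.

```shell
#!/bin/sh
# Added example, not from wlanboy's post: client-connect/client-disconnect hook
# that appends one CSV row per event so the log can be grepped or imported later.
# Assumptions: log path below, OPENVPN_CSV_LOG override, OpenVPN's script_type var.
LOGFILE="${OPENVPN_CSV_LOG:-/var/log/openvpn/clients.csv}"

# csv_escape VALUE: quote a field so a comma or quote inside a common name
# cannot break the row into extra columns
csv_escape() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# log_event EVENT: append a row built from OpenVPN's environment variables;
# the header is written once, when the file is still empty
log_event() {
    if [ ! -s "$LOGFILE" ]; then
        printf 'time,event,common_name,ip,port,bytes_sent,bytes_received\n' > "$LOGFILE"
    fi
    printf '%s,%s,%s,%s,%s,%s,%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" \
        "$(csv_escape "${common_name:-}")" \
        "$(csv_escape "${trusted_ip:-}")" \
        "${trusted_port:-0}" "${bytes_sent:-0}" "${bytes_received:-0}" >> "$LOGFILE"
}

# count_events EVENT COMMON_NAME: number of rows of that event for one client
# (COMMON_NAME is given already CSV-escaped, i.e. with any " doubled)
count_events() {
    [ -s "$LOGFILE" ] || { echo 0; return 0; }
    grep -c -F ",$1,\"$2\"," "$LOGFILE" || true
}

# When OpenVPN runs this file, script_type says which hook fired; when the
# file is only sourced for the functions, nothing is logged.
case "${script_type:-}" in
    client-connect)    log_event connect ;;
    client-disconnect) log_event disconnect ;;
esac
```

Install it once as `/etc/openvpn/client-log.sh`, point both `client-connect` and `client-disconnect` at it in server.conf, and `count_events disconnect alice` then gives a quick count of sessions per client from the csv.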
  2. drmike

    drmike 100% Tier-1 Gogent

    8,573
    2,717
    May 13, 2013
    I *really* need to start monkeying with OpenVPN.   Long avoided due to complexity and many steps like documented above.

    For the paranoids, is there a way/recommendation on how to increase the crypto security (different encryption uses, longer key length, etc.)?
     
  3. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    Four points:

    • More bits for the keys

      nano vars

      Change this line too (e.g. to 2048):


      export KEY_SIZE=1024

    • Switching dh to 2048bit
      Code:
      openssl dhparam -out /etc/openvpn/dh2048.pem 2048
      
      server.conf:


      dh dh2048.pem

    • Activating AES-256-CBC in server.conf
      Code:
      cipher AES-256-CBC
      
    • Adding tls-auth
      Code:
      openvpn --genkey --secret /etc/openvpn/ta.key
      
      and server.conf
      Code:
      tls-auth ta.key 0
      
      and on client side:


      tls-auth ta.key 1



    Regarding tls:
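A small check for the hardening points in the post above, added here as an example and not part of the thread: it reads a server.conf and reports whether a `cipher` directive, a 2048-bit-or-larger `dh` file and `tls-auth` are present. The directive names are OpenVPN's; judging the dh size from the file name follows the thread's own dh1024.pem / dh2048.pem naming and is only a heuristic, and accepting AES-256-GCM next to AES-256-CBC is my choice. The two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a server.conf for the hardening
# directives discussed above. Sample configs below are constructed.

# conf_get FILE DIRECTIVE: arguments of the first active (uncommented)
# occurrence of DIRECTIVE, with any trailing #comment stripped
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# audit_conf FILE: print one finding per weak point; exit status is the
# number of findings (0 means all three hardening directives are in place)
audit_conf() {
    findings=0
    cipher="$(conf_get "$1" cipher)"
    case "$cipher" in
        AES-256-CBC|AES-256-GCM) ;;
        "") echo "no cipher directive (OpenVPN 2.3 defaults to BF-CBC)"; findings=$((findings + 1)) ;;
        *)  echo "unexpected cipher: $cipher"; findings=$((findings + 1)) ;;
    esac
    dh="$(conf_get "$1" dh)"
    case "$dh" in
        *2048*|*3072*|*4096*) ;;   # heuristic: the thread names files after the bit size
        *) echo "dh parameters smaller than 2048 bit or missing: ${dh:-none}"; findings=$((findings + 1)) ;;
    esac
    if [ -z "$(conf_get "$1" tls-auth)" ]; then
        echo "tls-auth missing"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the config from the first post, before hardening
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
port 1149 #[port you want to use]
dev tun
dh keys/dh1024.pem
server 10.10.10.0 255.255.255.0
EOF

# Constructed sample: the same config after applying the points above;
# the ";cipher" line is commented out the way the sample config does it
HARD_CONF="$(mktemp)"
cat > "$HARD_CONF" <<'EOF'
port 1149
dev tun
dh dh2048.pem
cipher AES-256-CBC #[as in the post above]
tls-auth ta.key 0
;cipher BF-CBC
EOF

echo "--- weak config";     audit_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "--- hardened config"; audit_conf "$HARD_CONF" || echo "$? finding(s)"
```

Run it against `/etc/openvpn/server.conf` instead of the samples to see which of the three points are still open; the exit status makes it usable from a cron job or a config-management check.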

     
  4. johnlth93

    johnlth93 New Member

    182
    14
    May 26, 2013
    If you browse through the openvpn man page you would see those parameters mentioned by wlanboy on hardening the encryption.

    You could also customise --auth and --cipher if that's what you wanted.

    Anyway @wlan

    never really tried "openvpn --mktun --dev tun0" because usually they are all set up along with the template and some fancy button on solusvm, but I did use the old-fashioned commands back then


    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun

    Good job on the guide though, hope people take their time to read instead of asking the same question again and again :) 
     
  5. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    That was my intention.

    We have to ensure that we cover the basics too.
     
  6. peterw

    peterw New Member

    800
    189
    Jun 14, 2013
    Good job.


    script-security 3 system
    client-connect /etc/openvpn/client-login.sh
    client-disconnect /etc/openvpn/client-logout.sh

    And thank you for these scripts!
     
  7. rupe

    rupe New Member

    23
    2
    Sep 6, 2013
    Minor typo (excess typing :) ) - you've got a double entry in 'save you some typing' code: 

    Code:
    export KEY_EMAIL
     
  8. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    Thank you for the hint - I modified the post.

    Just checked the default config file and it does have the double entry too.
     
  9. peterw

    peterw New Member

    800
    189
    Jun 14, 2013
    You don't need a client config. Openvpn runs fine on the console

    Code:
    openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.10.10.2 10.10.10.1 --ca ~/keys/ca.crt --cert ~/keys/client.crt --key ~/keys/client.key --reneg-sec 60 --verb 5
    
     
  10. tdc-adm

    tdc-adm New Member

    70
    6
    May 27, 2013
    For the multi-clients/one-server model: each client certificate requires a unique Common Name. If you set the same Common Name for your clients then only one client can log in; the other clients will be kicked out automatically.
     
  11. wlanboy

    wlanboy Content Contributer

    2,126
    1,169
    May 16, 2013
    There is a parameter for that too (if you want to):

    Code:
    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names.  This is recommended
    # only for testing purposes.  For production use,
    # each client should have its own certificate/key
    # pair.
    #
    # IF YOU HAVE NOT GENERATED INDIVIDUAL
    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
    # UNCOMMENT THIS LINE OUT.
    ;duplicate-cn
    
    
     
  12. fixidixi

    fixidixi Active Member

    307
    71
    May 17, 2013
    yea and god save you from reboots.. ..or if you are running openvpn between vpses for instance.. the only reason i'd use params as you've written would be testing.. well even then i'd hit up a tail -f  logfile and modify config, restart service instead..