Monday, February 20, 2017

Openvpn - Ipfire setup


Archive of setup web page

Table of Contents

Introduction

This tutorial is a follow-up to the Install IPFire Linux Firewall tutorial. The goal is to configure OpenVPN from inside IPFire to support a client-to-network or host-to-net configuration. This can also be referred to as a "road warrior" configuration. It is most often used when you would like to establish a secure connection into the private network from various remote locations. This is in contrast with a network-to-network (site-to-site) configuration where you are linking two private networks that are each protected by IPFire or OpenVPN servers.

Requirements

Complete part one of the tutorial OR have an available IPFire virtual machine configured in your data center.
Access to the IPFire web interface. (Typically listens on port 444)
Optional: SSH access to the IPFire server. (Typically listens on port 222)

Configure OpenVPN on the IPFire Server

Open Services -> OpenVPN from the top navigation menu once you have logged in as admin.
OpenVPN Services Menu
Click Generate root/host certificates.
OpenVPN Services Main Screen
Fill out the required fields Organization Name and IPFire's Hostname. The hostname should be populated automatically. 2048 is a reasonable value to select from the Diffie-Hellman parameters length drop-down menu.
OpenVPN Generate Certificates
The WARNING in the screenshot above is valid. Generating the root and host certificate can take a long time. If you want to confirm that it is working, open a SSH session to the IPFire server and use the top command to see the openssl process running with significant %CPU activity while the certificates are being generated. The certificate generation process took 10 - 15 minutes to complete for this tutorial.
OpenVPN Generate Certificates top
You will be returned to the Services -> OpenVPN screen once the certificates have been generated. The Certificate Authorities and Keys section will contain new values for Subject and Action.
Click Advanced Server Options.
OpenVPN Generate Certificates done
Under Advanced server options you can select SHA2 (256 bit) for the Hash algorithm and also check the box for HMAC tls-auth. Use the Save advanced options button when you are done.
OpenVPN Advanced Options
Now check the boxes for OpenVPN on RED and LZO-Compression and then press the Save and Start OpenVPN Server buttons. We want to have OpenVPN listening on the "RED" interface so we can establish an OpenVPN connection across the public internet. The "LZO-Compression" option reduces bandwidth usage by compressing traffic that passes over the VPN.
OpenVPN Start
The OpenVPN server will start and this will be reflected by the value of Current OpenVPN server status changing from STOPPED to RUNNING.
OpenVPN Started

Verification

Now that OpenVPN has started, you can verify it is listening on port 1194 from the shell using netstat.
[root@ipfire ~]# netstat -na |grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*
or using ss with the -u for UDP and -l for LISTEN options, like this:
[root@ipfire ~]# ss -u -l |grep openvpn
State      Recv-Q Send-Q                 Local Address:Port          Peer Address:Port
UNCONN     0      0                       *:openvpn                  *:*

Add a User

In the Connection Status and -Control section, press the Add button to begin the process of adding a new user.
Connection Status Control Add
The Host-to-Net Virtual Private Network (Roadwarrior) connection type should be selected by default. Confirm the selection and press Add to continue.
Connection Status Control Add Host-to-Net
We will now complete the fields on this screen. Under Connection: we need to fill out Name:. You may wish to add a Remark: as a comment or note to yourself regarding who this user is. Please make sure Enabled: is checked.
Under Authentication: we want to Generate a certificate: so we will need to enter the User's full name or system hostname: and enter a password in the PKCS12 File Password fields. The Valid till (days) field controls the expiration date of the certificate. If your organization doesn't have to comply with any specific regulations regarding certificate replacement, then entering a value of 999 gives this user a little under three years until expiration.
Connection Status Control Add Host to Net User Details
For this tutorial, we will ignore the Advanced client options section. Additional details on the various configuration options available here can be found in the OpenVPN client config section of the IPFire Wiki.
When you have the necessary fields filled out, press the Save button.
NOTE: Keep track of the PKCS12 File Password assigned here as the client will need it to connect.
The Connection Status and -Control section of Services->OpenVPN should now show the newly-added user.
Connection Status Control New User

Download and Install the OpenVPN Client Software

The OpenVPN client can be downloaded from OpenVPN.net
You will want to choose the appropriate installer for the OS you are installing on. For Windows 10 64-bit, you would select the "Installer (64-bit) Windows Vista and Later". At the time of writing, the file you would end up downloading is called openvpn-install-2.3.8-1601-x86_64.exe. Be aware that this filename will change as new versions of the OpenVPN client software are released.
Once you have the installer file downloaded, go ahead and start the installation. The installation process on Windows 10 is quite typical with one exception. During the install you will be prompted to approve the installation of the 'device software' "TAP-Windows Provider V9 Network adapters"
TAP Network Adapter Prompt
Click the Install button to approve the installation and continue.
After a few minutes, you should see a screen indicating that the installation has completed successfully.
OpenVPN client install completed successfully
At this point, I would suggest that you do NOT launch the software, but instead take a look through the README file. For version 2.3.8, the following important information is contained in the INSTALL-win32.txt file:
Finally, install the new version of OpenVPN and copy over
your configuration files and certificates, which now go to

    C:\Program Files\OpenVPN\config

provided you did not install the 32-bit version on 64-bit
Windows.

IMPORTANT NOTE FOR WINDOWS VISTA/7 USERS

Note that on Windows Vista, you will need to run the OpenVPN
GUI with administrator privileges, so that it can add routes
to the routing table that are pulled from the OpenVPN server.
You can do this by right-clicking on the OpenVPN GUI
desktop icon, and selecting "Run as administrator".
We will follow that advice and copy the configuration files to our local system and put them in the appropriate directory.

Client Configuration

The config files are available in a zip archive which can be downloaded from the ipfire web interface.
OpenVPN download client package
Use the Download Client Package (zip) action icon to save a copy of the config files to your local system.
OpenVPN download client package save
Once the file is downloaded, extract the contents to a temporary location and we will proceed to copy the files to the correct location. For this tutorial there are three files in the zip archive:
JDoe.p12
JDoe-TO-IpFire.ovpn
ta.key
Here is a screenshot of the default config directory C:\Program Files\OpenVPN\config on Windows 10 (64-bit):
OpenVPN default config directory
We need to provide administrator permissions in order to copy the files into the config directory successfully.
OpenVPN config directory needs administrator permissions
Once the files have been copied in, you should have something similar to the following:
OpenVPN config directory
Finally we can connect to OpenVPN by launching the OpenVPN GUI with "Administrative Permissions". To do this, right-click the "OpenVPN GUI" shortcut or menu item, go to "More" and then "Run as administrator". Press the Yes button when the "User Account Control" warning pops up.
OpenVPN GUI launch as administrator
The OpenVPN GUI icon should appear in your task bar. Right-click it and you should see the options available, including one to Connect.
OpenVPN GUI connect
If the configuration files are NOT present, the menu is much shorter. So, if you happen to see something like this:
OpenVPN GUI connect no config
then double-check that you have copied the configuration files into the correct location.
When we Connect, we will be prompted for the PKCS12 File Password that we set earlier when adding the Host-to-Net user. Enter it now, and some information will scroll by as the connection is established.
OpenVPN GUI connecting
If successful, we will briefly see a notification in the lower right corner of the screen:
OpenVPN GUI connected
The OpenVPN GUI taskbar icon has changed to a green color indicating a successful active connection. If you want to see the status of your connection, you can right-click the taskbar icon and select Show Status from the menu.
OpenVPN GUI connected show status
Everything looks good, so we can proceed to test the connection. How you do this will somewhat depend on what other resources you have configured on your data center network. At the very least though, we should now be able to ping the GREEN network interface of the IPFire server from our local machine that is now connected via OpenVPN.
C:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data: 
Reply from 172.16.1.1: bytes=32 time=43ms TTL=64
Reply from 172.16.1.1: bytes=32 time=44ms TTL=64
Reply from 172.16.1.1: bytes=32 time=43ms TTL=64
Reply from 172.16.1.1: bytes=32 time=44ms TTL=64

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 43ms, Maximum = 44ms, Average = 43ms
We should also be able to access the IPFire web interface over the GREEN network (https://172.16.1.1:444) via the VPN instead of having to access it over the RED network.

Troubleshooting

If you are having difficulty connecting to resources on the private network over the OpenVPN connection there are a few things you can check.
The OpenVPN client needs elevated permissions in order to modify the Windows system routing table. If your traffic is not being routed properly, make sure that you launched the OpenVPN client/GUI with Administrator permissions. Generally this is done by right-clicking the icon for the program and choosing "Run as administrator".
Make sure the appropriate route has been added so that you can access the private network from your OpenVPN client. If you are running the OpenVPN client on Windows, you can use netstat -nr to take a look at the system routing table.
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.246     10
      10.71.202.1  255.255.255.255      10.71.202.5      10.71.202.6     20
      10.71.202.4  255.255.255.252         On-link       10.71.202.6    276
      10.71.202.6  255.255.255.255         On-link       10.71.202.6    276
       172.16.1.0    255.255.255.0      10.71.202.5      10.71.202.6     21
The last entry in the table above shows that traffic destined for the 172.16.1.0/24 network will be routed through 10.71.202.5 to the IPFire server running OpenVPN. This will allow us to access any servers using an IP address in the 172.16.1.0/24 ip range, including the management interface of IPFire itself. For the tutorial, we have IPFire listening on 172.16.1.1:444.
The route(s) the server automatically pushes to the client when connecting are controlled by an individual CCD (Client Configuration Directive) file on the server. These files are stored in /var/ipfire/ovpn/ccd/ with a filename that matches the user we added. For purposes of this tutorial, the full path to the file is /var/ipfire/ovpn/ccd/jdoe. If we take a look at that file, we can see that a route for our private 172.16.1.0/24 network is properly configured to be pushed to the connecting OpenVPN client.
[root@ipfire ccd]# more jdoe
# OpenVPN clientconfig from ccd extension by Copymaster#

#This client uses the dynamic pool

#Client gets routes to these networks (behind IPFire)
push "route 172.16.1.0 255.255.255.0"
You may find that a different route is set here if you have changed the ip network the GREEN/Private interface is using since initially configuring OpenVPN or adding the user.

Support

You are welcome to post questions or comments related to this tutorial and we will endeavor to provide assistance.

1 comment: