sephora (n00b)
Posted: Sat Dec 02, 2023 12:44 pm | Post subject: Howto: OpenVPN server
Hello everyone!
A few weeks back I built an OpenVPN server, which was a bit of a struggle to get everything working. So I decided to share my setup. Maybe someone finds this useful.
This is a short summary and configuration example.
Scenario:
I have a router that's running Gentoo (of course!).
My router handles the internet connection for my LAN and WLAN.
I want remote clients to connect to my local LAN via OpenVPN.
All machines in the LAN should be able to see each other.
As the network protocol I use UDP, because I want the clients to access a TeamSpeak server located in my local LAN. The clients should also be able to play old LAN games together that often use UDP.
Step 1:
Build a bridge of the router's LAN device and a TAP device to be used by OpenVPN.
Kernel config:
Stop the LAN device:
You're going to lose your SSH session at this point if you access the router from the local LAN!
Code: | rc-service net.enp3s0 stop |
Set up the bridge device:
Code: |
# create the TAP device OpenVPN will use, then the bridge with both members
ip tuntap add dev tap0 mode tap
ip link add br0 type bridge
ip link set dev enp3s0 master br0
ip link set dev tap0 master br0
ip link set dev br0 up
# OpenRC init scripts for the new interfaces
ln -s /etc/init.d/net.lo /etc/init.d/net.tap0
ln -s /etc/init.d/net.lo /etc/init.d/net.br0
|
OpenRC net config ('/etc/conf.d/net'):
Code: |
# bridge configuration
tuntap_tap0="tap"
config_tap0="null"
config_enp3s0="null"
bridge_br0="enp3s0 tap0"
config_br0="<static router ip address>/24"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
depend_br0() {
    need net.enp3s0
    need net.tap0
}
|
OpenRC updates:
Code: |
rc-update del net.enp3s0 default
rc-update add net.tap0 default
rc-update add net.br0 default
|
More detailed information can be found in the Gentoo Wiki.
Step 2:
OpenVPN server configuration ('/etc/openvpn/<myOpenVPN>.conf', see step 5):
Code: |
port <myOpenVPN port>
proto udp
dev tap0
# certificates and keys generated in step 3
askpass <myOpenVPN>/<myOpenVPN>.pass
ca <myOpenVPN>/ca.crt
cert <myOpenVPN>/<myOpenVPN>.crt
key <myOpenVPN>/<myOpenVPN>.key
dh <myOpenVPN>/dh.pem
# optional tls-auth key (direction 0 on the server, 1 on the clients):
# packets without a valid HMAC are dropped before the TLS handshake starts
tls-auth <myOpenVPN>/<myOpenVPN>_tls.key 0
# bridged server: without arguments server-bridge runs in DHCP-proxy mode,
# the clients get their address from the DHCP server in the LAN
server-bridge
mode server
tls-server
push "route-gateway dhcp"
push "explicit-exit-notify 3"
# persistent device and key settings (needed because of user/group nobody below)
persist-key
persist-tun
# crypto settings
cipher AES-256-GCM
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tun-mtu 1500
mssfix 1104
# connection
keepalive 10 120
max-clients 50
# drop privileges after start-up
user nobody
group nobody
# logging
status openvpn-status.log
log /var/log/openvpn.log
verb 3
|
Step 3:
Generate root certificate.
I used Easy-RSA to create the server certificate and keypairs.
Here is the link to the OpenVPN-Wiki that I used to get the CA and keypairs: EasyRSA3-OpenVPN-Howto
Easy-RSA can be found here: Easy-RSA
Remember to also generate keys for the clients.
Code: | ./easyrsa build-client-full <client1> |
Generate the shared key for tls-auth (the server config above expects it as '<myOpenVPN>_tls.key'; a different name than the server's private key '<myOpenVPN>.key' is needed because both end up in the same directory):
Code: | openvpn --genkey --secret <myOpenVPN>_tls.key |
Create the server config directory and copy the certificate and keys:
Code: |
cd /etc/openvpn
mkdir <myOpenVPN>
cp <Easy-RSA>/pki/ca.crt <myOpenVPN>
cp <Easy-RSA>/pki/private/<myOpenVPN>.key <myOpenVPN>
cp <Easy-RSA>/pki/dh.pem <myOpenVPN>
cp <Easy-RSA>/pki/issued/<myOpenVPN>.crt <myOpenVPN>
cp <Easy-RSA>/pki/issued/<client1>.crt <myOpenVPN>
cp <Easy-RSA>/pki/private/<client1>.key <myOpenVPN>
# the tls-auth key generated above (from wherever you ran openvpn --genkey)
cp <directory of the genkey run>/<myOpenVPN>_tls.key <myOpenVPN>
# private keys must not be world-readable
chmod 600 <myOpenVPN>/*.key
|
Step 4:
OpenVPN client config.
Code: |
client
proto udp
dev tap0
# direction 1 matches the "tls-auth ... 0" on the server
key-direction 1
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote <myOpenVPN public address> <myOpenVPN port>
# only accept a server certificate with the server role (a client cert cannot pose as the server)
remote-cert-tls server
float
auth-nocache
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
|
To ease the build of client config files I use this simple script that I found online (unfortunately I forgot where):
Code: |
#!/bin/sh
# Build a client .ovpn with the CA cert, client cert, client key and
# tls-auth key inlined. Run from the directory that holds client.conf.
DEFAULT="client.conf"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
CA="ca.crt"
TA="<myOpenVPN>_tls.key"
kPath="/etc/openvpn/<myOpenVPN>/"
# Ask for a client name
echo "Please enter an existing Client Name:"
read NAME
ovpnName="$NAME$FILEEXT"
# 1st verify that the client's public certificate exists
if [ ! -f "$kPath$NAME$CRT" ]; then
    echo "[ERROR]: Client Public Key Certificate not found: $kPath$NAME$CRT"
    exit 1
fi
echo "Client's cert found: $kPath$NAME$CRT"
# Then verify that there is a private key for that client
if [ ! -f "$kPath$NAME$KEY" ]; then
    echo "[ERROR]: Client Private Key not found: $kPath$NAME$KEY"
    exit 1
fi
echo "Client's Private Key found: $kPath$NAME$KEY"
# Confirm the CA certificate exists
if [ ! -f "$kPath$CA" ]; then
    echo "[ERROR]: CA certificate not found: $kPath$CA"
    exit 1
fi
echo "CA certificate found: $kPath$CA"
# Confirm the tls-auth key file exists
if [ ! -f "$kPath$TA" ]; then
    echo "[ERROR]: tls-auth Key not found: $kPath$TA"
    exit 1
fi
echo "tls-auth Key found: $kPath$TA"
# The output file contains a private key: make it readable by the owner only
umask 077
# Ready to make a new .ovpn file - start by populating it with the default config
cat "$DEFAULT" > "$ovpnName"
# Now append the CA certificate
echo "<ca>" >> "$ovpnName"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$kPath$CA" >> "$ovpnName"
echo "</ca>" >> "$ovpnName"
# Next append the client certificate
echo "<cert>" >> "$ovpnName"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$kPath$NAME$CRT" >> "$ovpnName"
echo "</cert>" >> "$ovpnName"
# Then append the client private key
echo "<key>" >> "$ovpnName"
cat "$kPath$NAME$KEY" >> "$ovpnName"
echo "</key>" >> "$ovpnName"
# Finally append the tls-auth key
echo "<tls-auth>" >> "$ovpnName"
cat "$kPath$TA" >> "$ovpnName"
echo "</tls-auth>" >> "$ovpnName"
echo "Done! $ovpnName Successfully Created."
|
To use this script you need a default config 'client.conf' which, in my case, looks like this:
Code: |
proto udp
dev tap0
key-direction 1
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote <myOpenVPN public address> <myOpenVPN port>
remote-cert-tls server
float
auth-nocache
|
And the certificates and keys for the client have to be placed in '/etc/openvpn/<myOpenVPN>'.
Step 5:
Start the OpenVPN-Server.
Create a link that matches your server config file name '/etc/openvpn/<myOpenVPN>.conf':
Code: |
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.<myOpenVPN>
rc-service openvpn.<myOpenVPN> start
|
Remember to open the UDP port for <myOpenVPN port> in your firewall!
Monitor your log file:
Code: | watch -cn 15 tail -n 40 /var/log/openvpn.log |
Step 6:
Client service.
In my setup the client machines are running Windows.
And since this config uses TAP as the network device, I use the OpenVPN community client, which you can find here:
OpenVPN 2.6.8
I won't go into Windows firewall setup here. Just a hint:
Setting the TAP device on the Windows client to 'private network' makes it easier to configure the firewall on the client machine. Also enabling 'ping' helps with troubleshooting.
Have fun!
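The settings in the step 2 server config and a step 4 client .ovpn have to agree (proto, dev, cipher, auth, the tls-auth key direction and the four inline blocks the build script appends); a mismatch shows up as a silent connection failure. This added example is not part of the original post; it is a POSIX sh checker with constructed sample configs, where port 1194, the /etc/openvpn/myvpn paths and vpn.example.org are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check the server config
# from step 2 against a client .ovpn from step 4 for the directives that must
# agree in this tap/udp/tls-auth setup. File contents are constructed samples;
# port 1194, the /etc/openvpn/myvpn paths and vpn.example.org are placeholders.

# Print the value of directive $1 from config file $2 (first occurrence).
directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | head -n 1
}
# Compare server and client; print one line per finding, return 1 if any.
check_pair() {
    srv=$1; cli=$2; rc=0
    for d in proto dev cipher auth; do
        s=$(directive "$d" "$srv"); c=$(directive "$d" "$cli")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
    done
    # tls-auth direction: key-direction 0 on the server requires 1 on the client
    sdir=$(directive tls-auth "$srv" | awk '{ print $NF }')
    cdir=$(directive key-direction "$cli")
    if [ "$sdir" = "0" ] && [ "$cdir" != "1" ]; then
        echo "MISMATCH key-direction: server uses 0, client must use 1"; rc=1
    fi
    # the inline blocks the build script appends must all be present
    for blk in ca cert key tls-auth; do
        grep -q "^<$blk>" "$cli" && grep -q "^</$blk>" "$cli" \
            || { echo "MISSING inline <$blk> block in client config"; rc=1; }
    done
    return $rc
}
# Write a matching pair plus a deliberately broken client into directory $1.
write_samples() {
    printf '%s\n' 'port 1194' 'proto udp' 'dev tap0' 'server-bridge' \
        'tls-auth /etc/openvpn/myvpn/myvpn_tls.key 0' \
        'cipher AES-256-GCM' 'auth SHA512' >"$1/server.conf"
    printf '%s\n' client 'proto udp' 'dev tap0' 'key-direction 1' \
        'cipher AES-256-GCM' 'auth SHA512' 'remote vpn.example.org 1194' \
        '<ca>' '</ca>' '<cert>' '</cert>' '<key>' '</key>' \
        '<tls-auth>' '</tls-auth>' >"$1/client.ovpn"
    # broken client: TCP, wrong key direction and no tls-auth key inlined
    sed -e 's/^proto udp/proto tcp/' -e 's/^key-direction 1/key-direction 0/' \
        -e '/^<tls-auth>/,/^<\/tls-auth>/d' "$1/client.ovpn" >"$1/broken.ovpn"
}
# Usage: sh check-ovpn.sh --demo (runs both samples through check_pair)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); write_samples "$tmp"
    check_pair "$tmp/server.conf" "$tmp/client.ovpn" && echo "client.ovpn: OK"
    check_pair "$tmp/server.conf" "$tmp/broken.ovpn" || echo "broken.ovpn: FAIL"
fi
```

Point check_pair at your real '/etc/openvpn/<myOpenVPN>.conf' and a generated .ovpn to use it outside the demo.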
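Step 5 says to watch '/var/log/openvpn.log'; with tls-auth enabled, every packet that lacks a valid HMAC is logged as a "TLS Error: cannot locate HMAC" line, so the log also tells you whether a connection problem is a friend with a broken .ovpn or unauthenticated traffic from elsewhere. This added example is not part of the original post; it summarises such a log per remote address, using constructed sample lines with documentation addresses (IPv4 only).

```shell
#!/bin/sh
# Added example, not part of the original post: a defender's view of the
# /var/log/openvpn.log written by the "log" and "verb 3" directives in step 2.
# It counts tls-auth rejects and failed handshakes per remote address, so a
# flood of unauthenticated packets from one source stands out from a friend
# with a broken .ovpn. The log lines below are constructed samples modelled on
# OpenVPN's "TLS Error" and "Peer Connection Initiated" messages (IPv4 only).

# Print "<count> <ip:port> <kind>" per remote, highest count first; kind is
# hmac (packet without valid tls-auth HMAC), handshake (TLS failed) or connected.
summarise_log() {
    awk '
        # first ip:port on the line, e.g. inside "[AF_INET]198.51.100.7:40123"
        function remote(line) {
            if (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/))
                return substr(line, RSTART, RLENGTH)
            return "unknown"
        }
        /TLS Error: cannot locate HMAC/   { n[remote($0) " hmac"]++ }
        /TLS Error: TLS handshake failed/ { n[remote($0) " handshake"]++ }
        /Peer Connection Initiated with/  { n[remote($0) " connected"]++ }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}
# Remotes with at least $2 tls-auth rejects and no successful connection.
suspicious_remotes() {
    summarise_log "$1" | awk -v min="$2" '
        $3 == "hmac" && $1 + 0 >= min + 0 { bad[$2] = 1 }
        $3 == "connected"                 { ok[$2] = 1 }
        END { for (r in bad) if (!(r in ok)) print r }
    '
}
# Constructed sample log (documentation addresses), written to file $1.
write_sample_log() {
    cat >"$1" <<'EOF'
Sat Dec  2 12:44:01 2023 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40123
Sat Dec  2 12:44:02 2023 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40123
Sat Dec  2 12:44:02 2023 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40123
Sat Dec  2 12:44:05 2023 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.21:51000
Sat Dec  2 12:44:09 2023 [client1] Peer Connection Initiated with [AF_INET]203.0.113.21:51000
Sat Dec  2 12:45:30 2023 192.0.2.99:60002 TLS Error: TLS handshake failed
EOF
}
# Usage: sh openvpn-log-summary.sh /var/log/openvpn.log
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    summarise_log "$1"
    for r in $(suspicious_remotes "$1" 10); do echo "WARNING: $r sent >= 10 rejected packets"; done
fi
```

In the sample, 203.0.113.21 first fails the HMAC check and then connects (a friend who fixed the key), while 198.51.100.7 only ever sends rejected packets.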
pa4wdh (l33t)
Posted: Sat Dec 02, 2023 3:24 pm
Thanks for sharing your work and experience.
Be aware that the general advice is against tap unless you have a use-case that absolutely requires it (I've even seen claims like "if you need tap you're doing something wrong"). Configuration-wise the difference is that tun doesn't require a bridge device, but you'll need to set up routing and probably firewalling.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
fedeliallalinea (Administrator)
Posted: Sun Dec 03, 2023 7:41 am
Moved from Networking & Security to Documentation, Tips & Tricks.
_________________
Questions are guaranteed in life; Answers aren't.
sephora (n00b)
Posted: Sun Dec 03, 2023 9:19 am
pa4wdh wrote: | Thanks for sharing your work and experience.
Be aware that the general advice is against tap unless you have a use-case that absolutely requires it (I've even seen claims like "if you need tap you're doing something wrong"). Configuration-wise the difference is that tun doesn't require a bridge device, but you'll need to set up routing and probably firewalling. |
Yes. I read that too.
In fact my first approach was to set up TUN with TCP as protocol. And this did work.
Except for VoIP. I was able to connect to my TeamSpeak but audio didn't work, since audio is transferred via UDP.
The same is true for the LAN lobbies in many (all) games. Though direct connect using the IP address did work.
To solve this issue I switched my OpenVPN server to UDP.
And this is the point where my struggle started. I wasn't able to connect the client to the server. It was a real challenge to find out what went wrong and why.
I have to say that the community client does a really good job in helping to debug the config. It's quite verbose and does also a good job in explaining what's going on.
For debugging the routing I used one or two VMs with Windows installed. The VMs were connected to the LAN via NAT and/or bridged, I played around with that. Using VMs is helpful but it also adds an additional level of complexity. Especially if NAT is used. But using VMs only brings you that far since they are all running on the same machine which is connected to my LAN.
So I asked one of my friends to help with the debugging from the outside. Mainly to debug my firewall script.
After reading the logs and grepping network packets with tcpdump I came to the conclusion that for some reason, when the clients try to connect, the packets that the server sends back to the client get lost. Which points to a routing problem. But even after spending hours I couldn't get it to work. At some point the packets got lost. I still don't know why. Maybe it's routing or they get dropped. Either way there was no log entry and, at least for me, that didn't make sense.
And here I took a step back and rethought what I really want to build here.
In the end I just want my friends to connect to my local LAN. Being able to talk to each other using TeamSpeak. And spend now and then an evening together playing games.
That's when I decided to go for the TAP device. Since it's totally sufficient to bridge the VPN clients to my LAN. I know that using TAP adds latency. But since I have only a handful of machines connected that doesn't really matter. Also setting up the VPN via TAP makes the config and firewall (and routing) much cleaner and much easier to handle, in my opinion. I don't recommend using this config for large scale but for a small setup it's totally fine.
It's absolutely possible that I made a mistake somewhere along the line and maybe it's an easy fix to get the TUN setup to work. But at this point I'm happy with the solution I have.
pa4wdh (l33t)
Posted: Sun Dec 03, 2023 6:04 pm
Running a TCP based VPN always gives bad results, especially for latency sensitive protocols like VoIP; it can even run into a deadlock when you run a TCP based protocol inside your VPN. UDP is the right choice.
The main difference between TUN and TAP is that TAP bridges the client to the server LAN (layer 2) and TUN will make a subnet available to the clients and you'll have to route that to your server LAN (layer 3). So with TAP the networks on both sides of the VPN are in the same subnet, with TUN you'll get a new subnet with your VPN clients and you'll have to take care of routing to create connectivity between them.
sephora (n00b)
Posted: Mon Dec 04, 2023 7:59 am
True.
And thank you for your feedback.
For some reason I couldn't get the UDP routing to play along while TCP was working fine.
I did spend a lot of time in debugging there.
Anyway, my VPN is working as it is right now.
Maybe, if I feel very bored, I give it another try.
But I have to say to debug firewalls and routing tables is one of my least favorite topics. -.-
Hund (Apprentice)
Posted: Mon Dec 04, 2023 8:07 am
What's your reasoning for choosing something like OpenVPN, when we have better options like Wireguard? :)
_________________
Collect memories, not things.
sephora (n00b)
Posted: Mon Dec 04, 2023 3:30 pm
Good point.
The truth is: There's no particular reason. Except that I did work with OpenVPN before.
Maybe I'll give WireGuard a shot. But since OpenVPN is working for me now it's not a priority.
Thanks for the hint.
szatox (Advocate)
Posted: Fri Dec 08, 2023 3:34 pm
Wireguard is only an IP tunnel (L3) and must be routed, while openvpn can send ethernet frames (L2) as well and can be bridged. There are some things that can only be done at L2.
OpenVPN clients can have dynamic internal IPs, while wireguard must be configured manually but allows the clients to change their public IP without breaking the tunnel.
Both options will work just fine for _most_ people, but they both have their advantages in some corner cases. Use whatever gets the particular job done.
pa4wdh (l33t)
Posted: Fri Dec 08, 2023 6:02 pm
Indeed, both do VPNs and both do them well.
In my opinion OpenVPN is a bit better suited for dynamic environments (like many clients connecting to a server) because you can push settings to clients. I usually try to make the VPN config as small as possible and push the rest from the server.
jiminwilson (n00b)
Posted: Wed Nov 27, 2024 11:41 am
Is this really a workable solution?