Client to Server OpenVPN: Difference between revisions

From KlavoWiki
Latest revision as of 22:22, 30 October 2016

My specific purpose for these instructions is to let IP phones establish a tunnel to a SIP server without having to worry about NAT, STUN or port forwards. The Yealink SIP phones have built-in OpenVPN support.

The following instructions were performed on CentOS 7.2

Server

Installing

First install epel, because openvpn is not available in the default repository. Once epel has been installed:

yum -y install openssl lzo openvpn easy-rsa

Config Files

Examples of Configuration Files

/usr/share/doc/openvpn-2.3.12/sample/sample-config-files/server.conf

OpenVPN

vi /etc/openvpn/server.conf
local 192.168.1.1
port 1194
proto udp
dev tun

ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem

cipher AES-256-CBC
#duplicate-cn
#tls-auth /etc/openvpn/keys/ta.key 0

server 10.121.18.0 255.255.254.0
ifconfig-pool-persist ipp.txt

push "route 10.121.18.0 255.255.254.0"

client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4

log access.log
status connections.log

Certificate Creation

NOTE: Make sure the KeyName is different for each certificate generated, otherwise the system can't keep track of the certificates it has generated and you will get errors like:

failed to update database
TXT_DB error number 2

The default KeyName is: EasyRSA

Preparation

mkdir /etc/openvpn/easy-rsa
cp  /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
mkdir /etc/openvpn/easy-rsa/keys
mkdir /etc/openvpn/keys
cd /etc/openvpn/easy-rsa
vi vars

change

export EASY_RSA="`pwd`"

to

export EASY_RSA="/etc/openvpn/easy-rsa"


Change the other fields as required.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"


NOTE: Do not populate the KEY_CN field if you are using individual client certificates. If you are generating a single certificate for all clients then you can specify a default value here.

#export KEY_CN="my.fqdn.server.name"

Source the new variables:

source ./vars

Clean any previous builds. This should not be required if this is your first run at building certificates.

./clean-all

Server Certificates

Build Certificate Authority Certificate

./build-ca

Build the server certificate and key, naming the certificate server

./build-key-server server

Build the Diffie-Hellman parameters (dh2048.pem)

./build-dh


Copy certificate files to OpenVPN keys folder

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/keys/

Client Certificate

Known Issues:
1. For tighter security you would normally generate a client certificate for each client. In this case I will use the one certificate for all clients.

The name client in the command below is the name of the client certificate. If generating multiple certificates you will have to name them differently.

cd /etc/openvpn/easy-rsa
source ./vars
./build-key client

2. If you use the same client certificate name together with the duplicate-cn option, then ifconfig-pool-persist won't work, as the client certificate name is what is used to map a client to a consistent IP address.

tls-auth Key

openvpn --genkey --secret /etc/openvpn/keys/ta.key

Openvpn Service

Automatic

vi /etc/default/openvpn

Set AUTOSTART to all, or to the name of a specific config file without the .conf extension.

AUTOSTART="all"

or

AUTOSTART="server"

Start Service

systemctl restart openvpn

Manually

While the openvpn service is stopped, run openvpn directly with the server config:

openvpn --config /etc/openvpn/server.conf

Client

Windows

VPN Config File

C:\Program Files\OpenVPN\config\office-vpn.ovpn
client
dev tun
proto udp
remote my-vpn.server.com 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
# tls-auth ta.key 1

remote-cert-tls server

cipher AES-256-CBC

comp-lzo
verb 3

Copy Certificate Files

Copy the following files from the OpenVPN server to your OpenVPN client config folder.

Source

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/easy-rsa/keys/ta.key

Destination

C:\Program Files\OpenVPN\config

Yealink IP Phone

NOTE: The Yealink phones don't seem to support tls-auth, which means you will need to remove this setting from both the server and the client configuration files.

Copy Certificate Files

On the Linux server where the OpenVPN server is running:

mkdir -p /tmp/yealink/keys
cd /etc/openvpn/easy-rsa/keys
cp ca.crt client.crt client.key /tmp/yealink/keys/

Create VPN client config File

vi /tmp/yealink/vpn.cnf
client
nobind
setenv SERVER_POLL_TIMEOUT 4

proto udp
remote my-vpn.server.com 1194
dev tun
dev-type tun
ns-cert-type server

persist-tun
persist-key
comp-lzo

verb 3

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

cipher AES-256-CBC
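A cross-check of the server and client configs, added here as an example and not code from the wiki page: it parses both files and flags the mismatches this page discusses (tls-auth present on one side only, cipher or proto differences, duplicate-cn combined with ifconfig-pool-persist, a client that does not verify the server certificate type). The embedded configs are constructed samples modelled on the page's server.conf and Yealink vpn.cnf; the parser treats only lines starting with # or ; as comments.

```python
import shlex

# Constructed samples (not the phone's own files): a server.conf like the
# page's but with tls-auth left enabled, beside the page's Yealink client.
SERVER_CONF = """\
port 1194
proto udp
cipher AES-256-CBC
#duplicate-cn
tls-auth /etc/openvpn/keys/ta.key 0
server 10.121.18.0 255.255.254.0
ifconfig-pool-persist ipp.txt
comp-lzo
"""
YEALINK_CNF = """\
client
proto udp
remote my-vpn.server.com 1194
ns-cert-type server
comp-lzo
cipher AES-256-CBC
"""

def parse(text):
    """Map each active directive to its argument list.  Lines starting with
    '#' or ';' are comments, so the page's '#duplicate-cn' is not an option."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in '#;':
            name, *args = shlex.split(line)
            opts[name] = args
    return opts

def check(server_text, client_text):
    """Return the mismatches between a server.conf and a client config."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for opt in ('proto', 'cipher'):  # must agree on both ends
        if s.get(opt) != c.get(opt):
            problems.append('%s differs: server %s, client %s' % (opt, s.get(opt), c.get(opt)))
    if 'remote' in c and (c['remote'] + ['1194'])[1] != s.get('port', ['1194'])[0]:
        problems.append('client remote port does not match the server port')
    for opt in ('tls-auth', 'comp-lzo'):  # both sides or neither
        if (opt in s) != (opt in c):
            problems.append('%s set on one side only' % opt)
    if 'duplicate-cn' in s and 'ifconfig-pool-persist' in s:
        problems.append('duplicate-cn breaks ifconfig-pool-persist (known issue 2)')
    if 'remote-cert-tls' not in c and 'ns-cert-type' not in c:
        problems.append('client does not verify the server certificate type')
    return problems
```

Run check() on the real /etc/openvpn/server.conf and the phone's vpn.cnf before building the tar; an empty list means the two sides agree on the settings above.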

tar files

cd /tmp/yealink
tar cvpf openvpn.tar *

Copy openvpn.tar to your client computer. Open a web browser and enter the IP address of the handset. Select Network, then Advanced. Scroll down to the VPN setting, upload the openvpn.tar file and then select Enable.

Once the phone reboots you should see VPN in the top right of the screen. If VPN is not displayed, a tunnel has not been successfully established to the server.