OpenVPN Integration with CMIX Firewall

This document describes how to install an OpenVPN server on a Viapps CMIX Firewall node and how to configure it.

Note: Since Viapps version 1.4.0, OpenVPN is integrated into CMIX Firewall by default, so this manual configuration is not required. The configuration documentation can be found in Manage FW OpenVPN.

Dependencies

The package dependencies are:
  • openvpn
  • pkcs11-helper
  • easy-rsa
  • cmix-fw_openvpn_radiusplugin_opennac

These packages can be found in the Viapps repository.

Installation and configuration of OpenVPN

  • Install the required packages:
    yum install openvpn pkcs11-helper easy-rsa cmix-fw_openvpn_radiusplugin_opennac
    
  • Copy the OpenVPN sample configuration:
       cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
    
  • Edit the configuration file, /etc/openvpn/server.conf, and apply the required changes depending on your needs. Take the following into consideration:
    • Uncomment the "user" and "group" lines so that OpenVPN drops root privileges after start-up.
    • At the end of the configuration file, add the radius plugin to authenticate users against an openNAC radius, with the openNAC agent as VPN client:
            plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
      
    • If you are not interested in using client certificates, you need the client-cert-not-required property (authentication then relies only on the user credentials checked by the radius plugin).
    • Push routes to the client so that it can reach other private subnets behind the server.
  • If the openNAC radius is used, the /etc/openvpn/radiusplugin.cnf file has to be configured. The following properties have to be modified:
    • openNAC-Agent: indicates whether the openNAC agent will be used as the client to connect to the VPN
    • NAS-IP-Address: the IP address of the CMIX node used to connect to the openNAC radius
    • server: all openNAC radius properties. Pay attention to the wait value: a value greater than 1 is usually necessary if authentication is done through an Active Directory; in that case, "wait=5" could be enough.

Keys and certificates

Usually, we will have our own self-signed Certificate Authority (CA) to manage the required keys and certificates.

  • First of all, create the destination folder and copy the required files:
       mkdir -p /etc/openvpn/easy-rsa/keys
       cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    
  • Edit the /etc/openvpn/easy-rsa/vars file to customize the "KEY_" attributes, as shown in the following example:
        export KEY_COUNTRY="ES"
        export KEY_PROVINCE="BCN"
        export KEY_CITY="Barcelona"
        export KEY_ORG="OpenCloud Factory"
        export KEY_EMAIL="admin@opencloudfactory.com"
        export KEY_OU="IT"
    
        # X509 Subject Field
        export KEY_NAME="OpenCloudFactory"
    
  • Now we can build our Certificate Authority (CA):
       cd /etc/openvpn/easy-rsa
       source ./vars
       ./clean-all
       ./build-ca
    
  • Then, we create the OpenVPN server certificate with our server hostname (server in this example). We can use the default values, including an empty challenge password:
       ./build-key-server server
    
  • We generate the Diffie-Hellman parameter file used for the key exchange:
       ./build-dh
    
  • Finally, we copy the required certificate files to the OpenVPN folder:
       cd /etc/openvpn/easy-rsa/keys
       cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
    
    Note: if the server name used is not server, the CRT and KEY files will have different names, and these names have to be replaced in the /etc/openvpn/server.conf file.
  • Start the OpenVPN server and enable automatic startup in the usual runlevels:
    service openvpn start
    chkconfig openvpn on
    

Routing configuration and firewall ports

  • Check that IP forwarding is enabled in the /etc/sysctl.conf file:
    net.ipv4.ip_forward = 1
    
    Note: if this file is modified, the sysctl settings have to be reloaded using:
    sysctl -p
  • Allow routing of the VPN subnet using iptables. For example, where 10.8.0.0/24 is our VPN subnet and eth0 is the interface used to route traffic:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    
  • Create the iptables rule to open the VPN port. For example, where eth1 is the interface receiving incoming VPN connections and UDP/1194 is the protocol and port used:
    iptables -I INPUT -p udp -i eth1 --dport 1194 -j ACCEPT
    
  • Finally, save the iptables changes so they are permanent:
    service iptables save
    

OpenVPN client

A simple client configuration file, where user credentials are required to connect to the VPN server 1.2.3.4 and the CA certificate is included in the configuration file, could be:

client
dev tun
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIFPDCCBCSgAwIBAgIJAKv2BjAwo8mTMA0GCSqGSIb3DQEBCwUAMIHEMQswCQYD
...
VQZKKI7tzavDJRFtF4Lt4N3KHWqDvkwEQZlyy/gj6c2HFOvUP39GvbOEVG1zpiWz
-----END CERTIFICATE-----
</ca>
auth-user-pass
explicit-exit-notify
ns-cert-type server
Note: the corresponding content of the ca.crt file has to be included between <ca> and </ca>.

If this file is called user.ovpn, the VPN tunnel can be launched from the client with:

openvpn --config user.ovpn
Note: the openvpn program has to be executed in privileged mode (with sudo or as root on *NIX, and as Administrator on Windows) in order to create the required routes in the client environment.

TLS-Auth

If we want to enable tls-auth to use a static pre-shared key (PSK), which adds an HMAC signature to the TLS control channel packets and provides an additional level of security, some changes are required in the server and client configuration files.

  • This pre-shared key must be generated in advance and shared among all peers. The key will be stored in the ta.key file:
    openvpn --genkey --secret ta.key
    
  • In the server configuration file, add this line:
    tls-auth ta.key 0
    
  • Finally, add the following lines to the client configuration file, with the content of the ta.key file:
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    b856b4d272d281481d63ebebc6075614
    ...
    be77da366a423a39ec8b3d8f232a92de
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1
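
As an added example (not code from the Viapps guide or the CMIX project), the following POSIX shell script audits a server.conf and a client .ovpn against the settings required by the server configuration steps and by the TLS-Auth section above; the two sample configuration files it writes are constructed for the demonstration, and remote-cert-tls is accepted as the newer equivalent of ns-cert-type.

```shell
# Added example (not from the Viapps guide): audit an OpenVPN server.conf and a
# client .ovpn for the steps above; each audit prints findings and returns their count.

# directive FILE NAME: print the arguments of the first uncommented NAME line
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# has_directive FILE NAME: succeed if an uncommented NAME line exists
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}
audit_server() {
    f="$1"; n=0
    # user/group must be active so openvpn drops root after initialisation
    has_directive "$f" user  || { echo "server: 'user' line is commented out"; n=$((n+1)); }
    has_directive "$f" group || { echo "server: 'group' line is commented out"; n=$((n+1)); }
    # openNAC radius authentication is loaded through the plugin line
    directive "$f" plugin | grep -q radiusplugin || { echo "server: radius plugin line missing"; n=$((n+1)); }
    # without client certificates a leaked password alone opens the tunnel
    has_directive "$f" client-cert-not-required && { echo "server: client-cert-not-required set (password-only auth)"; n=$((n+1)); }
    # the server side of tls-auth uses key direction 0
    [ "$(directive "$f" tls-auth | awk '{ print $2 }')" = "0" ] || { echo "server: tls-auth missing or direction is not 0"; n=$((n+1)); }
    return $n
}
audit_client() {
    f="$1"; n=0
    # the <ca> block must hold the real ca.crt content
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "client: no CA certificate inside <ca></ca>"; n=$((n+1)); }
    # the inline <tls-auth> key pairs with key-direction 1 (the server used 0)
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$f" || { echo "client: no <tls-auth> key block"; n=$((n+1)); }
    [ "$(directive "$f" key-direction)" = "1" ] || { echo "client: key-direction must be 1"; n=$((n+1)); }
    # the client must verify it talks to a server certificate (remote-cert-tls is the newer form of ns-cert-type)
    has_directive "$f" ns-cert-type || has_directive "$f" remote-cert-tls || { echo "client: no server certificate check"; n=$((n+1)); }
    return $n
}
# Constructed samples: the server keeps user/group commented out and allows
# password-only auth; the client has a placeholder CA but no tls-auth key.
write_samples() {
    printf '%s\n' 'port 1194' ';user nobody' ';group nobody' 'client-cert-not-required' \
        'plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf' 'tls-auth ta.key 0' > "$1/server.conf"
    printf '%s\n' 'client' 'remote 1.2.3.4 1194' '<ca>' '-----BEGIN CERTIFICATE-----' 'MIIF-constructed' \
        '-----END CERTIFICATE-----' '</ca>' 'ns-cert-type server' > "$1/user.ovpn"
}
d=$(mktemp -d); write_samples "$d"
audit_server "$d/server.conf" || true   # exit status is the number of findings
audit_client "$d/user.ovpn" || true; rm -rf "$d"
```

Run it against the real /etc/openvpn/server.conf and the distributed user.ovpn instead of the constructed samples; an exit status of 0 from each audit means all the settings above are in place.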