OpenVPN Integration with CMIX Firewall

This document guides you through installing an OpenVPN server on a Viapps CMIX Firewall node and configuring it.

Note: From Viapps version 1.4.0, OpenVPN is integrated in CMIX Firewall by default, so this configuration is not required. You can find the configuration documentation in Manage FW OpenVPN.
Dependencies

The package dependencies are:
- openvpn
- pkcs11-helper
- easy-rsa
- cmix-fw_openvpn_radiusplugin_opennac

These packages can be found in the Viapps repository.
Installation and configuration of OpenVPN

- Install the required packages:
  ```shell
  yum install openvpn pkcs11-helper easy-rsa cmix-fw_openvpn_radiusplugin_opennac
  ```
- Copy the OpenVPN sample configuration:
  ```shell
  cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
  ```
- Edit the configuration file, /etc/openvpn/server.conf, and apply the changes your deployment requires. Take the following into consideration:
  - Uncomment the "user" and "group" lines, so that OpenVPN drops root privileges once it has finished initializing.
  - At the end of the configuration file, add the radius plugin to authenticate users against an openNAC radius server, with the openNAC agent acting as VPN client:
    ```
    plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
    ```
  - If you are not interested in using client certificates, you need the
  - Push routes to the client to allow it to reach other private subnets behind the server.
  - If the openNAC radius is used, you also have to configure the /etc/openvpn/radiusplugin.cnf file. Modify the following properties:
    - openNAC-Agent: indicates whether the openNAC agent will be used as the client to connect to the VPN.
    - NAS-IP-Address: the IP address of the CMIX node used to connect to the openNAC radius.
    - server: all openNAC radius properties. Pay attention to the wait value, because a value greater than 1 is usually necessary if authentication is done through an Active Directory; in this case, "wait=5" could be enough.
Keys and certificates
Usually, we will have our own self-signed Certificate Authority (CA), to manage the required keys and certificates.
- First of all, create the destination folder and copy the required files:
  ```shell
  mkdir -p /etc/openvpn/easy-rsa/keys
  cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
  ```
- Edit the /etc/openvpn/easy-rsa/vars file to customize the "KEY_" attributes, as shown in the following example:
  ```shell
  export KEY_COUNTRY="ES"
  export KEY_PROVINCE="BCN"
  export KEY_CITY="Barcelona"
  export KEY_ORG="OpenCloud Factory"
  export KEY_EMAIL="firstname.lastname@example.org"
  export KEY_OU="IT"
  # X509 Subject Field
  export KEY_NAME="OpenCloudFactory"
  ```
- Now we can build our Certificate Authority (CA):
  ```shell
  cd /etc/openvpn/easy-rsa
  source ./vars
  ./clean-all
  ./build-ca
  ```
- Then, we create the OpenVPN server certificate, with our server hostname (server in this example). We can use the default values, including an empty challenge password:
- We generate the Diffie-Hellman key exchange parameters file:
- Finally, we copy the required certificate files to the OpenVPN folder:
  ```shell
  cd /etc/openvpn/easy-rsa/keys
  cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
  ```
  Note: if the server name used is not server, the CRT and KEY files will have different names, and this name will have to be replaced in
- Start the OpenVPN server and enable automatic startup in the usual runlevels:
  ```shell
  service openvpn start
  chkconfig openvpn on
  ```
Routing configuration and firewall ports
- Check that IP forwarding is enabled, in
  ```
  net.ipv4.ip_forward = 1
  ```
  Note: if this file is modified, we have to reload the sysctl settings, using:
- Allow routing of the VPN subnet, using iptables. For example, where 10.8.0.0/24 is our VPN subnet and eth0 is the interface used to route traffic:
  ```shell
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  ```
- Create the iptables rule to open the VPN port. For example, where eth1 is the interface receiving incoming VPN connections and UDP/1194 is the protocol and port used:
  ```shell
  iptables -I INPUT -p udp -i eth1 --dport 1194 -j ACCEPT
  ```
- Finally, save the iptables changes so that they persist across reboots:
  ```shell
  service iptables save
  ```
A simple client configuration file, where user credentials are required to connect to the 22.214.171.124 VPN server, with the CA certificate included inline in the configuration file, could be:
```
client
dev tun
proto udp
remote 126.96.36.199 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIFPDCCBCSgAwIBAgIJAKv2BjAwo8mTMA0GCSqGSIb3DQEBCwUAMIHEMQswCQYD
...
VQZKKI7tzavDJRFtF4Lt4N3KHWqDvkwEQZlyy/gj6c2HFOvUP39GvbOEVG1zpiWz
-----END CERTIFICATE-----
</ca>
auth-user-pass
explicit-exit-notify
ns-cert-type server
```
Note: You have to include the corresponding content of

The ns-cert-type directive, which makes the client verify that the certificate it receives really belongs to a server, was deprecated in OpenVPN 2.4 and removed in 2.5; on those versions use remote-cert-tls server instead, which serves the same purpose.
If this file is called user.ovpn, the VPN tunnel can be launched from the client with:
```shell
openvpn --config user.ovpn
```
Note: You have to execute the openvpn program in privileged mode, as the root user on *NIX and the Administrator user on Windows, in order to create the desired routes in the client environment.
If we want to enable tls-auth to use a static pre-shared key (PSK), providing an additional level of security for the TLS control channel, some changes are required in the server and client configuration files.
- This pre-shared key must be generated in advance and shared among all peers. The key will be stored in
  ```shell
  openvpn --genkey --secret ta.key
  ```
- In the server configuration file, add this line:
  ```
  tls-auth ta.key 0
  ```
- And finally, add the following lines to the client configuration file, with
  ```
  <tls-auth>
  -----BEGIN OpenVPN Static key V1-----
  b856b4d272d281481d63ebebc6075614
  ...
  be77da366a423a39ec8b3d8f232a92de
  -----END OpenVPN Static key V1-----
  </tls-auth>
  key-direction 1
  ```
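As an added example that is not part of the Viapps documentation, the following POSIX shell script audits a server.conf for the directives the configuration step above asks for (user/group uncommented, radius plugin, pushed routes, tls-auth) and checks that a client profile declares the tls-auth key direction complementary to the server's. The server.conf and user.ovpn it inspects are constructed samples, not the page's files.

```shell
#!/bin/sh
# Added example, not part of the Viapps documentation: audits the directives
# this guide asks for. Both configuration files below are constructed samples.

# Print every expected server.conf directive that is absent (a line that is
# still commented out with ';' or '#' counts as absent); return 1 if any is.
check_server_conf() {
    status=0
    for want in '^user ' '^group ' \
                '^plugin /etc/openvpn/radiusplugin.so' \
                '^tls-auth ta.key 0' '^push "route '; do
        grep -q "$want" "$1" || { echo "missing: $want"; status=1; }
    done
    return $status
}

# tls-auth keys have two directions: the server uses 0, so each client must
# declare 1 (via key-direction or the third tls-auth argument). Return 0 only
# when the client file complements the server file.
check_key_direction() {
    srv=$(awk '$1 == "tls-auth" { print $3 }' "$1")
    cli=$(awk '$1 == "key-direction" { print $2 }
               $1 == "tls-auth"      { print $3 }' "$2")
    [ "$srv" = "0" ] && [ "$cli" = "1" ]
}

tmp=$(mktemp -d)
# Constructed server.conf: user/group are still commented out, as shipped.
cat >"$tmp/server.conf" <<'EOF'
port 1194
proto udp
dev tun
;user nobody
;group nobody
push "route 192.168.10.0 255.255.255.0"
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
tls-auth ta.key 0
EOF
# Constructed client profile matching the guide's user.ovpn layout.
cat >"$tmp/user.ovpn" <<'EOF'
client
remote 192.0.2.10 1194
auth-user-pass
key-direction 1
EOF

check_server_conf "$tmp/server.conf" && echo "server.conf: all directives present"
check_key_direction "$tmp/server.conf" "$tmp/user.ovpn" && echo "key direction: ok"
```

Run against the sample as written it reports the two commented-out privilege directives; once ";user" and ";group" are uncommented it passes, and a client with key-direction 0 is rejected.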