OpenVPN

From Bashlinux

How to set up OpenVPN on Ubuntu

  • Install dependencies for LDAP authentication via Perl script
apt-get -y install libnet-ldap-perl
  • Set some useful parameters in the OpenVPN server configuration
  • Force clients to use the DNS server provided by the OpenVPN server
push "dhcp-option DNS 10.10.4.1"
  • Don't require client certificates; authenticate with username/password instead
client-cert-not-required
username-as-common-name
  • Authenticate against LDAP
plugin /usr/lib/openvpn-auth-ldap.so /etc/openvpn/ldap-auth-conf
  • Enable the management console (warning: do not bind it to any address other than localhost)
management localhost 7505
  • Prevent Windows 7 clients from overwriting the routing table
push "redirect-gateway def1 bypass-dhcp"
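The directives above are the security-relevant knobs of the server configuration. The following POSIX shell audit is an added example and not part of the Bashlinux page: it reads an OpenVPN server config and reports when the management socket is bound to anything other than localhost, when password-only authentication is set without username-as-common-name or without a plugin/auth-user-pass-verify line to actually check the password, and when no DNS server is pushed to clients. The function name, the messages and the constructed sample configs are this example's own.

```shell
#!/bin/sh
# Added example, not from the Bashlinux page: audit an OpenVPN server config
# for the points made above. Prints one finding per line, returns 0 when the
# config passes and 1 when there is at least one finding.

# audit_openvpn_conf FILE
audit_openvpn_conf() {
    conf="$1"
    findings=0

    # Management socket: anything but localhost/127.0.0.1 exposes the control
    # channel on the network (the page's own warning).
    mgmt=$(grep -E '^[[:space:]]*management[[:space:]]' "$conf" | awk '{print $2}')
    if [ -n "$mgmt" ] && [ "$mgmt" != localhost ] && [ "$mgmt" != 127.0.0.1 ]; then
        echo "management: bound to $mgmt, expected localhost"
        findings=$((findings + 1))
    fi

    # Password-only authentication: client-cert-not-required only makes sense
    # together with username-as-common-name and something that actually
    # verifies the password (a plugin such as openvpn-auth-ldap, or
    # auth-user-pass-verify).
    if grep -qE '^[[:space:]]*client-cert-not-required' "$conf"; then
        if ! grep -qE '^[[:space:]]*username-as-common-name' "$conf"; then
            echo "client-cert-not-required: username-as-common-name is missing"
            findings=$((findings + 1))
        fi
        if ! grep -qE '^[[:space:]]*(plugin|auth-user-pass-verify)[[:space:]]' "$conf"; then
            echo "client-cert-not-required: no plugin or auth-user-pass-verify checks the password"
            findings=$((findings + 1))
        fi
    fi

    # DNS: the page pushes the VPN server's resolver to every client.
    if ! grep -qE '^[[:space:]]*push[[:space:]]+"dhcp-option DNS ' "$conf"; then
        echo "push: no \"dhcp-option DNS\" pushed to clients"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: ./audit.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    audit_openvpn_conf "$1"
fi
```

Run it against the server config before (re)starting the service; a non-zero exit means at least one of the points above is not in place. Note that `client-cert-not-required` was deprecated in OpenVPN 2.4 and removed in 2.5, where the equivalent is `verify-client-cert none`; on those versions the audit above matches the old directive only, so extend the grep accordingly.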

How to replicate OpenVPN from Zentyal to a plain Ubuntu host

UBUNTU (Pre-sync)

  • Install openvpn on the ubuntu box
apt-get -y install openvpn libnet-ldap-perl
  • Prepare the certs and logs directories
mkdir -p /var/lib/zentyal/CA
mkdir -p /var/log/openvpn
  • Enable IPv4 Forwarding
sed -i -e '/net.ipv4.ip_forward/s/#//' /etc/sysctl.conf
sysctl -p

ZENTYAL (Sync)

  • rsync the OpenVPN settings from the Zentyal box to the Ubuntu box
rsync -avz /etc/openvpn/ ubuntu-box:/etc/openvpn/
  • rsync the certificates
rsync -avz /var/lib/zentyal/CA/ ubuntu-box:/var/lib/zentyal/CA/

UBUNTU (Post-sync)

  • Edit /etc/openvpn/${COLO}-vpn/${COLO}-vpn.conf and set
  • The listening address on the public interface
local x.y.z.$OCTET
  • The subnet for the secondary VPN
server x.y.$SUBNET.0 255.255.255.0
  • Enable the VPN configuration at /etc/default/openvpn
AUTOSTART="${COLO}-vpn.d/${COLO}-vpn"
  • Start OpenVPN
service openvpn start
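The post-sync steps above are a handful of edits to the replicated config and to /etc/default/openvpn. The shell functions below are an added example, not part of the Bashlinux page: they set the `local` and `server` directives idempotently (replace if present, append otherwise), set `AUTOSTART` in the defaults file to the page's `${COLO}-vpn.d/${COLO}-vpn` form, and list any copied key/certificate files that rsync left readable by group or other. Function names, the file paths passed in, and the sample files are this example's own; the assumption that Zentyal's private keys end in `.key` or `.pem` is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the Bashlinux page: apply the post-sync edits to a
# replicated OpenVPN config and check the synced CA files' permissions.
# Paths are passed as arguments so the functions can be run against copies.

# set_directive FILE DIRECTIVE VALUE: replace the directive line if present,
# append it otherwise, so re-running the script does not add duplicates.
set_directive() {
    sd_file="$1"; sd_name="$2"; sd_val="$3"
    if grep -qE "^[[:space:]]*$sd_name[[:space:]]" "$sd_file"; then
        sed -e "s|^[[:space:]]*$sd_name[[:space:]].*|$sd_name $sd_val|" "$sd_file" > "$sd_file.tmp"
        cat "$sd_file.tmp" > "$sd_file"   # keep the original inode and mode
        rm -f "$sd_file.tmp"
    else
        printf '%s %s\n' "$sd_name" "$sd_val" >> "$sd_file"
    fi
}

# get_directive FILE DIRECTIVE -> prints the directive's value
get_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | sed -e "s/^[[:space:]]*$2[[:space:]]*//"
}

# configure_secondary_vpn CONF DEFAULTS COLO PUBLIC_IP VPN_NET
#   CONF      path to <colo>-vpn.conf
#   DEFAULTS  path to /etc/default/openvpn (or a copy)
#   COLO      site name used in the instance name
#   PUBLIC_IP address to listen on (the page's x.y.z.$OCTET)
#   VPN_NET   network address of the /24 handed to clients
configure_secondary_vpn() {
    conf="$1"; defaults="$2"; colo="$3"; public_ip="$4"; vpn_net="$5"
    set_directive "$conf" local "$public_ip"
    set_directive "$conf" server "$vpn_net 255.255.255.0"
    # AUTOSTART in /etc/default/openvpn selects which instances the init
    # script starts; the value mirrors the page's ${COLO}-vpn.d/${COLO}-vpn.
    if grep -q '^AUTOSTART=' "$defaults"; then
        sed -e "s|^AUTOSTART=.*|AUTOSTART=\"$colo-vpn.d/$colo-vpn\"|" "$defaults" > "$defaults.tmp"
        cat "$defaults.tmp" > "$defaults"
        rm -f "$defaults.tmp"
    else
        printf 'AUTOSTART="%s-vpn.d/%s-vpn"\n' "$colo" "$colo" >> "$defaults"
    fi
}

# loose_key_files DIR -> prints every *.key / *.pem under DIR that is readable
# by group or other. rsync -a preserves modes, but verify after the copy.
loose_key_files() {
    find "$1" -type f \( -name '*.key' -o -name '*.pem' \) \
        \( -perm -g+r -o -perm -o+r \) -print
}
```

Typical use after the rsync: `configure_secondary_vpn /etc/openvpn/dc1-vpn/dc1-vpn.conf /etc/default/openvpn dc1 203.0.113.10 10.8.1.0` followed by `loose_key_files /var/lib/zentyal/CA`, which should print nothing before `service openvpn start`.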

How to setup UFW to let OpenVPN traffic from tap0 pass through

Edit /etc/ufw/before.rules and add the following NAT table at the top of the file, before the *filter header

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s <openvpn_net/netmask> -o <internal_nic1> -j MASQUERADE
-A POSTROUTING -s <openvpn_net/netmask> -o <internal_nic2> -j MASQUERADE
COMMIT

Then, in the same file, right after the loopback rules, add the input and forward rules for tap0

# Allow all traffic via our OpenVPN interface
-A ufw-before-input -i tap0 -j ACCEPT
-A ufw-before-forward -i tap0 -j ACCEPT
-A ufw-before-forward -o tap0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
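The NAT block above has to be inserted once, at the top of before.rules, with the `<openvpn_net/netmask>` and `<internal_nic>` placeholders filled in. The shell functions below are an added example, not part of the Bashlinux page: they render that block for a given VPN subnet and one or more egress interfaces and prepend it to a rules file only when the file has no `*nat` table yet, so the script can be re-run without duplicating POSTROUTING rules. Function names and the constructed sample rules file are this example's own; apply it to /etc/ufw/before.rules and reload ufw afterwards.

```shell
#!/bin/sh
# Added example, not from the Bashlinux page: render and insert the ufw NAT
# table for OpenVPN clients idempotently.

# render_nat_block NET NIC... -> prints the *nat table for the given subnet
# (e.g. 10.8.0.0/24) and every egress interface listed after it
render_nat_block() {
    net="$1"; shift
    printf '# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n'
    for nic in "$@"; do
        printf '# Allow traffic from OpenVPN clients out via %s\n' "$nic"
        printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$nic"
    done
    printf 'COMMIT\n'
}

# insert_nat_block FILE NET NIC... -> prepends the rendered block to FILE.
# Returns 0 when inserted, 2 when FILE already contains a *nat table
# (left untouched, so the rules are never duplicated).
insert_nat_block() {
    rules_file="$1"; shift
    if grep -q '^\*nat' "$rules_file"; then
        return 2
    fi
    scratch=$(mktemp)
    { render_nat_block "$@"; printf '\n'; cat "$rules_file"; } > "$scratch"
    cat "$scratch" > "$rules_file"   # overwrite in place, keeping mode/owner
    rm -f "$scratch"
}

# nat_rule_count FILE -> number of MASQUERADE rules present in FILE
nat_rule_count() {
    grep -c -- '-j MASQUERADE' "$1" || true
}

# Stand-alone use: ./ufw-nat.sh /etc/ufw/before.rules 10.8.0.0/24 eth0 eth1
if [ $# -ge 3 ]; then
    insert_nat_block "$@" && echo "inserted" || echo "already present"
fi
```

After inserting, check `DEFAULT_FORWARD_POLICY` in /etc/default/ufw and run `ufw reload`; a second run of the script reports "already present" and leaves the file unchanged.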