OpenVPN
From Bashlinux
How to set up OpenVPN on Ubuntu
- Install the Perl LDAP module needed for LDAP authentication via a Perl script
apt-get -y install libnet-ldap-perl
- Useful parameters for the OpenVPN server configuration
- Force clients to use the DNS server pushed by the OpenVPN server
push "dhcp-option DNS 10.10.4.1"
- Do not require client certificates; authenticate with username/password instead. These are two separate directives (client-cert-not-required is deprecated since OpenVPN 2.4 in favour of "verify-client-cert none")
client-cert-not-required
username-as-common-name
- Authenticate against LDAP
plugin /usr/lib/openvpn-auth-ldap.so /etc/openvpn/ldap-auth-conf
- Enable the management console (warning: the management interface is unauthenticated unless a password file is given as the third argument, so bind it to localhost only, never to a routable address)
management localhost 7505
- Keep Windows 7 clients from overwriting their route table: def1 adds 0.0.0.0/1 and 128.0.0.0/1 routes instead of replacing the default gateway, and bypass-dhcp keeps the client's DHCP server reachable outside the tunnel
push "redirect-gateway def1 bypass-dhcp"
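The parameters above are easy to get subtly wrong (a management socket bound to 0.0.0.0, certificates disabled with no password verifier configured, redirect-gateway without def1). The script below is an added example, not code from the Bashlinux page: it reads an OpenVPN server config, word-splits the directives the way OpenVPN does, and reports those three conditions. The two sample configs it writes are constructed for the demo; the directive names are standard OpenVPN ones.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): audit an OpenVPN server config
# for the settings discussed above. Sample configs are constructed inline.

# audit_openvpn_conf FILE
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_openvpn_conf() {
    local conf=$1 findings=0 pw_only=0 verifier=0 line
    set -f   # no globbing while we word-split config lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # '#' and ';' both start comments in OpenVPN
        line=${line%%;*}
        # shellcheck disable=SC2086
        set -- $line
        if [ $# -eq 0 ]; then continue; fi
        case $1 in
            management)
                # management ADDR PORT [PWFILE]: unauthenticated unless PWFILE
                # is given, so anything but loopback needs a password file.
                case $2 in
                    localhost|127.0.0.1|::1) ;;
                    *) if [ -z "$4" ]; then
                           echo "management interface on $2:$3 without a password file"
                           findings=$((findings + 1))
                       fi ;;
                esac ;;
            client-cert-not-required) pw_only=1 ;;            # deprecated since 2.4
            verify-client-cert) [ "$2" = none ] && pw_only=1 ;;
            plugin|auth-user-pass-verify) verifier=1 ;;
            push)
                case "$*" in
                    *redirect-gateway*def1*) ;;
                    *redirect-gateway*)
                        echo "redirect-gateway without def1: client default route is replaced, not overridden"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    set +f
    if [ "$pw_only" -eq 1 ] && [ "$verifier" -eq 0 ]; then
        echo "client certificates disabled but no plugin/auth-user-pass-verify configured"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# count_findings FILE -> number of findings for FILE
count_findings() {
    audit_openvpn_conf "$1" | wc -l | tr -d ' '
}

# make_sample_configs -> directory holding two constructed sample configs
make_sample_configs() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample: management exposed, no verifier, bare redirect-gateway
port 1194
dev tap0
server 10.10.4.0 255.255.255.0
management 0.0.0.0 7505
client-cert-not-required
username-as-common-name
push "redirect-gateway"
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed sample: the settings recommended on this page
port 1194
dev tap0
server 10.10.4.0 255.255.255.0
push "dhcp-option DNS 10.10.4.1"
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn-auth-ldap.so /etc/openvpn/ldap-auth-conf
management localhost 7505
push "redirect-gateway def1 bypass-dhcp"
EOF
    printf '%s\n' "$dir"
}

dir=$(make_sample_configs)
for f in weak hardened; do
    echo "== $f.conf"
    audit_openvpn_conf "$dir/$f.conf" && echo "no findings"
done
```

Run it against the real file with `audit_openvpn_conf /etc/openvpn/server.conf`; a non-zero exit makes it usable as a pre-start check in a deployment script.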
How to replicate OpenVPN from Zentyal to a plain Ubuntu host
UBUNTU (Pre-sync)
- Install openvpn on the Ubuntu box
apt-get -y install openvpn libnet-ldap-perl
- Prepare the certs and logs directories
mkdir -p /var/lib/zentyal/CA
mkdir -p /var/log/openvpn
- Enable IPv4 forwarding
sed -i -e '/net.ipv4.ip_forward/s/#//' /etc/sysctl.conf
sysctl -p
ZENTYAL (Sync)
- RSync OpenVPN settings from the Zentyal box to the Ubuntu box
rsync -avz /etc/openvpn/ ubuntu-box:/etc/openvpn/
- RSync the certificates (this directory holds the CA and server private keys; rsync transports them over ssh and -a preserves their restrictive permissions on the target)
rsync -avz /var/lib/zentyal/CA/ ubuntu-box:/var/lib/zentyal/CA/
UBUNTU (Post-sync)
- Edit /etc/openvpn/${COLO}-vpn/${COLO}-vpn.conf and set
- the listening address on the public interface
local x.y.z.$OCTET
- the subnet handed out to clients of the secondary VPN (it must not overlap the Zentyal server's VPN subnet or the LAN)
server x.y.$SUBNET.0 255.255.255.0
- Enable the VPN configuration at /etc/default/openvpn (the value is the config path relative to /etc/openvpn without the .conf suffix, so it must match the directory actually synced from Zentyal)
AUTOSTART="${COLO}-vpn.d/${COLO}-vpn"
- Start OpenVPN
service openvpn start
How to set up UFW to let OpenVPN traffic from tap0 pass through
Edit /etc/ufw/before.rules and add the following *nat table near the top of the file, after the comment header and before the *filter line (each table block ends with its own COMMIT)
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from OpenVPN clients leaving through the internal interfaces
-A POSTROUTING -s <openvpn_net/netmask> -o <internal_nic1> -j MASQUERADE
-A POSTROUTING -s <openvpn_net/netmask> -o <internal_nic2> -j MASQUERADE
COMMIT
Then in the same file, right after the loopback rules (-A ufw-before-input -i lo / -A ufw-before-output -o lo), add the input and forwarding rules for tap0. The interface name must match the dev directive in the server config, and the rules take effect after ufw reload
# Allow all traffic via our OpenVPN interface
-A ufw-before-input -i tap0 -j ACCEPT
-A ufw-before-forward -i tap0 -j ACCEPT
# Allow replies back to the VPN clients (-m state --state is the older alias of this match; one rule is enough)
-A ufw-before-forward -o tap0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
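Because the two fragments have to land at specific places in before.rules (the *nat table before *filter, the tap rules after the loopback rules) and a misplaced COMMIT breaks iptables-restore, here is an added example, not the Bashlinux page's own code, that renders both fragments from parameters and splices them into a copy of the file at those anchors, refusing to produce output if either anchor is missing. The VPN subnet, tap device and NIC names are arguments; the sample before.rules is a constructed, abbreviated copy of Ubuntu's layout.

```shell
#!/bin/sh
# Added example (not from the Bashlinux page): render the UFW before.rules
# fragments for an OpenVPN tap interface and splice them into a copy of the
# file at the anchors described above. The sample before.rules is constructed.

# nat_block VPN_NET NIC... -> *nat table with one MASQUERADE rule per internal NIC
nat_block() {
    local net=$1 nic
    shift
    printf '# NAT table rules (OpenVPN)\n*nat\n:POSTROUTING ACCEPT [0:0]\n'
    for nic in "$@"; do
        printf '%s\n' "-A POSTROUTING -s $net -o $nic -j MASQUERADE"
    done
    printf 'COMMIT\n'
}

# tap_block DEV -> accept traffic from the VPN interface and replies back to it
tap_block() {
    local dev=$1
    printf '# Allow all traffic via our OpenVPN interface\n'
    printf '%s\n' "-A ufw-before-input -i $dev -j ACCEPT"
    printf '%s\n' "-A ufw-before-forward -i $dev -j ACCEPT"
    printf '%s\n' "-A ufw-before-forward -o $dev -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# splice_rules SRC DST VPN_NET DEV NIC... -> DST is SRC with both blocks inserted.
# Returns 1 if either anchor line was not found, so a half-applied file is flagged.
splice_rules() {
    local src=$1 dst=$2 net=$3 dev=$4 line done_nat=0 done_tap=0
    shift 4
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '*filter'*)                      # nat table goes just before *filter
                if [ "$done_nat" -eq 0 ]; then
                    nat_block "$net" "$@" >> "$dst"
                    echo >> "$dst"
                    done_nat=1
                fi ;;
        esac
        printf '%s\n' "$line" >> "$dst"
        case $line in
            '-A ufw-before-output -o lo -j ACCEPT'*)   # last loopback rule
                if [ "$done_tap" -eq 0 ]; then
                    echo >> "$dst"
                    tap_block "$dev" >> "$dst"
                    done_tap=1
                fi ;;
        esac
    done < "$src"
    [ "$done_nat" -eq 1 ] && [ "$done_tap" -eq 1 ]
}

# line_of PREFIX FILE -> number of the first line starting with PREFIX (empty if none)
line_of() {
    awk -v pat="$1" 'index($0, pat) == 1 { print NR; exit }' "$2"
}

# make_sample_before_rules -> path of a constructed, abbreviated before.rules
make_sample_before_rules() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
#
# rules.before
#
# Rules that should be run before the ufw command line added rules.
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
    printf '%s\n' "$f"
}

src=$(make_sample_before_rules)
dst=$(mktemp)
splice_rules "$src" "$dst" 10.10.4.0/24 tap0 eth0 eth1 && cat "$dst"
```

On a real host run `splice_rules /etc/ufw/before.rules /tmp/before.rules.new <vpn_net/mask> tap0 <nic1> <nic2>`, review the diff, copy it into place and `ufw reload`; the function never writes to its input file.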