OpenVPN

From Alessandro's Wiki

Joining the VPN

Client installation

  • Download:
Linux http://openvpn.net/download.html
Mac http://www.tunnelblick.net/
Windows http://www.openvpn.se/

Windows client

Go to the folder

%ProgramFiles%\OpenVPN\config

and copy into it the three certificate files we sent you:

hostname.crt hostname.key ca.crt

Create a text file named

client.ovpn

open it with Notepad and paste the following:

client
remote 1.2.3.4 1194
dev tun
nobind
ca ca.crt
persist-key
persist-tun
comp-lzo
resolv-retry infinite
cert hostname.crt
key hostname.key

The three files you were sent stay in the config folder above, alongside client.ovpn. Open any ports needed in the firewall: the client only makes an outbound connection (UDP to port 1194 on the server, since no proto is given), so with a stateful firewall no inbound rule is required on the client.

  • On Windows Vista you will also need to add the following to your configuration:
route-method exe
route-delay 2

Linux client

Install openvpn with your distribution's package manager, then copy the following text into /etc/openvpn/openvpn.conf:

client
remote 1.2.3.4 1194
dev tun
nobind
ca ca.crt
persist-key
persist-tun
comp-lzo
resolv-retry infinite
cert hostname.crt
key hostname.key

Copy the three files you were sent into /etc/openvpn/ and fix the permissions, so that the private key is readable only by root:

chmod 600 hostname.key

Open any ports needed in the firewall. The rules below accept inbound 1194/tcp and 1194/udp, which is what the server side needs; a client with nobind connects outbound from an ephemeral port and needs no inbound rule on a stateful firewall:

iptables -A INPUT -p tcp -m tcp --dport 1194    -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1194    -j ACCEPT

Restart openvpn and make it start at boot (how depends on the distribution):

/etc/init.d/openvpn start
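The client configuration used on all three platforms above works, but it accepts any certificate signed by ca.crt as the server and leaves the cipher and HMAC digest at their defaults. The following is an added example, not code from Alessandro's wiki or from the OpenVPN project: it parses the page's client.ovpn (embedded as a string) and reports what a reviewer would change, then produces the hardened file. The directive semantics are those of the OpenVPN 2.x manual; the SHA512 and AES-256-GCM values written by harden_client_config are assumptions and must match whatever the real server is configured with.

```python
"""Audit the page's client.ovpn for weak or missing settings.

Added example, not from Alessandro's wiki or the OpenVPN project.
PAGE_CLIENT_OVPN is the client configuration shown on the page. Checks:
remote-cert-tls / verify-x509-name / ns-cert-type restrict which certs may
act as the server; `auth` defaults to SHA1; `cipher` defaults to BF-CBC
before 2.4; comp-lzo turns on data-channel compression.
"""

PAGE_CLIENT_OVPN = """\
client
remote 1.2.3.4 1194
dev tun
nobind
ca ca.crt
persist-key
persist-tun
comp-lzo
resolv-retry infinite
cert hostname.crt
key hostname.key
"""

ROLE_CHECKS = ("remote-cert-tls", "verify-x509-name", "ns-cert-type")


def parse_config(text):
    """Return [(directive, [args])], skipping blanks and # or ; comments.
    An inline <tag>...</tag> block becomes one (tag, [body]) entry so that a
    pasted key or certificate is never parsed as directives."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</"):
            tag, body = line.strip("<>"), []
            while i < len(lines) and lines[i].strip() != "</%s>" % tag:
                body.append(lines[i])
                i += 1
            i += 1  # consume the closing tag
            entries.append((tag, ["\n".join(body)]))
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_client_config(text):
    """Return (severity, problem, fix) tuples; an empty list means no finding."""
    present = {name for name, _ in parse_config(text)}
    findings = []
    # Any certificate signed by ca.crt is accepted as the server unless the
    # client checks the server role, so another client's cert can MITM you.
    if not present & set(ROLE_CHECKS):
        findings.append(("HIGH", "server certificate role is not verified",
                         "remote-cert-tls server"))
    # Compressing attacker-influenced plaintext leaks it (VORACLE class);
    # OpenVPN 2.5 and later default compression to off.
    if present & {"comp-lzo", "compress"}:
        findings.append(("MEDIUM", "data-channel compression is enabled",
                         "remove comp-lzo (the server must drop it too)"))
    # Omitting cipher on 2.3-era clients means BF-CBC, a 64-bit block
    # cipher (SWEET32); 2.4+ negotiates, but an explicit value is still safer.
    if "cipher" not in present:
        findings.append(("MEDIUM", "cipher not set (BF-CBC default before 2.4)",
                         "cipher AES-256-GCM, matching the server"))
    # Omitting auth does not disable the HMAC: it selects SHA1, and both
    # sides must agree or every packet fails HMAC verification.
    if "auth" not in present:
        findings.append(("LOW", "auth not set, so the HMAC digest is SHA1",
                         "auth SHA512, matching the server"))
    return findings


def harden_client_config(text, auth="SHA512", cipher="AES-256-GCM"):
    """Apply the fixes from audit_client_config. auth and cipher are assumed
    server values: SHA512 is the one this page's troubleshooting section
    names, AES-256-GCM is an assumption."""
    kept = [l for l in text.splitlines()
            if l.split()[:1] not in (["comp-lzo"], ["compress"])]
    present = {name for name, _ in parse_config("\n".join(kept))}
    if not present & set(ROLE_CHECKS):
        kept.append("remote-cert-tls server")
    if "cipher" not in present:
        kept.append("cipher " + cipher)
    if "auth" not in present:
        kept.append("auth " + auth)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for sev, problem, fix in audit_client_config(PAGE_CLIENT_OVPN):
        print("%-6s %s -> %s" % (sev, problem, fix))
    print(harden_client_config(PAGE_CLIENT_OVPN))
```

The remote-cert-tls finding is the one that matters most: with only `ca ca.crt`, every certificate the same CA issued to other users is also a valid "server" certificate, so anyone holding one can sit between you and the real server. The other three findings depend on the server side, which is why the hardened values are parameters rather than constants.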

DDWRT

The following shows how to configure a DD-WRT router as the client of a point-to-point (static key) OpenVPN connection; useful for routing a whole subnet over the tunnel.

  • Services->VPN->OpenVPN Server/Daemon
  • OpenVPN -> Enable
  • Start Type -> UpSystem
  • Inbound Firewall on TUN [NO]
  • Config as -> Daemon
  • Additional Config
remote 1.2.3.4
port 31194
proto udp
ifconfig 10.0.3.1 10.0.3.2
dev tun
link-mtu 1472
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
route 10.0.3.0 255.255.255.0

<secret>
-----BEGIN OpenVPN Static key V1-----
4.....t
-----END OpenVPN Static key V1-----
</secret>


  • Firewall commands (adjust for your subnets):
iptables -t nat -A POSTROUTING -d 10.0.0.0/24 -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o tun0 -j MASQUERADE
iptables -I FORWARD 10 -s 10.0.0.0/24 -i tun0 -j ACCEPT
iptables -I INPUT 3 -s 10.0.0.0/24 -i tun0 -j ACCEPT

Mac OS X client (Intel and non-Intel)

Download Tunnelblick Universal from www.tunnelblick.net and install it.

Save the following as client.ovpn. Tunnelblick does not read /etc/openvpn: it keeps its configurations in its own folder under ~/Library (see the Tunnelblick documentation), and that is where this file and the three certificate files must go:

client
remote 1.2.3.4 1194
dev tun
nobind
ca ca.crt
persist-key
persist-tun
comp-lzo
resolv-retry infinite
cert hostname.crt
key hostname.key

Copy the three files you were sent next to the configuration file and fix the permissions, so that the private key is readable only by you:

chmod 600 hostname.key

Mac OS X has neither iptables nor /etc/init.d: Tunnelblick opens the outbound connection and starts and stops the tunnel itself, so the Linux firewall rules and service commands do not apply here.

client rejecting options

  • In my case I wanted to skip the DNS nameserver setting from my Linux client.

On the client this is done with the directive pull-filter ignore "dhcp-option DNS" (OpenVPN 2.4 and later), or with route-nopull to refuse all pushed routes and DHCP options, DNS included. The three entries that follow are the server-side options, quoted from the OpenVPN manual.

push option

Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes (""). The client must specify --pull in its config file. The set of options which can be pushed is limited by both feasibility and security. Some options such as those which would execute scripts are banned, since they would effectively allow a compromised server to execute arbitrary code on the client. Other options such as TLS or MTU parameters cannot be pushed because the client needs to know them before the connection to the server can be initiated.

This is a partial list of options which can currently be pushed: --route, --route-gateway, --route-delay, --redirect-gateway, --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --persist-key, --persist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf

push-reset

Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.

disable

Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead (see the --crl-verify option). This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.


Server

  • List the connected IP addresses:
grep openvpn /var/log/messages|grep 'ifconfig 10.8.0'|awk '{print $18}'|sort|uniq

or

cat /var/log/openvpn-status.log
  • Static route to reach the VPN subnet from the local network (192.168.82.1 being the LAN address of the OpenVPN server):
route add -net 10.8.0.0/24 gw 192.168.82.1
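The status file is a better source than grepping syslog, and it answers more than "who is connected": it also shows whether a common name that should have been revoked (see the disable/CRL note above) is still connecting, and whether one certificate is in use from several places at once. The following is an added example, not code from Alessandro's wiki or from the OpenVPN project: it parses a status-version 1 openvpn-status.log and runs those checks. The log, the common names, the addresses and ALLOWED_CNS are all constructed for the example.

```python
"""Parse openvpn-status.log (status-version 1) and review the sessions.

Added example, not from Alessandro's wiki or the OpenVPN project. The log
below is constructed; common names, addresses and ALLOWED_CNS are
assumptions. Real addresses are host:port, so splitting on ',' is safe as
long as common names contain no comma.
"""

SAMPLE_STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Mon Jun  3 10:15:02 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice-laptop,203.0.113.10:54021,184320,921600,Mon Jun  3 09:40:11 2013
bob-desktop,198.51.100.7:1194,40960,81920,Mon Jun  3 10:01:45 2013
bob-desktop,192.0.2.99:33871,2048,4096,Mon Jun  3 10:12:30 2013
old-intern,203.0.113.77:40001,512,1024,Mon Jun  3 10:14:58 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice-laptop,203.0.113.10:54021,Mon Jun  3 10:15:00 2013
10.8.0.10,bob-desktop,198.51.100.7:1194,Mon Jun  3 10:14:59 2013
10.8.0.14,bob-desktop,192.0.2.99:33871,Mon Jun  3 10:15:01 2013
10.8.0.18,old-intern,203.0.113.77:40001,Mon Jun  3 10:15:01 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Assumption: the common names whose certificates are issued and not revoked.
ALLOWED_CNS = {"alice-laptop", "bob-desktop"}

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status_log(text):
    """Merge the CLIENT LIST and ROUTING TABLE rows into one record per
    (common name, real address) and return them as a list of dicts."""
    sessions, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        fields = line.split(",")
        if section == SECTIONS[0] and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, rx, tx, since = fields
            sessions[(cn, real)] = {"cn": cn, "real": real, "rx": int(rx),
                                    "tx": int(tx), "since": since, "virtual": None}
        elif section == SECTIONS[1] and len(fields) == 4 and fields[0] != "Virtual Address":
            virt, cn, real, _last_ref = fields
            rec = sessions.setdefault((cn, real), {"cn": cn, "real": real, "rx": 0,
                                                   "tx": 0, "since": None, "virtual": None})
            rec["virtual"] = virt
    return list(sessions.values())


def connected_ips(sessions):
    """The page's grep|awk|sort|uniq, from the status file instead of syslog."""
    return sorted({s["virtual"] for s in sessions if s["virtual"]},
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def unexpected_clients(sessions, allowed=ALLOWED_CNS):
    """Connected common names outside the allow list: these belong on the
    CRL, which is what the manual says to use instead of `disable`."""
    return sorted({s["cn"] for s in sessions if s["cn"] not in allowed})


def shared_keys(sessions):
    """Common names live from more than one real host at once. Two sessions
    for one CN only exist with duplicate-cn set, and mean the same
    certificate and key are in use in two places."""
    by_cn = {}
    for s in sessions:
        by_cn.setdefault(s["cn"], set()).add(s["real"].rsplit(":", 1)[0])
    return sorted(cn for cn, hosts in by_cn.items() if len(hosts) > 1)


if __name__ == "__main__":
    sessions = parse_status_log(SAMPLE_STATUS_LOG)
    print("connected:", connected_ips(sessions))
    print("not on allow list:", unexpected_clients(sessions))
    print("same CN from several hosts:", shared_keys(sessions))
```

Run against the real file on the server (cat /var/log/openvpn-status.log piped in, or read the path directly); the allow list is the set of certificates you actually issued minus those on the CRL.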


troubleshooting

packet HMAC authentication failed

Authenticate/Decrypt packet error: packet HMAC authentication failed


Solution: the client configuration was missing "auth SHA512", which the server had. The HMAC digest must be identical on both ends; leaving auth out does not disable it but selects the default, SHA1, so every packet from the other side fails verification.
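The same reasoning applies to every setting OpenVPN does not negotiate: an omitted directive is not "off", it is the default, and the default has to match the other side. The following is an added example, not code from Alessandro's wiki or from the OpenVPN project: it takes the page's client config and a constructed server config (the page shows only the client side), fills in the 2.3-era defaults, and reports each mismatch together with the log line it typically produces. The cipher, proto and compression symptoms are the usual ones for a static, non-negotiated setup.

```python
"""Find client/server OpenVPN settings that must agree.

Added example, not from Alessandro's wiki or the OpenVPN project. It
reproduces the page's case: the server runs with `auth SHA512`, the client
omits `auth`, so the client's HMAC is SHA1 and every packet fails. The
server config is constructed. Defaults and symptoms assume a 2.3-era setup
where nothing is negotiated: auth SHA1, cipher BF-CBC, compression off.
"""

CLIENT_CONF = """\
client
remote 1.2.3.4 1194
dev tun
nobind
ca ca.crt
persist-key
persist-tun
comp-lzo
resolv-retry infinite
cert hostname.crt
key hostname.key
"""

# Constructed server side; only the directives that matter here are shown.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
auth SHA512
comp-lzo
"""

DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC", "proto": "udp", "compression": "off"}

# Typical log line on the side that cannot verify or decode the traffic.
SYMPTOMS = {
    "auth": "Authenticate/Decrypt packet error: packet HMAC authentication failed",
    "cipher": "Authenticate/Decrypt packet error: cipher final failed",
    "compression": "Bad LZO decompression header byte",
    "proto": "no reply at all; the handshake never starts",
}


def effective_settings(text):
    """Map the directives we care about to their effective value, filling in
    DEFAULTS for anything omitted. Inline <key> blocks are not expected in
    these configs, so a simple first-word split is enough."""
    raw = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#;<":
            raw[parts[0]] = parts[1:]
    eff = dict(DEFAULTS)
    if "auth" in raw:
        eff["auth"] = raw["auth"][0].upper()
    if "cipher" in raw:
        eff["cipher"] = raw["cipher"][0].upper()
    if "proto" in raw:
        eff["proto"] = raw["proto"][0][:3].lower()  # udp/udp6/tcp-client -> udp/tcp
    for key in ("comp-lzo", "compress"):
        # bare comp-lzo, comp-lzo yes/adaptive and compress <alg> all frame
        # packets for compression; only "comp-lzo no" leaves it off
        if key in raw and raw[key][:1] != ["no"]:
            eff["compression"] = "on"
    return eff


def diagnose(client_text, server_text):
    """Return (directive, client_value, server_value, symptom) per mismatch."""
    c, s = effective_settings(client_text), effective_settings(server_text)
    return [(k, c[k], s[k], SYMPTOMS[k]) for k in DEFAULTS if c[k] != s[k]]


if __name__ == "__main__":
    for directive, cval, sval, symptom in diagnose(CLIENT_CONF, SERVER_CONF):
        print("%s: client=%s server=%s -> %s" % (directive, cval, sval, symptom))
```

The same check is worth running before changing auth or cipher on a live server: whichever side you edit first will log the symptom above until the other side catches up.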

test port udp 1194

nmap <server.address> -sU -pU:1194 -Pn

An unanswered UDP probe is reported as open|filtered, so this only shows that the port is not actively rejected; a result of closed means an ICMP port-unreachable came back, i.e. nothing is listening there.

UDPv4 []: No buffer space available (code=105)

  • "Increase the required free memory. I recommend at least 2 MB, which you can set with:"
echo 2048 >/proc/sys/vm/min_free_kbytes