
Easy OpenVPN Version 1.2

(Version 1.2 specific to CentOS 6) Creates clients with login & password option.

Install Guide

Easy OpenVPN was created to quickly implement an OpenVPN server with basic client username & password functionality.

Requirements:
A static public IP address or a dynamic DNS account.
TCP port 1194 forwarded in your firewall/router to your new VPN server.
A Proxmox VE server.

Installation:

Download the Easy OpenVPN templates located at the following link(s):


https://docs.google.com/open?id=0Bw0sSl-g4aaSNGRjZWYyODctZDI0ZS00YTZiLThiNjEtNjdkNGYxZjI5Zjdh

Make sure to check the MD5SUM and verify the file downloaded correctly without any errors. (A matching md5sum only shows that the download is intact; it says nothing about who built the template.)

proxmox:/var/lib/vz/template/cache# md5sum centos-6-EasyOpenVPNLoginPassword_v1.2_amd64.tar.gz
2794ae652d413a5ad5568ebd7f08a235  centos-6-EasyOpenVPNLoginPassword_v1.2_amd64.tar.gz

Create the Easy OpenVPN server using the template. Make sure to select the Bridged Ethernet (veth) interface. All other settings can be left at their defaults.

After the Easy OpenVPN container has been created, log in and edit the network interface information for eth0. The file is located at /etc/sysconfig/network-scripts/ifcfg-eth0. Change the IPADDR, NETMASK and GATEWAY values to reflect your network settings:

# Primary network interface
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.100.250
NETMASK=255.255.255.0
GATEWAY=192.168.100.1

At this point you should have a CentOS 6 server running with networking. Make sure your networking is working by pinging www.google.com.

Generate new SSH host keys. This is a generic template, so the host keys it ships with are shared by every copy of it; you must generate your own before exposing the server:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa

Verify the date/time are correct on your new VM. If not, adjust them before continuing. Below is an example of how to correct the date/time.

On the Proxmox hardware node (HN), run:

Stop VE: vzctl stop 101
vzctl set 101 --capability sys_time:on --save
Start VE: vzctl start 101
Enter VE: vzctl enter 101

In the VE, run:

Rename the /etc/localtime file: mv /etc/localtime /etc/localtime.old
Link to your timezone file: ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

Run date to check that your time is right. If correct, that's it!

openvpn# date
Sun Jan 22 20:00:14 EST 2012

On the Proxmox server, load the tun module. Type modprobe tun and then edit /etc/modules and add tun on the last line. See below:

proxmox:/etc# modprobe tun
proxmox:/etc# vi modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.

tun

There are 4 scripts located in /root/EasyOpenVPN:

STEP1_create-proxmox_tun_commands.sh
STEP2_install-EasyOpenVPN_part1.sh
STEP3_install-EasyOpenVPN_part2.sh
create-EasyOpenVPN-client.sh

Run STEP1_create-proxmox_tun_commands.sh. This script will create several commands that YOU WILL NEED TO MANUALLY CUT AND PASTE INTO YOUR PROXMOX SERVER. These commands will enable your VM to create a tun device for your VPN interface. Run the script and enter the CTID (VMID) of your Easy OpenVPN server.

SAMPLE OUTPUT:

[root@CentosVPN ~]# ./STEP1_create-proxmox_tun_commands.sh
Please enter VMID
101
Please enter these commands into your Proxmox server:
vzctl set 101 --devices c:10:200:rw --save
(may need to shut down VM prior to running the next command)
vzctl set 101 --capability net_admin:on --save
(if VM was stopped, restart VM prior to running the next command)
vzctl exec 101 mkdir -p /dev/net
vzctl exec 101 mknod /dev/net/tun c 10 200
vzctl exec 101 chmod 600 /dev/net/tun
vzctl set 101 --devnodes net/tun:rw --save

Note: vzctl set 101 --capability net_admin:on --save may require stopping the VM. Each vzctl set command needs --save, otherwise the setting is lost the next time the container is restarted.

Run the script STEP2_install-EasyOpenVPN_part1.sh. This script does nothing but display which file to edit for your certificate; all software is already installed. Enter your information.

Run the script STEP3_install-EasyOpenVPN_part2.sh. This script will ask for name & address info for your certificates and then create your certificates. MAKE SURE TO ANSWER EACH QUESTION. Most default answers are taken from the file edited in the previous step. Do not change the server common name when asked; the script expects to see the name "server".

After STEP3 is complete, type ifconfig and check that you have a tun0 interface as below.

SAMPLE OUTPUT:

root@pbx:~ $ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

At this point you should have a basic functioning OpenVPN server.

The script create-EasyOpenVPN-client.sh creates your OpenVPN client config files. Run the script and answer the questions (client name, server IP/FQDN address, etc.). The client OpenVPN configuration files will be placed into the directory /root/keys/<client-name>. Repeat this script for each client, giving each client a NEW NAME. After creating the client configs, place the <client-name>.tar file on your client. Client setup differs from distro to distro; short Ubuntu and Windows notes are given below. Google is your friend!

SAMPLE OUTPUT:

./create-EasyOpenVPN-client.sh
Please enter name for cert
Example: Desktop
Remote-PBX
Please enter your FQDN
Example: mypbx.homelinux.com
mypbx.homelinux.com

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Generating a 1024 bit RSA private key
......................................++++++
.............++++++
writing new private key to 'Remote-PBX.key'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NY'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'Remote-PBX'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Dec 19 15:47:54 2020 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
rm: cannot remove `/etc/openvpn/client.conf.tmp*': No such file or directory
tar: ./Remote-PBX.tar: file is the archive; not dumped
Client config files saved to /root/keys/Remote-PBX

Note the "Generating a 1024 bit RSA private key" line: 1024 bit is the easy-rsa 2.x default (KEY_SIZE in its vars file) and is considered too weak today, so raise it to at least 2048 before running STEP3 and creating clients. The rm and tar messages are harmless: the script removes a temp file that may not exist, and tar skips its own output archive.

Copy the tar file to the new client.

Adding users to the VPN server:


Before you can connect a client to the VPN server, you must first add a user to the VPN server. VPN logins are checked against these system accounts, so give them strong passwords:
# adduser <newuser>
# passwd <newuser>

Client setup: Ubuntu


sudo apt-get install openvpn network-manager-openvpn

Copy the tar file created by the create-EasyOpenVPN-client.sh script above to the /etc/openvpn directory and untar the file. Click on the network-manager applet (top right of desktop), select Configure VPN, and set up a new OpenVPN connection. Configure the settings accordingly, making sure to set the gateway address, set authentication to Password, select the path to your ca.crt (/etc/openvpn/ca.crt) and, under Advanced, select "Use a TCP connection" and port 1194.

Client setup: Windows

An OpenVPN GUI and instructions can be found here: http://openvpn.se/download.html
Make sure to rename your <client>.conf file to <client>.ovpn!

NOTE(s) and Optional configuration:

IP MASQUERADE & ROUTING:

To enable routing between the VPN LAN and the local LAN, perform the following edits on the Easy OpenVPN VM.

Enable IP forwarding. Edit /etc/sysctl.conf and change the line
net.ipv4.ip_forward = 0
to read
net.ipv4.ip_forward = 1
Then apply it immediately, without a reboot, by executing the following command:
$ /sbin/sysctl -w net.ipv4.ip_forward=1

With forwarding on and the static route from the next paragraph in place, VPN clients and LAN hosts can reach each other directly and no NAT rule is needed. If you would rather not add a route on the router, masquerade the VPN traffic behind the VM's eth0 address instead:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
(A PREROUTING rule of the form iptables -t nat -A PREROUTING -i tun0 -j DNAT --to VM.ip, where VM.ip is the address of eth0, is not a substitute: it rewrites the destination of every packet arriving from the VPN to the VM itself, so clients could never reach LAN hosts.) The nat and state modules this needs inside the container are enabled in the PROXMOX IPTABLES section below.

To save these changes to the firewall, type: service iptables save

Next, you will need to tell your firewall/router how your local LAN can reach your new VPN LAN. In your router, add a static route for 10.8.0.0/24 whose gateway is the eth0 interface IP of your OpenVPN server. If you are using DD-WRT firmware, these settings are located under Setup > Advanced Routing.

PROXMOX IPTABLES:

These edits to /etc/vz/vz.conf need to be completed for iptables (in particular the nat and state modules) to work correctly inside Easy OpenVPN. See here for more detail.

sed -i 's|ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length|ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp|' /etc/vz/vz.conf
/etc/init.d/vz restart

TUN:

I noticed that after upgrading/rebooting my Proxmox host that the tun module was not auto-loading. I added tun to the end of /etc/modules to fix this issue. I've also noticed that restarting OpenVPN will cause tun0 issues and OpenVPN will not restart. Rebooting the VM will solve this issue.

STATIC IP ADDRESSES:

Here is a quick how-to.

1) Edit /etc/openvpn/server.conf and add the following line:
client-config-dir ccd

2) Create a file in the directory /etc/openvpn/ccd with the EXACT name of the client that was created with the Easy OpenVPN client script (example: bbfs); this is the certificate common name shown in the client script output. Note, you may have to create the directory /etc/openvpn/ccd. If you want your client to have an IP address of 10.5.0.5, the contents of the file would look like the following:

[root@CentosVPN ccd]# cat bbfs
ifconfig-push 10.5.0.5 10.5.0.6

3) After the above edits, restart OpenVPN to read the new configuration options.

All the above info was taken from the OpenVPN web site. I would strongly suggest reading this page and this page.
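The how-to above leaves one pitfall unstated: the server runs in net30 topology (the sample ifconfig output shows 10.8.0.1 P-t-P 10.8.0.2), so each client is given its own /30 and the two addresses in ifconfig-push must be the two usable hosts of one /30 (client address ending in 1, 5, 9, ..., peer address one higher). A pair such as 10.5.0.4 10.5.0.5 is silently wrong. The helper below is an added example, not one of the Easy OpenVPN scripts: it validates the pair, refuses the server's own endpoint, and writes the ccd file under the client's exact certificate common name. CCD_DIR (/etc/openvpn/ccd) and SERVER_TUN_IP (10.8.0.1, from the sample output) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the Easy OpenVPN template: write a client-config-dir
# (ccd) entry with a fixed address, refusing pairs that net30 topology will not
# accept. CCD_DIR and SERVER_TUN_IP are assumptions (the server's tun0 address
# is taken from the sample ifconfig output in the guide).
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
SERVER_TUN_IP="${SERVER_TUN_IP:-10.8.0.1}"

# ip4_to_int 10.5.0.5 -> 168099845; returns 1 for anything that is not a dotted quad
ip4_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    _n=0
    for _o in "$@"; do
        case "$_o" in 0[0-9]*) return 1 ;; esac   # no leading zeros (octal ambiguity)
        [ "$_o" -le 255 ] || return 1
        _n=$(( _n * 256 + _o ))
    done
    echo "$_n"
}

# valid_net30_pair LOCAL PEER: succeed only for a usable net30 pair that does
# not collide with the server's own tun0 endpoint
valid_net30_pair() {
    _l=$(ip4_to_int "$1") || return 1
    _p=$(ip4_to_int "$2") || return 1
    [ $(( _l % 4 )) -eq 1 ] || return 1        # first host of a /30: last octet 1,5,9,...
    [ "$_p" -eq $(( _l + 1 )) ] || return 1    # peer is the second host of that /30
    [ "$1" != "$SERVER_TUN_IP" ] || return 1   # 10.8.0.1/10.8.0.2 belongs to the server
}

# ccd_entry LOCAL PEER: print the ifconfig-push line, or fail and print nothing
ccd_entry() {
    valid_net30_pair "$1" "$2" || { echo "invalid net30 pair: $1 $2" >&2; return 1; }
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}

# write_ccd CLIENT LOCAL PEER: create $CCD_DIR/CLIENT. CLIENT must be exactly the
# certificate common name, so reject anything that could escape the directory.
write_ccd() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) echo "bad client name: $1" >&2; return 1 ;;
    esac
    _line=$(ccd_entry "$2" "$3") || return 1
    mkdir -p "$CCD_DIR" && printf '%s\n' "$_line" > "$CCD_DIR/$1"
}

# Usage on the server (the bbfs example from the how-to), then restart OpenVPN:
#   write_ccd bbfs 10.5.0.5 10.5.0.6 && service openvpn restart
```

The name check matters because the ccd file name is looked up from the certificate's common name: a stray "/" or ".." in a name would let the script write outside /etc/openvpn/ccd, and a file that does not match the CN exactly is simply never read.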

COMMUNICATION BETWEEN CLIENTS:

To enable communication between VPN clients, uncomment the client-to-client line in /etc/openvpn/server.conf and restart OpenVPN.

Email Setup:
Easy OpenVPN has the ability to email the encrypted client config file. Below is a basic how-to for setting up a Gmail email relay.

# yum install sendmail sendmail-cf cyrus-sasl-plain cyrus-sasl-md5
# mkdir /etc/mail/auth
# chmod 700 /etc/mail/auth
# cd /etc/mail/auth

Edit the file /etc/mail/auth/client-info with your Gmail username and password. This file, and the .db built from it, hold the mailbox password in clear text, which is why both are made readable by root only.

# makemap -r hash client-info.db < client-info
# chmod 600 client-info client-info.db
# service sendmail restart

WEBMIN:
To access the Webmin GUI, go to https://<local LAN IP>:10000. Webmin runs as root and gives full control of the server, so leave port 10000 reachable from the LAN only and do not forward it on the router.
