Tuesday, January 23, 2018

Installing VPN server using OpenVPN

This document was created based on Centos7:

$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
$ uname -a
Linux kvm.depa.mx 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Go to https://openvpn.net > VPN Solution > Access Server Software Packages > Centos > (Choose architecture and copy link)

Install needed packages
yum install wget firewalld -y
Download and install package
wget http://swupdate.openvpn.org/as/openvpn-as-2.1.12-CentOS7.x86_64.rpm (Using copied link)
rpm -ivh openvpn-as-2.1.12-CentOS7.x86_64.rpm
Set an initial password
passwd openvpn
Open Ports using firewalld
- Start and enable the service

systemctl enable firewalld
systemctl start firewalld
- Add the interface to use

firewall-cmd --add-interface=eth1 --permanent --zone=public
- Add 1194 & 443 ports for Access

firewall-cmd --add-port=1194/udp --permanent --zone=public
firewall-cmd --add-port=443/tcp --permanent --zone=public
** Note that although 1194 is listening and the firewall allows the traffic, the port will be reported as closed while there is no real VPN traffic
- Add services to the rule

firewall-cmd --add-service=https --permanent --zone=public
firewall-cmd --add-service=openvpn --permanent --zone=public
- Reload the service for the changes to take effect

firewall-cmd --reload

Add an admin user
adduser -c "Administrator" -m -s /bin/bash admin
Add admin user in OpenVPN Web
- Go to Admin Web

Login using openvpn user and its password
https://ipaddress/admin > User Management > User Permission
Add the "admin" user and make it admin > Save Settings > Update Running Server. Once added, log out and log back in as admin and delete the default one (openvpn user)

Allow client to access internal LAN
In User Permissions click on Show, check "Use NAT" and add the CIDR (Classless Inter-Domain Routing) networks below (add the networks you need)
172.16.0.0/12
192.168.1.0/24
We also have to check the following checkboxes in order to have internal access

- Allow Access From: all server-side private subnets
- Allow Access From: all other VPN clients
Click on "Save Settings" > "Update Running Server"

Enable ipv4 forwarding (Executed in the server)
- Check whether it is enabled

sysctl net.ipv4.ip_forward
- Enable it using sysctl

sysctl -w net.ipv4.ip_forward=1
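To confirm that the firewalld and forwarding steps above actually took effect, here is an added shell helper (not part of the original post) that checks the public zone listing and the ip_forward value against what this setup needs. It assumes the plain `firewall-cmd --zone=public --list-all` output format shown in the constructed samples; the function name and samples are mine.

```sh
#!/bin/sh
# check_vpn_firewall ZONE_LISTING IP_FORWARD
#   ZONE_LISTING: text of `firewall-cmd --zone=public --list-all`
#   IP_FORWARD:   value of `sysctl -n net.ipv4.ip_forward`
# Prints "ok" and returns 0, or prints the missing items and returns 1.
check_vpn_firewall() {
    listing=$1
    ip_forward=$2
    missing=""
    # Each "key: values" line of the listing is a space-separated list.
    ifaces=$(printf '%s\n' "$listing" | sed -n 's/^ *interfaces: *//p')
    case " $ifaces " in *" eth1 "*) ;; *) missing="$missing interface:eth1" ;; esac
    services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
    for s in https openvpn; do
        case " $services " in *" $s "*) ;; *) missing="$missing service:$s" ;; esac
    done
    ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
    for p in 1194/udp 443/tcp; do
        case " $ports " in *" $p "*) ;; *) missing="$missing port:$p" ;; esac
    done
    # Forwarding is required for clients to reach the internal LAN via NAT.
    [ "$ip_forward" = "1" ] || missing="$missing sysctl:net.ipv4.ip_forward"
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample listings (not real captures) for offline use.
SAMPLE_OK='public (active)
  target: default
  interfaces: eth1
  services: dhcpv6-client ssh https openvpn
  ports: 1194/udp 443/tcp
'
SAMPLE_BAD='public
  interfaces:
  services: ssh
  ports: 443/tcp
'

# Run with --live on the server itself to check the real state.
if [ "${1:-}" = "--live" ]; then
    check_vpn_firewall "$(firewall-cmd --zone=public --list-all)" \
                       "$(sysctl -n net.ipv4.ip_forward)"
fi
```

Keep in mind that `sysctl -w` only changes the running kernel; to keep forwarding enabled across reboots, put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/.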
Enable TFA - Google Authenticator
Configuration > Client Settings > Configure Google Authenticator support > Check the box below
Logout and Login
Download Google Authenticator on your device > Add new (on your device) > Scan the QR code and click on "I scanned the QR code"
See user's details
cd /usr/local/openvpn_as/scripts
./confdba -us -p admin
Create a new code to configure TFA
./sacli --user admin GoogleAuthRegen
On the client side
- Fedora/CentOS/RedHat:

yum install openvpn
- Ubuntu/Debian:

apt-get install openvpn
Once installed, execute the command below (you'll be prompted for user/password/TFA code)

openvpn --config client.ovpn

If issues with Google Authenticator

- Encoding issue, resolved by changing the verbosity level from verb 3 to verb 4 in client.ovpn (AUTH_FAILED,Google Authenticator Code must be a number | triggered when trying to log into the VPN through the command line)
sed 's/verb 3/verb 4/' -i client.ovpn
- If the issue is only in the Web Admin, check the date and time on the server
References
Google authenticator reset
https://forums.openvpn.net/viewtopic.php?t=15366
IPv4 Forwarding
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
Commands for openvpn and user management
https://docs.openvpn.net/command-line/managing-user-and-group-properties-from-command-line/
Connect to OpenVPN
https://openvpn.net/index.php/access-server/docs/admin-guides/182-how-to-connect-to-access-server-with-linux-clients.html