This document was created based on Centos7:
$ cat /etc/redhat-releaseCentOS Linux release 7.3.1611 (Core)$ uname -a
Linux kvm.depa.mx 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Go to https://openvpn.net > VPN Solution > Access Server Software Packages > Centos > (Choose architecture and copy link)
Install needed packagesyum install wget firewalld -y
Download and install package
wget http://swupdate.openvpn.org/as/openvpn-as-2.1.12-CentOS7.x86_64.rpm (Using copied link)
rpm -ivh openvpn-as-2.1.12-CentOS7.x86_64.rpm
Set an initial password
passwd openvpn
Open Ports using firewalld
- Start and enable the service
systemctl enable firewalld
systemctl start firewalld
- And interfcae to usesystemctl start firewalld
firewall-cmd --add-interface=eth1 --permanent --zone=public
- Add 1194 & 443 ports for Access
firewall-cmd --add-port=1194/udp --permanent --zone=public
firewall-cmd --add-port=443/tcp --permanent --zone=public
** Note that althoug 1194 is listening and firewall allows traffic it will be marked as closed with no real VPN traffic
- Add services to the rulefirewall-cmd --add-port=443/tcp --permanent --zone=public
** Note that althoug 1194 is listening and firewall allows traffic it will be marked as closed with no real VPN traffic
firewall-cmd --add-service=https --permanent --zone=public
firewall-cmd --add-service=openvpn --permanent --zone=public
- Reload service to tae effects
firewall-cmd --reload
Add an admin user
adduser -c "Administartor" -m -s /bin/bash admin
Add admin user in OpenVPN Web
- Go to Admin Web
Login using openvpn user and its password
https://ipaddress/admin > User Management > User Permission
https://ipaddress/admin > User Management > User Permission
Add "admin" user and make it admin > Save Settings > Update Running Server , Once added logout and login again using admin and delete the default one (openvpn user)
Allow client to access internal LAN
In user Permission click on show and check out "Use NAT" and add bellow CIRD - Classless Inter-Domain Routing - (Add the networks you need)
172.16.0.0/12
192.168.1.0/24
Also we have to check out the next checkboxes in order to have access internally
- Allow Access From: all server-side private subnets
- Allow Access From: all other VPN clients
Click on "Save Settings" > "Update Running Server"
- Allow Access From: all other VPN clients
Enable ipv4 forwarding (Executed in the server)
-Review if it is enabled
sysctl net.ipv4.ip_forward
Enable using sysctl
sysctl -w net.ipv4.ip_forward=1
Enable TFA - Google AuthenticatorConfiguration > Client Settings > Configure Google Authenticator support > Check the box below
Logout and Login
Download Google autenticator in your device > Add new (in your device) > Scan QR and click on "I scanned the QR code"
See user's details
cd /usr/local/openvpn_as/scripts
./confdba -us -p admin
Create a new code to configure TFA
./sacli --user admin GoogleAuthRegen
On the client side
- Fedora/CentOS/RedHat:
yum install openvpn
- Ubuntu/Debian:
apt-get install openvpn
Once installed executed bellow command (You'll be promped for user/password/TFA code)
openvpn --config client.ovpn
If issues with Google Authenticator
- Encoding issue and was resolved by changing verbosity level from verb 3 to verb 4 in client.ovpn (AUTH_FAILED,Google Authenticator Code must be a number | Triggered when tyring to log into VPN thru command)
sed 's/verb 3/verb 4/' -i client.ovpn
- If issues in Web Admin only review date and time in the server
References
Google authenticator reset
https://forums.openvpn.net/viewtopic.php?t=15366
IPv4 Forwarding
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
Commands for openvpn and user management
https://docs.openvpn.net/command-line/managing-user-and-group-properties-from-command-line/
Connect to OpenVPN
https://openvpn.net/index.php/access-server/docs/admin-guides/182-how-to-connect-to-access-server-with-linux-clients.html
No comments:
Post a Comment