Linux/OpenVPN: Unterschied zwischen den Versionen

Aus VivaLV
Zur Navigation springen Zur Suche springen
 
(7 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 12: Zeile 12:
  username-as-common-name
  username-as-common-name


Add this line for TLS Authentication (the client then also has to import '''ta.key'''):
Add this line for TLS Authentication (the client then also has to import '''ta.key''' and use direction '''1'''):
  tls-auth ta.key 0
  tls-auth ta.key 0


Zeile 33: Zeile 33:
  modprobe iptable_nat # if compiled as module
  modprobe iptable_nat # if compiled as module
  iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
  iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
For verifying, list nat rules:
iptables -t nat -v -L -n --line-number


Open port '''12112 UDP''' on your router.
Open port '''12112 UDP''' on your router.
Zeile 38: Zeile 41:
Start OpenVPN:
Start OpenVPN:
  /etc/init.d/openvpn start
  /etc/init.d/openvpn start
 
If everything works, add OpenVPN to the default runlevel, so that it starts during boot:
If everything works, add OpenVPN to the default runlevel, so that it starts during boot:
  rc-update add openvpn
  rc-update add openvpn
Zeile 45: Zeile 48:
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.  
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.  


Import client openvpn.conf. Enable "User/PW + Certificates" and "Use default route". Disable "LZO Compression", if you disabled it on the server because of ChromeOS clients.
Import client '''openvpn.conf'''. Enable '''User/PW + Certificates''' and '''Use default route'''.  
 
Disable '''LZO Compression''', if you disabled it on the server because of simple ChromeOS clients.


If you want to use TLA Authentication then import also ta.key.
If you want to use '''TLA Authentication''' then import also '''ta.key''' and choose TLS direction '''1'''.


= ChromeOS =
= ChromeOS =


== Simple ==
== Simple ==
Restrictions of simple method:
* no compression
* no tlsauth
* only UDP
On the Linux server:
  openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
  openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12


Zeile 72: Zeile 83:


= WiFi Hotspots =
= WiFi Hotspots =
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.
Some Hotspots (for example Telekom Germany) do not allow '''UDP''' packets. In that case, configure OpenVPN to use '''TCP'''.


= Multiple OpenVPN servers on one machine (Gentoo) =
= Multiple OpenVPN servers on one machine (Gentoo) =

Aktuelle Version vom 27. Juni 2019, 16:24 Uhr

Setup for an OpenVPN server which handles ALL traffic

First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN

Do not forget to first setup the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts

Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:

push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

Add these lines for user/password authentication in addition to the certificate:

plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name

Add this line for TLS Authentication (the client then also has to import ta.key and use direction 1):

tls-auth ta.key 0

Check the necessary kernel options (can be set as Modul):

CONFIG_TUN
CONFIG_IP_NF_CONNTRACK 
CONFIG_IP_NF_IPTABLES 
CONFIG_IP_NF_NAT

Allow IP forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Check that it is allowed:

cat /proc/sys/net/ipv4/ip_forward

Allow on the fly:

echo 1 > /proc/sys/net/ipv4/ip_forward

Activate IP forwarding/routing (necessary after each reboot, so put it for example in /etc/local.d/baselayout1.start):

modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE

For verifying, list nat rules:

iptables -t nat -v -L -n --line-number

Open port 12112 UDP on your router.

Start OpenVPN:

/etc/init.d/openvpn start

If everything works, add OpenVPN to the default runlevel, so that it starts during boot:

rc-update add openvpn

Android

Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.

Import client openvpn.conf. Enable User/PW + Certificates and Use default route.

Disable LZO Compression, if you disabled it on the server because of simple ChromeOS clients.

If you want to use TLA Authentication then import also ta.key and choose TLS direction 1.

ChromeOS

Simple

Restrictions of simple method:

  • no compression
  • no tlsauth
  • only UDP

On the Linux server:

openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
  • import ca.crt and client1.p12 at chrome://settings/certificates and then use the OpenVPN connection wizard of ChromeOS.
  • disable comp-lzo and tlsauth and use proto udp in /etc/openvpn/openvpn.conf and restart OpenVPN
  • use servername:12112 in ChromeOS OpenVPN connection settings

Source: https://www.errietta.me/blog/openvpn-chromebook/

Advanced

For advanced configuration, you also have to import the certificates and then you have to create a .onc config file and import it at chrome://net-internals/#chromeos.

Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol.

More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub.

Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique.

Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/

WiFi Hotspots

Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.

Multiple OpenVPN servers on one machine (Gentoo)

Create 2 config files server1.conf and server2.conf in /etc/openvpn with the content from above. Then change the following lines:

server1.conf:

port 12112
proto udp
dev tun0
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

server2.conf:

port 3389
proto tcp
dev tun1
server 10.200.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt

Open both ports on your router.

Link to OpenRC config:

ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2

Create 2 routes:

iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE

Start both servers:

/etc/init.d/openvpn.server1 start
/etc/init.d/openvpn.server2 start

Configure autostart:

rc-update add openvpn.server1
rc-update add openvpn.server2