Howto: OpenVPN server

[sephora]

Hello everyone!

A few weeks back I build a OpenVPN server, which was a bit of a struggle to get everything working. So I decided to share my setup. Maybe someone finds this usefull.

This is a short summery and configuration example.

Scenario:
I have a router that's running Gentoo (of course!).
My router handles the internet connection for my LAN and WLAN.
I want remote clients to connect to my local LAN via OpenVPN.
All machines in the LAN should be able to see each other.
As network protocol I use UDP. UDP because I want the clients to access a TeamSpeak server located in my local LAN. The clients should also be able to play old LAN games together that often use UDP.

Step 1:
Build a bridge of the routers LAN device and a TAP device to be used by OpenVPN.

Kernel config:

Code: Select all

CONFIG_BRIDGE=y

Stop LAN device:
Your going to loose your SSH-session at this point if your access the router from local LAN!

Code: Select all

rc-service stop enp3s0

Setup bridge device:

Code: Select all

ip link add br0 type bridge
ip link set dev enp3s0 master br0
ip link set dev tap0 master br0
ln -s /etc/init.d/net.lo /etc/init.d/net.tap0 
ln -s /etc/init.d/net.lo /etc/init.d/net.br0 

OpenRC net config:

Code: Select all

#bridge configuration
tuntap_tap0="tap"
config_tap0="null"
config_enp3s0="null"
bridge_br0="enp3s0 tap0"
config_br0="<static router ip address>/24"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000

depend_br0() {
    need net.enp3s0
    need net.tap0
}

OpenRC updates:

Code: Select all

rc-update del net.enp3s0 default
rc-update add net.tap0 default
rc-update add net.br0 default

More detailed information can be found in the Gentoo Wiki.

Step 2:
OpenVPN server configuration:

Code: Select all

port <myOpenVPN port>
proto udp
dev tap0

# keys configuration, use generated keys
askpass <myOpenVPN>/<myOpenVPN>.pass
ca   <myOpenVPN>/ca.crt
cert <myOpenVPN>/<myOpenVPN>.crt
key  <myOpenVPN>/<myOpenVPN>.key
dh   <myOpenVPN>/dh.pem

# optional tls-auth key to secure identifying
tls-auth <myOpenVPN>/<myOpenVPN>_tls.key 0

# OpenVPN 'virtual' network information, network and mask
server-bridge
mode server
tls-server

push "route-gateway dhcp"
push "explicit-exit-notify 3"

# persistent device and key settings
persist-key
persist-tun
cipher                AES-256-GCM
data-ciphers          AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

tun-mtu 1500
mssfix 1104

# connection
keepalive 10 120

max-clients 50

user nobody
group nobody

# logging
status openvpn-status.log
log /var/log/openvpn.log
verb 3

Step 3:
Generate root certificate.
I used Easy-RSA to create the server certificate and keypairs.
Here is the link to the OpenVPN-Wiki that I used to get the CA and keypairs: EasyRSA3-OpenVPN-Howto
Easy-RSA can be found here: Easy-RSA

Remember to also generate keys for the clients.

Code: Select all

./easyrsa build-client-full <client1>

Generate shared key for tls-auth:

Code: Select all

openvpn --genkey --secret <myOpenVPN>.key

Create server config directory and copy certificate and keys:

Code: Select all

cd /etc/openvpn
mkdir <myOpenVPN>
cp <Easy-RSA>/pki/ca.crt <myOpenVPN>
cp <Easy-RSA>/pki/<myOpenVPN>.key <myOpenVPN>
cp <Easy-RSA>/pki/dh.pem <myOpenVPN>
cp <Easy-RSA>/pki/issued/<myOpenVPN>.crt <myOpenVPN>
cp <Easy-RSA>/pki/issued/<client1>.crt <myOpenVPN>
cp <Easy-RSA>/pki/private/<client1>.key <myOpenVPN>

Step 4:
OpenVPN client config.

Code: Select all

client
proto udp
dev tap0
key-direction 1
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote <myOpenVPN public adress> <myOpenVPN port>
remote-cert-tls server
float
auth-nocache
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>

To ease the build of client config files I use this simple script that I found online (unfortunately I forgot where):

Code: Select all

#!/bin/sh

# Default Variable Declarations
DEFAULT="client.conf"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
CA="ca.crt"
TA="<myOpenVPN>.key"
kPath="/etc/openvpn/<myOpenVPN>/"

#Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME

ovpnName=$NAME$FILEEXT

#echo "Please enter an Name for the output file"
#read ovpnName

#1st Verify that client's Public Key Exists
if [ ! -f $kPath$NAME$CRT ]; then
   echo "[ERROR]: Client Public Key Certificate not found: $kPath$NAME$CRT"
   exit
fi
echo "Client's cert found: $kPath$NAME$CRT"

#Then, verify that there is a private key for that client
if [ ! -f $kPath$NAME$KEY ]; then
   echo "[ERROR]: Client 3des Private Key not found: $kPath$NAME$KEY"
   exit
fi
echo "Client's Private Key found: $kPath$NAME$KEY"

#Confirm the CA public key exists
if [ ! -f $kPath$CA ]; then
   echo "[ERROR]: CA Public Key not found: $kPath$CA"
   exit
fi
echo "CA public Key found: $kPath$CA"

#Confirm the tls-auth ta key file exists
if [ ! -f $kPath$TA ]; then
   echo "[ERROR]: tls-auth Key not found: $kPath$TA"
   exit
fi
echo "tls-auth Private Key found: $kPath$TA"

#Ready to make a new .opvn file - Start by populating with the

cat $DEFAULT > $ovpnName

#Now, append the CA Public Cert
echo "<ca>" >> $ovpnName
cat $kPath$CA | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $ovpnName
echo "</ca>" >> $ovpnName

#Next append the client Public Cert
echo "<cert>" >> $ovpnName
cat $kPath$NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $ovpnName
echo "</cert>" >> $ovpnName

#Then, append the client Private Key
echo "<key>" >> $ovpnName
cat $kPath$NAME$KEY >> $ovpnName
echo "</key>" >> $ovpnName

#Finally, append the TA Private Key
echo "<tls-auth>" >> $ovpnName
cat $kPath$TA >> $ovpnName
echo "</tls-auth>" >> $ovpnName

echo "Done! $ovpnName Successfully Created."

To use this script you need a default config 'client.conf' which, in my case, looks like this:

Code: Select all

proto udp
dev tap0
key-direction 1
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote <myOpenVPN public adress> <myOpenVPN port>
remote-cert-tls server
float
auth-nocache

And the certificates and keys for the client have to be placed in '/etc/openvpn/<myOpenVPN>'.

Step 5:
Start the OpenVPN-Server.
Create a link that matches your server config file name '/etc/openvpn/<myOpenVPN>.conf':

Code: Select all

ln -s /etc/init.d/openvpn /etc/init.d/openvpn.<myOpenVPN>
rc-service openvpn.<myOpenVPN> start

Remember to open the UDP port for <myOpenVPN port> in your firewall!

Monitor your log file:

Code: Select all

watch -cn 15 tail -n 40 /var/log/openvpn.log

Step 6:
Client service.
In my setup the client machines are running Windows.
And since this config uses TAP as network device i use the OpenVPN community client you can find here:
OpenVPN 2.6.8

I won't go into Windows firewall setup here. Therefore just a hint:
Setting the TAP device on the Windows client to 'private network' makes it more easy to configure the firewall on the client machine. Also enabling 'ping' helps with trouble shooting.


Have fun!

[pa4wdh]

Thanks for sharing your work and experience.

Be aware that the general advice is against tap unless you have a use-case that absolutely requires it (i've even seen claims like "if you need tap you're doing something wrong"). Configuration wise the difference is that tun doesn't require a bridge device, but you'll need to set up routing and probably firewalling.

[fedeliallalinea]

Moved from Networking & Security to Documentation, Tips & Tricks.

[sephora]

Thanks for sharing your work and experience.

Be aware that the general advice is against tap unless you have a use-case that absolutely requires it (i've even seen claims like "if you need tap you're doing something wrong"). Configuration wise the difference is that tun doesn't require a bridge device, but you'll need to set up routing and probably firewalling.

Yes. I read that too.
In fact my first approach was to setup TUN with TCP as protocol. And this did work.
Except for VoIP. I was able to connect to my TeamSpeak but audio didn't work. Since audio is transferred via UDP.
The same is true for the LAN-Lobbys in many (all) games. Though direct connect using the IP address did work.

To solve this issue I switched my OpenVPN server to UDP.
And this is the point were my struggle started. I wasn't able to connect the client to the server. It was a real challenge to find out what went wrong and why.
I have to say that the community client does a really good job in helping to debug the config. It's quite verbose and does also a good job in explaining whats going on.
For debugging the routing I used one or two VMs with Windows installed. The VMs were connect to the LAN via NAT and/or bridged, I played around with that. Using VMs is helpful but is also adds an additional level of complexity. Especially if NAT is used. But using VMs only brings you that far since they are all running on the same machine which is connected to my LAN.
So I ask one of my friends to help with the debugging from the outside. Manly to debug my firewall script.

After reading the logs and grepping network packets with tcpdump I came to the conclusion that for some reason when the clients try to connect the packets that the server sends back to the client get lost. Which points to a routing problem. But even after spending hours I couldn't get it to work. At some point the packets got lost. I still don't know why. Maybe it's routing or they get dropped. Either way there was no log entry and, at least for me, that didn't make sense.

And here I took a step back and rethought about what I really want to built here.
In the end I just want my friends to connect to my local LAN. Been able to talk to each other using TeamSpeak. And spend now and then a evening together playing games.

That's when I decided to go for the TAP device. Since it's totally sufficient to bridge the VPN-clients to my LAN. I know that using TAP adds latency. But since I have only a hand full machines connected that doesn't really matter. Also setting up the VPN via TAP makes the config and firewall (and routing) much cleaner and much easier to handle, in my opinion. I don't recommend using this config for large scale but for a small setup it's totally fine.

It's absolutely possible that I made a mistake somewhere along the line and maybe it's a easy fix to get the TUN setup to work. But at this point I'm happy with the solution I have.

[pa4wdh]

Running a TCP based VPN always gives bad results, especially for latency sensitive protocols like VoIP, it's can even run into a deadlock when you run a TCP based protocol inside your VPN. UDP is the right choice .

The main difference between TUN and TAP is that TAP bridges the client to the server lan (layer 2) and TUN will make a subnet available to the clients and you'll have to route that to your server lan (layer 3). So with TAP the networks on both sides of the VPN are in the same subnet, with TUN you'll get a new subnet with your VPN clients and you'll have to take care of routing to create connectivity between them.

[sephora]

True.
And thank you for your feedback.

For some reason I couldn't get the UDP routing to play along while TCP was working fine.
I did spend a lot of time in debugging there.

Anyway, my VPN is working as it is right now.
Maybe, if I feel very bored, I give it another try.
But I have to say to debug firewalls and routing tables is one of my least favorite topics. -.-

[Hund]

What's your reasoning for choosing something like OpenVPN, when we have better options like Wireguard? :)

[sephora]

Good point.

The truth is: There's no particular reason. Except that I did work with OpenVPN before.
Maybe I'll give WireGuard a shot. But since OpenVPN is working for me now it's not a priority.

Thanks for the hint.

[szatox]

Wireguard is only an IP tunnel (L3) and must be routed while openvpn can send ethernet frames (L2) as well and can be bridged. There are some thing that only be done at L2.
OpenVPN clients can have dynamic internal IPs, while wireguard must be configured manually but allows the clients to change their public IP without breaking the tunnel.

Both options will work just fine for _most_ people, but they both have their advantages in some corner cases. Use whatever gets the particular job done.

[pa4wdh]

Indeed, both do VPN's and both do them well.
In my opinion OpenVPN is a but better suited for dynamic environments (like many clients connecting to a server) because you can push settings to clients. I usually try to make the VPN config as small as possible and push the rest from the server.

[jiminwilson]

Is this really workable solution?