
OpenVPN on Ubuntu 16.04
Contents
Installation & Configuration
Authentication Modules
iptables rules

Installation & Configuration

apt install openvpn easy-rsa
make a separate directory for the keys
mkdir -pv /etc/openvpn/easy-rsa
copy the key tools to the easy-rsa directory
cp -rv /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
modify the variables; change the items listed in the example below to your own values
nano /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN
export KEY_ALTNAMES="MyVPN"
change to the easy-rsa directory
cd /etc/openvpn/easy-rsa
load the variables you set up earlier into the shell
source vars
run the clean-up script (this wipes the keys directory)
./clean-all
build the certificate authority
./build-ca
build the server certificate and key; change the server name (dc1) to yours
./build-key-server dc1
build the Diffie-Hellman parameters file
./build-dh
copy the gzipped sample server configuration to the openvpn directory
cp -v /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
decompress the configuration file
gzip -dv /etc/openvpn/server.conf.gz
edit the configuration file
nano /etc/openvpn/server.conf
make sure the following directives point to your keys
ca 	easy-rsa/keys/ca.crt
cert 	easy-rsa/keys/dc1.crt
key 	easy-rsa/keys/dc1.key
dh 	easy-rsa/keys/dh2048.pem
make the log directory
mkdir -pv /var/log/openvpn
relocate the status log and enable the main log under /var/log/openvpn
sed -i 's,status openvpn-status.log,status /var/log/openvpn/openvpn-status.log,g' /etc/openvpn/server.conf
sed -i 's,;log-append openvpn.log,log-append  /var/log/openvpn/openvpn.log,g' /etc/openvpn/server.conf
push a route for your LAN subnet to the clients (optional)
cat << eot >> /etc/openvpn/server.conf

# private/natted lan
push "route 192.168.0.0 255.255.255.0"
eot
start the VPN server
/etc/init.d/openvpn start
check whether the tunnel interface is up; if it is not, reboot the server
ifconfig tun0
try to ping the VPN address of the server
ping -c4 10.8.0.1
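A quick sanity check to run before starting the server. This is an added example, not part of the original page: the function name check_openvpn_paths is mine, and it assumes that relative ca/cert/key/dh paths in server.conf resolve against /etc/openvpn, which is the working directory the Ubuntu service runs OpenVPN in. It reads the directives from server.conf and reports any file that does not exist, which is the usual cause of the server refusing to start after the steps above.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the ca/cert/key/dh
# directives in an OpenVPN server.conf point at files that actually exist.
# Relative paths are resolved against the second argument, because OpenVPN
# resolves them against its working directory (/etc/openvpn on Ubuntu).
check_openvpn_paths() {
    conf=$1
    base=${2:-/etc/openvpn}
    missing=0

    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # Fields are split on whitespace (space or tab); extra fields such as
    # the "0" after "tls-auth ta.key 0" land in the dummy variable "rest".
    while read -r directive path rest; do
        case "$directive" in
            ca|cert|key|dh|tls-auth|tls-crypt|crl-verify) ;;  # file-bearing directives
            *) continue ;;                                    # comments, blanks, other options
        esac
        [ -n "$path" ] || continue
        [ "$path" = none ] && continue                        # "dh none" is valid
        case "$path" in
            /*) full=$path ;;
            *)  full=$base/$path ;;
        esac
        if [ -r "$full" ]; then
            echo "ok      $directive $full"
        else
            echo "MISSING $directive $full" >&2
            missing=$((missing + 1))
        fi
    done < "$conf"
    # exit status is the number of missing files, so 0 means all good
    return "$missing"
}

# Usage when run directly: sh check_paths.sh /etc/openvpn/server.conf [/etc/openvpn]
if [ "$#" -gt 0 ]; then
    check_openvpn_paths "$1" "${2:-/etc/openvpn}"
fi
```

Run it as root (the .key files are not readable by other users, so a non-root run reports them as missing) and fix any MISSING line before starting the service.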

Authentication Modules

let's make a separate directory for all plugins; any module configuration will go there. It is not required, just keeps things neat
mkdir -pv /etc/openvpn/plugin
1. Certificate
generate the client certificate and key
cd /etc/openvpn/easy-rsa/
source vars
./build-key client
Client Setup (Windows)
copy ca.crt, client.crt and client.key from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote dc1
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
; Set the name of the Windows TAP network interface device here
dev-node VPN
2. Pluggable Authentication Modules (PAM)
append following to /etc/openvpn/server.conf
cat << eot >> /etc/openvpn/server.conf

# user authentication
client-cert-not-required

# pam authentication
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
eot
now create the openvpn profile in the pam.d directory
cat << eot >> /etc/pam.d/openvpn
auth    required        pam_unix.so    shadow    nodelay
auth    requisite       pam_succeed_if.so uid >= 500 quiet
auth    requisite       pam_succeed_if.so user ingroup openvpn quiet
account required        pam_unix.so
eot
line 2 means the user's uid must be greater than or equal to 500.
line 3 means the user must be a member of the openvpn group. Create the group if needed.
now create the user openvpn and the group openvpn
useradd openvpn
set up the password for openvpn; I will set it to test just for ease
passwd openvpn
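When a login is rejected with AUTH_FAILED it is useful to know which of the two pam_succeed_if conditions the account misses. The following is an added example, not from the original page: the function names policy_allows and pam_openvpn_preflight are mine, and the minimum uid (500) and group name (openvpn) are the values from the /etc/pam.d/openvpn profile above. It mirrors that policy in shell so an account can be checked before a client is pointed at the server.

```shell
#!/bin/sh
# Added example (not from the original page): mirror the pam_succeed_if rules
# in /etc/pam.d/openvpn (uid >= 500 and member of group openvpn) so an account
# can be checked before a client tries to log in. The policy check is a pure
# function so it can be exercised with constructed values; the wrapper feeds it
# real data from id(1).
MIN_UID=500
VPN_GROUP=openvpn

# policy_allows UID "GROUP GROUP ..." -> prints the reason, returns 0 (allow) or 1 (deny)
policy_allows() {
    uid=$1
    groups=$2
    # rule 2 in the PAM profile: system accounts (uid below 500) are refused
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "deny: uid $uid is below $MIN_UID (system account)"
        return 1
    fi
    # rule 3 in the PAM profile: must be in the openvpn group
    for g in $groups; do
        if [ "$g" = "$VPN_GROUP" ]; then
            echo "allow: uid $uid is in group $VPN_GROUP"
            return 0
        fi
    done
    echo "deny: not a member of group $VPN_GROUP"
    return 1
}

# pam_openvpn_preflight USER -> same result, looking the user up on this host
pam_openvpn_preflight() {
    user=$1
    uid=$(id -u "$user" 2>/dev/null) || { echo "deny: no such user $user"; return 1; }
    # id -nG lists the primary and supplementary groups, like pam_succeed_if's ingroup
    policy_allows "$uid" "$(id -nG "$user")"
}

# Usage when run directly: sh preflight.sh openvpn
if [ "$#" -gt 0 ]; then
    pam_openvpn_preflight "$1"
fi
```

Note that this only reproduces the pam_succeed_if lines; the password itself is still checked by pam_unix.so, so a "allow" here means the account is eligible, not that the password is right.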
Client Setup (Windows)
copy ca.crt from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
Now try to connect from the Windows client using the openvpn account; mine was working at this point, so should yours.
3. FreeRADIUS
install the package
apt-get install openvpn-auth-radius
copy the radius configuration file
cp -v /usr/share/doc/openvpn-auth-radius/examples/radiusplugin.cnf /etc/openvpn/plugin
edit the config file /etc/openvpn/plugin/radiusplugin.cnf and change the server name or IP and the shared secret to yours
sed -i 's,name=192.168.0.153,name=192.168.0.2,g' /etc/openvpn/plugin/radiusplugin.cnf
configure openvpn to use the new radius authentication module
cat << eot >> /etc/openvpn/server.conf

# radius authentication
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/plugin/radiusplugin.cnf
eot
Note: for this to work, make sure none of the other authentication modules is in use; adjust /etc/openvpn/server.conf and comment out any other modules
restart openvpn
/etc/init.d/openvpn restart
Client Setup (Windows)
copy ca.crt from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
4. LDAP/Active Directory
install the package
apt-get install openvpn-auth-ldap
copy the ldap configuration file
cp -v /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/plugin
edit the ldap configuration file and change the authentication settings to your environment; the file is pretty simple and self-explanatory
nano /etc/openvpn/plugin/auth-ldap.conf
now tell the openvpn server to use the new setting
cat << eot >> /etc/openvpn/server.conf

# ldap/ad authentication
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/plugin/auth-ldap.conf
eot
Note: for this to work, make sure none of the other authentication modules is in use; adjust server.conf and comment out any other modules
Client Setup (Windows)
copy ca.crt from /etc/openvpn/easy-rsa/keys to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn with the following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN

iptables rules

enable IPv4 forwarding (persistently in sysctl.conf, and immediately via /proc)
sed -i 's,#net.ipv4.ip_forward = 1,net.ipv4.ip_forward = 1,g' /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
allow OpenVPN in the default iptables configuration
cat << eot >>

# allow openvpn
-A INPUT -p udp -m multiport --dport 1194 -j ACCEPT
eot
iptables rules to allow forwarding OpenVPN traffic to the LAN
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
at this point you should be able to talk to your LAN via the OpenVPN tunnel; try pinging your LAN from the Windows client connected via OpenVPN
if everything works as expected, let's make these rules apply on reboot as well: paste the following into /etc/rc.local right above exit 0, like so
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
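The rules above hard-code the 10.8.0.0/24 tunnel subnet and eth0, and running the block twice (say from rc.local and then again by hand) appends a second copy of each rule. The following is an added example, not from the original page: the function names render_openvpn_rules and apply_openvpn_rules are mine, and the defaults (10.8.0.0/24, eth0) are the page's values. It generates the same four rules from parameters and, for each, deletes any existing copies before appending, so the set stays exactly one copy of each rule in the original order however often it is applied.

```shell
#!/bin/sh
# Added example (not from the original page): generate the FORWARD/NAT rules
# for the tunnel from parameters instead of hard-coding them, as shell commands
# that are safe to run more than once. Each rule is deleted until no copy
# remains (-D fails when none is left) and then appended exactly once, which
# keeps the ACCEPT rules ahead of the catch-all REJECT.

# render_openvpn_rules VPN_SUBNET LAN_IFACE -> prints the iptables commands
render_openvpn_rules() {
    vpn=${1:-10.8.0.0/24}
    lan=${2:-eth0}
    for spec in \
        "filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "filter FORWARD -s $vpn -j ACCEPT" \
        "filter FORWARD -j REJECT" \
        "nat POSTROUTING -s $vpn -o $lan -j MASQUERADE"
    do
        set -- $spec             # word-split: $1=table $2=chain, the rest is the rule
        table=$1; chain=$2; shift 2
        echo "while iptables -t $table -D $chain $* 2>/dev/null; do :; done"
        echo "iptables -t $table -A $chain $*"
    done
}

# apply_openvpn_rules VPN_SUBNET LAN_IFACE -> runs the generated commands (root)
apply_openvpn_rules() {
    render_openvpn_rules "$1" "$2" | sh
}

# Usage when run directly: sh vpnrules.sh 10.8.0.0/24 eth0   (prints the commands)
if [ "$#" -gt 0 ]; then
    render_openvpn_rules "$1" "$2"
fi
```

To persist the rules, paste the printed commands into /etc/rc.local above exit 0 in place of the plain iptables -A lines; to apply them on a running server call apply_openvpn_rules with your subnet and LAN interface.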


Commands

connect via the command line
openvpn --config client.ovpn
connect with saved credentials (a file with the username on line 1 and the password on line 2)
openvpn --config client.ovpn --auth-user-pass credfile
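The credentials file holds a password in clear text, so it should be created owner-readable only. The following is an added example, not from the original page: the function names write_credfile and check_credfile are mine; the two-line file format (username, then password) is what OpenVPN's --auth-user-pass reads. write_credfile creates the file under a restrictive umask, and check_credfile verifies the permissions and layout before the file is handed to openvpn.

```shell
#!/bin/sh
# Added example (not from the original page): create and validate the file that
# "openvpn --auth-user-pass credfile" reads (line 1 username, line 2 password).

# write_credfile PATH USERNAME PASSWORD
write_credfile() {
    file=$1; user=$2; pass=$3
    old_umask=$(umask)
    umask 077                          # file is created 0600, never group/world readable
    printf '%s\n%s\n' "$user" "$pass" > "$file"
    umask "$old_umask"
}

# check_credfile PATH -> 0 if the file is usable, 1 with a reason on stderr otherwise
check_credfile() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # group and other must have no permission bits: ls mode string is "-rw-------",
    # so characters 5-10 must all be dashes
    mode=$(ls -l "$file" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "too permissive ($mode): chmod 600 $file" >&2; return 1; }
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "expected 2 lines (username, password), got $lines" >&2; return 1; }
    user=$(sed -n 1p "$file"); pass=$(sed -n 2p "$file")
    [ -n "$user" ] && [ -n "$pass" ] || { echo "empty username or password" >&2; return 1; }
    return 0
}

# Usage when run directly: sh credfile.sh /path/to/credfile   (validates the file)
if [ "$#" -gt 0 ]; then
    check_credfile "$1" && echo "ok: $1"
fi
```

Combine with auth-nocache in the client configuration, as in the profiles above, so the password is not kept in OpenVPN's memory between renegotiations either.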