OpenVPN has many parameters to play with.
Here I'll give some configuration tips I use. I traditionally use Debian to configure my OpenVPN server, so the manipulations presented below will be strongly Debian-oriented.
Most options can be set on either side (server or client). The main difference is that on the server side the option must be wrapped in the push keyword, and it will then of course be applied to all clients.
Let's see the difference if we want to define the same configuration on both sides. Here's an example with a DNS entry.
# client side
dhcp-option DNS 192.168.0.200
# server side: the same option, pushed to every client
push "dhcp-option DNS 192.168.0.200"
# client side, adding a search domain as well
dhcp-option DNS 192.168.0.200
dhcp-option DOMAIN domain.local
It may be useful to allow only certain network flows to be forwarded through our VPN (here RDP on TCP 3389 and DNS on port 53, everything else being dropped).
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p udp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p udp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -j DROP
Here's how to enable routing of VPN traffic on Debian: set IP forwarding in /etc/sysctl.conf, reload it, then masquerade the VPN subnet on the outgoing interface.
net.ipv4.ip_forward = 1
root@host:~# sysctl -p /etc/sysctl.conf
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE
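The two sections above (restricting forwarded flows, then enabling forwarding and NAT) can be expressed as one reviewable iptables-restore ruleset. The script below is an added example, not code from the original page: it keeps the page's subnet (10.50.8.0/24), interface name (enp4s0) and final DROP, but matches replies by connection state instead of trusting the source port (any host can send a packet with source port 53). The helper names (vpn_ruleset, vpn_ruleset_ends_in_drop, ip_forward_enabled) and the --noflush apply step are assumptions about your setup.

```shell
#!/bin/sh
# Added example, not from the original page: build the NAT and FORWARD rules
# as a single iptables-restore ruleset. Replies are matched with conntrack
# state rather than by source port, and the FORWARD chain ends in DROP as on
# the page. Subnet and interface names are the page's; the rest is assumed.

VPN_NET="10.50.8.0/24"      # VPN client subnet (from the page)
LAN_IF="enp4s0"             # LAN-facing interface (from the page)

# Print the ruleset for the given subnet and interface. This only produces
# text, so it can be reviewed or diffed against the running rules first.
vpn_ruleset() {
    net="$1"
    lan="$2"
    cat <<EOF
*nat
-A POSTROUTING -s $net -o $lan -j MASQUERADE
COMMIT
*filter
# replies to flows allowed below, matched by connection state
-A FORWARD -i $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new flows from VPN clients towards the LAN: RDP and DNS only
-A FORWARD -o $lan -s $net -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $lan -s $net -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $lan -s $net -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# everything else is dropped, as on the page
-A FORWARD -o $lan -j DROP
COMMIT
EOF
}

# Sanity check on the generated text: the last FORWARD rule must be DROP so
# that a later edit cannot silently leave the chain open. Returns 0 when it is.
vpn_ruleset_ends_in_drop() {
    vpn_ruleset "$1" "$2" | awk '
        /^\*filter/ { in_filter = 1; next }
        in_filter && /^-A FORWARD/ { last = $0 }
        END { if (last ~ /-j DROP$/) exit 0; else exit 1 }'
}

# Report whether the kernel currently forwards IPv4 (the sysctl from the page).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply without flushing rules that are already loaded. Only runs when asked
# explicitly ("sh vpn-rules.sh apply") and needs root.
if [ "${1:-}" = "apply" ]; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; VPN traffic will not be routed" >&2
    vpn_ruleset "$VPN_NET" "$LAN_IF" | iptables-restore --noflush
fi
```

Run it without arguments to print the ruleset for review; with apply it loads the rules on top of the existing ones. Because the ESTABLISHED,RELATED rule covers replies for every allowed flow, adding a new service later is a single NEW rule rather than a request/reply pair.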
route 192.168.1.0 255.255.255.0
Here's an example where we want only the addresses 192.168.0.251 and 192.168.0.250 to be reached through the VPN, while the rest of the 192.168.0.0/24 network stays reachable via the local network. This is particularly useful when client and server are on the same subnet.
route 192.168.0.251 255.255.255.255
route 192.168.0.250 255.255.255.255
route 192.168.0.0 255.255.255.0 net_gateway
To prevent port scanning, DoS attacks on the OpenVPN UDP port, SSL/TLS handshake initiations from unauthorized machines and any potential buffer-overflow vulnerabilities in the SSL/TLS implementation (see: https://wiki.archlinux.org/), we can add HMAC key protection to the control channel. With tls-crypt the control channel is additionally encrypted, and the same key is used in both directions.
root@host:~# openvpn --genkey --secret /etc/openvpn/pki/issued/ta.key
# server side: tls-crypt takes only the key path; the 0/1 direction argument belongs to tls-auth
tls-crypt /etc/openvpn/pki/issued/ta.key
# client side
tls-crypt ta.key
OpenVPN can also prevent a possible man-in-the-middle attack in which a client connects to a server presenting another client's certificate. If this is not set, you should see this message in the client log: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Here's how to set it up, on the client side.
remote-cert-tls server
root@host:~# /etc/init.d/openvpn restart
If a certificate has been compromised (e.g. a user's laptop has been stolen) or a user no longer works for the company, it is useful to know how to revoke the certificate so that it can no longer be used. The first set of commands is for easy-rsa 2 (revoke-full); the second is for easy-rsa 3 (easyrsa revoke, then gen-crl).
root@host:~# . ./vars
root@host:~# ./revoke-full user
[…]
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
[…]
# Sets the EasyRSA certificate revocation list validity to 10 years (in the easy-rsa vars file).
# OpenVPN rejects every connection once the CRL itself has expired, so keep this well ahead of your renewal cycle.
set_var EASYRSA_CRL_DAYS 3650
root@host:~# /usr/share/easy-rsa/easyrsa revoke user
Using SSL: openssl OpenSSL 1.1.1k 25 Mar 2021
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = client_revoker
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/pki/easy-rsa-1425.nUpHJc/tmp.r2wWDy
Revoking Certificate 1EA551CC14F3856B8A30CD92BAE6F3BE.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
root@host:~# /usr/share/easy-rsa/easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1k 25 Mar 2021
Using configuration from /etc/openvpn/pki/easy-rsa-1468.2IiBpN/tmp.0UJjU8
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
[…]
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
[…]
root@host:~# systemctl restart openvpn@server.service
If the log shows the message "WARNING: Your certificate has expired!", first check the server certificate's expiry date, then renew it with easy-rsa 3 and put the renewed files in place.
root@host:~# openssl x509 -in /etc/openvpn/pki/issued/server.crt -noout -text | grep -i "not after"
root@host:~# ./easyrsa renew server nopass
root@host:~# cp server.crt /etc/openvpn/pki/issued/server.crt
root@host:~# cp server.key /etc/openvpn/pki/private/server.key
root@host:~# systemctl restart openvpn@server.service
root@host:~# ./easyrsa renew user01 nopass
Finally, replace the newly created ./private/user01.key and ./issued/user01.crt files in the client workstation's OpenVPN configuration folder.
To see who is currently connected, add the status directive to the server configuration and read the file it writes.
status /var/log/openvpn-status.log
root@host:~# cat /var/log/openvpn-status.log
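Reading the status file by hand works for a handful of clients; the script below is an added example (not code from the original page) that parses the version-1 status format written by the status directive, lists the sessions, flags any common name with more than one simultaneous session, and checks whether a given common name is still connected. That last check matters after the revocation procedure above: the CRL is only consulted at a TLS handshake, so an already established session of a revoked certificate survives until renegotiation or a server restart. The sample status file and the function names (status_clients, status_duplicate_cns, status_has_cn) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: parse an OpenVPN version-1
# status file (the format written by the "status" directive) and report on
# the connected clients. The SAMPLE_STATUS content below is constructed.

SAMPLE_STATUS=$(cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan  8 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user01,203.0.113.10:51234,10240,20480,Mon Jan  8 09:00:00 2024
user01,198.51.100.7:44321,512,1024,Mon Jan  8 09:55:00 2024
user02,203.0.113.22:40001,4096,8192,Mon Jan  8 08:30:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.50.8.6,user01,203.0.113.10:51234,Mon Jan  8 09:59:00 2024
10.50.8.10,user01,198.51.100.7:44321,Mon Jan  8 09:59:30 2024
10.50.8.14,user02,203.0.113.22:40001,Mon Jan  8 09:58:00 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
)

# Print one line per session from the CLIENT LIST block, reading the status
# file on stdin:  <common name> <real address> <bytes received> <bytes sent>
status_clients() {
    awk -F, '
        /^ROUTING TABLE/              { in_clients = 0 }
        in_clients && NF >= 5         { print $1, $2, $3, $4 }
        /^Common Name,Real Address,/  { in_clients = 1 }
    '
}

# Print each common name that currently has more than one session. With a
# stolen laptop this is the first thing to look for: the legitimate user and
# the thief connected at the same time with the same certificate.
status_duplicate_cns() {
    status_clients | awk '{ seen[$1]++ } END { for (cn in seen) if (seen[cn] > 1) print cn }'
}

# Exit 0 if the given common name still has a session, 1 otherwise. Useful
# right after a revocation, since the CRL is only checked at the next TLS
# handshake and an existing session lives on until then.
status_has_cn() {
    status_clients | awk -v cn="$1" '$1 == cn { found = 1 } END { if (found) exit 0; else exit 1 }'
}

# Demo on the constructed sample. For a live server feed the real file:
#   status_clients < /var/log/openvpn-status.log
printf '%s\n' "$SAMPLE_STATUS" | status_clients
printf '%s\n' "$SAMPLE_STATUS" | status_duplicate_cns
```

On the sample the duplicate check reports user01, which is connected from two different real addresses at once. If you use "status-version 2" or 3 in the server configuration the file layout changes (a CLIENT_LIST prefix per line), so the awk patterns would need adjusting.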