OpenVPN has many parameters that we can play with.
Here are some configuration tips I have used. I traditionally set up my OpenVPN server on Debian.
Most options can be set on either side. The difference is that on the server side the option has to be wrapped in the push keyword, and it is then applied to every client. Let's see the difference when we want the same configuration on each side, with a DNS entry as an example.

Client side:
dhcp-option DNS 192.168.0.200

Server side, pushed to all clients:
push "dhcp-option DNS 192.168.0.200"

Client side, with the search domain as well:
dhcp-option DNS 192.168.0.200
dhcp-option DOMAIN domain.local

Note that Windows clients apply dhcp-option natively, while a Linux client only acts on it through an up script (for example update-resolv-conf shipped with the Debian package) that rewrites the resolver configuration.
It can also be useful to let only specific flows through the VPN. Here only RDP (TCP 3389) and DNS (TCP and UDP 53) may leave through enp4s0; everything else towards that interface is dropped:

root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p udp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p udp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -j DROP

The -i enp4s0 --sport rules only exist to let replies back in; a single stateful rule (-m conntrack --ctstate ESTABLISHED,RELATED) does that without accepting whatever a LAN host chooses to send from source port 53 or 3389. Rules are evaluated in order, so the final DROP must stay last, and forwarding still has to be enabled on the server.
If clients must reach hosts behind the server, enable IP forwarding in /etc/sysctl.conf, reload it, then masquerade the VPN subnet (10.50.8.0/24 here) behind the LAN interface so that LAN hosts can answer without a route back to the tunnel:

net.ipv4.ip_forward = 1

root@host:~# sysctl -p /etc/sysctl.conf
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE
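The NAT and filtering steps above collected into one script, as an added example that is not from the original page. It assumes the same VPN subnet 10.50.8.0/24 and a single LAN interface (ens192, as in the NAT rule), takes the allowed services as proto:port arguments, and matches return traffic with connection tracking instead of --sport rules. With DRY_RUN=1 it prints the iptables commands instead of applying them, which is also how it can be reviewed before use; the ip_forward sysctl from the page is still required.

```shell
#!/bin/sh
# Added example (not from the page): build the gateway rules for the tunnel.
# Assumptions: services are given as proto:port; DRY_RUN=1 prints the iptables
# commands instead of running them. net.ipv4.ip_forward=1 must be set separately.

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# vpn_gateway_rules <vpn_subnet> <lan_iface> <proto:port>...
vpn_gateway_rules() {
    vpn_net="$1"; lan_if="$2"; shift 2

    # Hide the VPN subnet behind the server's LAN address.
    ipt -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j MASQUERADE

    # Replies to allowed flows are matched by connection tracking. This is stricter
    # than a --sport rule: a LAN host cannot open a connection into the VPN just by
    # sending from source port 53 or 3389.
    ipt -A FORWARD -i "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # One rule per allowed service, new connections only, VPN -> LAN direction.
    for svc in "$@"; do
        proto="${svc%%:*}"
        port="${svc##*:}"
        ipt -A FORWARD -s "$vpn_net" -o "$lan_if" -p "$proto" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else leaving towards the LAN is dropped; must stay the last rule.
    ipt -A FORWARD -o "$lan_if" -j DROP
}

# Usage with the same flows as the page (RDP and DNS only):
#   DRY_RUN=1 sh vpn-gw.sh --apply   -> prints six iptables commands
#   sh vpn-gw.sh --apply             -> applies them (run as root)
if [ "${1:-}" = "--apply" ]; then
    vpn_gateway_rules 10.50.8.0/24 ens192 tcp:3389 tcp:53 udp:53
fi
```

Running it twice appends the rules twice; flush the FORWARD chain and the nat POSTROUTING chain first, or load the output through iptables-restore, if the script is part of a boot sequence.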
To reach a remote LAN through the tunnel, add a route on the client (or push it from the server with push "route 192.168.1.0 255.255.255.0"):

route 192.168.1.0 255.255.255.0
Here is a case where only 192.168.0.251 and 192.168.0.250 are reached through the VPN, while the rest of the 192.168.0.0/24 network keeps going through the LAN default gateway (net_gateway is the gateway the client had before connecting). This is particularly useful when the client and the server are on the same subnet. The two /32 routes are more specific than the /24, so they win regardless of the order in which they are declared.

route 192.168.0.251 255.255.255.255
route 192.168.0.250 255.255.255.255
route 192.168.0.0 255.255.255.0 net_gateway
The SSL/TLS control channel can be protected with a pre-shared key. With tls-auth every control-channel packet carries an HMAC computed with that key; with tls-crypt the packets are encrypted as well, which also hides the TLS handshake (and therefore the certificates) from a passive observer. In both cases packets without a valid signature are dropped before any TLS processing, which, as the OpenVPN documentation puts it, blocks port scanning, DoS attacks on the OpenVPN UDP port, SSL/TLS handshake initiations from unauthorized machines and any eventual buffer overflow vulnerabilities in the SSL/TLS implementation. The key is a shared secret: it is generated once on the server and must reach every client through a secure channel.

root@host:~# openvpn --genkey --secret /etc/openvpn/pki/issued/ta.key

(OpenVPN 2.5 and later prefer openvpn --genkey secret /etc/openvpn/pki/issued/ta.key; the old form still works with a deprecation warning.)

Server side:
tls-crypt /etc/openvpn/pki/issued/ta.key

Client side:
tls-crypt ta.key

Unlike tls-auth, tls-crypt takes no key-direction argument: the direction is derived from the server or client role. The trailing 0 and 1 are only needed with tls-auth (tls-auth ta.key 0 on the server, tls-auth ta.key 1 on the client).
OpenVPN can also check that the peer presents a certificate issued for the right role, which blocks a man-in-the-middle attack in which a valid client certificate is used to impersonate the server. Without it the client log shows: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. On the client side, require a server certificate, that is one carrying the serverAuth extended key usage that easy-rsa sets when the certificate is built as a server certificate:

remote-cert-tls server

The server can apply the symmetric check to its clients with remote-cert-tls client. Restart to apply:

root@host:~# /etc/init.d/openvpn restart
If a certificate has been compromised (a user's laptop was stolen) or a user has left the company, its certificate must be revoked. With easy-rsa 2:

root@host:~# . ./vars
root@host:~# ./revoke-full user

Then tell the server to check the CRL on every connection:

[…] crl-verify /etc/openvpn/easy-rsa/keys/crl.pem […]
With easy-rsa 3:

root@host:~# /usr/share/easy-rsa/easyrsa revoke user
Using SSL: openssl OpenSSL 1.1.1k 25 Mar 2021
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = client_revoker
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/pki/easy-rsa-1425.nUpHJc/tmp.r2wWDy
Revoking Certificate 1EA551CC14F3856B8A30CD92BAE6F3BE.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
root@host:~# /usr/share/easy-rsa/easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1k 25 Mar 2021
Using configuration from /etc/openvpn/pki/easy-rsa-1468.2IiBpN/tmp.0UJjU8
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
Point crl-verify at the file gen-crl produced (the path differs from the easy-rsa 2 layout) and restart:

[…] crl-verify /etc/openvpn/pki/crl.pem […]

root@host:~# systemctl restart openvpn@server.service

A revoked client is then refused with VERIFY ERROR: depth=0, error=certificate revoked in the server log. Note that the CRL itself has an expiry date (EASYRSA_CRL_DAYS, 180 days by default); once it is past, OpenVPN rejects every client with CRL has expired, so run gen-crl on a schedule and not only when a certificate is revoked.
To see which clients are connected, enable the status file in the server configuration (rewritten every 60 seconds by default) and read it:

status /var/log/openvpn-status.log

root@host:~# cat /var/log/openvpn-status.log
For the WARNING: Your certificate has expired! message, first check the validity dates of the server certificate:

root@host:~# openssl x509 -in /etc/openvpn/pki/issued/server.crt -noout -text | grep -i "not after"

Then renew it with easy-rsa 3 (in the 3.0.x releases renew issues a new certificate and a new key under the same name, hence copying both; nopass leaves the key without a passphrase), install the new files and restart. A client certificate is renewed the same way, and the new certificate and key must then be delivered to that user:

root@host:~# ./easyrsa renew server nopass
root@host:~# cp server.crt /etc/openvpn/pki/issued/server.crt
root@host:~# cp server.key /etc/openvpn/pki/private/server.key
root@host:~# ./easyrsa renew user01 nopass
root@host:~# systemctl restart openvpn@server.service
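A small pre-flight script, added here and not part of the original page, that checks with the openssl CLI the three things discussed above before the server is restarted: that the server certificate carries the serverAuth extended key usage required by remote-cert-tls server, that certificates are not about to expire, and that the CRL named by crl-verify still validates a client certificate. All file paths are assumed and passed as arguments.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight checks on the PKI files an OpenVPN
# server loads. Every function returns 0 when the check passes and 1 otherwise,
# so it can be used from cron or a deploy script. Paths are arguments (assumed).

# remote-cert-tls server on the client only accepts a server certificate that has
# the "TLS Web Server Authentication" (serverAuth) extended key usage.
has_server_eku() {                       # has_server_eku server.crt
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Fails if the certificate is expired or will expire within $2 seconds
# (default 30 days), so it can be renewed before clients log
# "WARNING: Your certificate has expired!".
cert_valid_for() {                       # cert_valid_for cert.crt [seconds]
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Validates a client certificate against the CA and the CRL the same way OpenVPN's
# crl-verify does. It fails for a revoked certificate ("certificate revoked") and
# also once the CRL is past its nextUpdate ("CRL has expired"), which in OpenVPN
# locks out every client, not just the revoked one.
crl_accepts() {                          # crl_accepts ca.crt crl.pem client.crt
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Run all checks: sh preflight.sh ca.crt crl.pem server.crt client.crt
if [ "$#" -eq 4 ]; then
    rc=0
    has_server_eku "$3"        || { echo "server cert lacks serverAuth EKU"; rc=1; }
    cert_valid_for "$3"        || { echo "server cert expires within 30 days"; rc=1; }
    cert_valid_for "$4"        || { echo "client cert expires within 30 days"; rc=1; }
    crl_accepts "$1" "$2" "$4" || { echo "client cert rejected by CA/CRL check"; rc=1; }
    exit "$rc"
fi
```

Run it against a known-good client certificate from cron with the same paths the server configuration uses; a non-zero exit on the CRL check a few days before EASYRSA_CRL_DAYS runs out is the reminder to run gen-crl.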