
OpenVPN my configuration notes


Intro

OpenVPN has many parameters that we can play with.

I will put here some configuration tips that I've used. I traditionally use Debian to set up my OpenVPN server.

Server or Client side?

Most options can be set on either side. The difference is that on the server side the option is wrapped in the push keyword, and it is then sent to every client that connects (per-client exceptions need an entry in a client-config-dir).

Example

Let's see the difference when we want to set the same option on each side, here with a DNS entry.

  • Client side :
dhcp-option DNS 192.168.0.200
  • Server side :
push "dhcp-option DNS 192.168.0.200"

DNS

Set DNS configuration

  • If we want to define a specific DNS server and search domain (wrap each line in push "..." on the server side) :
dhcp-option DNS 192.168.0.200
dhcp-option DOMAIN domain.local

Windows clients apply these options themselves. On Linux, OpenVPN only exports them as environment variables to an --up script (for example update-resolv-conf or update-systemd-resolved), so without such a script the client's resolver is not changed.

Filtering

It can be useful to allow only certain flows through our VPN.

Netfilter - iptables

  • Accept RDP and DNS traffic only (rules are evaluated in order, so the final DROP must stay last) :
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p udp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p udp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -j DROP

Two limits of this rule set: the --sport rules accept any packet that merely claims source port 3389 or 53, and the DROP only covers traffic leaving through enp4s0, so flows from the tunnel towards other interfaces are not filtered. Matching replies with -m conntrack --ctstate ESTABLISHED,RELATED and dropping on the tunnel's input interface avoids both problems.

Routing

Gateway mode

If we want the server to forward traffic between the tunnel and the internal network :

  • Edit /etc/sysctl.conf :
net.ipv4.ip_forward = 1
  • Run
root@host:~# sysctl -p /etc/sysctl.conf
  • Use iptables to NAT the VPN pool (10.50.8.0/24 here) behind the interface that faces the internal network (ens192 here, enp4s0 in the filtering section: use whichever is yours), so clients can reach it :
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE
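The Filtering and Gateway mode steps above fit together in one script. The following is an added example written for this page, not the page's own commands nor anything shipped with OpenVPN; it assumes tun0 is the OpenVPN interface, enp4s0 the internal interface (the page uses enp4s0 in the filter and ens192 in the NAT rule; any single internal interface works), 10.50.8.0/24 the VPN pool and 192.168.0.200 the DNS server pushed to clients. Unlike the rules in the text, it matches replies by connection state, limits DNS to the real resolver and drops everything else coming out of the tunnel whatever the outgoing interface.

```shell
#!/bin/sh
# Added example, not from the original page: make the server a gateway and
# restrict VPN clients to RDP and DNS on the internal network.
# Assumptions (adjust to your host): tun0 is the OpenVPN interface, enp4s0 the
# internal interface, 10.50.8.0/24 the VPN pool, 192.168.0.200 the DNS server.
set -eu

IPT="${IPT:-iptables}"              # set IPT=echo to preview the rules
SYSCTL="${SYSCTL:-sysctl}"
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-enp4s0}"
VPN_NET="${VPN_NET:-10.50.8.0/24}"
DNS_SRV="${DNS_SRV:-192.168.0.200}"

# Step 1: let the kernel forward packets (same as net.ipv4.ip_forward = 1 in sysctl.conf).
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Step 2: hide the VPN pool behind the internal interface's address.
nat_rules() {
    "$IPT" -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Step 3: filter what the tunnel may forward. Replies are matched by connection
# state instead of --sport (a client cannot bypass the filter by choosing source
# port 3389), DNS is limited to the real DNS server, and the final DROP catches
# traffic from the tunnel to any interface, not only the internal one.
forward_rules() {
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$TUN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$VPN_NET" \
        -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$DNS_SRV" \
        -p udp --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$DNS_SRV" \
        -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$TUN_IF" -j DROP
}

# Only touch the running system when asked explicitly:
#   sh vpn-gateway.sh apply                        # apply the rules
#   IPT=echo SYSCTL=echo sh vpn-gateway.sh apply   # dry run, prints the commands
case "${1:-}" in
    apply) enable_forwarding; nat_rules; forward_rules ;;
esac
```

The rules are appended with -A, so run the script once on a chain that is otherwise empty (or after iptables -F FORWARD); the filter only restricts flows that originate from the tunnel, so the LAN side still needs its own policy if LAN hosts must not reach VPN clients.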

Add a network route configuration

  • The 192.168.1.0/24 network will be reachable through the OpenVPN tunnel (on the server side : push "route 192.168.1.0 255.255.255.0") :
route 192.168.1.0 255.255.255.0

Excluding routes

Here is a case where 192.168.0.251 and 192.168.0.250 will be reached through the VPN, while the rest of the 192.168.0.0/24 network will be reached via the LAN default gateway (net_gateway). The two /32 routes win because they are more specific than the /24. This is particularly useful when the client and the server are on the same subnet.

route 192.168.0.251 255.255.255.255
route 192.168.0.250 255.255.255.255
route 192.168.0.0 255.255.255.0 net_gateway

Improve Security

ta.key

To prevent port scanning, DoS attacks on the OpenVPN UDP port, SSL/TLS handshake initiations from unauthorized machines and any eventual buffer overflow vulnerabilities in the SSL/TLS implementation (the list comes from the --tls-auth section of the OpenVPN manual), we can protect the control channel with a pre-shared key. tls-auth adds an HMAC to every control-channel packet; tls-crypt additionally encrypts them. Both use the same kind of key file. tls-auth needs a key direction (0 on the server, 1 on the clients); tls-crypt takes no direction parameter, so the trailing 0/1 must not be added to a tls-crypt line.

  • Generate key (OpenVPN 2.5 and later prefer the spelling openvpn --genkey secret <file>; the old form still works) :
root@host:~# openvpn --genkey --secret /etc/openvpn/pki/issued/ta.key
  • Add this line inside /etc/openvpn/server.conf :
tls-crypt /etc/openvpn/pki/issued/ta.key
  • Add the ta.key file and this line inside the client configuration file :
tls-crypt ta.key
  • With tls-auth instead of tls-crypt, the key direction is mandatory : tls-auth ta.key 0 on the server and tls-auth ta.key 1 on the clients.

Server Certificate Verification Method

OpenVPN can check that the peer presented a certificate issued for a server (key usage and extended key usage) and not merely any certificate signed by our CA; without this check a stolen client certificate could be used to impersonate the server (man-in-the-middle). If it is not set, you will see this message in the client log : WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

  • Add this line to the client configuration file (the server certificate must have been created as a server certificate, for example with easyrsa build-server-full, otherwise the check fails) :
remote-cert-tls server
  • Restart the OpenVPN client (on a Debian client that runs it as a service) :
root@host:~# /etc/init.d/openvpn restart

Revoking certificate

In case certificates have been compromised (a user laptop has been stolen) or if a user no longer works for the company, it may be useful to know how to revoke a certificate.

Old method with old versions of easy-rsa

  • Load vars and run revoke-full :
root@host:~# . ./vars
root@host:~# ./revoke-full user
  • Edit /etc/openvpn/server.conf and add (to be adapted according to the location of its crl.pem file) :
[…]
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
[…]

New method with easy-rsa 3

  • Edit /etc/openvpn/pki/vars file :
# Sets EasyRSA certificate revocation list validity to 10 years.
set_var EASYRSA_CRL_DAYS 3650
  • Run the revoke certificate command :
root@host:~# /usr/share/easy-rsa/easyrsa revoke user
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021

Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = client_revoker

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/pki/easy-rsa-1425.nUpHJc/tmp.r2wWDy
Revoking Certificate 1EA551CC14F3856B8A30CD92BAE6F3BE.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
  • Generate a crl.pem file :
root@host:~# /usr/share/easy-rsa/easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Using configuration from /etc/openvpn/pki/easy-rsa-1468.2IiBpN/tmp.0UJjU8

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
  • Edit /etc/openvpn/server.conf and add (the path is the one printed by gen-crl above) :
[…]
crl-verify /etc/openvpn/pki/crl.pem
[…]

Two things to check: the CRL file must stay readable by the account OpenVPN runs as after it drops privileges (user nobody), because the file is re-read at each connection, and the CRL itself expires after EASYRSA_CRL_DAYS. Once it has expired the server rejects every client with a "CRL has expired" verification error, so regenerate it (gen-crl) before that date.
  • Restart the OpenVPN service :
root@host:~# systemctl restart openvpn@server.service
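Before regenerating the CRL it is worth confirming what the CA database actually says. The script below is an added example written for this page, not the page's own commands nor part of easy-rsa: it reads pki/index.txt, the OpenSSL CA database that easyrsa revoke updates, and lists revoked and valid certificates by common name. The PKI path is an assumption, and the sample database written by sample_index is constructed for the demonstration (its revoked serial matches the revoke output shown above).

```shell
#!/bin/sh
# Added example, not from the original page: read the easy-rsa 3 CA database
# (pki/index.txt) to confirm which certificates are revoked and which are still
# valid before running gen-crl. The PKI path is an assumption; the sample data
# written by sample_index is constructed for the demonstration.
set -eu

PKI="${PKI:-/etc/openvpn/pki}"

# index.txt is OpenSSL's CA database, one tab-separated line per certificate:
#   status (V valid, R revoked, E expired)  expiry  revocation-time  serial  file  subject
# The revocation-time column is empty for valid certificates.

# Print "serial CN revoked-at" for every revoked certificate.
list_revoked() {
    awk -F'\t' '$1 == "R" { cn = $6; sub(/^.*\/CN=/, "", cn); print $4, cn, $3 }' "$1"
}

# Print "serial CN expiry" for the certificates the CA still considers valid.
list_valid() {
    awk -F'\t' '$1 == "V" { cn = $6; sub(/^.*\/CN=/, "", cn); print $4, cn, $2 }' "$1"
}

# Return 0 when the certificate with this CN is revoked, 1 otherwise
# (a quick check after "easyrsa revoke user" and before "easyrsa gen-crl").
is_revoked() {
    list_revoked "$1" | awk -v cn="$2" '$2 == cn { found = 1 } END { exit !found }'
}

# Constructed sample database: one valid server, one valid client and one
# revoked client. Dates are in the YYMMDDHHMMSSZ form OpenSSL uses.
sample_index() {
    f=$(mktemp)
    printf 'V\t330605103102Z\t\t0B2C3D4E5F60718293A4B5C6D7E8F9A0\tunknown\t/CN=server\n' >  "$f"
    printf 'V\t330605103102Z\t\t1F2E3D4C5B6A79889706152433425160\tunknown\t/CN=user01\n' >> "$f"
    printf 'R\t330605103102Z\t210607103102Z\t1EA551CC14F3856B8A30CD92BAE6F3BE\tunknown\t/CN=client_revoker\n' >> "$f"
    echo "$f"
}

# Usage: sh check-index.sh show        # list revoked certificates of the real PKI
case "${1:-}" in
    show) list_revoked "$PKI/index.txt" ;;
esac
```

index.txt only tells you what the CA has recorded; what the server enforces is the crl.pem it loads, so after gen-crl check the installed file as well with openssl crl -in /etc/openvpn/pki/crl.pem -noout -text and look for the serial there.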

Miscellaneous

Show current sessions

  • Add this line to server.conf :
status /var/log/openvpn-status.log
  • To see current sessions :
root@host:~# cat /var/log/openvpn-status.log
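The status file is easier to read when the CLIENT LIST and ROUTING TABLE blocks are joined. The script below is an added example written for this page, not the page's own command nor part of OpenVPN: it parses the default status-version 1 layout that the status directive above produces and prints one line per session with the client's virtual address. The file path is an assumption and the sample written by sample_status is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: list active sessions from the file
# written by "status /var/log/openvpn-status.log" (default status-version 1
# layout). The path is an assumption; the sample written by sample_status is
# constructed for the demonstration.
set -eu

STATUS="${STATUS:-/var/log/openvpn-status.log}"

# The file has a CLIENT LIST block (CN, real address, bytes in/out, connected
# since) and a ROUTING TABLE block (virtual address, CN, real address, last ref).
# Join both on the common name and print: CN virtual-IP real-address connected-since
vpn_sessions() {
    awk -F, '
        /^Common Name,Real Address/         { sect = "clients"; next }
        /^Virtual Address,Common Name/      { sect = "routes";  next }
        /^(ROUTING TABLE|GLOBAL STATS|END)/ { sect = "";        next }
        sect == "clients" && NF >= 5 { n++; cn[n] = $1; real[n] = $2; since[n] = $5 }
        sect == "routes"  && NF >= 4 { vaddr[$2] = $1 }
        END {
            for (i = 1; i <= n; i++)
                print cn[i], ((cn[i] in vaddr) ? vaddr[cn[i]] : "-"), real[i], since[i]
        }
    ' "$1"
}

# Number of connected clients, handy for monitoring or a cron alert.
vpn_session_count() {
    vpn_sessions "$1" | wc -l | tr -d ' '
}

# Constructed sample in the status-version 1 format (two clients connected).
sample_status() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jun  7 10:31:02 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user01,203.0.113.10:51234,123456,654321,Mon Jun  7 09:55:41 2021
user02,198.51.100.7:40001,2048,4096,Mon Jun  7 10:20:03 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.50.8.6,user01,203.0.113.10:51234,Mon Jun  7 10:30:58 2021
10.50.8.10,user02,198.51.100.7:40001,Mon Jun  7 10:30:12 2021
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$f"
}

# Usage: sh vpn-sessions.sh show        # sessions from the real status file
case "${1:-}" in
    show) vpn_sessions "$STATUS" ;;
esac
```

The same common name appearing twice means either duplicate-cn is enabled or a certificate is being shared, which is worth a look; with status-version 2 or 3 the block headers change and the parser would need the HEADER,CLIENT_LIST form instead.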

Renewing certificates

For the WARNING: Your certificate has expired! message in the log.

  • Check the validity of the certificate :
root@host:~# openssl x509 -in /etc/openvpn/pki/issued/server.crt -noout -text | grep -i "not after"
  • Renew the server certificates :
root@host:~# ./easyrsa renew server nopass
  • Copy the newly created certificates :
root@host:~# cp server.crt /etc/openvpn/pki/issued/server.crt
root@host:~# cp server.key /etc/openvpn/pki/private/server.key
  • Renewing the client certificates :
root@host:~# ./easyrsa renew user01 nopass
  • Restart service :
root@host:~# systemctl restart openvpn@server.service
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
