OpenVPN

From VyOS Wiki
OpenVPN's greatest strength is its extremely high degree of configuration flexibility. It is truly a "Swiss Army Knife" VPN tool that handily accomplishes pretty much any "VPNish" task.

Traditionally, routers and firewalls have used IPSec-based VPN solutions for site-to-site connectivity because much of IPSec can be implemented in hardware. As a software router and firewall, VyOS gets no such performance gain from IPSec, and therefore pays no corresponding performance penalty for SSL VPN solutions such as OpenVPN.

If building a VPN solution using VyOS exclusively, OpenVPN will generally provide the best results in terms of ease of use, stability and performance, while maintaining strong encryption on par with IPSec VPN solutions.

OpenVPN Client/server

Certificates and keys

The VyOS CLI requires TLS authentication for the client/server implementation, so you need to have your certificates and keys ready.

OpenVPN provides scripts to easily generate the PKI and all the certificates required: https://openvpn.net/index.php/open-source/documentation/howto.html#pki

These scripts are available in VyOS. You run them as Linux commands from the VyOS CLI.

Here is a quick howto

Copy the easy-rsa folder and edit the field values in vars to match your organisation

 cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2-my
 vi /config/easy-rsa2-my/vars

Initiate PKI

 cd /config/easy-rsa2-my/
 source ./vars
 ./clean-all

Build the CA, DH parameters, keys and certificates. Do not set a password on the certificates.

 ./build-ca
 ./build-dh
 ./build-key-server server
 ./build-key client

Copy server files to correct location. Under /config/auth/ is a good place.

 sudo mkdir /config/auth/ovpn
 sudo cp keys/ca.crt /config/auth/ovpn/
 sudo cp keys/dh1024.pem /config/auth/ovpn/
 sudo cp keys/server.key /config/auth/ovpn/
 sudo cp keys/server.crt /config/auth/ovpn/

Save the files for the client instance: ca.crt, client.key and client.crt

To copy files to your VyOS you can use scp. As keys and certificates are text files, you can also copy and paste them.

Certificates and keys: EasyRSA 3.0.5

Here is a quick howto for implementing an EasyRSA 3.0 certificate authority on VyOS. This has been tested and verified on VyOS 1.1.8 and VyOS 1.2-rc6.

Initial Setup

  1. Download EasyRSA 3.0.x (link: https://github.com/OpenVPN/easy-rsa/releases)
  2. Extract and uncompress tar file.
  3. Become root user (sudo su -)
  4. Copy EasyRSA-3.0.5 to /config/auth/<ca directory>
    • Best Practice #1: If you are planning or need to implement a multi-tenant OpenVPN server, then copy the EasyRSA files to separate directories (e.g. Accounting, Engineering, MIS, etc.)
    • Best Practice #2: Check the permissions of the EasyRSA directory and files in /config/auth. I have found that the permissions get a bit munged (chown -R root:vyattacfg <directory>)

CLI Commands

 wget <copy link address>
 tar -xzf <filename>

Create CA

Change directory to the CA directory (e.g. cd /config/auth/<ca directory>)

./easyrsa init-pki
./easyrsa build-ca <CA Name> nopass
./easyrsa build-server-full <OpenVPN Server Name> nopass
./easyrsa gen-dh

Create Client Key

./easyrsa build-client-full <OpenVPN Client Name>
./easyrsa export-p12 <OpenVPN Client Name>

Changes from EasyRSA 2.0

  • It is no longer necessary to source vars file.
  • EasyRSA 3.0 includes vars.example, copy to vars and edit as needed.
  • By default EasyRSA 3.0 creates crt, key and other files in the pki directory:
    • root of pki - this is where ca.crt and dh.pem are located
    • private - location of private keys
    • issued - location of issued public certificates
    • reqs - location of certificate requests

Certificates and keys: 2cca Alternative

The examples directory no longer ships with VyOS images. A safer and more useful alternative to Easy-RSA is 2cca. This example places all of your key material on your VyOS machine. This is not a good practice from a security perspective.

Installation is accomplished by copying 2cca.py to your VyOS install. I placed my copy in /config/auth, and I removed the '.py' extension.

 cd /config/auth
 openssl dhparam -outform PEM -out /config/auth/dh1024.pem 1024
 python 2cca root cn=MyDomain.Net
 python 2cca server cn=gl1.MyDomain.Net
 python 2cca server cn=gl1.MyDomain.Net ca=MyDomain.Net

This will create the root CA Key and Cert, "MyDomain.Net.crt", and "MyDomain.Net.key". It also sets up the OpenVPN server certificate and key 'gl1.MyDomain.Net.crt' and '..key'.

 python 2cca client cn=david.MyDomain.Net ca=MyDomain.Net
 python 2cca client cn=joshua.MyDomain.Net ca=MyDomain.Net

This creates two user keys and certs which can be distributed to clients.

Server

 set interfaces openvpn vtun0 mode 'server'
 set interfaces openvpn vtun0 server subnet '192.168.10.0/24'
 set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
 set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
 set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
 set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'

Client

 set interfaces openvpn vtun0 mode 'client'
 set interfaces openvpn vtun0 remote-host <server ip>
 set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
 set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/client.crt'
 set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/client.key'

OpenVPN Site to site

Shared Secret authentication

While many are aware of OpenVPN as a Client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of router and firewall support.

In this example, we'll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.

First, on one of the systems generate the key using the operational command generate openvpn key <filename>. This will generate a key with the name provided in the /config/auth/ directory. Once generated, you will need to copy this key to the remote router.

In our example, we used the filename openvpn-1.key which we will reference in our configuration.

  • The public IP address of the local side of the VPN will be 198.51.100.10
  • The remote will be 203.0.113.11
  • The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
  • OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible.
  • The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN.
  • The persistent-tunnel directive will allow us to configure tunnel-related attributes, such as firewall policy as we would on any normal network interface.
  • If known, the IP of the remote router can be configured using the remote-host directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router.

Local Configuration:

 set interfaces openvpn vtun1 mode site-to-site
 set interfaces openvpn vtun1 protocol udp
 set interfaces openvpn vtun1 persistent-tunnel
 set interfaces openvpn vtun1 remote-port '1195'
 set interfaces openvpn vtun1 remote-address '10.255.1.2'
 set interfaces openvpn vtun1 local-host '198.51.100.10'
 set interfaces openvpn vtun1 local-port '1195'
 set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
 set interfaces openvpn vtun1 local-address '10.255.1.1'

Remote Configuration:

 set interfaces openvpn vtun1 mode site-to-site
 set interfaces openvpn vtun1 protocol udp
 set interfaces openvpn vtun1 persistent-tunnel
 set interfaces openvpn vtun1 remote-host '198.51.100.10'
 set interfaces openvpn vtun1 remote-address '10.255.1.1'
 set interfaces openvpn vtun1 remote-port '1195'
 set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
 set interfaces openvpn vtun1 local-address '10.255.1.2'
 set interfaces openvpn vtun1 local-port '1195'
 set interfaces openvpn vtun1 local-host '203.0.113.11'

The configurations above will default to using 128-bit Blowfish in CBC mode for encryption and SHA-1 for HMAC authentication. These are both considered weak, but a number of other encryption and hashing algorithms are available:

For Encryption:

vyos@vyos# set interfaces openvpn vtun1 encryption
Possible completions:
  des          DES algorithm
  3des         DES algorithm with triple encryption
  bf128        Blowfish algorithm with 128-bit key
  bf256        Blowfish algorithm with 256-bit key
  aes128       AES algorithm with 128-bit key
  aes192       AES algorithm with 192-bit key
  aes256       AES algorithm with 256-bit key

For Hashing:

vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
  md5          MD5 algorithm
  sha1         SHA-1 algorithm
  sha256       SHA-256 algorithm
  sha512       SHA-512 algorithm

If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up.
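To catch such a mismatch before committing, here is an added example (not VyOS code) that parses the set interfaces openvpn lines of both ends and reports addresses, ports, protocol, cipher and hash that do not agree, flagging the weak bf128/sha1 defaults as well. The udp/bf128/sha1 defaults and the two sample configurations are taken from this page; the hypothetical is that each side's lines are available as text.

```python
"""Consistency checks for a VyOS OpenVPN site-to-site pair (added example, not VyOS code)."""
import shlex

WEAK_CIPHERS = {"des", "3des", "bf128", "bf256"}  # the page calls the bf128 default weak
WEAK_HASHES = {"md5", "sha1"}

def parse(text):
    """Map 'set interfaces openvpn <if> <node...> [value]' lines to {if: {node: value}}."""
    cfg = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["set", "interfaces", "openvpn"] or len(tok) < 5:
            continue
        node, value = (" ".join(tok[4:-1]), tok[-1]) if len(tok) > 5 else (tok[4], "")
        cfg.setdefault(tok[3], {})[node] = value  # valueless nodes (persistent-tunnel) keep ""
    return cfg

def check_pair(a, b):
    """Return the mismatches that keep a tunnel between configs a and b from coming up."""
    issues = [f"{s}: mode must be site-to-site" for s, c in (("local", a), ("remote", b))
              if c.get("mode") != "site-to-site"]
    for side, own, peer in (("local", a, b), ("remote", b, a)):
        for mine, theirs in (("local-address", "remote-address"), ("local-port", "remote-port"),
                             ("remote-host", "local-host")):  # unset local-host means "all"
            if mine in own and own[mine] != peer.get(theirs, own[mine]):
                issues.append(f"{side}: {mine}={own[mine]} but peer {theirs}={peer.get(theirs)}")
    for node, default, weak in (("protocol", "udp", set()), ("encryption", "bf128", WEAK_CIPHERS),
                                ("hash", "sha1", WEAK_HASHES)):  # defaults assumed from the page
        va, vb = a.get(node, default), b.get(node, default)
        if va != vb:
            issues.append(f"{node} mismatch: {va} vs {vb}")
        elif va in weak:
            issues.append(f"{node}={va} is weak on both ends")
    return issues

# Constructed sample: the two site-to-site configs from this page, trimmed to the checked nodes.
LOCAL = parse("""set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-host '198.51.100.10'
set interfaces openvpn vtun1 local-address '10.255.1.1'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 remote-port '1195'""")["vtun1"]
REMOTE = parse("""set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-host '203.0.113.11'
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
set interfaces openvpn vtun1 remote-host '198.51.100.10'
set interfaces openvpn vtun1 remote-port '1195'""")["vtun1"]
```

Running check_pair(LOCAL, REMOTE) on the page's configs reports only the two weak-default warnings; changing one side's port or cipher adds a mismatch line.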

Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:

Local Configuration:

 set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1

Remote Configuration:

 set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1

Firewall policy can also be applied to the tunnel interface for local, in, and out directions and function identically to ethernet interfaces.

If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared key. This is done by IP address or port number: one option is to dedicate a public IP to each tunnel, another is to dedicate a port number to each tunnel (e.g. 1195, 1196, 1197, ...).

OpenVPN status can be verified using the show openvpn operational commands. See the built-in help for a complete list of options.

Certificate authentication

PKI

  • You have to create a PKI, as for client/server
    • One end point will have the passive (server) role for authentication
    • The other one will have the active (client) role

Certificate generation (carried over from the certificate generation in client/server)

source ./vars
./build-key-server site2site_passive
./build-key site2site_active

Active site configuration

Files in /config/auth/:

  • ca.crt
  • site2site_active.key
  • site2site_active.crt

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 tls role active
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls key-file /config/auth/site2site_active.key
set interfaces openvpn vtun0 tls cert-file /config/auth/site2site_active.crt

Passive site configuration

Files in /config/auth/:

  • ca.crt
  • site2site_passive.key
  • site2site_passive.crt
  • dh1024.pem

set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 tls role passive
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls key-file /config/auth/site2site_passive.key
set interfaces openvpn vtun0 tls cert-file /config/auth/site2site_passive.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

Bridge VPN

To create a Bridge (L2) VPN, simply integrate the tunnel into a bridge:

 set interfaces bridge br0 address '192.168.0.1'
 set interfaces bridge br0 description 'Bridge VPN'
 set interfaces openvpn vtun0 bridge-group bridge 'br0'
 set interfaces openvpn vtun0 mode 'server'
 set interfaces openvpn vtun0 server subnet '192.168.1.10/24'
 set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
 set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
 set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
 set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'

Note: As of 1.1.7, the server subnet parameter is useless for bridge VPN but required by the CLI to commit.

OpenVPN parameters

OpenVPN is highly configurable. The VyOS CLI focuses on:

  • Integration with VyOS (firewall, policy...)
  • Minimal subset of parameters to set OpenVPN in standard configuration (Client/Server, Site-to-site, bridged...) with basic settings.

All other OpenVPN parameters have to be set through the openvpn-option command.

Possible completions:
 > bridge-group Interface to be added to a bridge group
   description  Description for the interface
   device-type  OpenVPN interface device-type
   disable      Interface to be disabled
   encryption   Data encryption algorithm option
 > firewall     Firewall options
   hash         Hashing algorithm option
 > ip           IPv4 routing parameters
 > ipv6         IPv6 routing parameters
+> local-address
                Local IP address of tunnel
   local-host   Local IP address to accept connections (all if not set)
   local-port   Local port number to accept connections
   mode         OpenVPN mode of operation
+  openvpn-option
                Additional OpenVPN options
   persistent-tunnel
                Do not close and reopen interface (TUN/TAP device) on client restarts
 > policy       Policy route options
   protocol     OpenVPN communication protocol
   redirect     Incoming packet redirection destination
   remote-address
                IP address of remote end of tunnel
+  remote-host  Remote host to connect to (dynamic if not set)
   remote-port  Remote port number to connect to
 > replace-default-route
                OpenVPN tunnel to be used as the default route
 > server       Server-mode options
   shared-secret-key-file
                File containing the secret key shared with remote end of tunnel
 > tls          Transport Layer Security (TLS) options
 > traffic-policy
                Traffic-policy for interface

Refer to the OpenVPN man page for a list of parameters.

Example: to disable encryption and compression (the tunnel then carries traffic in the clear):

 set interfaces openvpn vtun0 openvpn-option "cipher none"
 set interfaces openvpn vtun0 openvpn-option "comp-lzo no"

Troubleshooting

Use the show openvpn command to show server, client or site-to-site openvpn instances. For server instances:

 show openvpn server status

To restart OpenVPN (server side):

reset openvpn interface vtun0

or

reset openvpn client <client_name>

Display openvpn command line:

 show configuration commands | grep openvpn
 ps -ef | grep openvpn

Use monitor openvpn to monitor events, or directly dump /var/log/messages:

 monitor openvpn &
 grep openvpn /var/log/messages