
OpenVPN

The OpenVPN server is a secure and cost-effective way to provide road warrior VPN access to resources on the network. Compared with the PPTP VPN server, OpenVPN is more robust at traversing other firewalls and gateways.

An OpenVPN client is available at no cost for almost any OS (Windows, Mac, GNU/Linux, Android) and form factor (PC, smartphone).

Installation

If your system does not have this app available, you can install it via the Marketplace.

Once installed, you can find this feature in the menu system at the following location:

Network|VPN|OpenVPN

Configuration

Configuring the Server

Security Certificates Information

Before you can configure OpenVPN, you may be directed to the Certificate Manager configuration page in the web-based administration tool. The information is required to create the necessary security certificates used in OpenVPN.

Automatic Configuration

The OpenVPN app has an automatic configuration feature that selects default settings based on your server's configuration. It will also update them if you make modifications to your server (eg. change LAN subnet).

Unless you are an advanced user, this feature should be left enabled. To disable the feature, click on in the information dialog.

Settings - Automatic Configuration Enabled

Internet Domain

The Internet Domain field is auto-populated using the server's Default Domain, set in the IP Settings app. This field entry should be a publicly available hostname that VPN users will use in their configuration as the VPN hostname to connect to.

DNS Server

A DNS server to use while connected through the VPN. This setting is useful for resolving locally addressed/internal hostnames (eg. hp-laserjet.lan). Like the Internet Domain field, this field is populated from the DNS server settings in the IP Settings app.

WINS Server

Windows Internet Name Service (WINS) is a NetBIOS name resolution service that allows client computers to register their NetBIOS names and IP addresses in a dynamic, distributed database and to resolve the NetBIOS names of network resources to their IP addresses. If you have a Microsoft[TM] server (or another server running Samba) on the LAN providing WINS, you would want to override the auto-configuration settings and set this to the IP of the server providing this service.

If you are running Samba locally, the automatic configuration setting is fine. If you are not running Samba or an MS WINS server anywhere on the network, this setting is irrelevant and can safely be ignored.

Depending on your network configuration, you may need to specify the WINS settings in VPN client configuration.

Managing User Accounts

Users must be configured with both OpenVPN and Security Certificate access. To manage users:

  • Go to the Users page in the web-based administration tool
  • Edit a selected user
  • Make sure both OpenVPN User and Security Certificates User are enabled

If you are using the Active Directory Connector, the selected AD user must be a member of both the openvpn_plugin and user_certificates_plugin groups. See the Active Directory Connector documentation for details.

Configuring the Client

Microsoft Windows[tm]

To configure the Windows OpenVPN client, you'll first need to install Microsoft's .NET Framework (minimum version 3.5). You can download it here.

Ensure you have installed the .NET framework before you start the OpenVPN client installation.

Using the web-based administration tool, log out as root (if you are logged in) once the basic settings and user configuration outlined above are complete.

Login as the road warrior user account that is to have access to the network via OpenVPN.

User Login

Under My Account, select User Certificates.

User Certificates

Select Windows as your client and click on the Download button in the OpenVPN Configuration File download utility.

Download the following files into the same directory as the OpenVPN configuration file above:

  1. Certificate
  2. Certificate Authority
  3. Private Key

Download and install the OpenVPN client software from the OpenVPN download page. When the download is complete, double click the msi file that you downloaded to start the install wizard.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=e058e2&media=omedia:ss_openvpn_win_1.png

Depending on your settings, you'll probably get a warning about running executable files. OpenVPN is OK to install.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=1352a2&media=omedia:ss_openvpn_win_2.png

Continue through the install wizard by clicking Next.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=4cabc6&media=omedia:ss_openvpn_win_3.png

Allow OpenVPN to install in the default (recommended) path or select a location where you would like the installation files to reside.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=6ca70f&media=omedia:ss_openvpn_win_4.png

You can safely ignore the Hardware Installation warning: a virtual interface will be created through which your VPN tunnels will connect. Click on the Continue Anyway button.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=79d24f&media=omedia:ss_openvpn_win_6.png

Allow the wizard to continue through to completion. At the end of a successful install, you should see the following dialog:

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=0ca656&media=omedia:ss_openvpn_win_7.png

Go ahead and start OpenVPN by either leaving the Launch OpenVPN Client checkbox checked, or starting the application from Microsoft's Start menu.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=e3656b&media=omedia:ss_openvpn_win_8.png

Next to the Connection Profiles field, click on the Plus (+) icon. Select Import Profile from Local File. Navigate to the folder where you downloaded the OpenVPN configuration files from the ClearOS users certificate page. Select the file and click Import.

If you did not save the certificate, private key and CA to the same folder, OpenVPN will fail to find all the required credentials to auto-configure itself.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=38f2fc&media=omedia:ss_openvpn_win_9.png

Now that you have a saved Connection Profile to connect to the OpenVPN service on ClearOS, double click on the icon. You will be asked to provide a username and password. This is the username and password used when the user was created on the ClearOS system (or via the Active Directory connector on a Windows domain).

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=ac85e5&media=omedia:ss_openvpn_win_10.png

A progress dialog will be displayed, providing information on the status of the connection.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=949384&media=omedia:ss_openvpn_win_11.png

If all went according to plan, you'll see the following dialog providing information on your connection and a link to disconnect when you are finished using the VPN tunnel.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=20d618&media=omedia:ss_openvpn_win_12.png

Ubuntu Linux

Log out of the web-based administration tool as root once the basic settings and user configuration outlined above are complete.

Login as the road warrior user account that is to have access to the network via OpenVPN.

User Login

Under My Account, select User Certificates.

User Certificates

Select Linux as your client and click on the Download button in the OpenVPN Configuration File download utility.

Download Linux Config

You'll also need the PKCS12 file containing the associated certificates. The first time you use the PKCS12 file you will be asked to password protect the package. Don't forget this password: your Ubuntu client will need it to extract the certificates later.

You're now done with the server/ClearOS. In Ubuntu's Network Manager, right click on the Network Manager, select Edit Connections, select the VPN tab, and click Import.

Network Manager

Select the configuration file you saved earlier.

Ensure that the server hostname is accessible from outside your LAN (eg. it is not a local domain like network.lan).

Under Authentication, select type “Password with Certificates”. Populate the username and password fields with the user authentication credentials.

Under User Certificates, click on the file/folder icon and select the PKCS12 file you also downloaded from the ClearOS server. Enter the password used to authenticate the file.

Setup

Click on the Advanced button and ensure you check (enable) Use LZO Compression.

Click Apply. Your VPN settings should now be configured. It is good practice to test your connection (if possible) with the client still on the LAN. That way, if there are any problems, you have a narrow set of possibilities to troubleshoot against.

Click on the Network Manager link, select VPN Connections, and then select the VPN connection named in your ClearOS configuration.

Connect

If all goes well, you will see a lock appear on your Network Manager icon signifying the tunnel was successfully deployed.

Mac OS X

Log out of the web-based administration tool as root once the basic settings and user configuration outlined above are complete.

Login as the road warrior user account that is to have access to the network via OpenVPN.

User Login

Under My Account, select User Certificates.

Download the OpenVPN Client for Mac in addition to the user certificates. Take note of the directory/folder you save these files to.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=0b339b&media=omedia:ss_openvpn_osx_1.png

Download and install the OpenVPN client software for Mac OS X from Google Code.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=ce65b4&media=omedia:ss_openvpn_osx_2.png

Click on the Download Tunnelblick link.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=99c94a&media=omedia:ss_openvpn_osx_3.png

Click on the latest Tunnelblick .dmg image to begin the download.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=b9b76d&media=omedia:ss_openvpn_osx_4.png

After double clicking on the dmg file you downloaded, a dialog will open asking if you wish to proceed.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=97f507&media=omedia:ss_openvpn_osx_5.png

Once the application is successfully installed, you will get a pop-up notifying you. Either launch the application from the pop-up or find it in your Applications folder using Finder and click on the Tunnelblick app.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=ef8fb5&media=omedia:ss_openvpn_osx_6.png

When prompted with a question for config files, select I have configuration files.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=d5b0fe&media=omedia:ss_openvpn_osx_7.png

Unless you are an advanced user, at the next dialog prompt, select Tunnelblick VPN Configuration.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=81e7eb&media=omedia:ss_openvpn_osx_8.png

After the step above, Tunnelblick will have created a folder for you, usually on your desktop, named “Empty Tunnelblick Configuration” or something similar. Rename this folder so it is easily identifiable. Add the configuration file and certificates that you downloaded from the ClearOS web-based administration tool's certificate manager to this folder.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=d08b78&media=omedia:ss_openvpn_osx_9.png

Once done with the inline instructions, rename the folder and add the extension .tblk.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=59afbf&media=omedia:ss_openvpn_osx_10.png

Double click on your new archive to install the configuration.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=b6adcc&media=omedia:ss_openvpn_osx_11.png

Select whether you want all users on the system to have access to this tunnel or just your current user.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=17c99e&media=omedia:ss_openvpn_osx_12.png

You'll be notified that the configuration has been installed. Time to test the VPN connection.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=1621d0&media=omedia:ss_openvpn_osx_13.png

In the upper right hand corner of your desktop, you'll see the Tunnelblick icon. Click on it once and select Connect XYZ, where XYZ is the name of your OpenVPN configuration as set when you renamed the folder containing the configuration and certificates.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=6b56c0&media=omedia:ss_openvpn_osx_14.png

You'll see a status message displayed as OpenVPN attempts to connect to the ClearOS VPN server.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=55fcf9&media=omedia:ss_openvpn_osx_15.png

If all went according to plan, you'll be notified that a connection has been made. An icon change will indicate when you are connected through the tunnel and when you are not.

https://clearos.com/dokuwiki2/lib/exe/fetch.php?w=300&tok=942d78&media=omedia:ss_openvpn_osx_16.png

Site to Site VPN Tunnels

OpenVPN provides a secure and robust VPN for connecting both road warriors as well as multiple networks. The solution also gets around the realities of today's Internet:

  • Native support in NAT (network address translation) environments
  • Native support for dynamic IP addresses
  • Robust connection monitoring and automatic reconnections

In other words, OpenVPN can be used in many environments where IPsec just won't work (or work reliably).

In the section below, we will use the terms headquarters and remote office. This is just simple terminology used for this implementation guide. You can create hub and spoke VPN solutions (many remote offices connecting to a single headquarters) as well as mesh VPN solutions (where each site connects to all other sites).

Selecting the Headquarters Node

In our example, we have selected the system in the main office to be the headquarters node. There are two reasons for this decision:

  • The main office has the most robust network connection
  • The ClearOS system is connected directly to the Internet

The second point is important. If you find yourself in a situation where a ClearOS system is behind another router (particularly a NAT-based router), know that you can still create a network-to-network VPN.

Create the Secret Key

Log in to a command line shell environment and run the following to create the secret key used to verify VPN endpoints:

openvpn --genkey --secret /etc/openvpn/static.key

This key must be copied to the other ClearOS system involved in the OpenVPN connection.

Create the Headquarters Configuration

Now that the secret key has been created, it is time to move on to the configuration file. Create a file in /etc/openvpn with the .conf file extension, for example /etc/openvpn/connect_to_remote.conf. Here's a sample configuration:

dev tun
port 1195
ifconfig 10.8.222.40 10.8.222.41
route 192.168.11.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
Key       Comment
port      The UDP port for the connection
ifconfig  The IP addresses used internally by OpenVPN
route     This is the LAN of the remote office!

You can use this configuration file as-is but the route must be changed! Please specify the LAN network range used by the remote office.

Create the Remote Office Configuration

The remote office configuration is nearly identical. Create a configuration with the .conf suffix in /etc/openvpn, for example /etc/openvpn/connect_to_headquarters.conf:

dev tun
port 1195
remote my-hq.poweredbyclear.com 1195
ifconfig 10.8.222.41 10.8.222.40
route 192.168.22.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key

The configuration file is nearly identical, but a few changes are required:

  • Specify the hostname or IP of the headquarters system for the remote parameter
  • Swap the IPs specified in the ifconfig parameter
  • Change the route to match the network range used by headquarters

Update Firewall

Almost there. In the web-based administration tool, go to Network|Firewall|Incoming Firewall in the menu. UDP port 1195 was specified in our OpenVPN configuration, so access to this port is required. Add this firewall rule:

  • UDP port 1195

Start/Restart OpenVPN

Now it is time to start the OpenVPN software on the headquarters and remote office.

service openvpn restart
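The two configuration files above must mirror each other exactly (same port, swapped ifconfig addresses, each side routing the other's LAN), and a typo in one of them is the usual reason a static-key tunnel never comes up. The following Python script is an added example, not part of ClearOS or OpenVPN: it generates the headquarters and remote office files from a few parameters and then cross-checks a pair of files for the mistakes listed in this guide. The hostname and LAN ranges in main() are the same constructed sample values the guide uses; the file names are only suggestions.

```python
"""Generate and cross-check a static-key OpenVPN site-to-site pair.

Added example, not ClearOS project code. It produces the two configuration
texts this guide describes from a few parameters and then verifies what the
guide says must hold: the same port on both sides, swapped ifconfig addresses,
the remote side pointing at the headquarters host, and route lines that do
not collide. The hostname and LAN ranges used in main() are constructed
sample values (the same ones the guide uses).
"""
import ipaddress

# Directives shared verbatim by both sides of the tunnel.
COMMON = """comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
"""


def build_configs(hq_host, hq_lan, remote_lan, port=1195,
                  hq_tun="10.8.222.40", remote_tun="10.8.222.41"):
    """Return (headquarters_conf, remote_office_conf) as strings."""
    hq_net = ipaddress.ip_network(hq_lan)
    rem_net = ipaddress.ip_network(remote_lan)
    if hq_net.overlaps(rem_net):
        raise ValueError("LAN ranges overlap; routing between the sites would be ambiguous")
    # Headquarters listens; its route line names the remote office LAN.
    hq = (f"dev tun\nport {port}\n"
          f"ifconfig {hq_tun} {remote_tun}\n"
          f"route {rem_net.network_address} {rem_net.netmask}\n" + COMMON)
    # Remote office dials out; its route line names the headquarters LAN.
    remote = (f"dev tun\nport {port}\nremote {hq_host} {port}\n"
              f"ifconfig {remote_tun} {hq_tun}\n"
              f"route {hq_net.network_address} {hq_net.netmask}\n" + COMMON)
    return hq, remote


def parse(conf):
    """Map each directive to its argument list; first occurrence wins."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            out.setdefault(key, args)
    return out


def check_peer_configs(hq_conf, remote_conf):
    """Return the list of mismatches between the two sides; empty means consistent."""
    hq, rem = parse(hq_conf), parse(remote_conf)
    problems = []
    if hq.get("port") != rem.get("port"):
        problems.append("port differs between the two sides")
    if "remote" not in rem:
        problems.append("remote office config has no 'remote <host> <port>' line")
    elif len(rem["remote"]) > 1 and rem["remote"][1] != hq.get("port", [None])[0]:
        problems.append("port in the remote office 'remote' line does not match headquarters")
    if hq.get("ifconfig", [])[::-1] != rem.get("ifconfig", []):
        problems.append("ifconfig addresses are not swapped between the sides")
    if hq.get("secret") != rem.get("secret"):
        problems.append("both sides must reference the same static key file")
    try:
        hq_route = ipaddress.ip_network("/".join(hq["route"][:2]))
        rem_route = ipaddress.ip_network("/".join(rem["route"][:2]))
    except (KeyError, ValueError):
        problems.append("each side needs a 'route <network> <netmask>' line")
    else:
        if hq_route.overlaps(rem_route):
            problems.append("the two route lines overlap; each side must route the other's LAN")
    return problems


if __name__ == "__main__":
    hq_conf, remote_conf = build_configs(
        "my-hq.poweredbyclear.com", "192.168.22.0/24", "192.168.11.0/24")
    print("# /etc/openvpn/connect_to_remote.conf\n" + hq_conf)
    print("# /etc/openvpn/connect_to_headquarters.conf\n" + remote_conf)
    print("problems:", check_peer_configs(hq_conf, remote_conf))
```

Write the two outputs to /etc/openvpn on the respective systems, copy the same static.key to both, open the UDP port in the incoming firewall, and then run service openvpn restart on each side. Because the check only sees the configuration files, it can confirm that the route lines do not collide but cannot know which LAN is really behind each site; that part still has to match the real networks.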

Troubleshooting

Log Files

The /var/log/messages and /var/log/secure log files can provide clues when troubleshooting.

Cannot connect to server

Go to the OpenVPN configuration page in the web-based administration tool and check Service Status to ensure the service is started. If the status says Stopped, click on Start. If the service fails to start, you can get more information from the logs. The following log files may contain clues:

  • /var/log/messages
  • /var/log/system
  • /var/log/secure

Log file contents are available for display and/or download via the web-based administration tool. You will need to install (if you haven't done so already) the Log Viewer app from the Marketplace.

If the server is also your gateway to the Internet, navigate to Incoming Firewall and ensure the OpenVPN service is an allowed incoming firewall rule (port 1194).

Incoming Firewall

Multi-WAN Environments

In some multi-WAN environments (eg. two external interfaces configured), OpenVPN can fail to connect from clients when the client configuration is using the default UDP. Try forcing the use of TCP protocol in the client, remembering to open 1194/TCP in your firewall.


Troubleshooting

OpenVPN is very verbose in its logging: authentication events and errors are recorded in the /var/log/messages log file on the ClearOS side. On the client side, the client application logs what is happening in its details log. These logs, while very technical, are EXTREMELY helpful in determining issues with the connection. The OpenVPN team has done a fantastic job of creating precise logs, which are often the last place you need to go to find out why you cannot connect.
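When reading /var/log/messages on the ClearOS side, the useful lines fall into a few families (handshake never completed, password rejected, certificate rejected, tunnel established), and each family points at a different item from the troubleshooting list above. The script below is an added example, not ClearOS or OpenVPN project code: it classifies syslog lines from the OpenVPN server, ties each family to the check this page suggests, and flags source addresses with repeated failures. The log lines in SAMPLE_LOG are constructed samples written in the shape OpenVPN uses; the hostname, addresses and usernames are made up.

```python
"""Triage OpenVPN server log lines from /var/log/messages.

Added example, not ClearOS or OpenVPN project code. SAMPLE_LOG holds
constructed lines in the shape OpenVPN writes via syslog; the hostname,
addresses and usernames are invented.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 16 12:18:01 gateway openvpn[1234]: 203.0.113.7:51234 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 16 12:18:05 gateway openvpn[1234]: 198.51.100.20:40001 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 16 12:18:09 gateway openvpn[1234]: 198.51.100.20:40002 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 16 12:18:20 gateway openvpn[1234]: 198.51.100.21:40003 VERIFY ERROR: depth=0, error=certificate has expired: CN=alice
Mar 16 12:19:02 gateway openvpn[1234]: 198.51.100.22:40004 [bob] Peer Connection Initiated with [AF_INET]198.51.100.22:40004
Mar 16 12:19:03 gateway sshd[999]: Accepted publickey for root from 192.168.1.5 port 2222
"""

# syslog prefix, optional "<peer ip>:<port> ", then the OpenVPN message text
LINE_RE = re.compile(r"openvpn\[\d+\]: (?:(?P<peer>\d+\.\d+\.\d+\.\d+):\d+ )?(?P<msg>.*)")

# Each (pattern, category, hint) row maps a message family to the check this
# guide suggests for it.
RULES = [
    (re.compile(r"TLS key negotiation failed"), "handshake_timeout",
     "no reply reached the client: check the incoming firewall rule and the multi-WAN/TCP note"),
    (re.compile(r"Username/Password verification failed"), "bad_credentials",
     "wrong password, or the account lacks OpenVPN User access"),
    (re.compile(r"VERIFY ERROR"), "certificate_rejected",
     "client certificate not issued by this CA, revoked or expired"),
    (re.compile(r"Peer Connection Initiated"), "connected", "tunnel established"),
]


def classify(line):
    """Return (peer_ip or None, category, hint), or None for non-OpenVPN lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    for pattern, category, hint in RULES:
        if pattern.search(m["msg"]):
            return m["peer"], category, hint
    return m["peer"], "other", "unclassified OpenVPN message"


def triage(log_text):
    """Count message families and flag peers that failed more than once."""
    categories = Counter()
    failures_by_peer = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        peer, category, _ = result
        categories[category] += 1
        if category not in ("connected", "other") and peer:
            failures_by_peer[peer] += 1
    return {
        "categories": dict(categories),
        "repeat_failures": {p: n for p, n in failures_by_peer.items() if n >= 2},
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        result = classify(line)
        if result:
            peer, category, hint = result
            print(f"{peer or '-':>15}  {category:<20}  {hint}")
    print(triage(SAMPLE_LOG))
```

Run it against a real file with triage(open("/var/log/messages").read()) on the server; a handshake_timeout with no later connected line from the same address is the signature of the firewall and multi-WAN problems described above, while repeat bad_credentials from one address deserves a look at who is behind it.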

DNS

If you are having issues with DNS on your OpenVPN connection, it may be that you are using an external DNS server to resolve internal hosts, or an internal one that doesn't resolve external hosts. If you use the ClearOS gateway to resolve DNS from its cache, you can split the resolution of external and internal domains using this guide.

content/en_us/6_openvpn.txt · Last modified: 2016/03/16 12:18 by dloper
