Openvpn

From Wiki of WFilter NG Firewall
(Difference between revisions)
Jump to: navigation, search
(User&Pass Clients)
 
(8 intermediate revisions by one user not shown)
Line 9: Line 9:
 
= OpenVPN Server =
 
= OpenVPN Server =
 
== Server Settings ==
 
== Server Settings ==
* Auth Type: "by certificate" or "by user&pass".
+
* Auth by: "by certificate" or "by user&pass".
** Certificate: authenticate by certificate, client need to import the certificate created by the server.
+
** Users & Pass(recommended): authenticate by user & password, only "local users" with "VPN" privilege have VPN access.
** Users & Pass: authenticate by user & password, only "local users" with "VPN" privilege have VPN access.  
+
** Certificate: authenticate by certificate, client need to import the certificate created by the server.  
 
* Protocol and port: connection protocol and port, shall be consistent with the client settings.
 
* Protocol and port: connection protocol and port, shall be consistent with the client settings.
 
* Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets.
 
* Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets.
 
* Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: '''route 192.168.126.0 255.255.255.0'''
 
* Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: '''route 192.168.126.0 255.255.255.0'''
 +
* Auth Type:
 +
** "Local Auth": authenticate with username and password of local accounts. Only "local users" with "VPN" priviledge have VPN access.
 +
** "Email Auth": send credentials to a pop/imap email server for authentication.
 +
** "Ldap Auth": send credentials to a ldap server for authentication.
 +
** "Radius Auth": send credentials to a remote radius server for authentication.
 +
  
 
[[File:openvpn_settings1.png|800px]]
 
[[File:openvpn_settings1.png|800px]]
Line 22: Line 28:
 
* "Client Subnets" defines client subnets for site-to-site VPN.
 
* "Client Subnets" defines client subnets for site-to-site VPN.
 
* "Client Subnets" defines client subnets for server to access client networks. For example: '''192.168.126.0 255.255.255.0'''
 
* "Client Subnets" defines client subnets for server to access client networks. For example: '''192.168.126.0 255.255.255.0'''
 +
* For "Client IP", DHCP is enough for most cases. You also can setup a static ip address for a client, so you can configure firewall ACL rules to limit the accessible resources for this ip address.
 
* For user & pass authentication clients, the client id shall be client username.
 
* For user & pass authentication clients, the client id shall be client username.
 
* For certificate authentication clients, you need to download and import the client certificate in client side.
 
* For certificate authentication clients, you need to download and import the client certificate in client side.
Line 51: Line 58:
  
 
[[File:openvpn_clientsettings2.png|600px]]
 
[[File:openvpn_clientsettings2.png|600px]]
 
== Import certificates from other openvpn servers ==
 
WFilter NGF can import the exported certificates from other WFilter systems. However, if you need to import certificates from other openvpn servers, you need to pay attention to the file format and path.
 
* Import client CA:
 
** The file format shall be tar.gz.
 
** File path: /etc/config/openvpn/ca.crt and /etc/config/openvpn/ca.key
 
** Commands:
 
<code>
 
$tar -cvzf /tmp/ca.tar.gz /etc/openvpn/ca.*
 
</code>
 
* Import client certificates:
 
** The file format shall be tar.gz.
 
** File path: /tmp/clientkeys/xxx.crt and /tmp/clientkeys/xxx.key
 
** Commands:
 
<code>
 
$mkdir -p /tmp/clientkeys
 
 
$rm -f /tmp/clientkeys/*
 
 
$cp -f client1.crt /tmp/clientkeys/
 
 
$cp -f client1.key /tmp/clientkeys/
 
 
$tar -czf /tmp/client1.tar.gz /tmp/clientkeys/
 
 
</code>
 
  
 
= Windows Clients =
 
= Windows Clients =
== User&Pass Clients ==
 
 
* Download and install the offical openvpn client: https://openvpn.net/index.php/open-source/downloads.html
 
* Download and install the offical openvpn client: https://openvpn.net/index.php/open-source/downloads.html
 
* Download CA certificate in WFilter NG Firewall, copy it to openvpn's config directoy with name "ca.crt".
 
* Download CA certificate in WFilter NG Firewall, copy it to openvpn's config directoy with name "ca.crt".
* In config directory of openvpn, create a new text file named "myvpn.ovpn", with below content:
+
* Download client configuration.
 +
 
 +
[[File:openvpn_exportconfig.png|800px]]
 +
 
 +
== User&Pass Clients ==
 +
 
 +
* Download the config file into the config directory of openvpn, with file content format:
 
<pre>
 
<pre>
 
client
 
client
Line 94: Line 80:
 
verb 3
 
verb 3
 
auth-user-pass              #auth by username
 
auth-user-pass              #auth by username
 +
<ca>
 +
#embeded CA certificate, you can post CA content here. If your client supports embeded CA, "ca ca.crt" is not needed.
 +
-----BEGIN CERTIFICATE-----
 +
......
 +
-----END CERTIFICATE-----
 +
</ca>
 
</pre>
 
</pre>
  
Line 123: Line 115:
  
 
VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow):
 
VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow):
 +
 +
* Example 1, allow VPN users to access all LAN resources:
  
 
[[File:openvpn_firewall01.png|800px]]
 
[[File:openvpn_firewall01.png|800px]]
 +
 +
* Example 2, allow access to target subnet only:
 +
 +
[[File:openvpn_firewall02.png|800px]]
  
 
[[Category:VPN]]
 
[[Category:VPN]]

Latest revision as of 17:19, 30 June 2023


Contents

[edit] 1 Introduction

  • OpenVPN is an open-source software application that implements VPN based on SSL. These two modules can setup OpenVPN tunnels in WFilter NG Firewall.
    • OpenVPN Server: provide VPN service for remote access and site-to-site VPN server.
    • OpenVPN Client: VPN client to connect other OpenVPN servers.

[edit] 2 OpenVPN Server

[edit] 2.1 Server Settings

  • Auth by: "by certificate" or "by user&pass".
    • Users & Pass(recommended): authenticate by user & password, only "local users" with "VPN" privilege have VPN access.
    • Certificate: authenticate by certificate, client need to import the certificate created by the server.
  • Protocol and port: connection protocol and port, shall be consistent with the client settings.
  • Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets.
  • Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: route 192.168.126.0 255.255.255.0
  • Auth Type:
    • "Local Auth": authenticate with username and password of local accounts. Only "local users" with "VPN" priviledge have VPN access.
    • "Email Auth": send credentials to a pop/imap email server for authentication.
    • "Ldap Auth": send credentials to a ldap server for authentication.
    • "Radius Auth": send credentials to a remote radius server for authentication.


Openvpn settings1.png

[edit] 2.2 Client Subnets

  • "Client Subnets" defines client subnets for site-to-site VPN.
  • "Client Subnets" defines client subnets for server to access client networks. For example: 192.168.126.0 255.255.255.0
  • For "Client IP", DHCP is enough for most cases. You also can setup a static ip address for a client, so you can configure firewall ACL rules to limit the accessible resources for this ip address.
  • For user & pass authentication clients, the client id shall be client username.
  • For certificate authentication clients, you need to download and import the client certificate in client side.

Openvpn serverclient.png

[edit] 2.3 CA Certificate

  • CA certificate: the CA certificate which shall be imported into openVPN client directory, you can click "Replace" to generate a new certificate.

Openvpn settings2.png

[edit] 3 OpenVPN Client

OpenVPN client can connect to multiple OpenVPN servers.

  • Server ID:unique server ID, alphabet and numeric charactors only.
  • Remote server: remote openvpn server domains or IP addresses. You can have multiple remote entries for load balance between servers. One server per line.
  • Protocol and port.
  • Proxy: connect to remote proxy OpenVPN server via a HTTP proxy.
  • Auth Type:
    • User & Pass: Authenticate by username and password.
    • Certificate: Authenticate by certificate files created in server.

Openvpn clientsettings1.png

  • CA Certificate

You can check and import CA certificate. A client shall have the server's CA to establish a SSL connection.

Openvpn clientsettings2.png

[edit] 4 Windows Clients

Openvpn exportconfig.png

[edit] 4.1 User&Pass Clients

  • Download the config file into the config directory of openvpn, with file content format:
client
dev tun
proto udp                   #Connection protocol, same as the server settings.
remote 192.168.1.246 1194   #Server IP(domain) and port
nobind
persist-key
persist-tun
ca ca.crt                   #ca.crt filename, same directory with the myvpn.ovpn
verb 3
auth-user-pass              #auth by username
<ca>
#embeded CA certificate, you can post CA content here. If your client supports embeded CA, "ca ca.crt" is not needed.
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
</ca>

[edit] 4.2 Certificate Clients

  • configure file:
client
dev tun
proto udp                   #Connection protocol, same as the server settings.
remote 192.168.1.246 1194   #Server IP(domain) and port
nobind
persist-key
persist-tun
ca ca.crt                   #ca.crt filename, same directory with the myvpn.ovpn
verb 3
cert vpnuser.crt            #Exported client certificate
key vpnuser.key             #Exported client certificate key
  • Now you can launch "OpenVPN GUI" with administrator privilege, input correct username and password to access VPN.

Openvpn winclient01.png

Openvpn winclient02.png

Openvpn winclient03.png

[edit] 5 Firewall Rules

VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow):

  • Example 1, allow VPN users to access all LAN resources:

Openvpn firewall01.png

  • Example 2, allow access to target subnet only:

Openvpn firewall02.png

Personal tools
Namespaces

Variants
Actions
Navigation
Tools