Koozali.org: home of the SME Server

VPN suggestions

DanB35 (http://www.familybrown.org)
VPN suggestions
« on: November 29, 2014, 11:08:44 PM »
I'm looking for a VPN solution that I can use with my Mac and my iOS devices to access my SME Server's LAN remotely.  It should be more secure than PPTP.  I've installed the OpenVPN Bridge contrib, and it's working just fine with Tunnelblick on my Mac, but not so much on the iOS devices because they can't deal with TAP interfaces, or so I understand.  I'm not concerned with the ability to route through my SME Server to remote hosts (i.e., remote network -> VPN -> SME Server -> Internet), but I do need to access other hosts on the SME Server's LAN, not just the SME Server itself.

Is there a single contrib that will work with both the Mac and the iOS devices for this purpose?  I'm reasonably comfortable with the certificate management for OpenVPN on the iPhone/iPad, but it's not essential that I use OpenVPN if a different solution would cover all my client systems.
......

Daniel B. (Firewall Services, network security)
Re: VPN suggestions
« Reply #1 on: November 30, 2014, 10:52:10 AM »
I have an unpolished and undocumented contrib for this. You can try:

Code:
yum --enablerepo=fws install smeserver-openvpn-routed

Then (assuming you already have openvpn-bridge configured and running, especially the certificate parts):

Code:
cp -a /etc/openvpn/bridge/priv/* /etc/openvpn/routed/priv/
cp -a /etc/openvpn/bridge/pub/* /etc/openvpn/routed/pub/
db configuration setprop openvpn-routed UDPPort 1195 Network 192.168.10.0/255.255.255.0
signal-event openvpn-routed-update

This daemon has no panel in the server-manager, but it works a bit like OpenVPN Bridge (except that it uses OpenVPN in routed mode, with a tun interface that works with iOS and Android). In this example 192.168.10.0/255.255.255.0 is a new virtual network which will be created for VPN usage. Your SME Server will take 192.168.10.1 and clients will get IPs allocated from this network.

See http://wiki.contribs.org/OpenVPN_Routed

Cheers,
Daniel
It's the end of the world!!! :lol:

DanB35
Re: VPN suggestions
« Reply #2 on: November 30, 2014, 10:06:45 PM »
I presume corresponding changes would need to be made to the .ovpn configuration file?  At a minimum, it looks like I'd need to change the rport and dev lines.

If I'm understanding correctly, the bridge contrib sets the client up on an IP within the SME Server's subnet (say 192.168.1.0/24).  This contrib sets the client up on a different subnet (192.168.10.0/24 in your example--BTW, will it take this notation rather than /255.255.255.0?), and establishes a route between the two.  Is there any particular reason that one configuration would be more desirable than the other?  I recall seeing recommendations in the openvpn forums to use routed mode when possible, but I don't think I dug deep enough to understand why that would be.
« Last Edit: November 30, 2014, 10:08:44 PM by DanB35 »

Daniel B.
Re: VPN suggestions
« Reply #3 on: November 30, 2014, 10:17:01 PM »
- Yes, you have to adjust your client config, at least dev tun and rport 1195 (in this example, the routed daemon is using port 1195)
- No, you need to set 192.168.10.0/255.255.255.0 syntax
- There are a few differences between bridge and routed mode. Bridge mode creates a layer 2 virtual NIC (tap) and connects VPN clients exactly the same way they would be on the local network (same network address, can pass non-IP traffic, works for broadcast and multicast traffic so things like mDNS/Bonjour work out of the box). On the other hand, routed mode creates a layer 3 virtual NIC (tun). In theory, routed mode will provide better performance (in practice, I couldn't see any measurable difference though), but mostly: routed mode works with iOS, Android, ChromeOS and other castrated OSes.
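The install steps in Reply #1 and the addr/mask syntax Daniel B. confirms in Reply #3 are easy to get wrong by hand: the Network property must be written as address/dotted-mask, the VPN subnet must not overlap the LAN (otherwise a client cannot be given an unambiguous route to LAN hosts), and the UDPPort must differ from the one openvpn-bridge already listens on. The helpers below, added here as an example and not part of smeserver-openvpn-routed, compute the Network value from CIDR notation, check for overlap with the LAN, and print the two commands from Reply #1. The function names, the LAN subnet argument and the port-collision check against 1194 (the bridge port the thread later mentions) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the contrib: derive the openvpn-routed settings
# from CIDR notation and sanity-check them before running db/signal-event.

cidr_to_netmask() {
    # $1 = prefix length 0..32 -> dotted-quad mask (the syntax the contrib wants)
    bits=$1
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                             $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

ip_to_int() {
    # dotted quad -> 32-bit integer
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

subnets_overlap() {
    # $1, $2 = a.b.c.d/bits; exit status 0 (true) when the networks overlap
    a=$(ip_to_int "${1%/*}"); abits=${1#*/}
    b=$(ip_to_int "${2%/*}"); bbits=${2#*/}
    # two networks overlap iff they agree under the shorter prefix
    p=$abits
    [ "$bbits" -lt "$p" ] && p=$bbits
    [ "$p" -eq 0 ] && return 0
    m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( a & m )) -eq $(( b & m )) ]
}

routed_network_prop() {
    # $1 = VPN subnet (CIDR), $2 = LAN subnet (CIDR)
    # prints the Network value in the contrib's address/mask syntax, fails on overlap
    if subnets_overlap "$1" "$2"; then
        echo "error: VPN subnet $1 overlaps LAN $2" >&2
        return 1
    fi
    echo "${1%/*}/$(cidr_to_netmask "${1#*/}")"
}

routed_setup_commands() {
    # $1 = VPN subnet (CIDR), $2 = LAN subnet (CIDR), $3 = UDP port
    # prints the two commands from Reply #1; refuses the openvpn-bridge port (assumed 1194)
    [ "$3" -ne 1194 ] || { echo "error: 1194 is used by openvpn-bridge" >&2; return 1; }
    net=$(routed_network_prop "$1" "$2") || return 1
    printf 'db configuration setprop openvpn-routed UDPPort %s Network %s\n' "$3" "$net"
    printf 'signal-event openvpn-routed-update\n'
}

# With the subnets used in this thread:
#   routed_setup_commands 192.168.10.0/24 192.168.1.0/24 1195
```

Source the file on the SME Server shell and pipe `routed_setup_commands` into `sh` once the output looks right; the overlap check is the part worth keeping, since a VPN subnet inside the LAN range is the classic cause of "connected but nothing on the LAN answers".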

Stefano
Re: VPN suggestions
« Reply #4 on: November 30, 2014, 10:54:25 PM »
If you need to connect via iOS and/or Android devices, you have to use the routed mode.

ReetP
Re: VPN suggestions
« Reply #5 on: December 01, 2014, 10:36:37 PM »
As another option :

http://wiki.contribs.org/Openswan_IPSEC

Note this thread here :
http://forums.contribs.org/index.php/topic,51111.0.html

And this bug :
http://bugs.contribs.org/show_bug.cgi?id=8677

I am also looking at LibreSwan, but when I installed using the same settings it failed to work and I am investigating why. If I can make it work then I will try and build a contrib for it - theoretically it should not be too difficult.

I am also going to look at IPSEC/L2TPD when I get 5 minutes - this should allow Android devices at least to work 'out of the box' though I have no idea about Mac devices.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

DanB35
Re: VPN suggestions
« Reply #6 on: December 03, 2014, 07:21:36 PM »
I've installed the smeserver-openvpn-routed contrib, which completed without apparent issues.  Unfortunately, my iPhone is still trying to connect on port 1194, even though I've changed the .ovpn file to specify port 1195 and dev tun.  Strange.
Code:
[root@e-smith ~]# config show openvpn-routed
openvpn-routed=service
    Authentication=CrtOnly
    ManagementPassword=(redacted)
    Network=192.168.10.0/255.255.255.0
    UDPPort=1195
    access=public
    status=enabled

Here's the .ovpn file:
Code:
rport 1195
proto udp
#dev tap
dev tun
nobind
# Uncomment the following line if your system
# support passtos (not supported on Windows)
# passtos
remote e-smith.mydomain.org

tls-client
ns-cert-type server

#auth-user-pass

# Replace user.p12 with the certificate
# bundle in PKCS12 format
#pkcs12 dan.p12

# You can replace the pkcs12
# directive with the old ones
#ca cacert.pem
#cert user.pem
#key user-key.pem

mtu-test
comp-lzo
pull

<ca>
-----BEGIN CERTIFICATE-----
(redacted)
-----END CERTIFICATE-----
</ca>

I'm puzzled as to why it's still hitting port 1194 (and thus the openvpn-bridge instance) rather than 1195.  On the off chance that the client was remembering the old .ovpn file, I created a new one with the above content--still the same result.

Daniel B.
Re: VPN suggestions
« Reply #7 on: December 03, 2014, 07:28:54 PM »
Replace the lines rport, proto and remote with a single one like:

Code:
remote server.example.tld 1195 udp
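The profile change Daniel B. describes (one `remote host port proto` line instead of separate `remote`/`rport`/`proto`, and `dev tun` instead of `dev tap`) can be applied mechanically, and while the profile is parsed it is worth auditing the rest of it. The script below is an added example, not code from the thread or the contrib: it parses the .ovpn format posted in Reply #6 (directives plus inline `<ca>` blocks, a constructed copy with the certificate body redacted), rewrites it for the routed daemon, and flags settings a reviewer would question. The `ns-cert-type` directive is deprecated in favour of `remote-cert-tls server`; with no `cipher`/`auth` directive, OpenVPN 2.3 falls back to BF-CBC and SHA1, which the server log later in the thread (Reply #10) confirms for this setup; BF-CBC is a 64-bit block cipher. The function names and the exact warning wording are this example's own.

```python
"""Parse, rewrite and audit a minimal OpenVPN client profile (.ovpn).
Added example; not part of smeserver-openvpn-routed."""
import re

# Constructed copy of the profile posted in Reply #6 (certificate body redacted).
SAMPLE_OVPN = """\
rport 1195
proto udp
#dev tap
dev tun
nobind
remote e-smith.mydomain.org

tls-client
ns-cert-type server

#auth-user-pass

mtu-test
comp-lzo
pull

<ca>
-----BEGIN CERTIFICATE-----
(redacted)
-----END CERTIFICATE-----
</ca>
"""

INLINE_RE = re.compile(r"^<(\w[\w-]*)>$")

def parse_ovpn(text):
    """Return a list of (directive, [args]). Comments (# or ;) and blank lines
    are dropped; an inline <tag>...</tag> block is kept as one entry
    ("<tag>", [body lines]) so it can be re-emitted unchanged."""
    entries = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        m = INLINE_RE.match(line)
        if m:
            tag = m.group(1)
            body = []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <{tag}> block")
            i += 1  # skip the closing tag
            entries.append((f"<{tag}>", body))
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def to_routed(entries, host=None, port="1195", proto="udp"):
    """Apply the change from Reply #7: fold remote/rport/proto into a single
    'remote host port proto' line and switch a tap device to tun."""
    out = []
    remote_host = host
    remote_written = False
    for name, args in entries:
        if name in ("rport", "port", "proto"):
            continue  # folded into the remote line
        if name == "remote":
            remote_host = remote_host or args[0]
            if not remote_written:
                out.append(("remote", [remote_host, port, proto]))
                remote_written = True
            continue
        if name == "dev" and args and args[0].startswith("tap"):
            args = ["tun"]
        out.append((name, args))
    if not remote_written:
        raise ValueError("profile has no remote directive")
    return out

def audit(entries):
    """Settings in this profile a reviewer would question (wording is ours)."""
    names = {name for name, _ in entries}
    warnings = []
    if "ns-cert-type" in names:
        warnings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    if "cipher" not in names:
        warnings.append("no cipher directive: OpenVPN 2.3 defaults to BF-CBC, a 64-bit block cipher")
    if "auth" not in names:
        warnings.append("no auth directive: HMAC defaults to SHA1")
    if "comp-lzo" in names:
        warnings.append("comp-lzo: compressing encrypted traffic enables VORACLE-style leaks; drop unless required")
    if not names & {"tls-auth", "tls-crypt"}:
        warnings.append("no tls-auth/tls-crypt: the TLS control channel is open to anyone who can reach the port")
    return warnings

def emit(entries):
    """Serialise entries back into .ovpn text."""
    lines = []
    for name, args in entries:
        if name.startswith("<"):
            tag = name[1:-1]
            lines.append(f"<{tag}>")
            lines.extend(args)
            lines.append(f"</{tag}>")
        else:
            lines.append(" ".join([name, *args]))
    return "\n".join(lines) + "\n"
```

`emit(to_routed(parse_ovpn(open("client.ovpn").read())))` produces the profile for the routed daemon; `audit()` on the parsed entries lists what to tighten on the server side as well, since the server decides the data-channel cipher and HMAC that the client ends up using.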

DanB35
Re: VPN suggestions
« Reply #8 on: December 03, 2014, 08:01:09 PM »
OK, partial success.  I made that change, uncommented auth-user-pass, deleted the Authentication property from the config db, and entered a username/password in the OpenVPN client.  And now, success!  It connects!  Unfortunately, I can't connect to anything on the SME Server's LAN, whether to the SME server itself or to other hosts there--the connection times out.

I'd like to be able to authenticate using only the certificates, but that's secondary to being able to connect at all.  I notice that the OpenVPN client shows a "VPN IPv4" of 192.168.10.x, but does not show a "Client IP"--not sure if this is significant.

Daniel B.
Re: VPN suggestions
« Reply #9 on: December 03, 2014, 08:06:12 PM »
Nothing interesting in /var/log/openvpn-routed/current ?

DanB35
Re: VPN suggestions
« Reply #10 on: December 03, 2014, 08:11:57 PM »
Here's what shows there when I connect:
Code:
@40000000547f5e222b203304 Dan Brown/71.229.35.232:55559 SIGTERM[soft,remote-exit] received, client-instance exiting
@40000000547f5fb200100b6c 71.229.35.232:53246 TLS: Initial packet from [AF_INET]71.229.35.232:53246, sid=228ea5d8 31f336a5
@40000000547f5fb31e3861ac 71.229.35.232:53246 CRL CHECK OK: C=US, ST=South Carolina, L=Hartsville, O=Familybrown.org, OU=Certificate Authority, CN=Familybrown.org Certificate Authority, emailAddress=admin@familybrown.org
@40000000547f5fb31e386594 71.229.35.232:53246 VERIFY OK: depth=1, C=US, ST=South Carolina, L=Hartsville, O=Familybrown.org, OU=Certificate Authority, CN=Familybrown.org Certificate Authority, emailAddress=admin@familybrown.org
@40000000547f5fb31e3d052c 71.229.35.232:53246 CRL CHECK OK: C=US, ST=South Carolina, L=Hartsville, O=Familybrown.org, O=21232f297a57a5a743894a0e4a801fc3, OU=OpenVPN Server, CN=Dan Brown, emailAddress=dan@familybrown.org
@40000000547f5fb31e3d0cfc 71.229.35.232:53246 VERIFY OK: depth=0, C=US, ST=South Carolina, L=Hartsville, O=Familybrown.org, O=21232f297a57a5a743894a0e4a801fc3, OU=OpenVPN Server, CN=Dan Brown, emailAddress=dan@familybrown.org
@40000000547f5fb324d09944 71.229.35.232:53246 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
@40000000547f5fb324d11a2c 71.229.35.232:53246 TLS: Username/Password authentication succeeded for username 'dan'
@40000000547f5fb324d29514 71.229.35.232:53246 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
@40000000547f5fb324d2a89c 71.229.35.232:53246 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
@40000000547f5fb324d32984 71.229.35.232:53246 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
@40000000547f5fb324d33d0c 71.229.35.232:53246 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
@40000000547f5fb32ea3c414 71.229.35.232:53246 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
@40000000547f5fb32ea3c414 71.229.35.232:53246 [Dan Brown] Peer Connection Initiated with [AF_INET]71.229.35.232:53246
@40000000547f5fb32ea3fac4 Dan Brown/71.229.35.232:53246 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
@40000000547f5fb32ea448e4 Dan Brown/71.229.35.232:53246 MULTI: Learn: 192.168.10.2 -> Dan Brown/71.229.35.232:53246
@40000000547f5fb32ea4643c Dan Brown/71.229.35.232:53246 MULTI: primary virtual IP for Dan Brown/71.229.35.232:53246: 192.168.10.2
@40000000547f5fb32eafd9d4 Dan Brown/71.229.35.232:53246 PUSH: Received control message: 'PUSH_REQUEST'
@40000000547f5fb32eb00c9c Dan Brown/71.229.35.232:53246 send_push_reply(): safe_cap=940
@40000000547f5fb32eb08d84 Dan Brown/71.229.35.232:53246 SENT CONTROL [Dan Brown]: 'PUSH_REPLY,dhcp-option DOMAIN familybrown.org,dhcp-option DNS 192.168.1.1,dhcp-option WINS 192.168.1.1,comp-lzo adaptive,route-gateway 192.168.10.1,topology subnet,ping 40,ping-restart 180,ifconfig 192.168.10.2 255.255.255.0' (status=1)
@40000000547f5fb5010da164 Dan Brown/71.229.35.232:53246 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.

Nothing shows there when I try to browse on my phone to the server-manager.

Daniel B.
Re: VPN suggestions
« Reply #11 on: December 03, 2014, 08:19:13 PM »
Can you ping 192.168.10.1 from the iOS device ?

DanB35
Re: VPN suggestions
« Reply #12 on: December 03, 2014, 08:23:18 PM »
I can ping 10.1, but not 1.1 or 1.10.

Daniel B.
Re: VPN suggestions
« Reply #13 on: December 03, 2014, 08:32:12 PM »
Ok, so, the VPN itself is working, but there's a problem with routes pushed to the client. I'll try to look at this, but while waiting for a proper fix, this should work around the issue:

Code:
db configuration setprop openvpn-routed RedirectGateway enabled
signal-event openvpn-routed-update
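The log in Reply #10 already contains the explanation for the symptom in Reply #12: the PUSH_REPLY carries `ifconfig 192.168.10.2 255.255.255.0`, `topology subnet` and `route-gateway 192.168.10.1`, but no `route` for the 192.168.1.0/24 LAN, so the phone only installs a route for the VPN subnet and packets to 192.168.1.1 leave through its normal default gateway. The script below is an added example, not the contrib's code: it strips multilog's TAI64N timestamps, pulls the operator-relevant facts (CN, username, cipher, assigned tunnel IP) out of a constructed excerpt of the posted log, and models which destinations the client's pushed options send through the tunnel. It assumes multilog's TAI64N format with the 35-second TAI-UTC offset in effect in December 2014, and assumes the RedirectGateway property pushes `redirect-gateway def1`, which is the usual implementation but is not stated in the thread; a pushed `route 192.168.1.0 255.255.255.0` is shown as the narrower alternative.

```python
"""Read openvpn-routed's multilog output and model the client's routes.
Added example; not part of smeserver-openvpn-routed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the log posted in Reply #10 (DN shortened).
SAMPLE_LOG = """\
@40000000547f5fb200100b6c 71.229.35.232:53246 TLS: Initial packet from [AF_INET]71.229.35.232:53246, sid=228ea5d8 31f336a5
@40000000547f5fb31e3d0cfc 71.229.35.232:53246 VERIFY OK: depth=0, C=US, O=Familybrown.org, OU=OpenVPN Server, CN=Dan Brown, emailAddress=dan@familybrown.org
@40000000547f5fb324d11a2c 71.229.35.232:53246 TLS: Username/Password authentication succeeded for username 'dan'
@40000000547f5fb324d29514 71.229.35.232:53246 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
@40000000547f5fb32ea3fac4 Dan Brown/71.229.35.232:53246 MULTI_sva: pool returned IPv4=192.168.10.2, IPv6=(Not enabled)
@40000000547f5fb32eb08d84 Dan Brown/71.229.35.232:53246 SENT CONTROL [Dan Brown]: 'PUSH_REPLY,dhcp-option DOMAIN familybrown.org,dhcp-option DNS 192.168.1.1,comp-lzo adaptive,route-gateway 192.168.10.1,topology subnet,ping 40,ping-restart 180,ifconfig 192.168.10.2 255.255.255.0' (status=1)
"""

TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")
TAI_EPOCH_OFFSET = 1 << 62
TAI_MINUS_UTC = 35  # assumption: leap-second offset in effect in December 2014

def decode_tai64n(secs_hex, nanos_hex):
    """multilog's @-stamps are TAI64N: 2^62 + TAI seconds, then nanoseconds."""
    utc = int(secs_hex, 16) - TAI_EPOCH_OFFSET - TAI_MINUS_UTC
    return (datetime.fromtimestamp(utc, tz=timezone.utc)
            + timedelta(microseconds=int(nanos_hex, 16) // 1000))

def parse_log(text):
    """Yield (utc datetime, message) for each stamped line."""
    for line in text.splitlines():
        m = TAI64N_RE.match(line)
        if m:
            yield decode_tai64n(m.group(1), m.group(2)), m.group(3)

def session_summary(text):
    """Who connected, how they authenticated, which cipher, which tunnel IP."""
    s = {}
    for _, msg in parse_log(text):
        if m := re.search(r"VERIFY OK: depth=0, .*CN=([^,]+)", msg):
            s["cn"] = m.group(1)
        if m := re.search(r"authentication succeeded for username '([^']+)'", msg):
            s["user"] = m.group(1)
        if m := re.search(r"Data Channel Encrypt: Cipher '([^']+)'", msg):
            s["cipher"] = m.group(1)
        if m := re.search(r"pool returned IPv4=([\d.]+)", msg):
            s["vpn_ip"] = m.group(1)
    return s

def pushed_options(text):
    """Options in the last PUSH_REPLY the server sent."""
    opts = []
    for _, msg in parse_log(text):
        if m := re.search(r"'PUSH_REPLY,(.*)'", msg):
            opts = m.group(1).split(",")
    return opts

def client_routes(opts):
    """Model the tunnel routes a client installs from pushed options:
    ifconfig (connected subnet), route, and redirect-gateway def1."""
    routes = []
    gw = None
    for opt in opts:
        words = opt.split()
        if words[0] == "route-gateway":
            gw = words[1]
        elif words[0] == "ifconfig":
            routes.append((ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False), "tun"))
        elif words[0] == "route":
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            routes.append((ipaddress.ip_network(f"{words[1]}/{mask}", strict=False), gw or "tun"))
        elif words[0] == "redirect-gateway":
            # def1: two /1 routes that win over the client's existing default
            routes.append((ipaddress.ip_network("0.0.0.0/1"), gw or "tun"))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), gw or "tun"))
    return routes

def reachable_via_tunnel(dest, routes):
    """True when some tunnel route covers dest (anything else uses the device's own default)."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net, _ in routes)
```

Running `client_routes(pushed_options(log))` on the posted log yields only 192.168.10.0/24, which is exactly "can ping 10.1, but not 1.1"; appending `route 192.168.1.0 255.255.255.0` makes the LAN reachable without sending the phone's Internet traffic through the server, whereas `redirect-gateway def1` does both, which is why the workaround in Reply #13 helps but is broader than needed.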

DanB35
Re: VPN suggestions
« Reply #14 on: December 03, 2014, 08:35:13 PM »
Yep, with that change, it seems to be working.

Daniel B.
Re: VPN suggestions
« Reply #15 on: December 03, 2014, 10:13:31 PM »
smeserver-openvpn-routed-0.1.3-1.sme is available in fws' repo and should fix this. Could you try and report if it's working without RedirectGateway please ?

DanB35
Re: VPN suggestions
« Reply #16 on: December 03, 2014, 10:26:28 PM »
It appears to be working.  The iPhone connects, I can ping 1.1 and 1.10, and I can browse to servers on the SME Server's LAN.  Thanks!

Daniel B.
Re: VPN suggestions
« Reply #17 on: December 03, 2014, 10:28:24 PM »
You're welcome. If you have some time to document the client configuration on the wiki, that'd be great (I don't have any iOS device myself, so cannot write step by step instructions)

DanB35
Re: VPN suggestions
« Reply #18 on: December 03, 2014, 11:57:41 PM »
Sure thing--it may take a day or two before I can get to it, though.

DanB35
Re: VPN suggestions
« Reply #19 on: December 05, 2014, 02:55:51 PM »
I've put instructions in the wiki, though I'm having trouble getting some of my screen shots to show up.