Howto build a vpn tunnel between two Sme7 servers with Openvpn

Intro

You have two sites with computers and you want the computers on one site to access some or all of the computers on the other site (or the other way around). One solution is to connect those sites via the internet, but that leaves your data travelling back and forth over the internet, open to eavesdropping.
A better solution is to connect the sites via a VPN. IPsec would be a good choice, but it often becomes very complex and has problems with NAT. PPTP is not really a good solution. With two Sme7 gateway servers you can connect the sites via OpenVPN. In Linux Journal I have already explained how to let road warriors use OpenVPN to connect to your networks in a safe manner.
At the beginning of 2007 I set up a road-warrior setup with OpenVPN 2.0.9. I have documented the config files of server and client for you. It uses some extras, like password authentication as well as certificates to authenticate.
OpenVPN is "a full-featured SSL VPN solution", as they write on their site, and it is. In a very simple setup you can easily and safely route traffic over SSL/TLS between your sites. If you do not want an Sme7 host as your border gateway but do want to use OpenVPN, you can also set up Sme7 on some internal or DMZ machine, as long as you can forward UDP port 1194 from the internet to it.

In the setup laid out below we will be doing the following:

Network setup


The setup we will be making is as follows:
We have two separate networks that are connected over the internet. Both have an Sme7 server/gateway firewalling and NATing the internal network to the internet. They will be the endpoints of an OpenVPN SSL/TLS tunnel with public-key authentication. We will be our own certificate authority for the certificates used. The details we will be using in the examples below are:

So the network can be visualized like this:

Overview
network ------ sme7client ------ internet ------ sme7server ------ network

Tunnel layer (the tunnel addresses used in the config files below)
.............10.4.0.2==============vpn==============10.4.0.1.............

IP addresses
....10.22.22.1/Eth0--Eth1/213.4.3.2---internet---213.4.3.1/Eth1--Eth0/10.12.12.1....

Internal networks
10.22.22.0/24............................................................10.12.12.0/24

So lets get to work

Install the sme7 openvpn packages on the server

Follow the howto of sme.swerts-knudsen.com:
cd /root
mkdir openvpn
cd openvpn
wget http://sme.swerts-knudsen.com/downloads/OpenVPN/SME7/lzo-1.08-4.2.el4.rf.i386.rpm
wget http://sme.swerts-knudsen.com/downloads/OpenVPN/SME7/openvpn-2.0.2-1.2.el4.rf.i386.rpm
wget http://sme.swerts-knudsen.com/downloads/OpenVPN/smeserver-openvpn-0.0.1-2.noarch.rpm
rpm -Uvh *.rpm

Next, enable the service (this also opens UDP port 1194 in the Sme7 firewall):
config set openvpn service status enabled access public UDPPort 1194
signal-event remoteaccess-update

Create keys on the server

Now it's time to create the TLS keys and the CA certificate used to issue them.
We will be using TLS with certificates for authentication. The next steps create the certificates and the DH (Diffie-Hellman) parameters (DH is used to agree on the session key that encrypts the tunnel).
The OpenVPN configs live in /etc/openvpn. First we need to edit the file with default values to match our installation: open the file "vars" in /etc/openvpn/easy-rsa and edit the defaults at the bottom of the file to reflect your setup. The paths should be correct as they are.
cd /etc/openvpn/easy-rsa
vi vars (or pico vars)

Now we can create the CA (master) certificate, since we are our own certificate authority. Accept the defaults you entered into the vars file. You will need to enter values for "Organizational Unit Name", which you can set to "VPN", and "Common Name", which could be set to "server".

. vars
./clean-all
./build-ca

Below are the variables I used:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key

Country Name (2 letter code) [EDIT]:nl
State or Province Name (full name) [EDIT]:
Locality Name (eg, city) [EDIT]:Nijmegen
Organization Name (eg, company) [contribstest.org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [hanscees@contribstest.org]:

Now we build the certificate/private-key pairs for the server and the client. Again choose "Organizational Unit Name" and "Common Name" as above.
Do not add "A challenge password" when asked; just press <ENTER>.
The same goes for "An optional company name". Sign the certificate at the end.

./build-key server
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key

This is what I used:
countryName           :PRINTABLE:'nl'
stateOrProvinceName   :PRINTABLE:'EDIT'
localityName          :PRINTABLE:'Nijmegen'
organizationName      :PRINTABLE:'contribstest.org'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'hanscees@contribstest.org'
Certificate is to be certified until Mar 13 23:19:31 2016 GMT (3650 days)

Now it's time for the client certificate, which is made pretty much the same way. Use "client" as "Common Name" and "VPN" for "Organizational Unit Name". Do not add "A challenge password" when asked; just press <ENTER>.
The same goes for "An optional company name". Sign the certificate at the end.
./build-key client
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key

The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'nl'
stateOrProvinceName   :PRINTABLE:'EDIT'
localityName          :PRINTABLE:'Nijmegen'
organizationName      :PRINTABLE:'contribstest.org'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'hanscees@contribstest.org'
Certificate is to be certified until Mar 13 23:20:49 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

Finally we build the Diffie-Hellman parameters:

./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................

And it can take a long time. Your generated keys will be in /etc/openvpn/easy-rsa/keys. The key names "server" and "client" are simply descriptive; choose names that suit your setup. You can create as many keys as you like using the above method. ./clean-all wipes your keys directory, including the CA, so be careful: a peer certificate issued by a CA that was wiped afterwards will no longer verify against the new ca.crt. Note that this version of easy-rsa defaults to 1024-bit RSA keys and DH parameters (KEY_SIZE in vars); that was acceptable in 2007 but is too weak today, so set KEY_SIZE to 2048 before running ./build-ca if you follow this howto now (build-dh then produces dh2048.pem; adjust the config files accordingly).

[root@sme7pre4 easy-rsa]# pwd
/etc/openvpn/easy-rsa

Now be careful! The private keys are the secret part: ca.key (which never has to leave this machine at all, it is only used to sign certificates), server.key and client.key. Anyone who holds one of them can authenticate as that peer (or, with ca.key, issue new peer certificates) and get into your network and to your data, and worse. The certificates (*.crt) and dh1024.pem are public and may be shared freely. Keep the .key files private, readable by root only!!


The newly generated files need to be copied to the OpenVPN directory. The server itself only needs ca.crt, server.crt, server.key and dh1024.pem; client.crt and client.key are copied here only as a staging place for the transfer to the client:
cp keys/ca.crt ..
cp keys/server.crt ..
cp keys/server.key ..
cp keys/client.crt ..
cp keys/client.key ..
cp keys/dh1024.pem ..

Make a log directory:
mkdir -p /var/log/openvpn

For the client, copy these files to the sme7client's /etc/openvpn directory later on in this howto (dh1024.pem is only used by the tls-server side, so the client does not really need it, but it does no harm):
/etc/openvpn/ca.crt
/etc/openvpn/client.crt
/etc/openvpn/client.key
/etc/openvpn/dh1024.pem
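Before any file crosses to the other site it is worth checking that the right things, and only the right things, are about to be copied. The script below is an added example (mine, not part of this howto or of the easy-rsa package): it checks that the .key files are readable by their owner only, refuses a client bundle that contains ca.key or server.key, verifies with openssl that server.crt and client.crt really chain to ca.crt, and reports whether server.crt carries the nsCertType=server extension (which the client's ns-cert-type server option needs). KEYDIR and the file names follow the howto; the "audit" and "bundle" subcommands are my own.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit the files produced
# by easy-rsa before copying anything to the other end.
#   ./check-keys.sh audit  [KEYDIR]        -> chain, permissions, nsCertType
#   ./check-keys.sh bundle DIR client|server -> is DIR safe to copy to that peer?
# Only the paths and file names of the howto are assumed.

KEYDIR=${KEYDIR:-/etc/openvpn/easy-rsa/keys}

# True if the file exists and has no group/other permission bits.
# (ls output is portable; stat's format flags differ between systems.)
owner_only() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# bundle_ok DIR PEER  (PEER is "server" or "client")
# 0 if DIR holds what PEER needs and no private key that is not its own.
bundle_ok() {
    dir=$1 peer=$2
    for f in ca.crt "$peer.crt" "$peer.key"; do
        [ -f "$dir/$f" ] || { echo "$peer bundle: missing $f"; return 1; }
    done
    if [ "$peer" = server ] && [ ! -f "$dir/dh1024.pem" ]; then
        echo "server bundle: missing dh1024.pem"; return 1
    fi
    for f in "$dir"/*.key; do
        case ${f##*/} in
            "$peer.key") ;;
            *) echo "$peer bundle: $f does not belong here"; return 1 ;;
        esac
    done
    owner_only "$dir/$peer.key" || { echo "$peer.key is readable by others"; return 1; }
}

# chain_ok CA.CRT CERT: does CERT verify against our own CA?
# Catches a peer cert issued before a ./clean-all wiped and recreated the CA.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# server_type_ok CERT: built with build-key-server (nsCertType=server)?
server_type_ok() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'SSL Server'
}

# audit [DIR]: run all checks on a keys directory, one verdict per line.
audit() {
    dir=${1:-$KEYDIR}
    rc=0
    for peer in server client; do
        if chain_ok "$dir/ca.crt" "$dir/$peer.crt"; then
            echo "ok:   $peer.crt chains to ca.crt"
        else
            echo "FAIL: $peer.crt does not verify against ca.crt"; rc=1
        fi
        if owner_only "$dir/$peer.key"; then
            echo "ok:   $peer.key is private"
        else
            echo "FAIL: $peer.key is missing or readable by others"; rc=1
        fi
    done
    owner_only "$dir/ca.key" || { echo "FAIL: ca.key is missing or readable by others"; rc=1; }
    if server_type_ok "$dir/server.crt"; then
        echo "ok:   server.crt has nsCertType=server (ns-cert-type server can be enabled)"
    else
        echo "note: server.crt lacks nsCertType=server; rebuild it with ./build-key-server to use ns-cert-type"
    fi
    return $rc
}

case "$1" in
    audit)  audit "$2" ;;
    bundle) bundle_ok "$2" "$3" ;;
esac
```

Run "audit" on the CA host before the copy step, and "bundle <dir> client" on the directory you are about to transfer. The chain check is the one that saves the most time: a peer certificate issued by an older, since wiped CA looks perfectly fine on disk but is rejected during the TLS handshake.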

Install openvpn on client

Now we install OpenVPN on the client exactly the same way as on the server. Use the same steps as above, only do not make keys and certificates:
cd /root
mkdir openvpn
cd openvpn
wget http://sme.swerts-knudsen.com/downloads/OpenVPN/SME7/lzo-1.08-4.2.el4.rf.i386.rpm
wget http://sme.swerts-knudsen.com/downloads/OpenVPN/SME7/openvpn-2.0.2-1.2.el4.rf.i386.rpm
wget http://sme.swerts-knudsen.com/downloads/OpenVPN/smeserver-openvpn-0.0.1-2.noarch.rpm
rpm -Uvh *.rpm

Next, enable the service:
config set openvpn service status enabled access public UDPPort 1194
signal-event remoteaccess-update

Copy these client files to the /etc/openvpn directory on the sme7client over an encrypted channel, e.g. scp or sftp (WinSCP on Windows); never send client.key by mail or plain FTP, and make it readable by root only once it is there:
/etc/openvpn/ca.crt
/etc/openvpn/client.crt
/etc/openvpn/client.key
/etc/openvpn/dh1024.pem

Preparing the config files

Now we need to install two files on both server and client: a conf file (server.conf or client.conf) and a script (openvpn.up). The files live in /etc/openvpn. The Sme7 init script will use server.conf or client.conf automatically (it picks client.conf first if it exists).

Server config

The server.conf with the IP addresses as described above should look like this:
###########server.conf##################
# server.conf, see http://openvpn.net/howto.html
# Either use "remote" + "ifconfig" (point-to-point, as here),
# or "mode server" + "server" (multi-client); not both.
##remote
remote 213.4.3.2                  # public address of the other end
ifconfig 10.4.0.1 10.4.0.2        # our tunnel address, their tunnel address
##mode server
#mode server
#server 10.4.0.0 255.255.255.0

proto udp
port 1194
#optional: which local address to listen on
#local 213.4.3.1
dev tun
tls-server
dh dh1024.pem                     # DH parameters, only needed on the tls-server side
ca ca.crt                         # our own CA, used to verify the peer's certificate
cert server.crt
key server.key                    # must be kept secret
#secret static.key                # you could do without certificates, please don't
comp-lzo                          # enable compression on the VPN link
user nobody                       # drop privileges once the tunnel is up
group nobody
daemon
keepalive 10 60                   # ping every 10s, restart after 60s of silence
ping-timer-rem
up ./openvpn.up                   # runs as root, before the switch to nobody
persist-tun                       # keep tun device and key material across restarts
persist-key                       # (needed because we cannot reopen them as nobody)
status-version 2
status /var/log/openvpn/openvpn-status.log
verb 3
#########################################

The openvpn.up script in the same directory on the server should look like this:
###########################
#!/bin/sh
#on server route the client's network to the other side's tun-ip
#you should add this route in sme7 server-manager as well or it will disappear
route add -net 10.22.22.0 netmask 255.255.255.0 gw 10.4.0.2
#let openvpn traffic in and out (not needed on sme7: the openvpn service
#entry made with "config set" above already opens UDP 1194)
#iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
#traffic over the tunnel to the server itself (only icmp, for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
######################################

Make the script executable:
chmod 700 *.up

For the route above to survive between events on the sme7 machine, you will need to add the network on the other side of the tunnel as a local network in the server-manager (https://yoursme7server/server-manager, login as admin) under the Security section. Add a local network "10.22.22.0" with gateway "10.4.0.2".

fire it up!
service openvpn start
Obviously you can stop the service with "stop" and restart it with "restart".

ps waux now shows:
nobody    3622  0.0  0.8  5096 2072 ?        Ss   00:40   0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn

So now openvpn runs on the server. ifconfig shows your tunnel device tun0:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.0.1  P-t-P:10.4.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

If you don't see what ps and ifconfig show above, see the troubleshooting section.

Client config

On the client in /etc/openvpn make a client.conf:

###########client.conf##################
# client.conf
remote 213.4.3.1 1194             # public address and port of the server
## Either use "ifconfig" (point-to-point, as here) or "client".
## When the server uses "mode server"/"server", the client must use "client";
## only use "ifconfig" if the server also uses "remote".
ifconfig 10.4.0.2 10.4.0.1        # our tunnel address, the server's tunnel address
#client

proto udp
dev tun
tls-client
# The two lines below make the client insist that the peer presents a
# *server* certificate; they need the server cert built with build-key-server.
# remote-cert-tls only exists from OpenVPN 2.1 on.
#ns-cert-type server
#remote-cert-tls server
dh dh1024.pem                     # only used by the tls-server side; harmless here
ca ca.crt
cert client.crt
key client.key                    # must be kept secret
comp-lzo
user nobody
group nobody
daemon
keepalive 10 60
ping-timer-rem
up ./openvpn.up
persist-tun
persist-key
status-version 2
status /var/log/openvpn/openvpn-status.log
verb 3
#########################################

About the two commented-out lines: without ns-cert-type server (or remote-cert-tls server, which only exists from OpenVPN 2.1 on) the client accepts any certificate signed by our CA as the server's, so a second client certificate could be used to impersonate the server towards this client. With only the one client certificate issued here that is harmless; if you issue more, build the server certificate with ./build-key-server instead of ./build-key (that adds the nsCertType=server extension) and uncomment ns-cert-type server.

Make an openvpn.up on the client:
###########################
#!/bin/sh
#on client route the server's network to the other side's tun-ip
#you should add this route in server-manager as well or it will disappear on sme7
route add -net 10.12.12.0 netmask 255.255.255.0 gw 10.4.0.1
#let openvpn traffic in and out (redundant on sme7 because of the openvpn
#service entry made with "config set" above, but harmless)
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
#traffic over the tunnel to the client itself (only icmp, for ping)
iptables -A INPUT -i tun+ -p icmp -j ACCEPT
iptables -A OUTPUT -o tun+ -p icmp -j ACCEPT
#allow a network over the tun devices
iptables -A FORWARD -i tun+ -j ACCEPT
logger "openvpn is up"
######################################

Make the script executable:
chmod 700 *.up

For the route above to survive between events on the sme7 machine, you will need to add the network on the other side of the tunnel as a local network in the server-manager (https://yoursme7server/server-manager, login as admin) under the Security section. Add a local network "10.12.12.0" with gateway "10.4.0.1".
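The two up scripts above share one weakness: they append their rules with -A every time openvpn starts and nothing ever removes them, so every restart of the service leaves another copy of each rule behind, and "route add" fails outright when the route already exists. The script below is an added example (mine, not from this howto or from the OpenVPN project) that replaces both up scripts with one file used for up and down. It deletes a rule before appending it, uses "ip route replace" instead of "route add", and takes the interface name and the peer's tunnel address from the dev and ifconfig_remote variables that OpenVPN exports to its scripts, so only REMOTE_NET differs between the two sides (the defaults shown are the server side). Holding the command names in variables is my addition, purely so the logic can be exercised without root; it is not an OpenVPN feature.

```shell
#!/bin/sh
# Added example, not from the original howto: one up/down script for the
# point-to-point tun link that can run any number of times without piling
# up duplicate iptables rules. Hook it in from the .conf with
#     up   "./openvpn.updown up"
#     down "./openvpn.updown down"
# OpenVPN sets $dev and $ifconfig_remote before running up/down scripts.
# Defaults are the server side of the howto; the client side uses
# REMOTE_NET=10.12.12.0/24 and receives ifconfig_remote=10.4.0.1.
# Command names are variables only so the logic can be tested without root.

IPTABLES=${IPTABLES:-iptables}
IP=${IP:-ip}
LOGGER=${LOGGER:-logger}
REMOTE_NET=${REMOTE_NET:-10.22.22.0/24}   # LAN behind the far end
DEV=${dev:-tun0}
PEER=${ifconfig_remote:-10.4.0.2}         # far end's tunnel address

# Apply "$@" (a function name) to every tunnel rule. The rules carry no
# -A/-D so the same list serves for adding and deleting.
each_rule() {
    "$@" "INPUT -i $DEV -p icmp -j ACCEPT" &&
    "$@" "OUTPUT -o $DEV -p icmp -j ACCEPT" &&
    "$@" "FORWARD -i $DEV -j ACCEPT" &&
    "$@" "FORWARD -o $DEV -j ACCEPT"
}

# Delete every copy of a rule. Old iptables has no -C (check), so loop
# until -D reports "no such rule" instead of checking first.
del_rule() {
    while $IPTABLES -D $1 2>/dev/null; do :; done
}

# Delete-then-append: after a restart, or after running this by hand when
# the "masq" script has flushed the tables, exactly one copy remains.
add_rule() {
    del_rule "$1" && $IPTABLES -A $1
}

vpn_up() {
    each_rule add_rule || return 1
    # "replace" succeeds whether or not the route already exists,
    # where "route add" errors out the second time round
    $IP route replace "$REMOTE_NET" via "$PEER" dev "$DEV" || return 1
    $LOGGER "openvpn up: $REMOTE_NET via $PEER on $DEV" 2>/dev/null
    return 0
}

vpn_down() {
    each_rule del_rule
    $IP route del "$REMOTE_NET" via "$PEER" dev "$DEV" 2>/dev/null
    $LOGGER "openvpn down: $DEV" 2>/dev/null
    return 0
}

case "$1" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

One caveat from the OpenVPN manual: with user nobody the down script runs after privileges have been dropped, so its iptables and route deletions fail (silently, here). The delete-before-add in the up half is what keeps the tables clean across restarts; the down half only takes effect if you run without user/group or call it from the init script as root. It is also safe to run "./openvpn.updown up" by hand after the masq script has flushed the tables.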

fire it up!
service openvpn start
Obviously you can stop the service with "stop" and restart it with "restart".

As with the server, you can use "ps waux" and "ifconfig" to check if openvpn is up and if tun0 is up.

Test the tunnel

To test the tunnel, first you should be able to ping from the sme7server to the client and back. On the server do:
ping 10.4.0.2
That should work. On the client do:
ping 10.4.0.1
That should work too.
Then try to ping to and from the internal networks, e.g. 10.12.12.1 from a machine on 10.22.22.0/24 and the other way around.

Troubleshooting


If this does not work, troubleshooting can be painful. Basically your best bet is to:

check with a simple openvpn setup

First shut down openvpn on both server and client:
service openvpn stop
killall openvpn
ps waux | egrep openv
should show no more openvpn processes.
Then run a bare tunnel in the foreground, without TLS, to test only the UDP path and the tun routing. OpenVPN will warn that all encryption and authentication are disabled; that is expected, but stop this tunnel again as soon as the test is done. On the server do:
openvpn --remote 213.4.3.2 --dev tun0 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
on the client:
openvpn --remote 213.4.3.1 --dev tun0 --ifconfig 10.4.0.2 10.4.0.1 --verb 9

Now pinging should work:
on server:
ping 10.4.0.2
on client:
ping 10.4.0.1
If pinging succeeds, UDP port 1194 gets through the firewalls in both directions and the iptables rules are fine, so the remaining problem is in the TLS part (certificates and keys, checked in the next step). If not, the problem is in firewalling or routing, not in the certificates. I wish you well....

On the client add a route to the other side:
route add -net 10.12.12.0 netmask 255.255.255.0 gw 10.4.0.1
and you should be able to ping 10.12.12.1 via the tunnel.

You can check this on the server:
tcpdump -i tun0:
23:25:20.189752 IP 10.4.0.2 > 10.12.12.1: icmp 64: echo request seq 5
23:25:20.189782 IP 10.12.12.1 > 10.4.0.2: icmp 64: echo reply seq 5

Check this also with TLS certificates (--reneg-sec 60 forces a renegotiation of the data-channel key every minute, so the TLS handshake gets exercised repeatedly during the test):
on server
openvpn --remote 213.4.3.2 --dev tun0 --ifconfig 10.4.0.1 10.4.0.2 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5

on client
openvpn --remote 213.4.3.1 --dev tun0 --ifconfig 10.4.0.2 10.4.0.1 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
You should be able to ping again.

Conclusion

If all went well you have now built yourself an SSL/TLS VPN with OpenVPN. You can tinker with the iptables rules to open up or lock down things more precisely. Success!

Feedback

If you have questions on this howto please open a question in the forums at contribs.org and send me an email about it.

todo

The iptables rules we use are not really well integrated with the sme7 iptables script called "masq". If that script restarts, your iptables rules may be flushed. Also, because the up script appends its rules with -A on every start and nothing removes them, each restart of the openvpn service adds another copy of each rule. If you find the tunnel "stops" working, check /var/log/messages and look for events around the time the trouble began. If this does happen, let me know and we can find a solution.