rss logo

My OpenVPN Configuration Notes

OpenVPN Logo

Intro

OpenVPN has many parameters to play with.

Here I'll give some configuration tips I use. I traditionally use Debian to configure my OpenVPN server. Consequently, the manipulations presented below will be strongly debian-oriented.

Server-side or Client-side?

We can choose to set the configurations wherever we like (on the server or client side). The main difference is that we need to add the push keyword on the server side, and it will of course be applied to all clients.

Example

Let's see the difference if we want to define the same configuration on both sides. Here's an example with a DNS entry.

  • Client side:
dhcp-option DNS 192.168.0.200
  • Server side:
push "dhcp-option DNS 192.168.0.200"

DNS

Set DNS configuration

  • If we want to define a specific DNS server and DOMAIN:
dhcp-option DNS 192.168.0.200
dhcp-option DOMAIN domain.local

Filtering

It may be useful to authorize only certain network flows on our VPN.

Netfilter/iptables

  • Accept RDP and DNS traffic only:
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p udp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p udp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -j DROP

Routing

Gateway mode

Here's how to enable VPN routing on Debian.

  • Edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
  • Run the sysctl command to take the change into account:
root@host:~# sysctl -p /etc/sysctl.conf
  • Use the iptables command to enable NAT and allow clients access the internal network:
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE

Add network route configuration

  • The 192.168.1.0/24 network will be accessible via the OpenVPN tunnel:
route 192.168.1.0 255.255.255.0

Excluding routes

Here's an example, where we want only addresses 192.168.0.251 and 192.168.0.250 to be accessible through the VPN, while the rest of 192.168.0.0/24 network will be accessible via the local network. Particularly useful when Client and Server are on the same subnet.

route 192.168.0.251 255.255.255.255
route 192.168.0.250 255.255.255.255
route 192.168.0.0 255.255.255.0 net_gateway

Improve Security

ta.key

To prevent Portscanning, DOS attacks on the OpenVPN UDP port, SSL/TLS handshake initiations from unauthorized machines and any potential buffer overflow vulnerabilities in the SSL/TLS implementation (see: https://wiki.archlinux.org/), we can add the HMAC key protection.

  • Generate a ta.key:
root@host:~# openvpn --genkey --secret /etc/openvpn/pki/issued/ta.key
  • Add this line to /etc/openvpn/server.conf:
tls-crypt /etc/openvpn/pki/issued/ta.key 0
  • Add the file ta.key, and this line to the client configuration file:
tls-crypt ta.key 1

Server Certificate Verification Method

OpenVPN adds the ability to prevent possible Man-in-the-Middle attacks. If this is not set, you should see this message in the client log: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.. Here's how to set it up.

  • Add this line to the client configuration file:
remote-cert-tls server
  • Restart the OpenVPN service:
root@host:~# /etc/init.d/openvpn restart

Revoking certificate

If certificates have been compromised (e.g. a user's laptop has been stolen) or if a user no longer works for the company, it can be useful to know how to revoke a certificate to render its use ineffective.

Old method with old versions of easy-rsa

  • Load vars and run revoke-full:
root@host:~# . ./vars
root@host:~# ./revoke-full user
  • Edit /etc/openvpn/server.conf and add (depending on the location of its crl.pem file):
[…]
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
[…]

New method with easy-rsa 3

  • Edit the file /etc/openvpn/pki/vars:
#Sets EasyRSA certificate revocation list validity to 10 years.
set_var EASYRSA_CRL_DAYS       3650
  • Run the revoke certificate command:
root@host:~# /usr/share/easy-rsa/easyrsa revoke user
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = client_revoker


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/pki/easy-rsa-1425.nUpHJc/tmp.r2wWDy
Revoking Certificate 1EA551CC14F3856B8A30CD92BAE6F3BE.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
  • Generate a crl.pem file:
root@host:~# /usr/share/easy-rsa/easyrsa gen-crl
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Using configuration from /etc/openvpn/pki/easy-rsa-1468.2IiBpN/tmp.0UJjU8

An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
  • Edit /etc/openvpn/server.conf and add:
[…]
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
[…]
  • Restart the OpenVPN service:
root@host:~# systemctl restart openvpn@server.service

Renew the crl certificate

  • To renew the CRL certificate, simply run these commands:
root@host:~# /usr/share/easy-rsa/easyrsa gen-crl
root@host:~# systemctl restart openvpn@server.service

Check user certificate validity

  • We can check if a user certificate has been revoked or not with this command:
root@host:~# openssl verify -crl_check -CRLfile /etc/openvpn/easy-rsa/keys/crl.pem -CAfile /etc/openvpn/pki/ca.crt /etc/openvpn/pki/issued/user.crt
  • We can check all certificates with this command:
root@host:~# openssl verify -crl_check -CRLfile /etc/openvpn/easy-rsa/keys/crl.pem -CAfile /etc/openvpn/pki/ca.crt /etc/openvpn/pki/issued/*

Renewing certificates

Renew Server Certificates

For the message WARNING: Your certificate has expired!.

  • Check the validity of the certificate:
root@host:~# openssl x509 -in /etc/openvpn/pki/issued/server.crt -noout -text | grep -i "not after"
  • Renew the server certificates:
root@host:~# ./easyrsa renew server nopass
  • Copy the newly created certificates:
root@host:~# copy server.crt /etc/openvpn/pki/issued/server.crt
root@host:~# copy server.key /etc/openvpn/pki/private/server.key
  • Restart the service:
root@host:~# systemctl restart openvpn@server.service

Renew a Client certificates

  • Renewing client certificates:
root@host:~# ./easyrsa renew user01 nopass

Finally, replace the newly created ./private/user01.key and ./issued/user01.crt files in the client workstation's openvpn configuration folder.

Miscellaneous

Show current sessions

  • Add this line to server.conf:
status /var/log/openvpn-status.log
  • To view current sessions:
root@host:~# cat /var/log/openvpn-status.log