How to connect to the vpn
From HSG Wiki
Client Information[edit]
Note: you will need an LDAP account to authenticate with the VPN.
The VPN is implemented using OpenVPN. You can either download the client for Windows here, or use NetworkManager with the OpenVPN plugin, or by other means.
Create a file called HSG.ovpn and paste the following content to import it.
client remote vpn.hackerspace.gent port 1194 remote-cert-tls server verify-x509-name "CN=openvpn" <ca> -----BEGIN CERTIFICATE----- MIIDTjCCAjagAwIBAgIUcOFvJu512Mp0VUX+kx/Tn7wNpFwwDQYJKoZIhvcNAQEL BQAwFzEVMBMGA1UEAwwMb3BlbnZwbi4weDIwMB4XDTIxMDcxNDIxMzkzMVoXDTMx MDcxMjIxMzkzMVowFzEVMBMGA1UEAwwMb3BlbnZwbi4weDIwMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHpcpaS5r/NGWbY1mGjn22IGUDQjh2v2/eA/ 3hbcxoQpaXzAqEp0fPw3GTBW46fYQt0CjFTvR8JNhagBV1tKibiTRO09/grOpEcQ v0qV1mp2HStVHqkGiNtEoMREUQOJxuJuWlrh18dnoZDaWR/JIwd0ZDdOmdZ6kPk/ oY/ao988K91XANQwdTR+1IOiClES22XBNWvC8AQ1Q7nM8pEk6YUWdemhcRgum76K 4tbyy6wsmZtROzAvVHUcQlkpYxQfsiHzJcKA+encMczVe6AyEf+0obw7L8RDW9yK brSFrnTnSbznQT2LbaBFBkT1RjUD7HNOktM9K/p56vAhRNDg8QIDAQABo4GRMIGO MB0GA1UdDgQWBBQnz9dqDg5KT7WO4sFhTINo9v+njzBSBgNVHSMESzBJgBQnz9dq Dg5KT7WO4sFhTINo9v+nj6EbpBkwFzEVMBMGA1UEAwwMb3BlbnZwbi4weDIwghRw 4W8m7nXYynRVRf6TH9OfvA2kXDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAN BgkqhkiG9w0BAQsFAAOCAQEAtpbG+0QlDFy1AZcLnBTESrcV7wo9kXIAkGLmdCoU p3vvx0GGu0zlRTEgVYT6f3TtzSYfvUKxPINRECoO7o0kL8WFtqDJegNoq4N0cpIA qO9RcZ5ikWcmWRsdLr+jOqGJrtlVVxsbtcKnOPqRjKvweqPJK2dQLuSK0Kskb59M /3nqGjexICzCa1lhDee1uitYZ8dM6o+/jGauRRNWP8wVTYy0XLmFBJDNFsrwyPiM Vppch0z6EpnftbkoAS13xdXfHeqR5pRmVn2osv4048HPSGqHi5UahtDoxwDg6jJK WDHx35Tw7ZUy6vb7mz6TzxZ/tZFr5U3/lZvkvwKohsUhzg== -----END CERTIFICATE----- </ca> auth-user-pass setenv CLIENT_CERT 0 cipher AES-256-GCM dev tun proto tcp nobind auth-nocache script-security 2 persist-key persist-tun key-direction 1 <tls-auth> -----BEGIN OpenVPN Static key V1----- 4282eb477aef2533a9b03e1cbd6e771e 3f4ec1a0a17e249c56680d6e112bb17e 5b6c2ecffea7c51754983652bb6fb135 fae8c88e479aa8dfdbf11e4d767f2088 a26d8115e0019a8c0fa962602f6f0b3f 24d92567be153119aa8d65beba1a56fd 39420b16d28c2fde26aa984d87386216 52874410651c76d46f46a3f19bc3ef68 ed7dbb6c9421a1b982edea7c6692de63 2e480e5895e21df36963f565cf133ecf c578c9be5dab8d7c852536de45c73ebf 02dc73b5ca7ef2913307c184a89797d6 f3a888558eb076d40cbe0e4c152f97a7 b0fa90aa14c99a9314b9eea7a8928c2c 67a03984578916d2ea14fba252b6e53f 946a1b18d7864cc0341f91915d1640b5 -----END OpenVPN Static key V1----- </tls-auth>
Server installation[edit]
OS of choice: Rocky Linux release 8.4 (Green Obsidian)
Prepare the OS[edit]
# Update the OS dnf update # Install epel-release dnf install -y epel-release # Install necessary packages dnf install -y wget openvpn https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Everything/x86_64/os/Packages/o/openvpn-auth-ldap-2.0.4-3.fc33.x86_64.rpm
Configure certificates using EasyRSA[edit]
# Download EasyRSA and store it in /tmp wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz # Extract tar xfz /tmp/easyrsa # Copy the binary easyrsa to /usr/bin # Do the Crypto dance cd /etc/openvpn/ easyrsa init-pki # Copy some files from the originally extracted folder of EasyRSA cp EasyRSA-3.0.8/openssl-easyrsa.cnf /etc/openvpn/pki/ cp -rf EasyRSA-3.0.8/x509-types/ /etc/openvpn/pki/ # Generate all the things cd /etc/openvpn/ easyrsa build-ca easyrsa gen-req openvpn nopass easyrsa gen-dh easyrsa build-server-full openvpn easyrsa sign-req server openvpn # Generate the static TLS key cd /etc/openvpn/server/ openvpn --genkey --secret ta.key
Prepare LDAP authentication[edit]
# Copy paste the following in /etc/openvpn/auth/ldap.conf <LDAP> # LDAP server URL URL ldap://ipa.hackerspace.gent:389 # Bind DN (If your LDAP server doesn't support anonymous binds) BindDN "uid=openvpn,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent" # Bind Password Password "**************" # Network timeout (in seconds) Timeout 15 # Enable Start TLS TLSEnable no # Follow LDAP Referrals (anonymously) FollowReferrals yes </LDAP> <Authorization> # Base DN BaseDN "cn=users,cn=accounts,dc=hackerspace,dc=gent" # User Search Filter SearchFilter "(uid=%u)" # Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) #PFTable ips_vpn_users # Uncomment and set to true to support OpenVPN Challenge/Response #PasswordIsCR false #<Group> # Default is true. Match full user DN if true, uid only if false. # RFC2307bis true # Default is true. Uncomment and set to false if you want to use a Search operation to determine group # membership instead of Compare. Lower performance, so Compare should generally be used, but Search is # required in certain LDAP environments. # UseCompareOperation true #BaseDN "ou=Groups,dc=example,dc=com" #SearchFilter "(|(cn=developers)(cn=artists))" #MemberAttribute uniqueMember # Add group members to a PF table (disabled) #PFTable ips_vpn_eng #</Group> </Authorization>
Configure OpenVPN[edit]
# Copy server configuration in /etc/openvpn/server/server.conf # Load LDAP authentication plugin plugin /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf # Set Server Port port 1194 # Protocol proto tcp # Router Tunnel dev tun # Network topology topology subnet # VPN network server 10.20.3.0 255.255.255.0 # Push routes to client push "route 10.20.0.0 255.255.0.0" # Push DHCP options push "dhcp-option DOMAIN-SEARCH 0x20" push "dhcp-option DNS 10.20.0.253" # Extra TLS shizzel tls-auth /etc/openvpn/server/ta.key 0 # As we're using LDAP, each client can use the same certificate duplicate-cn # Do not force renegotiation of client reneg-sec 0 verify-client-cert optional username-as-common-name # Le Ca key /etc/openvpn/pki/private/openvpn.key cert /etc/openvpn/pki/issued/openvpn.crt ca /etc/openvpn/pki/ca.crt # Diffie-Helman dh /etc/openvpn/pki/dh.pem # Allow clients to see each-other client-to-client # Keepalive keepalive 10 120 # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Notify the client that when the server restarts so it # can automatically reconnect. (udp only) #explicit-exit-notify 1 # Logging log /var/log/openvpn.log
Enable IP Routing[edit]
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/10-ip4-forwarding.conf # Restart networking for the change to take effect systemctl restart network.service
Start OpenVPN[edit]
systemctl enable openvpn-server@server systemctl start openvpn-server@server
Configure the Firewall[edit]
# Enable masquerading firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.20.3.0/24 -o ens18 -j MASQUERADE # Open OpenVPN ports firewall-cmd --zone=public --add-port=1194/tcp --permanent firewall-cmd --zone=public --add-port=1194/udp --permanent # Apply changes firewall-cmd --reload
Troubleshoot[edit]
OpenVPN writes its logs in /var/log/openvpn.log
Successful connection[edit]
Connection has been successfully established and user has authenticated through LDAP and was allocated an IP address.
TCP connection established with [AF_INET]10.20.2.2:51306 10.20.2.2:51306 peer info: IV_VER=2.5.1 10.20.2.2:51306 peer info: IV_PLAT=linux 10.20.2.2:51306 peer info: IV_PROTO=6 10.20.2.2:51306 peer info: IV_NCP=2 10.20.2.2:51306 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM 10.20.2.2:51306 peer info: IV_LZ4=1 10.20.2.2:51306 peer info: IV_LZ4v2=1 10.20.2.2:51306 peer info: IV_LZO=1 10.20.2.2:51306 peer info: IV_COMP_STUB=1 10.20.2.2:51306 peer info: IV_COMP_STUBv2=1 10.20.2.2:51306 peer info: IV_TCPNL=1 10.20.2.2:51306 [carroarmato0] Peer Connection Initiated with [AF_INET]10.20.2.2:51306 carroarmato0/10.20.2.2:51306 MULTI_sva: pool returned IPv4=10.20.3.2, IPv6=(Not enabled)
LDAP failure / User not found[edit]
TCP connection established with [AF_INET]10.20.2.2:51310 10.20.2.2:51310 peer info: IV_VER=2.5.1 10.20.2.2:51310 peer info: IV_PLAT=linux 10.20.2.2:51310 peer info: IV_PROTO=6 10.20.2.2:51310 peer info: IV_NCP=2 10.20.2.2:51310 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM 10.20.2.2:51310 peer info: IV_LZ4=1 10.20.2.2:51310 peer info: IV_LZ4v2=1 10.20.2.2:51310 peer info: IV_LZO=1 10.20.2.2:51310 peer info: IV_COMP_STUB=1 10.20.2.2:51310 peer info: IV_COMP_STUBv2=1 10.20.2.2:51310 peer info: IV_TCPNL=1 LDAP user "carroarmato00" was not found. 10.20.2.2:51310 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so 10.20.2.2:51310 TLS Auth Error: Auth Username/Password verification failed for peer 10.20.2.2:51310 Peer Connection Initiated with [AF_INET]10.20.2.2:51310 10.20.2.2:51310 Connection reset, restarting [0]
LDAP failure / Incorrect user password[edit]
TCP connection established with [AF_INET]10.20.2.2:51308 10.20.2.2:51308 peer info: IV_VER=2.5.1 10.20.2.2:51308 peer info: IV_PLAT=linux 10.20.2.2:51308 peer info: IV_PROTO=6 10.20.2.2:51308 peer info: IV_NCP=2 10.20.2.2:51308 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM 10.20.2.2:51308 peer info: IV_LZ4=1 10.20.2.2:51308 peer info: IV_LZ4v2=1 10.20.2.2:51308 peer info: IV_LZO=1 10.20.2.2:51308 peer info: IV_COMP_STUB=1 10.20.2.2:51308 peer info: IV_COMP_STUBv2=1 10.20.2.2:51308 peer info: IV_TCPNL=1 LDAP bind failed: Invalid credentials Incorrect password supplied for LDAP DN "uid=carroarmato0,cn=users,cn=accounts,dc=hackerspace,dc=gent". 10.20.2.2:51308 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so 10.20.2.2:51308 TLS Auth Error: Auth Username/Password verification failed for peer 10.20.2.2:51308 Peer Connection Initiated with [AF_INET]10.20.2.2:51308 10.20.2.2:51308 Connection reset, restarting [0]
Incorrect TLS certificate[edit]
Potentially someone is trying to connect without a correct static TLS cert to authenticate themselves.
TCP connection established with [AF_INET]10.20.2.2:51264 10.20.2.2:51264 Connection reset, restarting [0] TCP connection established with [AF_INET]10.20.2.2:51266 10.20.2.2:51266 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] 10.20.2.2:51266 Connection reset, restarting [0]