How to connect to the VPN

From HSG Wiki

Client Information

Note: you will need an LDAP account to authenticate with the VPN.

The VPN is implemented using OpenVPN. You can use the OpenVPN client for Windows, NetworkManager with the OpenVPN plugin, or any other OpenVPN-compatible client.

Create a file called HSG.ovpn with the following content and import it into your client.

client
remote vpn.hackerspace.gent
port 1194
remote-cert-tls server
verify-x509-name "CN=openvpn"
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
auth-user-pass
setenv CLIENT_CERT 0
cipher AES-256-GCM
dev tun
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4282eb477aef2533a9b03e1cbd6e771e
3f4ec1a0a17e249c56680d6e112bb17e
5b6c2ecffea7c51754983652bb6fb135
fae8c88e479aa8dfdbf11e4d767f2088
a26d8115e0019a8c0fa962602f6f0b3f
24d92567be153119aa8d65beba1a56fd
39420b16d28c2fde26aa984d87386216
52874410651c76d46f46a3f19bc3ef68
ed7dbb6c9421a1b982edea7c6692de63
2e480e5895e21df36963f565cf133ecf
c578c9be5dab8d7c852536de45c73ebf
02dc73b5ca7ef2913307c184a89797d6
f3a888558eb076d40cbe0e4c152f97a7
b0fa90aa14c99a9314b9eea7a8928c2c
67a03984578916d2ea14fba252b6e53f
946a1b18d7864cc0341f91915d1640b5
-----END OpenVPN Static key V1-----
</tls-auth>
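A check for a client profile like the one above, added here as an example (not from the wiki or from OpenVPN): it parses the directives and inline `<tag>` blocks and confirms that the safeguards this profile relies on are present: server certificate pinning (remote-cert-tls, verify-x509-name), LDAP credentials with auth-nocache, and a tls-auth key direction opposite to the server's (assumed to be 0, as in the server.conf further down). The sample profile is constructed with placeholder key material.

```python
import re
# Constructed sample modelled on HSG.ovpn; the static key body is a placeholder.
SAMPLE_PROFILE = """client
remote vpn.hackerspace.gent
remote-cert-tls server
verify-x509-name "CN=openvpn"
auth-user-pass
auth-nocache
key-direction 1
<tls-auth>
PLACEHOLDER-STATIC-KEY
</tls-auth>
"""

def parse_profile(text):
    """Split a profile into {directive: [args, ...]} and {tag: body} for inline <tag> blocks."""
    directives, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m and not m.group(1):              # opening tag such as <tls-auth>
            current, body = m.group(2), []
        elif m and current == m.group(2):     # matching closing tag
            blocks[current], current = "\n".join(body), None
        elif current is not None:
            body.append(line)
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, blocks

def check_profile(text, server_key_direction=0):
    """Return the problems found; an empty list means every safeguard the page relies on is present."""
    d, blocks = parse_profile(text)
    problems = []
    if ["server"] not in d.get("remote-cert-tls", []):
        problems.append("remote-cert-tls server missing: any CA-issued certificate could pose as the server")
    if "verify-x509-name" not in d:
        problems.append("verify-x509-name missing: the server certificate subject is not pinned")
    if "auth-user-pass" not in d:
        problems.append("auth-user-pass missing: the server authenticates users against LDAP")
    if "auth-nocache" not in d:
        problems.append("auth-nocache missing: the LDAP password would stay cached in the client")
    if "tls-auth" not in blocks and "tls-auth" not in d:
        problems.append("no tls-auth key: control-channel packets are not HMAC-authenticated")
    elif [str(1 - server_key_direction)] not in d.get("key-direction", []):
        problems.append(f"key-direction must be {1 - server_key_direction}, the opposite of the server's")
    return problems
```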

Server installation

OS of choice: Rocky Linux release 8.4 (Green Obsidian)

Prepare the OS

# Update the OS
dnf update

# Install epel-release
dnf install -y epel-release

# Install necessary packages
dnf install -y wget openvpn https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Everything/x86_64/os/Packages/o/openvpn-auth-ldap-2.0.4-3.fc33.x86_64.rpm

Configure certificates using EasyRSA

# Download EasyRSA 3.0.8 and store it in /tmp
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

# Extract it into /tmp
tar xfz /tmp/easyrsa -C /tmp

# Copy the easyrsa script to /usr/bin so it is on the PATH
cp /tmp/EasyRSA-3.0.8/easyrsa /usr/bin/

# Create the PKI directory under /etc/openvpn
cd /etc/openvpn/
easyrsa init-pki

# Copy the OpenSSL config and certificate type definitions easyrsa needs from the extracted folder
cp /tmp/EasyRSA-3.0.8/openssl-easyrsa.cnf /etc/openvpn/pki/
cp -rf /tmp/EasyRSA-3.0.8/x509-types/ /etc/openvpn/pki/

# Generate the CA, the server certificate (request and signature in one step,
# key without passphrase so the service can start unattended) and the DH parameters
cd /etc/openvpn/
easyrsa build-ca
easyrsa build-server-full openvpn nopass
easyrsa gen-dh

# Generate the static TLS key (direction 0 on the server, 1 on the clients)
cd /etc/openvpn/server/
openvpn --genkey --secret ta.key

Prepare LDAP authentication

# Create the directory if needed (mkdir -p /etc/openvpn/auth) and paste the following into /etc/openvpn/auth/ldap.conf

<LDAP>
	# LDAP server URL (plain ldap:// on port 389)
	URL		ldap://ipa.hackerspace.gent:389
	# Bind DN (if your LDAP server doesn't support anonymous binds)
	BindDN		"uid=openvpn,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
	# Bind password
	Password	"**************"
	# Network timeout (in seconds)
	Timeout		15
	# Enable StartTLS. With "no", the bind password and every user's VPN password
	# cross the network to the LDAP server unencrypted; set to "yes" if the server supports it.
	TLSEnable	no
	# Follow LDAP referrals (anonymously)
	FollowReferrals	yes
</LDAP>

<Authorization>
	# Base DN
	BaseDN		"cn=users,cn=accounts,dc=hackerspace,dc=gent"
	# User search filter: the VPN username is substituted for %u
	SearchFilter	"(uid=%u)"
	# Require group membership (false: any user found under BaseDN may connect)
	RequireGroup	false
	# Add non-group members to a PF table (disabled)
	#PFTable	ips_vpn_users

	# Uncomment and set to true to support OpenVPN Challenge/Response
	#PasswordIsCR	false
	#<Group>
		# Default is true. Match full user DN if true, uid only if false.
		# RFC2307bis	true

		# Default is true. Uncomment and set to false if you want to use a Search operation to determine group
		# membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
		# required in certain LDAP environments.
		# UseCompareOperation	true

		#BaseDN		"ou=Groups,dc=example,dc=com"
		#SearchFilter	"(|(cn=developers)(cn=artists))"
		#MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_vpn_eng
	#</Group>
</Authorization>

Configure OpenVPN

# Save the following server configuration as /etc/openvpn/server/server.conf

# Load LDAP authentication plugin
plugin /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

# Set Server Port
port 1194

# Protocol
proto tcp

# Routed IP tunnel (layer 3)
dev tun

# Network topology
topology subnet

# VPN network
server 10.20.3.0 255.255.255.0

# Push routes to client
push "route 10.20.0.0 255.255.0.0"

# Push DHCP options
push "dhcp-option DOMAIN-SEARCH 0x20"
push "dhcp-option DNS 10.20.0.253"

# HMAC-authenticate the TLS control channel with the static key (direction 0 on the server, 1 on the clients)
tls-auth /etc/openvpn/server/ta.key 0

# Clients authenticate with LDAP rather than individual certificates, so allow connections that share a common name
duplicate-cn

# Do not force renegotiation of client
reneg-sec 0

# No client certificate is required; the LDAP username is used as the client's common name
verify-client-cert optional
username-as-common-name

# CA, server certificate and private key generated with EasyRSA above
key /etc/openvpn/pki/private/openvpn.key
cert /etc/openvpn/pki/issued/openvpn.crt
ca /etc/openvpn/pki/ca.crt

# Diffie-Hellman parameters
dh /etc/openvpn/pki/dh.pem

# Allow clients to see each-other
client-to-client

# Keepalive
keepalive 10 120

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Notify the client when the server restarts so it
# can automatically reconnect (UDP only, so disabled for this TCP server)
#explicit-exit-notify 1

# Logging
log /var/log/openvpn.log

Enable IP Routing

echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/10-ip4-forwarding.conf

# Apply the sysctl setting now (the file is also read at boot)
sysctl --system

Start OpenVPN

systemctl enable openvpn-server@server
systemctl start openvpn-server@server

Configure the Firewall

# Enable masquerading
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.20.3.0/24 -o ens18 -j MASQUERADE

# Open OpenVPN ports
firewall-cmd --zone=public --add-port=1194/tcp --permanent
firewall-cmd --zone=public --add-port=1194/udp --permanent

# Apply changes
firewall-cmd --reload

Troubleshoot

OpenVPN writes its log to /var/log/openvpn.log (the path set by the log directive in server.conf).

Successful connection

The connection was established, the user authenticated through LDAP and was allocated an IP address from the pool.

TCP connection established with [AF_INET]10.20.2.2:51306
10.20.2.2:51306 peer info: IV_VER=2.5.1
10.20.2.2:51306 peer info: IV_PLAT=linux
10.20.2.2:51306 peer info: IV_PROTO=6
10.20.2.2:51306 peer info: IV_NCP=2
10.20.2.2:51306 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
10.20.2.2:51306 peer info: IV_LZ4=1
10.20.2.2:51306 peer info: IV_LZ4v2=1
10.20.2.2:51306 peer info: IV_LZO=1
10.20.2.2:51306 peer info: IV_COMP_STUB=1
10.20.2.2:51306 peer info: IV_COMP_STUBv2=1
10.20.2.2:51306 peer info: IV_TCPNL=1
10.20.2.2:51306 [carroarmato0] Peer Connection Initiated with [AF_INET]10.20.2.2:51306
carroarmato0/10.20.2.2:51306 MULTI_sva: pool returned IPv4=10.20.3.2, IPv6=(Not enabled)

LDAP failure / User not found

TCP connection established with [AF_INET]10.20.2.2:51310
10.20.2.2:51310 peer info: IV_VER=2.5.1
10.20.2.2:51310 peer info: IV_PLAT=linux
10.20.2.2:51310 peer info: IV_PROTO=6
10.20.2.2:51310 peer info: IV_NCP=2
10.20.2.2:51310 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
10.20.2.2:51310 peer info: IV_LZ4=1
10.20.2.2:51310 peer info: IV_LZ4v2=1
10.20.2.2:51310 peer info: IV_LZO=1
10.20.2.2:51310 peer info: IV_COMP_STUB=1
10.20.2.2:51310 peer info: IV_COMP_STUBv2=1
10.20.2.2:51310 peer info: IV_TCPNL=1
LDAP user "carroarmato00" was not found.
10.20.2.2:51310 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so
10.20.2.2:51310 TLS Auth Error: Auth Username/Password verification failed for peer
10.20.2.2:51310 Peer Connection Initiated with [AF_INET]10.20.2.2:51310
10.20.2.2:51310 Connection reset, restarting [0]

LDAP failure / Incorrect user password

TCP connection established with [AF_INET]10.20.2.2:51308
10.20.2.2:51308 peer info: IV_VER=2.5.1
10.20.2.2:51308 peer info: IV_PLAT=linux
10.20.2.2:51308 peer info: IV_PROTO=6
10.20.2.2:51308 peer info: IV_NCP=2
10.20.2.2:51308 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
10.20.2.2:51308 peer info: IV_LZ4=1
10.20.2.2:51308 peer info: IV_LZ4v2=1
10.20.2.2:51308 peer info: IV_LZO=1
10.20.2.2:51308 peer info: IV_COMP_STUB=1
10.20.2.2:51308 peer info: IV_COMP_STUBv2=1
10.20.2.2:51308 peer info: IV_TCPNL=1
LDAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "uid=carroarmato0,cn=users,cn=accounts,dc=hackerspace,dc=gent".
10.20.2.2:51308 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so
10.20.2.2:51308 TLS Auth Error: Auth Username/Password verification failed for peer
10.20.2.2:51308 Peer Connection Initiated with [AF_INET]10.20.2.2:51308
10.20.2.2:51308 Connection reset, restarting [0]

Incorrect TLS certificate

Most likely a client is connecting without the correct static TLS key (ta.key, or with the wrong key-direction), so the server cannot authenticate its control-channel packets and resets the connection.

TCP connection established with [AF_INET]10.20.2.2:51264
10.20.2.2:51264 Connection reset, restarting [0]
TCP connection established with [AF_INET]10.20.2.2:51266
10.20.2.2:51266 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
10.20.2.2:51266 Connection reset, restarting [0]
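A small triage of /var/log/openvpn.log that turns the line patterns shown above into per-peer outcomes, added here as an example (not from the wiki or from OpenVPN). The sample log is constructed from the excerpts above with the peer-info lines left out; the outcome names are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the page's log excerpts; peer-info lines omitted.
SAMPLE_LOG = """TCP connection established with [AF_INET]10.20.2.2:51306
10.20.2.2:51306 [carroarmato0] Peer Connection Initiated with [AF_INET]10.20.2.2:51306
carroarmato0/10.20.2.2:51306 MULTI_sva: pool returned IPv4=10.20.3.2, IPv6=(Not enabled)
TCP connection established with [AF_INET]10.20.2.2:51310
LDAP user "carroarmato00" was not found.
10.20.2.2:51310 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so
10.20.2.2:51310 Connection reset, restarting [0]
TCP connection established with [AF_INET]10.20.2.2:51308
LDAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "uid=carroarmato0,cn=users,cn=accounts,dc=hackerspace,dc=gent".
10.20.2.2:51308 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so
10.20.2.2:51308 Connection reset, restarting [0]
TCP connection established with [AF_INET]10.20.2.2:51264
10.20.2.2:51264 Connection reset, restarting [0]
TCP connection established with [AF_INET]10.20.2.2:51266
10.20.2.2:51266 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- [Attempting restart...]
"""

PEER = r"(\d+\.\d+\.\d+\.\d+:\d+)"   # ip:port, the prefix OpenVPN puts on per-peer lines

def triage(log_text):
    """Map each peer (ip:port) to how its connection attempt ended."""
    result, ldap_reason = {}, None
    for line in log_text.splitlines():
        if m := re.search(r"connection established with \[AF_INET\]" + PEER, line):
            # Default until a later line says otherwise: a peer left here was reset
            # before any auth step, the tls-auth mismatch signature described above.
            result[m.group(1)] = {"outcome": "reset-before-auth"}
        elif m := re.match(r"(\S+)/" + PEER + r" MULTI_sva: pool returned IPv4=(\S+),", line):
            result[m.group(2)] = {"outcome": "success", "user": m.group(1), "vpn_ip": m.group(3)}
        elif m := re.match(r'LDAP user "([^"]+)" was not found', line):
            ldap_reason = ("unknown-user", m.group(1))      # plugin line has no peer prefix
        elif m := re.match(r'Incorrect password supplied for LDAP DN "uid=([^,"]+)', line):
            ldap_reason = ("bad-password", m.group(1))
        elif m := re.match(PEER + r" PLUGIN_CALL: .*PLUGIN_AUTH_USER_PASS_VERIFY failed", line):
            outcome, user = ldap_reason or ("auth-failed", None)   # attach the pending LDAP reason
            result[m.group(1)] = {"outcome": outcome, "user": user}
            ldap_reason = None
        elif m := re.match(PEER + r" WARNING: Bad encapsulated packet length", line):
            result[m.group(1)] = {"outcome": "bad-packet-length"}
    return result

def summary(log_text):
    """Count outcomes, e.g. to alert on bursts of unknown-user or bad-packet-length entries."""
    return Counter(v["outcome"] for v in triage(log_text).values())
```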