OpenVPN
The OpenVPN server is a secure and cost-effective way to provide road warrior VPN access to resources on the network. Compared with the PPTP VPN server, OpenVPN is more robust at getting through other firewalls and gateways.
An OpenVPN client is available at no cost for almost any OS (Windows, Mac, GNU/Linux, Android) and form factor (PC, smartphone).
Installation
If your system does not have this app available, you can install it via the Marketplace.
Menu
Once installed, you can find this feature in the menu system at the following location:
Configuration
Configuring the Server
Security Certificates Information
Before you can configure OpenVPN, you may be directed to the Certificate Manager configuration page in the web-based administration tool. The information is required to create the necessary security certificates used in OpenVPN.
Automatic Configuration
The OpenVPN app has an automatic configuration feature that selects default settings based on your server's configuration. It will also update them if you make modifications to your server (e.g. a change of LAN subnet).
Unless you are an advanced user, this feature should be left enabled. To disable the feature, click on in the information dialog.
Settings - Automatic Configuration Enabled
Internet Domain
The Internet Domain field is auto-populated using the server's Default Domain, set in the IP Settings app. This field entry should be a publicly available hostname that VPN users will use in their configuration as the VPN hostname to connect to.
DNS Server
A DNS server to use while connected through the VPN. This setting is useful when accessing locally addressed/internal hostnames (e.g. hp-laserjet.lan). Like the Internet Domain field, this field is populated from the DNS server settings in the IP Settings app.
WINS Server
Windows Internet Name Service (WINS) is a NetBIOS name resolution service that allows client computers to register their NetBIOS names and IP addresses in a dynamic, distributed database and to resolve the NetBIOS names of network resources to their IP addresses. If you have a Microsoft[TM] server (or another server running Samba) on the LAN providing WINS, you would want to override the auto-configuration settings and set this to the IP of the server providing this service.
If you are running Samba locally, the automatic configuration setting is fine. If you are not running Samba or a Microsoft WINS server anywhere on the network, this setting is irrelevant and can safely be ignored.
Depending on your network configuration, you may need to specify the WINS settings in the VPN client configuration.
Managing User Accounts
Users must be configured with both OpenVPN and Security Certificate access. To manage users:
- Go to the Users page in the web-based administration tool
- Edit a selected user
- Make sure both OpenVPN User and Security Certificates User are enabled
If you are using the Active Directory Connector, the selected AD user must be a member of both the openvpn_plugin and user_certificates_plugin groups. See the Active Directory Connector documentation for details.
Configuring the Client
Microsoft Windows[tm]
To configure the Windows OpenVPN client, you'll first need to install Microsoft's .Net framework (minimum version 3.5). You can download it here.
Using the web-based administration tool, log out as root (if applicable) once the basic settings and user configuration outlined above have been completed.
Login as the road warrior user account that is to have access to the network via OpenVPN.
Under My Account, select User Certificates.
Select Windows as your client and click on the Download button in the OpenVPN Configuration File download utility.
Download the following files into the same directory as the OpenVPN configuration file above:
- Certificate
- Certificate Authority
- Private Key
Download and install the OpenVPN client software from the OpenVPN download page. When the download is complete, double click the msi file that you downloaded to start the install wizard.
Depending on your settings, you'll probably get a warning about running executable files. OpenVPN is OK to install.
Continue through the install wizard by clicking Next.
Allow OpenVPN to install in the default (recommended) path or select a location where you would like the installation files to reside.
You can safely ignore the Hardware Installation warning; a virtual interface will be created through which your VPN tunnels will connect. Click on the Continue Anyway button.
Allow the wizard to continue through to completion. At the end of a successful install, you should see the following dialog:
Go ahead and start OpenVPN by either leaving the Launch OpenVPN Client checkbox checked, or starting the application from Microsoft's Start menu.
Next to the Connection Profiles field, click on the Plus (+) icon. Select Import Profile from Local File. Navigate to the folder where you downloaded the OpenVPN configuration files from the ClearOS User Certificates page. Select the file and click Import.
Now that you have a saved Connection Profile to connect to the OpenVPN service on ClearOS, double click on the icon. You will be asked to provide a username and password. This is the username and password used when the user was created on the ClearOS system (or via the Active Directory Connector on a Windows domain).
A progress dialog will be displayed, providing information on the status of the connection.
If all went according to plan, you'll see the following dialog providing information on your connection and a link to disconnect when you are finished using the VPN tunnel.
Ubuntu Linux
Log out of the web-based administration tool as root once the basic settings and user configuration outlined above have been completed.
Login as the road warrior user account that is to have access to the network via OpenVPN.
Under My Account, select User Certificates.
Select Linux as your client and click on the Download button in the OpenVPN Configuration File download utility.
You'll also need the PKCS12 file containing the associated certificates. The PKCS12 file will ask you to password protect the package the first time you use it. Don't forget this password…Your Ubuntu client will need it to extract the certificates later.
You're now done with the server/ClearOS. In Ubuntu's Network Manager, right click on the Network Manager icon, select Edit Connections, select the VPN tab, and click Import.
Select the configuration file you saved earlier.
Ensure that the server hostname is accessible from outside your LAN (eg. it is not a local domain like network.lan).
Under Authentication, select type “Password with Certificates”. Populate the username and password fields with the user authentication credentials.
Under User Certificates, click on the file/folder icon and select the PKCS12 file you also downloaded from the ClearOS server. Enter the password used to authenticate the file.
Click on the Advanced button and ensure you check (enable) Use LZO Compression.
Click Apply. Your VPN settings should now be configured. It is good practice to test your connection (if possible) with the client still on the LAN. That way, if there are any problems, you have a narrow set of possibilities to troubleshoot against.
Click on the Network Manager icon, select VPN Connections, and then select the VPN connection whose name comes from your ClearOS configuration.
If all goes well, you will see a lock appear on your Network Manager icon signifying the tunnel was successfully deployed.
Mac OS X
Log out of the web-based administration tool as root once the basic settings and user configuration outlined above have been completed.
Login as the road warrior user account that is to have access to the network via OpenVPN.
Under My Account, select User Certificates.
Download the OpenVPN Client for Mac in addition to the user certificates…Take note of the directory/folder you save these files to.
Download and install the OpenVPN client software for Mac OS X from Google Code.
Click on the Download Tunnelblick link.
Click on the latest Tunnelblick .dmg image to begin the download.
After double clicking on the dmg file you download, a dialog will open asking if you wish to proceed.
Once the application is successfully installed, you will get a pop-up notifying you. Either launch the application or find it in your Applications folder using Finder and click on the Tunnelblick app.
When prompted with a question for config files, select I have configuration files.
Unless you are an advanced user, at the next dialog prompt, select Tunnelblick VPN Configuration.
After the step above, Tunnelblick will have created a folder for you, usually on your desktop, named “Empty Tunnelblick Configuration” or something similar. Rename this folder so it is easily identifiable. Add the configuration file and certificates you downloaded from the ClearOS web-based administration tool's certificate manager to this folder.
Once done with the inline instructions, rename the folder and add the extension .tblk.
Double click on your new archive to install the configuration.
Select whether you want all users on the system access to this tunnel or just your current user.
You'll be notified that the configuration has been installed. Time to test the VPN connection.
In the upper right hand corner of your desktop, you'll see the Tunnelblick icon. Click on it once and select Connect XYZ, where XYZ is the name of your OpenVPN configuration as set when you renamed the folder containing the configuration and certificates.
You'll see a status message displayed as OpenVPN attempts to connect to the ClearOS VPN server.
If all went according to plan, you'll be notified that a connection has been made. An icon change will indicate when you are connected through the tunnel and when you are not.
Site to Site VPN Tunnels
OpenVPN provides a secure and robust VPN for connecting both road warriors as well as multiple networks. The solution also gets around the realities of today's Internet:
- Native support in NAT (network address translation) environments
- Native support for dynamic IP addresses
- Robust connection monitoring and automatic reconnections
In other words, OpenVPN can be used in many environments where IPsec just won't work (or work reliably).
In the section below, we will use the terms headquarters and remote office. Just know that this is simple terminology used for this implementation guide. You can create hub and spoke VPN solutions (many remote offices connecting to a single headquarters) as well as mesh VPN solutions (where each site connects to all other sites).
Selecting the Headquarters Node
In our example, we have selected the system in the main office to be the headquarters node. There are two reasons for this decision:
- The main office has the most robust network connection
- The ClearOS system is connected directly to the Internet
The second point is important. If you find yourself in a situation where a ClearOS system is behind another router (particularly a NAT-based router), know that you can still create a network-to-network VPN.
Create the Secret Key
Log in to a command line shell environment and run the following to create the secret key used to verify VPN endpoints:
openvpn --genkey --secret /etc/openvpn/static.key
This key must be copied to the other ClearOS system involved in the OpenVPN connection.
Create the Headquarters Configuration
Now that the secret key has been created, it is time to move on to the configuration file. Create a file in /etc/openvpn with the .conf file extension, for example /etc/openvpn/connect_to_remote.conf. Here's a sample configuration:
dev tun
port 1195
ifconfig 10.8.222.40 10.8.222.41
route 192.168.11.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
| Key | Comment |
|---|---|
| port | The UDP port for the connection |
| ifconfig | The tunnel endpoint addresses (local, then remote) used internally by OpenVPN |
| route | This is the LAN of the remote office! |
You can use this configuration file as-is but the route must be changed! Please specify the LAN network range used by the remote office.
Create the Remote Office Configuration
The remote office configuration is nearly identical. Create a configuration with the .conf suffix in /etc/openvpn, for example /etc/openvpn/connect_to_headquarters.conf:
dev tun
port 1195
remote my-hq.poweredbyclear.com 1195
ifconfig 10.8.222.41 10.8.222.40
route 192.168.22.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
The configuration file is nearly identical, but a few changes are required:
- Specify the hostname or IP of the headquarters system for the remote parameter
- Swap the IPs specified in the ifconfig parameter
- Change the route to match the network range used by headquarters
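The three changes above are easy to get half right (a route copied unchanged, or the ifconfig pair left unswapped), and OpenVPN will happily start with a mismatched pair. The script below is an added example, not part of the ClearOS documentation or of OpenVPN itself: it parses both sample files from this page and checks that they mirror each other. The LAN ranges it assumes (192.168.22.0/24 at headquarters, 192.168.11.0/24 at the remote office) are inferred from the sample routes, not taken from a real deployment; substitute your own.

```python
"""Consistency check for the two halves of an OpenVPN static-key site-to-site tunnel.

Added example; not part of the ClearOS documentation or the OpenVPN project.
The two configuration texts are the page's headquarters and remote-office
samples; the LAN ranges are the values implied by those samples (assumed).
"""
from ipaddress import ip_address, ip_network

HQ_LAN = "192.168.22.0/24"      # assumed headquarters LAN
REMOTE_LAN = "192.168.11.0/24"  # assumed remote-office LAN

HQ_CONF = """\
dev tun
port 1195
ifconfig 10.8.222.40 10.8.222.41
route 192.168.11.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
"""

REMOTE_CONF = """\
dev tun
port 1195
remote my-hq.poweredbyclear.com 1195
ifconfig 10.8.222.41 10.8.222.40
route 192.168.22.0 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
secret static.key
"""


def parse_conf(text):
    """Parse the one-directive-per-line OpenVPN format into {directive: [args]}.

    '#' and ';' start comments; a directive given twice keeps its last value,
    which is sufficient for the handful of directives checked here.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf


def route_network(args):
    """Turn 'route <network> <netmask>' arguments into an ip_network, or None."""
    if not args or len(args) < 2:
        return None
    return ip_network(f"{args[0]}/{args[1]}", strict=False)


def check_pair(hq, remote, hq_lan, remote_lan):
    """Return a list of problems with the headquarters/remote pair (empty means consistent)."""
    problems = []
    if hq.get("port") != remote.get("port"):
        problems.append("port differs between the two endpoints")
    rem = remote.get("remote", [])
    if not rem:
        problems.append("remote office config lacks 'remote <headquarters-host> <port>'")
    elif len(rem) > 1 and rem[1:2] != hq.get("port"):
        problems.append("port in the remote directive does not match the headquarters port")
    hq_if, rm_if = hq.get("ifconfig", []), remote.get("ifconfig", [])
    if len(hq_if) != 2 or len(rm_if) != 2:
        problems.append("ifconfig needs exactly two addresses on both sides")
    else:
        if hq_if != rm_if[::-1]:
            problems.append("ifconfig addresses are not swapped between the endpoints")
        # Tunnel endpoints inside either LAN would shadow real hosts.
        for lan in (hq_lan, remote_lan):
            if any(ip_address(a) in ip_network(lan) for a in hq_if):
                problems.append(f"tunnel addresses overlap the LAN {lan}")
    if route_network(hq.get("route")) != ip_network(remote_lan):
        problems.append(f"headquarters route must be the remote LAN {remote_lan}")
    if route_network(remote.get("route")) != ip_network(hq_lan):
        problems.append(f"remote office route must be the headquarters LAN {hq_lan}")
    if not hq.get("secret") or hq.get("secret") != remote.get("secret"):
        problems.append("both sides must reference the same static key file")
    return problems


def check_page_example():
    """Run the check on the page's two sample files."""
    return check_pair(parse_conf(HQ_CONF), parse_conf(REMOTE_CONF), HQ_LAN, REMOTE_LAN)


if __name__ == "__main__":
    for p in check_page_example() or ["configs are consistent"]:
        print(p)
```

Run it before copying the files into /etc/openvpn on each side; an empty result means the two files describe the same tunnel from opposite ends. It does not validate that the LAN ranges you typed in are the real ones, so take them from each site's IP Settings rather than from memory.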
Update Firewall
Almost there. In the web-based administration tool, go to
- UDP port 1195
Start/Restart OpenVPN
Now it is time to start the OpenVPN software on the headquarters and remote office.
service openvpn restart
Troubleshooting
Log Files
The /var/log/messages and /var/log/secure log files can provide clues when troubleshooting.
Cannot connect to server
Go to the OpenVPN configuration page in the web-based administration tool and ensure the service is started. If the status says Stopped, click on Start. If the service fails to start, you can get more information from the logs. The following log files may contain clues:
- /var/log/messages
- /var/log/system
- /var/log/secure
Log file contents are available for display and/or download via the web-based administration tool. You will need to install (if you haven't done so already) the Log Viewer app from the Marketplace.
If the server is also your gateway to the Internet, navigate to Incoming Firewall and ensure the OpenVPN service is an allowed incoming firewall rule (port 1194).
Multi-WAN Environments
In some multi-WAN environments (eg. two external interfaces configured), OpenVPN can fail to connect from clients when the client configuration is using the default UDP. Try forcing the use of TCP protocol in the client, remembering to open 1194/TCP in your firewall.
Troubleshooting
OpenVPN is very verbose in its logging, and authentication events and errors will be recorded in the /var/log/messages log file on the ClearOS side. On the client side it logs what is happening in the details log of the client application. These logs, while very technical, are EXTREMELY helpful in determining issues with the connection. The OpenVPN team has done a fantastic job at creating precise logs, which are often the last place you need to go to find out why you cannot connect.
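Reading those messages by hand works for one failed connection; a small parser helps when you need to separate a misconfigured client from a firewall problem or from repeated failed logins against the server. The script below is an added example, not part of the ClearOS documentation or the OpenVPN project. Its log lines are constructed (RFC 5737 addresses, made-up timestamps and PIDs); the message texts follow the wording OpenVPN itself emits, but nothing here was captured from a real system, and the hint for each event type is the matching step from this troubleshooting section.

```python
"""Triage of OpenVPN server messages found in /var/log/messages.

Added example, not from the ClearOS documentation. SAMPLE_LOG is constructed
test data; replace it with the contents of /var/log/messages.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 09:12:02 gateway openvpn[2143]: 203.0.113.5:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 09:12:03 gateway openvpn[2143]: 203.0.113.5:51234 TLS Error: TLS handshake failed
Mar  3 09:12:40 gateway openvpn[2143]: 203.0.113.5:51240 TLS Auth Error: Auth Username/Password verification failed for peer
Mar  3 09:12:41 gateway openvpn[2143]: 203.0.113.5:51240 TLS Error: TLS handshake failed
Mar  3 09:14:11 gateway openvpn[2143]: 198.51.100.7:40001 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
Mar  3 09:14:11 gateway openvpn[2143]: alice/198.51.100.7:40001 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar  3 09:20:00 gateway openvpn[2143]: 192.0.2.9:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar  3 09:20:01 gateway sshd[900]: Accepted publickey for root from 192.168.1.10 port 50000 ssh2
"""

# Classic syslog prefix followed by the openvpn process tag.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Peer prefix: optional "commonname/" then "ip:port", e.g. "alice/198.51.100.7:40001".
PEER_RE = re.compile(
    r"^(?:(?P<cn>[^\s/]+)/)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<rest>.*)$"
)
CN_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")

# Message fragments OpenVPN emits, mapped to the troubleshooting step they point at.
PATTERNS = [
    ("auth_failed", "Auth Username/Password verification failed",
     "credentials rejected: check the account has OpenVPN User enabled and the password is right"),
    ("tls_timeout", "TLS key negotiation failed to occur within",
     "no TLS reply reached the peer: check the incoming firewall rule for the OpenVPN port"),
    ("tls_failed", "TLS handshake failed",
     "handshake aborted: usually follows an authentication or certificate error"),
    ("connected", "Peer Connection Initiated", "tunnel established"),
]


def classify(msg):
    """Return the event name for one OpenVPN message, or None if it is not tracked."""
    for name, needle, _hint in PATTERNS:
        if needle in msg:
            return name
    return None


def triage(log_text, auth_fail_threshold=2):
    """Keep the openvpn lines of a syslog text and summarise events per peer IP.

    Returns a dict with: events (Counter of event names), by_peer (per-IP counts),
    connected (list of (common_name, ip)), suspects (IPs with at least
    auth_fail_threshold failed logins) and hints (advice per event type seen).
    """
    events = Counter()
    by_peer = defaultdict(Counter)
    connected = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an openvpn line (e.g. sshd)
        p = PEER_RE.match(m["msg"])
        if not p:
            continue  # daemon-level message without a peer prefix
        kind = classify(p["rest"])
        if kind is None:
            continue
        events[kind] += 1
        by_peer[p["ip"]][kind] += 1
        if kind == "connected":
            cn = CN_RE.match(p["rest"])
            connected.append((cn["cn"] if cn else p["cn"], p["ip"]))
    suspects = sorted(ip for ip, c in by_peer.items() if c["auth_failed"] >= auth_fail_threshold)
    hints = {name: hint for name, _needle, hint in PATTERNS if events[name]}
    return {"events": dict(events), "by_peer": {ip: dict(c) for ip, c in by_peer.items()},
            "connected": connected, "suspects": suspects, "hints": hints}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample data this separates three different situations that all look like "cannot connect" from the client: 203.0.113.5 is rejected at username/password verification twice, 192.0.2.9 never completes TLS at all (the pattern a blocked or unforwarded UDP port produces), and alice connects normally. Feed it the real file with something like `triage(open("/var/log/messages").read())` on the ClearOS system.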
DNS
If you are having issues with DNS on your OpenVPN connection, it can be that you are using an external DNS server to resolve internal hosts, or an internal DNS server that doesn't resolve external hosts. If you use the ClearOS gateway to resolve DNS from its cache, you can split the resolution of external and internal domains using this guide.