VPN client

Revision as of 20:26, 25 April 2016 by WikiFreak (talk | contribs)



Introduction

See VPN introduction


Client

Client files

The client requires:

  • Authority of certification ca.cert
  • Client private key client.key
  • Client certificate client.crt

Then, you can setup client configuration.


Client configuration

Copy / paste the following configuration - just adjust your path according to your OS and file system:

#################################################
# OpenVPN 2.0 client config                     #
# --------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz
# version 1.2 - June 2013 - Guillaume Diaz
#                           conf update + chroot
#################################################


# OpenVPN configuration
##########################
# Client mode
client
# VPN mode
dev tun

########
# IPV4 #
########
proto udp

########
# IPV6 #
########
# Enable IPv6 support
tun-ipv6
# Protocol
proto udp6

##########
# Remote server
remote dev.daxiongmao.eu 8080
# Do not bind to a specific local port number
nobind
# Keep trying indefinitely to resolve the hostname of the OpenVPN server.
resolv-retry infinite
# Compression of data exchange
comp-lzo



# SECURITY
########################
# SSL/TLS root certificate (ca)
# The server and all clients will use the same ca file.
ca "C:\\Apps\\OpenVPN\\config\\ca.crt"
# Client certificate and private key
cert "C:\\Apps\\OpenVPN\\config\\xinxiongmao.crt"
key "C:\\Apps\\OpenVPN\\config\\xinxiongmao.key"


# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun

# Encryption of data exchange
cipher AES-256-CBC
# Integrity check
auth SHA256
# Control server certificate
ns-cert-type server 


##-- Logs --##
# Set log file verbosity.
verb 4
# Wireless networks often produce a lot of duplicate packets.  
# Set this flag to silence duplicate packet warnings.
mute-replay-warnings
# Silence repeating messages
mute 10


# Allow DNS entries to be received and programs to be called before / after OpenVPN start|stop
script-security 2
### Ubuntu 16.04 bug
# See http://www.ubuntubuzz.com/2015/09/how-to-fix-openvpn-dns-leak-in-linux.html
up /etc/openvpn/update-resolv-conf  
down /etc/openvpn/update-resolv-conf


Notes:

You have to edit the configuration file.

  • Adjust paths on lines 30-38
  • On Windows you must you the double slash \\
  • On Linux don’t forget to uncomment the following lines for better security:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
  • Linux: depending on your distribution you might need to adjust user / group default name.


Ubuntu VPN DNS

If DNS resolution doesn't work well you need to add the following line to your client configuration:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html


Software

Linux

Installation

# VPN software
apt-get install openssl openssh-server openvpn 
# VPN manager (UI)
apt-get install network-manager-openvpn network-manager-openvpn-gnome


Security

See Firewall VPN


You must enable global FORWARDING

vim /etc/sysctl.conf


# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


DNS

You can set some DNS entries.

  • Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
  • Add: 8.8.8.8, 8.8.4.4
Ubuntu additional DNS entries



Windows

On windows, many clients are available. The best one, for me, is: « OpenVPN.net Community » https://openvpn.net/index.php/open-source/downloads.html

  • Take the Installer (64-bit), Windows XP and later

Then, you have to copy your .OVPN configuration & certificates inside the ~/openvpn/config/ folder.


To use the VPN:

  • Run the OpenVPN client as administrator ==> right click on the icon ==> run as administrator
  • Right click on the icon close to the system clock ==> connect


!! Hint !! You can create a 1 click shortcut.

  • Edit the default shortcut
  • Set target = C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn
VPN windows shortcut howto 01

In target the --connect option allows you to start a specific profile automatically. :-)


  • In Compatibility tab set the run as administrator option.
VPN windows shortcut howto 02



MacOSX

The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick

  • Configuration files are in ~/librairies/openvpn
  • That’s the libraries [“bibliothèque”] folder of the current user