Difference between revisions of "VPN client"

 
(One intermediate revision by the same user not shown)
Line 2: Line 2:
  
  
 +
This page describes how to configure OpenVPN client for IPv4 and IPv6.
  
=Introduction=
 
  
See [[VPN|VPN introduction]]
+
Related articles:
 +
* See [[VPN|VPN introduction]]
 +
* See [[VPN server configuration]]
  
  
Line 15: Line 17:
  
 
The client requires:
 
The client requires:
* Authority of certification ca.cert
+
* Authority of certification ca.cert (or content as text, section between ---begin certificate--- ---end certificate---- included)
* Client private key client.key
+
* Client private key client.key     (or content as text)
* Client certificate client.crt
+
* Client certificate client.crt     (or content as text)
  
 
Then, you can setup client configuration.
 
Then, you can setup client configuration.
 +
 +
 +
'''IMPORTANT NOTE for iOS''':
 +
* '''You must have the CONTENT of each file and include it in the ".ovpn" file'''
  
  
Line 28: Line 34:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
#################################################
+
##################################################
# OpenVPN 2.0 client config                     #
+
# OpenVPN 2.4 config file                        #
# --------------------------------------------- #
+
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz
+
# version 1.0 - April 2011 - Guillaume Diaz     #
# version 1.2 - June 2013 - Guillaume Diaz
+
# version 1.2 - June 2013 - Guillaume Diaz       #
#                          conf update + chroot
+
#                          conf update + chroot #
#################################################
+
# version 1.3 - April 2016 - Guillaume Diaz      #
 +
#                          security increase    #
 +
##################################################
  
  
# OpenVPN configuration
+
# OpenVPN binding
 
##########################
 
##########################
# Client mode
+
# Tell TLS that we are building a CLIENT configuration
 
client
 
client
# VPN mode
+
 
 +
# Network interface to use
 
dev tun
 
dev tun
  
########
+
# To support both IPv4 + IPv6
# IPV4 #
+
proto udp6
########
 
proto udp
 
  
########
+
# VPN server @:port
# IPV6 #
+
remote myserver.mydomain 8080
########
 
# Enable IPv6 support
 
tun-ipv6
 
# Protocol
 
proto udp6
 
  
##########
+
# Do not bind to a specific port number
# Remote server
 
remote dev.daxiongmao.eu 8080
 
# Do not bind to a specific local port number
 
 
nobind
 
nobind
# Keep trying indefinitely to resolve the hostname of the OpenVPN server.
+
 
 +
# keep trying indefinitely to resolve until connection is made
 
resolv-retry infinite
 
resolv-retry infinite
# Compression of data exchange
+
 
comp-lzo
+
# Try to preserve state across restarts
 +
persist-key
 +
persist-tun
  
  
  
# SECURITY
+
# SECURITY - certificates
 
########################
 
########################
 
# SSL/TLS root certificate (ca)
 
# SSL/TLS root certificate (ca)
 
# The server and all clients will use the same ca file.
 
# The server and all clients will use the same ca file.
ca "C:\\Apps\\OpenVPN\\config\\ca.crt"
+
ca "C:/Apps/OpenVPN/config/ca.crt"
 +
 
 
# Client certificate and private key
 
# Client certificate and private key
cert "C:\\Apps\\OpenVPN\\config\\xinxiongmao.crt"
+
<cert>
key "C:\\Apps\\OpenVPN\\config\\xinxiongmao.key"
+
-----BEGIN CERTIFICATE-----
 +
my_client_certificate
 +
..
 +
..
 +
-----END CERTIFICATE-----
 +
</cert>
 +
 
 +
 
 +
<key>
 +
-----BEGIN PRIVATE KEY-----
 +
my_private_key
 +
..
 +
..
 +
-----END PRIVATE KEY-----
 +
</key>
  
  
# Downgrade privileges after initialization (non-Windows only)
+
# Security details (cryptography and communication settings)
user nobody
+
##############################################################
group nogroup
 
# Try to preserve some state across restarts.
 
persist-key
 
persist-tun
 
  
 
# Encryption of data exchange
 
# Encryption of data exchange
 
cipher AES-256-CBC
 
cipher AES-256-CBC
 +
 
# Integrity check
 
# Integrity check
auth SHA256
+
auth SHA512
# Control server certificate
 
ns-cert-type server
 
  
 +
# Downgrade privileges after initialization (non-Windows only)
 +
#user nobody
 +
#group nogroup
  
##-- Logs --##
+
# Compression of data exchange
# Set log file verbosity.
+
# (i) Main setting will be push once connect
verb 4
 
# Wireless networks often produce a lot of duplicate packets. 
 
# Set this flag to silence duplicate packet warnings.
 
mute-replay-warnings
 
# Silence repeating messages
 
mute 10
 
  
 +
# Enable standard compression for the connection phase, it acts as failover too
 +
comp-lzo
  
# Allow DNS entries to be received and programs to be called before / after OpenVPN start|stop
+
# Ensure VPN server certificate is of type "server": this reduce the man-in-the-middle attacks risks
script-security 2
+
remote-cert-tls server
### Ubuntu 16.04 bug
 
# See http://www.ubuntubuzz.com/2015/09/how-to-fix-openvpn-dns-leak-in-linux.html
 
up /etc/openvpn/update-resolv-conf 
 
down /etc/openvpn/update-resolv-conf
 
  
  
</syntaxhighlight>
+
# CLIENTS CONF
 +
##########################
 +
# Server security level
 +
#script-security 2
  
  
'''Notes:'''
+
# LOGS
 +
##########################
 +
# Log in a dedicated file instead of /var/log/messages
 +
#log        "C:\Apps\OpenVPN\log\code.daxiongmao.eu.log"
  
You have to edit the configuration file.
+
# Log level
 +
# 0 is silent, except for fatal errors
 +
# 4 is reasonable for general usage
 +
# 5 and 6 can help to debug connection problems
 +
# 9 is extremely verbose
 +
verb 4
  
* Adjust paths on lines 30-38
+
# Silence repeating messages.
* On Windows you must you the double slash \\
+
# At most xx sequential same messages will be output to the log file.
* On Linux don’t forget to uncomment the following lines for better security:
+
mute 10
 
 
<syntaxhighlight lang="bash">
 
# Downgrade privileges after initialization (non-Windows only)
 
user nobody
 
group nogroup
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
* Linux: depending on your distribution you might need to adjust user / group default name.
 
  
  
Line 145: Line 157:
  
 
Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html
 
Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html
 +
  
  
Line 183: Line 196:
 
net.ipv6.conf.all.forwarding=1
 
net.ipv6.conf.all.forwarding=1
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
  

Latest revision as of 21:26, 1 November 2019


This page describes how to configure OpenVPN client for IPv4 and IPv6.


Related articles:


Client

Client files

The client requires:

  • Authority of certification ca.cert (or content as text, section between ---begin certificate--- ---end certificate---- included)
  • Client private key client.key (or content as text)
  • Client certificate client.crt (or content as text)

Then, you can setup client configuration.


IMPORTANT NOTE for iOS:

  • You must have the CONTENT of each file and include it in the ".ovpn" file


Client configuration

Copy / paste the following configuration - just adjust your path according to your OS and file system:

##################################################
# OpenVPN 2.4 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz      #
#                           security increase    #
##################################################


# OpenVPN binding
##########################
# Tell TLS that we are building a CLIENT configuration
client

# Network interface to use
dev tun

# To support both IPv4 + IPv6
proto udp6

# VPN server @:port
remote myserver.mydomain 8080

# Do not bind to a specific port number
nobind

# keep trying indefinitely to resolve until connection is made
resolv-retry infinite

# Try to preserve state across restarts
persist-key
persist-tun



# SECURITY - certificates
########################
# SSL/TLS root certificate (ca)
# The server and all clients will use the same ca file.
ca "C:/Apps/OpenVPN/config/ca.crt"

# Client certificate and private key
<cert>
-----BEGIN CERTIFICATE-----
my_client_certificate
..
..
-----END CERTIFICATE-----
</cert>


<key>
-----BEGIN PRIVATE KEY-----
my_private_key
..
..
-----END PRIVATE KEY-----
</key>


# Security details (cryptography and communication settings)
##############################################################

# Encryption of data exchange
cipher AES-256-CBC

# Integrity check
auth SHA512

# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nogroup

# Compression of data exchange
# (i) Main setting will be push once connect

# Enable standard compression for the connection phase, it acts as failover too
comp-lzo

# Ensure VPN server certificate is of type "server": this reduce the man-in-the-middle attacks risks
remote-cert-tls server


# CLIENTS CONF
##########################
# Server security level
#script-security 2


# LOGS
##########################
# Log in a dedicated file instead of /var/log/messages
#log         "C:\Apps\OpenVPN\log\code.daxiongmao.eu.log"

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10


Ubuntu VPN DNS

If DNS resolution doesn't work well you need to add the following line to your client configuration:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html


Software

Linux

Installation

# VPN software
apt-get install openssl openssh-server openvpn 
# VPN manager (UI)
apt-get install network-manager-openvpn network-manager-openvpn-gnome


Security

See Firewall VPN


You must enable global FORWARDING

vim /etc/sysctl.conf


# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


DNS

You can set some DNS entries.

  • Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
  • Add: 8.8.8.8, 8.8.4.4
Ubuntu additional DNS entries



Windows

On windows, many clients are available. The best one, for me, is: « OpenVPN.net Community » https://openvpn.net/index.php/open-source/downloads.html

  • Take the Installer (64-bit), Windows XP and later

Then, you have to copy your .OVPN configuration & certificates inside the ~/openvpn/config/ folder.


To use the VPN:

  • Run the OpenVPN client as administrator ==> right click on the icon ==> run as administrator
  • Right click on the icon close to the system clock ==> connect


!! Hint !! You can create a 1 click shortcut.

  • Edit the default shortcut
  • Set target = C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn
VPN windows shortcut howto 01

In target the --connect option allows you to start a specific profile automatically. :-)


  • In Compatibility tab set the run as administrator option.
VPN windows shortcut howto 02



MacOSX

The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick

  • Configuration files are in ~/librairies/openvpn
  • That’s the libraries [“bibliothèque”] folder of the current user