
Install OpenVPN3 client

# Add the OpenVPN3 apt repository for this Ubuntu release and install the client.
mkdir openvpn3 && cd $_
DISTRO=focal # Ubuntu 20.04
# NOTE(review): the repository URL is missing from this line (lost in page extraction),
# and writing under /etc/apt needs root, so this is normally run with sudo.
# The page does not show importing the repository's signing key; apt refuses unsigned
# sources, so confirm that step before 'apt update' (a 'signed-by=' keyring in the
# .list entry is preferable to a globally trusted key).
wget -O /etc/apt/sources.list.d/openvpn3.list$DISTRO.list
# Before/after edit of the .list entry (repo URL lost in extraction); pinning
# [arch=amd64] presumably stops apt requesting index files for architectures the
# repo does not publish -- confirm against the apt error you see.
vim /etc/apt/sources.list.d/openvpn3.list # update sources to use 64bit arch
  -deb focal main
  +deb [arch=amd64] focal main
sudo apt update
sudo apt install openvpn3

Note: Version 14~beta+focal sometimes fails with the error: Session Manager !! CRITICAL !!: Failed communicating with VPN backend: Failed calling D-Bus method Connect: Timeout was reached

Downgrade or install a specific version of a package using apt-get (Ubuntu 20.04)

#  Before 
openvpn3 version 
OpenVPN 3/Linux v14_beta (openvpn3)
OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

# Show available packages (candidate versions from the configured repos)
apt-cache madison openvpn3
  openvpn3 | 14~beta+focal | focal/main amd64 Packages
  openvpn3 | 13~beta-1+focal | focal/main amd64 Packages

# Install the desired version of the package (downgrade to the previous beta)
sudo apt install openvpn3=13~beta-1+focal

# Installed version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

# Lock package at given version so a later 'apt upgrade' does not pull 14~beta back in.
# NOTE(review): a held package also stops receiving fixes from the repo; revisit the
# hold once the newer version works (sudo apt-mark unhold openvpn3).
sudo apt-mark hold openvpn3
sudo apt-mark showhold


Navigate to the OpenVPN Access Server URL and log in with your username and password (and optionally 2FA). After a successful login you should be able to download the 'Yourself (user-locked profile)' file, which can be imported via Ubuntu > Settings > Network > VPN > Add > Import from a file, or provided as a command-line argument.

# Start a session directly from the downloaded profile and authenticate interactively.
# NOTE(review): the profile file name after the directory is missing (lost in page
# extraction); quote the expansion ("${OPENVPN_CONFIG}") so a path with spaces works.
# Treat the user-locked profile file as a credential: keep it owner-readable only (chmod 600).
$ OPENVPN_CONFIG=~/environment/
$ openvpn3 session-start --config ${OPENVPN_CONFIG}
Using configuration profile from file:
Session path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
Auth User name: piotr
Auth Password: ****
# The authenticator code shown is an example value; real TOTP codes are time-based and single-use.
Enter Authenticator Code: 111111

Once connected you can see the session details

# List sessions owned by this user; the Path value is presumably what
# session-manage --session-path expects (see the action list further down).
$ openvpn3 sessions-list
        Path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
     Created: Thu Jul 23 17:58:31 2020                  PID: 67947
       Owner: piotr                                     Device: tun0
 Config name:  (Config not available)
Session name:
      Status: Connection, Client connected

A new tunnel interface is created:
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet brd scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1113:3fa4:2d6b:e8a9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

New routes are installed; note that only the VPN ranges are routed via the VPN:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         vodafone.connec         UG    600    0        0 wlp0s20f3       UG    0      0        0 tun0      # <- route installed by vpn   U     0      0        0 tun0      # <- vpn route
ec2-54-194-14-6 vodafone.connec UGH   0      0        0 wlp0s20f3
link-local     U     1000   0        0 wlp0s20f3     UG    0      0        0 tun0      # <- vpn route     UG    0      0        0 tun0      # <- vpn route   U     600    0        0 wlp0s20f3

# Follow the system log and the D-Bus unit journal while connecting (reading syslog
# may need sudo); the NetworkManager lines below are what a successful tun0
# activation looks like.
tail -f /var/log/syslog
journalctl -u dbus --follow
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1879] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1882] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1894] device (tun0): Activation: successful, device activated.
Jul 23 17:59:22 laptop-1 systemd[1]: NetworkManager-dispatcher.service: Succeeded.

Session stats
# Show connection statistics for the running session bound to tun0
$ openvpn3 session-stats --interface tun0
Connection statistics:

Manage session(s)
# Disconnect the session bound to tun0 (the session can also be addressed by --session-path)
openvpn3 session-manage --interface tun0 --disconnect 
Initiated session shutdown.

Connection statistics:
# Available args/actions
# --cleanup --config --disconnect --interface --path --pause --restart --resume --session-path

Manage configs
# Import the config file
# Import a profile into the configuration manager; it is then listed by configs-list.
# NOTE(review): the profile path is missing after --config (lost in page extraction).
openvpn3 config-import --config
Configuration imported.  Configuration path: /net/openvpn/v3/configuration/87c840abxfd0bx4f19x94b0x9940a0bdcbba

# Show configs
# List imported configuration profiles (path, import time, last use, use count, name, owner)
$ openvpn3 configs-list 
Configuration path
Imported                        Last used                 Used
Name                                                      Owner
Thu Jul 23 18:28:33 2020                                  0                                         piotr

OpenVPN Server

A few useful commands:

# Access Server admin helpers live here; confdba reads and modifies the user properties.
cd /usr/local/openvpn_as/scripts
sudo ./confdba -us        # display all users
sudo ./confdba -us -p joe # display info about a specific user
  "joe": {
    "access_to.0": "+NAT:",
    "pvt_google_auth_secret": "AAAAAAAAAEXAMPLE", # this is GoogleAuth MFA secret_token that a user scans as QR code
    "pvt_google_auth_secret_locked": "false",     # | it also works with 'oathtool'
    "pvt_password_digest": "30******bb71",        # | oathtool --base32 --totp AAAAAAAAAEXAMPLE
    "type": "user_compile"
# NOTE(review): this dump contains the user's TOTP seed and password digest; anyone
# holding the seed can produce valid codes, so never paste real output into tickets
# or wiki pages, and note that passing the seed to oathtool on the command line
# leaves it in shell history and in 'ps' output.

# Unlock a locked-out user: clearing the 'secret locked' flag lets the QR code be
# scanned again, i.e. a new device can be enrolled -- verify the requester's identity first.
sudo ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p joe #unlock locked out user

#Disable/enable Google Authenticator for a specific user or group:
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut #disable
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "true" UserPropPut  #enable

#Undo an enable/disable override for Google Authenticator on a group or user, so that it inherits the setting instead
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" UserPropDel

#To unlock an already scanned and locked secret for a user, so the user can obtain/scan it again
./sacli --user <USER> --lock 0 GoogleAuthLock

#To manually lock a secret key, for example when you as administrator have already set up the user’s device yourself
./sacli --user <USER> --lock 1 GoogleAuthLock

#To generate a new secret key and lock or leave it unlocked
./sacli --user <USER> --lock 0 GoogleAuthRegen #unlocked, user can scan
./sacli -u     joe             GoogleAuthRegen #regenerate Google token, so a user can scan QR code again
['AAAAAAAAAEXAMPLE', 'otpauth://totp/']

#-u, --user

The GoogleAuthLock and GoogleAuthRegen functions actually operate on these two keys, which can also be edited manually:

# Write the two keys directly (the manual equivalent of GoogleAuthRegen / GoogleAuthLock).
# NOTE(review): a secret passed via --value ends up in shell history and process listings.
./sacli --user <USER> --key "pvt_google_auth_secret"        --value <GOOGLE_AUTH_SECRET> UserPropPut
./sacli --user <USER> --key "pvt_google_auth_secret_locked" --value <SCANNED/LOCKED>     UserPropPut


# Follow the Access Server log while testing the change (typically needs root)
tail -f /var/log/openvpnas.log

When a new MFA/Google Authenticator secret has been generated, the user needs to log in to the Access Server, scan the QR code, and then download the Connection Client bundle, which contains the new user settings; this will enable VPN login.