Openvpn

From Ever changing code

Install OpenVPN3 client

mkdir openvpn3 && cd $_
DISTRO=focal # Ubuntu 20.04
sudo wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list
sudo vim /etc/apt/sources.list.d/openvpn3.list # restrict the source to the 64-bit architecture
  -deb https://swupdate.openvpn.net/community/openvpn3/repos focal main
  +deb [arch=amd64] https://swupdate.openvpn.net/community/openvpn3/repos focal main
sudo apt update
sudo apt install openvpn3


Note: Version 14~beta+focal sometimes fails with the error: Session Manager !! CRITICAL !!: Failed communicating with VPN backend: Failed calling D-Bus method Connect: Timeout was reached


Downgrade or install a specific version of a package using apt-get (Ubuntu 20.04)

# Before
openvpn3 version
OpenVPN 3/Linux v14_beta (openvpn3)
OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

# Show available packages
apt-cache madison openvpn3
  openvpn3 | 14~beta+focal | https://swupdate.openvpn.net/community/openvpn3/repos focal/main amd64 Packages
  openvpn3 | 13~beta-1+focal | https://swupdate.openvpn.net/community/openvpn3/repos focal/main amd64 Packages

# Install the desired version of the package
sudo apt install openvpn3=13~beta-1+focal

# Installed version
openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

# Lock the package at the installed version so a later 'apt upgrade' does not pull v14 back in
sudo apt-mark hold openvpn3
sudo apt-mark showhold


Connect

Navigate to the OpenVPN Access Server URL and log in with username and password and, optionally, 2FA. After a successful login you should be able to download the 'Yourself (user-locked profile)' file, which can be imported into Ubuntu > Settings > Network > VPN > Add > Import from a file, or passed to the client as a command-line argument.

$ OPENVPN_CONFIG=~/environment/vpn.acme.net.ovpn
$ openvpn3 session-start --config ${OPENVPN_CONFIG}
Using configuration profile from file: vpn.acme.net.ovpn
Session path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
Auth User name: piotr
Auth Password: ****
Enter Authenticator Code: 111111
Connected


Once connected you can list the session details:

$ openvpn3 sessions-list
-----------------------------------------------------------------------------
        Path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
     Created: Thu Jul 23 17:58:31 2020                  PID: 67947
       Owner: piotr                                     Device: tun0
 Config name: vpn.acme.net.ovpn  (Config not available)
Session name: vpn.acme.net
      Status: Connection, Client connected
-----------------------------------------------------------------------------


A new tunnel interface is created:
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.11.9/24 brd 10.10.11.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1113:3fa4:2d6b:e8a9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever


New routes are installed. Note that only the VPN address ranges are routed via tun0 (split tunnel); the default route stays on the Wi-Fi interface:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         vodafone.connec 0.0.0.0         UG    600    0        0 wlp0s20f3
10.0.0.0        10.10.11.1      255.0.0.0       UG    0      0        0 tun0      # <- route installed by vpn 
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0      # <- vpn route
ec2-54-194-14-6 vodafone.connec 255.255.255.255 UGH   0      0        0 wlp0s20f3
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp0s20f3
172.16.0.0      10.10.11.1      255.240.0.0     UG    0      0        0 tun0      # <- vpn route
192.168.0.0     10.10.11.1      255.255.0.0     UG    0      0        0 tun0      # <- vpn route
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
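To check which destinations actually traverse the tunnel, the kernel's route selection (longest matching prefix first, lowest metric on ties) can be replayed over the table above. The script below is an added example and not part of the original page; it works on a constructed numeric copy of that table (the ISP gateway is the placeholder 192.168.1.1 and the host-specific and link-local entries are left out) and shows the split-tunnel behaviour, including the edge case that the local LAN 192.168.1.0/24 still bypasses the VPN even though 192.168.0.0/16 is routed through it.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in `route -n` layout: a numeric copy of the table above,
# with the ISP gateway replaced by the placeholder 192.168.1.1 and the
# host-specific (ec2-..., link-local) entries left out.
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp0s20f3
10.0.0.0        10.10.11.1      255.0.0.0       UG    0      0        0 tun0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.16.0.0      10.10.11.1      255.240.0.0     UG    0      0        0 tun0
192.168.0.0     10.10.11.1      255.255.0.0     UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
"""

Route = Tuple[ipaddress.IPv4Network, str, int, str]  # (network, gateway, metric, iface)


def parse_routes(text: str) -> List[Route]:
    """Parse `route -n` style output into (network, gateway, metric, iface) tuples."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("Destination")) + 1
    routes: List[Route] = []
    for line in lines[start:]:
        if not line.strip():
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = line.split()
        # ipaddress accepts the dotted-netmask form; 0.0.0.0/0.0.0.0 is the default route
        routes.append((ipaddress.IPv4Network(f"{dest}/{genmask}"), gateway, int(metric), iface))
    return routes


def lookup_iface(routes: List[Route], destination: str) -> str:
    """Replay the kernel's selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[3]


def via_vpn(routes: List[Route], destination: str, vpn_iface: str = "tun0") -> bool:
    """True when traffic to `destination` leaves through the VPN interface."""
    return lookup_iface(routes, destination) == vpn_iface


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for host in ("10.20.30.40", "172.20.1.1", "192.168.5.5", "192.168.1.5", "8.8.8.8"):
        print(f"{host:15} -> {lookup_iface(table, host)}")
```

Run it against your own `route -n` output by reading the text from a file instead of SAMPLE_ROUTES; any destination that resolves to the Wi-Fi interface is leaving the host in the clear, which is exactly what a split-tunnel profile intends for non-VPN ranges and what a full-tunnel profile must not show.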


Logs
tail -f /var/log/syslog
journalctl -u dbus --follow
...
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1879] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1882] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1894] device (tun0): Activation: successful, device activated.
Jul 23 17:59:22 laptop-1 systemd[1]: NetworkManager-dispatcher.service: Succeeded.


Session stats
$ openvpn3 session-stats --interface tun0
Connection statistics:
     BYTES_IN....................8688
     BYTES_OUT..................40207
     PACKETS_IN...................139
     PACKETS_OUT..................322
     TUN_BYTES_IN...............27836
     TUN_PACKETS_IN...............210


Manage session(s)
# Disconnect
openvpn3 session-manage --interface tun0 --disconnect 
Initiated session shutdown.

Connection statistics:
...
# Available args/actions
# --cleanup --config --disconnect --interface --path --pause --restart --resume --session-path


Manage configs
# Import the config file
openvpn3 config-import --config vpn.acme.net.ovpn
Configuration imported.  Configuration path: /net/openvpn/v3/configuration/87c840abxfd0bx4f19x94b0x9940a0bdcbba

# Show configs
$ openvpn3 configs-list 
Configuration path
Imported                        Last used                 Used
Name                                                      Owner
------------------------------------------------------------------------------
/net/openvpn/v3/configuration/87c840abxfd0bx4f19x94b0x9940a0bdcbba
Thu Jul 23 18:28:33 2020                                  0
vpn.acme.net.ovpn                                         piotr
------------------------------------------------------------------------------

OpenVPN Server

A few useful commands:

cd /usr/local/openvpn_as/scripts
sudo ./confdba -us        # display all users
sudo ./confdba -us -p joe # display info about a specific user
{
  "joe": {
    "access_to.0": "+NAT:10.0.0.0/8",
    "pvt_google_auth_secret": "AAAAAAAAAEXAMPLE", # this is GoogleAuth MFA secret_token that a user scans as QR code
    "pvt_google_auth_secret_locked": "false",     # | it also works with 'oathtool'
    "pvt_password_digest": "30******bb71",        # | oathtool --base32 --totp AAAAAAAAAEXAMPLE
    "type": "user_compile"
  }
}

sudo ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p joe #unlock locked out user

#Disable/enable Google Authenticator for a specific user or group:
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut #disable
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "true" UserPropPut  #enable

#Undo an enable/disable override for Google Authenticator on a group or user, so that it inherits the setting instead
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" UserPropDel

#To unlock an already scanned and locked secret for a user, so the user can obtain/scan it again
./sacli --user <USER> --lock 0 GoogleAuthLock

#To manually lock a secret key, for example when you as administrator have already set up the user’s device yourself
./sacli --user <USER> --lock 1 GoogleAuthLock

#To generate a new secret key and lock or leave it unlocked
./sacli --user <USER> --lock 0 GoogleAuthRegen #unlocked, user can scan
./sacli -u joe GoogleAuthRegen #regenerate Google token, so a user can scan QR code again
['AAAAAAAAAEXAMPLE', 'otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=AAAAAAAAAEXAMPLE&issuer=OpenVPN']

# ./sacli short options: -u is the same as --user

GoogleAuthLock and GoogleAuthRegen actually operate on these two user properties, which can also be set manually:

./sacli --user <USER> --key "pvt_google_auth_secret"        --value <GOOGLE_AUTH_SECRET> UserPropPut
./sacli --user <USER> --key "pvt_google_auth_secret_locked" --value <SCANNED/LOCKED>     UserPropPut
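The secret in pvt_google_auth_secret and the otpauth:// URI that GoogleAuthRegen prints are the two forms of the same TOTP (RFC 6238) key, which is why the oathtool one-liner above produces the same codes as the user's phone. The script below is an added example, not code from OpenVPN or from this page; it implements the computation with the Python standard library, assuming the Access Server defaults implied by the URI (SHA1, 30-second step, 6 digits), and self-checks against the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way Access Server stores pvt_google_auth_secret; used only for self-checking.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, timestamp: Optional[int] = None, digits: int = 6,
         period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(timestamp / period)."""
    if timestamp is None:
        timestamp = int(time.time())
    cleaned = secret_b32.strip().replace(" ", "").upper()
    # Stored secrets are unpadded base32; restore '=' padding before decoding.
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", timestamp // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, code: str, timestamp: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Server-side check: constant-time compare against the current step and
    +/- `window` neighbouring steps to absorb clock drift. A wider window
    lengthens the time a captured code stays usable, so keep it small."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + step * period, digits, period)
        if hmac.compare_digest(expected, code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Split the otpauth://totp/<label>?secret=..&issuer=.. URI that
    GoogleAuthRegen prints into the parameters an authenticator app uses."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [None])[0],
        # Absent parameters mean the authenticator defaults below.
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].lower(),
    }


if __name__ == "__main__":
    # Same computation as `oathtool --base32 --totp AAAAAAAAAEXAMPLE` from the page.
    uri = "otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=AAAAAAAAAEXAMPLE&issuer=OpenVPN"
    params = parse_otpauth(uri)
    now = int(time.time())
    code = totp(params["secret"], now, params["digits"], params["period"], params["algorithm"])
    print(f"{params['label']} ({params['issuer']}): current code {code}")
    print("accepted:", verify_code(params["secret"], code, now))
```

The practical point for an administrator is that whoever can read the confdba output (or a backup of the configuration database) holds everything needed to produce valid second factors, so that output deserves the same handling as the password digests next to it, and a leaked secret is fixed only by GoogleAuthRegen, not by locking it.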

Logs

#Logs
tail -f /var/log/openvpnas.log

When a new MFA/Google secret has been generated, the user needs to log in to the Access Server, scan the QR code, and then download the Connection Client bundle, which contains the new user settings; this enables VPN login again.

Resources