Difference between revisions of "Openvpn"
Revision as of 19:20, 23 July 2020
Install OpenVPN3 client
<source lang=bash>
mkdir openvpn3 && cd $_
DISTRO=focal # Ubuntu 20.04
# writing under /etc/apt needs root, hence sudo on the next two commands
sudo wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list
sudo vim /etc/apt/sources.list.d/openvpn3.list # update sources to use 64bit arch
-deb https://swupdate.openvpn.net/community/openvpn3/repos focal main
+deb [arch=amd64] https://swupdate.openvpn.net/community/openvpn3/repos focal main
sudo apt update
sudo apt install openvpn3
</source>
;Connect
Navigate to the OpenVPN Access Server URL and log in with username and password and, optionally, 2FA. After a successful login you should be able to download the 'Yourself (user-locked profile)' file, which can be imported via <tt>Ubuntu > Settings > Network > VPN > Add > Import from a file</tt> or provided as a command-line argument.
<source lang=bash>
$ OPENVPN_CONFIG=~/environment/vpn.acme.net.ovpn
$ openvpn3 session-start --config ${OPENVPN_CONFIG}
Using configuration profile from file: vpn-eu.contactengine.net-3.ovpn
Session path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
Auth User name: piotr
Auth Password: ****
Enter Authenticator Code: 111111
Connected
</source>
;New tunnel interface
<source lang=bash>
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.11.9/24 brd 10.10.11.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1113:3fa4:2d6b:e8a9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
</source>
;New routes get installed, note that only VPN ranges are routed via VPN (split tunnel: the default route stays on the physical interface)
<source lang=bash>
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         vodafone.connec 0.0.0.0         UG    600    0        0 wlp0s20f3
10.0.0.0        10.10.11.1      255.0.0.0       UG    0      0        0 tun0      # <- route installed by vpn
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0      # <- vpn route
ec2-54-194-14-6 vodafone.connec 255.255.255.255 UGH   0      0        0 wlp0s20f3
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp0s20f3
172.16.0.0      10.10.11.1      255.240.0.0     UG    0      0        0 tun0      # <- vpn route
192.168.0.0     10.10.11.1      255.255.0.0     UG    0      0        0 tun0      # <- vpn route
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
</source>
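The point of the routing table above is that only the VPN ranges go through tun0 while everything else stays on the local interface. Before trusting that, it is worth checking it programmatically: the following is an added example (not part of the wiki page or of OpenVPN) that parses <tt>route -n</tt> style output, answers which interface a given destination would use by longest-prefix match, and confirms the default route is not on the tunnel. The sample table is the one from this page with the resolved hostnames replaced by assumed numeric addresses (<tt>192.168.1.1</tt> for the gateway, <tt>54.194.14.6</tt> for the ec2 host route).

```python
import ipaddress

# Constructed sample: the page's routing table in `route -n` form.
# The gateway 192.168.1.1 and the host 54.194.14.6 are assumed numeric
# equivalents of the names shown on the page.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp0s20f3
10.0.0.0        10.10.11.1      255.0.0.0       UG    0      0        0 tun0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
54.194.14.6     192.168.1.1     255.255.255.255 UGH   0      0        0 wlp0s20f3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp0s20f3
172.16.0.0      10.10.11.1      255.240.0.0     UG    0      0        0 tun0
192.168.0.0     10.10.11.1      255.255.0.0     UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
"""


def parse_routes(text):
    """Turn `route -n` output into a list of route dicts with ip_network objects."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue  # title line or blank
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts[:8]
        try:
            net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        except ValueError:
            continue  # column header line
        routes.append({"net": net, "gateway": gateway, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes


def egress_for(routes, destination):
    """Interface the kernel would pick: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"]


def vpn_routes(routes, tun="tun0"):
    """Prefixes that are sent into the tunnel, as strings."""
    return [str(r["net"]) for r in routes if r["iface"] == tun]


def is_split_tunnel(routes, tun="tun0"):
    """True when a default route exists and none of the default routes use the tunnel."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    return bool(defaults) and all(r["iface"] != tun for r in defaults)


if __name__ == "__main__":
    rt = parse_routes(ROUTE_OUTPUT)
    print("via VPN:", vpn_routes(rt))
    print("split tunnel:", is_split_tunnel(rt))
    for dst in ("10.10.10.5", "192.168.1.20", "192.168.5.1", "8.8.8.8"):
        print(dst, "->", egress_for(rt, dst))
```

On a live machine replace <tt>ROUTE_OUTPUT</tt> with the output of <tt>route -n</tt> (or rewrite <tt>parse_routes</tt> for <tt>ip route</tt>). Note that <tt>192.168.1.20</tt> goes out the Wi-Fi interface even though <tt>192.168.0.0/16</tt> is a VPN route, because the directly connected <tt>/24</tt> is more specific; that is exactly the kind of overlap a VPN-pushed route can silently lose to.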
;Logs
<source lang=bash>
tail -f /var/log/syslog
...
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1879] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1882] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1894] device (tun0): Activation: successful, device activated.
Jul 23 17:59:22 laptop-1 systemd[1]: NetworkManager-dispatcher.service: Succeeded.
</source>
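The NetworkManager lines above are what you would key on if you wanted to track when the tunnel came up or went away, for example to alert when tun0 drops on a host that must only talk to the internal ranges over VPN. The following is an added example (not from the wiki page or from NetworkManager) that parses those syslog lines, extracts the per-device state transitions, and reports the tunnel's last known state. The first three log lines are the page's own; the final deactivation line is constructed to show the down path.

```python
import re

# Three lines from the page plus one constructed "tun0 removed" line.
SAMPLE_LOG = [
    "Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1879] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')",
    "Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1882] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')",
    "Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info>  [1595523552.1894] device (tun0): Activation: successful, device activated.",
    "Jul 23 17:59:22 laptop-1 systemd[1]: NetworkManager-dispatcher.service: Succeeded.",
    # constructed line (assumed wording) representing the tunnel going away
    "Jul 23 18:30:01 laptop-1 NetworkManager[1148]: <info>  [1595525401.0101] device (tun0): state change: activated -> unmanaged (reason 'removed', sys-iface-state: 'removed')",
]

# syslog prefix + NetworkManager's "<level>  [epoch] device (dev): message" shape
NM_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"<(?P<level>\w+)> +\[(?P<epoch>[\d.]+)\] device \((?P<dev>\w+)\): (?P<msg>.*)$"
)
STATE_CHANGE = re.compile(r"state change: (?P<src>[\w-]+) -> (?P<dst>[\w-]+)")


def parse_nm_line(line):
    """Return a dict for a NetworkManager device line, or None for anything else."""
    m = NM_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["epoch"] = float(ev["epoch"])
    s = STATE_CHANGE.search(ev["msg"])
    ev["src"], ev["dst"] = (s.group("src"), s.group("dst")) if s else (None, None)
    return ev


def tunnel_transitions(lines, dev="tun0"):
    """(epoch, from_state, to_state) for every state change of the given device."""
    out = []
    for line in lines:
        ev = parse_nm_line(line)
        if ev and ev["dev"] == dev and ev["dst"]:
            out.append((ev["epoch"], ev["src"], ev["dst"]))
    return out


def tunnel_state(lines, dev="tun0"):
    """Last state NetworkManager reported for the device, or None if never seen."""
    tr = tunnel_transitions(lines, dev)
    return tr[-1][2] if tr else None


if __name__ == "__main__":
    for epoch, src, dst in tunnel_transitions(SAMPLE_LOG):
        print(f"{epoch:.4f}: {src} -> {dst}")
    print("tun0 is now:", tunnel_state(SAMPLE_LOG))
```

Feed it the output of <tt>journalctl -u NetworkManager</tt> or a tail of <tt>/var/log/syslog</tt>; any state other than <tt>activated</tt> for tun0 on a host that should be on VPN is the condition to alert on.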
OpenVPN Server
A few useful commands:
<source lang=bash>
cd /usr/local/openvpn_as/scripts
sudo ./confdba -us -p joe #display info about a user
{
  "joe": {
    "access_to.0": "+NAT:10.0.0.0/8",
    "pvt_google_auth_secret": "Z********B", #this is GoogleAuth MFA secret_token that a user scans as QR code
    "pvt_google_auth_secret_locked": "false",
    "pvt_password_digest": "30******bb71",
    "type": "user_compile"
  }
}
sudo ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p joe #unlock locked out user

#Disable/enable Google Authenticator for a specific user or group:
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut #disable
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "true" UserPropPut #enable

#Undo an enable/disable override for Google Authenticator on a group or user, so that it inherits the setting instead
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" UserPropDel

#To unlock an already scanned and locked secret for a user, so the user can obtain/scan it again
./sacli --user <USER> --lock 0 GoogleAuthLock

#To manually lock a secret key, for example when you as administrator have already set up the user's device yourself
./sacli --user <USER> --lock 1 GoogleAuthLock

#To generate a new secret key and lock or leave it unlocked
./sacli --user <USER> --lock 0 GoogleAuthRegen #unlocked, user can scan
./sacli -u joe GoogleAuthRegen #regenerate Google token, so a user can scan QR code again
['Z*********B', 'otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=Z*******B&issuer=OpenVPN']

#./sacli #-u, --user
</source>
The GoogleAuthLock and GoogleAuthRegen functions actually operate on these two keys, which can also be edited manually:
<source lang=bash>
./sacli --user <USER> --key "pvt_google_auth_secret" --value <GOOGLE_AUTH_SECRET> UserPropPut
./sacli --user <USER> --key "pvt_google_auth_secret_locked" --value <SCANNED/LOCKED> UserPropPut
</source>
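The <tt>pvt_google_auth_secret</tt> value printed by <tt>confdba</tt> and embedded in the <tt>otpauth://</tt> URI above is the whole TOTP key: whoever can read it can compute every future authenticator code, which is why the secret should be locked once scanned and why access to <tt>confdba</tt>/<tt>sacli</tt> and the <tt>openvpnas.log</tt> matters. The following added example (not from the wiki page or from OpenVPN Access Server) parses an <tt>otpauth</tt> URI of the shape shown above and implements RFC 6238 TOTP over it, plus the skew-tolerant check a server performs. The secret is the RFC 6238 test vector substituted for the masked one on the page; <tt>verify_code</tt> is an assumed generic verifier, not the Access Server's own logic.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed URI: same shape as the GoogleAuthRegen output on the page, but the
# secret is the RFC 6238 test key (base32 of ASCII "12345678901234567890").
SAMPLE_URI = ("otpauth://totp/OpenVPN:joe@ivpn.acme.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=OpenVPN")


def parse_otpauth(uri):
    """Extract label, secret, issuer, digits and period from a TOTP otpauth URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": u.path.lstrip("/"),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [None])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret_b32, at_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    # authenticator apps accept unpadded base32; restore padding before decoding
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(at_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_code(secret_b32, code, at_time, window=1, digits=6, period=30):
    """Server-side check: accept the current step plus `window` steps either side
    for clock skew, comparing in constant time so timing does not leak digits."""
    return any(
        hmac.compare_digest(totp(secret_b32, at_time + k * period, digits, period), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    now = time.time()
    print(f"{info['issuer']} / {info['label']}: current code {totp(info['secret'], now)}")
```

A secret that has been scanned is no more "spent" than one that has not; regenerating with <tt>GoogleAuthRegen</tt> is the only way to invalidate a key that may have been seen, and <tt>GoogleAuthLock</tt> with <tt>--lock 1</tt> stops the QR code from being displayed again.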
Logs
<source lang=bash>
#Logs
tail -f /var/log/openvpnas.log
</source>
When a new MFA/Google secret has been generated, the user needs to log in to the Access Server, scan the QR code, and then download the Connection Client bundle, which contains the new user settings; this enables VPN login.
Resources
- Additional security command line options Openvpn.net