OpenVPN
Install OpenVPN3 client
mkdir openvpn3 && cd $_
DISTRO=focal # Ubuntu 20.04
sudo wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list
sudo vim /etc/apt/sources.list.d/openvpn3.list
# update sources to use 64bit arch
-deb https://swupdate.openvpn.net/community/openvpn3/repos focal main
+deb [arch=amd64] https://swupdate.openvpn.net/community/openvpn3/repos focal main
sudo apt update
sudo apt install openvpn3
Note: Version 14~beta+focal sometimes fails with the error: Session Manager !! CRITICAL !!: Failed communicating with VPN backend: Failed calling D-Bus method Connect: Timeout was reached
Downgrade or install a specific version of a package using apt-get (Ubuntu 20.04)
# Before
openvpn3 version
OpenVPN 3/Linux v14_beta (openvpn3)
OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
# Show available packages
apt-cache madison openvpn3
openvpn3 | 14~beta+focal | https://swupdate.openvpn.net/community/openvpn3/repos focal/main amd64 Packages
openvpn3 | 13~beta-1+focal | https://swupdate.openvpn.net/community/openvpn3/repos focal/main amd64 Packages
# Install the desired version of the package
sudo apt install openvpn3=13~beta-1+focal
# Installed version
openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
# Lock package at given version
sudo apt-mark hold openvpn3
sudo apt-mark showhold
- Connect
Navigate to the OpenVPN Access Server URL and log in with username and password and, optionally, 2FA. After a successful login you should be able to download the 'Yourself (user-locked profile)' file, which can be imported via Ubuntu > Settings > Network > VPN > Add > Import from file, or passed to the client as a command-line argument.
$ OPENVPN_CONFIG=~/environment/vpn.acme.net.ovpn
$ openvpn3 session-start --config ${OPENVPN_CONFIG}
Using configuration profile from file: vpn.acme.net.ovpn
Session path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
Auth User name: piotr
Auth Password: ****
Enter Authenticator Code: 111111
Connected
Once connected you can see the session details:
$ openvpn3 sessions-list
-----------------------------------------------------------------------------
Path: /net/openvpn/v3/sessions/180fa892s3ca1s4bf7s84eesdfe524d70a63
Created: Thu Jul 23 17:58:31 2020 PID: 67947
Owner: piotr Device: tun0
Config name: vpn.acme.net.ovpn (Config not available)
Session name: vpn.acme.net
Status: Connection, Client connected
-----------------------------------------------------------------------------
- New tunnel interface gets created
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.11.9/24 brd 10.10.11.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::1113:3fa4:2d6b:e8a9/64 scope link stable-privacy
valid_lft forever preferred_lft forever
- New routes get installed; note that only the VPN ranges are routed via the tunnel, while the default route stays on wlp0s20f3
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         vodafone.connec 0.0.0.0         UG    600    0        0 wlp0s20f3
10.0.0.0        10.10.11.1      255.0.0.0       UG    0      0        0 tun0        # <- route installed by vpn
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0        # <- vpn route
ec2-54-194-14-6 vodafone.connec 255.255.255.255 UGH   0      0        0 wlp0s20f3
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp0s20f3
172.16.0.0      10.10.11.1      255.240.0.0     UG    0      0        0 tun0        # <- vpn route
192.168.0.0     10.10.11.1      255.255.0.0     UG    0      0        0 tun0        # <- vpn route
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
- Logs
tail -f /var/log/syslog
journalctl -u dbus --follow
...
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info> [1595523552.1879] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info> [1595523552.1882] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jul 23 17:59:12 laptop-1 NetworkManager[1148]: <info> [1595523552.1894] device (tun0): Activation: successful, device activated.
Jul 23 17:59:22 laptop-1 systemd[1]: NetworkManager-dispatcher.service: Succeeded.
- Session stats
$ openvpn3 session-stats --interface tun0
Connection statistics:
BYTES_IN....................8688
BYTES_OUT..................40207
PACKETS_IN...................139
PACKETS_OUT..................322
TUN_BYTES_IN...............27836
TUN_PACKETS_IN...............210
- Manage session(s)
# Disconnect
openvpn3 session-manage --interface tun0 --disconnect
Initiated session shutdown.
Connection statistics:
...
# Available args/actions
# --cleanup --config --disconnect --interface --path --pause --restart --resume --session-path
- Manage configs
# Import the config file
openvpn3 config-import --config vpn.acme.net.ovpn
Configuration imported.  Configuration path: /net/openvpn/v3/configuration/87c840abxfd0bx4f19x94b0x9940a0bdcbba
# Show configs
$ openvpn3 configs-list
Configuration path                                                   Imported                  Last used                 Used
Name                                                                 Owner
------------------------------------------------------------------------------
/net/openvpn/v3/configuration/87c840abxfd0bx4f19x94b0x9940a0bdcbba   Thu Jul 23 18:28:33 2020                            0
vpn.acme.net.ovpn                                                    piotr
------------------------------------------------------------------------------
OpenVPN Server
A few useful commands:
cd /usr/local/openvpn_as/scripts
sudo ./confdba -us # display all users
sudo ./confdba -us -p joe # display info about a specific user
{
"joe": {
"access_to.0": "+NAT:10.0.0.0/8",
"pvt_google_auth_secret": "AAAAAAAAAEXAMPLE", # this is the Google Authenticator MFA secret that the user scans as a QR code
"pvt_google_auth_secret_locked": "false", # | it also works with 'oathtool':
"pvt_password_digest": "30******bb71", # | oathtool --base32 --totp AAAAAAAAAEXAMPLE
"type": "user_compile"
}
}
sudo ./confdba -u -m -k pvt_google_auth_secret_locked -v false -p joe # unlock a locked-out user
#Disable/enable Google Authenticator for a specific user or group:
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut #disable
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "true" UserPropPut #enable
#Undo an enable/disable override for Google Authenticator on a group or user, so that it inherits the setting instead
./sacli --user <USER_OR_GROUP> --key "prop_google_auth" UserPropDel
#To unlock an already scanned and locked secret for a user, so the user can obtain/scan it again
./sacli --user <USER> --lock 0 GoogleAuthLock
#To manually lock a secret key, for example when you as administrator have already set up the user’s device yourself
./sacli --user <USER> --lock 1 GoogleAuthLock
#To generate a new secret key and lock or leave it unlocked
./sacli --user <USER> --lock 0 GoogleAuthRegen #unlocked, user can scan
./sacli -u joe GoogleAuthRegen #regenerate Google token, so a user can scan QR code again
['AAAAAAAAAEXAMPLE', 'otpauth://totp/OpenVPN:joe@ivpn.acme.com?secret=AAAAAAAAAEXAMPLE&issuer=OpenVPN']
# ./sacli: -u is the short form of --user
GoogleAuthLock and GoogleAuthRegen are the functions that actually operate on these two keys, which can also be edited manually:
./sacli --user <USER> --key "pvt_google_auth_secret" --value <GOOGLE_AUTH_SECRET> UserPropPut
./sacli --user <USER> --key "pvt_google_auth_secret_locked" --value <SCANNED/LOCKED> UserPropPut
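The pvt_google_auth_secret value above is the raw base32 TOTP key, so anyone who can read it with confdba can generate valid second factors. The following is an added example (not code from this page or from OpenVPN Access Server) that reproduces what oathtool --base32 --totp computes from such a secret, per RFC 4226/6238, verifies a submitted code with a drift window in constant time, and parses the otpauth:// URI that GoogleAuthRegen prints; the secret values used are the page's example and the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 key as stored in pvt_google_auth_secret
    (oathtool --base32 style): case-insensitive, padding optional."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (what Google Authenticator uses)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    t = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret_b32), t // step)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept codes from `window` steps either side of
    now (clock drift) and compare in constant time (no timing side channel)."""
    t = int(time.time()) if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret_b32, t + drift * step, step), code)
    return ok


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret and issuer from the otpauth:// URI that
    GoogleAuthRegen prints (the same data the QR code encodes)."""
    u = urlparse(uri)
    q = parse_qs(u.query)
    return {"type": u.netloc, "label": unquote(u.path.lstrip("/")),
            "secret": q["secret"][0], "issuer": q.get("issuer", [None])[0]}


if __name__ == "__main__":
    # Page's example secret; same code oathtool --base32 --totp would print now.
    print(totp("AAAAAAAAAEXAMPLE"))
```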
Logs
# Logs
tail -f /var/log/openvpnas.log
When a new MFA/Google Authenticator secret has been generated, the user needs to log in to the Access Server, scan the QR code, and then download the Connection Client bundle, which contains the new user settings; this enables VPN login.
Resources
- Additional security command line options Openvpn.net