December 1, 2011

OpenVPN server on Fedora 16 connecting Cyanogenmod (7.1) Android phone [bridged]

[toc]

Intro

I have already posted about openVPN on Ubuntu  but the config for Fedora is a little different so here's a updated post. I did the following setup using I've used this quite a lot and its been very stable :D Have to say OpenVPN is pretty awesome. Seems very stable even when transitioning between 2G & 3G.

There is a more up to date version of this topic [here]. It shows how to configure a routed connection but that is the recommended connection type unless you need bridged.
<h3>Server Setup</h3>
First of all we need to make sure we have bridge-utils and the OpenVPN package installed.
<pre>yum install -y openvpn bridge-utils</pre>
<h4>Network interfaces</h4>
For this to work we need to create a logical bridge interface and then add physical interfaces to the bridge. So first we create a file <code>/etc/sysconfig/network-scripts/ifcfg-br0</code> and add the following:
<pre>DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.10.10.21
NETMASK=255.255.255.0
GATEWAY=10.10.10.21
DELAY=0
STP=off</pre>
Save the file and open the file <code>/etc/sysconfig/network-scripts/ifcfg-Wired_connection_1</code> (file names may vary depending on the setup of your machine). Basically we want to remove IP addressing and add it to the bridge group. Change this file accordingly (there's no need to change the HWADDR info that's already there)
<pre></pre>
<pre>HWADDR=BE:EF:BE:EF:BE:EF
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0</pre>
Now we should be able to restart the network service and have full connectivity to/from the server.
<pre>service network restart</pre>
If you still can browse to/from the server as usual dont carry on any further something is b0rked. Check /etc/resolve.conf has valid DNS servers etc.
<h4>Server Certificates</h4>
Now we need to generate certificates for our server to use. OpenVPN comes with some scripts to take most of the pain out of this. To keep things where I can find them I like to move these to <code>/etc/openvpn/easy-rsa</code>. First off we make a new directory and copy the scripts into it.
<pre>mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn
cp -R /usr/share/openvpn/easy-rsa/2.0/* easy-rsa/
cd easy-rsa</pre>
Edit the following in the vars file of this directory
<pre>export KEY_COUNTRY=&quot;UK&quot;
export KEY_PROVINCE=&quot;M0&quot;
export KEY_CITY=&quot;m00nieTown&quot;
export KEY_ORG=&quot;m00nie.co&quot;
export KEY_EMAIL=&quot;spam@weeeeeimaspamer.com&quot;</pre>
Now just run the following commands
<pre>source ./vars ## execute your new vars file
./clean-all  ## Setup the easy-rsa directory (Deletes all keys)
./build-dh  ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key  ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
cd ../..</pre>
<h4>Server Config</h4>
Create a directory and two files. One called ifup.sh and one called ifdown.sh. These will be used to control bringing the interfaces up/down and should contain the following.
<pre>mkdir /etc/openvpn/ifupdown
touch /etc/openvpn/ifupdown/ifup.sh
touch /etc/openvpn/ifupdown/ifdown.sh
sudo chmod +x /etc/openvpn/ifupdown/ifup.sh /etc/openvpn/ifupdown/ifdown.sh</pre>
ifup.sh
<pre>#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ip link set &quot;$DEV&quot; up promisc on mtu &quot;$MTU&quot;
/usr/sbin/brctl addif $BR $DEV</pre>
ifdown.sh
<pre>#!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ip link set &quot;$DEV&quot; down</pre>
Now to edit the /etc/openvpn/server.conf file. Mine looks like the following
<pre>mode server
tls-server
local 10.10.10.21 ## ip/hostname of server
port 12345 ## My Custom port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up &quot;/etc/openvpn/ifupdown/ifup.sh br0&quot;
down “/etc/openvpn/ifupdown/ifdown.sh br0″
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 10.10.10.21 255.255.255.0 10.10.10.240 10.10.10.250
push “dhcp-option DNS 8.8.8.8″
push “dhcp-option DOMAIN m00nie.com”
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
script-security 2 ## This needed added
verb 4 ##Changed the logging level</pre>
You should be able to run the server with the following command and recieve no errors. If you do fix them first
<pre>openvpn --config server.conf --script-security 2</pre>
If it all looks good lets make OpenVPN run as a service and start when the server boots
<pre>systemctl start openvpn.service
systemctl enable openvpn.service</pre>
<h3>Client Setup</h3>
We need to create some certificates for our client (the phone)
<pre>cd /etc/openvpn/easy-rsa
source ./vars             ## execute the vars file
./pkitool phone          ## create a cert and key named &quot;phone&quot;</pre>
Now to make it easy to import to my phone I made a p12 file
<pre>cd keys
openssl pkcs12 -export -in phone.crt -inkey phone.key -certfile ca.crt -out phone.p12
mv phone.p12 /var/www/html</pre>
Now browse to the file on your phone E.g <code>http://10.10.10.21/phone.p12</code>. Your phone will then store the certificates into is credential store :) Finally we configure the VPN under Settings &gt; Wireless &amp; networks &gt; VPN settings &gt; Add VPN like so

The main config:

<a href="http://www.m00nie.com/wp-content/uploads/2011/04/VPN_big.png"><img title="VPN_small" src="http://www.m00nie.com/wp-content/uploads/2011/04/VPN_small.png" alt="" width="240" height="400" /></a>

Menu &gt; Advanced OpenVPN Settings:

<a href="http://www.m00nie.com/wp-content/uploads/2011/04/Avd_bot_big.png"><img title="Avd_bot_sml" src="http://www.m00nie.com/wp-content/uploads/2011/04/Avd_bot_sml.png" alt="" width="240" height="400" /></a><a href="http://www.m00nie.com/wp-content/uploads/2011/04/Avd_top_big.png"><img title="Avd_top_sml" src="http://www.m00nie.com/wp-content/uploads/2011/04/Avd_top_sml.png" alt="" width="240" height="400" /></a>

At the moment there is no gui setting to configure tls-auth but they did give us the Extra arguments option. In here I added (I used FTP to copy the ta.key file to the phone in a directory called VPN.
<pre>--tls-auth /mnt/sdcard/VPN/ta.key 1 --explicit-exit-notify 2</pre>
<h3>Router Setup</h3>
Time for some evil NAT. The basic syntax is
<pre>ip nat inside source static udp &lt;fedora server IP&gt; &lt;server port&gt; interface &lt;outside address&gt;  &lt;some port&gt;</pre>
so mine was
<pre>ip nat inside source static udp 10.10.10.21 12345 interface dialer 0 12345</pre>
Now we can see the static translation:
<pre>m00nies_router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 192.168.1.1:12345 10.10.10.21:12345 --- ---</pre>
Now the port is forwarding to the OpenVPN server but my zone based firewall config is dropping the packets.
<pre>Apr 13 18:14:04.136: %FW-6-DROP_PKT: Dropping udp session 172.16.1.1 10.1.1.10:12345 on zone-pair out-in class class-default due to DROP action found in policy-map with ip ident 0</pre>
At the moment there is no explicit zone-pair for outside to inside so the default is deny all. Lets define one
<pre>m00nies_router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
m00nies_router(config)#access-list 199 permit udp any any eq 12345
m00nies_router(config)#class-map type inspect match-all OPENVPN
m00nies_router(config-cmap)# match access-group 199
m00nies_router(config-cmap)# exit
m00nies_router(config)#policy-map type inspect OPENVPN_POLICY
m00nies_router(config-pmap)#class type inspect OPENVPN
m00nies_router(config-pmap-c)#pass log
m00nies_router(config-pmap-c)#exit
m00nies_router(config-pmap)#exit
m00nies_router(config)#zone-pair security out-in source out-zone destination in-zone
m00nies_router(config-sec-zone-pair)# service-policy type inspect OPENVPN_POLICY
m00nies_router(config-sec-zone-pair)#^Z
m00nies_router#</pre>
First off we classify the traffic we want the allow it to pass but log it. Next we apply that policy to a zone pair. Theres more info about configuring ZBFW <a title="http://www.m00nie.com/2011/03/simple-zone-based-ios-firewall-gns3-lab/" href="http://www.m00nie.com/2011/03/simple-zone-based-ios-firewall-gns3-lab/">[here]</a>. Below we can see the default that catches all other traffic is still drop.
<pre>m00nies_router#show policy-map type inspect OPENVPN_POLICY
Policy Map type inspect OPENVPN_POLICY
Class OPENVPN
Pass log
Class class-default
Drop</pre>
Now we can try our VPN access.
It passes the router ok
<pre>Apr 13 18:31:00.085: %FW-6-PASS_PKT: (target:class)-(out-in:OPENVPN) Passing udp pkt 172.16.1.1:52585 =&gt; 10.10.10.21:12345 with ip ident 0</pre>
And the OpenVPN server logs confirm it works ok too. Its been very stable on both 2 and 3G.

moonie :)