Configure new openvpn server for remote-access with NAT

From Notes_Wiki

Home > CentOS > CentOS 6.x > Openvpn server configuration > Configure new openvpn server for remote-access with NAT

OpenVPN is a very good choice for remote-access VPN. In case routing changes in the destination (campus / site network) which ensure VPN host is added as gateway for VPN networks in not possible, then iptables NAT can be used to change all packets arriving from VPN clients to VPN servers local LAN IP.


Configure OpenVPN server

To configure openVPN server following steps can be used:

  1. Download and setup easy-rsa scripts
  2. Create CA certificate and server certificate, key for VPN server
  3. yum -y install epel-release
  4. yum -y install openvpn
  5. Copy server.conf from /usr/share/doc/openvpn-<ver>/sample/sample-config-files/ folder to /etc/openvpn
  6. Copy ca certificate, vpn server certificate and vpn server key to /etc/openvpn
  7. Edit server.conf as follows
    1. Change value of 'ca' to name of ca file (eg ca.crt)
    2. Update value of 'key' to vpn server key file (eg vpn.sbarjatiya.com.key)
    3. Update value of 'cert' to vpn server certificate file (eg. vpn.sbarjatiya.com.crt)
    4. Change value of dh to dh2048.pem (Assuming 2048 bit keys). Generate 2048 bit DH key using 'openssl dhparam -out dh2048.pem 2048'
    5. Change value of server to desired server network. For example if it is desired that VPN users get IPs in 10.10.0.0/16 network then set server value as "10.10.0.0 255.255.0.0"
    6. Add one 'push "route 192.168.10.0 255.255.255.0"' for every local VLAN on site/campus for which routes should be pushed to VPN clients. This would make VPN client host try to reach these networks over VPN.
    7. If same client certificate would be used by more than one user (all.sbarjatiya.com.crt, etc.) then uncomment 'duplicate-cn' directive
    8. Preferably generate ta.key using 'openvpn --genkey --secret ta.key' and uncomment "tls-auth ta.key 0" line
  8. Start vpn service using 'service openvpn start'


Configure NAT for VPN range

For the given setup to work all machines in the campus/site network must send packets for 10.10.0.0/16 network to VPN host. This requires changes in main L3 switch / gateway / firewall / core switch of the site. If that is not possible then a simple (but not very secure) solution is to NAT all VPN clients packets to VPN hosts LAN IP using iptables NAT.

Iptables command which can help with this is 

iptables -t nat -A POSTROUTING -s 10.10.0.0/16 \! -d 10.10.0.0/16 -j MASQUERADE

or 

iptables -t nat -A POSTROUTING -s 10.10.0.0/16 \! -d 10.10.0.0/16 -j SNAT --to-source <VPN-server-LAN-IP>

On openVZ containers MASQUERADE target seems to give issues hence SNAT is preferable if IP of VPN-server is known and fixed (as it should be).


LDAP authentication for openVPN

LDAP authentication for openVPN can be learned from Configuring_LDAP_based_authentication_for_openVPN


Configuring openVPN client

To configure openvpn client use following steps:

  1. Copy client.conf from /usr/share/doc/openvpn-<ver>/sample/sample-config-files/ folder to /etc/openvpn
  2. Copy ca, client certificate and client key file to /etc/openvpn/
  3. Edit client.conf as follows:
    1. Put proper server IP or FQDN in "remote my-server-1 1194" configuration line. If VPN server port is changed from 1194 to something else then change port number as well
    2. Update value of ca to point to ca certificate file (eg ca.crt
    3. Update value of key to point to client certificate file (eg saurabh@sbarjatiya.com.crt)
    4. Update value of cert to point to client key file (eg saurabh@sbarjatiya.com.key)
    5. Comment "ns-cert-type server" or "remote-cert-tls server" whichever is present. New easy-rsa scripts do not seem to put proper value for nsCertType even when './easyrsa build-server-full' is used to create server certificates. This can change anytime. First try without commenting this line and if there are issues then comment and try again. Server is considerably more secure if the line is not commented, so it is worth it to try without commenting the line.
    6. Copy ta.key from server if it was generated. Uncomment "tls-auth ta.key 1"
    7. If authentication is configured then add appropriate lines as explained at Configuring_LDAP_based_authentication_for_openVPN

Note that you cannot do successful VPN connection from VPN server to VPN server itself for testing. If you are trying something like this then you are wrong person for configuring VPN server. VPN should only be tried from outside current network for proper testing.

In case of windows client, the files should be copied to "C:\Program Files\OpenVPN\config" folder with client.conf renamed to client.ovpn


Home > CentOS > CentOS 6.x > Openvpn server configuration > Configure new openvpn server for remote-access with NAT

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Configure_new_openvpn_server_for_remote-access_with_NAT&oldid=6515"