Setting up OpenVPN on Mageia and iOS

It had been my intention for quite some time to set up a VPN server for those times when I or family members would be travelling and had to use strange ISPs for Internet access. The last time I tried, two years ago, it was a half-hearted attempt and the result was a waste of time. It was only this week that I decided to look into this properly, and the result is a success.

A few weeks ago, on an episode of Hak5, the host had shown a very easy way to set up a PPTP server on Ubuntu with the help of a script. I figured it should be easy enough to adapt it to Mageia. It turned out that I did not have a sufficient grasp of the differences between Ubuntu and Mageia to make the changes. So I turned to the forums asking for help. It turned out that no one frequenting the forum had ever needed a PPTP server, so they were unable to help. After brooding for a couple of days, I decided to go for a more robust VPN solution.

Let me describe the setup. There are 4 LANs in the 10.x.x.x range. The first LAN, the 10.1.0.0/16 network, has a gateway that connects it to the Internet. For the remaining three LANs, the traffic goes to the 10.1.0.0 network before going out to the Internet. One machine in the 10.4.x.x range is statically NATted to a public IP. Thus, although this machine is behind two LANs, it is still visible to the public world. The intermediate routers and the front-end firewall take care of the routing. It is this machine (say 10.4.0.2), running Mageia 2.0, that we wanted to use as the VPN server.

The easier software to set up, based on SSL/TLS, is OpenVPN. I started drakconf as root, selected Software Management->Install and Remove Software, searched for openvpn and installed it. Since I had openssl already installed on the system, the openvpn install was quick and easy. I used an article (issue 127) in Linux User and Developer magazine as well as the HowTo on the OpenVPN website to set up the server.

Creating the CA and the certificates

Drop down to the command line using your favourite terminal. Become root.

	  su -
	  cd /etc/openvpn/
	  cp /usr/share/openvpn/sample-config-files/server.conf .
	  cp -v -R /usr/share/openvpn/easy-rsa/ .
	  cd easy-rsa/2.0/
	  vi vars
	
In vars, at a minimum, we need to change the values of the following parameters: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. I noticed there were two KEY_EMAIL parameters in vars, and from trial and error I figured out that only one is needed, so delete the other one. When we create the master certificate authority (CA), we will need a common name. Choose something that reflects the name of your organization, or you can go with OpenVPN-CA since this is a self-signed certificate anyway.
	  . ./vars
	  ./clean-all
	  ./build-ca
	
The CA is built (keys/ca.crt, keys/ca.key). Now we create certificates for the machine hosting the VPN server and for all the clients that will connect to it. Each client will have its own certificate (i.e. no certificate sharing). Finally, we build the Diffie-Hellman parameters (the dh1024.pem file referenced by the server configuration). The database of certificates is a list of .pem files. As before, all certificates (.crt, .key) will be in the keys subdirectory.
	  ./build-key-server server
	  ./build-key myipad
	  ./build-key myandroid
	  ./build-key toshibalaptop
	  ./build-dh
	
Note that the scripts for building client and server keys are different. If you don't pay attention here (as I did), later on you will see unrecognized certificate errors in the logs of the clients or the server.

Creating the configuration file for OpenVPN server and the firewall rules

First, we will configure the openvpn server's configuration file. Next we will configure shorewall to allow VPN traffic into the subnet as well as out ONTO the Internet.

	  su -
	  cd /etc/openvpn/
	  vi server.conf
	
I won't go through all the settings in the file; I will just highlight the changes I made (the full file as modified is shown below). The first of the two most important changes is the server entry, which dictates which IP addresses will be assigned to VPN clients. I chose 10.66.77.0/24 because it seems very unlikely that our network will ever go there, and it seems very unlikely that the network from which the remote client is connecting to the VPN server will have this as its subnet. The second is the redirect-gateway entry. I enabled this so that remote clients connect to the Internet via our network; in other words, all traffic goes through the VPN.
	  # /etc/openvpn/server.conf

	  script-security 2
	  ;local a.b.c.d
	  port 1194
	  ;proto tcp
	  proto udp
	  ;dev tap
	  dev tun
	  ;dev-node MyTap
	  ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
	  cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
	  key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
	  dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
	  server 10.66.77.0 255.255.255.0
	  ifconfig-pool-persist ipp.txt
	  ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
	  ;server-bridge
	  ;push "route 192.168.10.0 255.255.255.0"
	  ;push "route 192.168.20.0 255.255.255.0"
	  ;client-config-dir ccd
	  ;route 192.168.40.128 255.255.255.248
	  ;client-config-dir ccd
	  ;route 10.9.0.0 255.255.255.252
	  ;learn-address ./script
	  push "redirect-gateway def1 bypass-dhcp"
	  ;push "dhcp-option DNS 208.67.222.222"
	  ;push "dhcp-option DNS 208.67.220.220"
	  ;client-to-client
	  ;duplicate-cn
	  keepalive 10 300
	  ;tls-auth ta.key 0 # This file is secret
	  ;cipher BF-CBC        # Blowfish (default)
	  ;cipher AES-128-CBC   # AES
	  ;cipher DES-EDE3-CBC  # Triple-DES
	  comp-lzo
	  ;max-clients 100
	  user openvpn
	  group openvpn
	  persist-key
	  persist-tun
	  status /var/log/openvpn-status.log
	  ;log         openvpn.log
	  log-append  /var/log/openvpn.log
	  verb 3
	  ;mute 20
	
Finally, in Mageia 2.0, there appears to be some issue with starting openvpn via the service command, so the most direct way to start it is from the command line: /usr/sbin/openvpn /etc/openvpn/server.conf &

Configuring the firewalls for OpenVPN traffic

In Mageia, the default firewall is shorewall, which manages the iptables entries. Hence, the changes we need to make in order to allow the VPN traffic to flow into the network (10.4.0.0) are as follows.
	# /etc/shorewall/interfaces
	net    eth0    detect
	road   tun+

	# /etc/shorewall/policy
	road    net     ACCEPT
	fw      net     ACCEPT
	net     all     DROP    info
	all     all     REJECT  info

	# /etc/shorewall/zones
	net     ipv4
	fw      firewall
	road    ipv4

	# /etc/shorewall/tunnels
	openvpnserver:1194      net     0.0.0.0/0

Finally, in order to allow the VPN traffic to traverse beyond the 10.4.0.0 network, I added a masquerading rule and enabled packet forwarding on the Linux server.
	iptables -t nat -A POSTROUTING -s 10.66.77.0/24 -o eth0 -j MASQUERADE
	echo 1 > /proc/sys/net/ipv4/ip_forward

And we are done with the server!

Configuring the iPad

This was the easiest part. On the iPad, the best way to connect to the VPN is to use the official OpenVPN client. My iPad had iOS 6.1.3, but I believe any iOS 5+ should work fine. I had the good fortune to obtain instructions from this blog post by Remi Bergsma on how to configure my iPad. It worked perfectly.
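As an added example (not from the original post or from Remi Bergsma's), the function below builds the single-file client profile that the OpenVPN Connect app imports: the client settings matching the server.conf above, with ca.crt, the client certificate and its key inlined. It assumes the easy-rsa 2.0 keys/ directory from this post; the server hostname is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the original post or from Remi Bergsma's: build a
# single .ovpn profile with the CA, client certificate and key inlined, which
# is the form the OpenVPN Connect app on iOS imports. Assumes the easy-rsa 2.0
# keys/ directory from the post; the server name is a placeholder to fill in.

# Print only the PEM block from a file (easy-rsa .crt files carry a readable
# text dump in front of it, which is noise inside an inline profile).
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Write the profile for client $1 to stdout.
# $2 = public hostname or IP of the server, $3 = keys directory.
make_ovpn() {
    client="$1"; server="$2"; keys="${3:-/etc/openvpn/easy-rsa/2.0/keys}"
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# must match the server's comp-lzo setting
comp-lzo
# reject a peer whose certificate lacks the server extension that
# build-key-server adds, so a leaked client certificate cannot pose as the server
remote-cert-tls server
verb 3
<ca>
$(pem_block "$keys/ca.crt")
</ca>
<cert>
$(pem_block "$keys/$client.crt")
</cert>
<key>
$(pem_block "$keys/$client.key")
</key>
EOF
}

# Usage: make_ovpn myipad vpn.example.com > myipad.ovpn
```

The resulting file contains the client's private key, so transfer it to the device over a trusted channel and delete the copies you no longer need.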

In short, you can do one of two things

Hope this is useful to others. Have fun!