It had been my intention for quite some time to setup a VPN server for those times when I or family members would be travelling and had to use strange ISPs for Internet access. The last time I tried, it was half-hearted attempt two years ago and the result was a waste of time. It was only this week that I decided to look into this properly and the result is a success.
A few weeks ago, on an episode of Hak5, the host had shown a method of setting a very easy way to setup a PPTP server on Ubuntu with the help of a script . I figured it should be easy enough to adapt it to Mageia . It turned out that I did not have a sufficient enough grasp of the differences in Ubuntu and Mageia to make the changes. So I turned to the forums asking for help. Turned out that none frequenting the forum had ever had a need for a PPTP server and were therefore unable to help. So after brooding for a couple of days, I decided to go for a more robust VPN solution.
Let me describe the setup. There are 4 LANs in the 10.x.x.x range. The first LAN in the 10.1.0.0/16 network has a gateway that connects it to the Internet. For the remaining three LANs, the traffic goes to the 10.1.0.0 network before going onto the Internet. One machine in the 10.4.x.x is statically NATted to a public IP. Thus, although this machine is behind two LANs, it is still visible to the public world. The intermediate routers and the front-end firewall take care of the routing. It is this machine (say 10.4.0.2), running Mageia 2.0, that we desired to use as the VPN server.
The more easy to setup software based on SSL and TLS is OpenVPN . I started drakconf as root, selected Software Management->Install and Remove Software, searched for openvpn and installed it. Since I had openssl already installed on the system, the openvpn install was quick and easy. I took the help from an article (issue 127) in the Linux User and Developer magazine as well as the HowTo on OpenVPN website to setup the server.
Creating the CA and the certificates.
Drop down to the command line using your favourite terminal. Become root.
su - cd /etc/openvpn/ cp /usr/share/openvpn/sample-config-files/server.conf . cp -v -R /usr/share/openvpn/easy-rsa/ . cd easy-rsa/2.0/ vi varsIn vars, at a minimum, we need to change the values of the following parameters: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. I noticed there were two KEY_EMAIL parameters in vars and from trial and error I figured out that only one is needed, so delete the other one. When we create the master certificate authority (CA), we will need a common name. Choose something that reflects the name of your organization or you can go with OpenVPN-CA since this is a self-signed certificate anyway.
. ./vars ./clean-all ./build-caThe CA is built (keys/ca.crt, keys/ca.key). Now we create certificates for the machine hosting the VPN server and all the clients that will connect to the VPN server. Each client will have its own cerficate (i.e. no certificate sharing). Finally, we build the Diffie-Hellman keys. The database of certificates is a list of .pem files. As before all certificates (.crt, .key) will be in the keys subdirectory.
./build-key-server server ./build-key myipad ./build-key myandroid ./build-key toshibalaptop ./build-dhNote that the
Creating the configuration file for OpenVPN server and the firewall rules
First, we will configure the openvpn server's configuration file. Next we will configure shorewall to allow VPN traffic into the subnet as well as out ONTO the Internet.
su - cd /etc/openvpn/ vi server.confI won't go through all the settings in the file. Just highlight the changes I made. They appear in green in the block below. The two most important changes are the server entry which dictates what IP addresses will be assigned to VPN clients. I chose 10.66.77.0/24 because it seems very unlikely that our network will every go there and it seems very unlikely that the network from which the remote client is connecting to the VPN server will have this as its subnet. The second most important change is the redirect-gateway entry. I enabled this so that remote clients connect to the Internet via our network; in other words, all traffic goes through the VPN.
# /etc/openvpn/server.conf script-security 2 ;local a.b.c.d port 1194 ;proto tcp proto udp ;dev tap dev tun ;dev-node MyTap ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem server 10.66.77.0 255.255.255.0 ifconfig-pool-persist ipp.txt ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 ;server-bridge ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0" ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 ;learn-address ./script push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 188.8.131.52" ;push "dhcp-option DNS 184.108.40.206" ;client-to-client ;duplicate-cn keepalive 10 300 ;tls-auth ta.key 0 # This file is secret ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES comp-lzo ;max-clients 100 user openvpn group openvpn persist-key persist-tun status /var/log/openvpn-status.log ;log openvpn.log log-append /var/log/openvpn.log verb 3 ;mute 20Finally, in Mageia 2.0, there appears to be some issue with starting openvpn via the service command. So the most direct way to start it is through the command line:
/usr/sbin/openvpn /etc/openvpn/server.conf &
Configuring the firewalls for OpenVPN trafficIn Mageia, the default firewall is shorewall. It manages the iptables entries. Hence, the changes we need to make in order to allow the VPN traffic to flow into the network (10.4.0.0) is as follows.
# /etc/shorewall/interfaces net eth0 detect road tun+
# /etc/shorewall/policy road net ACCEPT fw net ACCEPT net all DROP info all all REJECT info
# /etc/shorewall/zones net ipv4 fw firewall road ipv4
# /etc/shorewall/tunnels openvpnserver:1194 net 0.0.0.0/0Finally, in order to allow the VPN traffic to traverse beyond the 10.4.0.0 network, I added a masquerading rule and enabled packet forwarding on the Linux server.
iptables -t nat -A POSTROUTING -s 10.66.77.0/24 -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forwardAnd we are done with the server!
Configuring the iPad
This was the easiest part. On the iPad, the best way to connect to the VPN is to use the official OpenVPN client. My iPad had iOS 6.1.3 but I believe any iOS 5+ should work fine. I had the good fortune to obtain instructions from this blog post of Remi Bergsma on how to configure my iPad. It worked perfectly.
In short, you can do one of two things
- First create a certificate in pkcs12 format and add it to the iPad (mind you we are not adding this certificate to the OpenVPN app but iOS itself). Next create a .ovpn file for the OpenVPN app and add that to the app. The app asks for a certificate once you open the .ovpn, point it to the certificate you had added earlier and you are done.
- Create a .ovpn file as above but now additionally your client certificate and your key. Incorporate this .ovpn to the app and you don't need to add a certificate separately to the iPad. This method however is less secure as anyone who can access your iPad can perform mischief after getting hold of your key.
Hope this is useful to others. Have fun!