Tuesday, February 21, 2017

Install OpenVPN on CentOS with Google OTP

8:26 PM Posted by Dilli Raj Maharjan 1 comment
OpenVPN is a full-featured open source SSL VPN solution. OpenVPN is a cost-effective, lightweight alternative to other VPN technologies. OpenVPN combines security with ease-of-use. OpenVPN runs on Linux, Windows XP/Vista/7 and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

Label the OpenVPN port for SELinux

semanage lives in the policycoreutils-python package; if you get "-bash: semanage: command not found", install that first:


yum -y install policycoreutils-python


Then check how 1194 is labelled and add the openvpn_port_t label if it is missing. The stock CentOS 6 policy usually lists 1194/udp already, in which case `semanage port -a` fails with "port already defined" and nothing needs to be done; the step matters when you run OpenVPN on a non-default port.


semanage port -l | grep openvpn
semanage port -a -t openvpn_port_t -p udp 1194

Make sure the EPEL repository is installed; openvpn and easy-rsa come from it on CentOS 6. If it is not, install it and confirm it is enabled:


rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum repolist enabled | grep epel

Install the openvpn and easy-rsa packages


yum -y install openvpn easy-rsa

Create a directory for the PKI and copy the easy-rsa 2.0 scripts into it, so the CA and keys live under /etc/openvpn rather than in /usr/share:


mkdir /etc/openvpn/rsa
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/rsa

Source the easy-rsa variables, override the ones that matter, then build the CA, the server key and the DH parameters. The exports must come after `source ./vars`: vars sets KEY_SIZE, CA_EXPIRE and KEY_EXPIRE itself, so anything exported before it is silently overwritten and you end up with a 2048-bit CA while believing you asked for 4096.


cd /etc/openvpn/rsa/
source ./vars
export KEY_SIZE=4096
export CA_EXPIRE=3654
export KEY_EXPIRE=3654
export KEY_COUNTRY="NP"
export KEY_PROVINCE="Bagmati"
export KEY_CITY="Kathmandu"
export KEY_ORG="Organization"
export KEY_EMAIL="info@dilli.com.np"
export KEY_OU="Technical"
export KEY_NAME="vpnkeys"
./clean-all
./build-ca
./build-key-server server
./build-dh

clean-all empties the keys directory, so run this sequence once. build-dh names its output after KEY_SIZE, so the files to expect in /etc/openvpn/rsa/keys/ are ca.crt, ca.key, server.crt, server.key and dh4096.pem; generating 4096-bit DH parameters takes many minutes on a small VM. ca.key and server.key must stay readable by root only.


Create the server configuration file with the settings below. Comment lines start with `#`; keep them on their own lines.


cd /etc/openvpn
vi server.conf

port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
# No periodic TLS renegotiation: every renegotiation would prompt for
# password+OTP again, and the OTP is only good for 30 seconds. The cost is a
# session key that is never rotated while the tunnel stays up.
reneg-sec 0
ca /etc/openvpn/rsa/keys/ca.crt
cert /etc/openvpn/rsa/keys/server.crt
key /etc/openvpn/rsa/keys/server.key
# build-dh names the file dh<KEY_SIZE>.pem
dh /etc/openvpn/rsa/keys/dh4096.pem
# "openvpn" is the PAM service name, i.e. /etc/pam.d/openvpn
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
# Password+OTP is the only authentication: no client certificate is checked,
# so ca.crt is not a secret and valid credentials work from any machine.
client-cert-not-required
username-as-common-name
server 10.251.0.0 255.255.255.0
# Mail servers
push "route 202.79.55.140 255.255.255.255"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
# relative to the daemon's working directory, /etc/openvpn
status 1194.log
verb 3
log-append /var/log/openvpn.log
# Without script-security 2 OpenVPN refuses to execute client-connect scripts
script-security 2
client-connect /etc/openvpn/scripts/up.sh
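Before trusting the files server.conf points at, it is worth confirming that the key size and expiry you asked for are what easy-rsa actually produced. The script below is an added example (not from the original post or from easy-rsa) that reads key sizes, expiry, the server-to-CA chain and private-key permissions with openssl; it assumes openssl is on the PATH and the post's layout under /etc/openvpn/rsa/keys. Run it as `sh check_pki.sh /etc/openvpn/rsa/keys 4096 3000` and expect no output and exit status 0.

```sh
#!/bin/sh
# check_pki.sh - verify the easy-rsa output before server.conf points at it.
# Added example, not from the original post or from easy-rsa. Assumes
# openssl on the PATH; the directory layout is the post's (/etc/openvpn/rsa/keys).
set -u

# RSA modulus size in bits of a PEM certificate (e.g. 4096).
cert_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Size in bits of a DH parameter file.
dh_bits() {
  openssl dhparam -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeed if certificate $1 verifies against CA file $2.
cert_signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_pki DIR BITS DAYS: one line per finding, non-zero if anything is off.
# Catches the easy-rsa 2 mistake of exporting KEY_SIZE before "source ./vars"
# (vars overwrites it and you silently get a 2048-bit CA).
check_pki() {
  dir=$1 want_bits=$2 want_days=$3 rc=0
  for f in ca.crt server.crt server.key "dh$want_bits.pem"; do
    [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return "$rc"
  for c in ca.crt server.crt; do
    bits=$(cert_bits "$dir/$c")
    [ "$bits" = "$want_bits" ] || { echo "KEYSIZE $c is $bits bits, wanted $want_bits"; rc=1; }
    cert_valid_for_days "$dir/$c" "$want_days" || { echo "EXPIRY $c expires within $want_days days"; rc=1; }
  done
  bits=$(dh_bits "$dir/dh$want_bits.pem")
  [ "$bits" = "$want_bits" ] || { echo "DHSIZE dh$want_bits.pem is $bits bits"; rc=1; }
  cert_signed_by "$dir/server.crt" "$dir/ca.crt" || { echo "CHAIN server.crt does not verify against ca.crt"; rc=1; }
  # The server private key must not be group- or world-readable.
  mode=$(stat -c %a "$dir/server.key")
  case $mode in
    600|400) ;;
    *) echo "PERMS server.key is mode $mode, want 600"; rc=1 ;;
  esac
  return "$rc"
}

# Usage: sh check_pki.sh KEYS_DIR [BITS] [MIN_DAYS_LEFT]
#   e.g. sh check_pki.sh /etc/openvpn/rsa/keys 4096 3000
[ $# -eq 0 ] || check_pki "$1" "${2:-4096}" "${3:-3000}"
```

A KEYSIZE line on ca.crt means the exports were done before `source ./vars`; rebuild the CA rather than carrying a weaker key for ten years. MISSING for dh4096.pem with a dh2048.pem present means the same thing.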

Create a symbolic link so the plugin path used in server.conf exists; the package installs the module under /usr/lib64. (Pointing the plugin line at /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so directly works just as well and avoids this step.)


mkdir -p /usr/share/openvpn/plugin/lib/
ln -s /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

Enable IPv4 forwarding in /etc/sysctl.conf so the server can route traffic for the clients, then load the setting:


vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

Masquerade VPN client traffic leaving eth0 (eth0 is the interface with the public IP address). Restrict the rule to the VPN subnet so the box does not NAT anything else that happens to be forwarded through it:


iptables -t nat -A POSTROUTING -s 10.251.0.0/24 -o eth0 -j MASQUERADE
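On a stock CentOS 6 box NAT alone is not enough: the default /etc/sysconfig/iptables ends both the INPUT and the FORWARD chain with a REJECT, so the UDP port is closed and packets arriving on tun0 are rejected before they ever reach POSTROUTING. The rule set below is an added example (not from the original post); it assumes the interface names eth0 and tun0 and the 10.251.0.0/24 subnet from server.conf, inserts the forward rules ahead of the default REJECT, scopes NAT to the VPN subnet, and saves the result so it survives a reboot.

```sh
#!/bin/sh
# Firewall rules for the OpenVPN server on CentOS 6 (iptables + init script).
# Added example; interface names and subnet are assumptions matching the post.
set -e
VPN_NET=10.251.0.0/24
WAN_IF=eth0
VPN_IF=tun0

# Let clients reach the listener (INPUT ends in REJECT by default).
iptables -I INPUT -p udp --dport 1194 -j ACCEPT

# Forward client traffic out, and replies back in, ahead of the default REJECT.
iptables -I FORWARD 1 -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
iptables -I FORWARD 2 -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT only the VPN subnet, not everything that leaves eth0.
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

# Persist: the init script reloads /etc/sysconfig/iptables at boot.
service iptables save
iptables -L FORWARD -n -v --line-numbers
```

The listing at the end should show the two ACCEPT rules above the REJECT line; if they appear below it, forwarding is still dead.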
Create the OS user gauth that owns the Google Authenticator secret files. The PAM module switches to this user (user=gauth below) to read them, so the secrets never have to be readable by anyone else.


useradd gauth

Download google-authenticator-libpam and build it. The build needs autotools and the PAM headers; the module installs to /usr/local/lib/security/, which is the path used in /etc/pam.d/openvpn below. master.zip is whatever the branch holds on the day you fetch it; for a reproducible build pick a tagged release from the project's releases page instead.


yum -y install gcc autoconf automake libtool pam-devel wget unzip
wget https://github.com/google/google-authenticator-libpam/archive/master.zip
unzip master.zip
cd google-authenticator-libpam-master
./bootstrap.sh
./configure
make
make install

Configure google authenticator.

Create the directory that will hold one secret file per VPN user and give it to gauth; only that user (and root) should be able to list it.


mkdir /etc/openvpn/google-authenticator
chown gauth:gauth /etc/openvpn/google-authenticator
chmod 700 /etc/openvpn/google-authenticator

Create a script that enrols a VPN user in Google Authenticator. It runs google-authenticator as gauth so the secret file ends up owned by gauth, and prints the secret, a QR code and the emergency scratch codes for the user. The username is interpolated into a shell command executed as root, so the script checks it is a plain, existing account name first.


cat > /root/create-gauth.sh <<'EOF'
#!/bin/sh
# Enrol a VPN user: create /etc/openvpn/google-authenticator/<user> as gauth.

USERNAME="$1"

if [ -z "$USERNAME" ]; then
  echo "Usage: $(basename "$0") USERNAME"
  exit 2
fi

# Only a plain account name, and only one that exists: the name goes into
# a command string run through su as root.
case $USERNAME in
  *[!a-z0-9_.-]*) echo "invalid username: $USERNAME" >&2; exit 2 ;;
esac
getent passwd "$USERNAME" >/dev/null || { echo "no such user: $USERNAME" >&2; exit 2; }

# Set the label the user will see when importing the token:
LABEL='OpenVPN Server'

# -t time-based codes, -d disallow reuse of a code, -r3 -R30 at most three
# attempts per 30 seconds, -W no tolerance window (current code only),
# -f overwrite an existing secret without asking
su -c "google-authenticator -t -d -r3 -R30 -W -f -l \"${LABEL}\" -s /etc/openvpn/google-authenticator/${USERNAME}" - gauth
EOF

Make the script executable for its owner only.


chmod 700 /root/create-gauth.sh

Create /etc/pam.d/openvpn with the contents below. Use a quoted heredoc (or an editor): ${USER} must reach the file literally, because it is the PAM module, not your shell, that substitutes the login name into the secret path.


cat > /etc/pam.d/openvpn <<'EOF'
# Copied from the login stack: a no-op for ordinary users, and since the
# plugin supplies no tty it keeps root from authenticating over the VPN
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
# OTP first. forward_pass: strip the trailing 6-digit code, verify it (as
# gauth) against the user's secret file, and pass the rest on as the password
auth required /usr/local/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
# then the normal OS password check with what was forwarded
auth include system-auth
account include system-auth
password include system-auth
EOF

The file name must match the service name given as the plugin argument in server.conf ("openvpn").

Create the VPN user. The GECOS field carries "Full name,email" because the client-connect script below reads both from it; -M creates no home directory and /sbin/false keeps the account from logging in anywhere except the VPN.


useradd -M -c "Mr. Dilli Raj Maharjan,email@dilli.com.np" -s /sbin/false vpn_dilliraj
passwd vpn_dilliraj

/root/create-gauth.sh vpn_dilliraj

The enrolment script prints the secret, a QR code and five emergency scratch codes. Hand them to the user over a channel you trust rather than plain e-mail, and treat the eight-digit scratch codes as passwords: each one bypasses the phone once.

Create the script OpenVPN runs after each successful connection (client-connect). OpenVPN passes the client's details in environment variables (common_name, untrusted_ip, ifconfig_pool_remote_ip) and the path of a per-client config file as $1; a non-zero exit status would reject the client, so the script must exit 0 even if the mail cannot be sent. This one e-mails the user a notification. Again a quoted heredoc, so the $variables are written to the file unexpanded.


mkdir -p /etc/openvpn/scripts
cat > /etc/openvpn/scripts/up.sh <<'EOF'
#!/bin/bash
# client-connect hook: notify the user by e-mail. Must always exit 0.
smtp="A.B.C.D"
from="vpnadmin@dilli.com.np"

# With username-as-common-name, common_name is the PAM-authenticated login,
# so the GECOS lookup is for a real local account ("Full name,email").
gecos=$(/usr/bin/getent passwd "$common_name" | /usr/bin/cut -d: -f5)
full_name=${gecos%%,*}
email_address=$(printf '%s' "$gecos" | /usr/bin/cut -s -d, -f2)
[ -n "$email_address" ] || exit 0   # nobody to notify

subject="VPN connected from $untrusted_ip"
date_n_time=$(date +%c)
Message="Dear ${full_name},

Your VPN username $common_name has been connected from IP address $untrusted_ip. Make sure it is you or that you are aware of it.
Please change your password if it was not you and contact the system administrator for further assistance.
Details:
==========================================
Connected since: ${date_n_time}

Public address: $untrusted_ip
Virtual address: $ifconfig_pool_remote_ip
Name: $common_name

Full name: $full_name
Email address: $email_address


Regards,
IT Team
Idealab."

# Quote the message so its line breaks survive, and never let a mail failure
# turn into a rejected connection.
printf '%s\n' "$Message" | /bin/mailx -r "${from}" -s "${subject}" -S smtp="${smtp}" "${email_address}"
exit 0
EOF

Make the file executable


chmod 755 /etc/openvpn/scripts/up.sh

Start the openvpn service and make sure it comes up automatically in run levels 3 and 5, then check the log for errors (a wrong dh path or a missing script-security line shows up here).


chkconfig openvpn --list
chkconfig --level 35 openvpn on
chkconfig openvpn --list

service openvpn start
tail /var/log/openvpn.log

Create the client configuration below, copy ca.crt from the server next to it, and set up the Google Authenticator app on the phone with the secret (or QR code) printed during enrolment.


vi idealab_vpn.ovpn
client
dev tun
proto udp
remote 202.166.166.251 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
# Only accept a server certificate built with build-key-server (server role),
# so another certificate from the same CA cannot impersonate the server
remote-cert-tls server
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Connect with the OS username, and in the password field type the OS password immediately followed by the current six-digit code, with no separator: for password hunter2 and code 123456 the client sends hunter2123456. pam_google_authenticator (forward_pass) strips the trailing digits, verifies them against /etc/openvpn/google-authenticator/<username>, and hands hunter2 on to system-auth. Because -W was used at enrolment, only the code for the current 30-second step is accepted, so the server clock must be right (run ntpd). Dropping `auth include system-auth` and the forward_pass option from /etc/pam.d/openvpn would turn this into OTP-only login, at the cost of having a single factor.
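The script below reproduces, outside of OpenVPN, what the server side does with that string, and doubles as a diagnostic for "the VPN rejects my code": it prints the code the server expects right now from a user's secret file, which separates clock skew from a wrong secret. It is an added example, not code from the original post nor from google-authenticator-libpam: split_forward_pass separates the password from the trailing code the way forward_pass does, totp computes the RFC 6238 code (HMAC-SHA1, 30-second step, 6 digits, what `google-authenticator -t` produces), and verify_code applies the tolerance window. It assumes openssl is on the PATH and that the first line of a google-authenticator secret file is the base32 secret; the key used in the checks is RFC 6238's published test key.

```sh
#!/bin/sh
# otp_check.sh - what the PAM stack does with the string the VPN client sends.
# Added example, not code from the original post or from
# google-authenticator-libpam. Assumes openssl on PATH and that the first
# line of a google-authenticator secret file is the base32 secret.
set -u

# forward_pass: the client sends "<OS password><6-digit code>" with no
# separator. Print "<password> <code>", or fail if no code is present.
# (Emergency scratch codes are 8 digits; the module tries that length too.)
split_forward_pass() {
  s=$1
  code=${s#"${s%??????}"}                     # last six characters
  case $code in
    [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s %s\n' "${s%??????}" "$code" ;;
    *) return 1 ;;
  esac
}

# RFC 4648 base32 (what google-authenticator stores) -> lowercase hex.
b32_to_hex() {
  alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
  buf=0 bits=0 out=''
  while [ -n "$s" ]; do
    ch=${s%"${s#?}"}; s=${s#?}                # pop the first character
    rest=${alphabet#*"$ch"}
    idx=$(( 31 - ${#rest} ))                  # position of ch in the alphabet
    [ "$idx" -ge 0 ] || return 1              # not a base32 character
    buf=$(( (buf << 5) | idx )); bits=$(( bits + 5 ))
    if [ "$bits" -ge 8 ]; then
      bits=$(( bits - 8 ))
      out=$out$(printf '%02x' $(( (buf >> bits) & 255 )))
      buf=$(( buf & ((1 << bits) - 1) ))
    fi
  done
  printf '%s\n' "$out"
}

# Emit the 8-byte big-endian HOTP counter as raw bytes (octal escapes keep
# this POSIX; bash's \x is not portable).
counter_bytes() {
  c=$1 fmt='' i=7
  while [ "$i" -ge 0 ]; do
    fmt=$fmt$(printf '\\%03o' $(( (c >> (i * 8)) & 255 )))
    i=$(( i - 1 ))
  done
  printf "$fmt"
}

# TOTP as google-authenticator -t uses it: HMAC-SHA1, 30 s step, 6 digits.
# $1 base32 secret, $2 unix time (default: now).
totp() {
  key_hex=$(b32_to_hex "$1") || return 1
  counter=$(( ${2:-$(date +%s)} / 30 ))
  mac=$(counter_bytes "$counter" |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | awk '{print $NF}')
  off=$(( 0x$(printf '%s' "$mac" | cut -c40) ))          # low nibble of last byte
  part=$(printf '%s' "$mac" | cut -c$(( off * 2 + 1 ))-$(( off * 2 + 8 )))
  printf '%06d\n' $(( (0x$part & 0x7fffffff) % 1000000 ))
}

# Accept $2 if it matches any of $4 consecutive codes centred on time $3.
# The module's default window is 3 (previous, current, next); -W at
# enrolment, as in the post, shrinks it to 1, so clocks must agree.
verify_code() {
  half=$(( (${4:-3} - 1) / 2 )); d=$(( -half ))
  while [ "$d" -le "$half" ]; do
    [ "$(totp "$1" $(( $3 + d * 30 )))" = "$2" ] && return 0
    d=$(( d + 1 ))
  done
  return 1
}

# Usage: otp_check.sh /etc/openvpn/google-authenticator/USER ['password+code']
if [ $# -gt 0 ]; then
  secret=$1
  [ -f "$secret" ] && secret=$(head -n 1 "$secret")
  echo "code the server expects now: $(totp "$secret")"
  if [ $# -gt 1 ]; then
    parts=$(split_forward_pass "$2") || { echo "no 6-digit code at the end"; exit 1; }
    if verify_code "$secret" "${parts##* }" "$(date +%s)" 1; then
      echo "OTP accepted; '${parts% *}' would be passed on to system-auth"
    else
      echo "OTP rejected (wrong secret or clock skew)"; exit 1
    fi
  fi
fi
```

Run it as root (the secret files are mode 400, owned by gauth) with the user's secret file; if the printed code differs from the phone by exactly one step, the server clock is off, not the secret. Note that the split is purely positional: a password that itself ends in digits still works, because the module always treats the last six characters as the code.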
1 comment:

  1. Can you give an example of password+otp? Do you mean like password123456 or password 123456? What would you change if you just wanted OTP?