Arch linux настройка vpn

Openswan L2TP/IPsec VPN client setup

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

This article describes how to configure and use a L2TP/IPsec Virtual Private Network client on Arch Linux. It covers the installation and setup of several needed software packages. L2TP refers to the w:Layer 2 Tunneling Protocol and for w:IPsec, the Openswan implementation is employed.

This guide is primarily targeted for clients connecting to a Windows Server machine, as it uses some settings that are specific to the Microsoft implementation of L2TP/IPsec. However, it is adaptable with any other common L2TP/IPsec setup. The Openswan wiki features instructions to set up a corresponding L2TP/IPSec Linux server.

Contents

Installation

To use with NetworkManager, install the networkmanager-l2tp and strongswan packages.

Now you can start openswan.service . If it’s not running you may get an error message about a missing pluto_ctl connect(pluto_ctl) failed: No such file or directory .

Run ipsec verify to check your configuration and resolve possible issues before continuing.

Configuration

NetworkManager

Open the NetworkManager UI, then:

1. Go to Network > VPN. Click «+»
2. Select «Layer 2 Tunneling Protocol (L2TP).»
3. You can choose a name for the VPN.
4. Enter Your VPN Server IP for the Gateway.
5. Enter Your VPN Username for the User name.
6. Right-click the ? in the Password field, select Store the password only for this user. (If this option gives you trouble, you might want to use «Store password for all users»)
7. Enter Your VPN Password for the Password.
8. Leave the NT Domain field blank.
9. Click the IPsec Settings. button.
10. Check the Enable IPsec tunnel to L2TP host checkbox.
11. Leave the Gateway ID field blank.
12. Enter Your VPN IPsec PSK for the Pre-shared key.
13. OK, then click Add to save the VPN connection information.

Now you should be able to start the VPN, by switching the Toggle-Button on.

OpenSwan

Edit /etc/ipsec.conf to contain the following lines:

This file contains the basic information to establish a secure IPsec tunnel to the VPN server. It enables NAT Traversal for if your machine is behind a NAT’ing router (most people are), and various other options that are necessary to connect correctly to the remote IPsec server. The next file contains your pre-shared key (PSK) for the server.

Create the file /etc/ipsec.secrets : It should contain the following line:

Remember to replace the local ( 192.168.0.123 ) and remote ( 68.68.32.79 ) IP addresses with the correct numbers for your location. The pre-shared key will be supplied by the VPN provider and will need to be placed in this file in cleartext form. You may find this file already exists and already have some data, try to back it up and create a new file only with your PSK if you will see «Can’t authenticate: no preshared key found for . » when enabling connection in next section. Do not forget to set proper permissions (600) for this file or you will get error message «We cannot identify ourselves with either end of this connection.».

Add the connection, so it’s available to use:

At this point the IPsec configuration is complete and we can move on to the L2TP configuration.

Running Openswan in a container

Do not forget to add CAP_SYS_MODULE capability and access to host module tree. Example for nspawn:

xl2tpd

Edit /etc/xl2tpd/xl2tpd.conf so it has the following contents:

This file configures xl2tpd with the connection name, server IP address (which again, please remember to change to your servers address) and various options that will be passed to pppd once the tunnel is set up.

Now create /etc/ppp/options.l2tpd.client with the following contents:

Place your assigned username and password for the VPN server in this file. A lot of these options are for interoperability with Windows Server L2TP servers. If your VPN server uses PAP authentication, replace require-mschap-v2 with require-pap .

This concludes the configuration of the applicable software suites to connect to a L2TP/IPsec server. To start the connection do the following:

At this point the tunnel is up and you should be able to see the interface for it if you type:

You should see a pppX device that represents the tunnel. Right now, nothing is going to get routed through it. You need to add some routing rules to make it work right:

Routing

Routing traffic to a single IP address or subnet through the tunnel

This is as easy as adding a routing rule to your kernel table:

Note xxx.xxx.xxx.xxx is the specific ip address (e.g. 192.168.3.10) or subnet (e.g. 192.168.3.0/24) that you wish to communicate with through the tunnel device (e.g. ppp0).

Note yyy.yyy.yyy.yyy is «peer ip» of your pppX device used to route traffic to tunnel destination xxx.xxx.xxx.xxx.

See example below for command to identify tunnel device name and peer ip and then add route. :

Routing all traffic through the tunnel

This is a lot more complex, but all your traffic will travel through the tunnel. Start by adding a special route for the actual VPN server through your current gateway:

This will ensure that once the default gateway is changed to the ppp interface that your network stack can still find the VPN server by routing around the tunnel. If you miss this step you will lose connectivity to the Internet and the tunnel will collapse. Now add a default route that routes to the PPP remote end:

The remote PPP end can be discovered by following the step in the previous section. Now to ensure that ALL traffic is routing through the tunnel, delete the original default route:

To restore your system to the previous state, you can reboot or reverse all of the above steps.

The route creation can also be automated by placing a script in /etc/ppp/ip-up.d.

Troubleshooting

Issue: journalctl logs VPN connection: failed to connect: ‘Could not restart the ipsec service.

Solution Make sure you have strongswan installed

Issue: I get a message from pppd saying «Failed to authenticate ourselves to peer» and I have verified my password is correct. What could be wrong?

Solution 1: If you see the following in your /var/log/daemon.log:

then you are authenticating against a SonicWALL LNS that does not know how to handle CHAP-style authentication correctly.

The solution to this is to add the following to your options.l2tp.client file:

This will cause the SonicWALL to default to the next authentication mechanism, namely MSCHAP-v2. This should authenticate successfully, and from this point xl2tpd should successfully construct a tunnel between you and the remote L2TP server.

Solution 2: If you see the following in your journal after running journalctl -ru xl2tpd as root:

Try adding domain name in front of username in your options.l2tpd.client file (note the double backslash), i.e:

Tips and tricks

Script start up and shut down

You can create some scripts either in your home directory or elsewhere(remember where you put them) to bring up the tunnel then shut it back down.

First, a utility script to automatically discover PPP distant ends:

Next, the script to bring the tunnel up. This will replace the default route, so all traffic will pass via the tunnel:

Finally, the shutdown script, it simply reverses the process:

A further script

Above script really help me work. And notice the script use fixed ip, and someone like me may change net vpn addr, i would like to put my further script below(not sure how to add attachment, so just raw ):

Script to resolve dns names and connect

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Very useful if you have dynamic IP for the server.

Источник

PPTP Client

pptpclient is a program implementing the Microsoft PPTP protocol. As such, it can be used to connect to a Microsoft VPN network (or any PPTP-based VPN) provided by a school or workplace.

Contents

Installation

Configure

To configure pptpclient you will need to collect the following information from your network administrator:

• The IP address or hostname of the VPN server.
• The username you will use to connect.
• The password you will use to connect.
• The authentication (Windows) domain name. This is not necessary for certain networks.

You must also decide what to name the tunnel.

Configure using pptpsetup

You can configure and delete tunnels by running the pptpsetup tool as root. For example:

You can #Connect after a tunnel has been configured.

Configure by hand

You can also edit all necessary configuration files by hand, rather than relying on pptpsetup.

Edit The options File

The /etc/ppp/options file sets security options for your VPN client. If you have trouble connecting to your network, you may need to relax the options. At a minimum, this file should contain the options lock , noauth , nobsdcomp and nodeflate .

Edit The chap-secrets File

The /etc/ppp/chap-secrets file contains credentials for authenticating a tunnel. Make sure no one except root can read this file, as it contains sensitive information.

Edit the file. It has the following format:

Replace each bracketed term with an appropriate value. Omit \\ if your connection does not require a domain.

Name Your Tunnel

The /etc/ppp/peers/ file contains tunnel-specific configuration options. is the name you wish to use for your VPN connection. The file should look like this:

Again, omit \\ if your connection does not require a domain. is the remote address of the VPN server, is the domain your user belongs to, is the name you will use to connect to the server, and is the name of the connection.

in the /etc/ppp/chap-secrets File.

Connect

To make sure that everything is configured properly, as root execute:

If everything has been configured correctly, the pon command should not terminate. Once you are satisfied that it has connected successfully, you can terminate the command.

To connect to your VPN normally, simply execute:

Where is the name of the tunnel you established earlier. Note that this command should be run as root.

Routing

Once you have connected to your VPN, you should be able to interact with anything available on the VPN server. To access anything on the remote network, you need to add a new route to your routing table.

For more information on how to add routes, you can read this article which has many more examples: PPTP Routing Howto

Split Tunneling

Packets with a destination of your VPN’s network should be routed through the VPN interface (usually ppp0 ). To do this, you create the route:

This will route all the traffic with a destination of 192.168.10.* through your VPN’s interface, ( ppp0 ).

Route All Traffic

It may be desirable to route all traffic through your VPN connection. You can do this by running:

Route All Traffic by /etc/ppp/ip-up.d

Make sure the script is executable.

Split Tunneling based on port by /etc/ppp/ip-up.d

Make sure the script is executable and that the vpn table is added to /etc/iproute2/rt_tables

Disconnect

Execute the following to disconnect from a VPN:

is the name of your tunnel.

Making A VPN Daemon and Connecting On Boot

This article or section is out of date.

You can create a simple daemon for your VPN connection by creating an appropriate /etc/rc.d/* script:

To resolve this issue, you can patch your /usr/bin/poff file by making the following changes on line 93:

Troubleshooting

If client connections keep timing out with «LCP: timeout sending Config-Requests», make sure that GRE is allowed through the client firewall. For iptables, the necessary command is:

Alternatively, if you only want to allow PPTP traffic that corresponds to a connection request coming from your local machine, you can use the conntrack PPTP helper:

The second line should autoload the nf_conntrack_pptp and nf_conntrack_proto_gre kernel modules, which are needed for this.

If you get “EAP: unknown authentication type 26; Naking”, open /etc/ppp/options.pptp and commented out the lines refuse-chap and refuse-mschap and add the options file entry to the tunnel file like this:

Remarks

You can find more information about configuring pptpclient at their website: pptpclient website. The contents of this article were adapted from their Ubuntu How-To which also provides some hints on how to do things such as connecting on boot. These examples should be easy to adapt into daemons or other scripts to help automate your configuration.

Источник

OpenVPN

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.4 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Contents

Installation

Install the openvpn package, which provides both server and client mode.

Kernel configuration

OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the tun module:

Read Kernel modules for more information.

Connect to a VPN provided by a third party

To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with #The client configuration profile and skip ahead to #Starting OpenVPN after that. One should use the provider certificates and instructions, see Category:VPN providers for examples that can be adapted to other providers. OpenVPN client in Linux Containers also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.

Create a Public Key Infrastructure (PKI) from scratch

When setting up an OpenVPN server, users need to create a Public Key Infrastructure (PKI) which is detailed in the Easy-RSA article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in /etc/openvpn/server at this point:

Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.

A basic Layer-3 IP routing configuration

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.

With the release of v2.4, server configurations are stored in /etc/openvpn/server and client configurations are stored in /etc/openvpn/client and each mode has its own respective systemd unit, namely, openvpn-client@.service and openvpn-server@.service .

Example configuration

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

• Uses Public Key Infrastructure (PKI) for authentication.
• Creates a VPN using a virtual TUN network interface (OSI Layer-3 IP routing).
• Listens for client connections on UDP port 1194 (OpenVPN’s official IANA port number[1]).
• Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the openvpn(8) man page and the OpenVPN documentation.

The server configuration file

Copy the example server configuration file /usr/share/openvpn/examples/server.conf to /etc/openvpn/server/server.conf .

Edit the file making a minimum of the following changes:

If TLS with elliptic curves is used, specify dh none and ecdh-curve secp521r1 . DH parameters file is not used when using elliptic curves. Starting from OpenVPN 2.4.8, it is required to specify the type of elliptic curves in server configuration. Otherwise the server would fail to recognize the curve type and possibly use an incompatible one, resulting in authentication errors.

Hardening the server

If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers. Starting from OpenVPN 2.4, the server and the client will automatically negotiate AES-256-GCM in TLS mode.

Add the following to /etc/openvpn/server/server.conf :

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Bleeding edge security

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Compatibility with most devices

Enabling compression

Enabling compression is not recommended by upstream; doing so opens to the server the so-called VORACLE attack vector. See this article.

Deviating from the standard port and/or protocol

It is generally recommended to use OpenVPN over UDP, because TCP over TCP is a bad idea[2].

Some networks may disallow OpenVPN connections on the default port and/or protocol. One strategy to circumvent this is to mimic HTTPS traffic which is very likely unobstructed.

To do so, configure /etc/openvpn/server/server.conf as such:

Running multiple instances of OpenVPN on different ports on the physical machine

One can have multiple, concurrent instances of OpenVPN running on the same box. Each server needs to be defined in /etc/openvpn/server/ as a separate .conf file. At a minimum, the parallel servers need to be running on different ports. A simple setup directs traffic connecting in to a separate IP pool. More advanced setups are beyond the scope of this guide.

Consider this example, running 2 concurrent servers, one port 443/udp and another on port 80/tcp.

First modify /etc/openvpn/server/server.conf created as so:

Now copy it and modify the copy to run on 80/tcp:

Be sure to setup the corresponding entries in the firewall, see the relevant sections in #Firewall configuration.

The client configuration profile

Copy the example client configuration file /usr/share/openvpn/examples/client.conf to /etc/openvpn/client/ .

Edit the following:

• The remote directive to reflect either the server’s Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
• Uncomment the user and group directives to drop privileges.
• The ca , cert , and key parameters to reflect the path and names of the keys and certificates.
• Enable the TLS HMAC handshake protection ( —tls-crypt or —tls-auth ).

Run as unprivileged user

Using the options user nobody and group nobody in the configuration file makes OpenVPN drop its root privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.

As it could seem to require manual action to manage the routes, the options user nobody and group nobody might seem undesirable. Depending on setup, however, there are different ways to handle these situations:

• For errors of the unit, a simple way is to edit it and add a Restart=on-failure to the [Service] section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
• The package contains the /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so , which can be used to let openvpn fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its README).

The OpenVPN HowTo’s linked below go further by creating a dedicated non-privileged user/group, instead of the already existing nobody . The advantage is that this avoids potential risks when sharing a user among daemons:

• The OpenVPN HowTo explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
• It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki (howto). The howto assumes the presence of System V init, rather than Systemd and does not cover the handling of —up / —down scripts — those should be handled the same way as the ip command, with additional attention to access rights.
• It is also possible to run OpenVPN from within unprivileged podman container, see this section of OpenVPN HowTo

Converting certificates to encrypted .p12 format

Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:

Testing the OpenVPN configuration

Run openvpn /etc/openvpn/server/server.conf (as the root user) on the server, and openvpn /etc/openvpn/client/client.conf (as the root user) on the client. Example output should be similar to the following:

Find the IP address assigned to the tunX interface on the server, and ping it from the client.

Find the IP address assigned to the tunX interface on the client, and ping it from the server.

Configure the MTU with Fragment and MSS

If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, DNS, NFS), it may be needed to set a MTU value manually.

The following message may indicate the MTU value should be adjusted:

In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [3]:

Decrease the 1500 value by 10 each time, until the ping succeeds.

Update the client configuration to use the succeeded MTU value, e.g.:

OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since the client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:

Connect to the server via IPv6

Starting from OpenVPN 2.4, OpenVPN will use AF_INET defined by the OS when just using proto udp or proto tcp , which in most cases will be IPv4 only. To use both IPv4 and IPv6, use proto udp6 or proto tcp6 . To enforce only IPv4-only, use proto udp4 or proto tcp4 . On older OpenVPN versions, one server instance can only support either IPv4 or IPv6.

Provide IPv6 inside the tunnel

In order to provide IPv6 inside the tunnel, have an IPv6 prefix routed to the OpenVPN server. Either set up a static route on the gateway (if a static block is assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). Also consider using a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:

• Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so change the server.conf every time the prefix is changed (Maybe can be automated with a script).
• ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. This means one cannot route the entire traffic over the tunnel. Those wanting to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, may want to use the ULA addresses for ease.

Alternatively, a NDP proxy should work. See this StackExchange post.

After having received a prefix (a /64 is recommended), append the following to the server.conf:

This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.

Those wanting to push a route to a home network (192.168.1.0/24 equivalent), need to also append:

OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.

Starting OpenVPN

Manual startup

To troubleshoot a VPN connection, start the client’s daemon manually with openvpn /etc/openvpn/client/client.conf as root. The server can be started the same way using its own configuration file (e.g., openvpn /etc/openvpn/server/server.conf ).

systemd service configuration

To start the OpenVPN server automatically at system boot, enable openvpn-server@configuration.service on the applicable machine. For a client, enable openvpn-client@configuration.service instead. (Leave .conf out of the configuration string.)

For example, if the client configuration file is /etc/openvpn/client/client.conf , the service name is openvpn-client@client.service . Or, if the server configuration file is /etc/openvpn/server/server.conf , the service name is openvpn-server@server.service .

Letting NetworkManager start a connection

One might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to /etc/NetworkManager/dispatcher.d/ . In the following example «Provider» is the name of the NetworkManager connection:

NetworkManager-native VPN configuration

GUI configuration

In your desktop environment network settings (or nm-connection-editor ). Click the plus sign to add a new connection and choose OpenVPN and manually enter the settings. You also can optionally import #The client configuration profile by selecting Import a saved VPN configuration. and selecting the appropriate file.

CLI configuration

For importing a configuration:

To do a manual configuration:

Sync state with connection

NetworkManager supports syncing the VPN state with a interface connection state, i.e start the VPN together with the connection and bringing it down when the connection goes down.

To achieve this, open nm-connection-editor and select a network connection (not the VPN), then head to the General section, tick Automatically connect to VPN and select the appropriate config in the dropdown menu.

Troubleshooting

No certificate password

Routing client traffic through the server

Without further configuration only traffic directly to and from the OpenVPN server’s IP passes through the VPN. To have other traffic, like web traffic pass through the VPN, correspondent routes must be added. Either add routes in the client’s configuration or configure the server to push these routes to the client.

To redirect traffic to and from a subnet of the server, add push «route » right before the remote

To redirect all traffic including Internet traffic to the server, add the following in the client’s configuration:

If running an IPv4-only server, drop the ipv6 option. If running IPv6-only, use redirect-gateway ipv6 !ipv4 .

To make the server push routes, append push «redirect-gateway def1 bypass-dhcp ipv6» to the configuration file (i.e. /etc/openvpn/server/server.conf ) [4] of the server. Note this is not a requirement and may even give performance issue:

If running an IPv4-only server, drop the ipv6 option. If running IPv6-only, use push «redirect-gateway ipv6 !ipv4»

Optionally, push local DNS settings to clients (e.g. the DNS-server of the router and domain prefix .internal):

After setting up the configuration file, enable packet forwarding on the server. Additionally, the server’s firewall needs to be adjusted to allow VPN traffic, which is described below for both ufw and iptables.

Firewall configuration

firewalld

If using the default port 1194, enable the openvpn service. Otherwise, create a new service with a different port.

Now add masquerade to the zone:

Make these changes permanent:

In order to allow ufw forwarding (VPN) traffic append the following to /etc/default/ufw :

Change /etc/ufw/before.rules , and append the following code after the header and before the «*filter» line:

• Change the IP/subnet mask to match the server set in the OpenVPN server configuration.
• Change the network interface to the connection used by OpenVPN server.

Make sure to open the chosen OpenVPN port (default 1194/udp):

To apply the changes. reload/restart ufw:

iptables

In order to allow VPN traffic through an iptables firewall, first create an iptables rule for NAT forwarding [5] on the server. An example (assuming the interface to forward to is named eth0 ):

If running multiple servers on different IP pools, add a corresponding line for each one, for example:

If the server cannot be pinged through the VPN, one may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [6]:

Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface:

When satisfied, make the changes permanent as shown in iptables#Configuration and usage.

Those with multiple tun or tap interfaces, or more than one VPN configuration can «pin» the name of the interface by specifying it in the OpenVPN config file, e.g. tun22 instead of tun . This is advantageous if different firewall rules for different interfaces or OpenVPN configurations are wanted.

Prevent leaks if VPN goes down

This prevents all traffic through the default interface (enp3s0 for example) and only allows traffic through tun0. If the OpenVPN connection drops, the system will lose its internet access thereby preventing connections through the default network interface.

One may want to set up a script to restart OpenVPN if it goes down.

Alternatively, one can allow DNS leaks. Be sure to trust your DNS server!

vpnfailsafe

Alternatively, the vpnfailsafe ( vpnfailsafe-git AUR ) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of update-resolv-conf, so the two do not need to be combined.

Layer-3 IPv4 routing

This section describes how to connect client/server LANs to each other using Layer-3 IPv4 routing.

Prerequisites for routing a LAN

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See Internet sharing#Enable packet forwarding for configuration details.

Routing tables

The factual accuracy of this article or section is disputed.

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

• Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway’s IP address.
• Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
• Use iptables’ NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

Connect the server LAN to a client

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:

Connect the client LAN to a server

• Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
• Each client’s certificate has a unique Common Name, in this case bugs.
• The server may not use the duplicate-cn directive in its config file.
• The CCD folder must be accessible via user and group defined in the server config file (typically nobody:nobody)

Create a client configuration directory on the server. It will be searched for a file named the same as the client’s common name, and the directives will be applied to the client when it connects.

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

If accessing a machine in the client LAN from a machine in the server LAN, remember that packet forwarding needs to be enabled on the client (Internet sharing#Enable packet forwarding).

Connect both the client and server LANs

Combine the two previous sections:

Connect clients and client LANs

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:

In order for another client or client LAN to see a specific client LAN, add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the up and down config options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN, so in order for any of them to work, script-security must be set to 2. The down-root plugin can be used instead of the down option if running as an unprivileged user.

The pull-resolv-conf custom scripts

These scripts are maintained by OpenVPN. They are client.up and client.down , and they are packaged in /usr/share/openvpn/contrib/pull-resolv-conf/ . The following is an excerpt of a resulting client configuration using the scripts in conjunction with the down-root plugin:

These scripts use the resolvconf command if present. Systemd-resolvconf and Openresolv both implement this command. See their wiki pages for more information on getting a working resolvconf implementation.

If no implementation of resolvconf is present, client.up preserves the existing resolv.conf at /etc/resolv.conf.ovpnsave and writes a new one. This new one will not have any of the original DNS servers.

When editing these scripts, copy them somewhere else and edit them there, so that the changes do not get overwritten by the next openvpn package upgrade. /etc/openvpn/client is a pretty good place.

The update-resolv-conf custom script

The openvpn-update-resolv-conf script is available as an alternative to packaged scripts. It needs to be saved for example at /etc/openvpn/update-resolv-conf and made executable.

Users preferring a package may use openvpn-update-resolv-conf-git AUR but will still need to do the following:

Once the script is installed add lines like the following into the OpenVPN client configuration file:

Now, when launching the OpenVPN connection, resolv.conf should be updated accordingly, and also should get returned to normal when the connection is closed.

The update-systemd-resolved custom script

The update-systemd-resolved script links OpenVPN with systemd-resolved via DBus to update the DNS records.

Copy the script into /etc/openvpn/scripts and mark as executable (or install openvpn-update-systemd-resolved AUR ) and append the following lines into the OpenVPN client configuration file:

In order to send all DNS traffic through the VPN tunnel and prevent DNS leaks, also add the following line (see [7]):

Make sure that the systemd-resolved service is configured and running. Also, since openvpn 2.5.0-3 scripts are running as openvpn user instead of root. Thus, add a PolicyKit rule to allow OpenVPN systemd units to call DBus with SetLinkDNS:

Override DNS servers using NetworkManager

By default networkmanager-openvpn plugin appends DNS servers provided by OpenVPN to /etc/resolv.conf .

To verify that the correct DNS server(s) are configured, see resolvectl status if systemd-resolved is in use, for other resolvers see Domain name resolution.

Layer-2 Ethernet bridging

Establishing an Ethernet bridge enables access to other devices within a subnet of the server. For example, accessing other machines in the local network of the OpenVPN server via Samba would be possible with this approach. Clients would be assigned an IP address as if it were within the same subnet.

This is generally a two step process: 1) establishing the tap interface and the network bridge on the OpenVPN server to bridge the tap interface and the Ethernet interface, and 2) configuring the OpenVPN server.

Config generators

ovpngen

The ovpngen AUR package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the OpenVPN Connect app for Android and iOS.

Simply invoke the script with 5 tokens:

1. Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
2. Full path to the CA cert.
3. Full path to the client cert.
4. Full path to the client private key.
5. Full path to the server TLS shared secret key.
6. Optionally a port number.
7. Optionally a protocol (udp or tcp).

If the server is configured to use tls-crypt, as is suggested in #The server configuration file, manually edit the resulting foo.ovpn replacing and with and .

The resulting foo.ovpn can be edited if desired as the script does insert some commented lines. foo.ovpn will not automatically route all traffic through the VPN, so consider following #Routing client traffic through the server to enable redirection.

The client expects this file to be located in /etc/openvpn/client/foo.conf . Note the change in file extension from ‘ovpn’ to ‘conf’ in this case.

openvpn-unroot

The steps necessary for OpenVPN to #Run as unprivileged user, can be performed automatically using openvpn-unroot ( openvpn-unroot-git AUR ).

It automates the actions required for the OpenVPN howto by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.

Troubleshooting

Client daemon not reconnecting after suspend

openvpn-reconnect AUR , available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.

Alternatively, restart OpenVPN after suspend by creating the following systemd service:

Enable this service for it to take effect.

Connection drops out after some time of inactivity

If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a keepalive directive to the server’s configuration:

In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up. If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.

A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on the connection, also try lower intervals than 10 seconds.

PID files not present

The default systemd service file for openvpn-client does not have the —writepid flag enabled, despite creating /run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change openvpn-client@.service using a drop-in snippet:

Route configuration fails with systemd-networkd

When using systemd-networkd to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.

From systemd-233, systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:

Restart systemd-networkd.service to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run networkctl . The output should have a line similar to the following:

tls-crypt unwrap error: packet too short

This error shows up in the server log when a client that does not support tls-crypt, or a client that is misconfigured to use tls-auth while the server is configured to use tls-crypt, attempts to connect.

Источник