A little unorthodox, but it seems to work fine

Posted: Sun Apr 27, 2014 10:10 pm
by buzz89
I've been running this OpenVPN setup for a few weeks now and I want to see what people who know what they're doing think.

My goal, like most people messing with OpenVPN, was to access my home setup over the open internet as "securely" as possible without exposing other services, i.e. SSH, Samba. I couldn't get OpenVPN to work for crap at first, so I messed with Openswan/l2tpd in my test environment for a while, and was reminded how much IPsec sucks. Softether is not quite “finished” yet, and let's face it, PPTP is just dumb nowadays. So let's give OpenVPN another try. And this is what I've come up with after what felt like weeks of documentation reading, forum lurking, testing, brute trial/error, etc.

After installing OpenVPN, I guess the first order of business is building your CA, Certs, Keys, etc.

Openswan/l2tpd had me all burnt out with building keypairs with OpenSSL. I chose to go the easy-rsa way, and it was also my first time ever using git as opposed to apt.

git clone

Once you've cloned easy-rsa, you build the CA with:

./easyrsa init-pki
./easyrsa build-ca

Generate the DH parameters file with:

./easyrsa gen-dh

And now I guess you're ready to build the server and client keys respectively. Although once you've built the CA, the order in which you do things doesn't seem to matter here.

./easyrsa build-server-full server
./easyrsa build-client-full client1
./easyrsa build-client-full client2
(and so on for each client)

I've read the guide on how to run OpenVPN as an unprivileged user at ... ilegedUser

Some ideas I liked, some I didn't, for 2 reasons.

1. I couldn't find the lines in the init.d file to alter. (Maybe the documentation's out of date, idk.)
2. I'm no expert on how init.d really works, so best not to mess with it.

I don't like the idea of OpenVPN running as nobody; there's less accountability there, and I couldn't make it work anyway. So I made a user/group for OpenVPN as a compromise. Just as long as it's not running as root.

sudo addgroup --system openvpn
sudo adduser --no-create-home --ingroup openvpn --system openvpn

Now I come to the networking part of things. My Linux home server has a lot going on with it already:

The internet-facing side
Internal wired network
Wireless 2.4 GHz network w/ hostapd
Wireless 5 GHz network w/ hostapd
The OpenVPN TAP network

The recommended way to do this is to bridge the TAP network with the wired network. But I didn't want to go messing with the interface setup more than necessary, so I went the routed way. Thus my Windows client config looks something like this.

remote “server remote IP” 443
proto tcp-client
dev tap
ca “”
cert “”
key “”
route “the internal wired network here” “the subnet mask of the internal network” “the TAP network server-side IP” “the routing metric”
cipher aes-256-cbc

And with that in mind my server.conf ended up looking something like this.

dev tap0
proto tcp-server
ifconfig “Internal TAP network here”
lport 443
ca “CA Cert path”
dh “DH path”
cert “Server Cert Path”
key “Server private key path”
askpass “Path to private key secret”
verb 3
daemon openvpn
user openvpn
group openvpn
cipher AES-256-CBC

Notice there are no network settings pushed. All that is handled from my client. And I'm doing TCP over 443, to penetrate any firewalls in between consistently.

But this is where it hits the fan...

Since I didn't alter the init.d script, am not running OpenVPN as root, and made my own system group, OpenVPN seems to have a hard time binding to a TCP socket. Or more specifically, rebinding after a disconnect or a failed TLS negotiation. If I were using UDP it would be a bit more persistent. But I need TCP!

What to do then... I employed a favored technique for ensuring service availability. A simple “cron-automated bash script service checker of save-your-job thingy”.


stat=$(service openvpn status | grep -o "VPN 'server' is not running")
if [ "$stat" = "VPN 'server' is not running" ]; then
service openvpn restart

Give or take a few lines for reporting options.

Automate this with cron:

sudo crontab -e

*/5 * * * * sudo bash “path to the script”

And now if I use it and then disconnect, or if someone with less-than-ethical intentions tries to connect to it, it dies. And in the syslog it looks a little something like this.

Apr 26 17:37:25 "hostname here" openvpn[1315]: TCP connection established with [AF_INET]”Less than ethical persons IP here”
Apr 26 17:37:25 "hostname here" openvpn[1315]: TCPv4_SERVER link local (bound): [undef]
Apr 26 17:37:25 "hostname here" openvpn[1315]: TCPv4_SERVER link remote: [AF_INET]”Less than ethical persons IP here”
Apr 26 17:37:25 "hostname here" openvpn[1315]: WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1591 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 26 17:37:25 "hostname here" openvpn[1315]: Connection reset, restarting [0]
Apr 26 17:37:25 "hostname here" openvpn[1315]: TCP/UDP: Closing socket
Apr 26 17:37:25 "hostname here" openvpn[1315]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 17:37:25 "hostname here" openvpn[1315]: Restart pause, 1 second(s)
Apr 26 17:37:26 "hostname here" openvpn[1315]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 26 17:37:26 "hostname here" openvpn[1315]: Re-using SSL/TLS context
Apr 26 17:37:26 "hostname here" openvpn[1315]: Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Apr 26 17:37:26 "hostname here" openvpn[1315]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Apr 26 17:37:26 "hostname here" openvpn[1315]: TCP/UDP: Socket bind failed on local address [undef]: Permission denied
Apr 26 17:37:26 "hostname here" openvpn[1315]: Exiting
Apr 26 17:37:26 "hostname here" openvpn[1315]: Closing TUN/TAP interface
Apr 26 17:37:26 "hostname here" openvpn[1315]: /sbin/ifconfig tap0
Apr 26 17:37:26 "hostname here" openvpn[1315]: Linux ip addr del failed: external program exited with error status: 255

This causes OpenVPN to stop for up to five minutes before cron restarts it, which works well enough for me. At the end of the day, I just need something that works consistently and securely, with “good enough” availability. And it has the added side effect of giving an attacker a real headache with a five-minute, one-attempt time-out.

I didn't cover the iptables firewall configuration in here. If anyone can think of some better ways to do things, or if you see something I'm doing really wrong please post!
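As an added example (not buzz89's script and not anything shipped by OpenVPN), here is a fuller version of the cron watchdog together with a small syslog triage routine for the restart pattern shown in the log excerpt above: it counts the "Bad encapsulated packet length" warnings (a peer that did not speak OpenVPN's TCP framing) and the "Socket bind failed ... Permission denied" events (the daemon failing to rebind its port after the privilege drop), and pulls out the remote addresses for the report. The `service openvpn status` / `service openvpn restart` commands are assumed to match the Debian-style init script in the post; the sample log lines are constructed from the excerpt, with 203.0.113.7 as a documentation address standing in for the remote peer.

```shell
#!/bin/sh
# Added example: OpenVPN cron watchdog plus syslog triage. Not the original
# poster's script. Command names are assumptions for a Debian-style host.
STATUS_CMD=${STATUS_CMD:-"service openvpn status"}
RESTART_CMD=${RESTART_CMD:-"service openvpn restart"}

# Constructed sample log, modelled on the excerpt in the post (peer address
# is the RFC 5737 documentation range, not a real client).
SAMPLE_LOG='Apr 26 17:37:25 host openvpn[1315]: TCP connection established with [AF_INET]203.0.113.7:51234
Apr 26 17:37:25 host openvpn[1315]: WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1591 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr 26 17:37:25 host openvpn[1315]: Connection reset, restarting [0]
Apr 26 17:37:25 host openvpn[1315]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 17:37:26 host openvpn[1315]: TCP/UDP: Socket bind failed on local address [undef]: Permission denied
Apr 26 17:37:26 host openvpn[1315]: Exiting'

# Decide from the init script's status text whether a restart is needed.
# Exit status 0 means "restart", so it can be used directly in an if.
openvpn_needs_restart() {
    case "$1" in
        *"is not running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count rebind failures: the daemon, now running as the unprivileged user,
# tried to bind its listening port again after SIGUSR1 and was refused.
count_bind_failures() {
    printf '%s\n' "$1" | grep -c 'Socket bind failed on local address.*Permission denied' || true
}

# Count peers whose first bytes were not a valid OpenVPN TCP frame (scanners,
# plain HTTPS clients, mismatched MTU); OpenVPN logs these as bad lengths.
count_bad_length_peers() {
    printf '%s\n' "$1" | grep -c 'Bad encapsulated packet length from peer' || true
}

# Extract the remote address:port of every accepted TCP connection so the
# report can say who triggered a restart.
list_peer_addresses() {
    printf '%s\n' "$1" | sed -n 's/.*TCP connection established with \[AF_INET\]\([^ ]*\).*/\1/p'
}

# One-line verdict for the cron report.
triage_log() {
    binds=$(count_bind_failures "$1")
    bad=$(count_bad_length_peers "$1")
    if [ "$binds" -gt 0 ]; then
        echo "bind-failed:$binds bad-peers:$bad"   # daemon exited on rebind
    else
        echo "ok bad-peers:$bad"
    fi
}

# Cron entry point: restart when the status text says the instance is down,
# and leave a line in syslog so the restart itself is auditable.
watchdog() {
    status=$($STATUS_CMD 2>&1 || true)
    if openvpn_needs_restart "$status"; then
        logger -t openvpn-watchdog "openvpn not running; restarting"
        $RESTART_CMD
    fi
}

# Only touch the service when invoked as "script.sh run"; otherwise the file
# just defines the functions (so they can be sourced and tested).
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Installed as `*/5 * * * * /path/to/watchdog.sh run` in root's crontab it does what the original checker does, and `triage_log "$(grep 'openvpn\[' /var/log/syslog)"` gives a quick read of why the last restart happened.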

Re: A little unorthodox, but it seems to work fine

Posted: Mon Apr 28, 2014 6:20 am
by maikcat
just my 2 cents here....

port 443 IS a privileged port and the daemon MUST start as root if you want to bind to this port
and drop privs later; google it and you will find various posts like ... -1024-on-l ... privileged

start openvpn as ROOT but still include your newly created user/group inside the openvpn config.
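As an added example (not maikcat's code and not part of OpenVPN), here is a small pre-deployment check for exactly the combination maikcat is pointing at: a listening port below 1024 together with a `user`/`group` privilege drop means the daemon has to be launched as root and will log the "Socket bind failed: Permission denied" seen in buzz89's syslog if it is started unprivileged. It also flags a missing `persist-key`/`persist-tun`, which the OpenVPN manual describes as the options that let a daemon that has dropped root survive SIGUSR1 restarts without re-reading protected key files. The directive names are real OpenVPN options; the config text is a constructed stand-in for the server.conf in the first post, with placeholder paths.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config for privileged-port plus
# privilege-drop. Not from the thread's authors; config content is constructed.

# Constructed stand-in for buzz89's server.conf (paths are placeholders).
SAMPLE_CONF='dev tap0
proto tcp-server
lport 443
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh.pem
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
user openvpn
group openvpn
cipher AES-256-CBC'

# The same file with the two persist directives added. The port finding
# remains: that one is answered by launching as root and letting
# "user"/"group" drop privileges afterwards, as maikcat says.
FIXED_CONF="$SAMPLE_CONF
persist-key
persist-tun"

# Print the value of the first occurrence of a directive, or nothing.
# Comment lines (# or ;) never match because their first field differs.
conf_get() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Exit 0 if a (possibly valueless) directive such as persist-key is present.
conf_has() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { f = 1 } END { exit f ? 0 : 1 }'
}

# Effective listening port: "lport", else "port", else OpenVPN's default 1194.
listen_port() {
    p=$(conf_get lport "$1")
    [ -n "$p" ] || p=$(conf_get port "$1")
    [ -n "$p" ] || p=1194
    echo "$p"
}

# Verdict: "ok" or a comma-separated list of findings.
#   needs-root-start:PORT  privileged port with a user drop; start as root
#   no-persist-key         restarts after the drop cannot re-read key files
#   no-persist-tun         restarts after the drop cannot reopen the tun/tap device
audit_conf() {
    port=$(listen_port "$1")
    run_as=$(conf_get user "$1")
    findings=""
    if [ -n "$run_as" ] && [ "$port" -lt 1024 ]; then
        findings="needs-root-start:$port"
    fi
    if [ -n "$run_as" ] && ! conf_has persist-key "$1"; then
        findings="${findings:+$findings,}no-persist-key"
    fi
    if [ -n "$run_as" ] && ! conf_has persist-tun "$1"; then
        findings="${findings:+$findings,}no-persist-tun"
    fi
    echo "${findings:-ok}"
}

# Stand-alone use: audit a config file given on the command line.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_conf "$(cat "$1")"
fi
```

Run as `./audit.sh /etc/openvpn/server.conf`; the original config yields `needs-root-start:443,no-persist-key,no-persist-tun`, and after adding the persist directives only the port finding is left, which is the one the init script has to handle by starting the daemon as root.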