roast my config

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

roast my config

Post by antioch » Sat May 21, 2022 11:09 pm

Objectives:
  1. reach VPN clients located behind firewalls I don't control
  2. reach devices on my home network, whose WAN connection forwards no externally initiated traffic
  3. prevent authorized VPN clients belonging to one entity from reaching another's
I had previously accomplished numbers one and two, but now need to adjust for number three by disabling client-to-client and putting each entity's VPN clients into that entity's own subnet, so that I can then restrict access among them.

Environment:
  • Ubuntu 20.04 server
  • Virtualmin standard LAMP stack, OpenVPN server 2.5.6
I'm leaving the VPN server on its lonesome at 172.16.0.254 and doling out the remaining /24s to each entity, starting with myself at 172.16.1.0. client1 and client2 are my devices, with the former being attached to a LAN at 10.0.0.254. client3 belongs to another entity.

openvpn-server.conf

port 1194
proto udp4
dev tun0
ca ca.crt
cert server.crt
key server.key
dh none
topology subnet
#server 172.16.0.0 255.255.0.0
mode server
tls-server
push "topology subnet"
ifconfig 172.16.0.254 255.255.0.0
#ifconfig-pool 172.16.0.1 172.16.0.253 255.255.0.0
push "route-gateway 172.16.0.254"
route 10.0.0.0 255.255.255.0 172.16.0.254
#push "route 10.0.0.0 255.255.255.0"
client-config-dir ccd
#client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
max-clients 64
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth SHA256

ccd/client1

ifconfig-push 172.16.1.1 255.255.0.0
iroute 10.0.0.0 255.255.255.0

ccd/client2

ifconfig-push 172.16.1.2 255.255.0.0
push "route 10.0.0.0 255.255.255.0"

ccd/client3

ifconfig-push 172.16.2.1 255.255.0.0

openvpn-client.ovpn

client
dev tun
proto udp4
remote 192.168.1.100 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert clientX.crt
key clientX.key
remote-cert-tls server
tls-crypt ta.key
cipher AES-256-GCM
verb 3
auth SHA256
auth-nocache

Meanwhile, back on the server, to enable IP forwarding...

# sed -i s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/ /etc/sysctl.conf && sysctl -p

Then, because Virtualmin switches Ubuntu's active firewall front end to firewalld...

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 10 -i tun0 -s 172.16.1.0/24 -j ACCEPT
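
As an added example (not code from the thread or from OpenVPN), here is a small Python script that turns the subnet-per-entity plan above into something you can check and enforce: it parses the three ccd files (bodies constructed from the ones shown), flags addresses that collide, fall outside an entity's /24 or iroute a LAN the entity does not own, emits the firewalld direct rules for the kernel FORWARD chain, and simulates new flows against those rules. The entity names "me" and "other", the per-entity "reach" lists, and the decision to constrain the destination (-d) as well as the source in each rule are assumptions that go beyond the single rule in the post, which accepts anything from 172.16.1.0/24.

```python
"""Plan per-entity subnets for an OpenVPN server with client-to-client
disabled, check the ccd files against that plan, and emit the firewalld
direct rules that enforce it in the kernel FORWARD chain.

Added example for this thread, not code from the original post.  The ccd
bodies are constructed from the three files the post shows; the entity
names "me"/"other" and the "reach" lists are assumptions.
"""
import ipaddress

# Constructed from the thread: ccd/client1, ccd/client2, ccd/client3.
CCD = {
    "client1": "ifconfig-push 172.16.1.1 255.255.0.0\niroute 10.0.0.0 255.255.255.0\n",
    "client2": 'ifconfig-push 172.16.1.2 255.255.0.0\npush "route 10.0.0.0 255.255.255.0"\n',
    "client3": "ifconfig-push 172.16.2.1 255.255.0.0\n",
}

# Assumed plan: the server keeps 172.16.0.0/24 and each entity owns one /24.
# "reach" = destinations the entity may be forwarded to (its own /24 is always
# included); "lans" = networks a client of that entity may advertise via iroute.
ENTITIES = {
    "me":    {"net": "172.16.1.0/24", "reach": ["172.16.0.0/16", "10.0.0.0/24"], "lans": ["10.0.0.0/24"]},
    "other": {"net": "172.16.2.0/24", "reach": [], "lans": []},
}
SERVER_NET = ipaddress.ip_network("172.16.0.0/24")


def parse_ccd(body):
    """Return (pushed address, netmask, [iroute networks]) from a ccd file body."""
    addr = mask = None
    iroutes = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ifconfig-push" and len(parts) >= 3:
            addr, mask = parts[1], parts[2]
        elif parts[0] == "iroute" and len(parts) >= 3:
            iroutes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return addr, mask, iroutes


def entity_of(addr):
    """Name of the entity whose /24 contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, ent in ENTITIES.items():
        if ip in ipaddress.ip_network(ent["net"]):
            return name
    return None


def check_ccd(ccd=CCD):
    """List the ccd mistakes that would silently undermine the isolation plan."""
    problems, seen = [], {}
    for client, body in sorted(ccd.items()):
        addr, mask, iroutes = parse_ccd(body)
        if addr is None:
            problems.append(f"{client}: no ifconfig-push")
            continue
        if ipaddress.ip_address(addr) in SERVER_NET:
            problems.append(f"{client}: {addr} is inside the server's reserved /24")
        ent = entity_of(addr)
        if ent is None:
            problems.append(f"{client}: {addr} is outside every entity subnet")
        if addr in seen:
            problems.append(f"{client}: {addr} already pushed to {seen[addr]}")
        seen[addr] = client
        for net in iroutes:  # an iroute lets this client source a whole LAN
            if ent is None or str(net) not in ENTITIES[ent]["lans"]:
                problems.append(f"{client}: iroute {net} is not a LAN of entity {ent}")
    return problems


def forward_policy():
    """Ordered (priority, src, dst, action) tuples for the FORWARD chain."""
    rules = [(0, "0.0.0.0/0", "0.0.0.0/0", "ESTABLISHED")]  # replies, any interface
    for ent in ENTITIES.values():
        dsts = [ent["net"]] + [r for r in ent["reach"] if r != ent["net"]]
        for dst in dsts:
            rules.append((10, ent["net"], dst, "ACCEPT"))
    rules.append((20, "0.0.0.0/0", "0.0.0.0/0", "REJECT"))  # everything else from tun0
    return rules


def firewalld_commands(policy=None):
    """Render the policy as firewalld direct rules (iptables argument syntax)."""
    cmds = []
    for prio, src, dst, action in policy or forward_policy():
        base = f"firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD {prio}"
        if action == "ESTABLISHED":
            cmds.append(f"{base} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        else:
            cmds.append(f"{base} -i tun0 -s {src} -d {dst} -j {action}")
    return cmds


def forwarded(src, dst, policy=None):
    """Simulate a NEW flow entering on tun0: first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, rsrc, rdst, action in sorted(policy or forward_policy(), key=lambda r: r[0]):
        if action == "ESTABLISHED":
            continue  # a new flow has no conntrack entry yet
        if s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst):
            return action == "ACCEPT"
    return False


if __name__ == "__main__":
    for p in check_ccd():
        print("ccd problem:", p)
    for c in firewalld_commands():
        print(c)
    for src, dst in [("172.16.1.1", "10.0.0.10"), ("172.16.2.1", "172.16.1.1"), ("172.16.2.1", "10.0.0.10")]:
        print(src, "->", dst, "forwarded" if forwarded(src, dst) else "blocked")
```

The simulation only models source/destination matching on new flows; it says nothing about INPUT (clients can still reach the server itself at 172.16.0.254) or about packets a client sources from its iroute'd LAN, which land in the REJECT rule unless that LAN is added to an entity's "net"/"reach". Rules added with --permanent take effect after firewall-cmd --reload.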

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

Re: roast my config

Post by antioch » Tue May 24, 2022 4:40 pm

crickets?

*minimum post length spam*

TinCanTech
Forum Team
Posts: 10816
Joined: Fri Jun 03, 2016 1:17 pm

Re: roast my config

Post by TinCanTech » Tue May 24, 2022 4:56 pm

What do you expect ?

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

Re: roast my config

Post by antioch » Fri May 27, 2022 4:07 pm

Expect? Nothing, I'm GPL. Though I had hoped for some constructive replies.

TinCanTech
Forum Team
Posts: 10816
Joined: Fri Jun 03, 2016 1:17 pm

Re: roast my config

Post by TinCanTech » Fri May 27, 2022 4:27 pm

You don't need --auth sha256

For clarity, try --verb 4

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

Re: roast my config

Post by antioch » Sat May 28, 2022 10:57 pm

Got ya!

Spent a Saturday RTFMing and hardening. Gotta tackle an MTU issue so my mobile clients can digest opt-verify, but this otherwise suits my most legacy system. Gotta bum someone's modern crapple device at some point because that would be nice too I guess. :-/

This look solid?

openvpn-server.conf

dev tun0

ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt ta.key
crl-verify crl.pem

topology subnet
client-config-dir ccd
ccd-exclusive
keepalive 10 120
max-clients 64
opt-verify
explicit-exit-notify 1
persist-key
persist-tun
user nobody
group nogroup

mode server
tls-server
push "topology subnet"
ifconfig 172.16.0.254 255.255.0.0
push "route-gateway 172.16.0.254"
route 10.0.0.0 255.255.255.0 172.16.0.254
cipher AES-256-GCM              # FOR 2.4 AND EARLIER CLIENTS
data-ciphers AES-256-GCM
tls-version-min "1.3"
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ecdh-curve secp384r1
tls-cert-profile preferred
remote-cert-tls client

status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3

300000
OpenVPN Expert
Posts: 664
Joined: Tue May 01, 2012 9:30 pm

Re: roast my config

Post by 300000 » Sun May 29, 2022 9:35 am

I had previously accomplished numbers one and two, but now need to adjust for number three by disabling client-to-client and putting each entity's VPN clients into that entity's own subnet, so that I can then restrict access among them.

If you need each client to have its own subnet, you need to create a full CA, then create an individual certificate for each client. After that, use client-config directives in the CCD so every client gets what you want.

To make it more secure you should use the firewall. You can block individual clients using firewall rules.

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

Re: roast my config

Post by antioch » Sun May 29, 2022 4:20 pm

300000 wrote:
Sun May 29, 2022 9:35 am
If you need each client to have its own subnet, you need to create a full CA, then create an individual certificate for each client. After that, use client-config directives in the CCD so every client gets what you want.

To make it more secure you should use the firewall. You can block individual clients using firewall rules.

The CA was previously established and resides offline on a full-disk-encrypted flash drive install of Ubuntu Server 20.04.

The rest of what you state was detailed in my initial post. It seems clients were blocked from each other by default in the firewall, hence the line allowing my specific subnet through to the others.

My last post was a hardened version of the same config.

Did you see an oversight somewhere along the way?
