A VPN requires a client and server. The “client” is the remote device (BATM, computer, cell phone) that connects to the “server”. The server runs on your CAS installation. This configuration is divided into 2 parts: 1) the server configuration and 2) the client configuration. The server-side is done first, and the resulting OVPN files (from the server setup) are then sent to your “clients”.
Quick jump:
Server Setup
Install the required software.
sudo apt install easy-rsa openvpn openssl
Generate a OVPN file for CAS users.
/batm/batm-manage vpn-user-generate [USER] [EMAIL]
USER - the client name used for naming configurations and interfaces.
Do not use spaces.
The length is limited to 8 letters, and each one needs to be different.
You may create up to 50 clients; each must have a unique user name.
Each CAS user should use their own client access, and only one, single connection may be used per OVPN file (i.e. you cannot connect 2 devices simultaneously).
EMAIL: the user’s email address.
Request a simple password from the user (or agree on a password in advance).
you will be asked to enter that password during this process.
Generated client configuration files are typically located in this folder: /batm/vpngen/cli-adminusers
The file is named: vpnU[user].ovpn
Do not send a password with the OVPN file using the same method!
Usage:
sudo /batm/batm-manage vpn-user-generate jdoe john.doe@yourdomain.com
Generates: /batm/vpngen/cli-adminusers/vpnUjdoe.ovpn
Download the file to your local machine (your laptop or desktop) via SCP or a SFTP client (e.g. FileZilla).
Scroll to this section (below) for instructions: SCP Instructions
Then send that file to John Doe using email.
THE FILE IS NOT AUTOMATICALLY SENT!
YOU MUST SEND THE FILE MANUALLY USING A METHOD DESCRIBED BELOW.
John Doe will use the agreed upon password to use the file.
Destroy/Revoke VPN access for a CAS user:
The server controls who is permitted access. If a client’s access is no longer required, then you should delete his/her credentials. Don’t reuse credentials. Destroy any possibly compromised credentials. Create new credentials whenever in doubt.
sudo /batm/batm-manage vpn-user-revoke [USER]
will stop, disable and destroy VPN access for
[USER]
e.g.
sudo /batm/batm-manage vpn-user-revoke jdoe
Configure your Firewall:
You really should be using a firewall.
Open the ports for VPN clients between 12000/tcp and up to 120xx/tcp .
xx is number of clients
12000-12050 would enable 50 clients to get through.
Interface
tunU+
means any interface starting with tunU (all user vpns).Allow only CAS port (default: 7777/tcp) from tunU+ interface.
Disable routing between vpns and to other server services.
See Most secure: use the integrated admin VPN
OpenVPN Client
Your CAS host runs an OpenVPN server. You connect to that server from a client. Every major OS (Windows, Linux, Mac, Android) supports a native OpenVPN client.
The OpenVPN settings required to connect to the server are contained in an OVPN file. That file is manually sent to each user, as explained above: Generate a OVPN file for CAS users
This section explains how to use the OVPN file once it is received.
Only one client/OVPN file may be created for each CAS user.
You may use the same OVPN file on multiple devices,
as long as there is only one active connection per device.
e.g you may use the same OVPN on your phone and laptop, but
you cannot use your phone and laptop at the same time.
See: https://openvpn.net/vpn-client/
Linux:
sudo apt install openvpn
Windows: official https://openvpn.net/community-downloads/
Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn
Apple: Use official OpenVPN Connect – OpenVPN App from OpenVPN Technologies
Import the client configuration file (the OVPN file) after installation.
Request the OVPN file from your CAS system administrator.
Save the received file (via email or whatever means it was sent) locally & where you can find it.
Import it using the OpenVPN client you just installed.
Connect the VPN.
Linux: import to Network Connections (Network Manager), or start it from the console:
sudo openvpn --config vpnUsatoshi.ovpn
Replace
vpnUsatoshi.ovpn
with the actual filename (and path) of your OVPN file.Also see below: Linux Network Manager Client
Everything else: activate it (turn it on) using the GUI OpenVPN client.
OpenVPN User Guide: https://openvpn.net/connect-docs/user-guide.html
Navigate to CAS in your browser,
typically:
https://10.3.2.2:7777
If you’ve customized your
admin_bind_ip=
setting, then use that instead:e.g.
https://[admin_bind_ip]:port
Replace
[admin_bind_ip]
with your actualadmin_bind_ip=
IP address.
Whenever possible, update your browsers for any critical security upgrades.
Linux Network Manager Client
The Linux Network Manager requires special configuration to use local DNS lookups. If you use Linux and find you cannot browse the Internet after connecting, modify this setting.
Enable the option “Use this connection only for resources on its network”
Navigate to: IPv4 Settings
Click “Routes”:
Enable: “Use this connection only for resources on its network”
Click OK.
Troubleshooting
Linux
Inspect the syslog at: /var/log/syslog
(on both client and server) to identify failures.
Network Manager issues:
ERROR: tls-crypt unwrap error: packet authentication failed
In some Linux distributions, you may find that Network Manager (the Linux connection GUI control) fails to import the tls-crypt.key properly. To overcome this:
Open the OVPN file with a Linux text editor.
Copy the text located between
<tls-crypt>
and</tls-crypt>
and paste it into a new file.do not include the
<tls-crypt>
and</tls-crypt>
in the new file.
Save the new file as tls-crypt.key in a secure local directory.
A common secure folder is found within
~/.local/share/networkmanagement/certificates/
The folder will vary from one machine to another.
Update the VPN settings from within Network Manager to use this key.
Edit the VPN configuration,
navigate to Advanced → TLS Settings and change:
Mode: TLS-crypt
Key File: should point to the new file you created.
Save the settings and test - you should now get past the tls-crypt unwrap error
Example tls-crypt contents:
Windows
OpenVPN cannot connect: “Unsupported Options”:
Delete the current Windows OpenVPN client profile,
edit the (text file) profile, and comment out the offending option (use a hashtag “#” to do this),
e.g. change “
route-delay 4
" to: “# route-delay 4
"
save the file,
import the file again (via Windows OpenVPN Connect), and test it.
SCP Instructions
Secure File Copy (SCP) is one of many ways to securely transfer a file between 2 computers.
SCP is a commonly used Linux tool. If you feel out of your comfort zone, please hire a professional to assist you. GENERAL BYTES is not a Linux support agent, and this topic is well outside the scope of GENERAL BYTES Support.
First, navigate to the desired target directory on your receiving (target) client computer.
cd /home/example/Documents
in the example below, we’ll use “.” (a period) to tell SCP to put it in the same directory that we’re currently in (
/home/example/Documents
).
Next - determine the location and filename of the source file (the OVPN file) on your CAS server:
The default directory is currently:
/batm/vpngen/cli-adminusers/
The filename is formatted as:
vpnU[user].ovpn
The location + filename for user “jdoe” would thus be:
/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn
The CAS server IP is prefixed to the filename, so using an example IP of 10.11.12.13:
10.11.12.13//batm/vpngen/cli-adminusers/vpnUjdoe.ovpn
We must specify the username of the system. If the username is “root”, then we add it like so:
root@10.11.12.13/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn
The format of the SCP command is: scp source target
the source is:
root@10.11.12.13/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn
the target is:
.
Finally, using the above examples, this command would copy the OVPN source file to the current directory:
scp root@10.11.12.13:/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn ./
this example assumed password authentication is enabled.
WE URGE YOU TO AVOID USING PASSWORDS FOR SSH.
Implementing public keys are recommended and well-documented on the Internet:
You may be asked to confirm the “authenticity of host”. If this is the first time you’ve connected to that server, then do so.
Modified (if you have heeded our warnings and implemented public key SSH access):
using a private key located at:
/home/client/.ssh/scp-demo
using user “server” instead of “root”.
scp -i /home/client/.ssh/scp-demo server@10.11.12.13:/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn .
NOTE: the “server” user in this example MUST have sufficient privileges to access the OVPN file on the CAS server. Unprivileged users may not be able to read the file (to copy the file).
Typical Problems:
Permission denied: the key you’ve provided is invalid (or missing, or has the wrong ownership, or wrong permissions), or the specified non-root user does not have read access to the the source file.
Connection refused: the server SSH is being served on an atypical port. Add “-P xxxx” to the beginning of the command line to specify the port (where “xxxx” is the port number in use).