Admin OpenVPN (using batm-manage)

A VPN requires a client and server. The “client” is the remote device (BATM, computer, or cell phone) that connects to the “server”. The OpenVPN server runs on the same server as your CAS installation.

This configuration is divided into two parts: 1) the server configuration and 2) the client configuration. The server-side is completed first, and the resulting OVPN files (from the server setup) are then sent to your “clients”: the users that will want to connect to the CAS GUI/server/front end.

Quick jump:

OpenVPN Server

Your CAS host runs an OpenVPN server. Other devices (clients) may then connect to your server to enjoy secure, protected access to CAS. This section described the first step: installing and configuring the server.

Install the required software.

Generate a OVPN file for CAS users.

USER - the client name used for naming configurations and interfaces.

• Do not use spaces.

• The length is limited to 8 letters, and each one needs to be different.

• You may create up to 50 clients; each must have a unique user name.

• Each CAS user should use their own client access, and only one, single connection may be used per OVPN file (i.e. you cannot connect 2 devices simultaneously).

EMAIL: the user’s email address.

• the OVPN file will NOT automatically be sent to the user via email! It must be done manually.

Request a simple password from the user (or agree on a password in advance).

• you will be asked to enter that password during this process.

Example: sudo /batm/batm-manage vpn-user-generate jdoe john.doe@yourdomain.com

• Generates this file: /batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• Download that file from there to your laptop or desktop via SCP or a SFTP client (e.g. FileZilla).

  • Scroll to this section (below) for instructions: SCP Instructions

• Then manually send that file to John Doe using email.

• John Doe will use the agreed upon password to use the file.

THE FILE IS NOT AUTOMATICALLY SENT IN THIS STEP!

YOU MUST SEND THE FILE MANUALLY USING A METHOD DESCRIBED BELOW.

Destroy/Revoke VPN access for a CAS user:

The server controls who is permitted access. If a client’s access is no longer required, then you should delete his/her credentials. Don’t reuse credentials. Destroy any possibly compromised credentials. Create new credentials whenever in doubt.

• will stop, disable and destroy VPN access for [USER]

• e.g. sudo /batm/batm-manage vpn-user-revoke jdoe

Configure your Firewall:

You really should be using a firewall.

Open the ports for VPN clients between 12000/tcp and up to 120xx/tcp .

• xx is number of clients

• 12000-12050 would enable 50 clients to get through.

• Interface tunU+ means any interface starting with tunU (all user vpns).

• Allow only CAS port (default: 7777/tcp) from tunU+ interface.

Disable routing between vpns and to other server services.

Refer to Configuring Server Firewalls | 4.3. Most secure option

• See Most secure: use the integrated admin VPN

OpenVPN Client

Your CAS host runs an OpenVPN server. You connect to that server from a client. Every major OS (Windows, Linux, Mac, Android) supports a native OpenVPN client. This section described the second phase of OpenVPN setup: installing and configuring the client.

The OpenVPN settings required to connect to the server are contained in an OVPN file. That file is manually sent to each user, as explained above: Generate a OVPN file for CAS users

This section explains how to use the OVPN file once it is received.

• Only one client/OVPN file may be created for each CAS user.

• You may use the same OVPN file on multiple devices,

• as long as there is only one active connection, only one device connected.

  • e.g you may use the same OVPN on your phone and laptop, but

  • you cannot connect your phone and laptop at the same time.

See: OpenVPN Connect - VPN For Your Operating System | OpenVPN

• Linux: sudo apt install openvpn

• Windows: official https://openvpn.net/community-downloads/

• Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn

• Apple: Use official OpenVPN Connect – OpenVPN App from OpenVPN Technologies

Import the client configuration file (the OVPN file) after installation.

1. Request the OVPN file from your CAS system administrator.

2. Save the received file (via email or whatever means it was sent) locally & where you can find it.

3. Import it using the OpenVPN client you just installed.

Connect the VPN.

• Linux: import to Network Connections (Network Manager), or start it from the console:

  • sudo openvpn --config vpnUsatoshi.ovpn

  • Replace vpnUsatoshi.ovpn with the actual filename (and path) of your OVPN file.

  • Also see below: Linux Network Manager Client

• Everything else: activate it (turn it on) using the GUI OpenVPN client.

  • OpenVPN User Guide: https://openvpn.net/connect-docs/user-guide.html

Navigate to CAS in your browser,

• typically: https://10.3.2.2:7777

  • If you’ve customized your admin_bind_ip= setting, then use that instead:

    • e.g. https://[admin_bind_ip]:port

      • Replace [admin_bind_ip] with your actual admin_bind_ip=IP address.

• Whenever possible, update your browsers for any critical security upgrades.

Linux Network Manager Client

The Linux Network Manager requires special configuration to use local DNS lookups. If you use Linux and find you cannot browse the Internet after connecting, modify this setting.

• Enable the option “Use this connection only for resources on its network”

Navigate to: IPv4 Settings

Open

Click “Routes”:

Open

Enable: “Use this connection only for resources on its network”

• Click OK.

Troubleshooting

Linux

Inspect the syslog at: /var/log/syslog (on both client and server) to identify failures.

Network Manager issues:

ERROR: tls-crypt unwrap error: packet authentication failed

In some Linux distributions, you may find that Network Manager (the Linux connection GUI control) fails to import the tls-crypt.key properly. To overcome this:

1. Open the OVPN file with a Linux text editor.

2. Copy the text located between <tls-crypt> and </tls-crypt> and paste it into a new file.

   1. do not include the <tls-crypt> and </tls-crypt> in the new file.

3. Save the new file as tls-crypt.key in a secure local directory.

   1. A common secure folder is found within ~/.local/share/networkmanagement/certificates/

   2. The folder will vary from one machine to another.

4. Update the VPN settings from within Network Manager to use this key.

   1. Edit the VPN configuration,

   2. navigate to Advanced → TLS Settings and change:

      1. Mode: TLS-crypt

      2. Key File: should point to the new file you created.

Save the settings and test - you should now get past the tls-crypt unwrap error

Example tls-crypt contents:

Windows

OpenVPN cannot connect: “Unsupported Options”:

1. Delete the current Windows OpenVPN client profile,

2. edit the (text file) profile, and comment out the offending option (use a hashtag “#” to do this),

   1. e.g. change “route-delay 4" to: “# route-delay 4"

3. save the file,

4. import the file again (via Windows OpenVPN Connect), and test it.

SCP Instructions

Secure File Copy (SCP) is one of many ways to securely transfer a file between 2 computers.

SCP is a commonly used Linux tool. If you feel out of your comfort zone, please hire a professional to assist you. GENERAL BYTES is not a Linux support agent, and this topic is well outside the scope of GENERAL BYTES Support.

First, navigate to the desired target directory on your receiving (target) client computer.

• in the example below, we’ll use “.” (a period) to tell SCP to put it in the same directory that we’re currently in (/home/example/Documents).

Next - determine the location and filename of the source file (the OVPN file) on your CAS server:

• The default directory is currently: /batm/vpngen/cli-adminusers/

• The filename is formatted as: vpnU[user].ovpn

• The location + filename for user “jdoe” would thus be: /batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• The CAS server IP is prefixed to the filename, so using an example IP of 10.11.12.13:

  • 10.11.12.13//batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• We must specify the username of the system. If the username is “root”, then we add it like so:

  • root@10.11.12.13/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

The format of the SCP command is: scp source target

• the source is: root@10.11.12.13/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• the target is: . (a period represents “here”: the current directory).

Finally, using the above examples, this command would copy the OVPN source file to the current directory:

• this example assumes password authentication is currently enabled (default configuration).

• Afterwards: AVOID USING PASSWORDS FOR SSH. Convert to Public Key Authentication as soon as practical, and disable password-based SSH logins from that point forward.

  • Password-based logins can be very insecure.

  • Public Key Authentication is secure and well-documented:

    • https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

    • https://www.ssh.com/academy/ssh/keygen

• You may be asked to confirm the “authenticity of host”. If this is the first time you’ve connected to that server, then do confirm it. You should not encounter that obstacle again for that server (unless the server has been rebuilt or compromised). It is a security checkpoint.

Modified (if you have heeded our warnings and implemented public key SSH access):

• using a private key located at: /home/client/.ssh/scp-demo

• using user “server” instead of “root”.

• NOTE: the “server” user in this example MUST have sufficient privileges to access the OVPN file on the CAS server. Unprivileged users may not be able to read the file (to copy the file).

Typical Problems:

Permission denied: the key you’ve provided is invalid (or missing, or has the wrong ownership, or wrong permissions), or the specified non-root user does not have read access to the the source file.

Connection refused: the server SSH is being served on an atypical port. Add “-P xxxx” to the beginning of the command line to specify the port (where “xxxx” is the port number in use).