Admin OpenVPN (using batm-manage)

This article presumes that the CAS admin modification has already been completed:

• See: https://generalbytes.atlassian.net/l/cp/ea6cCkPm

A VPN requires a client and server. The “client” is the remote device (BATM, computer, cell phone) that connects to the “server”. The server runs on your CAS installation. This configuration is divided into 2 parts: 1) the server configuration and 2) the client configuration. The server-side is done first, and the resulting OVPN files (from the server setup) are then sent to your “clients”.

Server Setup

Install the required software.

Generate a OVPN file for CAS users.

/batm/batm-manage vpn-user-generate [USER] [EMAIL]

USER - the client name used for naming configurations and interfaces.

• Do not use spaces.

• The length is limited to 8 letters, and each one needs to be different.

• You may create up to 50 clients; each must have a unique user name.

• Each CAS user should use their own client access, and only one, single connection may be used per OVPN file (i.e. you cannot connect 2 devices simultaneously).

EMAIL: the user’s email address.

• Request a simple password from the user (or agree on a password in advance).

• you will be asked to enter that password during this process.

Usage:

sudo /batm/batm-manage vpn-user-generate jdoe john.doe@yourdomain.com

Generates: /batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• Download the file to your local machine (your laptop or desktop) via SCP or a SFTP client (e.g. FileZilla).

  • Scroll to this section (below) for instructions: SCP Instructions

• Then send that file to John Doe using email.

• John Doe will use the agreed upon password to use the file.

Destroy/Revoke VPN access for a CAS user:

The server controls who is permitted access. If a client’s access is no longer required, then you should delete his/her credentials. Don’t reuse credentials. Destroy any possibly compromised credentials. Create new credentials whenever in doubt.

• will stop, disable and destroy VPN access for [USER]

Configure your Firewall:

You really should be using a firewall.

Open the ports for VPN clients between 12000/tcp and up to 120xx/tcp .

• xx is number of clients

• 12000-12050 would enable 50 clients to get through.

• Interface tunU+ means any interface starting with tunU (all user vpns).

• Allow only CAS port (default: 7777/tcp) from tunU+ interface.

Disable routing between vpns and to other server services.

Refer to https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/954728558/Configuring+Server+Firewalls#4.3.-Most-secure-option

• See Most secure: use the integrated admin VPN

Install OpenVPN on your client(s).

You may use the same client on multiple devices (but only one active connection per device) - and use only ONE client per user.

• e.g you may use the same OVPN on your phone and laptop, but

• you cannot use your phone and laptop at the same time.

See: https://openvpn.net/vpn-client/

• Linux: sudo apt install openvpn

• Windows: official https://openvpn.net/community-downloads/

• Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn

• Apple: Use official OpenVPN Connect – OpenVPN App from OpenVPN Technologies

Import the client configuration file (the OVPN file) after installation.

1. You received the file via email, now save it somewhere you can find it.

2. Import it using the OpenVPN client you just installed.

Connect the VPN.

• Linux: import to Network Connections (Network Manager), or start it from the console:

  • sudo openvpn --config vpnU[user].ovpn

  • Also see below: Linux Network Manager Client

• Everything else: activate it (turn it on) using the GUI OpenVPN client.

Navigate to CAS in your browser,

• typically: https://10.3.2.2:7777

• if you’ve customized your admin_bind_ip= setting, then use that instead:

  • e.g. https://"new hostname or internal admin_bind_ip":port

• Update your browsers and any SSH clients (as needed) with the utmost of urgency.

Linux Network Manager Client

The Linux Network Manager requires special configuration to use local DNS lookups. If you use Linux and find you cannot browse the Internet after connecting, modify this setting.

• Enable the option “Use this connection only for resources on its network”

Navigate to: IPv4 Settings

Open

Click “Routes”:

Open

Enable: “Use this connection only for resources on its network”

• Click OK.

Troubleshooting

Linux

Inspect the syslog at: /var/log/syslog (on both client and server) to identify failures.

Network Manager issues:

ERROR: tls-crypt unwrap error: packet authentication failed

In some Linux distributions, you may find that Network Manager (the Linux connection GUI control) fails to import the tls-crypt.key properly. To overcome this:

1. Open the OVPN file with a Linux text editor.

2. Copy the text located between <tls-crypt> and </tls-crypt> and paste it into a new file.

   1. do not include the <tls-crypt> and </tls-crypt> in the new file.

3. Save the new file as tls-crypt.key in a secure local directory.

   1. A common secure folder is found within ~/.local/share/networkmanagement/certificates/

   2. The folder will vary from one machine to another.

4. Update the VPN settings from within Network Manager to use this key.

   1. Edit the VPN configuration,

   2. navigate to Advanced → TLS Settings and change:

      1. Mode: TLS-crypt

      2. Key File: should point to the new file you created.

Save the settings and test - you should now get past the tls-crypt unwrap error

Example tls-crypt contents:

Windows

OpenVPN cannot connect: “Unsupported Options”:

1. Delete the current Windows OpenVPN client profile,

2. edit the (text file) profile, and comment out the offending option (use a hashtag “#” to do this),

   1. e.g. change “route-delay 4" to: “# route-delay 4"

3. save the file,

4. import the file again (via Windows OpenVPN Connect), and test it.

SCP Instructions

Secure File Copy (SCP) is one of many ways to securely transfer a file between 2 computers.

SCP is a commonly used Linux tool. If you feel out of your comfort zone, please hire a professional to assist you. GENERAL BYTES is not a Linux support agent, and this topic is well outside the scope of GENERAL BYTES Support.

First, navigate to the desired target directory on your receiving (target) client computer.

• in the example below, we’ll use “.” (a period) to tell SCP to put it in the same directory that we’re currently in (/home/example/Documents).

Next - determine the location and filename of the source file (the OVPN file) on your CAS server:

• The default directory is currently: /batm/vpngen/cli-adminusers/

• The filename is formatted as: vpnU[user].ovpn

• The location + filename for user “jdoe” would thus be: /batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• The CAS server IP is prefixed to the filename, so using an example IP of 10.11.12.13:

  • 10.11.12.13//batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• We must specify the username of the system. If the username is “root”, then we add it like so:

  • root@10.11.12.13/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

The format of the SCP command is: scp source target

• the source is: root@10.11.12.13/batm/vpngen/cli-adminusers/vpnUjdoe.ovpn

• the target is: .

Finally, using the above examples, this command would copy the OVPN source file to the current directory:

• this example assumed password authentication is enabled.

• WE URGE YOU TO AVOID USING PASSWORDS FOR SSH.

  • Implementing public keys are recommended and well-documented on the Internet:

    • https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

    • https://www.ssh.com/academy/ssh/keygen

• You may be asked to confirm the “authenticity of host”. If this is the first time you’ve connected to that server, then do so.

Modified (if you have heeded our warnings and implemented public key SSH access):

• using a private key located at: /home/client/.ssh/scp-demo

• using user “server” instead of “root”.

• NOTE: the “server” user in this example MUST have sufficient privileges to access the OVPN file on the CAS server. Unprivileged users may not be able to read the file (to copy the file).

Typical Problems:

Permission denied: the key you’ve provided is invalid (or missing, or has the wrong ownership, or wrong permissions), or the specified non-root user does not have read access to the the source file.

Connection refused: the server SSH is being served on an atypical port. Add “-P xxxx” to the beginning of the command line to specify the port (where “xxxx” is the port number in use).