November 25, 2016 — 21:31

Author: silver  Category: encryption linux  Comments: Off

OpenVPN Access Server is quite easy and fast to setup and includes a web gui.

Download:

• Server:
  • All OpenVPN Access Server downloads come with 2 free client connections for testing purposes. 
  • https://openvpn.net/index.php/access-server/download-openvpn-as-sw/
• Client:
  • Download “OpenVPN-Connect” from Server
  • For Windows there’s also “OpenVPN-GUI” which comes included with the Installer:
    • https://openvpn.net/index.php/open-source/downloads.html 
    • https://build.openvpn.net/downloads/snapshots/openvpn-install-master-xxx-x86_64.exe (supports newer functions like OTP)

Configuration:

Clickety click in the gui, plus some hardening:

Server:

auth SHA512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-version-min 1.0

Client:

auth SHA512
cipher AES-256-CBC

Connect with SSH + SOCKS Proxy + OTP:

$ ssh -D 1 to remote host

$ sudo sh -c 'trap : INT; openvpn --socks-proxy localhost 1080 --config /etc/openvpn/keys/server/client.ovpn \
   --route 10.0.0.0 255.0.0.0 net_gateway 0 --script-security 2 --up-restart --persist-key --persist-tun \
   --up /etc/openvpn/update-resolv-conf --auth-nocache --auth-user-pass --user nm-openvpn --group nm-openvpn \
   --chroot /var/lib/openvpn/chroot; \
   set -x; for i in 127.0.0.1/32 10.0.0.0/8; do ip route del $i; done; /sbin/resolvconf -d tun0.openvpn'

Ban user:

Ban a user from logging into the VPN or Web server
(doesn’t affect a user who is already logged in — for this, use DisconnectUser below):

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

/usr/local/openvpn_as/scripts/sacli --user <USER> --key prop_deny --value false UserPropPut

Disconnect a user:

/usr/local/openvpn_as/scripts//sacli --user <USER> --key prop_deny --value true UserPropPut

Set client cert keysize:

/usr/local/openvpn_as/scripts/sa --keysize=4096 Init

Generating init scripts:

/usr/local/openvpn_as/scripts/openvpnas_gen_init [--auto]

Google Authenticator:

Unlock a secret:

./sacli -u <USER> --lock 0 GoogleAuthLock

Lock a secret:

./sacli -u <USER> --lock 1 GoogleAuthLock

Generate a new, unlocked secret:

./sacli -u <USER> --lock 0 GoogleAuthRegen

Generate a new, locked secret:

./sacli -u <USER> --lock 1 GoogleAuthRegen

Enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut

Enable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

Disable:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut

Disable for 1 user:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut

Revoke and reissue secret:

./sacli -u <USER> GoogleAuthRegen

Retrieve current user properties:

./confdba -us -p

Port sharing:

Advanced VPN Settings: port-share 127.0.0.1 10443
(tcp mode only)