OpenVPN Implementation II - Host-to-site VPN solution - Part 4

3. OpenVPN installation directory, Prep software

7). Enable Kernal IP forwarding

Enabling ip_forward tells your Linux system to do this. For it to be meaningful, you need two network interfaces. When doing routing, security is important and that's where Linux's packet filter, iptables, gets involved. So you will need an iptables configuration consistent with your needs.

Note that enabling forwarding with iptables disabled and/or without taking firewalling and security into account could leave you open to vulnerabilites if one of the NICs is facing the Internet or a subnet you don't have control over.

- Check using sysctl -p to validate the ip_forward setting.

- if net.ipv4.ip_forward = 0, then run sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf to change or you can directly vi /etc/sysctl.conf and change 0 to 1

- Activate the change by sysctl -p

[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
[root@localhost ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
[root@localhost ~]# vi /etc/sysctl.conf
[root@localhost ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1 //now changed to 1

8). Start Openvpn Server

/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

netstat -lntup |grep vpn

lsof -i :11945

[root@localhost openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 41314
[root@localhost openvpn]# netstat -lntup |grep vpn
tcp 0 0 192.168.2.16:1194 0.0.0.0:* LISTEN 41314/openvpn
[root@localhost rpm]# lsof -i :11945
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 1802 root 5u IPv4 13516 0t0 TCP 192.168.2.16:openvpn (LISTEN)

Note after openvpn service started, new interface added in the network config.

[root@localhost openvpn]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:D0:10:3F
...................., .................................
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

9). Stop OpenVPN server

to stop OpenVPN server, you can:

- run ps -ef|grep vpn

- run pkill openvpn

- validate if openvpn session is killed

 

[root@VpnL01 keys]# ps -ef |grep vpn
root 2082 1 0 08:31 ? 00:00:00 /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
root 3013 2878 0 11:37 pts/0 00:00:00 grep vpn
[root@VpnL01 keys]# pkill openvpn
[root@VpnL01 keys]# netstat -nltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1901/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1757/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2026/master
tcp 0 0 :::22 :::* LISTEN 1901/sshd
tcp 0 0 ::1:631 :::* LISTEN 1757/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2026/master
udp 0 0 0.0.0.0:631 0.0.0.0:* 1757/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1765/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 1762/dhclient
[root@VpnL01 keys]# ps -ef |grep vpn
root 3035 2878 0 11:38 pts/0 00:00:00 grep vpn
[root@VpnL01 keys]#

10). Add openvpn run on startup - Method 1 rc.local

echo '#startup OpenVPN service' >> /etc/rc.local

echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >> /etc/rc.local

[root@localhost openvpn]# echo '#startup OpenVPN service' >> /etc/rc.local
[root@localhost openvpn]# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >> /etc/rc.local
[root@localhost openvpn]# tail -2 /etc/rc.local
tail: inotify cannot be used, reverting to polling
#startup OpenVPN service
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

Note: that build-in openvpn startup using:

/usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn

 

11). Add openvpn run on startup - Method 2 Service

For earlier version of openvpn, you can find the openvpn.init file under /sample-scripts/

for example, in OpenVPN 2.2.2 openvpn.init file located under openvpn-2.2.2/sample-scripts/openvpn.init.

For later version,

To install: copy this file to /etc/rc.d/init.d/openvpn chkconfig --add openvpn mkdir /etc/openvpn make .conf or .sh files in /etc/openvpn (see below) to stop service: /etc/rc.d/init.d/openvpn stop to start service: /etc/rc.d/init.d/openvpn start It's important to make sure only one .conf file exist in /etc/openvpn folder.. or it wont start the service.

 

[root@localhost openvpn]# cp /home/admin/tools/openvpn/openvpn-2.3.12/distro/rpm/openvpn.init.d.rhel /etc/rc.d/init.d/openvpn
[root@localhost openvpn]# chkconfig --add openvpn
[root@localhost openvpn]#

 

 

Please publish modules in offcanvas position.