CentOS 7 OpenVPN Server Using FreeIPA For Authentication

OpenVPN is one of the most versatile, reliable, and secure VPN protocols to date. It is regarded as a "de-facto standard in the open source networking space."[1] Combined with the identity management, policies, and auditability of FreeIPA, it provides an easy-to-manage VPN platform that integrates well with an existing corporate network: users authenticate with their directory credentials, group membership controls who may connect, and account lifecycle (disable, expire, password change) is handled in one place.

OpenVPN and FreeIPA are both Free and Open Source Software (FOSS), which means they are maintained by a large community of developers and users. OpenVPN also meets the requirements of most enterprises, as clients exist for Windows, macOS, Linux, UNIX, Android, and iOS.

Let's get started with building an OpenVPN server on CentOS 7 using FreeIPA as the authentication source.

Note: This tutorial assumes that the FreeIPA Identity Management infrastructure is already configured and working.


Step 1) Patch OS and install pre-requisites

In step 1 we make sure the operating system is patched by running yum update -y. We also install the EPEL (Extra Packages for Enterprise Linux) repository, which hosts the openvpn and easy-rsa packages. Lastly we install the FreeIPA ipa-client package and join the host to the existing IPA domain.

Install updates, as well as the EPEL and IPA client packages

Note: Refresh the yum metadata cache with yum makecache fast after installing the EPEL repository so that the openvpn and easy-rsa packages can be found.

$ yum update -y
$ yum install -y epel-release ipa-client
$ yum makecache fast
Install the OpenVPN and easy-rsa packages
$ yum install -y openvpn easy-rsa
Configure the host operating system to use FreeIPA for authentication and identity services. --mkhomedir creates a home directory at first login and --enable-dns-updates registers the host's address in IPA DNS.

Note: This step requires an IPA user account with enough privileges to enroll a host in the IPA domain; ipa-client-install prompts for it.

$ ipa-client-install --mkhomedir --enable-dns-updates

Before moving on, confirm that SSSD on this host can resolve an IPA user and the 'vpn' group used in step 5; if the host cannot see them now, the PAM stack will not see them either.

Step 2) Initialize the PKI and generate certificates

In this step we copy the newly installed easy-rsa files into the OpenVPN directory. Doing so gives the OpenVPN server its own Public Key Infrastructure (PKI), with a local CA that is separate from the system OpenSSL configuration and from the FreeIPA CA, and lets us generate the certificates OpenVPN needs.

Recursively copy the entire 'easy-rsa' directory from /usr/share/easy-rsa/ to /etc/openvpn/
$ cp -r /usr/share/easy-rsa/ /etc/openvpn/
$ ls -lah /etc/openvpn/
total 64K
drwxr-xr-x.  5 root root     176 May 21 12:00 .
drwxr-xr-x. 87 root root    8.0K May 21 11:17 ..
drwxr-x---.  2 root openvpn    6 Feb 20 10:23 client
drwxr-xr-x.  3 root root      39 May 21 11:55 easy-rsa
drwxr-x---.  2 root openvpn    6 Feb 20 10:23 server
Change directory to /etc/openvpn/easy-rsa/3/

Note: I am using version 3.0.3 of easy-rsa.

$ cd /etc/openvpn/easy-rsa/3/
$ ls -lah
total 44K
drwxr-xr-x. 4 root root   73 May 21 10:52 .
drwxr-xr-x. 3 root root   39 May 21 11:55 ..
-rwxr-xr-x. 1 root root  36K May 21 10:51 easyrsa
-rw-r--r--. 1 root root 4.5K May 21 10:51 openssl-1.0.cnf
drwxr-xr-x. 2 root root   69 May 21 10:51 x509-types
Initialize the easy-rsa PKI
$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

Create a new local Certificate Authority (CA)

Take note of the pass phrase used when creating your new CA; it is needed to sign and revoke every certificate in the PKI. The CA private key (pki/private/ca.key) is the root of trust for the whole VPN: anyone holding it and the pass phrase can issue client certificates that the gateway will accept, so guard it accordingly and consider keeping it off the gateway once issuing is done.

$ ./easyrsa build-ca
Generating a 2048 bit RSA private key
.............+++
........................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/ca.key.mCySoOBBWR'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt

Generate the Diffie Hellman (DH) parameters

DH parameters differ from the RSA keys behind the CA, server and client certificates in that they are public, not secret, and are not used for authentication. They are the group parameters (here a 2048-bit safe prime with generator 2) that the server and client use in a Diffie-Hellman exchange to agree on a fresh shared secret for each session, from which the keys that encrypt the tunnel are derived; because the exchange uses ephemeral values, a later compromise of a certificate's private key does not expose past traffic. Generating them is slow because OpenSSL must search for a safe prime, but it only has to be done once.

$ ./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................+............................+....
[progress dots omitted]
...............++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

Generate the server keypair and sign locally with the previously generated CA

Use the Fully Qualified Domain Name (FQDN) that clients will connect to, i.e. the name that resolves to the gateway's public IP address, as the certificate's Common Name, so that connecting OpenVPN clients can verify the X.509 name of the gateway certificate (verify-x509-name in client.ovpn) and reject an impostor that merely holds some certificate from the same CA.

Note: Use the CA pass phrase set previously in this step
Note 2: The nopass argument is passed to build-server-full so that no pass phrase is required every time the OpenVPN service is started or restarted. The server key is therefore an unencrypted file on disk; easy-rsa creates pki/private with mode 0700, and it should stay that way.

$ ./easyrsa build-server-full host.domain.tld nopass
Generating a 2048 bit RSA private key
.....+++
.............................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/host.domain.tld.key.uNKMalQEBR'
-----
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'host.domain.tld'
Certificate is to be certified until May 19 16:26:38 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generate the client keypair and sign locally with the previously generated CA

We use a generic Common Name (CN) for the client certificate because the same certificate and key are distributed to every connecting party inside the OpenVPN client configuration file (client.ovpn). Be clear about what that means: the client certificate then proves only that the connecting party holds the bundle, not who they are. Per-user identity and access control come entirely from the FreeIPA password check in step 5, and username-as-common-name in the server configuration is what puts the username, rather than the shared CN, in the logs and status file. If the bundle leaks, the only remedy is to revoke this one certificate and reissue client.ovpn to everyone. Issuing one certificate per user (build-client-full with the username as CN) keeps revocation per person and gives each user a revocable credential in addition to their password; the generic certificate is used here for simplicity.

Note: Use the CA pass phrase set previously in this step
Note 2: The nopass argument is passed to build-client-full so that no pass phrase is required every time a client connects using the client certificate; the key is then protected only by whatever protects client.ovpn on the client device.

$ ./easyrsa build-client-full client nopass
Generating a 2048 bit RSA private key
........+++
..............+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/client.key.KeY3a27stb'
-----
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until May 19 16:31:49 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Verify that all certificates, keys, and Diffie Hellman parameters are present

(pki/ca.crt, pki/dh.pem, pki/issued/host.domain.tld.crt, pki/issued/client.crt, pki/private/ca.key, pki/private/host.domain.tld.key, pki/private/client.key)

$ ls -lah pki/
total 36K
drwx------. 6 root root  228 May 22 12:31 .
drwxr-xr-x. 4 root root   73 May 22 12:01 ..
-rw-------. 1 root root 1.2K May 22 12:05 ca.crt
drwx------. 2 root root   94 May 22 12:31 certs_by_serial
-rw-------. 1 root root  424 May 22 12:22 dh.pem
-rw-------. 1 root root  147 May 22 12:31 index.txt
-rw-------. 1 root root   21 May 22 12:31 index.txt.attr
-rw-------. 1 root root   21 May 22 12:26 index.txt.attr.old
-rw-------. 1 root root   78 May 22 12:26 index.txt.old
drwx------. 2 root root   51 May 22 12:31 issued
drwx------. 2 root root   65 May 22 12:31 private
drwx------. 2 root root   51 May 22 12:31 reqs
-rw-------. 1 root root 1.0K May 22 12:31 .rnd
-rw-------. 1 root root   33 May 22 12:31 serial
-rw-------. 1 root root   33 May 22 12:31 serial.old
$
$ ls -lah pki/issued/
total 16K
drwx------. 2 root root   51 May 22 12:31 .
drwx------. 6 root root  228 May 22 12:31 ..
-rw-------. 1 root root 4.4K May 22 12:31 client.crt
-rw-------. 1 root root 4.5K May 22 12:26 host.domain.tld.crt
$
$ ls -lah pki/private/
total 12K
drwx------. 2 root root   65 May 22 12:31 .
drwx------. 6 root root  228 May 22 12:31 ..
-rw-------. 1 root root 1.8K May 22 12:05 ca.key
-rw-------. 1 root root 1.7K May 22 12:31 client.key
-rw-------. 1 root root 1.7K May 22 12:26 host.domain.tld.key
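Before moving on to the static key, it is worth checking these files the way the peers will at connect time. The following script is an added example, not part of the original post: it builds a throwaway CA, server and client certificate with plain openssl (constructed for the demo; easy-rsa produces the equivalent files under pki/) and then runs a verify_openvpn_pki function that checks the chain to the CA, the EKU each side enforces with remote-cert-eku, that the private key matches the certificate, and that the key is not group/other-readable. On the real gateway, call it with pki/ca.crt, pki/issued/host.domain.tld.crt and pki/private/host.domain.tld.key.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check certificates and
# keys the way the OpenVPN peers will at connect time. Requires the openssl CLI.
# make_demo_pki builds a throwaway CA/server/client with plain openssl so the
# checks can run offline; on the real gateway pass the easy-rsa files instead
# (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key).

# verify_openvpn_pki CA CERT KEY EXPECTED_EKU -> 0 if every check passes, else 1
verify_openvpn_pki() {
    ca="$1"; cert="$2"; key="$3"; eku="$4"; rc=0

    # 1. Chain: the peer validates CERT against the certificate in its 'ca' directive.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; rc=1
    fi
    # 2. EKU: remote-cert-eku "TLS Web Server Authentication" (client side) or
    #    "TLS Web Client Authentication" (server side) rejects anything else.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "$eku"; then
        echo "FAIL: $cert has no EKU '$eku'"; rc=1
    fi
    # 3. Pairing: the public key in the cert must equal the one derived from the
    #    private key (works for RSA and EC; an encrypted key yields nothing and fails).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null || true)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi
    # 4. A 'nopass' key is protected only by file permissions: reject g/o-readable.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by group or others"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $cert ($eku)"; fi
    return "$rc"
}

# make_demo_pki DIR: constructed demo PKI (CA, server cert with serverAuth EKU,
# client cert with clientAuth EKU), the same shape easy-rsa produces.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    for role in server client; do
        case $role in
            server) cn="host.domain.tld"; ext="extendedKeyUsage=serverAuth" ;;
            client) cn="client";          ext="extendedKeyUsage=clientAuth" ;;
        esac
        printf '%s\n' "$ext" > "$d/$role.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$role.key" -out "$d/$role.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$d/$role.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$d/$role.ext" -out "$d/$role.crt" >/dev/null 2>&1
        chmod 600 "$d/$role.key"
    done
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
verify_openvpn_pki "$DEMO/ca.crt" "$DEMO/server.crt" "$DEMO/server.key" "TLS Web Server Authentication"
verify_openvpn_pki "$DEMO/ca.crt" "$DEMO/client.crt" "$DEMO/client.key" "TLS Web Client Authentication"
# Deliberate mismatch: a client certificate in the server role fails the client's EKU check.
verify_openvpn_pki "$DEMO/ca.crt" "$DEMO/client.crt" "$DEMO/client.key" "TLS Web Server Authentication" \
    || echo "(expected failure above)"
```

The EKU string is the OpenSSL long name, which is exactly what remote-cert-eku takes in the configuration files, so the same value can be copied from server.conf or client.ovpn into the check.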
Generate the OpenVPN tls-crypt static key

This static pre-shared key (PSK) is distributed to all connecting parties as part of the OpenVPN client configuration file (client.ovpn) and adds a layer of protection around the TLS control channel. With tls-auth, every control-channel packet must carry a valid HMAC computed with this key, so packets from anyone who does not hold it are dropped before the TLS handshake starts; this blunts port scanning, DoS against the TLS stack and exploitation of bugs in TLS parsing. With tls-crypt, which the server configuration below uses, the control channel is also encrypted with the same key, so the certificates exchanged during the handshake are not visible on the wire. The same key file works for either directive. Because the key is in every client bundle it is not a per-user secret; treat it with the same care as the shared client certificate.

Change directory to /etc/openvpn/ and generate the static key (note the filename, openvpn.tlsauth; server.conf must reference the same file)
$ cd /etc/openvpn/
$ ls -lah
total 8.0K
drwxr-xr-x.  5 root root   69 May 22 16:40 .
drwxrwxrwt. 11 root root 4.0K May 22 16:40 ..
drwxr-x---.  2 root root    6 May 22 16:37 client
drwxr-xr-x.  3 root root   39 May 22 12:01 easy-rsa
drwxr-x---.  2 root root    6 May 22 16:37 server
$ openvpn --genkey --secret /etc/openvpn/openvpn.tlsauth
$ ls -lah
total 12K
drwxr-xr-x.  5 root root   92 May 22 16:43 .
drwxrwxrwt. 11 root root 4.0K May 22 16:42 ..
drwxr-x---.  2 root root    6 May 22 16:37 client
drwxr-xr-x.  3 root root   39 May 22 12:01 easy-rsa
-rw-------.  1 root root  636 May 22 16:43 openvpn.tlsauth
drwxr-x---.  2 root root    6 May 22 16:37 server

Step 3) Configure the OpenVPN Server

In this step we create the OpenVPN server configuration file (/etc/openvpn/server.conf), which contains all of the directives required to establish the VPN gateway. Each directive in the example configuration file is followed by an octothorpe (#) that begins a comment explaining what the directive does. The systemd unit starts OpenVPN with --cd /etc/openvpn/, so relative paths in the file (the status file below) resolve there. Two settings deserve a second look before deployment: comp-lzo enables compression, which OpenVPN has deprecated since the VORACLE attack (2018) showed that compressing attacker-influenced plaintext leaks data across the tunnel, and the server does not pin tls-version-min 1.2 the way the client configuration in step 7 does; set it on both sides.

/etc/openvpn/server.conf

port 1194                                                             # listening port
proto udp                                                             # listening protocol
dev tun                                                               # device type (tun = routed layer 3, tap = bridged layer 2)
tun-mtu 1500                                                          # tunnel MTU
tun-mtu-extra 32                                                      # assume that the tun/tap device may return up to 32 bytes more than "tun-mtu"
mssfix 1450                                                           # clamp the TCP MSS so that encapsulated packets stay under the "tun-mtu"
reneg-sec 14400                                                       # renegotiate the data channel key every 4 hours
ca /etc/openvpn/easy-rsa/3/pki/ca.crt                                 # path to the CA certificate used to verify client certificates
cert /etc/openvpn/easy-rsa/3/pki/issued/host.domain.tld.crt           # path to the server certificate
key /etc/openvpn/easy-rsa/3/pki/private/host.domain.tld.key           # path to the server private key
dh /etc/openvpn/easy-rsa/3/pki/dh.pem                                 # path to the Diffie-Hellman parameters
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn  # load the PAM auth plugin; "openvpn" is the PAM service name (/etc/pam.d/openvpn)
username-as-common-name                                               # use the authenticated username as the CN instead of the (shared) client certificate CN
server 172.22.1.0 255.255.255.0                                       # subnet and range of IPs that OpenVPN allocates to clients (use a private range that does not collide with client LANs)
push "redirect-gateway def1 bypass-dhcp"                              # push routes that send all client traffic over the VPN; bypass-dhcp keeps the client's local DHCP traffic off the tunnel
push "dhcp-option DNS 208.67.222.222"                                 # push a DNS server to the client
push "dhcp-option DNS 208.67.220.220"                                 # push a DNS server to the client
duplicate-cn                                                          # allow several simultaneous sessions with the same CN (with username-as-common-name: the same user)
user nobody                                                           # drop privileges to this user after initialisation
group nobody                                                          # drop privileges to this group after initialisation
keepalive 5 30                                                        # ping every 5s, restart after 30s of silence (pushed to clients; the server side waits twice as long)
comp-lzo                                                              # enable LZO compression (deprecated: compressing attacker-influenced data enabled the VORACLE attack)
persist-key                                                           # do not re-read key files on SIGUSR1 or --ping-restart (impossible anyway after dropping to nobody)
persist-tun                                                           # do not close and reopen the TUN/TAP device on SIGUSR1 or --ping-restart
status vpn.log                                                        # write operational status to this file (relative to /etc/openvpn, the unit's --cd)
verb 3                                                                # set output verbosity
log-append /var/log/openvpn.log                                       # append all log messages to /var/log/openvpn.log (created if it does not exist)
remote-cert-eku "TLS Web Client Authentication"                       # require a client certificate with the clientAuth EKU (set by easy-rsa build-client-full)
tls-crypt /etc/openvpn/openvpn.tlsauth                                # encrypt and authenticate the TLS control channel with the static key from step 2 (tls-auth would only authenticate it)
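To catch the kind of mistakes discussed above before the first client connects, here is an added example (not from the original post) of a small audit function for server.conf. It flags compression, a missing tls-version-min, tls-auth without tls-crypt, duplicate-cn, and a missing user/group, and checks that every file named by ca, cert, key, dh, tls-crypt or tls-auth exists, resolving relative paths against the config's directory the way the unit's --cd does. The two sample configurations it runs against are constructed for the example: a trimmed copy of the one above in which the tls-crypt line names vpn.tlsauth while the key was generated as openvpn.tlsauth, and a corrected version.

```shell
#!/bin/sh
# Added example, not code from the original post: a small lint for an OpenVPN
# server.conf. The two configs written by write_demo_configs are constructed for
# the demo; audit_server_conf itself works on any server config file.

# has_directive CONF NAME: true if NAME starts a (non-comment) line
has_directive() {
    sed 's/#.*//' "$1" | grep -qE "^[[:space:]]*$2([[:space:]]|\$)"
}

# directive_arg CONF NAME: first argument of NAME, empty if absent
directive_arg() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1==d {print $2; exit}'
}

# audit_server_conf CONF: print one line per finding; return the finding count
audit_server_conf() {
    conf="$1"; dir=$(dirname "$conf"); n=0
    if has_directive "$conf" comp-lzo || has_directive "$conf" compress; then
        echo "WARN: compression enabled; remove comp-lzo/compress (VORACLE)"; n=$((n+1))
    fi
    if ! has_directive "$conf" tls-version-min; then
        echo "WARN: no tls-version-min; pin 'tls-version-min 1.2' as the client does"; n=$((n+1))
    fi
    if has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "INFO: tls-auth only authenticates the control channel; tls-crypt also encrypts it"; n=$((n+1))
    fi
    if has_directive "$conf" duplicate-cn; then
        echo "INFO: duplicate-cn allows several concurrent sessions per identity"; n=$((n+1))
    fi
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "WARN: no user/group; the daemon keeps root after initialisation"; n=$((n+1))
    fi
    # Relative paths resolve against the config directory (systemd starts openvpn with --cd).
    for name in ca cert key dh tls-crypt tls-auth; do
        f=$(directive_arg "$conf" "$name")
        if [ -n "$f" ]; then
            case $f in /*) p="$f" ;; *) p="$dir/$f" ;; esac
            if [ ! -r "$p" ]; then
                echo "FAIL: $name points at missing file $p"; n=$((n+1))
            fi
        fi
    done
    return "$n"
}

# write_demo_configs DIR: a trimmed copy of the post's server.conf (with the
# tls-crypt filename mismatch) plus a corrected version, and placeholder files.
write_demo_configs() {
    d="$1"
    mkdir -p "$d/easy-rsa/3/pki/issued" "$d/easy-rsa/3/pki/private"
    touch "$d/easy-rsa/3/pki/ca.crt" "$d/easy-rsa/3/pki/dh.pem" \
          "$d/easy-rsa/3/pki/issued/host.domain.tld.crt" \
          "$d/easy-rsa/3/pki/private/host.domain.tld.key" "$d/openvpn.tlsauth"
    cat > "$d/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca easy-rsa/3/pki/ca.crt
cert easy-rsa/3/pki/issued/host.domain.tld.crt
key easy-rsa/3/pki/private/host.domain.tld.key
dh easy-rsa/3/pki/dh.pem
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
username-as-common-name
server 172.22.1.0 255.255.255.0
duplicate-cn
user nobody
group nobody
comp-lzo                 # enable fast LZO compression
tls-crypt vpn.tlsauth    # but the key was generated as openvpn.tlsauth
EOF
    # Same config without compression or duplicate-cn, TLS pinned, key path fixed.
    grep -vE '^(comp-lzo|duplicate-cn|tls-crypt)' "$d/weak.conf" > "$d/hardened.conf"
    printf '%s\n' 'tls-version-min 1.2' 'tls-crypt openvpn.tlsauth' >> "$d/hardened.conf"
}

D=$(mktemp -d)
write_demo_configs "$D"
echo "== weak.conf";     audit_server_conf "$D/weak.conf"     || echo "$? finding(s)"
echo "== hardened.conf"; audit_server_conf "$D/hardened.conf" || echo "$? finding(s)"
```

Run it against /etc/openvpn/server.conf on the gateway; a non-zero return is the number of findings, so it drops into a deployment script as a gate.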

Step 4) Configure firewalld and enable kernel IP forwarding

Next we configure firewalld (the management front end for iptables on CentOS 7) to masquerade traffic from the VPN subnet (source NAT behind the gateway's own address, a many-to-one NAT) and to allow the OpenVPN port through. We also explicitly enable IP forwarding in the kernel, since without it the host will not route packets between the tunnel and its other interfaces at all, whatever the NAT rules say.

Routing and forwarding is needed in order to allow traffic to flow between the new OpenVPN subnet and the internal corporate subnets.

Check the current firewalld active zone

Running the command firewall-cmd --list-all will display all attributes of the current active zone ("public" in our case).

Note: Take note of the 'services' and 'masquerade' fields below. These will change after we are done configuring firewalld

$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Add the openvpn service to the public zone for both the runtime and permanent configurations

Note: The first command does NOT contain the --permanent flag, so the openvpn service is added to the runtime configuration only and takes effect immediately. The second command, which DOES contain --permanent, stores the service in the firewalld configuration files, which are loaded as the runtime configuration on service reload/restart and at boot. The openvpn service definition opens 1194/udp, matching the port and proto directives in server.conf.

$ firewall-cmd --zone=public --add-service openvpn
success
$ firewall-cmd --zone=public --add-service openvpn --permanent
success
$ firewall-cmd --list-services
ssh dhcpv6-client openvpn
Add masquerade to the runtime and permanent configurations
$ firewall-cmd --add-masquerade
success
$ firewall-cmd --add-masquerade --permanent
success
$ firewall-cmd --query-masquerade
yes
Verify the active zone configuration

Note: Notice that the openvpn service has been appended to the 'services' field and that 'masquerade' has been enabled.

$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh dhcpv6-client openvpn
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Configure a direct passthrough NAT rule for our new OpenVPN subnet

Note: the -o flag names the interface that carries the OpenVPN server's gateway of last resort (i.e. its default route). It can be found with the command ip route | grep default | cut -d" " -f5
Note 2: the zone-level masquerade enabled above already applies to all traffic leaving the interfaces of the public zone, so this rule does not restrict NAT on its own; it makes the VPN subnet explicit in the ruleset and is what you would keep if zone masquerade were turned off later. Direct rules added only with --permanent are not active until firewalld is reloaded (or the same rule is added without --permanent).

$ firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 172.22.1.0/24 -o $(ip route | grep default | cut -d" " -f5) -j MASQUERADE
success
Verify the direct passthrough
$ firewall-cmd --direct --get-all-passthroughs
ipv4 -t nat -A POSTROUTING -s 172.22.1.0/24 -o ens192 -j MASQUERADE
Enable kernel IP forwarding

Kernel IP forwarding MUST be enabled for the host to forward packets between the tun interface and the LAN; masquerade only rewrites the source address of packets that are already being forwarded. firewalld turns forwarding on at runtime when masquerade is enabled, but adding net.ipv4.ip_forward = 1 to /etc/sysctl.conf makes the setting explicit and persistent across reboots.

The sysctl -p command loads the settings from the default sysctl configuration file (/etc/sysctl.conf on CentOS 7).

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
$ sysctl -p
net.ipv4.ip_forward = 1
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Step 5) Configure OpenVPN to use FreeIPA for Authentication

In this step we configure the PAM (Pluggable Authentication Modules) service that OpenVPN's auth-pam plugin calls when a client presents a username and password.

Pluggable authentication modules are a common framework for authentication and security.[2]

PAM lets applications such as OpenVPN request authentication without knowing anything about the underlying mechanism. OpenVPN hands the credentials to PAM under the service name 'openvpn' (the argument given to the plugin directive in server.conf) and only learns whether they were accepted. On a host enrolled with ipa-client-install the system-auth stack already contains pam_sss.so, which is how the request reaches SSSD and, through it, the FreeIPA servers; the OpenVPN server itself never talks to FreeIPA directly.

Create the PAM openvpn service file

The file is short because it reuses the system-auth stack that ipa-client-install already configured. The pam_securetty line is the same one CentOS uses for the login service. The pam_succeed_if line assumes that a user group named 'vpn' exists in the IPA domain and makes authentication fail for anyone who is not a member; because system-auth resolves groups through SSSD, membership is managed in FreeIPA, not in /etc/group. The account stage is also where pam_sss evaluates FreeIPA HBAC rules, so an HBAC rule for the 'openvpn' service can be used instead of, or in addition to, the group check.
/etc/pam.d/openvpn

auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       required     pam_succeed_if.so user ingroup vpn
auth       include      system-auth
account    include      system-auth
password   include      system-auth

Nothing else needs to be wired up: the plugin directive in server.conf names the PAM service 'openvpn', so OpenVPN reads /etc/pam.d/openvpn as soon as the first client authenticates.


Step 6) Enable and start the OpenVPN service

Now we will start and enable the OpenVPN service.

Enable the service

Use systemctl to enable the OpenVPN server service.

$ systemctl enable -f openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
Start the service

Use systemctl to start the service and check its status. Seeing two openvpn processes is normal: the auth-pam plugin forks a helper while OpenVPN is still root, and that helper performs the PAM conversations after the main process drops to nobody.

$ systemctl start openvpn@server.service
$ systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-05-23 17:43:13 EDT; 24s ago
 Main PID: 783 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           ├─783 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
           └─784 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

May 23 17:43:13 host.domain.tld systemd[1]: Starting OpenVPN Robust And Highly Flexible .....
May 23 17:43:13 host.domain.tld systemd[1]: Started OpenVPN Robust And Highly Flexible T...r.
Hint: Some lines were ellipsized, use -l to show in full.

Step 7) Create the OpenVPN Client configuration file

In this step we are going to create the client configuration file (client.ovpn) which contains all of the OpenVPN client directives required to establish a connection with the VPN gateway. Once again, each directive in the example configuration file has an octothorpe (#) next to it which denotes a comment. Each comment indicates what the configuration directive does.

Note: All certificates, private keys, and static keys in this file have been obfuscated and are not being used by an OpenVPN server.

client.ovpn

client                                                                # denotes that this is a client configuration
proto udp                                                             # UDP Protocol
remote host.domain.tld 1194                                           # VPN gateway FQDN and port
dev tun                                                               # routed (tun) rather than bridged (tap) device; must match the server
resolv-retry infinite                                                 # always try to resolve remote hostname
nobind                                                                # do not bind to local address and port
persist-key                                                           # do not re-read key files on SIGUSR1 or -ping-restart signals
persist-tun                                                           # do not close and reopen the TUN/TAP device on SIGUSR1 or -ping-restart signals
remote-cert-eku "TLS Web Server Authentication"                       # verify that the OpenVPN gateway is using a TLS web server certificate
verify-x509-name host.domain.tld name                                 # verify the OpenVPN gateway X509 certificate CN matches what is expected
tun-mtu 1500                                                          # tunnel MTU
tun-mtu-extra 32                                                      # Assume that tun/tap device may return up to 32 bytes more than "tun-mtu"
mssfix 1450                                                           # clamp the TCP MSS so that encapsulated packets stay under the "tun-mtu"
reneg-sec 14400                                                       # renegotiate data channel key every 4 hours
auth-user-pass                                                        # authenticate with username/password
auth-nocache                                                          # do not cache user credentials in memory
comp-lzo                                                              # enable fast LZO compression
tls-client                                                            # enforce TLS 
tls-version-min 1.2                                                   # only connect to a gateway that utilizes TLS v1.2 or higher
verb 3                                                                # set output verbosity
<ca>                                                                  # specify contents of inline CA certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
<cert>                                                                # specify contents of inline client certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>                                                                 # specify contents of inline client private key
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
<tls-crypt>                                                           # specify contents of inline tls-crypt/tls-auth static PSK
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
5aaaed78271ae44196a870a1c9738152
60c8efc2fb2bdbd4f94ea4484848faf9
96159b73ffe1e25a8306b4b05b6aeff0
68fce7a75f68952089750ebfe9274de7
51ed1c46ea26b9726c7cc0727a3158cd
ac197135cb11e2d5091e896079196af7
4203eeaff48da6623d16ae118396160c
c81037cbf7dd88f6d6e045ed5eeabd99
8828e6c77ef92c81554872be7005e17d
68fce7a75f68952089750ebfe9274de7
b411d71509a92a30c0e0c94cec93be5b
41f346050e8133f58d119c031f30d27d
d967bf41fe2256855c700cc36e754a17
bb9bcc286cb1f533d39a8e3071f1dcfa
68fce7a75f68952089750ebfe9274de7
5b63bae2ac841ea1f7ec6cf21e2138f2
-----END OpenVPN Static key V1-----
</tls-crypt>
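Hand-pasting PEM blocks into client.ovpn is error-prone, so here is an added example (not from the original post) of a shell function that assembles the bundle from a directive-only template plus the CA certificate, a client certificate and key, and the tls-crypt key. It refuses a template that also names those files via ca/cert/key directives, since a file directive and an inline block for the same item is ambiguous, and strips the trailing comments so they do not end up in the bundle. The extract_inline function reads an inline block back out, which is handy for checking a bundle someone hands you. The template and PEM bodies below are constructed placeholders; on the real server use pki/ca.crt, pki/issued/client.crt, pki/private/client.key and /etc/openvpn/openvpn.tlsauth.

```shell
#!/bin/sh
# Added example, not code from the original post: build client.ovpn by inlining
# PKI material into a directive-only template, and read inline blocks back out.
# The template and the PEM bodies written below are constructed placeholders.

# build_client_ovpn TEMPLATE CA CERT KEY TLSKEY -> bundle on stdout, 1 on error
build_client_ovpn() {
    tpl="$1"; ca="$2"; cert="$3"; key="$4"; tlskey="$5"
    for f in "$tpl" "$ca" "$cert" "$key" "$tlskey"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # A file directive plus an inline block for the same item is ambiguous; refuse.
    if grep -qE '^[[:space:]]*(ca|cert|key|tls-crypt|tls-auth)[[:space:]]' "$tpl"; then
        echo "template already references a file for ca/cert/key/tls-crypt" >&2; return 1
    fi
    sed 's/[[:space:]]*#.*//; /^$/d' "$tpl"          # directives only, comments dropped
    for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-crypt:$tlskey"; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"
    done
}

# extract_inline OVPN TAG: print the body of <TAG>...</TAG>
extract_inline() {
    awk -v t="$2" '$0=="<"t">"{f=1;next} $0=="</"t">"{f=0} f' "$1"
}

D=$(mktemp -d)
cat > "$D/client.tpl" <<'EOF'
client
proto udp
remote host.domain.tld 1194     # VPN gateway
dev tun
nobind
remote-cert-eku "TLS Web Server Authentication"
verify-x509-name host.domain.tld name
auth-user-pass
auth-nocache
tls-version-min 1.2
verb 3
EOF
# Constructed placeholder material (real deployments use the easy-rsa files).
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' > "$D/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' '-----END CERTIFICATE-----' > "$D/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$D/client.key"
printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' '00' \
    '-----END OpenVPN Static key V1-----' > "$D/openvpn.tlsauth"

build_client_ovpn "$D/client.tpl" "$D/ca.crt" "$D/client.crt" "$D/client.key" "$D/openvpn.tlsauth" > "$D/client.ovpn"
extract_inline "$D/client.ovpn" cert
```

Because the bundle carries a private key and the shared static key, give it the same protection as a password when distributing it (an encrypted channel, and removal from mailboxes and download folders afterwards).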

Step 8) Install OpenVPN on the connecting Client

Before we connect to the newly created OpenVPN gateway, the Community Edition of OpenVPN must be installed on the client. The Community Edition packages can be downloaded directly from openvpn.net, which hosts builds for most major operating systems.

Download and install the appropriate version of OpenVPN from https://openvpn.net/community-downloads/.

[image: OpenVPN-installation.gif]


Step 9) Connect to the OpenVPN gateway using the OpenVPN client

In this step I demonstrate connecting to the OpenVPN gateway from a Windows 10 client. Authentication is performed against the FreeIPA infrastructure through the auth-pam plugin and the PAM service configured in step 5.

Before we begin, place the client.ovpn configuration file created in step 7 in the "C:\Program Files\OpenVPN\config" directory.

[image: OpenVPN-client-connection.gif]


Footnotes


  1. https://openvpn.net/community/

  2. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
