Feature #1956

VPN: support for OpenVPN roadwarrior

Added by Giacomo Sanchietti about 8 years ago. Updated almost 8 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-openvpn
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

Description

Add roadwarrior support with two authentication methods:
  • system user / password
  • client certificate

The roadwarrior configuration should be bridged.

See: http://www.shorewall.net/OPENVPN.html

openvpn.patch - Rename vpn => ovpn in shorewall configs (2.28 KB) Davide Principi, 10/01/2013 06:23 PM


Related issues

Related to NethServer 6 - Feature #1763: VPN CLOSED 08/28/2013 09/16/2013

Associated revisions

Revision 13a7310c
Added by Giacomo Sanchietti almost 8 years ago

First import. Refs #1956

Revision 23e4330e
Added by Giacomo Sanchietti almost 8 years ago

Refactor pki scripts. Refs #1956

Revision 723897a6
Added by Giacomo Sanchietti almost 8 years ago

translations: fix typo in english and italian languages. Refs #1956

Revision 55ca9381
Added by Giacomo Sanchietti almost 8 years ago

host-to-net.conf template: fix syntax, handle RouteToVPN property. Refs #1956

Revision ce3a39c5
Added by Giacomo Sanchietti almost 8 years ago

createlinks: expand host-to-net.conf and reload server on interface-update event. Refs #1956

Revision 676bf477
Added by Davide Principi almost 8 years ago

/etc/shorewall/policy template (15openvpn): fixed syntax. Refs #1956

Revision d8dc96e4
Added by Giacomo Sanchietti almost 8 years ago

web ui: add download actions. Refs #1956 1763

Revision 24a155f4
Added by Giacomo Sanchietti almost 8 years ago

host-to-net.conf template: fix typo, fix certificate+password mode. Refs #1956

Revision 5ca5ca93
Added by Giacomo Sanchietti almost 8 years ago

translations: update english and italian translations. Refs #1956

Revision 66f56849
Added by Giacomo Sanchietti almost 8 years ago

openvpn-client, openvpn-local-client: add scripts for client configuration. Refs #1958 #1956

Revision ca74c92f
Added by Giacomo Sanchietti almost 8 years ago

host-to-net.conf template: push green route to clients. Refs #1956

Revision 5de22401
Added by Giacomo Sanchietti almost 8 years ago

web ui, db defaults, host-to-net.conf, openvpn-local-client: add Compression option. Refs #1956

Revision 48406643
Added by Davide Principi almost 8 years ago

/etc/shorewall templates: renamed "vpn" zone to "ovpn". Refs #1956

Revision ef68f2cb
Added by Giacomo Sanchietti almost 8 years ago

spec: change /var/lib/nethserver/certs/clients mode. Refs #1958 #1956

Revision 73c29b49
Added by Giacomo Sanchietti almost 8 years ago

nethserver-openvpn-genclient: fix created files permissions. Refs #1956

Revision 3ec58372
Added by Giacomo Sanchietti almost 8 years ago

nethserver-openvpn-bridge: execute only when needed. Refs #1956

Revision 027fddd8
Added by Giacomo Sanchietti almost 8 years ago

shorewall template: fix syntax in bridged mode. Refs #1956

Revision d5f5fd82
Added by Giacomo Sanchietti almost 8 years ago

web ui: add validation to Accounts module. Refs #1956

Revision 922d5655
Added by Giacomo Sanchietti almost 8 years ago

web ui: update translation. Refs #1956

Revision 7154fc0c
Added by Giacomo Sanchietti almost 8 years ago

nethserver-openvpn-bridge: add device prop to green interface to avoid warnings. Refs #1956

Revision 5c8a8014
Added by Giacomo Sanchietti almost 8 years ago

web ui: execute nethserver-openvpn-save in background to avoid event block during bridge creation. Refs #1956

History

#1 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti almost 8 years ago

  • Assignee set to Giacomo Sanchietti

#3 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

Implemented features:
  • Bridged and routed modes
  • 3 authentication types:
    • Password (PAM)
    • Certificate
    • Certificate + Password
  • Client to client traffic
  • Client traffic routed through VPN tunnel
  • Client configuration file with CA key included
  • Static IP reservation
  • Firewall policies:
    • vpn -> lan: accept
    • vpn -> firewall: accept
    • vpn -> net (red): deny unless RouteToVPN property is enabled
  • Certificate creation and revocation via command line tools

What is missing:
  • Web UI for:
    • certificates management
    • IP reservation
    • download of certificates and client configuration

#4 Updated by Giacomo Sanchietti almost 8 years ago

Certificate management, including working Web UI, has been moved to nethserver-vpn package.

Still missing:
  • download of certificates and client configuration

#5 Updated by Giacomo Sanchietti almost 8 years ago

  • Parent task deleted (#1763)

#6 Updated by Davide Principi almost 8 years ago

Proposed patch

Rename vpn => ovpn in shorewall configs

#7 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Implemented, see nethserver-vpn and nethserver-openvpn for details.

#8 Updated by Giacomo Sanchietti almost 8 years ago

Test must be split in two cases: bridged and routed mode.

Possibly use a Windows machine as client and put it in an external network.

Test case 1: routed mode with certificate

  • Enable OpenVPN server, select Routed mode and choose a valid network and netmask different from any other network already configured inside the server
  • Select certificate as authentication mode
  • Create a new vpn-only account, select certificate authentication mode
  • Download generated OpenVPN client configuration and try it on a client
  • The client should have an IP from the range and should be able to ping clients behind the firewall and the firewall itself

Test case 2: routed mode with password

  • Enable OpenVPN server, select Routed mode and choose a valid network and netmask different from any other network already configured inside the server
  • Select password as authentication mode
  • Create a new user account and set a password
  • Download generated OpenVPN client configuration and try it on a client
  • The client should have an IP from the range and should be able to ping clients behind the firewall and the firewall itself

Test case 3: bridged mode

  • Enable OpenVPN server, select Bridged mode and choose an IP interval inside local LAN; make sure the range will not collide with the one from DHCP configuration
  • Select an authentication mode
  • Download generated OpenVPN client configuration and try it on a client
  • The client should have an IP from the range and should be able to ping clients behind the firewall and the firewall itself

#9 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-vpn-1.0.0-25.0git7a115920.ns6.noarch
  • nethserver-openvpn-0.0.1-33.0git922d5655.ns6.noarch.rpm

See also #1763

#10 Updated by Davide Principi almost 8 years ago

  • Assignee set to Davide Principi

#11 Updated by Davide Principi almost 8 years ago

  • Test case 1 => OK
  • Test case 2 => OK
  • Test case 3 => Still testing

#12 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

#13 Updated by Davide Principi almost 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-openvpn-1.0.0-1.ns6.noarch.rpm

with dependencies:
pkcs11-helper-1.07-5.el6.x86_64.rpm
openvpn-2.3.1-3.el6.x86_64.rpm
