OCI VPN Server PriTunl for clients

Sometimes you need more than a bastion for reaching your cloud resources. Bastions are great for SSH and RDP tunnelling, but they are really limited to admins and administration tasks. Site-to-site connectivity can of course be solved with an OCI CPE and tunnels between colo/client networks and the tenancy.

There are several options for VPN servers, and I use LibreSwan for testing site-to-site VPN tunnels to OCI tenancies. LibreSwan could also work where many users need access to cloud resources, but administering users etc. is not easy with it.

So this time I tried a product called pritunl ( https://pritunl.com/ )

You should be able to use normal OpenVPN clients, and I think even IPsec clients, to connect. Pritunl also provides its own clients, but ideally you should just be able to use anything generic.

The admin can easily add users and send each one an import file which includes their cert etc. For me this worked well under Linux using just the generic NetworkManager OpenVPN plugin, but I still need to verify Windows and Mac clients.

https://docs.pritunl.com/docs/installation

$ sudo -s
# tee -a /etc/yum.repos.d/mongodb-org-3.4.repo << EOF
> [mongodb-org-3.4]
> name=MongoDB Repository
> baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.4/x86_64/
> gpgcheck=1
> enabled=1
> gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
> EOF
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc

# tee -a /etc/yum.repos.d/pritunl.repo << EOF
> [pritunl]
> name=Pritunl Repository
> baseurl=https://repo.pritunl.com/stable/yum/centos/7/
> gpgcheck=1
> enabled=1
> EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1

# yum -y install epel-release
[snip]
Complete!

# grep disabled /etc/selinux/config 
#     disabled - No SELinux policy is loaded.
SELINUX=disabled

# gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
# gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
# yum -y install pritunl mongodb-org

# systemctl start mongod pritunl
# systemctl enable mongod pritunl
Created symlink from /etc/systemd/system/multi-user.target.wants/pritunl.service to /etc/systemd/system/pritunl.service.

Connect to web interface…

# firewall-cmd --zone=public --permanent --add-port=12991/udp
success
# systemctl restart firewalld

On the VPN server I removed the 0.0.0.0/0 route and added 10.1.0.0/16 (so only the cloud network is routed through the tunnel).
Installed network-manager-openvpn on my Linux desktop and imported the file exported from the VPN server.
Connected to the VPN server.

# ping 10.1.1.7
PING 10.1.1.7 (10.1.1.7) 56(84) bytes of data.
64 bytes from 10.1.1.7: icmp_seq=1 ttl=63 time=46.4 ms

$ ssh -i /media/ssh-keys/OBMCS opc@10.1.1.7
Last login: Fri Dec 15 16:50:24 2017

Network Manager VPN Connections

I have documented previously that the Linux network manager can be used to connect to several different VPN gateways.  There are several network manager plugins available for the different VPN solutions.  The pptp plugin is used frequently but for newer Cisco gateways you should use the network-manager-openconnect-gnome plugin. You should use the network-manager-vpnc plugin to connect to older Cisco gateways.

The vpnc plugin also happens to work for Palo Alto GlobalProtect concentrators.  For the vpnc plugin to work with Palo Alto GlobalProtect gateways you need to:

– Enable X-Auth on your VPN gateway. You will also need the group name and password from the VPN administrator.

– Create a “Cisco compatible” VPN when creating your network manager connection.


OpenVPN with Gnome NetworkManager plug-in

Instructions on how to use the OpenVPN plug-in with the Gnome NetworkManager.

Details:

– In this case the OpenVPN server hands out dynamic IP addresses.
– Ubuntu 12.10 64-bit client.

Get your user configuration file:

In a browser visit your OpenVPN server webpage at https://server.domain/
Follow Login > Download “Yourself (user-locked profile)” > Save As client.ovpn
** I renamed the file to client_29.ovpn since I have multiple servers I connect to.

Split client.ovpn into several files:

The Gnome NetworkManager does not like using one big configuration file, although the command line OpenVPN client works fine with one file (client.ovpn). For NetworkManager you can break the inline sections out manually with an editor, or as follows. I used my personal home folder to store the files.

sed -n '/<tls-auth>/,/<\/tls-auth>/p' client_29.ovpn > sitename_ovpn_29tls.key
sed -n '/<cert>/,/<\/cert>/p' client_29.ovpn > sitename_ovpn_29.crt
sed -n '/<ca>/,/<\/ca>/p' client_29.ovpn > sitename_ovpn_29ca.cer
sed -n '/<key>/,/<\/key>/p' client_29.ovpn > sitename_ovpn_29.key

** After you split the configuration up, remember to edit the files and remove the lines containing the opening (e.g. <ca>) and closing (e.g. </ca>) tags, since the sed ranges above print those lines too.
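The same split done with awk instead of sed, as an added example that is not from the original post: it drops the tag lines itself (so the manual edit step is not needed) and restricts the private key and TLS static key files to the owner, since the inline blocks in client.ovpn are secrets. The output names mirror the ones above; the sample profile and its placeholder bodies are constructed.

```shell
# Added example (not from the original post): split the inline <ca>, <cert>,
# <key> and <tls-auth> blocks of an OpenVPN profile into the separate files
# the NetworkManager plug-in wants, dropping the tag lines and restricting
# the files that hold secrets to mode 0600. File names are assumptions.

# Copy one inline block, without its tag lines, to a file.
# usage: extract_block <profile> <tagname> <outfile>
extract_block() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0; next }
        inside               { print }
    ' "$1" > "$3"
}

# usage: split_ovpn <profile> <prefix>  (writes <prefix>ca.cer, <prefix>.crt,
# <prefix>.key and <prefix>tls.key, matching the naming used above)
split_ovpn() {
    extract_block "$1" ca       "${2}ca.cer"
    extract_block "$1" cert     "${2}.crt"
    extract_block "$1" key      "${2}.key"
    extract_block "$1" tls-auth "${2}tls.key"
    # the private key and the static TLS key are secrets: owner-only
    chmod 0600 "${2}.key" "${2}tls.key"
}

# Constructed sample profile with placeholder bodies, for trying this offline.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
remote vpn.example.invalid 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
SAMPLE-CA-BODY
-----END CERTIFICATE-----
</ca>
<cert>
SAMPLE-CERT-BODY
</cert>
<key>
-----BEGIN PRIVATE KEY-----
SAMPLE-KEY-BODY
-----END PRIVATE KEY-----
</key>
<tls-auth>
SAMPLE-TA-BODY
</tls-auth>
EOF
}
```

Run it as `write_sample_profile client.ovpn; split_ovpn client.ovpn sitename_ovpn_29` to get the four files used in the NetworkManager dialogs.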

Install the OpenVPN plugin for NetworkManager:

# aptitude install network-manager-openvpn-gnome

Below are some screen shots showing some configuration settings for this particular setup. Your mileage may vary depending on how your administrator configured the server.

Screenshots (not reproduced here): Add a new VPN Connection in GNOME; Reference certificates and keys; General Settings; TLS Key.

Showing syslog while connecting (snipped):

Nov 22 08:49:42 u12 NetworkManager[660]:  Starting VPN service 'openvpn'...
Nov 22 08:49:43 u12 nm-openvpn[4791]: Control Channel Authentication: using '/home/rrosso/sitename_ovpn_29tls.key' as a OpenVPN static key file
Nov 22 08:49:43 u12 nm-openvpn[4791]: LZO compression initialized
Nov 22 08:49:47 u12 NetworkManager[660]:  IPv4 configuration:
Nov 22 08:49:47 u12 NetworkManager[660]:  Internal Gateway: 172.22.91.1
Nov 22 08:49:47 u12 NetworkManager[660]:  Internal Address: 172.22.91.253
Nov 22 08:49:47 u12 NetworkManager[660]:  Internal Prefix: 24
Nov 22 08:49:48 u12 NetworkManager[660]:  VPN connection 'sitename device 29' (IP Config Get) complete.
Nov 22 08:49:48 u12 NetworkManager[660]:  ((null)): writing resolv.conf to /sbin/resolvconf
Nov 22 08:49:49 u12 dbus[402]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
Nov 22 08:49:52 u12 nm-openvpn[4791]: Initialization Sequence Completed
Nov 22 08:50:08 u12 ntpdate[4876]: step time server 91.189.94.4 offset 9.301349 sec

Older (pre Ubuntu 12.04) information.  May or may not be useful to you.

How to test a manual connection (no NetworkManager plug-in):

rrosso@u10:~$ sudo openvpn --config client.ovpn --script-security 2
Sat Mar 19 10:14:34 2011 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Enter Auth Username:rrosso
Enter Auth Password:
...

On older versions of Ubuntu and NetworkManager this addition to the profile was necessary to set DNS:

rrosso@u10:~$ tail -3 client.ovpn
#rrosso added for DNS resolver
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Several problems I encountered with permissions on older versions:
– NetworkManager: <WARN> vpn_service_watch_cb()
– VPN service ‘org.freedesktop.NetworkManager.openvpn’ exited with error: 1
– connection_need_secrets_cb()

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/360818

Debug NetworkManager as follows:
http://live.gnome.org/NetworkManager/Debugging

# OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527975
https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/360818

** Not sure if tinkering with this next file helped, but I changed it to look as follows and could at least troubleshoot further afterwards.

Permissions problem:

# cat /etc/dbus-1/system.d/nm-openvpn-service.conf
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="org.freedesktop.NetworkManager.openvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
</policy>
</busconfig>

** I restored the original file and things are still working

Some older links on DNS resolver and OpenVPN:
http://www.subvs.co.uk/openvpn_resolvconf
http://forums.openvpn.net/topic7109.html
