OpenVPN Server with Username/Password Authentication

This topic is to discuss the following lesson:

OK that’s fine for a Ubuntu client. Now I want to have an Android client. Is it possible to do this? Re Android apps: OpenVPN Connect app requires a .ovpn profile but gives no info on them; OpenVPN For Android app wants a Client Certificate and a User Certificate. Any ideas as to which (or other Android app) to use?
PS My Android devices use Jelly Bean & Kit Kat.

Hi John,

I am using “OpenVPN for Android” but I can choose between certificates and just username/password authentication. The only certificate you need to add is the server certificate…no client certificates.

Do you have this option? I’m using Android 4.4 on a Google Nexus 5.

Rene

Rene,

I’m using Android 4.4.2 on a Google Nexus 10. I’ve reinstalled “OpenVPN for Android”. It immediately asked me to add a Profile. I did this & it showed me a screen containing hotspots for Basic, IP and DNS, Routing, Authentication/Encryption, Advanced, Generated Config. I’ve set Type in Basic to Username/Password. I’ve set the server address in Basic to the Internet IP Address set in my router. I’ve set the CA Certificate to the ca.crt created file. I’ve left the Client Certificate as ‘No Certificate’. I’ve set username in Basic & left Password blank. Ideally, I want to just use the VPN for internet banking. What’s the best way to do that i.e. to not use the VPN for mail or other internet browsing?

I forgot to ask another question. At the moment my laptop (running the client) connects using a Laptop.crt & Laptop.key files created by “./build-key Laptop” to my desktop running the server: I followed the procedure from Ubuntu’s Community Documentation for Ubuntu Server OpenVPN. Am I correct in stating that the same server configuration file & created ca.crt file will still work for user/password authentication from the client? The reason that I want to do this is that it seems a good idea to use user/password authentication for Android devices (since, if I lost an Android device, then without this authentication, someone could use my VPN) but not for my Ubuntu laptop as that’s much more secure.

Answering the question in my last message, it’s not possible to use user/password auth on Android devices but not on the laptop (without configuring 2 VPN servers), due to the server.conf containing:

# Username and Password authentication.
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

So I will use user/password authentication on both laptop & Android devices.

Another question: I’ve messed up my client.conf file by previously installing a user cert & key files to my client. Even though I completely removed openvpn & reinstalled it, it did not create a new client.conf. After doing the openvpn command to setup the use of the client it still contained the following:

ca ca.crt
cert Laptop.crt
key Laptop.key

What should I do with the latter 2 lines?

Also, I do not yet have a static IP address (for my router) & ddclient has disappeared from the Ubuntu repos. What’s the recommended procedure (in Precise & Trusty) to use a hostname provider?

Hi John,

If you don’t want user certificates then using Basic with username/password authentication is the way to go. The only requirement is adding the ca.crt file from the OpenVPN server.

Once you are able to connect you will have a VPN tunnel between your client and the server but that’s it. If you want the VPN to access other networks then first we need to tell the server that it should forward IP traffic:

cat /proc/sys/net/ipv4/ip_forward
0

The “0” means no forwarding so let’s change it:

sudo sysctl -w net/ipv4/ip_forward=1

This tells Ubuntu to forward IP traffic, let’s verify it:

cat /proc/sys/net/ipv4/ip_forward
1

Now it says “1” so it will forward IP traffic. We also have to tell our clients what networks are behind the VPN server. To do this you have to add some lines in your server.conf file:

# Push Route to Clients.
push "route 192.168.50.0 255.255.255.0"

This tells the client that network 192.168.50.0 /24 is reachable through the VPN. If you want to use the VPN for banking then you can add the IP addresses or subnets of your bank here. If you just want to send ALL traffic through the VPN then you can use this entry:

push "redirect-gateway def1"

Since you are sending traffic from your client through the VPN to the server and then onto the Internet, you also have to enable NAT on your OpenVPN server. You can do this with IPtables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

That should be it. If you do this all traffic headed towards network 192.168.50.0/24 will go through your VPN.

Rene
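As an added illustration of the push-route mechanism described above (this is example code written for this thread, not part of the original post or of OpenVPN itself), the following parses the push directives from a constructed server.conf fragment and answers the question a client effectively asks: does a given destination go into the tunnel or out the normal default gateway? It also handles "redirect-gateway def1", which OpenVPN implements as two /1 routes that override the default route without deleting it.

```python
import ipaddress

# Constructed server.conf fragment for this example; the 203.0.113.40/29
# line stands in for a bank's address block as suggested in the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# Push Route to Clients.
push "route 192.168.50.0 255.255.255.0"
push "route 203.0.113.40 255.255.255.248"
# push "redirect-gateway def1"
"""


def pushed_routes(conf_text):
    """Return the networks a client learns from 'push "route ..."' lines.

    A pushed 'redirect-gateway def1' is represented as the two /1 halves
    (0.0.0.0/1 and 128.0.0.0/1) that OpenVPN installs on the client so that
    they win over the existing 0.0.0.0/0 default route by longest match.
    """
    routes = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("push "):      # skips comments and other directives
            continue
        parts = line[len("push "):].strip().strip('"').split()
        if not parts:
            continue
        if parts[0] == "route" and len(parts) >= 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "redirect-gateway":
            if "def1" in parts:
                routes += [ipaddress.ip_network("0.0.0.0/1"),
                           ipaddress.ip_network("128.0.0.0/1")]
            else:
                routes.append(ipaddress.ip_network("0.0.0.0/0"))
    return routes


def via_vpn(dest, routes):
    """True if a packet to `dest` would be sent into the tunnel interface."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in routes)
```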

Hi John,

You are right about this. It’s best that if you lose a device that you just revoke the ca.crt and generate a new one.

Rene

You should be able to delete those two lines without any issues. Instead of deleting lines…just comment them out first. I believe ddclient is still in the Ubuntu Universe repository, add it and see if you can install it.

Most consumer routers also have a ddclient, I like to use those so I don’t have to think about it when I have to reinstall a computer.

Hi Rene,

I am not sure if this is the right place to ask. I have actually done quite a bit of googling and reading around, but most topics on VPN are about setup configurations and getting it to work.

But I am curious as to how the generated packet actually gets routed from the source to the destination. Why is there a need for a tunnel interface to be set up? How does the packet, through the tunnel interface, get on to the actual network interface to the internet and over to the VPN server?

Being so, why can’t the packet just be encrypted and encapsulated and sent over the normal network interface to the default gateway?

I tried ciscopress, but mostly they are either talking about the high-level concept or deep-diving into the configuration.

Hope you are able to point me to some documentation for further reading
or it would be absolutely great if you are able to setup a topic on how VPN actually works

Thanks a million.
Hope to hear from you soon

Hi Sze Jie K,

In a few days I’ll write a topic on IPsec VPN that explains this, for now I’ll try to explain it here in a few sentences.

First of all, the tunnel interface is not always required. IPsec for example has a “transport” and “tunnel” mode. The transport mode is useful if you only want to encrypt packets between two devices. For example, you could use it to encrypt telnet traffic between two devices.

Tunnel mode is useful for site-to-site VPNs. For example, let’s say we have two sites that are both connected to the Internet, site1 uses 192.168.1.0 /24 and site2 uses 192.168.2.0 /24.

There is no way that 192.168.1.0 /24 and 192.168.2.0 /24 could communicate with each other since these are private addresses. To fix this, we can tunnel this traffic. Tunneling is basically putting the existing IP packet into another IP packet so that we can route it…the “outer” IP packet uses the public IP addresses of the routers.

The end result will be that 192.168.1.0 /24 and 192.168.2.0 /24 will be able to talk with each other, even though the Internet is in between these two networks.

If you want to see what that looks like, take a look at the wireshark capture in this post:

In the example above, I’m using GRE tunneling without any encryption. It helps to visualize what a tunnel looks like though.

Let me know if you have any other questions about this? I’ll do my best to answer them.

Rene
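To make the tunneling explanation above concrete, here is an added example (written for this thread, not taken from the original post or from any VPN product) that builds an inner IPv4 packet between the two private sites, wraps it in GRE inside an outer IPv4 packet addressed with public router addresses, and then unwraps it again. Header checksums are left at zero to keep the example short; a real stack fills them in.

```python
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
PROTO_GRE, PROTO_UDP = 47, 17


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (version 4, IHL 5, header checksum left 0)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(packet):
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner_packet, outer_src, outer_dst):
    """Outer IP (proto 47) + 4-byte GRE header (no options, payload type IPv4)."""
    gre = struct.pack("!HH", 0x0000, 0x0800)
    payload = gre + inner_packet
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(payload)) + payload


def gre_decapsulate(outer_packet):
    """Reverse of gre_encapsulate: returns the parsed inner IP packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != PROTO_GRE:
        raise ValueError("not a GRE packet")
    _flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if ptype != 0x0800:
        raise ValueError("GRE payload is not IPv4")
    return parse_ipv4(outer["payload"][4:])


# Constructed sample: a host in site1 (192.168.1.0/24) sends to site2
# (192.168.2.0/24); the routers' public addresses are documentation ranges.
APP_DATA = b"hello"
INNER = ipv4_header("192.168.1.10", "192.168.2.10", PROTO_UDP, len(APP_DATA)) + APP_DATA
OUTER = gre_encapsulate(INNER, "198.51.100.1", "203.0.113.1")
```

The Internet only ever sees the outer 198.51.100.1 -> 203.0.113.1 packet, which is why the private prefixes can be routed across it; IPsec in tunnel mode encrypts the inner packet before adding its own outer header in the same spirit.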

Hi Rene,

Thanks for your reply and wonderful link.
Can I check if my following understanding is correct?

1a) tunneling is used when the src/dst network is prohibited/unreachable between 2 connected points due to a FW issue or, as in your example, an internal network going over the WAN to another.

1b) if the source and destination network are reachable to one another, there will be no need for tunneling.

2a) tunnel interfaces are “virtual/logical” interfaces which are “tagged” to the actual physical interface and use the physical interface to actually send out the encapsulated frame/packet.

2b) by using the tunnel interface as a gateway, network A can reach network B across the WAN.

2c) routing protocols (such as EIGRP) can be used in conjunction with the tunnel interface, so that routers know which internal networks can be reached via the tunnel interface.

==========================================================

question1)
for Access VPN (e.g. PC connecting to office network) ,
is it also using similar setup in which

  • the pc will have a tunnel interface
  • the vpn server will also have tunnel interface
    - the tunnel interfaces will be actually “tag” / using the actual physical interface connecting to the default GW for routing/communication between each other.

question2)
without routing protocol, or manually specifying routes

a) how does the PC know which are internal office networks that will be reachable via the tunnel interface ?

b) how does the vpn server know what is the internal network that my PC is using ?

c) with regards to b) It is most likely that my PC’s gateway is using NAT. So the tunnel packet coming from the VPN server back to my PC will be using my GW/Router’s public IP as the destination IP for both the outside and inside encapsulated packet ? - - I am having problem visualizing the whole picture here.

I hope i am making sense.

I have managed to follow your example and build up a lab using PT but still have not tried the NAT part. Will be sharing the config and diagram on the next post for your purview (if you may, so as you can advise if my understanding is correct or wrong)…

Hope to hear from you soon

Here are the answers to your questions:

1a) This is correct, this is probably the main reason why you want to use tunneling.

1b) There is another reason why you want to use tunneling. For example, IPsec doesn’t support multicast. If you want to encrypt multicast traffic with IPsec then you will have to create a GRE tunnel and then encrypt the GRE tunnel with IPsec.

2a) These are virtual interfaces yes but they aren’t really “attached” to the physical interface.

2b) This is correct but we don’t use the word gateway for this. From the router’s perspective, the IP address on the other side of the (GRE) tunnel is a next hop.

2c) That’s right, if you use a GRE interface then you can use it just like any other interface. If you only use IPsec then we don’t use IP addresses on the tunnel interface.

And your other questions:

  1. When you use client software then it will use a virtual interface on the PC. We don’t always have to use tunnel interfaces. You might want to try this example:

The physical interface is used to reach the remote VPN server, it’s not like virtual interfaces are attached to it.

  2. The VPN server can “push” routes to your PC. A computer also has a routing table; even though it doesn’t route between interfaces it will use it to select outgoing interfaces.

When you use a remote access VPN then your VPN client will get an IP address from the VPN server, there’s no need for the VPN server to know about the network that your PC is on.

The VPN traffic will be NAT translated just like any other traffic. With IPsec this can cause issues and we use NAT-T for this…that’s another story though.

Hi Rene,

Thanks for your time and the replies!
Please kindly see my queries below with [Koh] tagging ->

2a) These are virtual interfaces yes but they aren’t really “attached” to the physical interface.
[Koh] By “attached”, I am actually referring to the virtual (“tunnel”) interfaces using the actual physical interface to transmit the packet/frame out
- am I right?

2b) This is correct but we don’t use the word gateway for this. From the router’s perspective, the IP address on the other side of the (GRE) tunnel is a next hop.
[Koh] Duly noted. Actually I am trying to visualize how it would be if I have a tunnel interface on a host computer connecting to the VPN server.
In a client access VPN setup, what will be set as the Gateway then ?

Assuming 192.168.8.0 is the LAN network on the other side of the VPN server.

Host Computer
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.8.0 ?.?.?.? 255.255.255.0 U 0 0 0 tun0 ?

When you use client software then it will use a virtual interface on the PC. We don’t always have to use tunnel interfaces. You might want to try this example:

[Koh] I do not have a Cisco router available to test it out, is there any other way to try? I am thinking of using 2 VMs to simulate the OpenVPN configuration in the above post - is it okay?

When you use a remote access VPN then your VPN client will get an IP address from the VPN server, there’s no need for the VPN server to know about the network that your PC is on.
[Koh] Can you elaborate further on this ?
Assuming that the router is the VPN server, how does it know that it needs to route a packet back to me via the tunnel interface if there is no route to my network set up on it?

192.168.0.0/24 - my network
192.168.1.0/24 - company internal network

10.10.10.1 - my router A
10.10.10.2 - company router B

192.168.3.1 - router A tunnel interface
192.168.3.2 - router B tunnel interface

Assuming router A is actually my host computer (not sure if I am able to think of it this way) - how does router B/VPN server know that it must route to 192.168.0.0 via 192.168.3.1 through the tunnel interface?

Regards,
Koh

2a) That’s correct, you’ll always need the physical interface to actually transmit the data.

2b) The normal gateway will remain the default gateway. However, some extra entries might appear in the routing table of the computer.

If you want to play with VPNs on your computer then you could use two virtual machines with OpenVPN (one server, one client) or you could try GNS3 to emulate a Cisco router and use one virtual machine as the VPN client.

Normally with a VPN client, the VPN server won’t know the network behind the computer. Also, your computer is no router so it won’t normally route packets from one interface to the other. If you would have a site-to-site VPN then you need to manually configure which networks are behind each router or you need to push them.