Configuring a VPN Appliance for Remote Access


VPN Appliance Powered by OPNsense


The eApps VPN Appliance is powered by OPNsense, a leading open source network security platform based on FreeBSD. See https://www.opnsense.org. OPNsense supports OpenVPN, a widely used SSL VPN technology that is well suited for client/server VPN tunnels. The VPN Appliance is configured through the OPNsense user interface; some settings on your eApps Virtual Servers must be performed via the command line. This guide explains how to set up your remote access VPN. If you would like to have eApps perform the setup and configuration for you, contact sales@eapps.com.

Prerequisites

In order to configure a remote access VPN server, you will need to have the following:

  • A Virtual Server built using the VPN Appliance (OPNsense) template
  • One or more eApps hosted Virtual Servers that will connect to the VPN tunnel

You will also need the following:
  • The public IP address, gateway, and CIDR netmask for the Virtual Server
  • The private IP address that you purchased for your OPNsense VPN VS, along with the gateway and CIDR netmask
  • The private IP address range you want to use for your VPN clients

Log in to your OPNsense Dashboard

Your VPN Appliance has a user interface for setup and administration called the OPNsense Dashboard.

To log in to your dashboard, follow these steps:

  1. Log in to your customer portal at https://portal.eapps.com/clientarea.php. If you don't remember your password, click the Request a Password Reset link.
  2. Navigate to My Cloud > Virtual Servers and click the magnifying glass icon to the right of your server name.
  3. You will see your OPNsense Dashboard URL in the row labeled Control Panel.
  4. The credentials are in the Credentials row. Click the password link to show your password.

Create a Certificate Authority

This step is only required for the first time setup. If you decide to create more VPN servers, you can use the same Certificate Authority and Server Certificate you create now, or you can create new ones for each tunnel.

In your VPN Appliance dashboard, navigate to System -> Trust -> Authorities and click on + Add or Import CA. We will use these settings for this example:
Descriptive name: My Internal CA
Method: Create an internal Certificate Authority

===Internal Certificate Authority===
Key length (bits): 2048
Digest Algorithm: SHA256
Lifetime (days): 365

===Distinguished name===
Country Code: US
State or Province: GA
City: Atlanta
Organization: eApps Hosting
Email Address: support@eapps.com
Common Name: internal-ca
Note that you can select a higher value for Lifetime. This can be useful if you want to avoid having to create a new Certificate Authority and Server Certificate every year.

Click Save to add the new Certificate Authority.

Create a Server Certificate

Now we will use this Certificate Authority to create a new Server Certificate. This step is only required for the first time setup. If you decide to create more VPN servers, you can use the same Certificate Authority and Server Certificate you create now, or you can create new ones for each tunnel.

In your VPN Appliance dashboard, navigate to System -> Trust -> Certificates and click + add or import certificate. We will use these settings for this example:
Method: Create an internal Certificate
Descriptive Name: My Internal Certificate

===Internal Certificate===
Certificate authority: Select the CA you created earlier. It will show the descriptive name you chose in the dropdown.
Type: Server Certificate
Key length (bits): 2048
Digest Algorithm: SHA256
Lifetime (days): 365

===Distinguished name===
Country Code: US
State or Province: GA
City: Atlanta
Organization: eApps Hosting
Email Address: support@eapps.com
Common Name: VPN Server Certificate
Alternative Names: Leave default
Note that you can select a higher value for Lifetime. This can be useful if you want to avoid having to create a new Certificate Authority and Server Certificate every year.

Click Save to create the certificate.

Add a VPN Server

In your VPN Appliance dashboard, navigate to VPN -> OpenVPN -> Servers and click on + add server. We will use these settings for this example:
===General information===
Disabled: Unchecked
Server Mode: Remote Access ( User Auth )
Backend for authentication: Local Database # make sure it's selected and highlighted!
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
Description: My Corporate VPN

===Cryptographic Settings===
TLS Authentication
Check: Enable authentication of TLS packets
Check: Automatically generate a shared TLS authentication key
Peer Certificate Authority: Select the CA you created earlier. It will show the descriptive name you chose in the dropdown.
Peer Certificate Revocation List: No Certificate Revocation Lists (CRLs) defined.
Server Certificate: Select the Server Certificate you created earlier. It will show the descriptive name you chose in the dropdown.
DH Parameters Length: 4096
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA256 (256bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client+Server)

===Tunnel Settings===
IPv4 Tunnel Network: 172.16.0.0/24 # you may select any private IPv4 range. We recommend 172.x.x.x so it won't interfere with the eApps 10.x.x.x range or the 192.x.x.x range used by most home networks
IPv6 Tunnel Network: Leave blank
Redirect Gateway: Unchecked
IPv4 Local Network: Your VPN Appliance private Subnet and CIDR (For example if your IP is 10.1.0.x/20 your value would be 10.1.0.0/20, if it is 10.0.25.x/24, your subnet would be 10.0.25.0/24)
IPv6 Local Network: Leave blank
Concurrent connections: Leave blank
Compression: Enabled with Adaptive Compression
Type-of-Service: Unchecked
Inter-client communication: Checked
Duplicate Connections: Unchecked
Disable IPv6: Checked

===Client Settings===
Dynamic IP: Unchecked
Address Pool: Checked
Topology: Unchecked
DNS Default Domain: Unchecked
DNS Servers: Unchecked
Force DNS cache update: Unchecked
NTP Servers: Unchecked
NetBIOS Options: Unchecked
Client Management Port: Unchecked

===Advanced configuration===
Advanced: Leave blank
Verbosity level: 1 (default)
Renegotiate time: 0
Click Save to add the new VPN Server.

The VPN Server setup is now complete. From now on, you will only need to add a user for each new client you want to connect to the VPN. This means if you want to connect one of your eApps Virtual Servers to the VPN, you will need to create a "user" for each server.

Add Users

In your VPN Appliance dashboard, navigate to System -> Access -> Users. Click on the + sign to add a new user. We will use the following settings for this example:
Disabled: Unchecked
Username: testuser
Password: testpassword
Full name: Leave blank
Expiration date: Leave blank
Group Memberships: Leave blank
Certificate: Checked
OTP seed: Leave blank
Authorized keys: Leave blank
IPsec Pre-Shared Key: Leave blank
Click Save and you will be redirected to the User Certificate creation page. We will use the following settings for this example:
Method: Create an internal Certificate
Descriptive name: Leave default

===Internal Certificate===
Certificate authority: Select the CA you created earlier. It will show the descriptive name you chose in the dropdown.
Type: Client Certificate
Key length (bits): 2048
Digest Algorithm: SHA256
Lifetime (days): 365

===Distinguished name===
Country Code: US
State or Province: GA
City: Atlanta
Organization: eApps Hosting
Email Address: support@eapps.com
Common Name: Leave default
Alternative Names: Leave default
Click Save to finish creating the User Certificate.
Click Save again to finish creating the User.

Configuring Clients

OPNsense provides easy-to-install packages for personal clients on various platforms such as Windows, Mac, iPhone, Android and Linux. You can export an installation package, and find setup instructions for each platform, directly on your VPN Appliance.

In your VPN Appliance dashboard, navigate to VPN -> OpenVPN -> Client Export. Leave the default settings and scroll down to Client Install Packages. Select the package you want in the Export dropdown to automatically download the files you need to set up your clients. You can find documentation and client download links in the Links to OpenVPN clients section.

Configure Access to Your Virtual Server(s)

In your VPN Appliance dashboard, navigate to VPN -> OpenVPN -> Client Export. Select the Archive file from the Export dropdown. Copy this .zip file to your eApps Virtual Server. In this example, we have copied it to the /root directory of the server appserver1.

CentOS 7

Install OpenVPN using yum
[root@appserver1 ~]# yum -y install openvpn
Unzip the archive you downloaded from your VPN Appliance. You should have a .crt file, a .key file, and a .ovpn file.
[root@appserver1 ~]# unzip OPNsense-udp-1194-config.zip
Archive: OPNsense-udp-1194-config.zip
creating: OPNsense-udp-1194/
inflating: OPNsense-udp-1194/OPNsense-udp-1194.ovpn
inflating: OPNsense-udp-1194/OPNsense-udp-1194-ca.crt
inflating: OPNsense-udp-1194/OPNsense-udp-1194-tls.key
Move the files to the appropriate directory and rename the .ovpn configuration file to a more descriptive name (such as this server's hostname) with a .conf extension.
[root@appserver1 ~]# mv OPNsense-udp-1194/OPNsense-udp-1194* /etc/openvpn/client/
[root@appserver1 ~]# mv /etc/openvpn/client/OPNsense-udp-1194.ovpn /etc/openvpn/client/appserver1.conf
Copy the default systemd service file to a new file and name it something more descriptive, such as the name of your VPN.
[root@appserver1 ~]# cp /usr/lib/systemd/system/openvpn-client\@.service /usr/lib/systemd/system/corporate-vpn\@.service
Remove an unnecessary option from the newly created systemd service file.
[root@appserver1 ~]# sed -i 's/--nobind //g' /usr/lib/systemd/system/corporate-vpn\@.service
Create an authentication file containing the username and password this server will use to authenticate to your VPN Server. The ^C means press ENTER after the password and then CTRL+C.
[root@appserver1 ~]# cat > /etc/openvpn/client/auth.txt
user
password
^C
Edit the OpenVPN configuration file to include your authentication file
[root@appserver1 ~]# sed -i 's/auth-user-pass/auth-user-pass auth.txt/g' /etc/openvpn/client/appserver1.conf
Change the permissions of the files so only root has access to them
[root@appserver1 ~]# chmod 600 /etc/openvpn/client/*
Reload systemd and enable the service so it will start up automatically after a reboot
[root@appserver1 ~]# systemctl daemon-reload
[root@appserver1 ~]# systemctl enable corporate-vpn@appserver1
[root@appserver1 ~]# systemctl start corporate-vpn@appserver1
Your server should now be connected to the VPN Server. It should have an IP assigned from the IP pool you selected earlier. In the following example, the server was assigned the IP 172.16.0.14
[root@appserver1 ~]# systemctl status corporate-vpn@appserver1
corporate-vpn@my-name.service - OpenVPN tunnel for appserver1
Loaded: loaded (/usr/lib/systemd/system/corporate-vpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-02-08 14:57:42 UTC; 1h 11min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 16904 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-corporate\x2dvpn.slice/corporate-vpn@appserver1.service
└─16904 /usr/sbin/openvpn --suppress-timestamps --config appserver1.conf

Feb 08 14:57:42 appserver1 openvpn[16904]: TCP/UDP: Preserving recently used remote address: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 14:57:42 appserver1 openvpn[16904]: UDP link local (bound): [AF_INET][undef]:0
Feb 08 14:57:42 appserver1 openvpn[16904]: UDP link remote: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 14:57:42 appserver1 openvpn[16904]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 08 14:57:43 appserver1 openvpn[16904]: [VPN Server Certificate] Peer Connection Initiated with [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 14:57:44 appserver1 openvpn[16904]: TUN/TAP device tun0 opened
Feb 08 14:57:44 appserver1 openvpn[16904]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 08 14:57:44 appserver1 openvpn[16904]: /sbin/ip link set dev tun0 up mtu 1500
Feb 08 14:57:44 appserver1 openvpn[16904]: /sbin/ip addr add dev tun0 local 172.16.0.14 peer 172.16.0.13
Feb 08 14:57:44 appserver1 openvpn[16904]: Initialization Sequence Completed

CentOS 6

Install OpenVPN using yum
[root@appserver4 ~]# yum -y install openvpn
Unzip the archive you downloaded from your VPN Appliance. You should have a .crt file, a .key file, and a .ovpn file.
[root@appserver4 ~]# unzip OPNsense-udp-1194-config.zip
Archive: OPNsense-udp-1194-config.zip
creating: OPNsense-udp-1194/
inflating: OPNsense-udp-1194/OPNsense-udp-1194.ovpn
inflating: OPNsense-udp-1194/OPNsense-udp-1194-ca.crt
inflating: OPNsense-udp-1194/OPNsense-udp-1194-tls.key
Move the files to the appropriate directory and rename the .ovpn configuration file to a more descriptive name (such as this server's hostname) with a .conf extension.
[root@appserver4 ~]# mv OPNsense-udp-1194/OPNsense-udp-1194* /etc/openvpn/
[root@appserver4 ~]# mv /etc/openvpn/OPNsense-udp-1194.ovpn /etc/openvpn/appserver4.conf
Create an authentication file containing the username and password this server will use to authenticate to your VPN Server. The ^C means press ENTER after the password and then CTRL+C.
[root@appserver4 ~]# cat > /etc/openvpn/auth.txt
user
password
^C
Edit the OpenVPN configuration file to include your authentication file
[root@appserver4 ~]# sed -i 's/auth-user-pass/auth-user-pass auth.txt/g' /etc/openvpn/appserver4.conf
Change the permissions of the files so only root has access to them
[root@appserver4 ~]# chmod 600 /etc/openvpn/*
Add the OpenVPN service to the startup system services so it will start up automatically after a reboot
[root@appserver4 ~]# chkconfig openvpn on
[root@appserver4 ~]# service openvpn start
Starting openvpn: [ OK ]
Your server should now be connected to the VPN Server. It should have an IP assigned from the IP pool you selected earlier. In the following example, the server was assigned the IP 172.16.0.18
[root@appserver4 ~]# service openvpn status
Status written to /var/log/messages

[root@appserver4 openvpn]# grep openvpn /var/log/messages
Feb 8 20:15:26 appserver4 openvpn[18575]: OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Feb 8 20:15:26 appserver4 openvpn[18575]: library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Feb 8 20:15:26 appserver4 openvpn[18576]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 8 20:15:26 appserver4 openvpn[18576]: TCP/UDP: Preserving recently used remote address: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 8 20:15:26 appserver4 openvpn[18576]: UDP link local (bound): [AF_INET][undef]:0
Feb 8 20:15:26 appserver4 openvpn[18576]: UDP link remote: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 8 20:15:26 appserver4 openvpn[18576]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 8 20:15:27 appserver4 openvpn[18576]: [VPN Server Certificate] Peer Connection Initiated with [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 8 20:15:28 appserver4 openvpn[18576]: TUN/TAP device tun0 opened
Feb 8 20:15:28 appserver4 openvpn[18576]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 8 20:15:28 appserver4 openvpn[18576]: /sbin/ip link set dev tun0 up mtu 1500
Feb 8 20:15:28 appserver4 openvpn[18576]: /sbin/ip addr add dev tun0 local 172.16.0.18 peer 172.16.0.17
Feb 8 20:15:28 appserver4 openvpn[18576]: Initialization Sequence Completed

Debian 8, 9, Ubuntu 16, and Ubuntu 17

Install OpenVPN using apt
root@appserver3:~# apt-get install openvpn
Unzip the archive you downloaded from your VPN Appliance. You should have a .crt file, a .key file, and a .ovpn file.
root@appserver3:~# unzip OPNsense-udp-1194-config.zip
Archive: OPNsense-udp-1194-config.zip
creating: OPNsense-udp-1194/
inflating: OPNsense-udp-1194/OPNsense-udp-1194.ovpn
inflating: OPNsense-udp-1194/OPNsense-udp-1194-ca.crt
inflating: OPNsense-udp-1194/OPNsense-udp-1194-tls.key
Move the files to the appropriate directory and rename the .ovpn configuration file to a more descriptive name (such as this server's hostname) with a .conf extension.
root@appserver3:~# mv OPNsense-udp-1194/OPNsense-udp-1194* /etc/openvpn/
root@appserver3:~# mv /etc/openvpn/OPNsense-udp-1194.ovpn /etc/openvpn/appserver3.conf
Create an authentication file containing the username and password this server will use to authenticate to your VPN Server. The ^C means press ENTER after the password and then CTRL+C.
root@appserver3:~# cat > /etc/openvpn/auth.txt
user
password
^C
Edit the OpenVPN configuration file to include your authentication file
root@appserver3:~# sed -i 's/auth-user-pass/auth-user-pass auth.txt/g' /etc/openvpn/appserver3.conf
Copy the default systemd service file to a new file and name it something more descriptive, such as the name of your VPN.
root@appserver3:~# cp /lib/systemd/system/openvpn\@.service /lib/systemd/system/corporate-vpn\@.service
Change the permissions of the files so only root has access to them
root@appserver3:~# chmod 600 /etc/openvpn/*
Reload systemd and enable the service so it will start up automatically after a reboot
root@appserver3:~# systemctl daemon-reload
root@appserver3:~# systemctl enable corporate-vpn@appserver3
root@appserver3:~# systemctl start corporate-vpn@appserver3
Your server should now be connected to the VPN Server. It should have an IP assigned from the IP pool you selected earlier. In the following example, the server was assigned the IP 172.16.0.10
root@appserver3:~# systemctl status corporate-vpn@appserver3
corporate-vpn@appserver3.service - OpenVPN connection to appserver3
Loaded: loaded (/lib/systemd/system/corporate-vpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-02-08 19:49:16 UTC; 2s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 3221 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, status=0/SUCCESS)
Main PID: 3224 (openvpn)
CGroup: /system.slice/system-corporate\x2dvpn.slice/corporate-vpn@appserver3.service
└─3224 /usr/sbin/openvpn --daemon ovpn-appserver3 --status /run/openvpn/appserver3.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/appserver3.conf --writepid /run/openvpn/appserver3.pid

Feb 08 19:49:16 appserver3 ovpn-appserver3[3224]: UDPv4 link local (bound): [undef]
Feb 08 19:49:16 appserver3 ovpn-appserver3[3224]: UDPv4 link remote: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 19:49:16 appserver3 ovpn-appserver3[3224]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 08 19:49:16 appserver3 systemd[1]: Started OpenVPN connection to appserver3.
Feb 08 19:49:17 appserver3 ovpn-appserver3[3224]: [VPN Server Certificate] Peer Connection Initiated with [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: TUN/TAP device tun0 opened
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: /sbin/ip link set dev tun0 up mtu 1500
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: /sbin/ip addr add dev tun0 local 172.16.0.10 peer 172.16.0.9
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: Initialization Sequence Completed
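The CentOS 7, CentOS 6 and Debian/Ubuntu sections above are the same per-server procedure with different directories. The script below is an added example written for this page, not eApps' or OPNsense's own tooling: it collects those steps into shell functions so they can be repeated for every Virtual Server, and adds the check a practitioner would run before enabling the service (every file the .conf references exists, the credentials file is mode 600). It also applies the two changes the status logs above themselves suggest: remote-cert-tls in place of the deprecated ns-cert-type, and auth-nocache for the "may cache passwords in memory" warning. The function names, the constructed sample export and its placeholder certificate and key contents are assumptions made here.

```shell
#!/bin/sh
# Added example for this page (not eApps' or OPNsense's own tooling): the
# per-server client steps of the CentOS 7, CentOS 6 and Debian/Ubuntu sections
# as reusable functions. Function names and the constructed sample export are
# assumptions made here.

# Stage an unzipped export bundle ($1) into the OpenVPN directory ($2):
# /etc/openvpn/client on CentOS 7, /etc/openvpn on CentOS 6, Debian and Ubuntu.
# $3 names the .conf (use the server's hostname); $4/$5 are the VPN user/password.
prepare_client_config() {
    bundle_dir=$1; dest_dir=$2; host_name=$3; vpn_user=$4; vpn_pass=$5
    conf="$dest_dir/$host_name.conf"
    for f in "$bundle_dir"/*.ovpn; do ovpn=$f; done
    [ -f "$ovpn" ] || { echo "no .ovpn file in $bundle_dir" >&2; return 1; }

    mkdir -p "$dest_dir"
    cp "$bundle_dir"/*.crt "$bundle_dir"/*.key "$dest_dir"/

    # Credentials file, created under umask 077 so it is never readable by
    # other users, not even before the final chmod.
    ( umask 077; printf '%s\n%s\n' "$vpn_user" "$vpn_pass" > "$dest_dir/auth.txt" )

    # Drop CRs (the export may use Windows line endings), point auth-user-pass
    # at auth.txt, and swap the deprecated ns-cert-type for remote-cert-tls,
    # as the CentOS 6 log above recommends.
    tr -d '\r' < "$ovpn" \
        | sed -e 's/^auth-user-pass$/auth-user-pass auth.txt/' \
              -e 's/^ns-cert-type server$/remote-cert-tls server/' > "$conf"
    # Address the "may cache passwords in memory" warning seen in every log above.
    grep -q '^auth-nocache$' "$conf" || echo 'auth-nocache' >> "$conf"

    chmod 600 "$dest_dir"/*
}

# CentOS 7 only: copy the stock openvpn-client@.service ($1) to a descriptive
# name ($2) and remove --nobind, which OpenVPN refuses to combine with the
# "lport 0" line in the exported config.
copy_unit_without_nobind() {
    sed 's/--nobind //g' "$1" > "$2"
    ! grep -q -- '--nobind' "$2"
}

# Checks to run before "systemctl enable": every file the .conf references
# must exist beside it, a remote line must be present, and the credentials
# file must be mode 600. Returns 0 when all checks pass.
check_client_config() {
    conf=$1; dir=$(dirname "$conf"); rc=0
    for opt in ca cert key tls-auth auth-user-pass; do
        ref=$(awk -v o="$opt" '$1 == o && NF >= 2 { print $2 }' "$conf")
        [ -z "$ref" ] && continue
        [ -f "$dir/$ref" ] || { echo "missing $opt file: $ref" >&2; rc=1; }
    done
    auth=$(awk '$1 == "auth-user-pass" { print $2 }' "$conf")
    if [ -n "$auth" ] && [ -f "$dir/$auth" ] \
        && [ "$(ls -l "$dir/$auth" | cut -c1-10)" != "-rw-------" ]; then
        echo "$auth is not mode 600" >&2; rc=1
    fi
    grep -q '^remote ' "$conf" || { echo "no remote line in $conf" >&2; rc=1; }
    return $rc
}

# Constructed stand-in for the unzipped OPNsense-udp-1194 export: the .ovpn
# from the Windows section with CRLF endings, plus placeholder (not real) files.
write_sample_bundle() {
    mkdir -p "$1"
    printf '%s\r\n' 'dev tun' 'persist-tun' 'persist-key' 'cipher AES-256-CBC' \
        'auth SHA256' 'tls-client' 'client' 'reneg-sec 0' 'resolv-retry infinite' \
        'remote OPNSENSE_PUBLIC_IP 1194 udp' 'lport 0' 'auth-user-pass' \
        'ca OPNsense-udp-1194-ca.crt' 'tls-auth OPNsense-udp-1194-tls.key 1' \
        'ns-cert-type server' 'comp-lzo adaptive' > "$1/OPNsense-udp-1194.ovpn"
    echo 'PLACEHOLDER, NOT A CERTIFICATE' > "$1/OPNsense-udp-1194-ca.crt"
    echo 'PLACEHOLDER, NOT A KEY' > "$1/OPNsense-udp-1194-tls.key"
}

# Stand-alone run in a temporary directory; on a real server pass the unzipped
# export and /etc/openvpn/client (or /etc/openvpn) instead.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/OPNsense-udp-1194"
prepare_client_config "$demo_dir/OPNsense-udp-1194" "$demo_dir/client" appserver1 testuser testpassword
check_client_config "$demo_dir/client/appserver1.conf" \
    && echo "appserver1.conf staged in $demo_dir/client" && cat "$demo_dir/client/appserver1.conf"
```

The relative file names in the .conf (auth.txt, the .crt and .key) resolve because the service runs from the staging directory, as the --config appserver1.conf and --cd /etc/openvpn lines in the status output above show; run check_client_config after staging and before systemctl enable so a missing or world-readable file is caught before the first boot-time connection attempt.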

Windows 2016 and Windows 2012

Install the OpenVPN client by downloading the .exe file from https://openvpn.net/index.php/open-source/downloads.html. It is in the Installer, Windows Vista and later row.

Extract the files from the .zip archive you downloaded from your VPN Appliance to C:\Program Files\OpenVPN\config

Open Notepad and type your username in the first line, and your password in the second line. Save it as auth.txt in the C:\Program Files\OpenVPN\config directory. The final file should be C:\Program Files\OpenVPN\config\auth.txt

Right click your .ovpn file in C:\Program Files\OpenVPN\config and click Open with... to open it with Notepad.

Edit the file to add auth.txt to the end of the auth-user-pass line. If your file displays everything in a single line, you can break it up into multiple lines for better formatting. Here is an example file for your reference:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
reneg-sec 0
resolv-retry infinite
remote OPNSENSE_PUBLIC_IP 1194 udp
lport 0
auth-user-pass auth.txt
ca OPNsense-udp-1194-ca.crt
tls-auth OPNsense-udp-1194-tls.key 1
ns-cert-type server
comp-lzo adaptive
Save the file and start the OpenVPN GUI. You can do this by clicking the icon on your desktop or right clicking the OpenVPN GUI icon on your taskbar then clicking Connect. It should connect without prompting for a username or password.

Do not confuse it with the network system tray icon. The network system tray icon is a computer with an ethernet cable, while the OpenVPN GUI icon is a computer with a lock icon.

Open PowerShell or Command Prompt, type services.msc and press ENTER.

In the Services window, right click on OpenVPNService and click on Properties

Select Automatic from the Startup type dropdown

Click Apply
Click OK

Note that the next time the server boots, OpenVPN will connect automatically. If you connect to your Windows server via Remote Desktop and check the OpenVPN GUI status icon, you will NOT see it connected. This is intended, since the connection is actually made by the system service running in the background. You can check that you have an IP from the private IP pool you selected above by opening PowerShell or Command Prompt and issuing the ipconfig command. The output should look something like this:
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> ipconfig
Windows IP Configuration

Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7883:c593:fc38:46ec%15
IPv4 Address. . . . . . . . . . . : 172.16.0.22
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

Plesk

Follow the above VPN setup instructions depending on the operating system your Plesk control panel is installed on.

To be able to manage the new private IP through Plesk, log in to your Plesk panel and navigate to Tools & Settings -> IP Addresses. Click Reread IP and the IP address will be added to the list of available IP addresses. You can now host a website, set up email, and use any other Plesk function with this IP address.

cPanel/WHM

Follow the above VPN setup instructions depending on the operating system your cPanel/WHM control panel is installed on.

To be able to manage the new private IP through cPanel/WHM, log in to your WHM administration panel and navigate to Home -> IP Functions -> Rebuild the IP Address Pool. Click Proceed and the IP address will be added to the list of available IP addresses. You can now host a website, set up email, and use any other cPanel/WHM function with this IP address.
