Configuring a VPN Appliance for Remote Access
- 20/02/2018 2:18 PM
VPN Appliance Powered by OPNsense
The eApps VPN Appliance is powered by OPNsense, a leading open source network security platform based on FreeBSD. See https://www.opnsense.org. OPNsense supports OpenVPN, a widely used SSL VPN technology that is well suited for client/server VPN tunnels. The configuration of the VPN Appliance is done using the OPNsense user interface. Some configuration settings on your eApps Virtual Servers must be performed via the command line. This guide explains how to set up your remote access VPN. If you would like to have eApps perform the setup and configuration for you, contact sales@eapps.com.
Prerequisites
In order to configure a remote access VPN server, you will need to have the following:
- A Virtual Server built using the VPN Appliance (OPNsense) template
- One or more eApps hosted Virtual Servers that will connect to the VPN tunnel
You will also need the following:
- The public IP address, gateway, and CIDR netmask for the Virtual Server
- The private IP address that you purchased for your OPNsense VPN VS along with the gateway and CIDR netmask
- The private IP addresses range you want to use for your VPN clients.
Log in to your OPNsense Dashboard
Your VPN Appliance has a user interface for setup and administration called the OPNsense Dashboard.
To log in to your dashboard, follow these steps:
- Log in to your customer portal at https://portal.eapps.com/clientarea.php. If you don't remember your password, click the Request a Password Reset link.
- Navigate to My Cloud > Virtual Servers and click the magnifying glass icon to the right of your server name
- You will see your OPNsense Dashboard URL in the row labeled Control Panel
- The credentials are in the Credentials row. Click the password link to show your password.
Create a Certificate Authority
This step is only required for the first time setup. If you decide to create more VPN servers, you can use the same Certificate Authority and Server Certificate you create now, or you can create new ones for each tunnel.
In your VPN Appliance dashboard, navigate to System -> Trust -> Authorities and click on + Add or Import CA. We will use these settings for this example:
Descriptive name: My Internal CA
Method: Create an internal Certificate Authority
===Internal Certificate Authority===
Key length (bits): 2048
Digest Algorithm: SHA256
Lifetime (days): 365
Note that you can select a higher value for Lifetime. This can be useful if you want to avoid having to create a new Certificate Authority and Server Certificate every year.
===Distinguished name===
Country Code: US
State or Province: GA
City: Atlanta
Organization: eApps Hosting
Email Address: support@eapps.com
Common Name: internal-ca
Click Save to add the new Certificate Authority.
Create a Server Certificate
Now we will use this Certificate Authority to create a new Server Certificate. This step is only required for the first time setup. If you decide to create more VPN servers, you can use the same Certificate Authority and Server Certificate you create now, or you can create new ones for each tunnel.
In your VPN Appliance dashboard, navigate to System -> Trust -> Certificates and click + add or import certificate. We will use these settings for this example:
Method: Create an internal Certificate
Descriptive Name: My Internal Certificate
===Internal Certificate===
Certificate authority: Select the CA you created earlier. It will show the descriptive name you chose in the dropdown.
Type: Server Certificate
Key length (bits): 2048
Digest Algorithm: SHA256
Lifetime (days): 365
Note that you can select a higher value for Lifetime. This can be useful if you want to avoid having to create a new Certificate Authority and Server Certificate every year.
===Distinguished name===
Country Code: US
State or Province: GA
City: Atlanta
Organization: eApps Hosting
Email Address: support@eapps.com
Common Name: VPN Server Certificate
Alternative Names: Leave default
Click Save to create the certificate.
Add a VPN Server
In your VPN Appliance dashboard, navigate to VPN -> OpenVPN -> Servers and click on + add server. We will use these settings for this example:
===General information===
Disabled: Unchecked
Server Mode: Remote Access ( User Auth )
Backend for authentication: Local Database # make sure it's selected and highlighted!
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port: 1194
Description: My Corporate VPN
===Cryptographic Settings===
TLS Authentication
Check: Enable authentication of TLS packets
Check: Automatically generate a shared TLS authentication key
Peer Certificate Authority: Select the CA you created earlier. It will show the descriptive name you chose in the dropdown.
Peer Certificate Revocation List: No Certificate Revocation Lists (CRLs) defined.
Server Certificate: Select the Server Certificate you created earlier. It will show the descriptive name you chose in the dropdown.
DH Parameters Length: 4096
Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm: SHA256 (256bit)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client+Server)
===Tunnel Settings===
IPv4 Tunnel Network: 172.16.0.0/24 # you may select any private IPv4 range. We recommend 172.x.x.x so it won't interfere with the eApps 10.x.x.x range or the 192.x.x.x range used by most home networks
IPv6 Tunnel Network: Leave blank
Redirect Gateway: Unchecked
IPv4 Local Network: Your VPN Appliance private subnet and CIDR (for example, if your IP is 10.1.0.x/20 your value would be 10.1.0.0/20; if it is 10.0.25.x/24, your subnet would be 10.0.25.0/24)
IPv6 Local Network: Leave blank
Concurrent connections: Leave blank
Compression: Enabled with Adaptive Compression
Type-of-Service: Unchecked
Inter-client communication: Checked
Duplicate Connections: Unchecked
Disable IPv6: Checked
===Client Settings===
Dynamic IP: Unchecked
Address Pool: Checked
Topology: Unchecked
DNS Default Domain: Unchecked
DNS Servers: Unchecked
Force DNS cache update: Unchecked
NTP Servers: Unchecked
NetBIOS Options: Unchecked
Client Management Port: Unchecked
===Advanced configuration===
Advanced: Leave blank
Verbosity level: 1 (default)
Renegotiate time: 0
Click Save to add the new VPN Server.
The VPN Server setup is now complete. From now on, you will only need to add a user for each new client you want to connect to the VPN. This means that if you want to connect one of your eApps Virtual Servers to the VPN, you will need to create a "user" for each server.
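The IPv4 Local Network entry in the Tunnel Settings is derived from the appliance's private address, and the IPv4 Tunnel Network you pick must not overlap it. As an added example, not from the eApps article or OPNsense, the POSIX shell functions below perform that derivation for any address/prefix, check whether a client's tun0 address really belongs to the pool, and flag an overlap between the two ranges. The sample values 10.1.0.25/20 and 172.16.0.0/24 are constructed from the article's own examples.

```shell
#!/bin/sh
# Added example, not part of the eApps article: the IPv4 arithmetic behind the
# Tunnel Settings, so the entries can be checked rather than worked out by hand.
# Assumes only POSIX sh; sample addresses are constructed from the article's text.

# Dotted quad -> integer (10.1.5.7 -> 167838983).
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip4() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as an integer (/20 -> 4294963200, i.e. 255.255.240.0).
prefix_to_mask() {
  [ "$1" -eq 0 ] && { echo 0; return 0; }
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address of address/prefix: "10.1.5.7/20" -> "10.1.0.0/20". This is the
# value the article asks for in "IPv4 Local Network" given the appliance's private IP.
cidr_network() {
  ip=${1%/*}; prefix=${1#*/}
  case $prefix in ''|*[!0-9]*) echo "expected a.b.c.d/len, got $1" >&2; return 1;; esac
  [ "$prefix" -le 32 ] || { echo "prefix longer than 32 in $1" >&2; return 1; }
  echo "$(int_to_ip4 $(( $(ip4_to_int "$ip") & $(prefix_to_mask "$prefix") )))/$prefix"
}

# 0 when address $1 belongs to network $2: e.g. is the tun0 address a client was
# given really inside the IPv4 Tunnel Network pool?
in_subnet() {
  [ "$(cidr_network "$1/${2#*/}")" = "$(cidr_network "$2")" ]
}

# 0 when two networks share any address; both are compared at the shorter prefix.
subnets_overlap() {
  p=${1#*/}; [ "${2#*/}" -lt "$p" ] && p=${2#*/}
  [ "$(cidr_network "${1%/*}/$p")" = "$(cidr_network "${2%/*}/$p")" ]
}

# Print the IPv4 Local Network to enter for appliance address $1 and confirm that
# the chosen IPv4 Tunnel Network $2 does not collide with it (returns 1 if it does).
check_tunnel_plan() {
  local_net=$(cidr_network "$1") || return 1
  echo "IPv4 Local Network:  $local_net"
  if subnets_overlap "$local_net" "$2"; then
    echo "IPv4 Tunnel Network $2 overlaps $local_net; pick another range" >&2
    return 1
  fi
  echo "IPv4 Tunnel Network: $2 (no overlap with the local network)"
}

# Example run with the article's sample values: appliance at 10.1.0.x/20, pool 172.16.0.0/24.
check_tunnel_plan "${1:-10.1.0.25/20}" "${2:-172.16.0.0/24}"
```

Run it as `sh tunnel-plan.sh 10.0.25.40/24 172.16.0.0/24` (script name assumed) with your own appliance address and pool; a non-zero exit means the pool has to change. After a client connects, `in_subnet` with the address shown by `ip addr show tun0` and the pool confirms the client really came from the Address Pool you configured.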
Add Users
In your VPN Appliance dashboard, navigate to System -> Access -> Users. Click on the + sign to add a new user. We will use the following settings for this example:
Disabled: Unchecked
Username: testuser
Password: testpassword
Full name: Leave blank
Expiration date: Leave blank
Group Memberships: Leave blank
Certificate: Checked
OTP seed: Leave blank
Authorized keys: Leave blank
IPsec Pre-Shared Key: Leave blank
Click Save and you will be redirected to the User Certificate creation page. We will use the following settings for this example:
Method: Create an internal Certificate
Descriptive name: Leave default
===Internal Certificate===
Certificate authority: Select the CA you created earlier. It will show the descriptive name you chose in the dropdown.
Type: Client Certificate
Key length (bits): 2048
Digest Algorithm: SHA256
Lifetime (days): 365
===Distinguished name===
Country Code: US
State or Province: GA
City: Atlanta
Organization: eApps Hosting
Email Address: support@eapps.com
Common Name: Leave default
Alternative Names: Leave default
Click Save to finish creating the User Certificate.
Click Save again to finish creating the User.
Configuring Clients
OPNsense provides easy to install packages for personal clients on various platforms such as Windows, Mac, iPhone, Android and Linux. You can export an installation package and find instructions for setting up each client depending on the platform directly on your VPN Appliance.
In your VPN Appliance dashboard, navigate to VPN -> OpenVPN -> Client Export. Leave the default settings and scroll down to Client Install Packages. Select the package you want in the Export dropdown to automatically download the files you need to set up your clients. You can find documentation and client download links in the Links to OpenVPN clients section.
Configure Access to Your Virtual Server(s)
In your VPN Appliance dashboard, navigate to VPN -> OpenVPN -> Client Export. Select the Archive file from the Export dropdown. Copy this .zip file to your eApps Virtual Server. In this example, we have copied it to the /root directory of the server appserver1.
CentOS 7
Install OpenVPN using yum:
[root@appserver1 ~]# yum -y install openvpn
Unzip the archive you downloaded from your VPN Appliance. You should have a .crt file, a .key file, and a .ovpn file.
[root@appserver1 ~]# unzip OPNsense-udp-1194-config.zip
Archive: OPNsense-udp-1194-config.zip
creating: OPNsense-udp-1194/
inflating: OPNsense-udp-1194/OPNsense-udp-1194.ovpn
inflating: OPNsense-udp-1194/OPNsense-udp-1194-ca.crt
inflating: OPNsense-udp-1194/OPNsense-udp-1194-tls.key
Move the files to the appropriate directory and rename the .ovpn configuration file to a more descriptive name (such as this server's hostname) with a .conf extension.
[root@appserver1 ~]# mv OPNsense-udp-1194/OPNsense-udp-1194* /etc/openvpn/client/
[root@appserver1 ~]# mv /etc/openvpn/client/OPNsense-udp-1194.ovpn /etc/openvpn/client/appserver1.conf
Copy the default systemd service file to a new file and name it something more descriptive, such as the name of your VPN.
[root@appserver1 ~]# cp /usr/lib/systemd/system/openvpn-client\@.service /usr/lib/systemd/system/corporate-vpn\@.service
Remove an unnecessary option from the newly created systemd service file.
[root@appserver1 ~]# sed -i 's/--nobind //g' /usr/lib/systemd/system/corporate-vpn\@.service
Create an authentication file that will have the username and password this server will use to authenticate to your VPN Server. The ^C means to hit ENTER after the password and then CTRL+C.
[root@appserver1 ~]# cat > /etc/openvpn/client/auth.txt
user
password
^C
Edit the OpenVPN configuration file to include your authentication file.
[root@appserver1 ~]# sed -i 's/auth-user-pass/auth-user-pass auth.txt/'g /etc/openvpn/client/appserver1.conf
Change the permissions of the files so only root has access to them.
[root@appserver1 ~]# chmod 600 /etc/openvpn/client/*
Reload systemd and enable the service so it will start up automatically after a reboot.
[root@appserver1 ~]# systemctl daemon-reload
[root@appserver1 ~]# systemctl enable corporate-vpn@appserver1
[root@appserver1 ~]# systemctl start corporate-vpn@appserver1
Your server should now be connected to the VPN Server. It should have an IP assigned from the IP pool you selected earlier. In the following example, the server was assigned the IP 172.16.0.14.
[root@appserver1 ~]# systemctl status corporate-vpn@appserver1
corporate-vpn@my-name.service - OpenVPN tunnel for appserver1
Loaded: loaded (/usr/lib/systemd/system/corporate-vpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-02-08 14:57:42 UTC; 1h 11min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 16904 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-corporate\x2dvpn.slice/corporate-vpn@appserver1.service
└─16904 /usr/sbin/openvpn --suppress-timestamps --config appserver1.conf
Feb 08 14:57:42 appserver1 openvpn[16904]: TCP/UDP: Preserving recently used remote address: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 14:57:42 appserver1 openvpn[16904]: UDP link local (bound): [AF_INET][undef]:0
Feb 08 14:57:42 appserver1 openvpn[16904]: UDP link remote: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 14:57:42 appserver1 openvpn[16904]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 08 14:57:43 appserver1 openvpn[16904]: [VPN Server Certificate] Peer Connection Initiated with [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 14:57:44 appserver1 openvpn[16904]: TUN/TAP device tun0 opened
Feb 08 14:57:44 appserver1 openvpn[16904]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 08 14:57:44 appserver1 openvpn[16904]: /sbin/ip link set dev tun0 up mtu 1500
Feb 08 14:57:44 appserver1 openvpn[16904]: /sbin/ip addr add dev tun0 local 172.16.0.14 peer 172.16.0.13
Feb 08 14:57:44 appserver1 openvpn[16904]: Initialization Sequence Completed
CentOS 6
Install OpenVPN using yum:
[root@appserver4 ~]# yum -y install openvpn
Unzip the archive you downloaded from your VPN Appliance. You should have a .crt file, a .key file, and a .ovpn file.
[root@appserver4 ~]# unzip OPNsense-udp-1194-config.zip
Archive: OPNsense-udp-1194-config.zip
creating: OPNsense-udp-1194/
inflating: OPNsense-udp-1194/OPNsense-udp-1194.ovpn
inflating: OPNsense-udp-1194/OPNsense-udp-1194-ca.crt
inflating: OPNsense-udp-1194/OPNsense-udp-1194-tls.key
Move the files to the appropriate directory and rename the .ovpn configuration file to a more descriptive name (such as this server's hostname) with a .conf extension.
[root@appserver4 ~]# mv OPNsense-udp-1194/OPNsense-udp-1194* /etc/openvpn/
[root@appserver4 ~]# mv /etc/openvpn/OPNsense-udp-1194.ovpn /etc/openvpn/appserver4.conf
Create an authentication file that will have the username and password this server will use to authenticate to your VPN Server. The ^C means to hit ENTER after the password and then CTRL+C.
[root@appserver4 ~]# cat > /etc/openvpn/auth.txt
user
password
^C
Edit the OpenVPN configuration file to include your authentication file.
[root@appserver4 ~]# sed -i 's/auth-user-pass/auth-user-pass auth.txt/'g /etc/openvpn/appserver4.conf
Change the permissions of the files so only root has access to them.
[root@appserver4 ~]# chmod 600 /etc/openvpn/*
Add the OpenVPN service to the startup system services so it will start up automatically after a reboot.
[root@appserver4 ~]# chkconfig openvpn on
[root@appserver4 ~]# service openvpn start
Starting openvpn: [ OK ]
Your server should now be connected to the VPN Server. It should have an IP assigned from the IP pool you selected earlier. In the following example, the server was assigned the IP 172.16.0.18.
[root@appserver4 ~]# service openvpn status
Status written to /var/log/messages
[root@appserver4 openvpn]# grep openvpn /var/log/messages
Feb 8 20:15:26 appserver4 openvpn[18575]: OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Feb 8 20:15:26 appserver4 openvpn[18575]: library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Feb 8 20:15:26 appserver4 openvpn[18576]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 8 20:15:26 appserver4 openvpn[18576]: TCP/UDP: Preserving recently used remote address: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 8 20:15:26 appserver4 openvpn[18576]: UDP link local (bound): [AF_INET][undef]:0
Feb 8 20:15:26 appserver4 openvpn[18576]: UDP link remote: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 8 20:15:26 appserver4 openvpn[18576]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 8 20:15:27 appserver4 openvpn[18576]: [VPN Server Certificate] Peer Connection Initiated with [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 8 20:15:28 appserver4 openvpn[18576]: TUN/TAP device tun0 opened
Feb 8 20:15:28 appserver4 openvpn[18576]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 8 20:15:28 appserver4 openvpn[18576]: /sbin/ip link set dev tun0 up mtu 1500
Feb 8 20:15:28 appserver4 openvpn[18576]: /sbin/ip addr add dev tun0 local 172.16.0.18 peer 172.16.0.17
Feb 8 20:15:28 appserver4 openvpn[18576]: Initialization Sequence Completed
Debian 8, 9, Ubuntu 16, and Ubuntu 17
Install OpenVPN using apt:
root@appserver3:~# apt-get install openvpn
Unzip the archive you downloaded from your VPN Appliance. You should have a .crt file, a .key file, and a .ovpn file.
root@appserver3:~# unzip OPNsense-udp-1194-config.zip
Archive: OPNsense-udp-1194-config.zip
creating: OPNsense-udp-1194/
inflating: OPNsense-udp-1194/OPNsense-udp-1194.ovpn
inflating: OPNsense-udp-1194/OPNsense-udp-1194-ca.crt
inflating: OPNsense-udp-1194/OPNsense-udp-1194-tls.key
Move the files to the appropriate directory and rename the .ovpn configuration file to a more descriptive name (such as this server's hostname) with a .conf extension.
root@appserver3:~# mv OPNsense-udp-1194/OPNsense-udp-1194* /etc/openvpn/
root@appserver3:~# mv /etc/openvpn/OPNsense-udp-1194.ovpn /etc/openvpn/appserver3.conf
Create an authentication file that will have the username and password this server will use to authenticate to your VPN Server. The ^C means to hit ENTER after the password and then CTRL+C.
root@appserver3:~# cat > /etc/openvpn/auth.txt
user
password
^C
Edit the OpenVPN configuration file to include your authentication file.
root@appserver3:~# sed -i 's/auth-user-pass/auth-user-pass auth.txt/'g /etc/openvpn/appserver3.conf
Copy the default systemd service file to a new file and name it something more descriptive, such as the name of your VPN.
root@appserver3:~# cp /lib/systemd/system/openvpn\@.service /lib/systemd/system/corporate-vpn\@.service
Change the permissions of the files so only root has access to them.
root@appserver3:~# chmod 600 /etc/openvpn/*
Reload systemd and enable the service so it will start up automatically after a reboot.
root@appserver3:~# systemctl daemon-reload
root@appserver3:~# systemctl enable corporate-vpn@appserver3
root@appserver3:~# systemctl start corporate-vpn@appserver3
Your server should now be connected to the VPN Server. It should have an IP assigned from the IP pool you selected earlier. In the following example, the server was assigned the IP 172.16.0.10.
root@appserver3:~# systemctl status corporate-vpn@appserver3
corporate-vpn@appserver3.service - OpenVPN connection to appserver3
Loaded: loaded (/lib/systemd/system/corporate-vpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-02-08 19:49:16 UTC; 2s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 3221 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, status=0/SUCCESS)
Main PID: 3224 (openvpn)
CGroup: /system.slice/system-corporate\x2dvpn.slice/corporate-vpn@appserver3.service
└─3224 /usr/sbin/openvpn --daemon ovpn-appserver3 --status /run/openvpn/appserver3.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/appserver3.conf --writepid /run/openvpn/appserver3.pid
Feb 08 19:49:16 appserver3 ovpn-appserver3[3224]: UDPv4 link local (bound): [undef]
Feb 08 19:49:16 appserver3 ovpn-appserver3[3224]: UDPv4 link remote: [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 19:49:16 appserver3 ovpn-appserver3[3224]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 08 19:49:16 appserver3 systemd[1]: Started OpenVPN connection to appserver3.
Feb 08 19:49:17 appserver3 ovpn-appserver3[3224]: [VPN Server Certificate] Peer Connection Initiated with [AF_INET]OPNSENSE_PUBLIC_IP:1194
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: TUN/TAP device tun0 opened
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: /sbin/ip link set dev tun0 up mtu 1500
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: /sbin/ip addr add dev tun0 local 172.16.0.10 peer 172.16.0.9
Feb 08 19:49:19 appserver3 ovpn-appserver3[3224]: Initialization Sequence Completed
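The CentOS 7, CentOS 6 and Debian/Ubuntu procedures above repeat the same hand-typed steps: copy the exported files, rename the profile, write auth.txt, point auth-user-pass at it, lock down permissions, and (on the systemd variants) copy the template unit. As an added example that is not eApps' or OPNsense's own code, the script below does those steps with three POSIX shell functions, parameterised on the target directory (/etc/openvpn/client on CentOS 7, /etc/openvpn elsewhere) and the template unit path; the script name install-vpn-client.sh is an assumption. It goes slightly beyond the page in two places: the credentials file is created under umask 077, so it is mode 600 from the moment it exists rather than after a later chmod, and the auth-user-pass edit is anchored to the bare directive so running the script twice does not append auth.txt twice.

```shell
#!/bin/sh
# Added example, not eApps' or OPNsense's own code: automates the client-side
# steps of the CentOS 7 / CentOS 6 / Debian procedures for one exported Archive.
# Assumptions: the archive is already unzipped into $src_dir (OPNsense-udp-1194/),
# the real run happens as root, and only POSIX sh, sed, find and grep are needed.

# Install the exported .crt/.key/.ovpn under $dest_dir as $name.conf and write the
# credentials to auth.txt. umask 077 inside the subshell body means every file is
# created mode 600, so the password is never group- or world-readable, even briefly.
install_ovpn_client() (
  src_dir=$1 dest_dir=$2 name=$3 vpn_user=$4 vpn_pass=$5
  umask 077
  mkdir -p "$dest_dir"
  cp "$src_dir"/*.crt "$src_dir"/*.key "$dest_dir"/
  cp "$src_dir"/*.ovpn "$dest_dir/$name.conf"   # the export holds exactly one .ovpn
  printf '%s\n%s\n' "$vpn_user" "$vpn_pass" > "$dest_dir/auth.txt"
  # Point auth-user-pass at the file. Anchoring on the bare directive keeps the edit
  # idempotent; an unanchored substitution would append "auth.txt" again on each run.
  sed 's/^auth-user-pass[[:space:]]*$/auth-user-pass auth.txt/' \
      "$dest_dir/$name.conf" > "$dest_dir/$name.conf.tmp"
  mv "$dest_dir/$name.conf.tmp" "$dest_dir/$name.conf"
  chmod 600 "$dest_dir"/*
)

# Copy the distribution's template unit ($1) to a descriptive name ($2) and drop
# --nobind, as the CentOS 7 steps do: the exported profile contains "lport 0", and
# OpenVPN does not accept a local port setting together with --nobind.
install_service_unit() {
  sed 's/--nobind //g' "$1" > "$2"
}

# Return 0 when the profile is usable: config and auth file exist, the config
# references auth.txt, and no file in $dest_dir is readable by group or others.
verify_ovpn_client() {
  dest_dir=$1 name=$2
  [ -f "$dest_dir/$name.conf" ] && [ -f "$dest_dir/auth.txt" ] || return 1
  grep -q '^auth-user-pass auth.txt$' "$dest_dir/$name.conf" || return 1
  [ -z "$(find "$dest_dir" -type f ! -perm 600)" ]
}

# Usage on the server (CentOS 7 paths shown; use /etc/openvpn on CentOS 6 / Debian):
#   sh install-vpn-client.sh OPNsense-udp-1194 /etc/openvpn/client appserver1 USER PASS
#   then, on CentOS 7 only:
#   install_service_unit /usr/lib/systemd/system/openvpn-client@.service \
#                        /usr/lib/systemd/system/corporate-vpn@.service
if [ "$#" -ge 5 ]; then
  install_ovpn_client "$1" "$2" "$3" "$4" "$5" && verify_ovpn_client "$2" "$3" \
    && echo "profile $3 installed in $2; enable and start the service next"
fi
```

Run it once per server after unzipping the export, then continue with the systemctl (or chkconfig and service) commands from the matching section above. `verify_ovpn_client` is the check worth keeping around: it fails if any file under the OpenVPN directory has drifted from mode 600, which is the condition the chmod step exists to guarantee.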
Windows 2016 and Windows 2012
Install the OpenVPN client by downloading the .exe file from https://openvpn.net/index.php/open-source/downloads.html. It is in the Installer, Windows Vista and later row.
Extract the files from the .zip archive you downloaded from your VPN Appliance to C:\Program Files\OpenVPN\config
Open Notepad and type your username in the first line, and your password in the second line. Save it as auth.txt in the C:\Program Files\OpenVPN\config directory. The final file should be C:\Program Files\OpenVPN\config\auth.txt
Right click your .ovpn file in C:\Program Files\OpenVPN\config and click Open with... to open it with Notepad. Edit the file to add auth.txt to the end of the auth-user-pass line. If your file displays everything in a single line, you can break it up into multiple lines for better formatting. Here is an example file for your reference:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
reneg-sec 0
resolv-retry infinite
remote OPNSENSE_PUBLIC_IP 1194 udp
lport 0
auth-user-pass auth.txt
ca OPNsense-udp-1194-ca.crt
tls-auth OPNsense-udp-1194-tls.key 1
ns-cert-type server
comp-lzo adaptive
Save the file and start the OpenVPN GUI. You can do this by clicking the icon on your desktop or right clicking the OpenVPN GUI icon on your taskbar then clicking Connect. It should connect without prompting for a username or password.
Do not confuse it with the network system tray icon. The network system tray icon is a computer with an ethernet cable, while the OpenVPN GUI icon is a computer with a lock icon.
Open PowerShell or Command Prompt and type services.msc. Press ENTER.
In the Services window, right click on OpenVPNService and click on Properties.
Select Automatic from the Startup type dropdown.
Click Apply.
Click OK.
Note that the next time the server boots, OpenVPN will connect automatically. If you connect to your Windows server via Remote Desktop and check the OpenVPN GUI status icon, you will NOT see it connected. This is intended since the service is actually running as a system service in the background. You can check you have an IP from the private IP pool you selected above by opening PowerShell or Command Prompt and issuing the ipconfig command. The output should look something like this:
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7883:c593:fc38:46ec%15
IPv4 Address. . . . . . . . . . . : 172.16.0.22
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
Plesk
Follow the above VPN setup instructions depending on the operating system your Plesk control panel is installed on.
To be able to manage the new private IP through Plesk, log in to your Plesk panel and navigate to Tools & Settings -> IP Addresses. Click Reread IP and the IP address will be added to the list of available IP addresses. You can now host a website, set up email, and use any other Plesk function with this IP address.
cPanel/WHM
Follow the above VPN setup instructions depending on the operating system your cPanel/WHM control panel is installed on.
To be able to manage the new private IP through cPanel/WHM, log in to your WHM administration panel and navigate to Home -> IP Functions -> Rebuild the IP Address Pool. Click Proceed and the IP address will be added to the list of available IP addresses. You can now host a website, set up email, and use any other cPanel/WHM function with this IP address.