Thursday 16 December 2021

OpenVPN 2.x auto setup on Linux - RHEL8

OpenVPN open source: the OpenVPN CLI program

The open source project client program can also connect to the Access Server. The package is available in most distributions and is known simply as openvpn. It supports the option to connect to multiple OpenVPN servers simultaneously, and it comes with a service component that can automatically and silently start any auto-login profiles it finds in the /etc/openvpn folder, even before a user has logged in. This service component can be set to automatically start at boot time with the tools available in your Linux distribution if supported. On Ubuntu and Debian, when you install the openvpn package, it is automatically configured to start at boot time.


To install the OpenVPN client on Linux, it is possible in many cases to just use the version that is in the software repository for the Linux distribution itself. If you run into any connectivity problems when using outdated software, it may be due to a possible lack of support for higher TLS versions in older versions of OpenVPN. Follow the instructions found on the open source openvpn community wiki if you wish to install the OpenVPN client on your Linux system.


After installing, you will need a connection profile. This is a file generated by your OpenVPN Access Server installation for your specific user account. It contains the required certificates and connection settings. Go to the Client web interface of your Access Server (the main address, not the /admin portion). Log in with your user credentials. You will be shown a list of files available to you for download. Pick the user-locked profile or the auto-login profile, and you will be sent a client.ovpn file. Save this file to your Linux operating system somewhere. OpenVPN Access Server supports server-locked, user-locked, and auto-login profiles, but the OpenVPN command line client is only able to connect with user-locked or auto-login connection profiles.


We are assuming you are going to start the connection either from the command line as the root user, or via the service daemon. If you want unprivileged users to be able to make a connection, take a look at the community wiki for more information on how to implement that. Here we are going to focus on the simplest implementation: run the connection as the root user directly, or via the service daemon.


Start a connection with an auto-login profile manually:


openvpn --config client.ovpn

Start a connection with a user-locked profile manually:


openvpn --config client.ovpn --auth-user-pass

If you use Google Authenticator or another extra authentication factor, add the auth-retry parameter:


openvpn --config client.ovpn --auth-user-pass --auth-retry interact

To start an auto-login connection via the service daemon, place client.ovpn in /etc/openvpn/ and rename it so that it ends with the .conf file extension. Ensure the service daemon is enabled to run after a reboot, and then simply reboot the system. The auto-login profile will be picked up automatically and the connection will start by itself. You can verify this by checking the output of the ifconfig command (or ip a); you should see a tun0 network adapter in the list.
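The procedure above (copy the profile into /etc/openvpn under a .conf name, enable the openvpn@<name> template instance, confirm that a tun interface came up), collected into a small POSIX shell helper. This is an added example, not code from the original post or from the OpenVPN project. It assumes the openvpn@.service template that ships with the RHEL/EPEL openvpn package, where the instance name is the .conf file name under /etc/openvpn; the function names, the OPENVPN_DIR override and the sample profile contents in the comments are my own. It adds two checks the procedure implies but does not spell out: a user-locked profile (a bare auth-user-pass directive) is refused, because started by systemd at boot it would sit forever at the username/password prompt, and the installed .conf is made readable only by root, because an auto-login profile embeds the client's private key.

```shell
#!/bin/sh
# Added example (not from the original post): deploy an OpenVPN 2.x profile
# as a systemd-managed auto-login connection on RHEL8.
# Assumption: openvpn@.service template from the EPEL openvpn package,
# instance name == file name under /etc/openvpn without the .conf suffix.

# Directory the openvpn@.service template reads from (override for testing).
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# Classify a profile. A user-locked profile carries a bare 'auth-user-pass'
# directive (no credentials file argument), so it prompts for credentials
# and cannot start unattended at boot. Anything else is treated as
# auto-login (embedded key, or auth-user-pass with a credentials file).
classify_profile() {
    if grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]*$' "$1"; then
        echo "user-locked"
    else
        echo "auto-login"
    fi
}

# Derive the systemd instance name from the profile file name:
#   /tmp/pok_zone10015-onsite.ovpn -> pok_zone10015-onsite
# Only a conservative character set is accepted, so the name is safe to
# embed in a unit name and a file path.
instance_name() {
    name=$(basename "$1")
    name="${name%.ovpn}"
    name="${name%.conf}"
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "unsafe profile name: $name" >&2; return 1 ;;
    esac
    echo "$name"
}

# Install an auto-login profile as $OPENVPN_DIR/<instance>.conf, mode 0600,
# owned by the invoking (root) user, since it embeds the client private key.
# Prints the unit name to enable on success; refuses user-locked profiles.
install_profile() {
    src="$1"
    inst=$(instance_name "$src") || return 1
    if [ "$(classify_profile "$src")" != "auto-login" ]; then
        echo "refusing: $src is user-locked; start it interactively instead" >&2
        return 1
    fi
    install -m 0600 "$src" "$OPENVPN_DIR/$inst.conf" || return 1
    echo "openvpn@$inst"
}

# Return 0 if a tun interface is UP in the given 'ip -o link show' output.
# The output is passed as $1 so a captured snapshot can be checked too.
tun_up() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: tun[0-9]+: <([^>]*,)?UP(,|>)'
}

# Usage (as root): sh deploy-openvpn.sh /path/to/client.ovpn
# With no argument the file only defines the functions, so it can be sourced.
if [ "${1:-}" ]; then
    unit=$(install_profile "$1") || exit 1
    systemctl enable --now "$unit" || exit 1
    sleep 3
    if tun_up "$(ip -o link show)"; then
        echo "tunnel is up ($unit)"
    else
        echo "no tun interface yet; check: systemctl status $unit" >&2
        exit 1
    fi
fi
```

For an interactive user-locked connection (the --auth-user-pass commands above), the warning that appears in the journal output later on this page is addressed by adding --auth-nocache to the openvpn command line, so the password is discarded from process memory once the TLS handshake has completed and is re-prompted for on renegotiation.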


[root@openvpn]# systemctl enable openvpn@pok_zone10015-onsite

Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@pok_zone10015-onsite.service to /usr/lib/systemd/system/openvpn@.service.

[root@openvpn]# systemctl stop openvpn@pok_zone10015-onsite

[root@openvpn]# systemctl start openvpn@pok_zone10015-onsite

Enter Auth Username: sachin@yahoo.com

Enter Auth Password: ********************

[root@openvpn]#



[root@ibmgpu07]# systemctl stop openvpn@pok_zone10015-onsite


[root@ibmgpu07 openvpn]# shutdown -r now

login as: root

root@ibmgpu07.eng.platformlab.ibm.com's password:

Last login: Mon Sep  6 06:47:18 2021 from 9.195.45.219

[root@ibmgpu07 ~]# systemctl status openvpn@pok_zone10015-onsite

● openvpn@pok_zone10015-onsite.service - OpenVPN Robust And Highly Flexible Tunneling Application On pok_zone10015/onsite

   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)

   Active: active (running) since Mon 2021-09-06 07:55:40 EDT; 14min ago

 Main PID: 2398 (openvpn)

   Status: "Initialization Sequence Completed"

   CGroup: /system.slice/system-openvpn.slice/openvpn@pok_zone10015-onsite.service

           └─2398 /usr/sbin/openvpn --cd /etc/openvpn/ --config pok_zone10015-onsite.conf


Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 ROUTE_GATEWAY 9.21.55.2/255.255.255.0 IFACE=eno1 HWADDR=40:f2:e9:03:2c:0a

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 TUN/TAP device tun0 opened

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 TUN/TAP TX queue length set to 100

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 /sbin/ip link set dev tun0 up mtu 1500

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 /sbin/ip addr add dev tun0 10.255.15.2/24 broadcast 10.255.15.255

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 /sbin/ip route add 10.20.160.0/22 via 10.255.15.1

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocach...vent this

Sep 06 07:55:42 ibmgpu07 openvpn[2398]: Mon Sep  6 07:55:42 2021 Initialization Sequence Completed

Hint: Some lines were ellipsized, use -l to show in full.

[root@ibmgpu07 ~]# ps -ef | grep openvpn

root      2398     1  0 07:55 ?        00:00:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config pok_zone10015-onsite.conf

root      3894  3698  0 08:10 pts/0    00:00:00 grep --color=auto openvpn

[root@ibmgpu07 ~]# ip a | grep tun

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100

    inet 10.255.15.2/24 brd 10.255.15.255 scope global tun0

[root@ibmgpu07 ~]#

==========================

Reference:

https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/

https://forums.openvpn.net/viewtopic.php?t=27419

https://openvpn.net/blog/openvpn-3-linux-and-auth-user-pass/
