18 Mar

VPN Ports

 

PPTP:
To allow PPTP tunnel maintenance traffic, open TCP 1723.
To allow PPTP tunneled data to pass through the router, permit IP protocol 47 (GRE). This is a protocol number, not a port.

L2TP over IPsec:
To allow Internet Key Exchange (IKE), open UDP 500.
To allow IPsec NAT Traversal (NAT-T), open UDP 4500.
To allow L2TP traffic, open UDP 1701. Note that when L2TP rides inside IPsec, the L2TP packets are encrypted in ESP (or in UDP 4500 with NAT-T), so a firewall in front of the headend never sees UDP 1701; opening it only matters where L2TP runs without IPsec or the filter sits on the headend itself.

OpenVPN:

OpenVPN listens on UDP 1194 by default, or TCP 1194 when the server is configured for TCP:

Here is the Cisco access list (named keywords: gre = IP protocol 47, pptp = TCP 1723, isakmp = UDP 500, non500-isakmp = UDP 4500):

permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701

IKE (ISAKMP) runs over UDP 500. If either peer sits behind NAT, NAT traversal (NAT-T) is negotiated and both IKE and the encapsulated ESP traffic move to UDP 4500, so that port must be open as well.

If there is no NAT in the path, UDP 500 alone carries IKE.

For Phase 2 (the IPsec SAs carrying the actual data) the firewall must also pass the data protocol, and these are IP protocol numbers, not ports: ESP is IP protocol 50 and AH is IP protocol 51. The access list above permits IKE and NAT-T but not protocol 50, so IPsec data would not pass through it without an entry for ESP.

AH authenticates the outer IP header, including the source address, so it breaks under any form of IPv4 NAT and is rarely used in a transform set; in practice a headend needs ESP (protocol 50) or, behind NAT, UDP 4500.

Common Cisco ACL for allowing VPN traffic to a headend (replace [IPSec Headend] with its address):

remark Allow VPN Traffic
remark IKE/ISAKMP (500) and NAT-T (4500)
permit udp any host [IPSec Headend] eq 500
permit udp any host [IPSec Headend] eq 4500
remark IPsec data: ESP (50) and AH (51)
permit 50 any host [IPSec Headend]
permit 51 any host [IPSec Headend]
remark GRE (47), used by PPTP; SKIP (57)
permit 47 any host [IPSec Headend]
permit 57 any host [IPSec Headend]
deny   ip any host [IPSec Headend]
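A quick way to check an access list against the requirements in this post is to parse it and compare what it permits with what each VPN type needs. The script below is an added example, not code from the original post; it reads the two access lists above (with 203.0.113.10 standing in for [IPSec Headend]) and reports, per VPN type, which ports or IP protocols are still missing. It shows something the lists alone do not make obvious: the first list never permits ESP, and the headend list covers plain IPsec but not PPTP's TCP 1723 or OpenVPN.

```python
"""Audit a Cisco-style ACL against the VPN port list above (added example,
not code from the original post). Handles the entry forms used on this page:
"permit <tcp|udp> <src> <dst> eq <port>", "permit <proto> <src> <dst>" and
"permit ip ...". "remark" and "deny" lines open nothing and are skipped."""
from typing import Dict, FrozenSet, List, Set, Tuple

Entry = Tuple[str, int]  # ("tcp"|"udp", dst port) or ("ip", protocol number); 0 = any

# Cisco IOS keywords that may stand in for a number.
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}
NAMED_PROTOCOLS = {"gre": 47, "esp": 50, "ahp": 51}

# Perimeter requirements for each VPN type, as listed on this page.
REQUIRED: Dict[str, FrozenSet[Entry]] = {
    "PPTP": frozenset({("tcp", 1723), ("ip", 47)}),
    "L2TP/IPsec": frozenset({("udp", 500), ("udp", 4500), ("udp", 1701), ("ip", 50)}),
    "IPsec": frozenset({("udp", 500), ("udp", 4500), ("ip", 50)}),
    "OpenVPN": frozenset({("udp", 1194), ("tcp", 1194)}),
}


def _skip_address(tokens: List[str], i: int) -> int:
    """Index just past an address spec: 'any' (1 token) or 'host A' / 'A mask' (2)."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] == "any" else i + 2


def parse_acl(text: str) -> Set[Entry]:
    """Return what the permit entries open, as (proto, number) pairs."""
    permitted: Set[Entry] = set()
    for raw in text.splitlines():
        tokens = raw.strip().lower().split()
        if tokens and tokens[0].isdigit():   # tolerate a leading sequence number
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] != "permit":
            continue                         # blank, remark, deny or malformed
        proto = tokens[1]
        if proto == "ip":
            permitted.add(("ip", 0))         # every protocol and every port
        elif proto in ("tcp", "udp"):
            i = _skip_address(tokens, 2)     # source address
            if i < len(tokens) and tokens[i] == "eq":
                i += 2                       # source-port match: not what we audit
            i = _skip_address(tokens, i)     # destination address
            if i + 1 < len(tokens) and tokens[i] == "eq":
                t = tokens[i + 1]
                permitted.add((proto, int(t) if t.isdigit() else NAMED_PORTS[t]))
            else:
                permitted.add((proto, 0))    # no port qualifier: all ports
        elif proto.isdigit():
            permitted.add(("ip", int(proto)))
        else:
            permitted.add(("ip", NAMED_PROTOCOLS[proto]))
    return permitted


def missing_rules(acl_text: str, vpn: str) -> List[Entry]:
    """Entries that REQUIRED[vpn] needs but the ACL does not permit, sorted."""
    have = parse_acl(acl_text)
    if ("ip", 0) in have:
        return []

    def covered(e: Entry) -> bool:
        return e in have or (e[0] != "ip" and (e[0], 0) in have)

    return sorted(e for e in REQUIRED[vpn] if not covered(e))


# The two access lists from this post; 203.0.113.10 stands in for "[IPSec Headend]".
FIRST_ACL = """\
permit gre any any
permit tcp any any eq 1194
permit udp any any eq 1194
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 5500
permit tcp any any eq 1723
permit udp any any eq 1701
"""
HEADEND_ACL = """\
remark Allow VPN Traffic
permit udp any host 203.0.113.10 eq 500
permit udp any host 203.0.113.10 eq 4500
permit 50 any host 203.0.113.10
permit 51 any host 203.0.113.10
permit 47 any host 203.0.113.10
permit 57 any host 203.0.113.10
deny   ip any host 203.0.113.10
"""

if __name__ == "__main__":
    for name, acl in (("first list", FIRST_ACL), ("headend list", HEADEND_ACL)):
        for vpn in REQUIRED:
            gaps = missing_rules(acl, vpn)
            print(f"{name:12} {vpn:11} {'ok' if not gaps else 'missing ' + str(gaps)}")
```

The parser deliberately treats a "permit ip" entry as opening everything and ignores source-port matches, because only destination ports and IP protocol numbers decide whether the headend is reachable; a real audit would also check the order of entries, since the first match wins.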

13 Jan

OpenVPN Access Server Essential Guide


VPN Mode (Layer 2 or Layer 3)


Layer 2 = uses a TAP interface and bridges your LAN to the VPN client, so the client sits in the same segment as the LAN and LAN broadcasts work across the tunnel. This mode is considered legacy, and only the Windows VPN client supports it.

Layer 3 = uses a TUN interface; VPN clients are assigned addresses from a separate pool and are routed (or NATed) to the LAN rather than bridged into it. This gives better control, and most enterprise VPN deployments use it.


 

Create VPN User

By default, OpenVPN Access Server authenticates against PAM, so adding a VPN user is simply a matter of adding a user on the Linux server:

root@advanxer:~# useradd nas
root@advanxer:~# passwd nas
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

If you tick "Allow Auto-login" for the user in the Admin UI, the client connects without prompting for a username or password, which is useful for automation. The autologin profile then carries the user's client certificate and private key, so whoever holds the file can connect as that user.

Generate and download OpenVPN profile

Go to https://serverip and choose "Login" rather than "Connect": Login takes you to the page where the VPN profile can be downloaded, while Connect starts the VPN from the browser.
Click "Yourself (autologin profile)" and store the downloaded profile securely; it is a credential.

Connect to the VPN server using the CLI

Transfer the client profile to your box (in this example, my OpenWrt router) via SCP. The openvpn binary must be installed beforehand.

root@OpenWrt:~# openvpn --config client.ovpn

If you see Initialization Sequence Completed, the tunnel is up. You can verify with ifconfig: a new tun0 interface should be present.
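Before copying an autologin profile around, it is worth seeing what it actually contains. The checker below is an added example, not code from this post or from OpenVPN Access Server. It parses the profile's remote lines (the ports a firewall has to allow), the dev line (TAP versus TUN, as discussed under VPN Mode above) and the inline certificate and key blocks, and flags a profile as autologin when it embeds a client key and has no auth-user-pass line, in which case the file itself is the credential. The two profiles it reads are constructed samples with placeholder PEM bodies, and vpn.example.org is an assumed hostname.

```python
"""Summarise an OpenVPN client profile (.ovpn) before deploying it (added
example, not code from the post or from OpenVPN Access Server). Recognises
the directives that matter for this guide: remote/proto, dev (tun or tap),
auth-user-pass, and the inline <ca>/<cert>/<key>/<tls-auth>/<tls-crypt>
blocks that an autologin profile carries."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\s*(.*?)\s*</\1>", re.S)


@dataclass
class ProfileSummary:
    remotes: List[Tuple[str, int, str]]   # (host, port, proto)
    dev: Optional[str]
    inline_blocks: List[str]
    requires_password: bool               # profile has auth-user-pass
    autologin: bool                       # embedded client key and no password prompt
    warnings: List[str] = field(default_factory=list)


def parse_profile(text: str) -> ProfileSummary:
    blocks = [name for name, _ in INLINE_BLOCK.findall(text)]
    body = INLINE_BLOCK.sub("", text)     # PEM lines must not be read as directives
    remotes: List[Tuple[str, int, Optional[str]]] = []
    default_proto, dev, requires_password = "udp", None, False
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) > 1:
            port = int(parts[2]) if len(parts) > 2 else 1194
            remotes.append((parts[1], port, parts[3] if len(parts) > 3 else None))
        elif parts[0] == "proto" and len(parts) > 1:
            default_proto = parts[1]
        elif parts[0] == "dev" and len(parts) > 1:
            dev = parts[1]
        elif parts[0] == "auth-user-pass":
            requires_password = True
    # "proto" may appear after the remote lines, so resolve protocols at the end.
    resolved = [(h, p, pr or default_proto) for h, p, pr in remotes]
    autologin = "key" in blocks and not requires_password
    warnings = []
    if autologin:
        warnings.append("autologin profile: the embedded client key is the only credential; "
                        "keep the file private (chmod 600) and revoke the user if it leaks")
    if dev is not None and dev.startswith("tap"):
        warnings.append("dev tap: Layer 2 bridging is a legacy mode; prefer tun")
    if "tls-auth" not in blocks and "tls-crypt" not in blocks:
        warnings.append("no tls-auth/tls-crypt block: the server answers TLS handshakes "
                        "from anyone, with no pre-shared HMAC gate in front")
    if not resolved:
        warnings.append("no remote directive: nothing to connect to")
    return ProfileSummary(resolved, dev, blocks, requires_password, autologin, warnings)


# Constructed sample profiles with placeholder PEM bodies (not real keys);
# vpn.example.org is an assumed hostname.
AUTOLOGIN_TUN = """\
# Access Server style autologin profile (constructed sample)
client
dev tun
proto udp
remote vpn.example.org 1194 udp
remote vpn.example.org 443 tcp
nobind
key-direction 1
<ca>
PLACEHOLDER-CA-CERT
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT
</cert>
<key>
PLACEHOLDER-CLIENT-PRIVATE-KEY
</key>
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
"""
USERLOCKED_TAP = """\
client
dev tap
remote vpn.example.org 1194
auth-user-pass
<ca>
PLACEHOLDER-CA-CERT
</ca>
"""

if __name__ == "__main__":
    for label, text in (("autologin", AUTOLOGIN_TUN), ("user-locked", USERLOCKED_TAP)):
        s = parse_profile(text)
        print(label, s.dev, s.remotes, "autologin" if s.autologin else "password required")
        for w in s.warnings:
            print("  !", w)
```

Run it against a downloaded profile by reading the file into parse_profile; the remotes it lists are exactly the ports that the VPN Ports post above says must be open, and an autologin result means the file should be treated like an SSH private key.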

08 Jan

Install OpenVPN Access Server (Debian/Ubuntu)

All configuration here is performed on a Virtual Private Server (VPS). If you intend to use a VPS, make sure your provider supports and enables the TUN/TAP module in your container. For the following example I'm using a Ramnode VPS (affiliate link) because of their good support, you can enable and disable TUN/TAP yourself, and their price is relatively cheap. I'm subscribed to their OpenVZ SSD VPS (128MB RAM, 10GB SSD space) for 20.40 USD annually (USD 1.70 per month). Don't forget to enter the promotional code RN15OFF for a 15% recurring discount on your VPS price.

Enable TUN/TAP

Go to your VPS Control Panel, and at the bottom you will see an option to enable TUN/TAP module. Turn it on and reboot your VPS.

Once it has booted, check whether the module is enabled by running:

root@advanxer:~# cat /dev/net/tun

If you get cat: /dev/net/tun: File descriptor in bad state, the TUN/TAP device is ready for use: the error is expected, because the device exists but has to be set up with an ioctl before it can be read.
If you get No such device, the TUN/TAP device was not created.

Download and Install OpenVPN Access Server

Go to the OpenVPN Access Server download page and select your architecture. I'm using Debian 7 32-bit.

root@advanxer:/home# wget http://swupdate.openvpn.org/as/openvpn-as-2.0.3-Debian7.i386.deb

Install the package:

root@advanxer:/home# dpkg -i openvpn-as-2.0.3-Debian7.i386.deb

Set the password of the openvpn account, which the package creates as the Admin UI administrator (it authenticates through PAM, so this Linux password is the admin login):

root@advanxer:/home#  passwd openvpn

You can now reach the OpenVPN web interfaces at:
Admin UI: https://serverip:943/admin
Client UI: https://serverip:943/
Both listen on TCP 943 (on all interfaces unless you chose otherwise during installation), so restrict access to port 943 to trusted addresses at the firewall and set the admin password before exposing the server.
