TIPS Install OpenVPN on IncrediblePBX 13-13

Discussion in 'Open Discussion' started by Kurt Mullen, Apr 6, 2019.

  1. dicko

    dicko Still learning but earning

    Joined:
    Oct 30, 2015
    Messages:
    590
    Likes Received:
    211
    I would run the script as

    bash -x openvpn-install.sh

    Override the whining about old OS's and see what stalls (likely unbound or somesuch)
     
  2. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    It's pretty obvious where the failings will be. No need to run it. All the systemd-isms would need to be addressed. The iptables stuff would need to be integrated into the IPBX model. Other than those, it's probably about 90+%.
     
    #22 jerrm, Apr 9, 2019
    Last edited: Apr 15, 2019 at 8:16 PM
  3. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
  4. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    I took some time to add CentOS6 support to @dicko's linked script, but I commented out all the iptables stuff. Looks like it works, but I need to test on a clean machine.

    @wardmundy, from the IPBX perspective, what would you consider the primary purpose if OpenVPN was added?

    The linked script assumes all client traffic is pushed through the VPN. Probably not desirable by default. An endpoint or management pc could connect to many open internet devices and we wouldn't want that traffic passing through the pbx - from both a security and performance perspective.

    If the purpose is for endpoints and management, do we need to worry about pushing local dns at all - or could we just point to the server's openvpn ip? What does the current neorouter setup do?
     
  5. KNERD

    KNERD Member

    Joined:
    Mar 9, 2014
    Messages:
    86
    Likes Received:
    14

    You are a bit correct, it is sort of outdated. I missed the Easy RSA part, and one other thing about the epel repo. All they have to do is use the guide for CentOS 7 on the Easy RSA part, and the rest will work on the CentOS 6 guide.

    All they have to do is follow the CentOS 7 guide parts about Easy RSA and doing "yum install epel-release". The rest of the setup is the same.
     
  6. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    But a tutorial shouldn't require someone to hunt around and piece together different parts of various tutorials. At the end of the day it doesn't work and contributes to the "OpenVPN is difficult" atmosphere.

    It's not just D.O. None of the CentOS 6 links I looked at were current.

    It's just the nature of moving technology and trying to use an eight year old distro that has had multiple updates since most of the tutorials were written (and abandoned).
     
    wardmundy likes this.
  7. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    Since this only becomes painful for the OpenVPN Server component, I threw in the towel and used https://github.com/angristan/openvpn-install with CentOS 7 and Vultr. It's a star platform as designed so you're going to want the server component on a public server somewhere with a static IP address.

    This install still ASS-U-MEs some basic familiarity with OpenVPN, but it works like a champ, and you can use the server platform to build all the client config files for any OS including CentOS 6. Very slick and easy... finally. I took good notes on what was missing. We'll put together a tutorial in coming weeks that adds the few pieces that were not discussed or addressed in the install script.

    Wondering out loud why we couldn't host the server platform and let users rely upon TM3 to whitelist the private OpenVPN client IP addresses that actually belong to them. I guess the wrinkle would be SIP phones that don't have native firewall protection. Perhaps we could use passwords for those VPN clients. Any thoughts??
     
    #27 wardmundy, Apr 9, 2019
    Last edited: Apr 9, 2019
    dicko likes this.
  8. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    Do you really want that kind of headache if (when) there are problems?

    I have the script running well on CentOS 6. The mods add CentOS 6 support; it should still work on the other platforms.

    I made changes based on how I see the likely functionality if running on the PBX. Basically I don't see this as a path into the internal net, only as a secure tunnel for management and endpoints:
    • add CentOS 6.10 as a supported platform
    • enable the epel repo for yum commands since the IPBX install disables epel
    • removed pushing DNS
    • removed pushing default gateway
    • removed IP forwarding
    • removed nat
    • removed systemd based firewall scripts
    • now only one additional firewall rule accepting the VPN port - inserting it into iptables-custom at the "# custom rules go below here" comment.
    • optionally push route(s) for local adapter subnets - to allow addressing the "internal" IP
    Android and PC softphones, ssh, http, etc all work.

    I'll give it a quick review later today and post what I have.

    Still need to add SL and Raspbian support, but that should be trivial. Need to test with phones. The defaults require a 2.4 client, my guess some phones won't be that current. Probably need to work out an easy menu option to allow 2.2 or 2.3 clients.
     
  9. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    @jerrm: Echoing the following two rules to the end of /usr/local/sbin/iptables-custom should satisfy the firewall requirements. And then just iptables-restart.
    Code:
    echo "/usr/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT" >> /usr/local/sbin/iptables-custom
    echo "/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" >> /usr/local/sbin/iptables-custom
    
    And hosting for others wouldn't work since this is a Class C network with only 254 usable IP addresses (10.8.0.1 to 10.8.0.254).

    EDIT: I think it could be changed to Class B network with 65,534 IP addresses (10.8.0.1 to 10.8.255.254) by making the following change in /etc/openvpn/openvpn.conf:
    Code:
    server 10.8.0.0 255.255.0.0
    But see the tips in this article for practical limitations and how to avoid problems. 254 seems like a safe maximum with a beefy server.

    Current Connected Client List:
    Code:
    cat /var/log/openvpn/status.log | grep 10.8
    
     
    #29 wardmundy, Apr 11, 2019
    Last edited: Apr 11, 2019
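    Two helpers for the steps in this post, written as an added example (not code from the thread, from wardmundy's tutorial or from the IncrediblePBX project): appending the firewall rule to iptables-custom without stacking a duplicate each time the setup is re-run (a plain `echo >>` does stack them), and reading the connected-client list from the status log by its CLIENT LIST and ROUTING TABLE sections rather than a bare `grep 10.8`, which only matches the routing table rows. The function names, the sample status log and the stand-in iptables-custom file are constructed for the demo; the MASQUERADE rule is shown only in a comment because it matters only when the server forwards client traffic.

```shell
#!/bin/sh
# Added example; not code from the thread or from the IncrediblePBX project.
#   add_rule_once FILE RULE   append RULE to FILE only if that exact line is
#                             absent, so re-running setup does not stack
#                             duplicate iptables rules
#   openvpn_clients LOGFILE   print connected clients from an OpenVPN
#                             status-version 1 log, joining the CLIENT LIST
#                             and ROUTING TABLE sections: common name,
#                             tunnel IP, real address, connected since

add_rule_once() {
    file=$1
    rule=$2
    # -x whole line, -F fixed string: a match means the rule is already there
    if ! grep -qxF -- "$rule" "$file" 2>/dev/null; then
        printf '%s\n' "$rule" >> "$file"
    fi
}

openvpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { section = "clients"; next }
        /^ROUTING TABLE/       { section = "routes";  next }
        /^GLOBAL STATS/        { section = "";        next }
        # CLIENT LIST rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        section == "clients" && NF == 5 && $1 != "Common Name" {
            real[$1] = $2; since[$1] = $5; order[++n] = $1
        }
        # ROUTING TABLE rows: Virtual Address,Common Name,Real Address,Last Ref
        section == "routes" && NF == 4 && $1 != "Virtual Address" {
            vip[$2] = $1
        }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                printf "%s %s %s %s\n", cn, ((cn in vip) ? vip[cn] : "-"), real[cn], since[cn]
            }
        }
    ' "$1"
}

# --- demo on constructed files (no real PBX is touched) ---------------------
SAMPLE_CUSTOM=$(mktemp)
SAMPLE_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_CUSTOM" "$SAMPLE_STATUS"' EXIT

# stand-in for /usr/local/sbin/iptables-custom
printf '#!/bin/sh\n# custom rules go below here\n' > "$SAMPLE_CUSTOM"
VPN_RULE='/usr/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT'
add_rule_once "$SAMPLE_CUSTOM" "$VPN_RULE"
add_rule_once "$SAMPLE_CUSTOM" "$VPN_RULE"   # second call is a no-op
# The POSTROUTING MASQUERADE rule from the post is only needed when the
# server also forwards client traffic; a management-only tunnel with IP
# forwarding off (as in jerrm's variant) can leave it out.

# constructed status log in OpenVPN's status-version 1 layout
cat > "$SAMPLE_STATUS" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Apr 11 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
phone-lobby,203.0.113.5:51820,12345,67890,Thu Apr 11 09:00:00 2019
laptop-admin,198.51.100.7:1194,4321,8765,Thu Apr 11 09:30:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,phone-lobby,203.0.113.5:51820,Thu Apr 11 09:59:00 2019
10.8.0.3,laptop-admin,198.51.100.7:1194,Thu Apr 11 09:59:30 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

echo "== $SAMPLE_CUSTOM =="; cat "$SAMPLE_CUSTOM"
echo "== connected clients =="; openvpn_clients "$SAMPLE_STATUS"
```

    On a real server, point `openvpn_clients` at /var/log/openvpn/status.log and `add_rule_once` at /usr/local/sbin/iptables-custom, then run iptables-restart as the post says.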
  10. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    More good news. OpenVPN can coexist with NeoRouter so you can have the best of both worlds on your PBX (tested on CentOS and Mac OS X)...
    Code:
    LOCALHOST
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:202908 errors:0 dropped:0 overruns:0 frame:0
              TX packets:202908 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:18326501 (17.4 MiB)  TX bytes:18326501 (17.4 MiB)
    
    NeoRouter
    nrtap     Link encap:Ethernet  HWaddr 6E:BF:BC:FC:8E:44
              inet addr:10.0.0.16  Bcast:10.255.255.255  Mask:255.0.0.0
              inet6 addr: fe80::6cbf:bcff:fefc:8e44/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
              RX packets:97 errors:0 dropped:0 overruns:0 frame:0
              TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:13123 (12.8 KiB)  TX bytes:6237 (6.0 KiB)
    
    OpenVPN
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:3669 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3686 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:3011339 (2.8 MiB)  TX bytes:327460 (319.7 KiB)
    
     
    #30 wardmundy, Apr 11, 2019
    Last edited: Apr 11, 2019
  11. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    Busy week kept me away. Finally got back to the script today. Spun up and tested a clean iso install and Scientific Linux is fine after a version check tweak (as expected). No extensive testing, but it seems to do what I want so far.

    Script is pretty ugly right now - chunks of stuff still commented out until I decide what to add back.

    As previously stated my purpose for this is access to the machine for management and endpoints, not access to the entire internal LAN. I'll probably add that back, but this is just first round.

    Changes from Angristan's script:
    • add CentOS 6 support
    • add Scientific Linux 6 support
    • enable the epel repo for yum commands since the IPBX install disables epel
    • removed pushing DNS
    • removed pushing default gateway
    • removed IP forwarding
    • removed nat
    • removed systemd based firewall scripts - now only one additional firewall rule accepting the VPN port - inserting it into iptables-custom at the "# custom rules go below here" comment
    • push route(s) for local adapter subnets - to allow addressing the "internal" IP
    • add vpn network/prefix input
    • make iptables updates optional
    • place .ovpn profiles into a "server.ovpn" subfolder instead of dumping directly into home folders
    • beginnings of multiple instance support - probably works OK now if you manually edit the SERVER variable but not tested.
    Note: This has not been tested on a CentOS 7 or Ubuntu install. My guess is it should work, but I haven't spun up and tested. Feedback encouraged.

    Raspbian will have to wait for now. The Jessie repos we are stuck with only have OpenVPN 2.3x. Default features in the script require 2.4. Is there a backports repo for Raspbian?

    The script defaults will definitely not work with OpenVPN clients prior to version 2.4. Likely most phones have pre-2.4 versions. Need to add options to allow a server config compatible with earlier clients.

    My to-do list (that may or may not happen):
    • Raspbian support.
    • add back optional forwarding and optional nat for LAN access
    • add back optional dns push (with or without forwarding)
    • add appropriate options to allow earlier OpenVPN clients
     


    #31 jerrm, Apr 13, 2019 at 4:04 PM
    Last edited: Apr 15, 2019 at 5:46 PM
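    The "push route(s) for local adapter subnets" item above is the one piece of server configuration a client needs in order to reach the PBX's internal address without also being handed a default gateway or DNS. As an added example (not jerrm's script and not the Angristan script), the functions below turn an address in CIDR form, as listed by `ip -o -4 addr`, into the `push "route NETWORK NETMASK"` line OpenVPN expects, skipping the loopback and the VPN's own tun/tap interface. The function names and the sample interface list are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from jerrm's script or from the Angristan script.
# Converts local adapter addresses (ADDR/PREFIX) into OpenVPN "push route"
# directives so clients learn only the PBX's local subnets.

# prefix_to_mask PREFIX -> dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_mask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    # top PREFIX bits set: all-ones minus the low (32 - PREFIX) bits
    m=$(( 4294967295 - ((1 << (32 - p)) - 1) ))
    int_to_ip "$m"
}

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# push_route_line ADDR/PREFIX -> push "route NETWORK NETMASK"
# Returns 1 (prints nothing) if the argument is not a valid CIDR.
push_route_line() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no "/" present
    mask=$(prefix_to_mask "$prefix") || return 1
    a=$(ip_to_int "$addr")
    m=$(ip_to_int "$mask")
    net=$(int_to_ip $(( a & m )))
    printf 'push "route %s %s"\n' "$net" "$mask"
}

# push_routes_for: reads "IFACE ADDR/PREFIX" lines on stdin and emits a
# push line per routable interface, leaving out lo and the tunnel itself
push_routes_for() {
    while read -r iface cidr; do
        case $iface in
            lo|tun*|tap*) continue ;;
        esac
        push_route_line "$cidr"
    done
}

# Demo on a constructed interface list (not a capture from a real PBX).
printf '%s\n' 'lo 127.0.0.1/8' 'eth0 192.168.1.20/24' 'eth1 172.16.5.1/16' \
              'tun0 10.8.0.1/24' | push_routes_for
```

    Review what this would emit before dropping it into the server config: an interface with a very short prefix, such as the nrtap adapter at 10.0.0.16/8 in Ward's ifconfig output above, produces a 10.0.0.0/8 route, and every client would then send all of its 10.x traffic into the tunnel.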
  12. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    krzykat likes this.
  13. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    Looks good, but my biggest issue with the default setup is pushing the default gateway.

    In the IPBX context, I don't think most would want all their internet traffic sent over the VPN.

    For dedicated phones it might be OK, but not for management or to run a zoiper/gs wave/whatever client on a smartphone/pc. A few Netflix binges could really dig into the hosting bandwidth, even more so if multiplied by a few users.
     
    #33 jerrm, Apr 15, 2019 at 3:42 PM
    Last edited: Apr 15, 2019 at 5:47 PM
  14. kyle95wm

    kyle95wm Phone Genius Owner

    Joined:
    Apr 16, 2016
    Messages:
    467
    Likes Received:
    84
    Reading through that article, it sounds to me like you're using a standalone server for the VPN. I was expecting something more along the lines of installing the server directly onto the PBX, or am I misunderstanding something?
     
  15. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    You are correct. Ward's setup assumes a separate OpenVPN server with the PBX as a client.

    Try my script to install on the PBX itself. Tested on CentOS6/Scientific Linux 6 with IPBX 13-13. I think it should be OK on CentOS7/SL 7/Ubuntu, but haven't tested. If there are problems let me know.
     
  16. kyle95wm

    kyle95wm Phone Genius Owner

    Joined:
    Apr 16, 2016
    Messages:
    467
    Likes Received:
    84
    Alright, I use version 6 for all my PBXs. Has this been extensively tested?
     
  17. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    Extensively? No.

    I probably installed/removed 30+ times on multiple machines in the course of testing the script. I had two others run through it without issue.

    At the end of the day it makes a one line change to iptables-custom that is easily identified. The other changes can be undone with a "yum -y remove openvpn; rm -rf /etc/openvpn".
     
    wardmundy likes this.
  18. kyle95wm

    kyle95wm Phone Genius Owner

    Joined:
    Apr 16, 2016
    Messages:
    467
    Likes Received:
    84
    And I assume that Ward's steps for renewing the server certificate are more or less the same, apart from an added directory to /etc/openvpn/?
     
  19. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    449
    Likes Received:
    176
    Correct. I used the same script Ward is using as the base for mine. Other than file locations, all the heavy lifting is the same code for now. All of the client config stuff from Ward's tutorial should be the same as well.
     
  20. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,701
    Likes Received:
    2,512
    04/16 UPDATE: We’ve made one change in the Angristan script to adjust client routing. By default, all packets from every client flowed through the OpenVPN server which wasted considerable bandwidth. Our preference is to route client packets destined for the Internet directly to their destination rather than through the OpenVPN server. The sed command added to the base install in the tutorial now does this by adjusting the code generator for client configs.
    Code:
    sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' /root/openvpn-install.sh
    If you’ve already installed and run the Angristan script, your existing clients will be configured differently. Our recommendation is to remove the existing clients, make the change below, and then recreate the clients again by rerunning the script. In the alternative, you can execute the command below to correct future client creations and then run it again on each existing client platform substituting the name of the /root/.ovpn client file for /etc/openvpn/client-template.txt and then restart each of your OpenVPN clients.
    Code:
    sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' /etc/openvpn/client-template.txt
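    The two sed commands above insert a fresh `pull-filter` line every time they are run, so a second pass over the template or a client file leaves two copies. As an added example (not from Ward's tutorial, jerrm's script or the Angristan script), the function below makes the same change only when the filter is not already present, and a second function lists which client profiles in a directory would still accept a pushed default gateway, which is the check to run on each existing client platform mentioned above. The function names and the sample profiles are constructed for the demo; the file paths in the usage note are the ones from the post.

```shell
#!/bin/sh
# Added example; not code from the thread, the tutorial or the Angristan script.
#   ensure_no_redirect_gateway FILE   insert 'pull-filter ignore "redirect-gateway"'
#                                     after the first "tls-client" line, once
#   profiles_missing_filter DIR       print each *.ovpn in DIR lacking that line

FILTER='pull-filter ignore "redirect-gateway"'

# Returns 0 when FILE contains the filter afterwards (added now or already
# there), 1 when FILE has no "tls-client" line to anchor on.
ensure_no_redirect_gateway() {
    f=$1
    if grep -qxF -- "$FILTER" "$f"; then
        return 0                              # already applied: nothing to do
    fi
    grep -qx 'tls-client' "$f" || return 1    # nowhere to insert
    tmp=$(mktemp)
    # awk rather than sed: inserts after the first match only and needs no
    # GNU-only sed syntax
    awk -v filter="$FILTER" '
        { print }
        !done && $0 == "tls-client" { print filter; done = 1 }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"      # cat > keeps the original mode
    rm -f "$tmp"
}

profiles_missing_filter() {
    for p in "$1"/*.ovpn; do
        [ -f "$p" ] || continue
        grep -qxF -- "$FILTER" "$p" || printf '%s\n' "$p"
    done
}

# --- demo on constructed profiles (stand-ins for /etc/openvpn/client-template.txt
#     and the /root/*.ovpn client files) ---------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '%s\n' client 'proto udp' 'remote vpn.example.invalid 1194' 'dev tun' \
              'remote-cert-tls server' tls-client 'verb 3' > "$DEMO_DIR/phone1.ovpn"
printf '%s\n' client 'dev tun' 'verb 3' > "$DEMO_DIR/broken.ovpn"   # no tls-client

ensure_no_redirect_gateway "$DEMO_DIR/phone1.ovpn"
ensure_no_redirect_gateway "$DEMO_DIR/phone1.ovpn"   # second run changes nothing
echo "== phone1.ovpn =="; cat "$DEMO_DIR/phone1.ovpn"
echo "== profiles still accepting a pushed default gateway =="
profiles_missing_filter "$DEMO_DIR"
```

    For the real files, run `ensure_no_redirect_gateway /etc/openvpn/client-template.txt` so future clients get the filter, then `profiles_missing_filter /root` to see which existing /root/*.ovpn files still need the change before restarting those clients.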