OpenVPN 2 is available for Centos from the EPEL repository, so you need to have EPEL enabled.

If you do not have EPEL enabled run:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Installation

To install OpenVPN run:

yum install openvpn lzo -y

Configuration

Setup the SSL CA and keys:

cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/open-rsa

Create and customize the vars file /etc/openvpn/open-rsa/vars, Make sure you change the KEY_ values to your own settings

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/etc/openvpn/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="ZA"
export KEY_PROVINCE="Gauteng"
export KEY_CITY="Johannesburg"
export KEY_ORG="Topdog-software"
export KEY_EMAIL="andrew@topdog.za.net"
export KEY_CN="Topdog-software OpenVPN CA"
export KEY_NAME="tdss"
export KEY_OU="Topdog-software"

Create the keys directory:

mkdir /etc/openvpn/keys

Create the CA:

cd /etc/openvpn/open-rsa
source ./vars
./clean-all
./build-ca

Create the servers SSL certificate (replace vpn.home.topdog-software.com with name of your server):

./build-key-server vpn.home.topdog-software.com

Generate Diffie Hellman parameters:

./build-dh

Create the leases file:

touch /etc/openvpn/ipp.txt

Create the configuration file /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.home.topdog-software.com.crt
key keys/vpn.home.topdog-software.com.key
dh keys/dh1024.pem
cipher AES-128-CBC
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

Create iptables rules to allow traffic through:

*filter
..
..
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT

Enable packet forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Make it permanent add the following to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Your OpenVPN should be ready to go, start OpenVPN:

service openvpn start

Client configuration

Each client requires a certificate & key pairing, lets create one:

./build-key client1.home.topdog-software.com

Copy the client1.home.topdog-software.com.crt, ca.crt and client1.home.topdog-software.com.key files to the OpenVPN keys directory on the client.

Create the client OpenVPN configuration /etc/openvpn/server.conf:

remote vpn.home.topdog-software.com 1194
client 
remote-cert-tls server 
dev tun0 
proto udp
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
float 
ca keys/ca.crt 
cert keys/client1.home.topdog-software.com.crt
key keys/client1.home.topdog-software.com.key
cipher AES-128-CBC
comp-lzo
status /var/log/openvpn-client.log

Static addresses

If you want some clients to get static addresses:

mkdir /etc/openvpn/ccd

Create a client file for each of the clients you want to get a static address in /etc/openvpn/ccd the file name should match the CN in the client certificate.

ifconfig-push 10.0.0.2 10.0.0.1

There are various types of bonding available but i will show how to bond in mode 1 which is active-backup. If your interested in the other available types please refer to the documentation.

In this setup i have two connections to different switches in case one fails the other takes over and services are not disrupted.

Setup bonded interface

Create a file in /etc/modprobe.d called bond.conf and add the following

alias bond0 bonding

Create the bonded interface file /etc/sysconfig/network-scripts/ifcfg-bond0 with the following contents

DEVICE=bond0
IPADDR=xxx.xxx.xxx.xxx
NETMASK=xxx.xxx.xxx.xxx
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="bond0 miimon=80 mode=1"

Modify the interfaces you want to bond to look like:

DEVICE=ethX
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
MASTER=bond0
SLAVE=yes

Restart networking for the changes to take effect:

service network restart

Checking the status

You can check the status of the interface by running:

cat /proc/net/bonding/bond0

This is how you do it for various *nix types.

Debian/Ubuntu/SUSE

mandb

RHEL/CENTOS/SL/Fedora

makewhatis

AIX/Solaris/HP-UX

catman -w

This plugin is not enabled by default to enable it you need to add the following to your ./configure options

--enable-xauth-pam

You do require the pam development headers and libraries on your build machine to successfully compile.

System Configuration

The plugin is configurable in the strongswan.conf file, you are able to change the pam service that is used for authentication.

By default the login pam service is used for authentication.

I will create a new service called ipsec for demonstration.

charon {
    plugins{
        xauth-pam {
            pam_service = ipsec
        }
    }
}

The pam service configuration file is as follows.

#%PAM-1.0
# /etc/pam.d/ipsec
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Now to use PAM authentication in your connections you set for XAuth:

rightauth2=xauth-pam

Hybrid Authentication:

rightauth=xauth-pam

You are good to go and should be able to use any pam module to authenticate your users to your VPN. The options are endless: SQL, LDAP, RADIUS, LOCAL etc.

Related articles

• Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6
• Mac OSX IPSEC VPN via command line using builtin Racoon client
• IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6

With the release of Strongswan 5.0.1 it is no longer the only way to support split tunneling.

Strongswan 5.0.1 introduces the unity plugin which allows for the configuration of split tunneling either using a charon option or using the attr plugin which is enabled by default.

The unity plugin is not enabled by default to enable it you need to add the following to your ./configure options

--enable-unity

Charon option

To enable this option you need to edit the strongswan.conf file and set

charon {
    # ... other options
    cisco_unity = yes
    #...
}

As a client strongswan will install policies only for the received Split-Include attributes and IPsec bypass policies for received Local-LAN attributes.

As a server strongswan will send Split-Include attributes for leftsubnet definitions containing multiple subnets to clients that support the IKEv1 Cisco Unity Extensions.

Attr plugin option

It is also possible to configure split tunneling using the attr plugin. Two new options have been added:

• split-include - Comma-separated list of subnets to tunnel
• split-exclude - Comma-separated list of subnets not to tunnel

charon {
    # ... other options
    split-include = 192.168.1.0/24, 172.16.0.0/16
    split-exclude = 10.128.0.0/16
    #...
}

Related articles

• Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6
• Mac OSX IPSEC VPN via command line using builtin Racoon client
• IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6

In my previous post i described how to setup an IPSEC VPN for use with Iphone, Ipad and Mac OSX IPSEC VPN clients.

This post describes how to enable split tunneling which is supported by the Mac OSX IPSEC client. Although split tunneling is considered insecure there are cases where it is ideal to run split tunnels.

The scenario for this post is that you are connected to a LAN (10.128.0.0/24) with internet access via a gateway on the LAN, you want to connect to a different network 192.168.1.0/24 which is only accessible via VPN, but you want to retain access to resources on the LAN while accessing the remote 192.168.1.0/24 network.

To follow this howto you need to have strongswan rpm with the attr-sql plugin enabled with a sqlite or mysql backed plugin enabled. The EPEL rpm does not support these features at the time of writing. You need to build your own custom strongswan rpm. You can download my spec file and use it to build yourself the rpm.

Installation

Install the rpm

rpm -Uvh strongswan-5.0.0-5.el6.x86_64.rpm

Configuration

Use the following configuration files, if you installation is new refer to my previous post on how to create the certificates

Create strongswan configuration

This strongswan configuration allows you to use both certificates and pre shared keys.

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Add the preshared key to /etc/strongswan/ipsec.secrets

: PSK "very long pre shared key difficlult to guess"

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        esp=aes256-sha256-modp2048,aes256-sha1!
        ike=aes256-sha1-modp1536,aes256-sha512-modp1024,aes256-sha1-modp1024!
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

conn rw-xauth-psk
        leftfirewall=yes
        leftauth=psk
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

Add the attr-sql plugin configuration to /etc/strongswan/strongswan.conf

libhydra {
        plugins {
                attr-sql {
                        database = sqlite:///var/lib/strongswan/ipsec.db
                }
        }
}

Restart the service

Restart the service for the configurations to take effect.

service strongswan restart

Create sql attr Database

Create a sqlite database to store the pool information.

wget http://bit.ly/PyMe08
cat sqlite.sql | sqlite3 /var/lib/strongswan/ipsec.db

Create a database based pool

The pool will store the address range, the split tunnel network (192.168.1.0/24), dns server to assign and a banner.

strongswan pool --add vpnclients --start 192.168.2.0 --end 192.168.2.254 --timeout 48
strongswan pool --addattr dns --server 192.168.1.1 --pool vpnclients
strongswan pool --addattr unity_def_domain --string "example.org" --pool vpnclients
strongswan pool --addattr banner --string "example.org - all activity is monitored" --pool vpnclients
strongswan pool --addattr unity_split_include --subnet "192.168.1.0/255.255.255.0" --pool vpnclients

Testing

Configure your Mac OSX VPN client.

• Launch System preferences then select Network > + > Interface > VPN > VPN Type > Cisco IPSEC > Create

Set the Fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      name.example.org

Now when you connect, you will remain connected to your LAN as well as the remote network 10.128.0.0/24 if you run netstat -rn you will see the 10.128.0.0/24 network being routed via the tunnel interface.

Related articles

• Iphone/Ipad/Mac OSX IPSEC VPN with Strongswan 5 on Centos/RHEL 6
• Mac OSX IPSEC VPN via command line using builtin Racoon client

This howto describes setting up an IPSEC VPN for use with the Iphone, Ipad and Mac OSX VPN clients on Centos/RHEL 6. I am using the 5.x branch of Strongswan which is now the mainline actively maintained branch. At the time of writing the 5.x EPEL package was only available in the testing repo.

The configuration should work both with NAT and without NAT on both sides, if you are NATing on the server side make sure your forward UDP 500 and 4500 to the machine running strongswan.

This howto uses example.org and 192.168.1.0/24 and 192.168.2.0/24 networks for illustration purposes, you need to change these to suit your own setup.

Install

To access the EPEL packages you need to enable the EPEL repo. You are then able to install the strongswan package.

yum install --enablerepo=epel-testing strongswan

Create the required configuration directories

mkdir -p /etc/strongswan/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private}

Configuration

Create a CA

For RSA authentication you need to setup a CA which will issue the certificates to be used by the server and the clients.

cd /etc/pki/tls/misc
./CA -newca
echo 00 > /etc/pki/CA/crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem

Install to strongswan directories

ln -s /etc/pki/CA/cacert.pem /etc/strongswan/ipsec.d/cacerts/
ln -s /etc/pki/CA/crl.pem /etc/strongswan/ipsec.d/crls/

Create the server certificate

Apple clients require that the servers certificate subjectAltName attribute contain either the server IP address or server DNS name. To ensure the server certificate contains the subjectAltName attribute edit the openssl.cnf and set it under the [ usr_cert ] section

For DNS name set it to

subjectAltName=DNS:vpn.example.org

For IP address set it to

subjectAltName=IP:192.168.1.1

Now generate and sign the server certitifcate

./CA -newreq
./CA -sign

Install to strongswan directories.

mv newcert.pem /etc/strongswan/ipsec.d/certs/vpn.example.org.pem
mv newkey.pem /etc/strongswan/ipsec.d/private/vpn.example.org.key

Add the private key password to /etc/strongswan/ipsec.secrets

: RSA vpn.example.org.key "p4ssw0rd"

Create the client certificate

This is the certificate that will be used by you VPN clients ie Ipad/Iphone, edit the openssl.cnf and comment out the subjectAltName attribute setting.

Now generate and sign the client certificate, do this for all the clients you expect to use.

./CA -newreq
./CA -sign
openssl pkcs12 -export -in ipad.example.org.pem -inkey ipad.example.org.key \
 -certfile /etc/pki/CA/cacert.pem -out ipad.p12

You now need to import the CA certificate and the client p12 certificate on to the device. You need to download the Iphone configuration utility and use it to import the certificates to your device.

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Create strongswan configuration

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=192.168.2.0/24

The above setup assumes the network behind the vpn is 192.168.1.0/24 and virtual IP addresses will be assigned to VPN clients from the 192.168.2.0/24 network block.

Enable packet forwarding

If your system is not setup for packet forwarding enable it.

echo 1 > /proc/sys/net/ipv4/ip_forward

Edit /etc/sysctl.conf and set

net.ipv4.ip_forward = 1

Testing

Start strongswan.

service strongswan start

Check /var/log/messages and /var/log/secure for any errors.

Ipad configuration

• Launch Settings then select General > Network > VPN > Add VPN Configuration
• Toggle VPN type to IPSec

Set the Fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      ipad.example.org

A VPN connection should now be possible by toggling VPN to ON under Settings > VPN.

Related articles

• IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6
• Mac OSX IPSEC VPN via command line using builtin Racoon client

error (no valid KEY) resolving 'dlv.isc.org/DNSKEY/IN': 156.154.101.23#53
error (broken trust chain) resolving './NS/IN': 193.0.14.129#53

The issue is caused by the date on the system falling out of sync, which causes DLV validation to fail.

This issue can be fixed by doing the following on Centos / RHEL.

ntpdate ntp.pool.org
hwclock --systohc
rm /var/named/dynamic/managed-keys.bind*
service named restart

Name resolution so now work without any issues.

DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

I previously wrote about setting up DKIM using dkim-milter, dkim-milter has since been depreciated.

We will be using the OpenDKIM implementation Centos, OpenDKIM is a fork of dkim-milter.

Installation

yum install opendkim

Generate the Keys

opendkim-genkey -d <domain_name> -s <selector>

Replace with the domain name you will be signing the mail for, and with a selector name it can be anything (but just one word). The command will create two files.

• .txt - contains the public key you publish via DNS

• .private - the private key you use for signing your email

Create a sub directory in /etc/opendkim/keys to store your key, i prefer to use the domain name as the sub directory name.

# mv <selector>.private /etc/opendkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/opendkim/keys/<domain_name>/<selector>.pem
# chown opendkim.opendkim /etc/opendkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of .txt is the record you need to add to your zone file a sample, is below (it uses default as the selector and example.com as the domain_name)

default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for example.com

Configuration

Edit /etc/opendkim.conf comment out "KeyFile /etc/opendkim/keys/default.private" and uncomment "#KeyTable /etc/opendkim/KeyTable"

Edit the file /etc/opendkim/KeyTable and add your domain using the following format

<selector>._domainkey.<domain_name> <domain_name>:<selector>:/etc/opendkim/keys/<domain_name>/<selector>.pem

Add your servers IP addresses to /etc/opendkim/TrustedHosts

More advanced configuration options can be set in the file /etc/opendkim.conf

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Append the OpenDKIM options to the existing milters if you have other milters already configured.

Start OpenDKIM and restart postfix

# service opendkim start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com, you will receive a response stating if your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details similar to the picture below, you should see signed-by “your domain” if your setup was done correctly.

DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

We will be using the milter implementation of dkim http://dkim-milter.sf.net on centos 5.3.

This howto has been updated to allow for the following.

• Multiple domains using different keys
• Same domain using different selectors
• Selective signing of email

Older versions are provided below for reference.

Installation

I provide Centos rpms for Dkim-milter at http://www.topdog- software.com/oss/ so we will install the latest version.

Install the rpm, ( 32bit and 64bit intel supported )

# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
# rpm --import andrew_topdog-software.com_key.txt
# http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-2.$(uname -i).rpm

Generate the Keys

# dkim-genkey -d <domain_name> -s <selector> -t

Replace with the domain name you will be signing the mail for, and with a selector name it can be anything (but just one word). The command will create two files.

• .txt - contains the public key you publish via DNS

• .private - the private key you use for signing your email

Create a sub directory in /etc/mail/dkim/keys to store your key, i prefer to use the domain name as the sub directory name.

# mv <selector>.private /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chmod 600 /etc/mail/dkim/keys/<domain_name>/<selector>.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/keys/<domain_name>/<selector>.pem

DNS Setup

You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of .txt is the record you need to add to your zone file a sample, is below (it uses default as the selector and topdog-software.com as the domain_name)

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com

Also add this to your zone file. (This sets your policy see http://www.sendmail.org/dkim/wizard for an explanation or refer to the RFC)

_adsp._domainkey    IN  TXT "dkim=unknown"

Configuration

Edit the file /etc/mail/dkim/keylist and add your domain using the following format

*@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>
#sign only for andrew
andrew@<domain_name>:<domain_name>:/etc/mail/dkim/keys/<domain_name>/<selector>

Add your servers IP addresses to /etc/mail/dkim/trusted-hosts

More advanced configuration options can be set in the file /etc/dkim-filter.conf (Refer to the file and the man pages for details)

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209

Append the dkim-milter options to the existing milters if you have other milters already configured.

Start dkim-milter and restart postfix

# service dkim-milter start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com, you will receive a response stating if your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details similar to the picture below, you should see signed-by “your domain” if your setup was done correctly.

Updates

Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter/