OpenVPN Create User Keys

As I’d forgotten how to create a new OpenVPN user, it’s not something I do every day, I thought I put here a reminder of the process used.

To get a private key and a signed public key the easiest way is to use the Easy-RSA program that came with openvpn. Change to the directory, set the variables and run the script like this:

$ cd /etc/openvpn/easy-rsa
$ sudo source ./vars
$ sudo ./build-key-pass [USERNAME]

This creates the necessary CSR and submits it and generates the key and certificate in /etc/openvpn/easy-rsa/keys

I then wrote a script than turns the key and certificate into a single .ovpn file I can just give to the user along with the key password.

Continue reading →

OpenVPN & DNS Lookup Failures

I’ve noticed that occasionally my OpenVPN connection fails to resolve host names for systems at the other end of the tunnel. If I check the DHCP settings I can see I am being pushed the DNS servers for the remote end, but nslookup fails to use them.

This is to do with the binding order. In previous version of Windows you could adjust the binding order, but on Windows 10 this option has been removed.

To ensure your OpenVPN Interface appears before your other adapters you need to use some PowerShell to change the InterfaceMetric. The lower the number the higher the priority.

Continue reading →

OpenVPN & iptables

Some time ago I setup an OpenVPN server so we could securely logon to IT systems from outside the network. This worked really well until I rebooted it the other day. Then I discovered I could still successfully connect to the OpenVPN server, but I couldn’t route any traffic to internal hosts.

Turns out I’d forgotten to make my iptables firewall rules persistent.

Continue reading →

OpenVPN

Some months ago we bought a Barracuda firewall/VPN box to allow IT staff to connect and manage other IT devices securely. The idea was that the Barracuda would not only authenticate them against Active Directory and support two-factor authentication, but also carry out some Network Access Control and only allow devices that meets specific criteria connect to the network. Eg. Must be a domain member with a current Anti-virus and active firewall.

Well it turns out that the Barracuda couldn’t meet these needs. If you wanted to connect to the Barracuda using it’s web interface for portal type access it was fine. It used an agent based NAC and would allow two-factor auth using Google, but sadly not RADIUS.

However, if you wanted to use the network connection feature that is provided by using OpenVPN then you were going to be sadly disappointed.

Continue reading →