iOS 10 OpenVPN with Active Directory Authentication

With iOS 10, PPTP is out and IPSEC and L2TP are the main options now. PPTP uses a protocol that is neither TCP nor UDP – it is GRE. And IPSEC uses yet another protocol called ESP. The problem with most VPNs is that they do not work when you need them to, because many hotel and guest networks allow only specific protocols through, such as TCP and UDP. This tutorial will show you how to configure a simple OpenVPN server that authenticates your Active Directory users and still works from networks that block PPTP, IPSEC, and L2TP.

First, let’s download a copy of the very cool open source router, VyOS.
http://packages.vyos.net/iso/release/1.1.7/vyos-1.1.7-amd64.iso

Now, we create a VM with a 2GB partition and we install VyOS. At the prompt, log in with vyos/vyos and type:

install image

When asked, set your password of choice for the vyos username. Eject the CD, reboot, and you should get to the login prompt. Log in, and let’s get started.

Type the following:

configure
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution 'squeeze'
set system package repository squeeze url 'http://archive.debian.org/debian'
set system package repository squeeze-lts components 'main contrib non-free'
set system package repository squeeze-lts distribution 'squeeze-lts'
set system package repository squeeze-lts url 'http://archive.debian.org/debian'
sudo apt-get -o Acquire::Check-Valid-Until=false update
sudo apt-get install krb5-config krb5-user libpam-krb5
commit

Now you should have all of the packages that you need, so it’s time to start configuring Kerberos. Type the following:

sudo nano /etc/krb5.conf

Here is a template for a simple krb5.conf file that you will need to modify to match your domain. The IP of your domain controller will be the IP for the kdc. Take note of the case differences: the Kerberos realm is written in upper case and the DNS domain in lower case. Match the capitalization shown in the example for your own domain.

[libdefaults]
        default_realm = MYDOMAIN.LOCAL

[realms]
        MYDOMAIN.LOCAL = {
        kdc = 10.0.0.2
        }

[domain_realm]
        .mydomain.local = MYDOMAIN.LOCAL
        mydomain.local = MYDOMAIN.LOCAL

[appdefaults]
        forwardable = true
        pam = {
            minimum_uid = 1000
            MYDOMAIN.LOCAL = {
                ignore_k5login = true
            }
        }

Now that /etc/krb5.conf is configured, we should be able to do the first test. Let’s run kinit and see if we can login. Here is an example:

kinit myuser

After you type in the password, you should be able to check if you are logged in with the klist command.

klist

If all worked, type the following.

save
exit
reboot now

Now it’s time to configure OpenVPN.
First, let’s copy over the template easy-rsa folder to the config folder so that it persists upon upgrades.

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /config/easy-rsa2
cd /config/easy-rsa2
source ./vars
./clean-all
./build-ca
./build-dh
./build-key-server server
cp keys/ca.crt /config/auth/
cp keys/dh1024.pem ../auth/
cp keys/server.key ../auth/
cp keys/server.crt ../auth/
./build-key company
cp keys/company.crt ../auth/
cp keys/company.key ../auth/

Phew! Ok, now we’re done with the prerequisites to configure OpenVPN. Let’s start configuring VyOS so that it uses all of these new settings.

configure
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option --username-as-common-name
set interfaces openvpn vtun0 openvpn-option "plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server domain-name mydomain.local
set interfaces openvpn vtun0 server subnet 10.0.1.0/24
set interfaces openvpn vtun0 server name-server 10.0.0.2
set interfaces openvpn vtun0 push-route 10.0.0.0/16
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
commit
exit

We are almost there. Now we just need to create the .ovpn file. Replace the sections between <ca>, <cert>, and <key> with the contents of the files /config/auth/ca.crt, /config/auth/company.crt, and /config/auth/company.key. Hint: You can get the contents by typing something like: cat /config/auth/ca.crt.

client
remote VPN.mydomain.com 1194
proto udp
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
........................................
........................................
........................................
........................................
.........................==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
........................................
........................................
........................................
........................................
.........................==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
........................................
........................................
........................................
........................................
.........................==
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass
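Pasting three PEM files into a profile by hand is error-prone, so here is an added shell helper (not part of the original post or of VyOS) that assembles the .ovpn above from the files in /config/auth, checks that each input is actually PEM before emitting anything, and adds one line the page's profile lacks, remote-cert-tls server, so the client only trusts a server certificate that was issued with build-key-server. The demo function uses constructed placeholder PEM blobs, not real keys.

```shell
#!/bin/sh
# Added example: build an OpenVPN client profile with the CA cert, client cert
# and client key embedded inline (<ca>/<cert>/<key>), so a single .ovpn file
# can be copied to the iOS device.
# Usage: build_ovpn <remote-host> <ca.crt> <client.crt> <client.key>
build_ovpn() {
    remote="$1"; ca="$2"; cert="$3"; key="$4"
    # Every input must exist and look like PEM; otherwise stop here instead of
    # emitting a profile that fails in an unhelpful way on the phone.
    for f in "$ca" "$cert" "$key"; do
        [ -s "$f" ] || { echo "build_ovpn: missing or empty: $f" >&2; return 1; }
        grep -q -- '-----BEGIN' "$f" || { echo "build_ovpn: not PEM: $f" >&2; return 1; }
    done
    # remote-cert-tls server is added hardening beyond the page's profile: it
    # rejects any peer whose certificate lacks the server extensions that
    # build-key-server sets, so another client cert from the same CA cannot
    # impersonate the VPN server.
    cat <<EOF
client
remote $remote 1194
proto udp
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
auth-user-pass
EOF
}

# Stand-alone demo using constructed placeholder PEM files (not real keys).
demo_build_ovpn() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n' > "$d/company.crt"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n' > "$d/company.key"
    build_ovpn VPN.mydomain.com "$d/ca.crt" "$d/company.crt" "$d/company.key"
    rc=$?; rm -rf "$d"; return $rc
}
demo_build_ovpn
```

On the VyOS box, run build_ovpn VPN.mydomain.com /config/auth/ca.crt /config/auth/company.crt /config/auth/company.key > company.ovpn and copy the resulting file to the device.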

Install OpenVPN Connect on your iOS 10 device.
Copy your .ovpn file onto your device and open it.
Enter your username/pass and you’re ready to go.

Note: It is not imperative that each person has a unique certificate because they need to authenticate their user/pass in order to connect (and we use their username to register instead of their certificate name). If you are not happy with the security risk of re-using certificates, you can generate a new certificate for each person by using the ./build-key script in the /config/easy-rsa2 folder.