Sunday, August 06, 2006

Openvpn with Clarkconnect 3.2

I recently installed and configured openvpn 2.0.7-1 to work on my Clarkconnect 3.2 firewall.

Here is what I did.

Download the openvpn rpm from:
http://dag.wieers.com/packages/openvpn/
The specific one I downloaded was:
http://dag.wieers.com/packages/openvpn/openvpn-2.0.7-1.el3.rf.i386.rpm

Download lzo from:
http://dag.wieers.com/packages/lzo/
The specific one I downloaded was:
http://dag.wieers.com/packages/lzo/lzo-1.08-4.1.el3.rf.i386.rpm

Then install both RPMs with rpm -ivh.
lzo needs to be installed first.

Okay, then the configuration part.

Take a look at the documentation for openvpn
http://openvpn.net/howto.html#install

The first thing I did was cd to /usr/share/doc/openvpn-2.0.7/
Then cd to easy-rsa

And follow the instructions on creating your own PKI from the openvpn howto guide.

After that cd back up one level to /usr/share/doc/openvpn-2.0.7/

Then cd in to the sample-config-files directory

Copy the server.conf file to /etc/openvpn

You will also need to copy the following files from the /usr/share/doc/openvpn-2.0.7/easy-rsa/keys folder:
ca.crt
dh1024.pem
server.crt
server.key
Keep server.key readable by root only (chmod 600); it is the one file in that set that must never leave the box.

Then you will need to modify the server.conf file in /etc/openvpn to reflect your set up.

The conf file has a pretty good set of comments to tell you all about what needs to be filled in and how it needs to be set. I really did not do anything special for the Clarkconnect firewall.

I did set
push "redirect-gateway"
so all traffic would go through the vpn and be encrypted. Note that this only gives a connected client internet access if the firewall also forwards and NATs the 10.8.0.0/24 subnet out the external interface; check that before blaming the tunnel when a client can reach the LAN but not the internet.

Okay here is the magic part for Clarkconnect

You need to go to the clarkconnect web admin. Select the network tab, then under firewall select incoming.

You want to allow incoming connections on port 1194 (or whatever port you set up in your /etc/openvpn/server.conf file) for UDP or TCP, depending on how you set up your server.conf file.

Here is what stumped me for awhile.

The problem is that all the iptables examples given on the openvpn site use the -A option, which is append. This, errrr, appends the rule at the bottom of the chain, and the trouble with that is it places the new rule after the very useful firewall rule that says "deny anything from anywhere". The packets hit the deny-anything rule and boom, they get dropped on the firewall floor.

So to get around that do this.

cd to /etc/rc.d
vi rc.firewall.local

I added something like this
iptables -I INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT

Okay, I changed that entry a little.
iptables -I OUTPUT -s 192.168.7.100 -d 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT

In the iptables -I OUTPUT rule the -s (source) address is the IP of the internal interface on your clarkconnect box, and 10.8.0.0/24 is the subnet for the openvpn connections.

I guess it would work with the interface instead of the source address, and the -i tun0 match did work, except for the OUTPUT rule. That is expected: the OUTPUT chain sees locally generated packets, which have no input interface, so iptables refuses -i there; -o tun0 is the equivalent match for that chain. Matching on -i tun0 is also the safer choice for INPUT and FORWARD: a rule keyed only on -s 10.8.0.0/24 would accept any packet claiming that source, whichever interface it arrived on, while only the tunnel delivers packets on tun0.

This way (-I inserts rather than appends) the rule gets added at the top of the chain and the packets are passed on instead of dropped. Also, by using rc.firewall.local the rules will survive a firewall restart.
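To make the rule-order point concrete, here is an added example (mine, not from the original post, ClarkConnect or OpenVPN) that wraps the three rules above in a small script and then checks that they actually landed above the catch-all deny. Assumptions not in the post: the tunnel interface is tun0, the VPN subnet is 10.8.0.0/24, ClarkConnect ends each chain with an explicit DROP or REJECT of all traffic (if it only sets a DROP policy, the order check passes trivially), and the column layout is that of `iptables -vnL CHAIN --line-numbers`. The OUTPUT rule uses -o tun0 instead of the post's -s/-d pair, for the reason given above. The two sample listings are constructed to show the inserted and appended cases; they were not captured from a real box.

```shell
#!/bin/sh
# Added example, not the original post's code: wrapper for the OpenVPN rules that
# /etc/rc.d/rc.firewall.local adds, plus a check that they sit above the catch-all deny.
# Assumed (not from the post): tun0, 10.8.0.0/24, and an explicit DROP/REJECT-all at the
# end of each chain. Override TUN/VPN_NET/IPT in the environment if your setup differs.

TUN=${TUN:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
IPT=${IPT:-iptables}

apply_rules() {
    # -I with an explicit position puts each rule at the top of the chain. -A (as in the
    # OpenVPN HOWTO examples) would append it below the catch-all deny, where it never matches.
    # Matching on the tunnel interface, not only on -s, is deliberate: a packet arriving on
    # any interface can claim a 10.8.0.x source, but only the tunnel delivers packets on tun0.
    "$IPT" -I INPUT   1 -i "$TUN" -s "$VPN_NET" -j ACCEPT
    "$IPT" -I FORWARD 1 -i "$TUN" -s "$VPN_NET" -j ACCEPT
    # Replies from the firewall itself are locally generated and have no input interface,
    # so iptables refuses -i in OUTPUT; the output interface is the equivalent match.
    "$IPT" -I OUTPUT  1 -o "$TUN" -d "$VPN_NET" -j ACCEPT
}

# accept_pos IFACE: read `iptables -vnL CHAIN --line-numbers` output on stdin and print the
# number of the first ACCEPT whose "in" column is IFACE, or 0 when there is none.
# Columns with -v and --line-numbers: num pkts bytes target prot opt in out source destination
accept_pos() {
    awk -v ifc="$1" 'NR > 2 && $4 == "ACCEPT" && $7 == ifc { print $1; f = 1; exit }
                     END { if (!f) print 0 }'
}

# deny_pos: print the number of the first catch-all deny (DROP/REJECT, all protocols,
# any interface, any source), or 0 when the chain has none.
deny_pos() {
    awk 'NR > 2 && ($4 == "DROP" || $4 == "REJECT") && $5 == "all" && $7 == "*" && $9 == "0.0.0.0/0" {
             print $1; f = 1; exit }
         END { if (!f) print 0 }'
}

# rules_ordered LISTING IFACE: succeed when an ACCEPT on IFACE exists and sits above the
# catch-all deny (or the chain has no catch-all deny rule at all).
rules_ordered() {
    a=$(printf '%s\n' "$1" | accept_pos "$2")
    d=$(printf '%s\n' "$1" | deny_pos)
    [ "$a" -gt 0 ] && { [ "$d" -eq 0 ] || [ "$a" -lt "$d" ]; }
}

# verify_chain CHAIN: query the live firewall and report whether the tun0 ACCEPT is effective.
verify_chain() {
    if rules_ordered "$("$IPT" -vnL "$1" --line-numbers)" "$TUN"; then
        echo "$1: OpenVPN ACCEPT is above the catch-all deny"
    else
        echo "$1: OpenVPN ACCEPT is missing or below the catch-all deny" >&2
        return 1
    fi
}

# Constructed sample listings (not captured from a real box) showing both outcomes:
# SAMPLE_INSERTED is what -I produces, SAMPLE_APPENDED is the -A mistake the post describes.
SAMPLE_INSERTED='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun0   *       10.8.0.0/24          0.0.0.0/0
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_APPENDED='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  tun0   *       10.8.0.0/24          0.0.0.0/0'

case "${1:-}" in
    apply) apply_rules && verify_chain INPUT && verify_chain FORWARD ;;
    check) verify_chain INPUT && verify_chain FORWARD ;;
    *)     ;;  # no argument: only define the functions (e.g. when sourced from another script)
esac
```

Save it as, say, /etc/rc.d/openvpn-fw.sh, call it with `apply` from rc.firewall.local, and run it with `check` after any firewall restart; a non-zero exit means a rule is either missing or has ended up below the deny-all again. `rules_ordered "$SAMPLE_APPENDED" tun0` fails, which is exactly the -A symptom described above, while the inserted sample passes.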

That pretty much configures the server.

For clients I used:
For OS X tunnelblick
http://tunnelblick.net/
Go right for the version 3.0 product (it was rc3 when I grabbed it); the 2.0 version just did not work.

For Windows, OpenVPN GUI for Windows :-)
http://openvpn.se/

You will need to check the instructions on where to copy the client certificates that you created in the /usr/share/doc/openvpn-2.0.7/easy-rsa/ folder. Each client gets its own .crt and .key plus ca.crt; the server's key and the CA key (ca.key) stay on the server.

That pretty much is all I did to get it to work.

I'm still having a problem with routing to the CC box using the inside interface when the tunnel is up. I can now get to the internal interface after entering the OUTPUT iptables rule shown above, and anything to the outside interface (the public IP) is unencrypted, I think. This means any service I normally get from the clarkconnect box is not working right.

Oh yeah, and it really does not work too well when I'm trying to connect from the inside; you really need to be on the outside connecting to get a good test.

So far though it seems to work.