Security – https and ssh access to OpenVPN from windows

Tags: openvpn, security, vpn

I recently installed OpenVPN on a remote CentOS 7 web server. I am able to connect to it from a local CentOS 7 devbox by typing openvpn --config /path/to/client.ovpn. Once the connection is made, I am then able to ssh to the server through the vpn by typing ssh username@10.8.0.1, and I am able to view web apps hosted by apache on the remote server through the vpn by typing https://10.8.0.1 into a web browser. So how can I let my non-technical end-users make the same https connections from windows?

I downloaded and installed the SecurePoint OpenVPN client for Windows. I was then able to create a config for the server, including links to the .crt and .key files and definitions of other parameters that were defined in the client.ovpn file in Linux. The SecurePoint client then forced me to use a username and password for an OS account on the remote server (perhaps for the better), but does not allow me to connect to web apps running on the server. Specifically, typing https://10.8.0.1 into a web browser results in "This page can't be displayed", even though my Linux devbox allows content to be served from the server through the vpn to the client as described in the preceding paragraph. What am I doing wrong? And how can I get this to work?

EDIT

As per @garethTheRed's advice, I typed sudo firewall-cmd --list-all --zone=internal and got the following results:

internal (active)
  interfaces: tun0
  sources:
  services: dhcpv6-client https ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject  

I then clicked "connect" in the SecurePoint GUI and, after it said the connection to the server was established, I opened up cmd.exe and typed ping 10.8.0.1 and got the following results:

Pinging 10.8.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.8.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Unchecking the user/auth option removed the username/password login requirement.

Note that, when SecurePoint is connected, all other internet access through the browser seems blocked because all requests for pages are rejected. Also, the VPN shows up in the windows list of wifi networks as "Unidentified Network" with "no internet access". When I disconnect from the VPN using SecurePoint, the "Unidentified Network" goes away. You can see what it looks like when the VPN connection is active by clicking on this link

What else can I try?

Best Answer

Confirm that your firewall on the CentOS server (internal zone, if that is where the tun0 device is located) has https available as a service.

You should be able to ping the server on 10.8.0.1 from the Windows machine. If this works, then your VPN is up and working and it's probably the CentOS server's firewall blocking you.

If the ping doesn't work, then you have deeper underlying problems to solve before you look into your https pages.

In the case of the latter, post the output of running ipconfig /all and route print on the Windows machine.

Official OpenVPN Client

As an experiment, you could also install openvpn on the Windows machine and run it in a similar way to the way you did on the CentOS client using similar configuration files. It may give a clue to what's happening:

Download the OpenVPN client for Windows from here, then install it. Towards the end of the installation you should see a tick-box that offers to start the client. Make sure that the client is NOT started.

Copy your *.ovpn file from the CentOS machine (the one that worked previously) to the Windows machine. If you are transferring the file, you may come across the issue of Unix/DOS line terminators. The dos2unix package has a converter called unix2dos that converts the files to DOS format for you.

Open notepad as Administrator (right click and choose "Run as administrator") and edit the *.ovpn file changing the paths to the key and two certificates remembering to use two back-slashes in the paths (e.g. C:\\Users\\Bloggs\\key.pem). Save this file to C:\Program Files\OpenVPN\config.

Start the OpenVPN client from the Start Menu by right clicking on it and choosing "Run as administrator" (this is only needed the first time you run it). If the above has worked you should be able to right click on the icon in the task-bar and connect. If there is no connect option, then check the above.

After a second or three, you'll get a pop-up telling you that you've connected. Try your https webpage.

Basic Windows Compatible Configuration

As a test, backup your current server configuration and try the following:

port 1194
proto udp
dev tun
ca /etc/pki/openvpn/cacerts/CA.crt
cert /etc/pki/openvpn/public/OpenVPN_Server.crt
key /etc/pki/openvpn/private/OpenVPN_Server.pem  # This file should be kept secret
dh /etc/pki/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

It works on my server with both Linux and Windows clients (both the OpenVPN and the SecurePoint one). It won't provide the functionality you need for your server, but it may help you find where the problem is. You may need to adjust the paths to the files, of course.

For reference, here is the *.ovpn file I used:

client
dev tun
proto udp
remote <IP or FQDN of server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca C:\\Users\\gareth\\ca.crt
cert C:\\Users\\gareth\\client.pem
key C:\\Users\\gareth\\key.crt

For the SecurePoint client, I left everything as default other than the Auth user/pass tick-box, which I un-ticked and (of course) the key and certificates.
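The first thing the answer asks for is to confirm that the firewalld zone holding tun0 offers https and to look at what the rich rules reject. The script below is an added example, not code from the question or the answer: it parses the plain-text output of firewall-cmd --list-all (the sample is constructed from the output posted in the question), reports whether a service is enabled in the zone, lists rich rules that reject or drop a given service, and builds the firewall-cmd command that would add a missing service. The zone text is embedded so it runs offline; on a real server you would feed it the live command output instead.

```python
"""Check a firewalld zone dump for a service and for rich rules that reject it.

Added example: parses the `firewall-cmd --list-all --zone=...` text format as
shown in the question. The sample output below is constructed from that post.
"""
import re

# Constructed sample: the internal-zone output quoted in the question.
SAMPLE_ZONE_OUTPUT = """\
internal (active)
  interfaces: tun0
  sources:
  services: dhcpv6-client https ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
"""

LIST_FIELDS = ("interfaces", "sources", "services", "ports",
               "forward-ports", "icmp-blocks")


def parse_zone(output):
    """Return a dict describing the zone.

    List-valued fields are split on whitespace; every line that starts with
    'rule ' is collected under 'rich rules' one rule per entry.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0].split()
    zone = {"name": header[0], "active": "(active)" in lines[0], "rich rules": []}
    for line in lines[1:]:
        stripped = line.strip()
        if stripped.startswith("rule "):
            zone["rich rules"].append(stripped)
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if key == "rich rules":
            continue  # the rules themselves follow on later lines
        zone[key] = value.split() if key in LIST_FIELDS else value
    return zone


def has_service(zone, service):
    """True when the service is enabled in the zone (e.g. 'https')."""
    return service in zone.get("services", [])


def interface_in_zone(zone, iface):
    """True when the interface (e.g. 'tun0') is bound to this zone."""
    return iface in zone.get("interfaces", [])


def rich_rules_rejecting(zone, service):
    """Rich rules whose action is reject or drop for the named service.

    The question's zone carries one such rule for ssh, limited to sources
    other than 10.8.1.1; a rule like that does not touch https.
    """
    pattern = re.compile(r'service name="%s".*\b(reject|drop)\b' % re.escape(service))
    return [rule for rule in zone["rich rules"] if pattern.search(rule)]


def remediation(zone, service):
    """The firewall-cmd invocation that would add a missing service, or None.

    Built from the parsed zone name; this function only returns the string,
    it does not run anything.
    """
    if has_service(zone, service):
        return None
    return ("firewall-cmd --permanent --zone=%s --add-service=%s && "
            "firewall-cmd --reload" % (zone["name"], service))


def report(output, iface="tun0", service="https"):
    """Human-readable summary, returned as a list of lines."""
    zone = parse_zone(output)
    lines = ["zone %s active=%s" % (zone["name"], zone["active"])]
    lines.append("%s in zone: %s" % (iface, interface_in_zone(zone, iface)))
    lines.append("%s service enabled: %s" % (service, has_service(zone, service)))
    for rule in rich_rules_rejecting(zone, service):
        lines.append("rich rule rejects %s: %s" % (service, rule))
    fix = remediation(zone, service)
    if fix:
        lines.append("to enable: " + fix)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ZONE_OUTPUT)))
```

Run it against the live output with `sudo firewall-cmd --list-all --zone=internal | python3 this_script.py` adapted to read stdin, or paste the output into SAMPLE_ZONE_OUTPUT. If https is missing from the services line, the returned remediation string is the permanent add plus a reload, which matches what the answer asks you to confirm.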
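The answer's official-client procedure has two fiddly manual steps: rewriting the ca/cert/key paths with doubled backslashes and converting the file to DOS line terminators (what unix2dos does). The following is an added example, not code from the answer, that does both to a copied client .ovpn: it keeps every other line as-is, maps each Unix file path to a Windows directory you choose (C:\Users\Bloggs here, an assumed location), and flags any path line that still has a lone backslash. The embedded client file is constructed after the answer's example; the server name vpn.example.invalid is a placeholder.

```python
"""Convert a Linux client .ovpn for the Windows OpenVPN client.

Added example. It rewrites file-path options to Windows paths with doubled
backslashes and emits CRLF line endings. The sample config is constructed;
the directory C:\\Users\\Bloggs and vpn.example.invalid are assumptions.
"""
import posixpath
import re

# Constructed client config modelled on the answer's .ovpn (Linux paths).
LINUX_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /home/bloggs/openvpn/ca.crt
cert /home/bloggs/openvpn/client.crt
key /home/bloggs/openvpn/client.key
"""

# OpenVPN options whose first argument is a file path.
FILE_OPTIONS = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "pkcs12")

# A backslash with no backslash directly before or after it.
_SINGLE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")


def windows_path(unix_path, win_dir):
    """Map /some/dir/file to win_dir\\file and double every backslash,
    which is how the answer says paths must appear in the .ovpn file."""
    name = posixpath.basename(unix_path)
    raw = win_dir.rstrip("\\") + "\\" + name
    return raw.replace("\\", "\\\\")


def convert_ovpn(text, win_dir):
    """Return the config with Windows paths and DOS (CRLF) line endings."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_OPTIONS:
            # tls-auth may carry a key-direction after the path; keep it.
            fields = parts[1].split()
            fields[0] = windows_path(fields[0], win_dir)
            line = parts[0] + " " + " ".join(fields)
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def find_single_backslashes(text):
    """Names of file options whose path still contains an unescaped backslash,
    the mistake the answer warns about (C:\\Users\\x instead of C:\\\\Users\\\\x)."""
    bad = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_OPTIONS \
                and _SINGLE_BACKSLASH.search(parts[1]):
            bad.append(parts[0])
    return bad


def file_paths(text):
    """Dict of file option -> path as written in the config."""
    paths = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_OPTIONS:
            paths[parts[0]] = parts[1].split()[0]
    return paths


if __name__ == "__main__":
    converted = convert_ovpn(LINUX_OVPN, "C:\\Users\\Bloggs")
    # Write in binary mode so Python does not translate the CRLFs again.
    with open("client-windows.ovpn", "wb") as fh:
        fh.write(converted.encode("utf-8"))
    print(converted)
    print("unescaped backslashes in:", find_single_backslashes(converted))
```

Copy the certificate and key files into the same directory you passed as win_dir, then save the produced client-windows.ovpn to C:\Program Files\OpenVPN\config as the answer describes; find_single_backslashes is the check to run on any file you edited by hand in Notepad.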