A great number of our clients are already using their own VPN solutions. Nonetheless, we receive frequent enquiries for advice on possible options for accessing intranet sites from iOS and Android devices without having to turn to costly VPN solutions. We have decided, through this How To, to explain how OpenVPN – a free VPN server – can be installed and used in combination with Cortado, for example, to release intranet sites for mobile devices and automatically distribute the necessary configuration to managed devices.
Aim
The aim is to set up a functional, secure VPN server to release intranet applications to mobile devices through the VPN over the WiFi network. So far as possible, we want to configure the apps with the so-named Managed Configurations, to reduce the amount of manual work on the end device. This How To largely prepares the way for themes that we’ll be developing in the upcoming How Tos, Managed Domains and Intranet Apps.
Implementation
Setting up the VPN servers
The absolute first decision we need to make, is whether to put our VPN server into operation on Cortado MDM, or to set it up on a dedicated Linux server where it will function as the VPN server. We have offered explanations of both possibilities, although we do recommend the latter option.
Setting up the VPN servers under Linux
Dimensioning: 2 cores, 4 GB RAM, 30 GB hard disc space
We have decided on Debian as the operating system here. After installing the virtual machine and the operating system (a minimal installation with SSH will suffice) and creating a SUDOER user, we log in to the server via SSH with our SUDOER user. We execute the commands one after another, as follows:
- With this command, we ensure that we have the current packet information and that all updates have been installed
Sudo apt update && sudo apt upgrade
- Now we install iptables and configure the server port shares. For this, we log on once as Root user.
Su root
- we now make sure that, if any are present, no existing firewall rules remain in the system
Iptables –F && iptables –X
- now we install iptables-persistent, our local firewall
Apt install iptables-persistent
- Now we can create some rules for the firewall. IMPORTANT: Please change the interface (eth0 in the example) to the actual interface currently in use on the system, Otherwise, you could be suddenly locked out of your own system. If you’re not sure, enter “ifconfig” in the console and check the interface name again.
Cd /etc/iptables/rules.v4
- We now replace all rules, if we find any present, with our own. You can comfortably adapt our rules, if you are well enough acquainted with the material. The file should look like this.
*filter
- We allow all loopback traffic from the interface lo here and block all other traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
- Here we allow pings
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
- Here we allow SSH
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
- Here we allow UDP traffic on the 1194 for OpenVPN.
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT
- We allow DNS name resolution and HTTP/HTTPS.
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
- We allow all traffic from the tun0 interface (our most recent VPN interface) to permit communication with our eth0 interface.
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
- Now we reject all traffic that we have not released with the rules configured above.
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT
- With COMMIT, we close the configuration file.
COMMIT
- With the following commands we can immediately activate the newly created rules.
Iptables-restore < /etc/iptables/rules.v4
- We now load the rules into our iptables-persistent, so that they are always used:
Dpkg-reconfigure iptables-persistent
- Now we’re ready to download our Open VPN. This is also really simple. However, we’ll firstly switck back from our root user to our standard SUDOER user.
Su sudoer
- Now we install OpenVPN.
Sudo apt install openvpn
- If we just leave it at that point, OpenVPN will run via the root user, and that would not be a good idea. Unless it’s absolutely necessary, no service should run with root privileges because, if the user (here root) becomes compromised, all services could be controlled by an attacker (in this case root, thus all). By creating another user and configuring OpenVPN such that the service is executed by this new user, we will immensely limit the damage from any potential incident.
Sudo adduser –system –shell /usr/sbin/nologin --no-create-home cortadovpn
Sudo Groupadd cortadovpn
Sudo Usermod –g cortadovpn cortadovpn
- Now we generate a so-called HMAC signature:
Sudo Openvpn –genkey –secret /etc/openvpn/server/ta.key
- And now we will generate a Diffie-Hellman parameter. We’ll increase the OpenVPN recommended size of 2048 up to 4096 bits. That is perfectly sufficient. Larger sizes would lead to exorbitant generation times. Generating our 4096 bit parameter will take about 10-20 minutes.
Sudo Openssl genpkey –genparam –algorithm DH –out /etc/openvpn/server/dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096
- We have now come to the point where we have to think about certificates. In principal, it would be advisable to obtain all certificates from an existing, globally trusted CA that is not located on the OpenVPN server. For the sake of simplicity, we have written down the steps for generating (here, self-signed) TLS certificates locally. If it appears that this approach will not be sufficiently secure in your environment, you can always generate and import certificates according to your wishes.
- To create our CA and generate the client certificates, we will use easy-rsa. We start by copying the configuration files into our OpenVPN directory:
Cd /etc/openvpn
cp -r /usr/share/easy-rsa/ /etc/openvpn
Cd easy-rsa
- now we edit the VARS file
Nano vars
- Edit the following section with your appropriate data:
Export KEY_CONFIG=etc/openvpn/easy-rsa(openssl.cnf
(If required, this path must be altered so that it leads to where your openssl.cnf is actually located.)
Export Key_name=”Unser Servername”
# These are the default values for fields
# which will be placed in the certificate.
# Don’t leave any of these fields blank.export KEY_COUNTRY="DE"
export KEY_PROVINCE="BERLIN"
export KEY_CITY="BERLIN"
export KEY_ORG="CORTADO"
export KEY_EMAIL="support@cortado.com"
export KEY_OU="CONSULTING"
- We save the document and clean up with the following command.
. ./vars
(note the period, the space and then the second period)
./ckean-all
- Now we create our CA and the client certificates.
./build-ca
- You can skip over the following prompt with Enter, as we have set our default settings in the VARS file. Our next step will be to create our server key
./build-key-server <servername>
//enter the name of the server here, as it would be requested by the client.
- You can skip over all of the following prompts. Note that for this How To, no password will be set for the certificate. The corresponding prompt can also be skipped over with Enter. Confirm that you have signed the certificate and wish to save the changes. We now copy the generated data into the OpenVPN root directory and start the OpenVPN server
Cp /etc/openvpn/easy-rsa/key/<servername>.crt /etc/openvpn
Cp /etc/openvpn/easy-rsa/key/<servername>.key /etc/openvpn
Cp /etc/openvpn/easy-rsa/ca.crt /etc/openvpn
Service openvpn start
- Our VPN server is now ready for service and we can create certificates for our clients. We need to decide here whether to use one certificate for them all, or if each client should receive their own certificate. Naturally, the second method is more appealing, as we can, if required, block each client from VPN access individually. And furthermore, you can easily reset the device of that individual over MDM or revoke access to corporate content. To simplify matters here, we have decided to go with one certificate for all clients. If you want to create additional client certificates, you can simply repeat the following steps, or create a suitable script for the purpose.
- We can use the command below to create our first certificate. You can skip through the subsequent prompts with Enter.
./build-key user1
- In the folder keys, we’ll now find the certificate, which this client can use for logging in to our VPN server. We’re now done on the Linux machine and can go over to the Cortado management console to start provisioning the device. Proceed with the step Configuring Clients via the management console.
Setting up the VPN server with Windows Server 2016
If you want to set up your OpenVPN on a Windows server, rather than running it on a Linux machine, you can follow this guide:
- Log on to your Windows server with an administrator account, download the latest installer for Windows from the OpenVPN manufacturer’s website and install the program.
- Please ensure that you select all the checkboxes in the selection list.
- Now you have to create a configuration file. For this, open Notepad in the administrator mode and, under C:/Program Files/OpenVPN/config/ save the file server.ovpn with the following content. Please edit the server names so that they match your application:
port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\log\\ipp.txt"
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
cipher AES-128-CBC
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
verb 3
script-security 3
- Start a command line with administrator rights and switch to the OpenVPN directory.
cd C:\Program Files\OpenVPN\easy-rsa
- Execute init-config.bat there once.
init-config
- After that, open Notepad with administrator rights, click on Open and navigate to the OpenVPN directory to open and edit the vars.bat file. Here we can specify the attributes for the certificates. Change the values below, to fit your application.
set KEY_COUNTRY=DE
set KEY_PROVINCE=BERLIN
set KEY_CITY=BERLIN
set KEY_ORG=CORTADO
set KEY_EMAIL=support@cortado.com
set KEY_CN=
(enter the server names in the form that they will later be called up by the clients.)
set KEY_NAME=
(enter the server names in the form that they will later be called up by the clients.)
set KEY_OU=CONSULTING
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234
- Once you have concluded your modifications, you can save the file again. Now switch back to the command line with administrator rights and execute the following commands:
vars
clean-all
vars
build-ca
- You can skip through all the prompts that appear now with Enter. We have already previously made the appropriate adjustments in the Vars file. Follow with these comands.
vars
build-dh
build-key.-server
- Now we can generate the client certificates. We do that with the following commands:
vars
build-key
- To request the desired attributes, for NAME and EMAILADDRESS please enter the name and the email address of the user who will use the certificate and then conclude the setup with the required confirmations.
- We can now begin testing the OpenVPN server, in order to check whether all the server.ovpn configured files are saved to the correct locations. For this, you start OpenVPN and right click on the icon in the taskbar and click on “Connect”. If the process runs through without errors and the window closes, the server is functional. If you have errors appearing, please go to the indicated log directory and open the log file there. Normally files are not found here. If necessary, move the files into the correct directories and try starting the OpenVPN server again.
- We’re now finished on the server side and can switch to the management console, to create a VPN profile for our clients.
Configuring Clients via the management console
We now pass on all the information to the client that he needs to log on to the VPN server with no password, but with his certificate only and to use it, for example, to open intranet web sites.
However, there are two things we need to prepare.
Upload the client certifikate(s)
- For one thing, we need to upload our client certificates, or announce them. We can do that with Administration→ Profiles → Global → Certificate. If we only want to upload a single client certificate, we can do it on the left side.
- So that the certificate can be correctly used by the end device, it must be converted to the PFX format. This is achieved as follows:
- Copy the .crt and .key of the client certificate into a common folder. Take note, that both files must have the same name. Then open a command line with admin rights and navigate to this folder. Then execute the following command:
certutil –MergePFX <name of the crt>.crt <name of the crt>.pfx
- The PFX file you have generated can be uploaded via the Upload dialogue of the profile. If you want to roll out multiple client certificates at once, a so-called PFX folder is recommended for the purpose. Create a file for this in the Cortado administration portal, or on a file server. Convert all the client certificates that you previously had issued from Easy-RSA into PFX files. Give them all the same password and name each of them after the UPN of the respective user who is to receive the certificate. Now enter the path to this folder on the right side.
Upload the CA certificate
Our CA certificate unfortunately can’t be distributed for OpenVPN as a certificate profile through the management console. For this we must once only, manually create and copy the ca.crt file, open it and replace all breaks (“spaces”) within the —-BEGIN CERTIFICATE—- and —-END CERTIFICATE—- brackets with n. It’s best to do this manually, as the line breaks in the certificates are not like normal spaces that regular text editors are able to recognise. Once we have accomplished that, we can copy the string to the clipboard.
Configuration the VPN profile
Now we turn to our iOS VPN profile, which we configure as follows. In the management console, open Administration→ Profiles. Create a new iOS profile. Add the following information to the fields.
Profile name: can be freely selected
Account: can be left empty
VPN-Server: Here we enter the VPN server address, which the clients will use to reach it over Wi-Fi.
Connection Type: We select here Custom SSL
Identifier: The OpenVPN app’s bundle ID goes here (currently: net.openvpn.connect.app)
User Authentication: Certificate
Identity Certificate: <Select here the uploaded PFX file or the PFX folder that you specified previously.>
In the section Custom Data, we now only have to define a set of key/value pairs, then we’re done. You can use the small Plus sign to add new key fields, and remove them again with the X. Enter the following keys and fill in the value column with the corresponding values:
remote | VPN server address |
ca | Copy in the adapted string for the CA.crts here |
port | VPN server port |
dev | tun |
proto | tcp |
Now you can save the profile.
Rolling out and bringing into service the OpenVPN app on iOS
- Now add the OpenVPN app and roll it out. If you’re no longer sure how to roll out applications onto end devices with Cortado, the relevant section can be found in the manual.
- Now we assign the VPN profile. You’ll find more information on that in the manual.
- The OpenVPN app will now be installed on the devices and, in the settings, the point “VPN” is displayed and can now be enabled.
- If the VPN connection is established, you have done everything correctly. Maybe you want to take full advantage of the new VPN? Read here how to set up Per-App VPN.