Password-less VPN Split-Tunneling using OpenVPN + Google OTP + Key

ismail kaleem
5 min read · Mar 9, 2020

CoVID-19 has forced people to stay at home & also to work-from-home!

How to use OpenVPN to tunnel securely to the corporate network during the coronavirus outbreak.

Work-from-home is easy to adopt for organizations who are already mostly using the cloud and hardly have anything on-premises.

This is not the case for a lot of corporate and government organizations. They need to find a secure way to tunnel into the office network to allow work-from-home.

Full VPN Tunnel vs Split VPN Tunnel Explained.

In the context of a VPN connection, split tunneling refers to the practice of routing only some traffic (the office networks) over the VPN, while letting other traffic (your pornhub traffic) reach the Internet directly. This is done so that your office IT doesn’t get to know all the naughty things you are doing apart from work, which sounds pretty fair to me. But if the corporate DNS servers are being used, every name you look up still goes through the office, so forget my statement completely.
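Whether a client actually ends up with a split or a full tunnel, and whether its DNS queries travel over the VPN, can be read straight from the routing table. The following is an added example, not code from the post: a POSIX sh script that parses the output format of `ip -4 route show` on a Linux client, classifies the tunnel, lists the pushed prefixes and checks whether a resolver address falls inside one of them. The two routing tables are constructed samples, and the device name tun0 and the 192.168.255.x tunnel addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample routing tables (not captured from a real host).
SPLIT_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.130.0.0/16 via 192.168.255.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
192.168.255.0/24 dev tun0 proto kernel scope link src 192.168.255.2'

FULL_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 192.168.255.1 dev tun0
128.0.0.0/1 via 192.168.255.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
192.168.255.0/24 dev tun0 proto kernel scope link src 192.168.255.2'

# classify_tunnel DEV: reads routes on stdin and prints "full" when a default
# route, or the 0.0.0.0/1 + 128.0.0.0/1 pair that "redirect-gateway def1"
# installs, points at DEV; otherwise prints "split".
classify_tunnel() {
    awk -v dev="$1" '
        $0 ~ ("dev " dev "( |$)") &&
        ($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") { full = 1 }
        END { print (full ? "full" : "split") }'
}

# tunnel_prefixes DEV: prints the prefixes routed through DEV via a gateway
# (the pushed routes), skipping the catch-alls and the tun link route itself.
tunnel_prefixes() {
    awk -v dev="$1" '
        $0 ~ ("dev " dev "( |$)") && $2 == "via" &&
        $1 != "default" && $1 != "0.0.0.0/1" && $1 != "128.0.0.0/1" { print $1 }'
}

# dns_via_tunnel IP: reads prefixes on stdin and prints "yes" if the resolver
# at IP sits inside one of them, i.e. DNS queries will travel over the VPN.
dns_via_tunnel() {
    awk -v ns="$1" '
        function ip2n(ip,  a) { split(ip, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        { split($1, p, "/"); scale = 2 ^ (32 - p[2])
          if (int(ip2n(ns) / scale) == int(ip2n(p[1]) / scale)) hit = 1 }
        END { print (hit ? "yes" : "no") }'
}

# report DEV RESOLVER: one-line summary; on a live host run for example
#   ip -4 route show | report tun0 "$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)"
report() {
    routes=$(cat)
    mode=$(printf '%s\n' "$routes" | classify_tunnel "$1")
    if [ "$mode" = full ]; then
        echo "full tunnel: all traffic, DNS included, goes via $1"
    else
        dns=$(printf '%s\n' "$routes" | tunnel_prefixes "$1" | dns_via_tunnel "$2")
        echo "split tunnel via $1: $(printf '%s\n' "$routes" | tunnel_prefixes "$1" | tr '\n' ' ')(DNS over VPN: $dns)"
    fi
}

printf '%s\n' "$SPLIT_ROUTES" | report tun0 10.130.0.53
printf '%s\n' "$FULL_ROUTES" | report tun0 10.130.0.53
```

With the split sample the report says the only prefix going through tun0 is 10.130.0.0/16 and that a resolver at 10.130.0.53 (inside that prefix) is reached over the VPN, which is exactly the case the caveat above is about; with the full sample every destination, DNS included, is routed through the tunnel.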

Split-Tunnel VPN Configuration.

So, let's cut the crap and get to the configuration part.

First things first, you need to install Docker, because we will be running this in a container for ease of management.

A little security information before we begin the configuration does no harm!

1. OpenVPN and SWEET32 Vulnerability

Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN.

See https://sweet32.info/ for a much better explanation.

The following ciphers are affected, and should no longer be used:

BF-*
DES* (including 3DES variants)
RC2-*

The following ciphers are *not* affected:

AES-*
CAMELLIA-*
SEED-*

I have used cipher “AES-256-CBC” but you are free to use whatever cipher you think adds more security.
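Since the cipher ends up in the generated server and client configs, it is worth checking them against the affected list above before handing profiles out. The following is an added example, not code from the post or the kylemanna/openvpn project: a POSIX sh check that reads an OpenVPN config on stdin and reports every cipher from the BF-*, DES* and RC2-* families. The directive names `cipher`, `ncp-ciphers`, `data-ciphers` and `data-ciphers-fallback` are OpenVPN's own; the sample config is constructed and deliberately contains two weak entries.

```shell
#!/bin/sh
# Constructed sample config (not from a real deployment); it mixes one weak
# cipher with a negotiation list that still allows 3DES.
SAMPLE_CONF='port 1194
proto udp
cipher BF-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM:DES-EDE3-CBC
push "route 10.130.0.0 255.255.0.0"'

# sweet32_affected NAME: succeeds when NAME belongs to one of the 64-bit block
# cipher families listed above (Blowfish, DES/3DES, RC2).
sweet32_affected() {
    case "$1" in
        BF-*|DES*|RC2-*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ciphers: reads an OpenVPN config on stdin, prints "<directive> <cipher>"
# for every affected cipher (colon-separated negotiation lists are split up)
# and returns non-zero if anything was found, so it can gate a deployment.
audit_ciphers() {
    found=0
    while read -r directive value _; do
        case "$directive" in
            cipher|ncp-ciphers|data-ciphers|data-ciphers-fallback) ;;
            *) continue ;;
        esac
        for c in $(printf '%s\n' "$value" | tr ':' ' '); do
            if sweet32_affected "$c"; then
                printf '%s %s\n' "$directive" "$c"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Usage on a real profile: audit_ciphers < /path/to/server.conf
printf '%s\n' "$SAMPLE_CONF" | audit_ciphers || echo "weak ciphers found, fix the config before rollout"
```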

2. Root with empty password

A security vulnerability in the official Docker images based on the Alpine Linux distribution allowed, for more than three years, logging into the root account with a blank password.

This issue has since been fixed, and we do not install or enable SSH in the container anyway. But if you are still paranoid, you can add this to the Dockerfile to lock the default root account:

RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

Finally, the setup configuration.

Generate the server configuration with the -2 (Google Authenticator two-factor) and -C $CIPHER options:

# Replace vpn.example.com with your DNS name, and add every network you want routed through the tunnel with -p 'route NETWORK NETMASK'. The -p 'route 10.130.0.0 255.255.0.0' below routes 10.130.0.0/24-style ranges in bulk, here the whole 10.130.0.0/16; a single /24 would be -p 'route 10.10.10.0 255.255.255.0'. If you also want Google DNS to go through the tunnel, add -p 'route 8.8.8.8 255.255.255.255'. The -d option leaves the client's default route alone, which is what makes this a split tunnel.

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p 'route 10.130.0.0 255.255.0.0' -e 'topology subnet' -u udp://vpn.example.com -2 -C $CIPHER

We have chosen UDP instead of TCP to avoid the handshake, due to CoVID-19. Also, please make sure to create your folder ~/openvpn and export its path in the environment variable $OVPN_DATA, and set $CIPHER (I used AES-256-CBC, see above).

Possible topology choices

These are the available values for the --topology parameter in --dev tun mode. Each topology is described further in its own section below.

subnet: The recommended topology for modern servers. Note that this is not the current default. Addressing is done by IP & netmask.

net30: This is the old topology for support with Windows clients running 2.0.9 or older clients. This is the default as of OpenVPN 2.3, but not recommended for current use. Each client is allocated a virtual /30, taking 4 IPs per client, plus 4 for the server.

p2p: This topology uses Point-to-Point networking. This is not compatible with Windows clients, though use with non-Windows allows use of the entire subnet (no “lost” IPs.)

Refer: https://community.openvpn.net/openvpn/wiki/Topology

Initialize the PKI, then start the server container:

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki

docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

Generate your client certificate (possibly without a password, since you’re using OTP), then generate the authentication configuration for your client. -t is needed to show the QR code.

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full <user> nopass

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_otp_user <user>

The last step generates the OTP configuration for the given user; the image's ovpn_otp_user script calls google-authenticator with the following options, which limit brute-force attempts:

google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
-l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator

Download Google Authenticator App for OTP.

Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm and HMAC-based One-time Password algorithm, for authenticating users of software applications.

OPTIONAL: You may also set up a static IP for a user!

echo "ifconfig-push <IP ADDRESS> <NETMASK>" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/<user>

Now grab a copy of your OVPN configuration:

docker run -v $OVPN_DATA:/etc/openvpn --rm -t kylemanna/openvpn ovpn_getclient <user> > <user>.ovpn
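The server-side steps above are easy to mistype (the push routes in particular must be in "route NET MASK" form, not CIDR). As an added example, not the post's or the kylemanna/openvpn project's own script, here is a POSIX sh wrapper that runs the same docker commands in order, converts CIDR prefixes into the -p 'route …' arguments ovpn_genconfig expects, validates the user name before it reaches easyrsa, and with DRY_RUN=1 prints every docker command instead of executing it so the plan can be reviewed first. The flags (-N, -d, -e, -u, -2, -C, -p) are the ones the post uses; the script name, function names and the example paths are assumptions.

```shell
#!/bin/sh
# Added example: wrapper around the kylemanna/openvpn commands from the post.
: "${OVPN_DATA:=$HOME/openvpn}"     # the post keeps the volume in ~/openvpn
: "${CIPHER:=AES-256-CBC}"          # the cipher chosen in the post
IMAGE=kylemanna/openvpn

# run CMD...: execute CMD, or when DRY_RUN=1 print it (quoting arguments that
# contain spaces or other shell-special characters) instead.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        for a; do
            case $a in
                *[!A-Za-z0-9_./:=@-]*) printf "'%s' " "$a" ;;
                *) printf '%s ' "$a" ;;
            esac
        done
        printf '\n'
    else
        "$@"
    fi
}

# cidr_to_route NET/BITS: print "route NET MASK", e.g. 10.130.0.0/16 ->
# "route 10.130.0.0 255.255.0.0". Rejects anything that is not a 0-32 prefix.
cidr_to_route() {
    net=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*) echo "bad CIDR: $1" >&2; return 1 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    mask=''; i=0
    while [ "$i" -lt 4 ]; do
        b=$(( bits - 8 * i ))          # how many mask bits fall into this octet
        [ "$b" -gt 8 ] && b=8
        [ "$b" -lt 0 ] && b=0
        mask="$mask${mask:+.}$(( 256 - (1 << (8 - b)) ))"
        i=$(( i + 1 ))
    done
    printf 'route %s %s\n' "$net" "$mask"
}

# gen_server_config URL CIDR...: ovpn_genconfig with NAT (-N), no default route
# pushed (-d, the split tunnel), Google Authenticator (-2), the chosen cipher
# and one -p 'route ...' push per CIDR.
gen_server_config() {
    url=$1; shift
    cidrs=$*
    set -- docker run -v "$OVPN_DATA:/etc/openvpn" --rm "$IMAGE" ovpn_genconfig \
        -N -d -e 'topology subnet' -u "$url" -2 -C "$CIPHER"
    for cidr in $cidrs; do
        r=$(cidr_to_route "$cidr") || return 1
        set -- "$@" -p "$r"
    done
    run "$@"
}

# init_and_start: build the PKI (interactive) and start the server on UDP 1194.
init_and_start() {
    run docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm -it "$IMAGE" ovpn_initpki
    run docker run -v "$OVPN_DATA:/etc/openvpn" -d -p 1194:1194/udp --cap-add=NET_ADMIN "$IMAGE"
}

# add_user NAME: client cert without key password (OTP is the second factor),
# the Google Authenticator secret (QR code needs a tty), then the .ovpn profile.
add_user() {
    user=$1
    case $user in ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 1 ;; esac
    run docker run -v "$OVPN_DATA:/etc/openvpn" --rm -it "$IMAGE" easyrsa build-client-full "$user" nopass
    run docker run -v "$OVPN_DATA:/etc/openvpn" --rm -it "$IMAGE" ovpn_otp_user "$user"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run docker run -v "$OVPN_DATA:/etc/openvpn" --rm "$IMAGE" ovpn_getclient "$user"
    else
        # no -t here: a pseudo-TTY would turn the profile's newlines into CRLF
        docker run -v "$OVPN_DATA:/etc/openvpn" --rm "$IMAGE" ovpn_getclient "$user" > "$user.ovpn"
    fi
}

# Usage: DRY_RUN=1 ./setup-openvpn-otp.sh udp://vpn.example.com alice 10.130.0.0/16 8.8.8.8/32
main() {
    url=$1; user=$2; shift 2
    gen_server_config "$url" "$@" && init_and_start && add_user "$user"
}
[ $# -ge 3 ] && main "$@"
```

Run it once with DRY_RUN=1 and compare the printed commands with the ones above; without DRY_RUN it performs the whole procedure and leaves <user>.ovpn in the current directory.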

Download OpenVPN client and the OVPN configuration.

https://openvpn.net/client-connect-vpn-for-windows/

Download your <user>.ovpn configuration and import it on the client. You can log in using the username and, in the password field, enter the OTP shown in the Google Authenticator app.

You don’t need to remember a password; just enter your OTP code as the password.
