OpenVpn CentOS 7 – Client Mikrotik and Yealink Phone

Yealink T20P

Firmware version 9.73.0.40
Hardware version 7.0.0.54

There is a bug: if the destination OpenVPN server is given by DNS name, the phone does not work. The VPN has to be disabled from the front panel and the client configuration file then changed to the server's IP address.

[root@ipbx ~]# openvpn --version
OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017

[root@ipbx ]# uname -a
Linux ipbx.localdomain 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

CENTOS 7

Step 1 — Installing OpenVPN

yum install openvpn easy-rsa -y

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

mkdir /var/log/openvpn
touch /var/log/openvpn/openvpn.log

Let’s create a directory for the keys to go in.

mkdir -p /etc/openvpn/easy-rsa/keys
# We also need to copy the key and certificate generation scripts into the directory.

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
# or download it from git; I installed version 2.2

To make life easier for ourselves we’re going to edit the default values the script
uses so we don’t have to type our information in each time. This information is stored
in the vars file so let’s open this for editing.

vi /etc/openvpn/easy-rsa/vars

We’re going to be changing the values that start with KEY_. Update the following values to be accurate for your organization.

The ones that matter the most are:

KEY_NAME: You should enter server here; you could enter something else, but then you would also have to update the configuration files that reference server.key and server.crt
KEY_CN: Enter the domain or subdomain that resolves to your server
For the other values, you can enter information for your organization based on the variable name.


# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="BR"
export KEY_PROVINCE="RJ"
export KEY_CITY="RiodeJaneiro"
export KEY_ORG="Abratel"
export KEY_EMAIL="sammy@abratel.com"
export KEY_OU="AbratelTelecom"   # here I used the same name as the server

We’re also going to remove the chance of our OpenSSL configuration not loading due to the version being undetectable. We’re going to do this by copying the required configuration file and removing the version number.

Copy the OpenSSL configuration that matches the easy-rsa release (openssl-1.0.0.cnf for easy-rsa 2.2) to openssl.cnf so the scripts find it regardless of the detected version:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

The Yealink and Mikrotik clients required SHA1, so default_md is set to SHA1 in both places where it appears in that file. The relevant lines after the change:

[root@ipbx easy-rsa]# cat /etc/openvpn/easy-rsa/openssl.cnf

default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = SHA1                  # use public key default MD
preserve        = no

[ req ]
default_bits            = $ENV::KEY_SIZE
default_keyfile         = privkey.pem
default_md              = SHA1

To start generating our keys and certificates we need to move into our easy-rsa directory and source in our new variables.

cd /etc/openvpn/easy-rsa
source ./vars

Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.

./clean-all 

When you build the certificate authority, you will be asked to enter all the information we put into the vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.

./build-ca 

The next things we need to generate are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.

./build-key-server server 

We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or two to complete:

./build-dh 

That’s it for our server keys and certificates. Copy them all into our OpenVPN directory.

cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn 

All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it’s best to generate separate keys and certificates for each client you intend on connecting.

Make sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it client.

cd /etc/openvpn/easy-rsa
./build-key client 

That’s it for keys and certificates.

YEALINK CLIENT:

vpn.cnf

client
remote A.B.C.D
nobind
persist-key
persist-tun
port 1195
proto tcp
dev tun
verb 4

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client4.crt
key /yealink/config/openvpn/keys/client4.key

All of ca.crt, client4.crt and client4.key must be inside the keys directory.
On Windows, 7zip can be used to create the tar.

vpn.cnf
|–> keys/ca.crt
|–> keys/client4.crt
|–> keys/client4.key

  tar -cf openvpn.tar vpn.cnf keys/

The names must be kept exactly as shown (openvpn.tar, vpn.cnf).
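As an added example (not part of the original post), the script below assembles the bundle and checks the three things that bite on this phone before anything is uploaded: the archive and config names, the key files being under keys/ next to vpn.cnf, and the remote line being an IP literal rather than a DNS name (the firmware bug noted at the top). The key files it writes are constructed placeholders, and 203.0.113.10 / vpn.example.com are documentation addresses, not the author's.

```shell
#!/bin/sh
# Added example, not from the original post: build the Yealink openvpn.tar
# bundle and validate it first.  All files written here are constructed
# placeholders; addresses are documentation examples.
set -u
export LC_ALL=C

# check_vpn_cnf DIR: prints "ok" and returns 0 when DIR/vpn.cnf is usable on
# firmware 9.73.0.40; otherwise prints the reason and returns 1.
check_vpn_cnf() {
    cnf="$1/vpn.cnf"
    [ -f "$cnf" ] || { echo "missing vpn.cnf"; return 1; }
    remote=$(awk '$1=="remote" {print $2; exit}' "$cnf")
    case "$remote" in
        '')         echo "no remote line"; return 1 ;;
        *[!0-9.]*)  echo "remote '$remote' is a DNS name; this firmware needs the server IP"; return 1 ;;
    esac
    # The phone reads /yealink/config/openvpn/keys/...; inside the tar those
    # files must sit under keys/ beside vpn.cnf.
    for opt in ca cert key; do
        path=$(awk -v o="$opt" '$1==o {print $2; exit}' "$cnf")
        rel=${path#/yealink/config/openvpn/}
        case "$rel" in
            keys/*) [ -f "$1/$rel" ] || { echo "$opt file $rel missing from bundle"; return 1; } ;;
            *)      echo "$opt path '$path' is not under keys/"; return 1 ;;
        esac
    done
    echo ok
}

# build_bundle DIR: run the check, then create DIR/openvpn.tar with the exact
# names the phone expects (openvpn.tar containing vpn.cnf and keys/).
build_bundle() {
    check_vpn_cnf "$1" >/dev/null || return 1
    (cd "$1" && tar -cf openvpn.tar vpn.cnf keys/)
}

# list_bundle DIR: archive members, sorted and space-separated, for inspection
list_bundle() {
    set -- $(tar -tf "$1/openvpn.tar" | sort)
    echo "$*"
}

# make_sample REMOTE: constructed bundle directory whose vpn.cnf uses REMOTE
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    for f in ca.crt client4.crt client4.key; do
        printf 'constructed placeholder, not a real %s\n' "$f" > "$d/keys/$f"
    done
    cat > "$d/vpn.cnf" <<EOF
client
remote $1
nobind
persist-key
persist-tun
port 1195
proto tcp
dev tun
verb 4

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client4.crt
key /yealink/config/openvpn/keys/client4.key
EOF
    echo "$d"
}

# Usage by hand:
# D=$(make_sample 203.0.113.10) && build_bundle "$D" && list_bundle "$D"
```

Run it against a real bundle directory by calling check_vpn_cnf and build_bundle on that directory instead of make_sample; a DNS name in the remote line is rejected before the tar is written, which avoids the front-panel recovery described at the top of the post.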

[root@ipbx easy-rsa]# tail -f /var/log/openvpn/openvpn.log

ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref

GLOBAL STATS
Max bcast/mcast queue length,1
END
Sat Jan 27 21:25:13 2018 TCP connection established with [AF_INET]C.C.C.C:2864
Sat Jan 27 21:25:14 2018 C.C.C.C:2864 TLS: Initial packet from [AF_INET]C.C.C.C:2864, sid=0777373e dc508015
tail: /var/log/openvpn/openvpn.log: file truncated
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 VERIFY OK: depth=1, C=BR, ST=RJ, L=RiodeJaneiro, O=Abratel, OU=ipbx, CN=ipbx.intranet, name=EasyRSA, emailAddress=xxxx@xxxx.com
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 VERIFY OK: depth=0, C=BR, ST=RJ, L=RiodeJaneiro, O=Abratel, OU=ipbx, CN=client4, name=EasyRSA, emailAddress=xxxxx@xxxxx.com
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 [client4] Peer Connection Initiated with [AF_INET]C.C.C.C:2864
Sat Jan 27 21:25:26 2018 MULTI: new connection by client 'client4' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sat Jan 27 21:25:26 2018 MULTI_sva: pool returned IPv4=10.8.0.14, IPv6=(Not enabled)
Sat Jan 27 21:25:26 2018 MULTI: Learn: 10.8.0.14 -> client4/C.C.C.C:2864
Sat Jan 27 21:25:26 2018 MULTI: primary virtual IP for client4/C.C.C.C:2864: 10.8.0.14
Sat Jan 27 21:25:29 2018 client4/C.C.C.C:2864 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jan 27 21:25:29 2018 client4/C.C.C.C:2864 SENT CONTROL [client4]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ifconfig 10.8.0.14 10.8.0.13' (status=1)
tail: /var/log/openvpn/openvpn.log: file truncated

YEALINK phone log

Jan 27 00:00:17 openvpn[299]: OpenVPN 2.1.3 mipsel-unknown-linux-uclibc [SSL] [LZO2] [EPOLL] built on Sep 30 2013
Jan 27 00:00:17 openvpn[299]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 27 00:00:17 openvpn[299]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 27 00:00:17 openvpn[299]: WARNING: file '/yealink/config/openvpn/keys/client4.key' is group or others accessible
Jan 27 00:00:17 openvpn[299]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Jan 27 00:00:17 openvpn[299]: Socket Buffers: R=[43689->131072] S=[16384->131072]
Jan 27 00:00:18 openvpn[299]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Jan 27 00:00:18 openvpn[299]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jan 27 00:00:18 openvpn[299]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jan 27 00:00:18 openvpn[299]: Local Options hash (VER=V4): 'db02a8f8'
Jan 27 00:00:18 openvpn[299]: Expected Remote Options hash (VER=V4): '7e068940'
Jan 27 00:00:18 openvpn[301]: Attempting to establish TCP connection with A.B.C.D:1195 [nonblock]
Jan 27 00:00:18 netS[262]: SRV <3+error > sendto v6 ntp socket err
Jan 27 23:25:14 openvpn[301]: TCP connection established with A.B.C.D:1195
Jan 27 23:25:14 openvpn[301]: TCPv4_CLIENT link local: [undef]
Jan 27 23:25:14 openvpn[301]: TCPv4_CLIENT link remote: A.B.C.D:1195
Jan 27 23:25:14 openvpn[301]: TLS: Initial packet from A.B.C.D:1195, sid=4aba1b0f 2963060c
Jan 27 23:25:14 openvpn[301]: VERIFY OK: depth=1, /C=BR/ST=RJ/L=RiodeJaneiro/O=Abratel/OU=ipbx/CN=ipbx/name=EasyRSA/emailAddress=uxxxx@xxxx.com
Jan 27 23:25:14 openvpn[301]: VERIFY OK: depth=0, /C=BR/ST=RJ/L=RiodeJaneiro/O=Abratel/OU=AbratelTelecom/CN=server/name=EasyRSA/emailAddress=xxxx@xxxx.com
Jan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 23:25:26 openvpn[301]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 23:25:26 openvpn[301]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 23:25:26 openvpn[301]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 27 23:25:26 openvpn[301]: [server] Peer Connection Initiated with A.B.C.D:1195
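The two logs above show what this setup negotiates: BF-CBC with the SWEET32 warning on the server side, SHA1 HMAC on both sides, and on the phone a client that does no server certificate verification and a key file that is group/other readable. The phone's OpenVPN 2.1.3 build is why those settings are kept, so the practical question is which peers still depend on them. The following audit, added here and not part of the original post, counts those conditions in a log and lists the peer addresses the server flagged. The sample log lines are constructed in the same format as the logs above with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: audit OpenVPN logs for the
# weak-crypto conditions shown in the server and phone logs above.
# Sample lines are constructed; addresses are documentation placeholders.
set -u
export LC_ALL=C

# insecure_peers LOG: unique peer addresses for which the server logged the
# SWEET32 "INSECURE cipher" warning.  Server log fields: day month date time
# year peer message..., so the peer is field 6 and "WARNING:" field 7.
insecure_peers() {
    awk '$7=="WARNING:" && $8=="INSECURE" {print $6}' "$1" | sort -u
}

# count_match LOG PATTERN: number of matching lines; always exits 0
count_match() {
    grep -c -- "$2" "$1" || true
}

# audit_log LOG: print a one-line summary; return 1 when any condition that
# needs attention (weak cipher, unverified server, exposed key) is present.
# SHA1 HMAC is reported but not failed, since the phone cannot do better.
audit_log() {
    insecure=$(count_match "$1" 'WARNING: INSECURE cipher')
    sha1=$(count_match "$1" "message hash 'SHA1' for HMAC")
    noverify=$(count_match "$1" 'No server certificate verification method')
    worldkey=$(count_match "$1" 'is group or others accessible')
    echo "insecure_cipher=$insecure sha1_hmac=$sha1 no_server_verify=$noverify key_perms=$worldkey"
    [ "$insecure" -eq 0 ] && [ "$noverify" -eq 0 ] && [ "$worldkey" -eq 0 ]
}

# make_sample_log KIND: constructed log file (server, phone or clean)
make_sample_log() {
    f=$(mktemp)
    case "$1" in
    server) cat > "$f" <<'EOF'
Sat Jan 27 21:25:26 2018 198.51.100.7:2864 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 198.51.100.7:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.
Sat Jan 27 21:25:26 2018 198.51.100.7:2864 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:25:26 2018 198.51.100.7:2864 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 198.51.100.7:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.
Sat Jan 27 21:25:26 2018 198.51.100.7:2864 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:30:02 2018 198.51.100.9:41022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jan 27 21:31:40 2018 198.51.100.12:5100 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.
EOF
    ;;
    phone) cat > "$f" <<'EOF'
Jan 27 00:00:17 openvpn[299]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 27 00:00:17 openvpn[299]: WARNING: file '/yealink/config/openvpn/keys/client4.key' is group or others accessible
Jan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
EOF
    ;;
    clean) cat > "$f" <<'EOF'
Sat Jan 27 22:10:05 2018 198.51.100.9:41022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jan 27 22:10:05 2018 198.51.100.9:41022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
EOF
    ;;
    esac
    echo "$f"
}

# Usage by hand against the real server log:
# audit_log /var/log/openvpn/openvpn.log; insecure_peers /var/log/openvpn/openvpn.log
```

On the server log from this setup every phone and Mikrotik peer will appear in insecure_peers; the list is what tells you which clients still hold the deployment on BF-CBC and whether the remaining peers could already be moved to an AES cipher via a per-client configuration.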

MIKROTIK

For it to work on the Mikrotik, the OpenVPN server must not have:
- LZO compression
- a UDP port

Some adjustments are needed. Still on the Linux side, convert the keys to RSA format:

openssl rsa -in ca.key -text > ca.rsa
openssl rsa -in client2.key -text > client2.rsa

ON THE MIKROTIK

Import these 4 files from Linux by dragging them into the Mikrotik.
Then, in its terminal, run:

/certificate import file-name=ca.crt (press Enter until it finishes)
/certificate import file-name=ca.rsa (press Enter until it finishes)
/certificate import file-name=client4.crt (press Enter until it finishes)
/certificate import file-name=client4.rsa (press Enter until it finishes)

On the MIKROTIK:
INTERFACES –> ADD –> OPENVPN CLIENT

Dialup: A.B.C.D (OpenVPN server IP)
port: 1195
mode: ip
user: client4 (key name)
pass: empty
profile: default-encryption
Certificate: client4.crt_0
Auth: sha1
Cipher: blowfish 128

After connecting, under IP –> ROUTE I could see that a route to the 192.168.1.0/24 network via the OpenVPN client interface had been created automatically.

I created a masquerade rule in the firewall with:

SOURCE: Mikrotik LAN network
OutInterface: the OpenVPN client interface just created
Action tab: Masquerade

Step 4 — Routing – ONLY IF YOU NEED TO REACH THE INTERNAL LAN WHERE THE ASTERISK VPN SERVER IS LOCATED

To keep things simple we’re going to do our routing directly with iptables rather than the new firewalld.

First, make sure the iptables service is installed and enabled.

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush

Next we'll add a rule to iptables to masquerade traffic from our OpenVPN subnet out of eth0, and save this rule.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing.

vi /etc/sysctl.conf

Add the following line at the top of the file:

net.ipv4.ip_forward = 1

Then restart the network service so the IP forwarding will take effect.

systemctl restart network.service

Step 5 — Starting OpenVPN

Now we’re ready to run our OpenVPN service. So lets add it to systemctl:

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

A masquerade rule was created:
NAT –> ADD
Chain: srcnat
Src. Address: LAN network (example: 192.168.88.0/24)
Dst. Address: VPN LAN on the other side (192.168.218.0/24)
Out Interface: name-of-the-openvpn-interface
Action: Masquerade

Under MANGLE:
ADD
Chain: prerouting
Src. Address: LAN network (example: 192.168.88.0/24)
Dst. Address: VPN LAN on the other side (192.168.218.0/24)
Action: mark routing
New Routing Mark: OpenVpn-NAME
Uncheck Passthrough


IP –> ROUTES

ADD
Dst. Address: 192.168.218.0/24 (LAN on the other side)
Gateway: openvpn-gw-created-automatically
Routing Mark: OpenVpn-NAME (from the Mangle rule above)

Final note: I could not authenticate over UDP with Asterisk, so everything had to be switched to TCP. I did not find it advantageous that Mikrotik has not yet released a UDP version for OpenVPN.

To get the Yealink phones working I had to redo all the Mikrotik routes using the OpenVPN server IP 10.8.0.1 instead of 192.168.218.0/24 … Otherwise voice did not pass on both channels.
