{"id":1039,"date":"2018-01-27T21:25:08","date_gmt":"2018-01-28T00:25:08","guid":{"rendered":"http:\/\/blog.abratel.com.br\/?p=1039"},"modified":"2018-02-06T21:12:48","modified_gmt":"2018-02-07T00:12:48","slug":"1039","status":"publish","type":"post","link":"https:\/\/blog.abratel.com.br\/?p=1039","title":{"rendered":"OpenVpn CentOS 7 – Client Mikrotik and Yealink Phone"},"content":{"rendered":"

Yealink T20P<\/strong><\/p>\n

\tVersao do firmware\t9.73.0.40
\n \tVersao do hardware\t7.0.0.54<\/p>\n

Existe um bug que se colocar o nome dns do servidor de destino openvpn, o telefone n\u00e3o funciona. Sendo necess\u00e1rio desativar a VPN pelo painel frontal e posterior mudar o arquivo de conf do cliente para o n\u00famero do ip do servidor.<\/p>\n

\r\n<strong>[root@ipbx ~]# openvpn --version<\/strong>\r\nOpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH\/PKTINFO] [AEAD] built on Sep 26 2017\r\n\r\n[root@ipbx ]# uname -a\r\nLinux ipbx.localdomain 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU\/Linux\r\n\r\nCENTOS 7\r\n<\/pre>\n
Step 1 \u2014 Installing OpenVPN<\/strong><\/p>\n
\r\nyum install openvpn easy-rsa -y\r\n\r\ncp \/usr\/share\/doc\/openvpn-*\/sample\/sample-config-files\/server.conf \/etc\/openvpn\r\n\r\nmkdir \/var\/log\/openvpn\r\ntouch\/var\/log\/openvpn\/openvpn.log\r\n\r\n<\/pre>\n
Let’s create a directory for the keys to go in.<\/p>\n
\r\nmkdir -p \/etc\/openvpn\/easy-rsa\/keys\r\n# We also need to copy the key and certificate generation scripts into the directory.\r\n\r\ncp -rf \/usr\/share\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa\r\n# or download in git. I install version 2.2 \r\n<\/pre>\n
To make life easier for ourselves we’re going to edit the default values the script
\nuses so we don’t have to type our information in each time. This information is stored
\nin the vars file so let’s open this for editing.<\/p>\n
\r\nvi \/etc\/openvpn\/easy-rsa\/vars\r\n<\/pre>\n
We’re going to be changing the values that start with KEY_. Update the following values to be accurate for your organization.<\/p>\n
The ones that matter the most are:<\/p>\n
KEY_NAME: You should enter server here; you could enter something else, but then you would also have to update the configuration files that reference server.key and server.crt
\nKEY_CN: Enter the domain or subdomain that resolves to your server
\nFor the other values, you can enter information for your organization based on the variable name.<\/p>\n
\r\n\r\n# These are the default values for fields\r\n# which will be placed in the certificate.\r\n# Don't leave any of these fields blank.\r\nexport KEY_COUNTRY="BR"\r\nexport KEY_PROVINCE="RJ"\r\nexport KEY_CITY="RiodeJaneiro"\r\nexport KEY_ORG="Abratel"\r\nexport KEY_EMAIL="sammy@abratel.com"\r\nexport KEY_OU="AbratelTelecom" here i put same the name server\r\n\r\n<\/pre>\n
We’re also going to remove the chance of our OpenSSL configuration not loading due to the version being undetectable. We’re going to do this by copying the required configuration file and removing the version number.<\/p>\n
Certificate<\/strong>:<\/p>\n
openssl-1.0.0.cnf
\neasy-rsa release 2.2<\/p>\n
I need change for SHA1 (because Yealink and Mikrotik clients)<\/p>\n
\r\n[root@ipbx easy-rsa]# cat \/etc\/openvpn\/easy-rsa\/openssl.cnf \r\n\r\ndefault_days    = 3650                  # how long to certify for\r\ndefault_crl_days= 30                    # how long before next CRL\r\ndefault_md      = SHA1          # use public key default MD\r\npreserve        = no \r\n\r\n[ req ]\r\ndefault_bits            = $ENV::KEY_SIZE\r\ndefault_keyfile         = privkey.pem\r\ndefault_md              = SHA1\r\n\r\n\r\ncp \/etc\/openvpn\/easy-rsa\/openssl-1.0.0.cnf \/etc\/openvpn\/easy-rsa\/openssl.cnf\r\n<\/pre>\n
To start generating our keys and certificates we need to move into our easy-rsa directory and source in our new variables.<\/p>\n
\r\ncd \/etc\/openvpn\/easy-rsa\r\nsource .\/vars\r\n<\/pre>\n
Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.<\/p>\n
.\/clean-all <\/pre>\n
When you build the certificate authority, you will be asked to enter all the information we put into the vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.<\/p>\n
.\/build-ca <\/pre>\n
The next things we need to generate will are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.<\/p>\n
.\/build-key-server server <\/pre>\n
We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or two to complete:<\/p>\n
.\/build-dh <\/pre>\n
That’s it for our server keys and certificates. Copy them all into our OpenVPN directory.<\/p>\n
\r\ncd \/etc\/openvpn\/easy-rsa\/keys\r\ncp dh2048.pem ca.crt server.crt server.key \/etc\/openvpn <\/pre>\n
All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it’s best to generate separate keys and certificates for each client you intend on connecting.<\/p>\n
Make sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it client.<\/p>\n
\r\ncd \/etc\/openvpn\/easy-rsa\r\n.\/build-key client <\/pre>\n
That’s it for keys and certificates.<\/p>\n
YEALINK CLIENT:<\/strong><\/p>\n
\r\nvpn.cnf\r\n\r\nclient\r\nremote A.B.C.D\r\nnobind\r\npersist-key\r\npersist-tun\r\nport 1195\r\nproto tcp\r\ndev tun\r\nverb 4\r\n\r\nca \/yealink\/config\/openvpn\/keys\/ca.crt\r\ncert \/yealink\/config\/openvpn\/keys\/client4.crt\r\nkey \/yealink\/config\/openvpn\/keys\/client4.key\r\n\r\n<\/pre>\n
Todos os arquivos ca.crt, client4.crt e client5.key devem conter dentro do diret\u00f3rio keys
\nNo windows pode-se utilizar o compactar 7zip para criar o tar. <\/p>\n
  vpn.cnf
\n  |–> keys\/ca.crt
\n  |–> keys\/client4.crt
\n  |–> keys\/client4.key
\n<\/strong><\/p>\n
  tar -cf openvpn.tar vpn.cnf keys\/ <\/pre>\n
Os nomes devem ser respeitador (openvpn.tar, vpn.cnf)<\/p>\n
\r\n[root@ipbx easy-rsa]# tail -f \/var\/log\/openvpn\/openvpn.log\r\n\r\nROUTING TABLE\r\nVirtual Address,Common Name,Real Address,Last Ref\r\n\r\nGLOBAL STATS\r\nMax bcast\/mcast queue length,1\r\nEND\r\nSat Jan 27 21:25:13 2018 TCP connection established with [AF_INET]C.C.C.C:2864\r\nSat Jan 27 21:25:14 2018 C.C.C.C:2864 TLS: Initial packet from [AF_INET]C.C.C.C:2864, sid=0777373e dc508015\r\ntail: \/var\/log\/openvpn\/openvpn.log: file truncated\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 VERIFY OK: depth=1, C=BR, ST=RJ, L=RiodeJaneiro, O=Abratel, OU=ipbx, CN=ipbx.intranet, name=EasyRSA, emailAddress=xxxx@xxxx.com\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 VERIFY OK: depth=0, C=BR, ST=RJ, L=RiodeJaneiro, O=Abratel, OU=ipbx, CN=client4, name=EasyRSA, emailAddress=xxxxx@xxxxx.com\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 Control Channel: TLSv1, cipher TLSv1\/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA\r\nSat Jan 27 21:25:26 2018 C.C.C.C:2864 [client4] Peer Connection Initiated with [AF_INET]C.C.C.C:2864\r\nSat Jan 27 21:25:26 2018 MULTI: new connection by client 'client4' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.\r\nSat Jan 27 21:25:26 2018 MULTI_sva: pool returned IPv4=10.8.0.14, IPv6=(Not enabled)\r\nSat Jan 27 21:25:26 2018 MULTI: Learn: 10.8.0.14 -> client4\/C.C.C.C:2864\r\nSat Jan 27 21:25:26 2018 MULTI: primary virtual IP for client4\/C.C.C.C:2864: 10.8.0.14\r\nSat Jan 27 21:25:29 2018 client4\/C.C.C.C:2864 PUSH: Received control message: 'PUSH_REQUEST'\r\nSat Jan 27 21:25:29 2018 client4\/C.C.C.C:2864 SENT CONTROL [client4]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ifconfig 10.8.0.14 10.8.0.13' (status=1)\r\ntail: \/var\/log\/openvpn\/openvpn.log: file truncated\r\n<\/pre>\n
Log aparelho YEALINK<\/p>\n
\r\nJan 27 00:00:17 openvpn[299]: OpenVPN 2.1.3 mipsel-unknown-linux-uclibc [SSL] [LZO2] [EPOLL] built on Sep 30 2013\r\nJan 27 00:00:17 openvpn[299]: WARNING: No server certificate verification method has been enabled.  See http:\/\/openvpn.net\/howto.html#mitm for more info.\r\nJan 27 00:00:17 openvpn[299]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables\r\nJan 27 00:00:17 openvpn[299]: WARNING: file '\/yealink\/config\/openvpn\/keys\/client4.key' is group or others accessible\r\nJan 27 00:00:17 openvpn[299]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]\r\nJan 27 00:00:17 openvpn[299]: Socket Buffers: R=[43689->131072] S=[16384->131072]\r\nJan 27 00:00:18 openvpn[299]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]\r\nJan 27 00:00:18 openvpn[299]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'\r\nJan 27 00:00:18 openvpn[299]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'\r\nJan 27 00:00:18 openvpn[299]: Local Options hash (VER=V4): 'db02a8f8'\r\nJan 27 00:00:18 openvpn[299]: Expected Remote Options hash (VER=V4): '7e068940'\r\nJan 27 00:00:18 openvpn[301]: Attempting to establish TCP connection with A.B.C.D:1195 [nonblock]\r\nJan 27 00:00:18 netS[262]: SRV <3+error > sendto v6 ntp socket err\r\nJan 27 23:25:14 openvpn[301]: TCP connection established with A.B.C.D:1195\r\nJan 27 23:25:14 openvpn[301]: TCPv4_CLIENT link local: [undef]\r\nJan 27 23:25:14 openvpn[301]: TCPv4_CLIENT link remote: A.B.C.D:1195\r\nJan 27 23:25:14 openvpn[301]: TLS: Initial packet from A.B.C.D:1195, sid=4aba1b0f 2963060c\r\nJan 27 23:25:14 openvpn[301]: VERIFY OK: depth=1, \/C=BR\/ST=RJ\/L=RiodeJaneiro\/O=Abratel\/OU=ipbx\/CN=ipbx\/name=EasyRSA\/emailAddress=uxxxx@xxxx.com\r\nJan 27 23:25:14 openvpn[301]: VERIFY OK: depth=0, \/C=BR\/ST=RJ\/L=RiodeJaneiro\/O=Abratel\/OU=AbratelTelecom\/CN=server\/name=EasyRSA\/emailAddress=xxxx@xxxx.com\r\nJan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key\r\nJan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nJan 27 23:25:26 openvpn[301]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key\r\nJan 27 23:25:26 openvpn[301]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication\r\nJan 27 23:25:26 openvpn[301]: Control Channel: TLSv1, cipher TLSv1\/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA\r\nJan 27 23:25:26 openvpn[301]: [server] Peer Connection Initiated with A.B.C.D:1195\r\n<\/pre>\n
MIKROTIK<\/strong><\/p>\n
Para funcionar no mikrotik, no server da openvpn n\u00e3o <\/strong>pode ter:
\n— Compress\u00e3o Lzo
\n— Porta UDP<\/p>\n
Alguns ajustes s\u00e3o necess\u00e1rios. Ainda no linux, converter as chaves para RSA:<\/p>\n
\r\nopenssl rsa -in ca.key -text > ca.rsa\r\nopenssl rsa -in client2.key -text > client2.rsa\r\n\r\n<\/pre>\n
NO MIKROTIK<\/strong><\/p>\n
Importar do linux esses 4 arquivos abaixo e arrasta-los para dentro do mikrotik.
\nDepois no terminal do mesmo executar<\/p>\n
\r\n\/certificate import file-name=ca.crt (pressione enter at\u00e9 concluir)\r\n\/certificate import file-name=ca.rsa (pressione enter at\u00e9 concluir)\r\n\/certificate import file-name=client4.crt (pressione enter at\u00e9 concluir)\r\n\/certificate import file-name=client4.rsa (pressione enter at\u00e9 concluir)\r\n<\/pre>\n
No MIKROTIK:
\nINTERFACES –> ADD –> OPENVPN CLIENT<\/strong><\/p>\n
\r\nDialup: A.B.C.D (ip do servidor openvpn)\r\nporta: 1195\r\nmode: ip\r\nuser: cliente4 (nome da chave)\r\npass: vazia\r\nprofile: default-encryptation\r\nCertificate: client4.crt_0\r\nAuth: sha1\r\nCipher: blowfish 128\r\n<\/pre>\n
Ap\u00f3s conex\u00e3o, em IP –> ROUTE<\/strong> eu pude observar que automaticamente criou minha rota para o rede 192.168.1.0\/24 saindo pelo openvpn clint.<\/p>\n
Criei um masquerad no firewall com: <\/p>\n
\r\nSOURCE: rede LAN mikrotik \r\nOutInterface: openvpncliete criada\r\nAba Action: Masquerad\r\n<\/pre>\n
Step 4 \u2014 Routing – SOMENTE SE NECESSITAR ACESSAR A REDE INTERNA LAN ONDE O SERVIDOR VPN ASTERISK ENCONTRA-SE<\/strong><\/p>\n
To keep things simple we’re going to do our routing directly with iptables rather than the new firewalld.<\/p>\n
First, make sure the iptables service is installed and enabled.<\/p>\n
yum install iptables-services -y
\nsystemctl mask firewalld
\nsystemctl enable iptables
\nsystemctl stop firewalld
\nsystemctl start iptables
\niptables –flush
\nNext we’ll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.<\/p>\n
iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE
\niptables-save > \/etc\/sysconfig\/iptables
\nThen we must enable IP forwarding in sysctl. Open sysctl.conf for editing.<\/p>\n
\r\nvi \/etc\/sysctl.conf\r\nAdd the following line at the top of the file:\r\n\r\nnet.ipv4.ip_forward = 1\r\n<\/pre>\n
Then restart the network service so the IP forwarding will take effect.<\/p>\n
\r\nsystemctl restart network.service\r\n<\/pre>\n
Step 5 \u2014 Starting OpenVPN<\/strong><\/p>\n
Now we’re ready to run our OpenVPN service. So lets add it to systemctl:<\/p>\n
\r\nsystemctl -f enable openvpn@server.service\r\nsystemctl start openvpn@server.service\r\n\r\n<\/pre>\n
Foi criada uma regra de mascaramento:<\/strong>
\nNAT –> ADD
\nChain: srcnat
\nSrc. Address: rede lan (exemplo: 192.168.88.0\/24)
\nDst. Address: rede lan da vpn do outro lado (192.168.218.0\/24)
\nOut Interface: nome-da-open-vpn-interface
\nAction: Masquerade<\/p>\n
Em MANGLE:<\/strong>
\nADD
\nChain: Prerouting
\nSrc. Address: rede lan (exemplo: 192.168.88.0\/24)
\nDst. Address: rede lan da vpn do outro lado (192.168.218.0\/24)
\nAction: Mark routing
\nNew Routing Mark: OpenVpn-NOME
\nDesmarcar Passthrough<\/p>\n

\nIP –> ROUTES<\/strong>
\nADD
\nDst. Address: 192.168.218.0\/24 (lan do outro lado)
\nGeteway: openvpn-gw-criado-automaticamente
\nRoutinha Mark: OpenVpn-NOME (dado a regra acima de Mangle)<\/p>\n
Obs Final:<\/strong> N\u00e3o consegui autenticar via UDP no asterisk. Sendo necess\u00e1rio trocar tudo para TCP. N\u00e3o achei vantajoso a Mikrotik n\u00e3o tem lan\u00e7ado uma vers\u00e3o em UDP ainda para openvpn.<\/p>\n
Para funcionar os aparelhos yealink tive que refazer todas as rotas do mikrotik usando ao inv\u00e9s do 192.168.218.0\/24 o ip do servidor openvpn 10.8.0.1 … Contrario a isso a voz n\u00e3o passou nos dois canais.<\/p>\n","protected":false},"excerpt":{"rendered":"
Yealink T20P Versao do firmware 9.73.0.40 Versao do hardware 7.0.0.54 Existe um bug que se colocar o nome dns do servidor de destino openvpn, o telefone n\u00e3o funciona. Sendo necess\u00e1rio desativar a VPN pelo painel frontal e posterior mudar o arquivo de conf do cliente…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1039"}],"collection":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1039"}],"version-history":[{"count":11,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1039\/revisions"}],"predecessor-version":[{"id":1051,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1039\/revisions\/1051"}],"wp:attachment":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}