Joe's Linux Blog: Linux Admin tips and tricks

March 5, 2014

OpenVPN Linux clients with VPN-based DNS services

Filed under: Centos,Configuration,Installation — jfreivald @ 6:45 am

Openvpn is a really nice, relatively simple VPN service.

There are lots of tutorials on how to get things rolling. This post deals with the specific issue of DNS services made available through the VPN.

Most of my users connect to our VPN using Windows clients, which is great because OpenVPN’s Windows client has the ability to override the DNS servers the client is currently using and replace them with the DNS servers pushed by the VPN server. This means that the users have access to all of our internal network using the same names as if they were connected locally. Just what you would expect.

Under Linux this is a bit more complicated because Linux (and most of the *nix world) uses the /etc/resolv.conf file to resolve name information, and the Linux OpenVPN client doesn’t change the information stored there on its own. This makes things painful if Linux users don’t have access to the internal DNS.

The OpenVPN solution is to use its scripting feature to pass the pushed options to a script that processes them. After a few false starts with other people’s scripts I came up with the following configuration. OpenVPN will warn in syslog that scripting is enabled, because almost anything can be done with scripts, even very bad things.

I hope that you find these scripts helpful.


Linux Client Configuration: /etc/openvpn/client.conf

client
dev tun
proto udp
script-security 2
up ./up.sh
down ./down.sh
remote <remote_server_ip_address> 1194
remote <remote_server_ip_address #2> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/pki/tls/certs/my_cert_authority.pem
cert /etc/pki/tls/certs/my_client_certificate.pem
key /etc/pki/tls/private/my_client_key.key
ns-cert-type server
verb 1
mute 5

The up script: /etc/openvpn/up.sh:

#!/bin/bash
log="openvpn.log"
modified="0"
echo "Initialization: $0 $1 $2 $3 $4 $5 $6" >> "$log"
echo ";; created by openvpn" > ./resolv.conf.new
# Append here: the echo above already created the file.
echo ";; Initialization: $0 $1 $2 $3 $4 $5 $6" >> ./resolv.conf.new
# OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...
for opt in ${!foreign_option_*}; do
    optval=${!opt}
    optiontype="`echo $optval | awk -F ' ' '{ print $1; }';`"
    if [ "$optiontype" == "dhcp-option" ]; then
        dhcptype=`echo $optval | awk -F ' ' '{ print $2;}';`
        dhcpval=`echo $optval | awk -F ' ' '{ print $3;}';`
        if [ "$dhcptype" == "DNS" ]; then
            modified="1"
            echo "Adding DNS Server $dhcpval" >> "$log"
            echo "nameserver $dhcpval" >> ./resolv.conf.new
        fi
        if [ "$dhcptype" == "DOMAIN" ]; then
            modified="1"
            echo "Adding domain $dhcpval" >> "$log"
            echo "domain $dhcpval" >> ./resolv.conf.new
            echo "search $dhcpval" >> ./resolv.conf.new
        fi
        # Note that the DOMAIN must come first for the sed command to match properly.
        if [ "$dhcptype" == "DOMAIN-SEARCH" ]; then
            modified="1"
            echo "Adding domain search $dhcpval" >> "$log"
            sed -i "s/^search \(.*\)/search \\1 $dhcpval/" ./resolv.conf.new
        fi
        dhcptype=
        dhcpval=
    else
        echo "Ignore non-dhcp option: $optval" >> "$log"
    fi
done
if [ "$modified" != "0" ]; then
    if [ -f /etc/resolv.conf ] && [ -f ./resolv.conf.new ]; then
        cp -f /etc/resolv.conf ./resolv.conf.saved
        if [ $? -ne 0 ]; then
            echo "Failed to copy existing /etc/resolv.conf." >> "$log"
        fi
    fi
    if [ -f ./resolv.conf.new ]; then
        echo "Replacing existing name services with VPN settings" >> "$log"
        cp -f ./resolv.conf.new /etc/resolv.conf
        if [ $? -ne 0 ]; then
            echo "Replacement resolv.conf failed." >> "$log"
            exit 1
        else
            rm ./resolv.conf.new
        fi
    fi
else
    echo "/etc/resolv.conf not replaced" >> "$log"
fi
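Because the up script runs as root and copies whatever the server pushed straight into /etc/resolv.conf, a defensive version validates each value before using it. The helper below is an added example, not the post's own up.sh: build_resolv_conf, is_ipv4 and is_domain are hypothetical names; it reads the same foreign_option_N variables, accepts only dotted-quad DNS addresses and hostname-style domains, prints the file body to stdout so the calling script decides whether to install it, and assembles the search line last so DOMAIN and DOMAIN-SEARCH may be pushed in either order.

```shell
#!/bin/sh
# build_resolv_conf: hypothetical helper, not from the original post.
# It reads the same foreign_option_N variables OpenVPN exports to the up
# script, keeps only syntactically valid values (pushed options are input
# from the server and end up in /etc/resolv.conf, written as root), and
# prints the new resolv.conf body on stdout.  Returns 0 when at least one
# nameserver was accepted, 1 when the caller should leave resolv.conf alone.

# True when $1 is a non-empty single line of printable text matching ERE $2.
valid_value() {
    case $1 in *[![:print:]]*|'') return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$2"
}
OCT='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
LABEL='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
is_ipv4()   { valid_value "$1" "^($OCT\\.){3}$OCT\$"; }
is_domain() { valid_value "$1" "^$LABEL(\\.$LABEL)*\$"; }

build_resolv_conf() {
    servers="" domain="" extra="" n=1
    while :; do
        eval "optval=\${foreign_option_$n:-}"   # n is our own counter
        [ -n "$optval" ] || break
        n=$((n + 1))
        # Split "dhcp-option TYPE VALUE" on its first two spaces; any extra
        # words stay in VALUE and make it fail validation below.
        otype=${optval%% *}; rest=${optval#* }
        dtype=${rest%% *};   dval=${rest#* }
        [ "$otype" = "dhcp-option" ] || continue
        case $dtype in
            DNS)           is_ipv4 "$dval"   && servers="$servers $dval" ;;
            DOMAIN)        is_domain "$dval" && domain=$dval ;;
            DOMAIN-SEARCH) is_domain "$dval" && extra="$extra $dval" ;;
            *)             : ;;   # other option types (WINS, NTP, ...) are ignored
        esac || echo "rejected dhcp-option $dtype '$dval'" >&2
    done
    [ -n "$servers" ] || return 1
    echo ";; created by openvpn up script"
    for s in $servers; do echo "nameserver $s"; done
    # resolv.conf(5): domain and search are mutually exclusive (the last one
    # wins), so a single search line carries the DOMAIN first and then every
    # DOMAIN-SEARCH value, whatever order the server pushed them in.
    list="$domain$extra"; list=${list# }
    [ -z "$list" ] || echo "search $list"
}
```

An up script built on this would redirect the output to ./resolv.conf.new and install it only when the function returns 0, keeping the save/restore logic of the original.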

VPN Down script: /etc/openvpn/down.sh

#!/bin/bash
log="openvpn.log"
if [ -f ./resolv.conf.saved ]; then
    echo "Reverting to original name services." >> $log
    cp -f ./resolv.conf.saved /etc/resolv.conf
    if [ $? == 0 ]; then
        rm -f resolv.conf.saved
    else
        echo "Failed to recover /etc/resolv.conf." >> $log
    fi
else
    echo "No stored name service information available." >> $log
fi

Server configuration file: /etc/openvpn/server.conf

port 1194
dev tun
# TLS parms
tls-server
#Notice that the server uses a Diffie-Hellman file. This is to make session key generation less resource intensive.
ca /etc/pki/tls/certs/<my_certificate_authority>.pem
cert /etc/pki/tls/certs/<my_server_certificate>.pem
key /etc/pki/tls/private/<my_server_key>.key
dh /etc/pki/tls/private/<my_server_diffie_hellman_file>.pem
# Tell OpenVPN to be a multi-client udp server
mode server
# The server's virtual endpoints
ifconfig 192.168.200.1 192.168.200.2
# Require all clients to have a ccd file. This provides clients with a static IP address, and no client that isn't assigned a static IP address will be permitted to join the network.
# It is a little more overhead to keep track of clients, and probably isn't necessary in most cases.
ccd-exclusive
# Use individual client configs based on SSL CN
client-config-dir /etc/openvpn/ccd
# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
# ifconfig-pool 10.2.0.4 10.2.0.255
# Push route to client to bind it to our local virtual endpoint.
# These are the only routes that will be delivered to the client over the VPN. All other internet traffic will route based on their current routing tables.
push "route 192.168.200.0 255.255.255.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
push "route 10.128.0.0 255.255.0.0"
# Push DHCP options to clients. Windows clients use these automatically, Linux clients need our up/down scripts to help them.
push "dhcp-option DNS 192.168.200.12"
push "dhcp-option DOMAIN work"
push "dhcp-option DOMAIN-SEARCH intranet.work"
# Client should attempt reconnection on link
# failure.
keepalive 10 60
# Delete client instances after some period
# of inactivity.
inactive 600
# Route the --ifconfig pool range into the
# OpenVPN server.
route 192.168.201.0 255.255.255.0
# The server doesn't need privileges
user openvpn
group openvpn
# Keep TUN devices and keys open across restarts.
persist-tun
persist-key
verb 2

October 30, 2011

Qt 4.7.4 for RHEL/Centos 6.0 pre-release

Filed under: Uncategorized — jfreivald @ 11:03 pm

Update Nov 14 2011: I’ve uploaded 32-bit packages for testing as well.  Please have at it and let me know what the issues are.  The repository file is the same for all versions.  Qt-Creator packages are building for both architectures overnight, so if all goes well I will upload them in the morning.

2nd Update Nov 14th 2011: Having problems compiling qt-creator.  Hopefully today, maybe tomorrow.

I’ve finished the first compile of Qt 4.7.4 packages for RHEL/Centos 6.0.  There are several things to consider before using these packages.

Unlike RHEL/Centos 5, Qt 4 is a primary system package upon which rests a host of system applications, most notably KDE.  For this first round of packages, I took the system package spec file and updated it with the 4.7.4 sources.  There are quite a few patches in the system sources, and I kept all of them that didn’t cause a portion of the build process to break.  Anything that broke the process was simply commented out, which is a lazy way of doing things.  In actuality, each one should be analyzed and re-patched to the new source if necessary.  Time constraints dictate that I’m a bit lazy on this for now, so these packages should be rigorously tested before pushed to a production system.  Also, the new system packages use an Epoch, which means that the version numbers are meaningless in terms of which packages Yum will install.  To get around this, I bumped the Epoch from 1 to 1000, and I’ll continue to increment it as I push new packages.  This should provide that the freivald.com packages are always selected over other repositories.

I plan to push these to a fresh VM in a day or two and, if all goes well, build and push Qt-Creator.

Feel free to test these packages, but be aware that they are for test purposes only at this point.  Please provide feedback on the success or failure of your testing.

The repository file (which is the same as the v5 file) is located here.

Cheers.

–JATF

September 30, 2011

Milestones

Filed under: Uncategorized — jfreivald @ 2:18 pm

On September 30th http://software.freivald.com surpassed 1 Terabyte of data transfer for the year to date. That does not include the blog or the other hosted sites, just the software downloads.

I’m very pleased that so many people find the Qt for Centos and RedHat Enterprise Linux packages and the Centos images for the Alix platform useful.

Cheers.

September 23, 2011

Qt 4.7.4 and qt-creator 2.3.0 for Centos/RHEL 5

Filed under: Centos,qt — jfreivald @ 7:09 pm

Qt packages are released for Centos and RHEL Version 5.7, i386 and x86_64 architectures.

With this release comes a new repository structure. The old /centos tree will disappear except for the new software.freivald.com repository file update, which points to the new repository. The new files are found only at http://software.freivald.com/el. The upgrade should be seamless, but will require one ‘yum update’ to grab the new repository files, and another ‘yum update’ to grab the updated files out of the new repository.

If you use priorities, which you should if you have more than one additional repository, be certain to un-comment the priority lines in /etc/yum.repos.d/software.freivald.com.repo.

The new repository file is at http://software.freivald.com/el/5/i386/os/software.freivald.com-2.0.0-0.el.noarch.rpm

Please let me know of any problems with the update, particularly on x86_64. I have changed the way the qt-creator libraries are linked because the qt-creator source always puts the libs in /usr/lib/qtcreator, even when they should be in /usr/lib64/qtcreator.

Cheers.

–JATF

September 4, 2011

A Tweetie Bird Told Me . . .

Filed under: Uncategorized — jfreivald @ 12:33 pm

. . . that I need to start providing twitter updates when I release new versions of Qt for Enterprise Linux or Centos for ALIX. Follow me on twitter @jfreivald.

December 19, 2010

Qt 4.7.1 and Qt-Creator 2.0.1 update for RHEL/Centos/EL 5.5

Filed under: Centos,qt — jfreivald @ 11:13 pm

Pushing updates as I type this. Should be done uploading in about an hour.

Qt update is to new version.

Qt Creator update adds a menu item. Thanks nina802 for the suggestion.

Check here for instructions.

Cheers.

–JATF

November 17, 2010

Qt 4.7.1, alix and Qt for el6 and other housekeeping

Filed under: ALIX,Centos,Configuration,qt,Tools,Web Publishing — jfreivald @ 9:59 pm

Sorry for the delay in getting 4.7.1 out. I’m jammed up at work. I hope to get it out in the next week or so.

When Centos 6 is released I’ll be building Qt packages and ALIX images for it but I will not be abandoning el5 until it is EOL. Lord thank you for Virtual Machines!

I will also be re-configuring the repositories to make them non-centos specific.  I’ll be using ‘qt-el’ instead of ‘centos’ to eliminate confusion for RHEL users who have never heard of Centos. The update will involve moving the RPM packages to a new directory structure and updating the repository package.  The old /centos directories will have only the updated repository package in it, so when a ‘yum upgrade’ is performed on an existing machine the new package will redirect the machine to the new directory structure.  A second  ‘yum update’ will then upgrade the packages normally.

With any luck it will be entirely seamless to the community.

On a side note, we’re over 200 registered users, over 700,000 non-bot hits per month (over 670k from Yum and wget alone!), and easily keeping over 50GB of transfer per month, with a peak in October of over 110GB.  We’re #1 on Google’s search with “Qt Centos” and “ALIX Centos” and several others.  We have users in Russia, Germany, Italy, France, India, South Africa, the U.S., and dozens more, with hits coming from .com, .edu, .org and several other top-level domains.

Thank you to everyone for making this project worthwhile.

–JATF

October 11, 2010

Donations

Filed under: Uncategorized — jfreivald @ 10:41 am

I had a viewer ask if they could donate to help support one of the projects, so I’ve added a PayPal donation button on the top right. Donations are certainly appreciated but by no means compulsory.

October 4, 2010

Qt4 4.7.0 and qt-creator 2 for Centos and RHEL 5.5

Filed under: Centos,qt,Tools — jfreivald @ 7:53 pm

I’ve updated the x86_64 and i386 repositories to Qt 4.7.0 and qt-creator 2.0.1.

UPDATE [6 OCT, 11:34]: This morning I finally added Yum groups to the repository, so all you have to do for the base library is (as root):
yum groupinstall Qt4
and for the development environment:
yum groupinstall Qt4-Devel
The mysql and postgresql packages do not install by default because they pull a bunch of extra libraries if you don’t have the databases already installed, so you might also want to include:
yum install qt4-postgresql qt4-mysql

If you are doing any application debugging you may want to install qt4-debuginfo as well:
yum install --enablerepo software.freivald.com-debuginfo qt4-debuginfo

NOTE: I’ve changed the 32-bit packages to be optimized for i686, which might register conflicts against the old i386 packages. If that happens, uninstall the conflicting i386 packages using ‘rpm -e --nodeps’, which will keep dependencies from preventing the uninstall. Then install the new packages as normal.

If this causes too much headache then I can create a separate repository for each. Let me know.

These packages were created on Centos 5.5 but should be completely compatible with RedHat Enterprise Linux 5.5.

–JATF

July 26, 2010

Updated registration

Filed under: Uncategorized — jfreivald @ 9:05 am

I’ve updated the registration plugin to hopefully reduce the bot-login rate.  I also deleted registrations that I thought were bots.  Please accept my apologies if you were deleted in the purge.

If anyone has problems with the new registration screen, e-mail me at: joseph@freivald.com.

–JATF
