openvpn as #0

Supports: trusty


Overview

This charm provides OpenVPN Access Server. Below is a
description taken from the main project site:

OpenVPN Access Server is a full-featured SSL VPN software solution that
integrates OpenVPN server capabilities, enterprise management capabilities,
simplified OpenVPN Connect UI, and OpenVPN Client software packages that
accommodate Windows, Mac, and Linux OS environments. OpenVPN Access Server
supports a wide range of configurations, including secure and granular remote
access to internal network and/or private cloud network resources and
applications with fine-grained access control.

Usage

To deploy the charm, you will first need a bootstrapped Juju environment and,
at a minimum, capacity for one additional machine.

Deploy openvpn-as to a bootstrapped environment:

juju deploy openvpn-as

It is recommended that you change the default password for the instance:

juju set openvpn-as password=newpassword

Finally, expose the service:

juju expose openvpn-as

You can then browse to https://ip-address-or-fqdn/admin to configure
OpenVPN-AS. The username and password by default are 'openvpn/openvpn-as'. If
you set the password as recommended above, then use that password instead of
the default.

Connecting to the VPN

The easiest way to establish a connection to the VPN is to authenticate via
the login page at https://ip-address-or-fqdn. This will give access to client
packages and config files needed for client connections.

Basic Linux Client Usage

To connect to the VPN using a Linux distribution, the openvpn package is
required on the client. Then you may log in to the OpenVPN-AS web client and
download a configuration for your user. Run the OpenVPN client with the
downloaded configuration and you should see a connection established. Below
are the common steps to install and use the OpenVPN client with the downloaded
config file 'client.ovpn':

sudo apt-get install openvpn
sudo openvpn --config client.ovpn

Basic Windows and Mac Usage

To connect to the VPN with a Windows or Mac OS, a client executable is
available from the web portal once successfully authenticated. Clients will be
prompted to download the client and continue.

Advanced Linux Client Usage with NetworkManager

To import a VPN configuration into NetworkManager, the NetworkManager OpenVPN
package must be installed, and the client key and certificate as well as the CA
certificate must be extracted from the OpenVPN-AS server. In order to do this,
you must know the machine number running the OpenVPN-AS service. For this
example, we will assume the machine number is "1" and the client is 'johndoe'.

juju ssh 1
mkdir /tmp/johndoe_client
sudo /usr/local/openvpn_as/scripts/sacli -a johndoe \
    -o /tmp/johndoe_client/ --cn johndoe get5
cd /tmp && tar -czf /home/ubuntu/johndoe-openvpn.tgz \
    johndoe_client/
rm -Rf johndoe_client
exit

This process uses the OpenVPN-AS script to get the user certificate, key,
client config file, CA certificate and TLS key, then creates a tarball in the
default user's home directory. Now copy the tarball to your computer for
redistribution and delete the original file from the server (the file name
must match the one created by the tar command above):

juju scp 1:~/johndoe-openvpn.tgz .
juju ssh 1 "sudo rm johndoe-openvpn.tgz && exit"

For instructions on how to import the downloaded files into NetworkManager,
reference the following article: http://bit.ly/15dVReF

Configuration

There are a number of configuration options available via the charm. Most of
the options, however, can be modified using the OpenVPN-AS Admin UI, but are
provided in the charm as a means of convenience and rapid deployment.

By default, the username is 'openvpn' and PAM is used as the authentication
backend. These options can be changed via the OpenVPN-AS Admin UI and are left
at their default settings in order to ensure a low barrier to deployment.
OpenVPN defaults to this username, and this username can be disabled if desired.

FQDN

The FQDN of the service will default to the public address of the machine it is
deployed on. The FQDN is referenced in the client configuration downloaded by
clients connecting to the VPN. The VPN will not be able to establish a successful
connection until the FQDN correctly resolves to the OpenVPN-AS service.

juju set openvpn-as fqdn=example.site.com

Password

This option sets the password on the service for the 'openvpn' admin user.

juju set openvpn-as password=newpassword

Port

The port configuration option determines the port used to manage, log in, and
connect to the service. When the port is changed, any prior downloaded
configurations will need to be reconfigured for each client previously using
the service.

juju set openvpn-as port=8443
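The FQDN and Port sections above both note that the server address and port are baked into every downloaded client profile, so profiles issued before a change stop working. As an added example (not code from this charm or from OpenVPN-AS), the following rewrites the 'remote' directives of an existing .ovpn profile to the newly configured fqdn/port and reports profiles that still point elsewhere or that do not request server-certificate verification. The sample profile is constructed; the directive names are standard OpenVPN ones.

```python
import re

# Constructed sample of a client profile of the kind OpenVPN-AS hands out;
# host name, port and certificate body are made-up placeholders.
SAMPLE_OVPN = """\
client
remote old-vpn.example.com 443 udp
remote old-vpn.example.com 443 tcp
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""

# 'remote <host> <port> [proto]'; groups preserve spacing and the proto word.
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(\s+)(\d+)((?:\s+\S+)?)\s*$")

def retarget_profile(profile: str, fqdn: str, port: int) -> str:
    """Point every 'remote' directive at fqdn:port; inline <ca>/<cert>/<key>
    blocks are copied through untouched."""
    out, in_inline = [], False
    for line in profile.splitlines():
        s = line.strip()
        if in_inline:
            in_inline = not s.startswith("</")
        elif s.startswith("<") and not s.startswith("</"):
            in_inline = True
        else:
            m = REMOTE_RE.match(line)
            if m:
                line = f"{m.group(1)}{fqdn}{m.group(3)}{port}{m.group(5)}"
        out.append(line)
    return "\n".join(out) + "\n"

def profile_issues(profile: str, fqdn: str, port: int) -> list:
    """Pre-flight checks on a profile: every remote must match the deployed
    fqdn/port, and server-certificate verification must be requested."""
    issues = []
    remotes = [m for m in map(REMOTE_RE.match, profile.splitlines()) if m]
    if not remotes:
        issues.append("no remote directive")
    for m in remotes:
        if m.group(2) != fqdn or int(m.group(4)) != port:
            issues.append(f"remote points at {m.group(2)}:{m.group(4)}")
    if not re.search(r"^\s*remote-cert-tls\s+server\s*$", profile, re.M):
        issues.append("missing 'remote-cert-tls server'")
    return issues
```

Running profile_issues over the profiles you have already distributed tells you which clients must be re-issued after a fqdn or port change, rather than waiting for their connections to fail.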

Client Network

The client network option configures the network used when assigning addresses
to VPN clients. If your home or corporate network uses the same range as the
default, consider changing it to an alternate network range. A CIDR suffix
should be given; if it is omitted, a '/24' is assumed for the network given.

juju set openvpn-as client-network=10.11.12.0/23

Reroute Gateway

By default all client traffic will be routed through the VPN tunnel. To
disallow clients from sending all traffic through the VPN tunnel, set this
value to 'False'. Clients will then only reach the remote subnets located
behind the VPN server. The list of networks to be routed through the VPN can be
configured through the Admin UI.

juju set openvpn-as reroute-gateway=False

Reroute DNS

By default all DNS queries will be routed through the VPN tunnel. To disable
this, set the following option to False.

juju set openvpn-as reroute-dns=False

License

In order to use more than the default 2 concurrent client sessions, a valid
license will be needed from
https://openvpn.net/index.php/access-server/license-key.html. Once a license
has been acquired, you can install it via this option.

juju set openvpn-as license=XXXXXXXXXXXXX

Contact Information

Author: NextRevision notarobot@nextrevision.net
Report bugs at: http://bugs.launchpad.net/charms/+source/openvpn-as
Location: http://jujucharms.com/charms/distro/openvpn-as


Configuration

client-network
    (string) network to use for client addressing; must include a CIDR suffix, i.e. X.X.X.X/XX
    Default: 5.5.0.0/20

fqdn
    (string) FQDN of the server; defaults to the unit's private address

license
    (string) optional license key acquired from openvpn.net to allow more than two clients; see https://openvpn.net/index.php/access-server/license-key.html for more details

password
    (string) password for the admin user 'openvpn'
    Default: openvpn-as

port
    (int) port to run the web UI over (includes the admin UI)
    Default: 443

reroute-dns
    (boolean) reroutes all DNS traffic through the established VPN tunnel
    Default: True

reroute-gateway
    (boolean) reroutes all client traffic through the established VPN tunnel
    Default: True