Tag Archives: VPN Connectivity

The benefits of a VPN can, depending on the VPN protocol used, be supplemented by encryption that makes the communication between the VPN partners eavesdropping-proof and tamper-proof.

OpenVPN Connection Script

Running Scripts on OpenVPN Connect and Disconnect

The OpenVPN client for Windows can run a script file that maps network drives to server shares when a VPN connection is started. There are other uses as well, such as running login scripts, printer redirection, or automated updates. This tutorial shows the installation and usage of OpenVPN connection scripts.

How to do it

The OpenVPN GUI for Windows can be downloaded from the community website. The OpenVPN client can also be deployed using winget, run from the command prompt:

C:\> winget install --id OpenVPNTechnologies.OpenVPN

During installation, the OpenVPN directory is created under %USERPROFILE%, including the folder config, which holds the configuration files (.ovpn) imported via the OpenVPN GUI with Import file.

Illustration: OpenVPN in the taskbar, click Import file

Right-clicking the OpenVPN icon in the taskbar opens the context menu with Import file; the imported configuration is saved under %USERPROFILE%\OpenVPN\config.


The batch files must be in the same config directory and have the same base name as the configuration file (.ovpn), with _up appended: here the configuration is VPNConfig.ovpn, so the batch file is VPNConfig_up.bat.

OpenVPN Connection Script

The contents of the batch file that runs on connect may look like this, so that a network drive is mapped to the server once OpenVPN has connected.

Illustration: Edit OpenVPN connection script VPNConfig_up.bat in Notepad

VPNConfig_up.bat maps the network drive I: to the server tower; in this example the login is against the domain city.local as user max with the password pass123. If you do not want a visible password in the batch file, remove it so that the password prompt is shown instead.

Illustration: Edit OpenVPN connection script VPNConfig_down.bat in Notepad

After the OpenVPN connection is disconnected, the batch file VPNConfig_down.bat disconnects the network drives.


The batch files must be in the same directory as the .ovpn file, here in the user profile under OpenVPN in the config directory.

If you rename the configuration file before importing it, e.g. CityOffice.ovpn instead of VPNConfig.ovpn, then this name appears in the context menu when connecting to the destination in the OpenVPN GUI. The batch files must carry the same name before _up and _down.

In order for the server name to be resolved by "net use", the entry "dhcp-option DNS" must be set in the file VPNConfig.ovpn:
dhcp-option DNS 192.168.3.110

In this example, the DNS server 192.168.3.110 is on the remote network to which OpenVPN connects. If there is no DNS server on that network, the IP address must be specified instead of the host name.

OpenVPN Settings

In the OpenVPN Settings you can set the location of the configuration files and log files; the path to the files can be changed there, as can the extension .ovpn. Adjusting the paths can be useful, for example, when using roaming profiles (creating the folder for the OpenVPN connections under %APPDATA%) or offline folders; this can be set individually.

OpenVPN Settings Advanced

In the OpenVPN Settings Advanced, the timeouts for the script files can be changed if necessary: in the Script Timeout area, Preconnect script timeout applies here to the batch file VPNConfig_up.bat, and the timeout for Disconnect script applies to VPNConfig_down.bat.

Example of a netlogon connection script (xxxxxxxx_up.bat):
@echo off
REM wait a few seconds until the VPN routes and DNS are in place
timeout /t 5 /nobreak > nul
REM install the network printer
rundll32 printui.dll,PrintUIEntry /in /n \\tower\laserjet_office
REM map the network drive (replace pass123 with * to be prompted instead of storing the password here)
net use I: \\tower\office /persistent:no /user:city\max pass123
REM wait about one second (two pings); "nul" is the null device, "null" would create a file
ping localhost -n 2 > nul
REM pop-up greeting message via a temporary VBScript
echo msgbox "Welcome %USERNAME% on %USERDOMAIN%.", vbInformation, "Message"> %temp%\msg.vbs
wscript //nologo %temp%\msg.vbs
REM delete the temporary script
erase %temp%\msg.vbs

How to SSH Tunnel Reverse Port forwarding

How to build VPN Tunnel using SSH Port Forwarding

Linux has had SSH built in from the start, Apple has integrated Secure Shell into macOS, and Microsoft provides OpenSSH on Windows 10 from version 1803 and on Server 2019 as an optional feature. SSH tunnels and SSH port forwarding are also known from tools such as PuTTY and KiTTY. So why use SSH only as a terminal (TTY)? As a VPN tunnel it offers useful opportunities too, for example when a VPN is not possible because the firewall does not support it, or when additional software cannot be installed in corporate networks because the required authorization is not given. An SSH reverse tunnel is always useful for devices that are not reachable behind a firewall.

How to use SSH as a VPN tunnel with port forwarding, using OpenSSH on Linux, macOS and Windows

SSH Tunnel to Remote Host B

Here, as an example, a tunnel is built from Host A to Host B; Host B is a web server through which the intranet page http://192.168.111.10 is to be opened on Host A. The only requirements are a NAT mapping on the firewall (NAT router) to port 22 of Host B and an SSH service on each host.

Illustration: SSH tunnel with port forwarding from Host A to Host B

Run the command in the Linux terminal on Host A as follows:

$ ssh -NT -L 80:192.168.111.10:80 cherry@172.17.16.15 -p 45680

On Host A the web page can now be opened at http://localhost. The SSH tunnel forwards TCP port 80 on the loopback address 127.0.0.1 of Host A through Host B to 192.168.111.10 port 80; the external SSH port is 45680, and we log on to Host B as user cherry. Note that binding local port 80 requires root privileges on Host A; any unprivileged port above 1024 can be used instead, as in the Host C example below.

The parameters:
-L = Local port
-N = do not run a remote command
-p = External SSH port (NAT port on firewall)
-T = do not open a terminal

On Host B the SSH daemon must be configured and running; in the configuration file /etc/ssh/sshd_config the following settings are required (on many Linux distributions this is the default).

# Force SSH protocol 2 (the only version left; the directive is ignored by OpenSSH 7.4 and later)
Protocol 2

# Turn on privilege separation for security (always on, directive deprecated since OpenSSH 7.5)
UsePrivilegeSeparation yes

# Deny root login
PermitRootLogin no

# Do not allow empty passwords
PermitEmptyPasswords no

# Only check .ssh/authorized_keys in the user's home directory
AuthorizedKeysFile      .ssh/authorized_keys

# Forward X sessions (not needed for the TCP port forwarding shown here)
X11Forwarding yes
X11DisplayOffset 10

# I hate Motd displays
PrintMotd no

# It's alliivee
TCPKeepAlive yes

# Port forwarding (-L/-R) needs this; yes is the default, so the line may stay commented
#AllowTcpForwarding yes

The lines commented out with a hash are default values; e.g. AllowTcpForwarding is yes by default, which is exactly what the tunnel needs.
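Because commented-out lines only show defaults, the reliable way to confirm what Host B's sshd actually enforces is the effective configuration dump. This added check script (not from the article) parses "sshd -T" output and verifies the forwarding and hardening settings listed above; the sample values are constructed.

```shell
#!/bin/sh
# Constructed example, not from the article: check on Host B that the settings
# actually in force allow the tunnel. "sshd -T" (run as root) prints every
# effective value, including defaults that are only commented out in sshd_config.
set -eu

# Print the effective value of one keyword ($1) from "sshd -T" output ($2).
sshd_opt() {
  printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }'
}

# Return 0 if TCP forwarding is on and the hardening from the article is kept.
sshd_tunnel_ok() {
  [ "$(sshd_opt allowtcpforwarding "$1")" = yes ] || { echo "AllowTcpForwarding is not yes" >&2; return 1; }
  [ "$(sshd_opt permitrootlogin "$1")" = no ] || { echo "PermitRootLogin is not no" >&2; return 1; }
  [ "$(sshd_opt permitemptypasswords "$1")" = no ] || { echo "PermitEmptyPasswords is not no" >&2; return 1; }
  return 0
}

# Constructed samples in the format sshd -T prints (lower-case keyword, value).
SAMPLE_OK="permitrootlogin no
permitemptypasswords no
allowtcpforwarding yes
gatewayports no"
SAMPLE_BAD="permitrootlogin yes
permitemptypasswords no
allowtcpforwarding no"

# Live check: sh sshd-check.sh --live (as root on Host B)
if [ "$#" -gt 0 ] && [ "$1" = "--live" ]; then
  sshd_tunnel_ok "$(sshd -T 2>/dev/null)" && echo "sshd on Host B is OK for tunnelling"
fi
```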

Hint: OpenSSH is also available on Synology NAS, FreeNAS, FreePBX Distro, OpenWrt, Raspberry Pi (Raspbian) and now on Windows Server.

SSH Tunnel to Remote Host C

In this example, an SSH tunnel is built from Host A to Host C; Host C is an RDS terminal server, and Host B serves as the port forwarder.

Illustration: SSH tunnel with port forwarding from Host A to Host C via Host B

Run the command in the Linux terminal on Host A as follows:

$ ssh -NT -L 3389:192.168.111.10:3389 cherry@172.17.16.15 -p 43389

The Remote Desktop session to Host C is opened via localhost on Host A: press Win + R to open Run, enter mstsc /v:localhost and confirm with OK.

Illustration: Run mstsc

This example uses TCP port 3389 for RDP as both the internal and the external port. Any unprivileged port (-L) above 1024 can be used instead; if a port other than 3389 is used, it must be passed to the RDP client, e.g. mstsc /v:localhost:44389

For Host B, IP forwarding must be enabled in the kernel; the command for this in the shell as root is:

# sysctl -w net.ipv4.ip_forward=1

Alternatively, echo in the shell console does the same thing:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Note that sshd terminates the -L and -R forwardings itself in user space; the kernel setting only matters where Host B also has to route packets between its interfaces.

Check the current IPv4 forward status as follows:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

The value 1 enables forwarding, 0 disables it. The change is not persistent across reboots; so that IP forwarding is active again after the next start, edit /etc/sysctl.conf (using nano or sudo vi) and add:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

It is recommended to use an SSH key for authentication, a key pair can be created as follows:

$ ssh-keygen -f ~/.ssh/key_rsa -t rsa -b 4096

The public key ~/.ssh/key_rsa.pub is stored in the user's home directory; in this example its contents are added on Host B to the file .ssh/authorized_keys in the home directory of the user cherry.

Authentication using SSH keys is not only more secure, it has other advantages as well: the user is not asked to enter a password, and the SSH tunnel and other commands can be executed from a script.
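Putting the Host C tunnel and the key-based login together, this added bash script (not from the article) refuses an unusable local port before logging in, starts the -L tunnel with options that make a scripted tunnel fail loudly, and waits for the local listener before announcing the port for mstsc. The hosts, ports and key path are the article's sample values, used as assumed defaults.

```shell
#!/usr/bin/env bash
# Constructed example, not from the article: build the Host A -> Host B -> Host C
# tunnel with key authentication, check the local port first and wait until the
# listener exists before handing the port to the RDP client.
set -eu

# Reject an invalid local port, or a privileged one (<1024) when not root: otherwise
# ssh logs in successfully and only then fails with "bind: Permission denied".
check_local_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  if [ "$1" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then return 1; fi
  return 0
}

# Start the -L tunnel (args: local port, target host, target port, user@HostB,
# external SSH port, key file). TUNNEL_CMD=echo prints the argument list instead.
tunnel_ssh() {
  "${TUNNEL_CMD:-ssh}" -NT -i "$6" \
    -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o BatchMode=yes \
    -L "127.0.0.1:$1:$2:$3" -p "$5" "$4"
}

# Poll until something accepts connections on 127.0.0.1:$1 (bash /dev/tcp, so no
# netcat is needed); give up after $2 attempts, one second apart.
wait_for_listener() {
  _tries="$2"
  while [ "$_tries" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null; then return 0; fi
    _tries=$((_tries - 1)); [ "$_tries" -gt 0 ] && sleep 1
  done
  return 1
}

main() {
  lport="${1:-44389}" thost="${2:-192.168.111.10}" tport="${3:-3389}"
  jump="${4:-cherry@172.17.16.15}" jport="${5:-43389}" key="${6:-$HOME/.ssh/key_rsa}"
  check_local_port "$lport" || { echo "refusing local port $lport (invalid, or <1024 without root)" >&2; exit 2; }
  tunnel_ssh "$lport" "$thost" "$tport" "$jump" "$jport" "$key" &
  pid=$!
  trap 'kill "$pid" 2>/dev/null' EXIT INT TERM
  wait_for_listener "$lport" 20 || { echo "tunnel via $jump did not come up" >&2; exit 1; }
  echo "tunnel up: 127.0.0.1:$lport -> $thost:$tport via $jump (e.g. mstsc /v:localhost:$lport)"
  wait "$pid"
}

# Only start a tunnel when called with arguments, e.g.: ./tunnel.sh 44389 192.168.111.10 3389
if [ "$#" -gt 0 ]; then main "$@"; fi
```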

SSH Tunnel on macOS

On Apple macOS, SSH is available after activation; open Terminal and run this command:

$ sudo systemsetup -setremotelogin on

After that, the SSH Tunnel can be set up under macOS.

$ ssh -i ~/.ssh/key_rsa -NT -R 3389:192.168.111.11:3389 cherry@172.17.16.15 -p 43389

The Remote Desktop for Mac gateway on localhost is now registered and the RDP session can be opened; in this way terminal servers are protected and can only be reached via SSH.

macOS also offers automation via launchd, the system's launch service: the following file is created at /Library/LaunchDaemons/server.hostc.client.cherry.home.plist with this content (each flag and its value must be a separate string, and the daemon is loaded with sudo launchctl load followed by the file path):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>server.hostc.client.cherry.home</string>
    <key>ProgramArguments</key>
    <array>
        <!-- full path to the binary; flags and their values as separate strings -->
        <string>/usr/bin/ssh</string>
        <string>-NTC</string>
        <string>-o</string>
        <string>ServerAliveInterval=60</string>
        <string>-o</string>
        <string>ExitOnForwardFailure=yes</string>
        <string>-i</string>
        <string>/Users/cherry/.ssh/key_rsa</string>
        <string>-R</string>
        <string>3389:192.168.111.11:3389</string>
        <string>-p</string>
        <string>43389</string>
        <string>cherry@172.17.16.15</string>
    </array>
    <!-- run ssh as the user whose key is used -->
    <key>UserName</key>
    <string>cherry</string>
    <key>RunAtLoad</key>
    <true/>
    <!-- restart ssh whenever it exits, so the tunnel comes back after a drop -->
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

OpenSSH Server Installation from PowerShell

For Windows Server 2019, the OpenSSH server can also be deployed with elevated rights from the PowerShell opened as administrator.

PS C:\> Get-WindowsCapability -Online | ? name -like *OpenSSH.Server* | Add-WindowsCapability -Online
The Windows 10 OpenSSH client can be found in the settings, under Apps & Features, Optional Features, OpenSSH Client.