Difference between revisions of "VPN"

(Generate Clients certificates and private keys)
(Generate Clients certificates and private keys)
Line 151: Line 151:
 
source /etc/openvpn/easy-rsa/vars
 
source /etc/openvpn/easy-rsa/vars
 
. /etc/openvpn/easy-rsa/build-key [clientName]
 
. /etc/openvpn/easy-rsa/build-key [clientName]
<syntaxhighlight lang="bash">
+
</syntaxhighlight>
  
 
Replace the ''[clientName]'' parameter with a relevant identifier for each client.  
 
Replace the ''[clientName]'' parameter with a relevant identifier for each client.  

Revision as of 14:34, 21 May 2014

VIRTUAL PRIVATE NETWORK (VPN)


Introduction

Reminder: What is a “VPN”?

  • English:


Sources


Installation

Binary

Installation is easy. You just need “openvpn”.

apt-get update && apt-get upgrade
apt-get install openvpn easy-rsa

Logs

Create target files

touch /var/log/openvpn.log
touch /var/log/openvpn-status.log
chmod 777 /var/log/openvpn*

Create symlinks

ln -s /var/log/openvpn.log /etc/openvpn/openvpn.log
ln -s /var/log/openvpn-status.log /etc/openvpn/openvpn-status.log

Adjust '/etc/openvpn/server.conf' accordingly

/var/log/openvpn.log		=> 	real time log
/var/log/openvpn-status.log	=>	list of connected clients


Public Key Infrastructure

The OpenVPN package provides a set of encryption-related tools called "easy-rsa".

These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.

However, in order to function properly, these scripts should be located in the /etc/openvpn directory.


Installation

Copy these files with the following command:

[Old Ubuntu - before 14.04]

cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

[New Ubuntu distro - 14.04 and later]

cp -R /usr/share/easy-rsa/ /etc/openvpn

Configure Public Key Infrastructure Variables

Default values

Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts will use to generate the scripts.

These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file.


[Old Ubuntu]

Don't forget to add /etc/openvpn/easy-rsa/2.0/ everywhere !!


vim /etc/openvpn/easy-rsa/vars


Here is an example of the relevant values:

export KEY_COUNTRY="SE"
export KEY_PROVINCE="Västra Götaland"
export KEY_CITY="Goteborg"
export KEY_ORG="daxiongmao.eu"
export KEY_EMAIL="guillaume@qin-diaz.com"

>> Alter the examples to reflect your configuration.

This information will be included in certificates you create! That must be accurate, particularly the KEY_ORG and KEY_EMAIL values.

Initialize the Public Key Infrastructure (PKI)

Generate the Authority of Certification (AC):


cd /etc/openvpn/easy-rsa/
. /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/clean-all
. /etc/openvpn/easy-rsa/build-ca

When asked, use your COMPANY name as "common name".

Generate OpenVPN Server Certificates and Private Key

cd /etc/openvpn/easy-rsa/
source /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/build-key-server [server]

[server] replace server by your actual server name !


This script will also prompt you for additional information.

Common Name = Name of the current server (server DNS name)

Generate Clients certificates and private keys

cd /etc/openvpn/easy-rsa/
source /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/build-key [clientName]

Replace the [clientName] parameter with a relevant identifier for each client.

  • The client common name must be unique
  • It helps you to identify each client. Don’t hesitate to use meaningful name.


The name is put inside the certificate.

All other information can remain the same


Generate Diffie Hellman Parameters

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server.

cd /etc/openvpn/easy-rsa/
. /etc/openvpn/easy-rsa/build-dh

Generate shared security key

NOT TESTED – July 2013

To increase security, you can use a share common key between server and clients. Each client will need the shared key + its own key to communicate.


 
openvpn --genkey --secret ./keys/ta.key


Distribute keys

Client files

In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:

  • Authority of certification ca.crt
  • Client certificate [clientName].crt
  • Client private key [clientName].key

!!! These keys should transferred with the utmost attention to security. Anyone who has the key is able to gain full access to your virtual private network !!!


Server files

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:

  • Authority of certification ca.crt
  • Authority private key ca.key
  • Diffie Hellman props dh1024.pem
  • Server certificate server.crt
  • Server private key server.key


cd /etc/openvpn/
ln -s /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/ca.crt
ln -s /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn/ca.key
ln -s /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/dh1024.pem
ln -s /etc/openvpn/easy-rsa/2.0/keys/myServer.crt /etc/openvpn/server.crt
ln -s /etc/openvpn/easy-rsa/2.0/keys/myServer.key /etc/openvpn/server.key


!! Apart 'ca.crt', all these files mustn't leave your server!!


Revoking Client Certificates

How to remove a user's access to the VPN server?

cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full [clientName]

This will revoke the ability of users who have the [clientName] certificate to access the VPN.

For this reason, keeping track of which users are in possession of which certificates is crucial.

Server configuration

Configuration file

Basic setup

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz


Security algorithms and hash

Cryptographic algorithms

openvpn --show-ciphers

Search for: AES-128-CBC, AES-256-CBC


Hash algorithms

openvpn --show-digests

Search for: MD5


Handshake algorithms

openvpn --show-tls


Server configuration

See attached file “server.conf”

You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.

Be careful when you choose the port number! Common open ports:

  • 80 (http)
  • 443 (HTTPS)
  • 8080 (Proxy / JEE servers)


Firewall

You can use the following firewall script:

MODPROBE=`which modprobe`
IPTABLES=`which iptables`
INT_ETH = eth0
INT_VPN = tun0
IP_LAN_VPN = 10.8.0.0/24

# --- #
# VPN #
# --- #
$MODPROBE iptable_nat

echo " ... Enable NAT features"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo " ... Allow all VPN communications (no filter)"
$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT

echo " ... Allowing VPN forwarding"
# Allow forwarding
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_VPN -s $IP_LAN_VPN -j ACCEPT
$IPTABLES -A FORWARD -j REJECT
# Allow devices communication $ETH0 <--> tun0
$IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN -o $INT_ETH -j MASQUERADE
# Forward Established, Related
$IPTABLES -A FORWARD -s $IP_LAN_VPN -p tcp -m state --state RELATED,ESTABLISHED --sport 1024:65535 --dport 1024:65535 -j ACCEPT
$IPTABLES -A FORWARD -s $IP_LAN_VPN -p udp -m state --state RELATED,ESTABLISHED --sport 1024:65535 --dport 1024:65535 -j ACCEPT

Off course, you should also have:
echo -e " ... Keep$GREEN ESTABLISHED$BLACK connections "
# Keep established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

# keep related connections
echo -e " ... Keep$GREEN RELATED$BLACK connections"
$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED -j ACCEPT


Startup

Restart services

service openvpn restart
service firewall restart


Client Software

Linux

apt-get install openssl openssh-server openvpn

Windows

On windows, many clients are available. The best one for Windows 7 and 8 is: « OpenVPN Connect Client Download for Windows » https://openvpn.net/index.php?option=com_content&id=357

Note: The file must be around 15 Mb.

MacOSX

The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick

  • Configuration files are in ~/librairies/openvpn
  • That’s the libraries [“bibliothèque”] folder of the current user


Client files

The client requires:

  • Authority of certification ca.cert
  • Client private key client.key
  • Client certificate client.crt

Then, you can setup client configuration.

  • See “client_conf.ovpn”


Notes: You have to edit the configuration file.

  • Adjust paths on lines 30-38
  • On Windows you must you the double slash \\
  • On Linux don’t forget to uncomment the following lines for better security:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
  • Linux: depending on your distribution you might need to adjust user / group default name.