Configuring VPNs with OpenVPN


9 Dec 2013 (3 years and 8 months ago)




Configuring VPNs with OpenVPN
Lecturer: Carlos Rey-Moreno
carlos.reymoreno@gmail.com
Networking Course
Honors on Computer Science
University of the Western Cape
28 Feb 2013


Installing VPN

To install the latest version, add the OpenVPN repository together
with its public key:
wget -O - http://repos.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
echo "deb http://repos.openvpn.net/repos/apt/lucid-stable lucid main" | sudo tee -a /etc/apt/sources.list

Once we have it in our list of repositories, we update our list of
packages and install openvpn:
sudo apt-get update
sudo apt-get install openvpn


First Steps in the server

OpenVPN already includes a set of scripts called "easy-rsa"
that handles all the certificate creation for us. It is also
shipped with the Ubuntu package's documentation, so let's copy it:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

You should then edit the file /etc/openvpn/easy-rsa/vars (using
vi) setting default variables for the certificates:
export KEY_COUNTRY="ZA"
export KEY_PROVINCE="WesternCape"
export KEY_CITY="CapeTown"
export KEY_ORG="UWC"
export KEY_EMAIL="carlos.reymoreno@gmail.com"

Note: the field KEY_COUNTRY must contain exactly 2 letters.


First Steps in the server

Move to the easy-rsa directory:
$ cd /etc/openvpn/easy-rsa/

Source your new vars file:
$ source ./vars

Set up the easy-rsa directory (this deletes all existing keys):
$ ./clean-all

Create the certificate and key for the CA:
$ ./build-ca

Create the certificate and key for the server:
$ ./build-key-server server

Create the certificate and key for a client:
$ ./build-key [name_of_client]
Note: in the last 3 steps (./build-*) you have to press Enter and/or y
when prompted.
Note: [name_of_client] has to be different for each client in the VPN.


Additional steps in the server

If further security is to be provided:

Build the Diffie-Hellman parameters:
$ ./build-dh

Build a TLS key:
$ cd keys
$ openvpn --genkey --secret ta.key

Copy the keys and certs to the configuration folder on the server:
$ sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Copy the keys and certs the client needs into the client's
configuration folder (/etc/openvpn/) over a secure channel (a USB
drive, for example):

/etc/openvpn/easy-rsa/keys/ca.crt

/etc/openvpn/easy-rsa/keys/[name_of_client].crt

/etc/openvpn/easy-rsa/keys/[name_of_client].key

/etc/openvpn/easy-rsa/keys/ta.key
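Added example (shell; not part of the lecture): before copying the files above, check the output of the build-* steps with the openssl command-line tool: that each certificate was signed by the CA, that each private key really belongs to its certificate, and that no two certificates share a Common Name (the note that [name_of_client] must differ per client). The functions check_pair, check_unique_cn and make_test_pki are ours; make_test_pki builds a throwaway PKI with openssl so the checks can be exercised offline, and stands in for the easy-rsa build-* scripts only for that purpose.

```shell
#!/bin/sh
# Added example (not part of the lecture): sanity-check an easy-rsa "keys"
# directory before copying its files to /etc/openvpn or to a client.
# Assumes the openssl CLI is installed; file names follow easy-rsa 2.0
# (ca.crt, server.crt/.key, <client>.crt/.key). Function names are ours.

# check_pair CA.CRT NAME.CRT NAME.KEY
# Prints "ok" when NAME.CRT chains to the CA and NAME.KEY is its private key;
# otherwise prints the reason and returns 1.
check_pair() {
    ca="$1"; crt="$2"; key="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "not signed by this CA: $crt"; return 1; }
    # An RSA key belongs to a certificate iff their moduli are identical.
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    [ "$crt_mod" = "$key_mod" ] || { echo "key does not match certificate: $key"; return 1; }
    echo ok
}

# check_unique_cn KEYS_DIR
# Every certificate in the directory must carry a distinct Common Name: by
# default OpenVPN keeps only one connection per CN, so two clients built with
# the same [name_of_client] would keep displacing each other.
check_unique_cn() {
    cns=$(for f in "$1"/*.crt; do
        openssl x509 -noout -subject -nameopt RFC2253 -in "$f" \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    done)
    dups=$(printf '%s\n' "$cns" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate CN: $dups"; return 1
    fi
    echo ok
}

# make_test_pki DIR
# Constructed stand-in for ./build-ca, ./build-key-server and ./build-key:
# a throwaway CA plus server, client1 and client2 certificates, so the checks
# above can be exercised offline without easy-rsa.
make_test_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    for name in server client1 client2; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$1/$name.csr" -CA "$1/ca.crt" \
            -CAkey "$1/ca.key" -CAcreateserial -out "$1/$name.crt" 2>/dev/null
    done
}

# Usage: sh check_pki.sh /etc/openvpn/easy-rsa/keys
if [ -n "${1:-}" ]; then
    check_pair "$1/ca.crt" "$1/server.crt" "$1/server.key" && check_unique_cn "$1"
fi
```

Run it against the real keys directory after the build-* steps; a "key does not match" or "duplicate CN" line means the wrong file is about to be shipped to a client.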


server.conf # network configuration

Which local IP address should OpenVPN listen on? (optional)
local 172.16.38.74 

Indicate the port the OpenVPN will be using:

If you want to run multiple OpenVPN instances on the same
machine, use a different port number for each one.

You will need to open up this port on your firewall.
port 1194

"dev tun" will create a routed IP tunnel
dev tun

Configure server mode and supply a VPN subnet for
OpenVPN to draw client addresses from. The server will take
10.8.0.1 for itself, the rest will be made available to clients.
server 10.8.0.0 255.255.255.0

If you are using Ethernet bridging (brctl tool), you must use
server-bridge and dev tap instead of server and dev tun.


server.conf # network configuration

Maintain a record of client virtual IP address associations in
this file. If OpenVPN goes down or is restarted, reconnecting
clients can be assigned the same virtual IP address from the
pool that was previously assigned.

ifconfig-pool-persist ipp.txt

Push routes to the client to allow it to reach other private
subnets behind the server. Remember that these private
subnets will also need to know to route the OpenVPN client
address pool (10.8.0.0/255.255.255.0) back to the OpenVPN
server.

push "route 10.10.38.0 255.255.255.0"
NOTE: This only makes sense when the OpenVPN server is reached through a public IP, so
this directive will give you access to the private network behind it.


server.conf # keys and certs

SSL/TLS root certificate (ca), certificate (cert), & private key (key).

Each client and the server must have their own cert and key file.


The server and all clients will use the same ca file.
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

Diffie Hellman parameters.
dh dh1024.pem

The tls-auth directive adds an additional HMAC signature to all
SSL/TLS handshake packets for integrity verification. The tls-auth
HMAC signature provides an additional level of security.

The server and each client must have a copy of this key. The second
parameter should be '0' on the server and '1' on the clients.
tls-auth ta.key 0


Select a cryptographic cipher.

This config item must be copied to the client config file as well.
cipher BF-CBC        # Blowfish (default)


server.conf # logs and security

Reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nogroup

The persist options try to avoid accessing resources on restart
that are no longer accessible due to the privilege downgrade.
persist-key
persist-tun

The keepalive directive causes ping-like messages to be sent
so that each side knows when the other side has gone down.
Ping every 10 seconds, assume that remote peer is down if no
ping received during 120 second time period.
keepalive 10 120

Output a short status file showing current connections,
truncated and rewritten every minute.
status openvpn-status.log

Set the appropriate level of log file verbosity.
verb 3


server.conf # others

OpenVPN allows either the TCP or UDP protocol to be used
as the VPN carrier connection. The UDP protocol will provide
better protection against DoS attacks and port scanning:
proto udp

Allow different clients to be able to "see" each other.

By default, clients will only see the server
client-to-client

Enable compression on the VPN link.

If you enable it here, you must also enable it in the client config
file.
comp-lzo

The maximum number of concurrently connected clients we
want to allow.
max-clients 100


client.conf

Specify that we are a client and that we will be pulling certain
config file directives from the server.
client

Use the same setting as you are using on the server.
dev tun

Are we connecting to a TCP or UDP server? Use the same
setting as on the server.
proto udp

The hostname/IP and port of the server.
remote server_IP 1194

Keep trying indefinitely to resolve the host name of the
OpenVPN server.
resolv-retry infinite

Most clients don't need to bind to a specific local port number.
nobind


client.conf

Downgrade privileges after initialization
user nobody
group nobody

Try to preserve some state across restarts.
persist-key
persist-tun

SSL/TLS parameters. See the server config file for more description.
ca ca.crt
cert [name_of_client].crt 
key [name_of_client].key

If a tls-auth key is used on the server then every client must
also have the key.
tls-auth ta.key 1

Select a cryptographic cipher. If the cipher option is used on
the server then you must also specify it here.
cipher BF-CBC

Enable compression on the VPN link. Don't enable this unless
it is also enabled in the server config file.
comp-lzo

Set log file verbosity.
verb 3
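Added example (shell; not part of the lecture): the server and client sections above repeat several "must be the same on both sides" rules (dev, proto and cipher must match, comp-lzo on both or neither, tls-auth direction 0 on the server and 1 on the client, and the client's remote port must be the server's port). The script below checks a server.conf against a client.conf for exactly those rules. The functions conf_get, conf_has, check_conf_pair and write_samples are ours; write_samples creates constructed sample files that mirror the lecture's directives so the check can be tried offline. The samples keep the lecture's cipher BF-CBC so the check passes on the page's own configuration; note that Blowfish has a 64-bit block and current OpenVPN releases warn about it, so a modern deployment would use an AES-GCM cipher on both sides.

```shell
#!/bin/sh
# Added example (not part of the lecture): cross-check a server.conf against a
# client.conf for the rules the slides give as "must be the same on both sides".
# Function names and the sample files below are ours.

# conf_get FILE DIRECTIVE [FIELD]
# Print field FIELD (default 2) of the first line whose keyword is DIRECTIVE,
# or nothing if absent. Lines starting with # or ; are comments, as in openvpn.
conf_get() {
    awk -v d="$2" -v f="${3:-2}" '
        /^[ \t]*[#;]/ { next }
        $1 == d { print $f; exit }' "$1"
}

# conf_has FILE DIRECTIVE  -> exit 0 if the directive appears (with or without args)
conf_has() {
    awk -v d="$2" 'BEGIN { found = 1 }
        /^[ \t]*[#;]/ { next }
        $1 == d { found = 0 }
        END { exit found }' "$1"
}

# check_conf_pair SERVER.CONF CLIENT.CONF
# Print "ok" and return 0 when the two files agree; otherwise print one line
# per mismatch and return 1.
check_conf_pair() {
    s="$1"; c="$2"; bad=0
    conf_has "$c" client || { echo "client.conf lacks the 'client' directive"; bad=1; }
    for opt in dev proto cipher; do          # must be identical on both sides
        sv=$(conf_get "$s" "$opt"); cv=$(conf_get "$c" "$opt")
        [ "$sv" = "$cv" ] || { echo "$opt differs: server='$sv' client='$cv'"; bad=1; }
    done
    if conf_has "$s" comp-lzo; then sl=yes; else sl=no; fi   # both or neither
    if conf_has "$c" comp-lzo; then cl=yes; else cl=no; fi
    [ "$sl" = "$cl" ] || { echo "comp-lzo differs: server=$sl client=$cl"; bad=1; }
    if conf_has "$s" tls-auth; then           # key direction: 0 server, 1 client
        [ "$(conf_get "$s" tls-auth 3)" = 0 ] \
            || { echo "server tls-auth direction must be 0"; bad=1; }
        [ "$(conf_get "$c" tls-auth 3)" = 1 ] \
            || { echo "client tls-auth direction must be 1"; bad=1; }
    fi
    sport=$(conf_get "$s" port); cport=$(conf_get "$c" remote 3)
    [ "$sport" = "$cport" ] || { echo "port differs: server='$sport' client remote='$cport'"; bad=1; }
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# write_samples DIR
# Constructed sample files mirroring the lecture's directives (not deployment
# files): server.conf, a matching client-good.conf and a client-bad.conf with
# the usual copy-paste mistakes (wrong port, wrong direction, missing lines).
write_samples() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
verb 3
EOF
    cat > "$1/client-good.conf" <<'EOF'
client
dev tun
proto udp
remote server_IP 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3
EOF
    cat > "$1/client-bad.conf" <<'EOF'
client
dev tun
proto udp
remote server_IP 1195
tls-auth ta.key 0
verb 3
EOF
}

# Usage: sh check_conf.sh /etc/openvpn/server.conf /etc/openvpn/client1.conf
if [ $# -eq 2 ]; then check_conf_pair "$1" "$2"; fi
```

Each mismatch it reports is one the page says will stop the tunnel from coming up (or, for tls-auth direction, make the handshake HMAC check fail), so running it before starting the services saves a round of reading verb 3 logs.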


Additional configurations

All the options available for the server:
http://openvpn.net/index.php/open-source/documentation/howto.html#server

And for the client in:
http://openvpn.net/index.php/open-source/documentation/howto.html#client

And many more HowTo in
http://openvpn.net/index.php/open-source/documentation/howto.html


Starting the services

In the server:
sudo openvpn /etc/openvpn/server.conf

In the client
sudo openvpn /etc/openvpn/[name_of_the_client].conf

If everything goes fine, the “Initialization Sequence Completed”
message should appear in both.

You should also be able to ping the OpenVPN server at the
10.8.0.1 IP address (and the client at the IP given to its tun0
interface).

If you want to give the client access to the network the server
is connected to, you have to NAT:
# iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward