Planetfoo.org (PDF)

Dec 9, 2013



A discussion about
OpenVPN
Matt Ryanczak


First let's talk about those SSH login attempts

Are they a threat?

If so, how can you mitigate them?

Alternate port?

Key based auth?

Firewall and/or sshguard, fail2ban, etc.

Port knocking

Does a VPN replace SSH?


OpenVPN

What is OpenVPN?

What does OpenVPN do?

How does OpenVPN work?

What can OpenVPN do for me?


What is a VPN?
A VPN securely connects two end points via a
“hostile” network


How do VPNs Work?
A typical VPN embeds one protocol inside of another

Most protocols can be tunneled inside of another
protocol

Layer 2 and Layer 3 VPNs

Most VPNs use specialized protocols

IPSec

PPTP

SSL/TLS

MPLS

IP over DNS, ICMP, HTTP, IP, etc.

See http://www.vpnc.org/vpn-standards.html


Embedding TCP/IP in TCP/IP
(Diagram: A Packet. Data wrapped in TCP, IP and Ethernet headers.)

Embedding TCP/IP in TCP/IP
Layer 2 Tunnel
(Diagram: the inner Ethernet frame, headers and data, is carried as the Data of an outer Ethernet/IP/TCP packet.)

Embedding TCP/IP in TCP/IP
Layer 3 Tunnel
(Diagram: the inner IP packet, IP/TCP headers and data, is carried as the Data of an outer Ethernet/IP/TCP packet.)

OpenVPN: Features


Layer 2 or Layer 3 tunnels


Supports several authentication models

x.509 certificates

Pre-shared keys

LDAP

Two-factor authentication


NAT friendly


IPv4, IPv6 transport


Available on just about anything with a CPU


OpenVPN: Use Cases


Connect to home from afar


Securely traverse public networks


IPv6 or other protocol tunneling


Place remote server on local network


Bridge remote broadcast domains


Bypass restrictive firewalls & proxies


OpenVPN: Use Cases (diagrams)

Connect to home from afar
(Hotelnet - Internet - Homenet)

Securely traverse public networks
(Internet)

IPv6 or other protocol tunneling
(IPv6 Internet carried over the IPv4 Internet)

Give remote server static IP on local network
(Internet)

Bridge remote broadcast domains
(Internet)

Bypass restrictive proxies / firewalls
(Corpnet - Internet)

Traverse CGN / Provision global IPv4 address
(ISP CGN - Internet - Cloud Provider)

OpenVPN: Clients


Available in most Linux distros


Source available from openvpn.net


Windows GUI client from openvpn.net


OSX client – Tunnelblick

http://code.google.com/p/tunnelblick


Network Manager Plugin
networkmanager-openvpn


Android, iPhone, Symbian as well


OpenVPN: Server


Included in some Linux and *BSD distros

Debian/Ubuntu: apt-get install openvpn

RHEL/CentOS: yum install openvpn
(Not in base repos. Use rpmforge)

OSX: port install openvpn

FreeBSD/OpenBSD: Packages available; also in ports

Arch: pacman -S openvpn


Source code

http://openvpn.net/index.php/open-source/downloads.html


OpenVPN: Server Layout (Debian)


/etc/openvpn/*.conf

Each configuration file controls one instance of openvpn

You can mix server and client roles on the same machine

A configuration file defines either a client or server role

A tunnel device is mandatory

TUN (Layer3, point to point)

TAP (Layer2, bridging)

Authentication type is mandatory

Pre-shared keys

x.509 Certificate

IP addresses for the tunnel endpoints are also mandatory


OpenVPN: Server Layout (Debian)

/etc/default/openvpn

Run time (init) defaults

/var/run/

openvpn.$instance.pid

Per instance PID file

openvpn.$instance.status

Per instance status file

List of connected clients

Statistics


/var/log

syslog/messages

daemon.log


OpenVPN: Configuration Example
Simple Server Configuration File:
dev tun
ifconfig 10.10.0.1 10.10.0.2
secret pre-shared.key
Corresponding Client Configuration File:
remote server.example.com
dev tun
ifconfig 10.10.0.2 10.10.0.1
secret pre-shared.key


OpenVPN: Configuration Example
Simple Server Configuration File:
dev tun
(setup a layer 3 tunnel)
ifconfig 10.10.0.1 10.10.0.2
(local / remote IP address)
secret pre-shared.key
(openvpn --genkey)
Corresponding Client Configuration File:
remote server.example.com
(server address / hostname)
dev tun
(setup a layer 3 tunnel)
ifconfig 10.10.0.2 10.10.0.1
(local / remote IP address)
secret pre-shared.key
(must be same key as server)


OpenVPN: Multi-client Example
Server Configuration File:
port 1194
proto udp
dev tun0
ca ca.crt
cert server.example.crt
key server.example.key
mode server
tls-server
dh dh2048.pem
ifconfig-pool 192.168.35.230 192.168.35.240 255.255.255.0
push "route-gateway 192.168.35.1"
push "dhcp-option DNS 192.168.35.1"
keepalive 10 120
comp-lzo
user nobody
group nogroup


OpenVPN: Multi-client Example
Server Configuration File:
port 1194
(Listen on port 1194)
proto udp
(Use UDP)
dev tun0
(Create a point to point (layer 3) tunnel device)
ca ca.crt
(The CA certificate file)
cert server.example.crt
(The server certificate file)
key server.example.key
(The server's private key)
mode server
(this is a server)
tls-server
(Enable TLS and assume the server role in the TLS handshake)
dh dh2048.pem
(The Diffie-Hellman parameters file. Used for initial key exchange. Required for tls-server)
ifconfig-pool 192.168.35.230 192.168.35.240 255.255.255.0
(Pool of IP addresses to assign to clients)
push "route-gateway 192.168.35.1"
(The “push” directive pushes configuration options to the client)
push "dhcp-option DNS 192.168.35.1"
(Push the DNS server configuration option to the client)
keepalive 10 120
(Send a keepalive every 10 seconds and re-initialize if no packets have been seen in 120 seconds)
comp-lzo
(Enable compression)
user nobody
(Run as user nobody)
group nogroup
(Run as group nogroup)


OpenVPN: Multi-client Example
Client Configuration File:
client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
cert ryanczak.crt
key ryanczak.key
ns-cert-type server
comp-lzo
verb 3
mute 10


OpenVPN: Multi-client Example
Client Configuration File:
client
(Be a client)
dev tun
(Create a point to point (layer 3) tunnel device)
proto udp
(Use UDP)
remote server.example.com 1194
(The remote server and port)
resolv-retry infinite
(If DNS lookups fail keep trying forever. NEVER GIVE UP!)
nobind
(Let client choose local address and port to bind to)
persist-key
(Do not re-read key files upon restart (SIGUSR1, ping timeout))
persist-tun
(Do not close or re-open the tun device on restart (SIGUSR1, ping timeout))
ca cacert.pem
(The CA certificate file)
cert ryanczak.crt
(The client certificate file)
key ryanczak.key
(The client key file)
ns-cert-type server
(Require that the peer (server) certificate have an nsCertType of “server”)
comp-lzo
(Enable compression)
verb 3
(Log verbosity level, 0 - 11)
mute 10
(Log at most 10 consecutive messages of same type)
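
As an added example, not part of the deck, a small Python audit of the two multi-client configs above: it parses OpenVPN's line-oriented directive syntax and flags the hardening points a reviewer would raise about these settings. The embedded configs are reconstructed from the slides; the finding texts and the audit rules are this example's own.

```python
# Added example (not from the deck): parse the deck's multi-client configs and flag
# hardening points a reviewer would raise. Sample configs are constructed from the slides.
SERVER_CONF = """\
port 1194
ca ca.crt
cert server.example.crt
key server.example.key
mode server
tls-server
dh dh2048.pem
ifconfig-pool 192.168.35.230 192.168.35.240 255.255.255.0
comp-lzo
user nobody
group nogroup
"""
CLIENT_CONF = """\
client
remote server.example.com 1194
ca cacert.pem
cert ryanczak.crt
key ryanczak.key
ns-cert-type server
comp-lzo
"""

def parse_conf(text):
    """Map each directive to the list of its argument strings (one entry per occurrence)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip both comment styles
        if line:
            name, *rest = line.split(None, 1)
            conf.setdefault(name, []).append(rest[0] if rest else "")
    return conf

def audit(conf):
    """Return finding strings; each starts with the directive it concerns."""
    findings = []
    if "comp-lzo" in conf:
        findings.append("comp-lzo: compressing tunnelled traffic exposes it to compression-oracle attacks; drop it")
    if not ("tls-auth" in conf or "tls-crypt" in conf):
        findings.append("tls-auth: control channel lacks an HMAC firewall, so unauthenticated UDP reaches the TLS stack")
    is_server = "tls-server" in conf or conf.get("mode") == ["server"]
    if is_server and ("user" not in conf or "group" not in conf):
        findings.append("user/group: daemon stays root after startup; add 'user nobody' and 'group nogroup'")
    if "ns-cert-type" in conf:
        findings.append("ns-cert-type: deprecated; 'remote-cert-tls server' checks extendedKeyUsage instead")
    elif "client" in conf and "remote-cert-tls" not in conf:
        findings.append("remote-cert-tls: server role unchecked, so any cert from the same CA could pose as the server")
    return findings
```

Run `audit(parse_conf(SERVER_CONF))` and `audit(parse_conf(CLIENT_CONF))` to see the findings for each side; the deck's server already drops privileges, so only the compression and control-channel points remain there.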


OpenVPN: Multi-client GUI Example
network-manager-openvpn:
(screenshots of the NetworkManager OpenVPN plugin)


OpenVPN: Certificates and Keys


Pre-shared keys are an easy option

Easy

openvpn --genkey --secret secret.key

Does not scale well


x.509 certificates

More complicated to setup and use

Makes a multi-user or multi-server setup easier to maintain

Can integrate with existing CA infrastructure

Enables use of 2 factor authentication


OpenVPN: Certificates with easy-rsa


The openvpn source tarball comes with easy-rsa

easy-rsa is an openssl wrapper that makes setting up a certificate authority easy.

Handles the issuance of server and client certificates


src/openvpn/easy-rsa/

1.0
(old version)

2.0
(new version)

Windows
(Windows Version)


OpenVPN: Certificates with easy-rsa
Setting up easy-rsa 2.0:


Read the README!


Edit the vars file

Set Country, Province, Org, Email


Load the vars: $ . ./vars


Initialize the CA: $ ./build-ca


Create a server certificate: $ ./build-key-server server.example.com


Create a user certificate: $ ./build-key matt@example.com


Copy Certificate (*.crt) / Key (*.key) to client and server


OpenVPN: Routing


Routing is an important consideration


Routing all traffic over the tunnel can be more secure

Can impact performance

Force client to direct all traffic over tunnel

push "redirect-gateway def1"


Sometimes you only want traffic destined for the remote network

Generally will get better performance for non-vpn traffic

Force client to direct only some traffic over tunnel

push "route 192.168.10.0 255.255.255.0 192.168.10.1"


Client can also ignore the server and setup its own routes

route-nopull or route-noexec
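
As an added example, not part of the deck, the following Python models what the two pushed routing options above do to a client's routing table, using longest-prefix matching as the kernel does. The LAN gateway and VPN server addresses are constructed (RFC 5737 documentation ranges); the VPN gateway and remote network values are the deck's own.

```python
import ipaddress

# Added example (not from the deck): how the pushed routing options from the slides change
# a client's table. Gateway and server addresses are constructed (RFC 5737 ranges).
LAN_GW, VPN_GW, VPN_SERVER = "10.0.0.1", "192.168.35.1", "203.0.113.10"

def route(cidr, via):
    return (ipaddress.ip_network(cidr), via)

def base_table():
    """Client table before the tunnel comes up: ISP default route plus the local LAN."""
    return [route("0.0.0.0/0", LAN_GW), route("10.0.0.0/24", "link")]

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, as in the kernel FIB."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def redirect_gateway_def1(table):
    """push "redirect-gateway def1": a /32 to the VPN server via the old gateway keeps the
    tunnel's own packets off the tunnel, then 0.0.0.0/1 and 128.0.0.0/1 shadow the default
    route without deleting it, so tearing the tunnel down just removes these three routes."""
    return table + [route(VPN_SERVER + "/32", LAN_GW),
                    route("0.0.0.0/1", VPN_GW), route("128.0.0.0/1", VPN_GW)]

def split_tunnel(table):
    """push "route 192.168.10.0 255.255.255.0 192.168.10.1": only the remote network goes
    over the tunnel; everything else keeps using the ISP default route."""
    return table + [route("192.168.10.0/24", "192.168.10.1")]

if __name__ == "__main__":
    for name, table in (("full tunnel", redirect_gateway_def1(base_table())),
                        ("split tunnel", split_tunnel(base_table()))):
        for dst in ("198.51.100.7", "192.168.10.5", VPN_SERVER):
            print(f"{name}: {dst} -> {lookup(table, dst)}")
```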


OpenVPN: Firewall Rules (NAT)


Some form of firewall configuration is probably required


If you want VPN clients to have Internet access, don't forget the NAT

$IPTABLES -t nat -A POSTROUTING -o $INTERNETIF -s $VPNNET -j MASQUERADE


Layer 2 tunnels may not require any special firewall rules


Consider securing traffic from VPN clients to internal network

Prudent if using VPN to setup static tunnel to remote server


Thanks!