(6 intermediate revisions by the same user not shown) |
Line 2: |
| | | |
| | | |
− | =Introduction=
| + | [[File:Introduction-icon.png|link=VPN|64px|caption|VPN introduction]] |
| + | [[VPN|VPN introduction]] |
| | | |
− | See [[VPN|VPN introduction]]
| |
| | | |
| + | [[File:Vpn-server-config-icon.png|link=VPN server configuration|64px|caption|VPN server configuration]] |
| + | [[VPN server configuration|OpenVPN server configuration (server.conf)]] |
| | | |
| | | |
| + | [[File:Ssl certificate icon.jpg|link=VPN certificates management|64px|caption|VPN certificates management]] |
| + | [[VPN certificates management]] |
| | | |
− | =Server installation=
| |
| | | |
− | | + | [[File:Internet security.png|link=VPN security|64px|caption|VPN security]] |
− | ==Binary==
| + | [[VPN security]] |
− | | |
− | Installation is easy. You just need “openvpn”.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | apt-get update && apt-get upgrade
| |
− | apt-get install openvpn easy-rsa
| |
− | </syntaxhighlight>
| |
− | | |
− | ==Logs==
| |
− | | |
− | Create target files
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | touch /var/log/openvpn.log
| |
− | touch /var/log/openvpn-status.log
| |
− | chmod 777 /var/log/openvpn*
| |
− | </syntaxhighlight>
| |
− | | |
− | Create symlinks
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | ln -s /var/log/openvpn.log /etc/openvpn/openvpn.log
| |
− | ln -s /var/log/openvpn-status.log /etc/openvpn/openvpn-status.log
| |
− | </syntaxhighlight>
| |
− | | |
− | Adjust '/etc/openvpn/server.conf' accordingly
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /var/log/openvpn.log => real time log
| |
− | /var/log/openvpn-status.log => list of connected clients
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− |
| |
− | | |
− | =Public Key Infrastructure=
| |
− | | |
− | The OpenVPN package provides a set of encryption-related tools called "easy-rsa".
| |
− | | |
− | These scripts are located by default in the ''/usr/share/doc/openvpn/examples/easy-rsa/'' directory.
| |
− | | |
− | However, in order to function properly, these scripts should be located in the /etc/openvpn directory.
| |
− | | |
− | | |
− | ==Installation==
| |
− | | |
− | Copy these files with the following command:
| |
− | | |
− | [Old Ubuntu - before 14.04]
| |
− | <syntaxhighlight lang="bash">
| |
− | cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
| |
− | </syntaxhighlight>
| |
− | | |
− | [New Ubuntu distro - 14.04 and later]
| |
− | <syntaxhighlight lang="bash">
| |
− | cp -R /usr/share/easy-rsa/ /etc/openvpn
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Configure Public Key Infrastructure Variables==
| |
− | | |
− | | |
− | | |
− | ===Default values===
| |
− | | |
− | Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts will use to generate the scripts.
| |
− | | |
− | These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file.
| |
− | | |
− | | |
− | | |
− | [Old Ubuntu]
| |
− | | |
− | Don't forget to add /etc/openvpn/easy-rsa/'''2.0/''' everywhere !!
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/openvpn/easy-rsa/vars
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Here is an example of the relevant values:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | export KEY_COUNTRY="SE"
| |
− | export KEY_PROVINCE="Västra Götaland"
| |
− | export KEY_CITY="Goteborg"
| |
− | export KEY_ORG="daxiongmao.eu"
| |
− | export KEY_EMAIL="guillaume@qin-diaz.com"
| |
− | </syntaxhighlight>
| |
− | | |
− | >> Alter the examples to reflect your configuration.
| |
− | | |
− | This information will be included in certificates you create!
| |
− | That must be accurate, particularly the KEY_ORG and KEY_EMAIL values.
| |
− | | |
− | | |
− | | |
− | ===Initialize the Public Key Infrastructure (PKI)===
| |
− | | |
− | Generate the Authority of Certification (AC):
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | . /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/clean-all
| |
− | . /etc/openvpn/easy-rsa/build-ca
| |
− | </syntaxhighlight>
| |
− | | |
− | When asked, use your COMPANY name as "common name".
| |
− | | |
− | | |
− | | |
− | ===Generate OpenVPN Server Certificates and Private Key===
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | source /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/build-key-server [server]
| |
− | </syntaxhighlight>
| |
− | | |
− | [server] replace server by your actual server name !
| |
− | | |
− | | |
− | This script will also prompt you for additional information.
| |
− | | |
− | Common Name = Name of the current server (server DNS name)
| |
− | | |
− | | |
− | | |
− | ===Generate Clients certificates and private keys===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | source /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/build-key [clientName]
| |
− | </syntaxhighlight>
| |
− | | |
− | Replace the ''[clientName]'' parameter with a relevant identifier for each client.
| |
− | * The client common name must be unique
| |
− | * It helps you to identify each client. Don’t hesitate to use meaningful name.
| |
− | | |
− | | |
− | The name is put inside the certificate.
| |
− | | |
− | All other information can remain the same
| |
− | | |
− | | |
− | | |
− | ===Generate Diffie Hellman Parameters===
| |
− | | |
− | The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | . /etc/openvpn/easy-rsa/build-dh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ===Generate shared security key===
| |
− | | |
− | '''NOT TESTED – July 2013'''
| |
− | | |
− | To increase security, you can use a share common key between server and clients.
| |
− | Each client will need the shared key + its own key to communicate.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --genkey --secret ./keys/ta.key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Distribute keys==
| |
− | | |
− | | |
− | | |
− | ===Client files===
| |
− | | |
− | In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines.
| |
− | They are:
| |
− | * Authority of certification ca.crt
| |
− | * Client certificate [clientName].crt
| |
− | * Client private key [clientName].key
| |
− | | |
− | !!! These keys should transferred with the utmost attention to security.
| |
− | Anyone who has the key is able to gain full access to your virtual private network !!!
| |
− | | |
− | | |
− |
| |
− | ===Server files===
| |
− | | |
− | The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them.
| |
− | These files are:
| |
− | * Authority of certification ca.crt
| |
− | * Authority private key ca.key
| |
− | * Diffie Hellman props dh2048.pem !! on new distro it might be higher by default !!
| |
− | * Server certificate server.crt
| |
− | * Server private key server.key
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/
| |
− | ln -s /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
| |
− | ln -s /etc/openvpn/easy-rsa/keys/ca.key /etc/openvpn/ca.key
| |
− | ln -s /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/dh2048.pem
| |
− | ln -s /etc/openvpn/easy-rsa/keys/myServer.crt /etc/openvpn/server.crt
| |
− | ln -s /etc/openvpn/easy-rsa/keys/myServer.key /etc/openvpn/server.key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | !! Apart 'ca.crt', all these files mustn't leave your server!!
| |
− | | |
− | | |
− | ==Revoking Client Certificates==
| |
− | | |
− | ''How to remove a user's access to the VPN server?''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | . /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/evoke-full [clientName]
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | This will revoke the ability of users who have the [clientName] certificate to access the VPN.
| |
− | | |
− | For this reason, keeping track of which users are in possession of which certificates is crucial.
| |
− | | |
− | | |
− | | |
− | | |
− | =Server configuration=
| |
− | | |
− | | |
− | ==Configuration file==
| |
− | | |
− | | |
− | ===Basic setup===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
| |
− | cd /etc/openvpn/
| |
− | gzip -d server.conf.gz
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Security algorithms and hash===
| |
− | | |
− | '''Cryptographic algorithms'''
| |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --show-ciphers
| |
− | </syntaxhighlight>
| |
− | | |
− | Search for: AES-128-CBC, AES-256-CBC
| |
− | | |
− | | |
− | '''Hash algorithms'''
| |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --show-digests
| |
− | </syntaxhighlight>
| |
− | | |
− | Search for: MD5
| |
− | | |
− | | |
− | '''Handshake algorithms'''
| |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --show-tls
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Push network information===
| |
− | | |
− | For every network that you want to make it accessible through your VPN you have to adjust the other server to add a route to it.
| |
− | | |
− | === This will '''enable access to remote networks'''.
| |
− | | |
− | | |
− | source: http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/
| |
− | | |
− | | |
− | | |
− | You can push network information such as:
| |
− | * route(s). The VPN route is mandatory. Then you can also push a reference to the remote server so the VPN server act as a "gateway".
| |
− | * DNS
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | ### Push network settings to the client
| |
− | # >> VPN route. required to allow connections
| |
− | push "route 192.168.12.0 255.255.255.0"
| |
− | # >> Set the VPN server as global gateway
| |
− | push "redirect-gateway def1"
| |
− | | |
− | | |
− | ### Set the VPN server to act as a gateway for remote network
| |
− | ### You must set 1 'push route <network> <mask>' per target network(s)
| |
− | # >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
| |
− | push "route 192.168.1.0 255.255.255.0"
| |
− | # >> Remote DNS server
| |
− | push "dhcp-option WINS 192.168.1.21"
| |
− | push "dhcp-option DNS 192.168.1.21"
| |
− | # >> Force windows clients to use the pushed DNS
| |
− | push "register-dns"
| |
− | | |
− | | |
− | ### >> set alternate / failover DNS servers
| |
− | push "dhcp-option DNS 8.8.8.8"
| |
− | push "dhcp-option DNS 8.8.4.4"
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Configuration example==
| |
− | | |
− | This is how you configuration should look like:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | #################################################
| |
− | # OpenVPN 2.0 config file #
| |
− | # --------------------------------------------- #
| |
− | # version 1.0 - April 2011 - Guillaume Diaz
| |
− | # version 1.2 - June 2013 - Guillaume Diaz
| |
− | # conf update + chroot
| |
− | #################################################
| |
− | | |
− | | |
− | # OpenVPN configuration
| |
− | ##########################
| |
− | # Which local IP address should OpenVPN listen on? (optional)
| |
− | local 192.168.1.2
| |
− | | |
− | # VPN interface
| |
− | # Which TCP/UDP port should OpenVPN listen on?
| |
− | # TCP or UDP server?
| |
− | dev tun
| |
− | proto udp
| |
− | port 8080
| |
− | | |
− | | |
− | # SECURITY - Crypto
| |
− | ########################
| |
− | # SSL/TLS root certificate (ca)
| |
− | # Server certificate and private key
| |
− | # Diffie hellman parameters
| |
− | ca /etc/openvpn/ca.crt
| |
− | cert /etc/openvpn/server.crt
| |
− | key /etc/openvpn/server.key
| |
− | dh /etc/openvpn/dh2048.pem
| |
− | | |
− | # Shared secret key by both server and clients
| |
− | ;tls-auth /etc/openvpn/ta.key 0
| |
− | | |
− | # Crypto settings
| |
− | cipher AES-128-CBC
| |
− | auth MD5
| |
− | | |
− | # Reduce OpenVPN daemon rights after application start
| |
− | # To chroot OpenVPN to its own folder
| |
− | user nobody
| |
− | group nogroup
| |
− | chroot /etc/openvpn/
| |
− | | |
− | | |
− | | |
− | # SERVER CONF
| |
− | ##########################
| |
− | # Server mode and VPN subset
| |
− | server 192.168.15.0 255.255.255.0
| |
− | # Maintain a record of client <-> virtual IP address associations in this file.
| |
− | ifconfig-pool-persist ipp.txt
| |
− | # Keepalive (ping-like)
| |
− | # 1 ping every 10s. 120s timeout = disconnect client
| |
− | keepalive 10 120
| |
− | # Keep server connection up and running
| |
− | persist-key
| |
− | persist-tun
| |
− | # Compression of data exchange
| |
− | comp-lzo
| |
− | | |
− | | |
− | | |
− | | |
− | # CLIENTS CONF
| |
− | ##########################
| |
− | # Maximum number of concurrently connected clients
| |
− | ;max-clients 100
| |
− | | |
− | # Allow different clients to be able to "see" each other.
| |
− | client-to-client
| |
− | # One certificate, multiple clients
| |
− | # Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
| |
− | ;duplicate-cn
| |
− | # Fix for Microsoft Windows clients
| |
− | mssfix
| |
− | # Server security level
| |
− | script-security 2
| |
− | | |
− | | |
− | # Push routes to the client
| |
− | # >> VPN route. required to allow connections
| |
− | push "route 192.168.15.0 255.255.255.0"
| |
− | # >> Set the VPN server as global gateway
| |
− | push "redirect-gateway def1"
| |
− | | |
− | ### Set the VPN server to act as a gateway for remote network
| |
− | ### You must set 1 'push route <network> <mask>' per target network(s)
| |
− | # >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
| |
− | push "route 192.168.1.0 255.255.255.0"
| |
− | # >> Remote DNS server
| |
− | push "dhcp-option WINS 192.168.1.21"
| |
− | push "dhcp-option DNS 192.168.1.21"
| |
− | # >> Force windows clients to use the pushed DNS
| |
− | push "register-dns"
| |
− | | |
− | | |
− | ### >> set alternate / failover DNS servers
| |
− | push "dhcp-option DNS 8.8.8.8"
| |
− | push "dhcp-option DNS 8.8.4.4"
| |
− | | |
− | | |
− | # LOGS
| |
− | ##########################
| |
− | # Short status file showing current connections
| |
− | # this is truncated and rewritten every minute.
| |
− | status /etc/openvpn/openvpn-status.log
| |
− | | |
− | # Log in a dedicated file instead of /var/log/messages
| |
− | log /etc/openvpn/openvpn.log
| |
− | log-append /etc/openvpn/openvpn.log
| |
− | | |
− | # Log level
| |
− | # 0 is silent, except for fatal errors
| |
− | # 4 is reasonable for general usage
| |
− | # 5 and 6 can help to debug connection problems
| |
− | # 9 is extremely verbose
| |
− | verb 6
| |
− | | |
− | # Silence repeating messages.
| |
− | # At most xx sequential same messages will be output to the log file.
| |
− | mute 10
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.
| |
− | | |
− | Be careful when you choose the port number!
| |
− | Common open ports:
| |
− | * 80 (http)
| |
− | * 443 (HTTPS)
| |
− | * 8080 (Proxy / JEE servers)
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =Server security: Fail2ban=
| |
− | | |
− | It's a good idea to protect your server against brute force attacks and intruders.
| |
− | | |
− | See [[Fail2ban#VPN rule]]
| |
− | | |
− | | |
− | | |
− | | |
− | =Other servers configuration=
| |
− | | |
− | On each server that will be reachable through the VPN (including your VPN gateway) you have to add a new route to the VPN network.
| |
− | | |
− | | |
− | Create script
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/init.d
| |
− | vim addRouteToVpn.sh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Put the following content
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | #!/bin/bash
| |
− | # Add a new route to the VPN network
| |
− | | |
− | ### BEGIN INIT INFO
| |
− | # Provides: vpn-route
| |
− | # Required-Start: $local_fs $remote_fs $network $syslog
| |
− | # Required-Stop: $local_fs $remote_fs $network $syslog
| |
− | # Should-Start: $named
| |
− | # Should-Stop: $named
| |
− | # Default-Start: 2 3 4 5
| |
− | # Default-Stop: 0 1 6
| |
− | # Short-Description: VPN route
| |
− | # Description: This will add a route to the VPN
| |
− | ### END INIT INFO
| |
− | | |
− | VPN_NETWORK="192.168.15.0"
| |
− | VPN_NETWORK_MASK="255.255.255.0"
| |
− | ## VPN gateway = IP @ of the VPN server in the remote [company] network
| |
− | VPN_GATEWAY="192.168.1.45"
| |
− | | |
− | echo " "
| |
− | echo "Adding route to the remote [company] network"
| |
− | echo " VPN network: $VPN_NETWORK/ $VPN_NETWORK_MASK"
| |
− | echo " VPN gateway: $VPN_GATEWAY"
| |
− | echo " "
| |
− | | |
− | route add -net $VPN_NETWORK netmask $VPN_NETWORK_MASK gw $VPN_GATEWAY
| |
− | | |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Grant the execution rights
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | chmod 755 /etc/init.d/addRouteToVpn.sh
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Register the script to run on boot && reboot
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | update-rc.d /etc/init.d/addRouteToVpn.sh defaults
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | =Server: Advanced stuff=
| |
− | | |
− | Logrotate
| |
− | http://guillaume.vaillant.me/?p=393
| |
− | | |
− | -- TO BE FINISHED --
| |
− | | |
− | | |
− | | |
− | | |
− | =Firewall=
| |
− | | |
− | See [[Firewall VPN]]
| |
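Review bot: the deleted body is replaced only by the four navigation links, so the material being relocated to [[VPN server configuration]] and [[VPN certificates management]] should be corrected on the way rather than copied verbatim, because the removed lines carry several defects. In the revocation step, `. /etc/openvpn/easy-rsa/evoke-full [clientName]` is a typo for `revoke-full` and the command as written fails, which matters most for the one procedure that takes access away. In the logs section, `chmod 777 /var/log/openvpn*` makes the real-time log and the connected-clients status file world-writable, so any local account can alter the connection record; `chmod 640` with ownership by root or the account OpenVPN drops to (`user nobody` / `group nogroup` in the config example) is sufficient. In the crypto settings, `auth MD5` and the matching "Search for: MD5" hint select a deprecated HMAC digest; `auth SHA256` is the obvious replacement, and `;tls-auth /etc/openvpn/ta.key 0` stays commented out even though the text introduces `ta.key` as a security improvement, so the relocated page should either enable it or drop the claim. In the server-files list, the `ln -s` of `ca.key` into /etc/openvpn is unnecessary: the configuration example references only ca.crt, server.crt, server.key and dh2048.pem, so the CA private key need not sit in the directory the daemon is chrooted to, and keeping it off the VPN host entirely is the safer reading of the "mustn't leave your server" warning. Minor: `log` and `log-append` both point at the same file and one of them suffices.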