Difference between revisions of "VPN server"

 
=Introduction=

[[File:Introduction-icon.png|link=VPN|64px|caption|VPN introduction]]

[[VPN|VPN introduction]]

[[File:Vpn-server-config-icon.png|link=VPN server configuration|64px|caption|VPN server configuration]]

[[VPN server configuration|OpenVPN server configuration (server.conf)]]

[[File:Ssl certificate icon.jpg|link=VPN certificates management|64px|caption|VPN certificates management]]

[[VPN certificates management]]

[[File:Internet security.png|link=VPN security|64px|caption|VPN security]]

[[VPN security]]

=Server installation=

==Binary==
Installation is easy. You just need the ''openvpn'' package, plus ''easy-rsa'' for the certificate tooling used below.
 
 
 
<syntaxhighlight lang="bash">
 
apt-get update && apt-get upgrade
 
apt-get install openvpn easy-rsa
 
</syntaxhighlight>
 
 
 
==Logs==
 
 
 
Create the target files:
 
 
 
<syntaxhighlight lang="bash">
 
touch /var/log/openvpn.log
 
touch /var/log/openvpn-status.log
 
chmod 777 /var/log/openvpn*
 
</syntaxhighlight>

Note that ''chmod 777'' makes both log files world-writable, so any local user can tamper with or truncate them. If OpenVPN drops to ''nobody''/''nogroup'' as in the configuration below, giving that account ownership of the two files with mode 644 is sufficient.
 
 
 
Create symlinks
 
 
 
<syntaxhighlight lang="bash">
 
ln -s /var/log/openvpn.log /etc/openvpn/openvpn.log
 
ln -s /var/log/openvpn-status.log /etc/openvpn/openvpn-status.log
 
</syntaxhighlight>
 
 
 
Adjust ''/etc/openvpn/server.conf'' accordingly (see the ''log'', ''log-append'' and ''status'' directives in the configuration example below):

* ''/var/log/openvpn.log'': real-time log
* ''/var/log/openvpn-status.log'': list of connected clients
 
 
 
 
 
 
 
 
=Public Key Infrastructure=
 
 
 
The OpenVPN package provides a set of certificate-management scripts called "easy-rsa".
 
 
 
These scripts are located by default in the ''/usr/share/doc/openvpn/examples/easy-rsa/'' directory (old Ubuntu) or in ''/usr/share/easy-rsa/'' (Ubuntu 14.04 and later).
 
 
 
However, in order to function properly, these scripts should be located in the /etc/openvpn directory.
 
 
 
 
 
==Installation==
 
 
 
Copy these files with the following command:
 
 
 
[Old Ubuntu - before 14.04]
 
<syntaxhighlight lang="bash">
 
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
 
</syntaxhighlight>
 
 
 
[New Ubuntu distro - 14.04 and later]
 
<syntaxhighlight lang="bash">
 
cp -R /usr/share/easy-rsa/ /etc/openvpn
 
</syntaxhighlight>
 
 
 
 
 
==Configure Public Key Infrastructure Variables==
 
 
 
 
 
 
 
===Default values===
 
 
 
Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts will use when generating the certificates.
 
 
 
These variables are set near the end of the ''vars'' file (/etc/openvpn/easy-rsa/vars, or /etc/openvpn/easy-rsa/2.0/vars on old Ubuntu).
 
 
 
 
 
 
 
[Old Ubuntu]

On old Ubuntu releases the scripts live one level deeper, so add '''2.0/''' to every /etc/openvpn/easy-rsa/ path used below (e.g. /etc/openvpn/easy-rsa/'''2.0/'''vars)!
 
 
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/openvpn/easy-rsa/vars
 
</syntaxhighlight>
 
 
 
 
 
Here is an example of the relevant values:
 
 
 
<syntaxhighlight lang="bash">
 
export KEY_COUNTRY="SE"
 
export KEY_PROVINCE="Västra Götaland"
 
export KEY_CITY="Goteborg"
 
export KEY_ORG="daxiongmao.eu"
 
export KEY_EMAIL="guillaume@qin-diaz.com"
 
</syntaxhighlight>
 
 
 
>> Alter the examples to reflect your configuration.
 
 
 
This information will be included in the certificates you create, so it must be accurate, particularly the KEY_ORG and KEY_EMAIL values.
 
 
 
 
 
 
 
===Initialize the Public Key Infrastructure (PKI)===
 
 
 
Generate the Certificate Authority (CA):
 
 
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/openvpn/easy-rsa/
 
. /etc/openvpn/easy-rsa/vars
 
. /etc/openvpn/easy-rsa/clean-all
 
. /etc/openvpn/easy-rsa/build-ca
 
</syntaxhighlight>
 
 
 
When asked, use your COMPANY name as the "common name".
 
 
 
 
 
 
 
===Generate OpenVPN Server Certificates and Private Key===
 
 
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/openvpn/easy-rsa/
 
source /etc/openvpn/easy-rsa/vars
 
. /etc/openvpn/easy-rsa/build-key-server [server]
 
</syntaxhighlight>
 
 
 
Replace ''[server]'' with your actual server name!
 
 
 
 
 
This script will also prompt you for additional information.
 
 
 
Common Name = name of the current server (its DNS name)
 
 
 
 
 
 
 
===Generate Clients certificates and private keys===
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/openvpn/easy-rsa/
 
source /etc/openvpn/easy-rsa/vars
 
. /etc/openvpn/easy-rsa/build-key [clientName]
 
</syntaxhighlight>
 
 
 
Replace the ''[clientName]'' parameter with a relevant identifier for each client.

* The client common name must be unique
* It helps you to identify each client, so don't hesitate to use a meaningful name.
 
 
 
 
 
The name is put inside the certificate.
 
 
 
All other information can remain the same.
 
 
 
 
 
 
 
===Generate Diffie Hellman Parameters===
 
 
 
The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server.
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/openvpn/easy-rsa/
 
. /etc/openvpn/easy-rsa/build-dh
 
</syntaxhighlight>
 
 
 
 
 
 
 
===Generate shared security key===
 
 
 
'''NOT TESTED – July 2013'''

To increase security, you can use a shared common key (''tls-auth'') between the server and the clients.

Each client will then need the shared key in addition to its own key to connect.
 
 
 
<syntaxhighlight lang="bash">
 
openvpn --genkey --secret ./keys/ta.key
 
</syntaxhighlight>
 
 
 
 
 
==Distribute keys==
 
 
 
 
 
 
 
===Client files===
 
 
 
In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines.
 
They are:
 
* Certificate authority certificate ca.crt
* Client certificate [clientName].crt
* Client private key [clientName].key
 
 
 
!!! These keys must be transferred with the utmost attention to security.

Anyone who has the key is able to gain full access to your virtual private network !!!
 
 
 
 
 
 
===Server files===
 
 
 
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them.
 
These files are:
 
* Certificate authority certificate ca.crt
* Certificate authority private key ca.key
* Diffie Hellman parameters dh2048.pem (on newer distributions the default size, and therefore the file name, may be larger)
 
* Server certificate server.crt
 
* Server private key server.key
 
 
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/openvpn/
 
ln -s /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
 
ln -s /etc/openvpn/easy-rsa/keys/ca.key /etc/openvpn/ca.key
 
ln -s /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/dh2048.pem
 
ln -s /etc/openvpn/easy-rsa/keys/myServer.crt /etc/openvpn/server.crt
 
ln -s /etc/openvpn/easy-rsa/keys/myServer.key /etc/openvpn/server.key
 
</syntaxhighlight>
 
 
 
 
 
!! Apart from 'ca.crt', none of these files must ever leave your server !!

The server process itself only reads ca.crt, server.crt, server.key and the DH parameters (see the ''ca'', ''cert'', ''key'' and ''dh'' lines of the configuration example below), so the CA private key ca.key does not need to be on the VPN server at all: keeping it on a separate, offline machine limits the damage if the server is compromised.
 
 
 
 
 
==Revoking Client Certificates==
 
 
 
''How to remove a user's access to the VPN server?''
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/openvpn/easy-rsa/
 
. /etc/openvpn/easy-rsa/vars
 
. /etc/openvpn/easy-rsa/revoke-full [clientName]
 
</syntaxhighlight>
 
 
 
 
 
This will revoke the ability of users who have the [clientName] certificate to access the VPN.

The server only rejects a revoked certificate once it checks the certificate revocation list: ''revoke-full'' writes ''keys/crl.pem'', which must be referenced by a ''crl-verify'' directive in ''server.conf'' (and is re-generated each time you revoke a certificate). OpenVPN re-reads the CRL on every client connection, so with ''chroot'' enabled the path must remain valid inside the chroot directory.

For this reason, keeping track of which users are in possession of which certificates is crucial.
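Added example, not part of the original page: a small Python check tying the status file from the ''Logs'' section (the list of connected clients) to this revocation step. It parses a constructed ''openvpn-status.log'' and a constructed easy-rsa ''keys/index.txt'' (the OpenSSL CA database that ''revoke-full'' updates) and reports any revoked common name that is still connected, which is exactly what you see when the server has no ''crl-verify'' directive.

```python
import re

# Constructed sample of /etc/openvpn/openvpn-status.log (the "list of connected clients").
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Sep 10 21:30:00 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,12345,67890,Thu Sep 10 21:12:05 2015
bob,198.51.100.7:40001,2048,4096,Thu Sep 10 21:20:11 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.15.6,alice,203.0.113.10:51234,Thu Sep 10 21:29:50 2015
END
"""

# Constructed sample of easy-rsa's keys/index.txt (OpenSSL CA database), tab separated:
# status (V valid / R revoked), expiry, revocation date (empty unless revoked), serial, file, subject.
INDEX_TXT = (
    "V\t250908193500Z\t\t02\tunknown\t/C=SE/O=daxiongmao.eu/CN=alice\n"
    "R\t250908194000Z\t150910210000Z\t03\tunknown\t/C=SE/O=daxiongmao.eu/CN=bob\n"
)

def connected_clients(status_text):
    """Return {common_name: real_address} from the CLIENT LIST table of the status file."""
    clients, in_table = {}, False
    for line in status_text.splitlines():
        if line.startswith("Common Name,"):
            in_table = True          # header row of the client table
        elif line.startswith("ROUTING TABLE"):
            break                    # the client table ends here
        elif in_table and line:
            common_name, real_address = line.split(",")[:2]
            clients[common_name] = real_address
    return clients

def revoked_common_names(index_text):
    """Return the CNs whose certificate is flagged R (revoked) in index.txt."""
    revoked = set()
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "R":
            match = re.search(r"/CN=([^/]+)", fields[5])
            if match:
                revoked.add(match.group(1))
    return revoked

def revoked_but_connected(status_text, index_text):
    """Revoked CNs that are still connected: the server is not enforcing the CRL."""
    return sorted(set(connected_clients(status_text)) & revoked_common_names(index_text))
```

Run it against the real files (with the paths from this page) from a cron job and alert on a non-empty result.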
 
 
 
 
 
 
 
 
 
=Server configuration=
 
 
 
 
 
==Configuration file==
 
 
 
 
 
===Basic setup===
 
 
 
<syntaxhighlight lang="bash">
 
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
 
cd /etc/openvpn/
 
gzip -d server.conf.gz
 
</syntaxhighlight>
 
 
 
 
 
===Security algorithms and hash===
 
 
 
'''Cryptographic algorithms'''
 
<syntaxhighlight lang="bash">
 
openvpn --show-ciphers
 
</syntaxhighlight>
 
 
 
Search for: AES-128-CBC, AES-256-CBC
 
 
 
 
 
'''Hash algorithms'''
 
<syntaxhighlight lang="bash">
 
openvpn --show-digests
 
</syntaxhighlight>
 
 
 
Search for: MD5

MD5 is what the ''auth MD5'' line of the example configuration below uses; OpenVPN's own default for this HMAC is SHA1, and the same list shows SHA256, which is the better choice on recent releases.
 
 
 
 
 
'''Handshake algorithms'''
 
<syntaxhighlight lang="bash">
 
openvpn --show-tls
 
</syntaxhighlight>
 
 
 
 
 
===Push network information===
 
 
 
For every network that you want to make reachable through your VPN, you have to adjust the other servers so that they have a route back to the VPN network (see ''Other servers configuration'' below).

This will '''enable access to remote networks'''.
 
 
 
 
 
source: http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/
 
 
 
 
 
 
 
You can push network information such as:
 
* route(s). The VPN route is mandatory; you can also push the route of the remote network so that the VPN server acts as a "gateway" to it.
 
* DNS
 
 
 
<syntaxhighlight lang="bash">
 
### Push network settings to the client
 
#  >> VPN route. required to allow connections
 
push "route 192.168.12.0 255.255.255.0"
 
#  >> Set the VPN server as global gateway
 
push "redirect-gateway def1"
 
 
 
 
 
### Set the VPN server to act as a gateway for remote network
 
### You must set 1 'push route <network> <mask>' per target network(s)
 
#  >> Remote LAN route. Required to access internal hosts located in the VPN server's network
 
push "route 192.168.1.0 255.255.255.0"
 
# >> Remote DNS server
 
push "dhcp-option WINS 192.168.1.21"
 
push "dhcp-option DNS 192.168.1.21"
 
# >> Force windows clients to use the pushed DNS
 
push "register-dns"
 
 
 
 
 
###  >> set alternate / failover DNS servers
 
push "dhcp-option DNS 8.8.8.8"
 
push "dhcp-option DNS 8.8.4.4"
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Configuration example==
 
 
 
This is what your configuration should look like:
 
 
 
<syntaxhighlight lang="bash">
 
#################################################
 
# OpenVPN 2.0 config file                      #
 
# --------------------------------------------- #
 
# version 1.0 - April 2011 - Guillaume Diaz
 
# version 1.2 - June 2013 - Guillaume Diaz
 
#                          conf update + chroot
 
#################################################
 
 
 
 
 
# OpenVPN configuration
 
##########################
 
# Which local IP address should OpenVPN listen on? (optional)
 
local 192.168.1.2
 
 
 
# VPN interface
 
# Which TCP/UDP port should OpenVPN listen on?
 
# TCP or UDP server?
 
dev tun
 
proto udp
 
port 8080
 
 
 
 
 
# SECURITY - Crypto
 
########################
 
# SSL/TLS root certificate (ca)
 
# Server certificate and private key
 
# Diffie hellman parameters
 
ca /etc/openvpn/ca.crt
 
cert /etc/openvpn/server.crt
 
key /etc/openvpn/server.key
 
dh /etc/openvpn/dh2048.pem
 
 
 
# Shared secret key by both server and clients
 
;tls-auth /etc/openvpn/ta.key 0
 
 
 
# Crypto settings
 
cipher AES-128-CBC
 
auth MD5
 
 
 
# Drop the OpenVPN daemon's privileges after start-up

# and chroot it to its own directory
 
user nobody
 
group nogroup
 
chroot /etc/openvpn/
 
 
 
 
 
 
 
# SERVER CONF
 
##########################
 
# Server mode and VPN subnet
 
server 192.168.15.0 255.255.255.0
 
# Maintain a record of client <-> virtual IP address associations in this file. 
 
ifconfig-pool-persist ipp.txt
 
# Keepalive (ping-like)
 
# 1 ping every 10s. 120s timeout = disconnect client
 
keepalive 10 120
 
# Keep server connection up and running
 
persist-key
 
persist-tun
 
# Compression of data exchange
 
comp-lzo
 
 
 
 
 
 
 
 
 
# CLIENTS CONF
 
##########################
 
# Maximum number of concurrently connected clients
 
;max-clients 100
 
 
 
# Allow different clients to be able to "see" each other.
 
client-to-client
 
# One certificate, multiple clients
 
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
 
;duplicate-cn
 
# Fix for Microsoft Windows clients
 
mssfix
 
# Allow OpenVPN to call external scripts (level 2 = built-in executables and user-defined scripts)
 
script-security 2
 
 
 
 
 
# Push routes to the client
 
#  >> VPN route. required to allow connections
 
push "route 192.168.15.0 255.255.255.0"
 
#  >> Set the VPN server as global gateway
 
push "redirect-gateway def1"
 
 
 
### Set the VPN server to act as a gateway for remote network
 
### You must set 1 'push route <network> <mask>' per target network(s)
 
#  >> Remote LAN route. Required to access internal hosts located in the VPN server's network
 
push "route 192.168.1.0 255.255.255.0"
 
# >> Remote DNS server
 
push "dhcp-option WINS 192.168.1.21"
 
push "dhcp-option DNS 192.168.1.21"
 
# >> Force windows clients to use the pushed DNS
 
push "register-dns"
 
 
 
 
 
###  >> set alternate / failover DNS servers
 
push "dhcp-option DNS 8.8.8.8"
 
push "dhcp-option DNS 8.8.4.4"
 
 
 
 
 
# LOGS
 
##########################
 
# Short status file showing current connections
 
# this is truncated and rewritten every minute.
 
status /etc/openvpn/openvpn-status.log
 
 
 
# Log in a dedicated file instead of /var/log/messages
 
log        /etc/openvpn/openvpn.log
 
log-append  /etc/openvpn/openvpn.log
 
 
 
# Log level
 
# 0 is silent, except for fatal errors
 
# 4 is reasonable for general usage
 
# 5 and 6 can help to debug connection problems
 
# 9 is extremely verbose
 
verb 6
 
 
 
# Silence repeating messages. 
 
# At most xx sequential same messages will be output to the log file.
 
mute 10
 
</syntaxhighlight>
 
 
 
 
 
You can use either TCP or UDP. Performance is the same; UDP is a bit easier to set up.
 
 
 
Be careful when you choose the port number!
 
Common open ports:
 
* 80 (http)
 
* 443 (HTTPS)
 
* 8080 (Proxy / JEE servers)
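Added example, not part of the original page: a Python audit of the directives shown above. It parses a constructed excerpt of ''server.conf'' (';' and '#' lines are comments, as in the real file) and flags the weak settings discussed on this page, ''tls-auth'' left commented out, ''auth MD5'', ''duplicate-cn'' combined with ''ifconfig-pool-persist'', missing ''user''/''group''/''chroot'', plus a missing ''crl-verify'' line, without which certificate revocation has no effect.

```python
# Constructed excerpt of /etc/openvpn/server.conf, keeping the weak and the
# commented-out settings of the page's example so the checks have something to flag.
SERVER_CONF = """\
port 8080
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
;tls-auth /etc/openvpn/ta.key 0
cipher AES-128-CBC
auth MD5
user nobody
group nogroup
chroot /etc/openvpn/
server 192.168.15.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;duplicate-cn
script-security 2
push "redirect-gateway def1"
"""

def parse_directives(conf_text):
    """Map each active directive to its argument strings; ';' and '#' lines are comments."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip().strip('"'))
    return directives

def audit(conf_text):
    """Return findings for the security-relevant settings discussed on this page."""
    d = parse_directives(conf_text)
    findings = []
    if "tls-auth" not in d:
        findings.append("tls-auth is commented out or missing: no shared HMAC key protects the TLS handshake")
    if d.get("auth", ["SHA1"])[-1].upper() == "MD5":  # OpenVPN's own default is SHA1
        findings.append("auth MD5: pick a SHA-2 digest from 'openvpn --show-digests' instead")
    if "duplicate-cn" in d and "ifconfig-pool-persist" in d:
        findings.append("duplicate-cn must not be combined with ifconfig-pool-persist")
    for required in ("user", "group", "chroot"):
        if required not in d:
            findings.append(f"{required} not set: the daemon keeps root privileges after start-up")
    if "crl-verify" not in d:
        findings.append("crl-verify missing: revoked client certificates are still accepted")
    return findings
```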
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
=Server security: Fail2ban=
 
 
 
It's a good idea to protect your server against brute force attacks and intruders.
 
 
 
See [[Fail2ban#VPN rule]]
 
 
 
 
 
 
 
 
 
=Other servers configuration=
 
 
 
On each server that will be reachable through the VPN (including your VPN gateway) you have to add a new route to the VPN network.
 
 
 
 
 
Create script
 
 
 
<syntaxhighlight lang="bash">
 
cd /etc/init.d
 
vim addRouteToVpn.sh
 
</syntaxhighlight>
 
 
 
 
 
Put the following content
 
 
 
<syntaxhighlight lang="bash">
 
#!/bin/bash
# Add a new route to the VPN network

### BEGIN INIT INFO
# Provides:          vpn-route
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: VPN route
# Description:       This will add a route to the VPN
### END INIT INFO

VPN_NETWORK="192.168.15.0"
VPN_NETWORK_MASK="255.255.255.0"
## VPN gateway = IP @ of the VPN server in the remote [company] network
VPN_GATEWAY="192.168.1.45"

# An init script is called with "start" or "stop"; only add the route on start
case "$1" in
  start)
    echo " "
    echo "Adding route to the remote [company] network"
    echo "  VPN network:  $VPN_NETWORK/$VPN_NETWORK_MASK"
    echo "  VPN gateway:  $VPN_GATEWAY"
    echo " "
    route add -net "$VPN_NETWORK" netmask "$VPN_NETWORK_MASK" gw "$VPN_GATEWAY"
    ;;
  stop)
    # Remove the route again when the runlevel stops the service
    route del -net "$VPN_NETWORK" netmask "$VPN_NETWORK_MASK" gw "$VPN_GATEWAY"
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
 
 
 
</syntaxhighlight>
 
 
 
 
 
Grant the execution rights
 
 
 
<syntaxhighlight lang="bash">
 
chmod 755 /etc/init.d/addRouteToVpn.sh
 
</syntaxhighlight>
 
 
 
 
 
Register the script to run on boot, then reboot
 
 
 
<syntaxhighlight lang="bash">
 
update-rc.d addRouteToVpn.sh defaults
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
=Server: Advanced stuff=
 
 
 
Logrotate
 
http://guillaume.vaillant.me/?p=393
 
 
 
-- TO BE FINISHED --
 
 
 
 
 
 
 
 
 
=Firewall=
 
 
 
See [[Firewall VPN]]
 

Latest revision as of 21:30, 10 September 2015