Difference between revisions of "VPN"
Revision as of 23:21, 24 May 2014
VIRTUAL PRIVATE NETWORK (VPN)
Introduction
Reminder: What is a “VPN”?
- French: http://www.frameip.com/vpn/
- English:
Sources
- Linode: https://library.linode.com/networking/openvpn/debian-6-squeeze#sph_id7
- WebSite (1) : http://dev.shyd.de/2011/02/dockstar-howto-setup-openvpn-debian/
Installation
Binary
Installation is easy. You need the "openvpn" package plus "easy-rsa", the scripts that build the certificates (on Ubuntu before 14.04 they are shipped inside the openvpn package itself).
apt-get update && apt-get upgrade
apt-get install openvpn easy-rsa
Logs
Create target files, owned by the unprivileged user the daemon drops to (user/group nobody/nogroup in the server configuration below) and not writable by anyone else:
touch /var/log/openvpn.log
touch /var/log/openvpn-status.log
chown nobody:nogroup /var/log/openvpn*
chmod 640 /var/log/openvpn*
Do not use 'chmod 777' here: a world-writable log can be altered by any local user, and the Fail2ban jail below acts on what it reads in this file, so forged lines could get arbitrary addresses banned.
Create symlinks
ln -s /var/log/openvpn.log /etc/openvpn/openvpn.log
ln -s /var/log/openvpn-status.log /etc/openvpn/openvpn-status.log
Adjust '/etc/openvpn/server.conf' accordingly
/var/log/openvpn.log => real time log
/var/log/openvpn-status.log => list of connected clients
Public Key Infrastructure
Certificates and keys are generated with a set of OpenSSL wrapper scripts called "easy-rsa". On old Ubuntu they ship with the openvpn package under /usr/share/doc/openvpn/examples/easy-rsa/; on 14.04 and later they come from the separate easy-rsa package installed above, under /usr/share/easy-rsa/.
Copy them to the /etc/openvpn directory so that your edited vars file and the generated keys do not live in the documentation directory, where a package upgrade can overwrite them.
Installation
Copy these files with the following command:
[Old Ubuntu - before 14.04]
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
[New Ubuntu distro - 14.04 and later]
cp -R /usr/share/easy-rsa/ /etc/openvpn
Configure Public Key Infrastructure Variables
Default values
Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts use when they generate the certificates.
These variables are set near the end of the vars file.
[Old Ubuntu] The scripts live one level deeper, in /etc/openvpn/easy-rsa/2.0/: add that directory to every easy-rsa path in this section !!
vim /etc/openvpn/easy-rsa/vars
Here is an example of the relevant values:
export KEY_COUNTRY="SE"
export KEY_PROVINCE="Västra Götaland"
export KEY_CITY="Goteborg"
export KEY_ORG="daxiongmao.eu"
export KEY_EMAIL="guillaume@qin-diaz.com"
>> Alter the examples to reflect your configuration.
This information will be included in the certificates you create! It must be accurate, particularly the KEY_ORG and KEY_EMAIL values.
Initialize the Public Key Infrastructure (PKI)
Generate the Certificate Authority (CA), which signs every server and client certificate:
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
When asked, use your COMPANY name as "common name". clean-all wipes the keys/ directory, so run it only once, when you create the PKI.
Generate OpenVPN Server Certificates and Private Key
cd /etc/openvpn/easy-rsa/
source /etc/openvpn/easy-rsa/vars
./build-key-server [server]
[server] replace server by your actual server name !
This script will also prompt you for additional information.
Common Name = Name of the current server (server DNS name)
Generate Clients certificates and private keys
cd /etc/openvpn/easy-rsa/
source /etc/openvpn/easy-rsa/vars
./build-key [clientName]
Replace the [clientName] parameter with a relevant identifier for each client.
- The client common name must be unique
- It helps you to identify each client. Don’t hesitate to use meaningful name.
The name is put inside the certificate.
All other information can remain the same
Generate Diffie Hellman Parameters
The Diffie Hellman parameters are used for the ephemeral key exchange of the TLS handshake between the server and its clients (authentication itself is done with the certificates, not with these parameters). Their size follows KEY_SIZE in vars: use 2048 bits, 1024-bit parameters are too weak for a new deployment. Generation can take several minutes.
cd /etc/openvpn/easy-rsa/
./build-dh
NOT TESTED – July 2013
To increase security, you can add a static key shared by the server and all clients (tls-auth). Every control-channel packet is then HMAC-signed with this key, and packets without a valid HMAC are dropped before the TLS handshake even starts, which shields the server from port scans, DoS attempts and bugs in the TLS stack. Each client needs the shared key in addition to its own certificate and private key.
openvpn --genkey --secret ./keys/ta.key
Distribute keys
Client files
In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:
- CA certificate ca.crt
- Client certificate [clientName].crt
- Client private key [clientName].key
!!! These files must be transferred with the utmost attention to security (scp or a USB stick, never plain e-mail). Anyone who holds a client certificate and its private key can join your virtual private network as that client; if one leaks, revoke it right away (see "Revoking Client Certificates" below) !!!
Server files
The keys and certificates for the server need to be reachable from the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
- CA certificate ca.crt
- Diffie Hellman parameters dh1024.pem or dh2048.pem: the name follows the KEY_SIZE set in vars, and it must match the 'dh' line of server.conf (the configuration below uses dh2048.pem)
- Server certificate server.crt
- Server private key server.key
The CA private key ca.key is NOT needed to run the server; easy-rsa uses it only to sign and revoke certificates. Keep it out of /etc/openvpn (ideally off the server altogether): anyone who obtains it can issue certificates that your VPN trusts.
cd /etc/openvpn/
ln -s /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
ln -s /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/dh2048.pem
ln -s /etc/openvpn/easy-rsa/keys/myServer.crt /etc/openvpn/server.crt
ln -s /etc/openvpn/easy-rsa/keys/myServer.key /etc/openvpn/server.key
(myServer is the name you passed to build-key-server above; the private key must stay readable by root only, mode 600.)
!! Apart from 'ca.crt', none of these files must ever leave your server !!
Revoking Client Certificates
How to remove a user's access to the VPN server?
cd /etc/openvpn/easy-rsa/
source ./vars
./revoke-full [clientName]
This marks the [clientName] certificate as revoked and rewrites keys/crl.pem (the script ends by checking the certificate against the new list, so the "error 23 at 0 depth lookup:certificate revoked" line it prints means it worked). The server only enforces the list if server.conf points to it with 'crl-verify'; without that directive a revoked client keeps connecting. With OpenVPN 2.3 the CRL file is read again for every new connection, that is after the chroot, so when the server runs chrooted in /etc/openvpn/ give the path as seen from inside the jail: 'crl-verify /easy-rsa/keys/crl.pem'.
Revocation is per certificate, so keeping track of which users are in possession of which certificates is crucial.
Server configuration
Configuration file
Basic setup
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz
Security algorithms and hash
Data channel ciphers
openvpn --show-ciphers
Search for: AES-128-CBC, AES-256-CBC (used by the 'cipher' directive below)
HMAC digests
openvpn --show-digests
Search for: SHA256 (used by the 'auth' directive below). MD5 and SHA1 are listed as well but should not be picked for a new deployment.
TLS handshake cipher suites
openvpn --show-tls
Server configuration
This is how your configuration should look:
#################################################
# OpenVPN 2.0 config file #
# --------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz
# version 1.2 - June 2013 - Guillaume Diaz
# conf update + chroot
#################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2
# VPN interface (tun = routed IP tunnel)
# Which TCP/UDP port should OpenVPN listen on? Must match the firewall rule and the Fail2ban jail.
# TCP or UDP server?
dev tun
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters: the file name must match what build-dh generated
# (KEY_SIZE in vars); 2048 bits, not 1024
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Static key shared by server and clients (see 'openvpn --genkey' above). Every
# control-channel packet is HMAC-signed with it and packets without a valid
# HMAC are dropped before the TLS handshake. Uncomment once ta.key is on the
# clients too: the server uses direction 0, the clients direction 1.
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings: data channel cipher and HMAC digest.
# Do not pick MD5 (or SHA1) for 'auth' on a new deployment; SHA256 is
# supported by every OpenVPN 2.x client.
cipher AES-128-CBC
auth SHA256
# Reduce OpenVPN daemon rights after application start: drop to an
# unprivileged user and chroot. Nothing in the jail is needed after start-up
# except files OpenVPN re-reads at run time (a CRL, see crl-verify), so an
# otherwise empty directory that does not contain the private keys is safer
# than /etc/openvpn itself.
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subnet (must match IP_LAN_VPN in the firewall script)
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running across restarts: do not re-read the
# keys or re-open the tun device, which is impossible once running as 'nobody'
persist-key
persist-tun
# Compression of data exchange (clients must enable it too)
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients (clamp the TCP MSS to the tunnel MTU)
mssfix
# Server security level
# 2 lets OpenVPN run user-defined scripts (up/down, client-connect...); only
# needed if you configure such scripts
script-security 2
# Push routes to the client
# >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
# >> set the DNS Server
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages.
# 'log' truncates the file at each start, 'log-append' appends: use one of
# the two, not both (Fail2ban and logrotate below read this file).
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 3 or 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems (one line per packet)
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
You can use either TCP or UDP. UDP is the usual choice: it has less overhead and avoids running TCP inside TCP, which performs badly on lossy links. TCP is worth it only where UDP is blocked, since a TCP VPN on port 443 passes most restrictive firewalls and proxies.
Be careful when you choose the port number! Ports that are usually reachable from restrictive networks:
- 80 (HTTP)
- 443 (HTTPS)
- 8080 (proxies / JEE servers)
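As an added check (example code written for this page, not part of OpenVPN, easy-rsa or the original wiki text), the following Python script audits a server.conf for the points made above: the 'auth' digest, the DH size, tls-auth, crl-verify, duplicated log directives and script-security. The two configurations embedded in it are constructed: the weak one reproduces the original choices (dh1024.pem from the symlink step, auth MD5, tls-auth commented out, no CRL), the hardened one applies the corrections. It reads the configuration as text and needs no OpenVPN installation.

```python
"""Audit an OpenVPN 2.x server.conf for the weak settings discussed on this page.

Added example for this page; it is not part of OpenVPN, easy-rsa or the
original wiki text. parse_conf() reads directive lines the way OpenVPN does
(a leading '#' or ';' marks a comment; the sample configs use ';' for disabled
directives). audit() returns a {code: message} dict covering: a weak 'auth'
digest, DH parameters below 2048 bits, tls-auth left disabled, no crl-verify,
'log' and 'log-append' both set, script-security 2 with nothing to run,
missing cipher/user/group, and a debug-level verb.
"""
import re

# Directives whose presence justifies 'script-security 2' (OpenVPN 2.3 names).
SCRIPT_DIRECTIVES = ("up", "down", "client-connect", "client-disconnect",
                     "learn-address", "auth-user-pass-verify", "tls-verify",
                     "route-up", "ipchange")


def parse_conf(text):
    """Map each active directive to the list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def audit(text):
    """Return {finding code: explanation} for a server.conf given as text."""
    conf = parse_conf(text)
    findings = {}

    # OpenVPN 2.x defaults to SHA1 when 'auth' is absent; MD5 was the page's old choice.
    auth = conf.get("auth", [["SHA1"]])[0][0].upper()
    if auth in ("MD5", "SHA1", "NONE"):
        findings["auth"] = "HMAC digest is %s; use 'auth SHA256'" % auth

    # OpenVPN 2.3 falls back to BF-CBC when 'cipher' is absent.
    if "cipher" not in conf:
        findings["cipher"] = "no 'cipher' line; the default BF-CBC is a 64-bit block cipher"

    # Key size is conventionally in the file name (dh1024.pem / dh2048.pem).
    dh = conf.get("dh")
    if not dh:
        findings["dh"] = "no 'dh' line; server mode needs Diffie-Hellman parameters"
    else:
        bits = re.search(r"(\d{3,5})", dh[0][0])
        if bits and int(bits.group(1)) < 2048:
            findings["dh"] = "%s-bit DH parameters; regenerate with KEY_SIZE=2048" % bits.group(1)

    if "tls-auth" not in conf:
        findings["tls-auth"] = "tls-auth disabled; unauthenticated packets reach the TLS stack"

    if "crl-verify" not in conf:
        findings["crl-verify"] = "no crl-verify; revoke-full has no effect on this server"

    if "log" in conf and "log-append" in conf:
        findings["log"] = "'log' and 'log-append' both set; keep only log-append"

    ss = conf.get("script-security")
    if ss and int(ss[0][0]) >= 2 and not any(d in conf for d in SCRIPT_DIRECTIVES):
        findings["script-security"] = "script-security 2 without any script directive"

    if "user" not in conf or "group" not in conf:
        findings["user"] = "daemon keeps root after start; set 'user' and 'group'"

    verb = conf.get("verb")
    if verb and int(verb[0][0]) >= 5:
        findings["verb"] = "verb %s logs every packet; 3 or 4 is enough in production" % verb[0][0]

    return findings


# Constructed: the original settings (dh1024 symlink, auth MD5, tls-auth
# commented out, no CRL, duplicate log directives, debug verbosity).
WEAK_CONF = """
dh /etc/openvpn/dh1024.pem
;tls-auth /etc/openvpn/ta.key 0
cipher AES-128-CBC
auth MD5
user nobody
group nogroup
script-security 2
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
verb 6
"""

# Constructed: the same server with the corrections applied.
HARDENED_CONF = """
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
crl-verify /easy-rsa/keys/crl.pem
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
log-append /etc/openvpn/openvpn.log
verb 3
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %d finding(s)" % (name, len(audit(text))))
        for code, msg in sorted(audit(text).items()):
            print("  [%s] %s" % (code, msg))
```

Run it against your own file with audit(open("/etc/openvpn/server.conf").read()); an empty dict means none of the issues discussed on this page applies. The check is text-only, so it cannot tell whether the referenced key files exist or whether a client actually negotiates the cipher.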
Firewall
You can use the following firewall script. It must run as root, and IP_LAN_VPN must be the subnet of the 'server' directive in server.conf (192.168.15.0/24 above). Bash does not allow spaces around '=' in assignments.
MODPROBE=`which modprobe`
IPTABLES=`which iptables`
INT_ETH=eth0
INT_VPN=tun0
IP_LAN_VPN=192.168.15.0/24
VPN_PORT=8080
# --- #
# VPN #
# --- #
$MODPROBE iptable_nat
echo " ... Enable NAT features"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " ... Accept new VPN connections on the OpenVPN port (same port and protocol as server.conf)"
$IPTABLES -A INPUT -i $INT_ETH -p udp --dport $VPN_PORT -j ACCEPT
echo " ... Allow all VPN communications (no filter)"
$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
echo " ... Allowing VPN forwarding"
# Return traffic of forwarded connections, TCP and UDP alike
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections coming from the VPN clients
$IPTABLES -A FORWARD -i $INT_VPN -s $IP_LAN_VPN -j ACCEPT
# Everything else. iptables walks a chain in order, so this REJECT must stay
# the last FORWARD rule: any ACCEPT appended after it is never reached.
$IPTABLES -A FORWARD -j REJECT
# NAT: VPN clients leave through $INT_ETH with the server's address ($INT_ETH <--> tun0)
$IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN -o $INT_ETH -j MASQUERADE
Of course, you should also have:
echo " ... Keep ESTABLISHED connections"
# Keep established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Keep related connections
echo " ... Keep RELATED connections"
$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED -j ACCEPT
Startup
Restart services
service openvpn restart
service firewall restart
Client Software
Linux
apt-get install openvpn
Only the openvpn package is required on the client; openssl (to inspect certificates) and openssh-server (remote shell access) are optional extras and not part of the VPN setup.
Windows
On Windows, many clients are available. The best one for Windows 7 and 8 is “OpenVPN Connect Client Download for Windows”: https://openvpn.net/index.php?option=com_content&id=357
Note: download it from openvpn.net only and check the installer's digital signature before running it; the size (around 15 MB) is a sanity check, not an integrity check.
MacOSX
The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick
- Configuration files go in the Library folder of the current user (“Bibliothèque” in a French Finder), e.g. ~/Library/openvpn
Client files
The client requires:
- CA certificate ca.crt
- Client private key client.key
- Client certificate client.crt
Then, you can setup client configuration.
- See “client_conf.ovpn”
Notes:
You have to edit the configuration file.
- Adjust paths on lines 30-38
- On Windows you must use double backslashes (\\) in paths
- On Linux don’t forget to uncomment the following lines for better security:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
- Linux: depending on your distribution you might need to adjust user / group default name.
Fail2ban
It's a good idea to protect your server against brute force attempts and scanners. Fail2ban watches the OpenVPN log for repeated TLS and certificate failures from one address and bans that address with iptables for a while. With certificate authentication nobody can guess their way in, but every failed handshake still costs CPU and fills the log, and the ban also cuts off clients that keep presenting a revoked certificate.
Create new rule
Create a new filter for Fail2Ban:
vim /etc/fail2ban/filter.d/openvpn.conf
Add:
[Definition]
# OpenVPN prefixes every client-related message with "<ip>:<port>", so the
# patterns anchor on that. They match the dedicated log written by 'log-append'
# as well as syslog lines (which add an "ovpn-server[pid]:" tag before the
# address); a pattern that requires the syslog tag never matches the dedicated file.
failregex = ^(?:.*\s)?<HOST>:[0-9]{1,5} TLS Auth Error:.*$
            ^(?:.*\s)?<HOST>:[0-9]{1,5} VERIFY ERROR:.*$
            ^(?:.*\s)?<HOST>:[0-9]{1,5} TLS Error: TLS handshake failed.*$
ignoreregex =
Test the filter against the live log with fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf; it reports how many lines matched each pattern.
Apply rule
Edit the Fail2Ban jail configuration. Put local jails in /etc/fail2ban/jail.local rather than jail.conf, which is replaced on package upgrades:
vim /etc/fail2ban/jail.local
Add:
[openvpn]
enabled  = true
# same port and protocol as server.conf, so the ban rule hits the right traffic
port     = 8080
protocol = udp
filter   = openvpn
# the file written by 'log-append' in server.conf
logpath  = /etc/openvpn/openvpn.log
# 3 failures within findtime (default 600 s) ban the address for bantime (default 600 s)
maxretry = 3
Reload Fail2ban afterwards and check that the jail is listed in fail2ban-client status.
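To see the filter and the jail settings work together before touching a live server, here is an added Python dry run (written for this page; it is not Fail2ban code and not part of the original wiki text). It expands <HOST> exactly as Fail2ban does, applies the three failregex lines to a constructed excerpt of the OpenVPN log (TEST-NET addresses, log-append format) and applies the maxretry/findtime logic, so you can see why the address retrying a revoked certificate is banned while a scanner that comes back hours later is not. Fail2ban's date detection is simplified to OpenVPN's own timestamp format.

```python
"""Dry run of the Fail2ban OpenVPN filter above over constructed log lines.

Added example for this page, not part of Fail2ban or of the original wiki
text. It re-implements only the part of Fail2ban that matters here: expand
the <HOST> tag the way Fail2ban does, apply each failregex to every line,
and count failures per source address inside a sliding 'findtime' window;
an address whose count reaches 'maxretry' is reported as banned. The log
lines are constructed (TEST-NET addresses) in OpenVPN's log-append format,
and only that timestamp format is parsed.
"""
import re
from datetime import datetime, timedelta

# Fail2ban's expansion of <HOST>: an IPv4/IPv6 address or host name, with an
# optional IPv4-mapped IPv6 prefix.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines of filter.d/openvpn.conf. OpenVPN prefixes every
# client-related message with "<ip>:<port>", so the same patterns match the
# dedicated log and syslog lines (which add an "ovpn-server[pid]:" tag first).
FAILREGEX = [
    r"^(?:.*\s)?" + HOST + r":[0-9]{1,5} TLS Auth Error:.*$",
    r"^(?:.*\s)?" + HOST + r":[0-9]{1,5} VERIFY ERROR:.*$",
    r"^(?:.*\s)?" + HOST + r":[0-9]{1,5} TLS Error: TLS handshake failed.*$",
]
COMPILED = [re.compile(rx) for rx in FAILREGEX]

# Timestamp OpenVPN writes with 'log-append', e.g. "Sat May 24 23:21:05 2014".
TIMESTAMP = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) ")


def match_failure(line):
    """Return the offending address when a failregex matches, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def parse_time(line):
    """Parse OpenVPN's leading timestamp; None when the line has none."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


def ban_list(lines, maxretry=3, findtime=600):
    """Simulate the jail: addresses with >= maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = {}   # address -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        host = match_failure(line)
        when = parse_time(line) if host else None
        if when is None:
            continue
        hits = [t for t in recent.get(host, []) if when - t <= window]
        hits.append(when)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed log excerpt: a client retrying a revoked certificate from
# 203.0.113.5, a lone scanner at 198.51.100.7 that comes back hours later,
# and a legitimate connection from 192.0.2.9.
SAMPLE_LOG = """\
Sat May 24 23:20:01 2014 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=1a2b3c4d 5e6f7a8b
Sat May 24 23:20:11 2014 203.0.113.5:51234 VERIFY ERROR: depth=0, error=certificate revoked: C=SE, O=daxiongmao.eu, CN=laptop
Sat May 24 23:20:12 2014 203.0.113.5:51234 TLS Error: TLS handshake failed
Sat May 24 23:20:30 2014 203.0.113.5:51240 VERIFY ERROR: depth=0, error=certificate revoked: C=SE, O=daxiongmao.eu, CN=laptop
Sat May 24 23:20:31 2014 203.0.113.5:51240 TLS Error: TLS handshake failed
Sat May 24 23:20:45 2014 198.51.100.7:40000 TLS Error: TLS handshake failed
Sat May 24 23:21:05 2014 192.0.2.9:55555 [desktop] Peer Connection Initiated with [AF_INET]192.0.2.9:55555
Sun May 25 10:00:00 2014 198.51.100.7:40001 TLS Error: TLS handshake failed
Sun May 25 10:00:10 2014 198.51.100.7:40002 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    print("banned:", ban_list(SAMPLE_LOG.splitlines()))
```

fail2ban-regex performs the same matching against your real log file but stops at counting matches; ban_list adds the maxretry/findtime step, so you can feed it a copy of /etc/openvpn/openvpn.log to see which addresses the jail would have banned with a given setting before you change it.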
Advanced stuff
Logrotate http://guillaume.vaillant.me/?p=393