|
|
(15 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| + | [[Category:Linux]] |
| + | |
| VIRTUAL PRIVATE NETWORK (VPN) | | VIRTUAL PRIVATE NETWORK (VPN) |
| | | |
Line 6: |
Line 8: |
| | | |
| ==Reminder: What is a “VPN”?== | | ==Reminder: What is a “VPN”?== |
| + | |
| + | Nice explanations: |
| | | |
| * French: http://www.frameip.com/vpn/ | | * French: http://www.frameip.com/vpn/ |
Line 12: |
Line 16: |
| | | |
| | | |
− | ==Sources==
| |
| | | |
− | * Linode: https://library.linode.com/networking/openvpn/debian-6-squeeze#sph_id7
| + | As a quick reminder, you can use a VPN for 3 things: |
− | * WebSite (1) : http://dev.shyd.de/2011/02/dockstar-howto-setup-openvpn-debian/ | + | * Mask your source IP @ |
| | | |
| + | [[File:VPN change ip address 1.png|none|VPN change ip address (1)]] |
| | | |
| + | [[File:VPN change ip address 2.png|none|VPN change ip address (2)]] |
| | | |
− | =Installation=
| |
| | | |
| + | * Secure communication through the VPN server |
| | | |
− | ==Binary==
| + | [[File:VPN client to client.png|none|VPN client to client]] |
| | | |
− | Installation is easy. You just need “openvpn”.
| |
| | | |
− | <syntaxhighlight lang="bash">
| + | * Access remote LAN |
− | apt-get update && apt-get upgrade
| |
− | apt-get install openvpn easy-rsa
| |
− | </syntaxhighlight>
| |
| | | |
− | ==Logs==
| + | [[File:VPN to lan.png|none|VPN to LAN]] |
| | | |
− | Create target files
| |
| | | |
− | <syntaxhighlight lang="bash">
| + | Of course you can combine some / all of these usages. |
− | touch /var/log/openvpn.log
| |
− | touch /var/log/openvpn-status.log
| |
− | chmod 777 /var/log/openvpn*
| |
− | </syntaxhighlight>
| |
| | | |
− | Create symlinks
| |
| | | |
− | <syntaxhighlight lang="bash">
| |
− | ln -s /var/log/openvpn.log /etc/openvpn/openvpn.log
| |
− | ln -s /var/log/openvpn-status.log /etc/openvpn/openvpn-status.log
| |
− | </syntaxhighlight>
| |
| | | |
− | Adjust '/etc/openvpn/server.conf' accordingly
| |
| | | |
− | <syntaxhighlight lang="bash">
| + | ==Sources== |
− | /var/log/openvpn.log => real time log
| |
− | /var/log/openvpn-status.log => list of connected clients
| |
− | </syntaxhighlight>
| |
| | | |
− | | + | * Linode: https://library.linode.com/networking/openvpn/debian-6-squeeze#sph_id7 |
− |
| + | * WebSite (1) : http://dev.shyd.de/2011/02/dockstar-howto-setup-openvpn-debian/ |
− | =Public Key Infrastructure=
| |
− | | |
− | The OpenVPN package provides a set of encryption-related tools called "easy-rsa".
| |
− | | |
− | These scripts are located by default in the ''/usr/share/doc/openvpn/examples/easy-rsa/'' directory.
| |
− | | |
− | However, in order to function properly, these scripts should be located in the /etc/openvpn directory.
| |
− | | |
− | | |
− | ==Installation==
| |
− | | |
− | Copy these files with the following command:
| |
− | | |
− | [Old Ubuntu - before 14.04]
| |
− | <syntaxhighlight lang="bash">
| |
− | cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
| |
− | </syntaxhighlight>
| |
− | | |
− | [New Ubuntu distro - 14.04 and later]
| |
− | <syntaxhighlight lang="bash">
| |
− | cp -R /usr/share/easy-rsa/ /etc/openvpn
| |
− | </syntaxhighlight>
| |
− | | |
− | ==Configure Public Key Infrastructure Variables==
| |
− | | |
− | ===Default values===
| |
− | | |
− | Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts will use to generate the scripts.
| |
− | | |
− | These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file.
| |
− | | |
− | | |
− | | |
− | [Old Ubuntu]
| |
− | | |
− | Don't forget to add /etc/openvpn/easy-rsa/'''2.0/''' everywhere !!
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/openvpn/easy-rsa/vars
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Here is an example of the relevant values:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | export KEY_COUNTRY="SE"
| |
− | export KEY_PROVINCE="Västra Götaland"
| |
− | export KEY_CITY="Goteborg"
| |
− | export KEY_ORG="daxiongmao.eu"
| |
− | export KEY_EMAIL="guillaume@qin-diaz.com"
| |
− | </syntaxhighlight>
| |
− | | |
− | >> Alter the examples to reflect your configuration.
| |
− | | |
− | This information will be included in certificates you create!
| |
− | That must be accurate, particularly the KEY_ORG and KEY_EMAIL values.
| |
− | | |
− | ===Initialize the Public Key Infrastructure (PKI)===
| |
− | | |
− | Generate the Authority of Certification (AC):
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | . /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/clean-all
| |
− | . /etc/openvpn/easy-rsa/build-ca
| |
− | </syntaxhighlight>
| |
− | | |
− | When asked, use your COMPANY name as "common name".
| |
− | | |
− | ===Generate OpenVPN Server Certificates and Private Key===
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | source /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/build-key-server [server]
| |
− | </syntaxhighlight>
| |
− | | |
− | [server] replace server by your actual server name !
| |
− | | |
− | | |
− | This script will also prompt you for additional information.
| |
− | | |
− | Common Name = Name of the current server (server DNS name)
| |
− | | |
− | ===Generate Clients certificates and private keys===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | source /etc/openvpn/easy-rsa/vars
| |
− | . /etc/openvpn/easy-rsa/build-key [clientName]
| |
− | </syntaxhighlight>
| |
− | | |
− | Replace the ''[clientName]'' parameter with a relevant identifier for each client.
| |
− | * The client common name must be unique
| |
− | * It helps you to identify each client. Don’t hesitate to use meaningful name.
| |
− | | |
− | | |
− | The name is put inside the certificate.
| |
− | | |
− | All other information can remain the same
| |
− | | |
− | | |
− | ===Generate Diffie Hellman Parameters===
| |
− | | |
− | The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/
| |
− | . /etc/openvpn/easy-rsa/build-dh
| |
− | </syntaxhighlight>
| |
− | | |
− | ===Generate shared security key===
| |
− | | |
− | '''NOT TESTED – July 2013'''
| |
− | | |
− | To increase security, you can use a share common key between server and clients.
| |
− | Each client will need the shared key + its own key to communicate.
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --genkey --secret ./keys/ta.key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Distribute keys==
| |
− | | |
− | ===Client files===
| |
− | | |
− | In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines.
| |
− | They are:
| |
− | * Authority of certification ca.crt
| |
− | * Client certificate [clientName].crt
| |
− | * Client private key [clientName].key
| |
− | | |
− | !!! These keys should transferred with the utmost attention to security.
| |
− | Anyone who has the key is able to gain full access to your virtual private network !!!
| |
− | | |
− |
| |
− | ===Server files===
| |
− | | |
− | The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them.
| |
− | These files are:
| |
− | * Authority of certification ca.crt
| |
− | * Authority private key ca.key
| |
− | * Diffie Hellman props dh1024.pem
| |
− | * Server certificate server.crt
| |
− | * Server private key server.key
| |
− | | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/
| |
− | ln -s /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/ca.crt
| |
− | ln -s /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn/ca.key
| |
− | ln -s /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/dh1024.pem
| |
− | ln -s /etc/openvpn/easy-rsa/2.0/keys/myServer.crt /etc/openvpn/server.crt
| |
− | ln -s /etc/openvpn/easy-rsa/2.0/keys/myServer.key /etc/openvpn/server.key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | !! Apart 'ca.crt', all these files mustn't leave your server!!
| |
− | | |
− | | |
− | ==Revoking Client Certificates==
| |
− | | |
− | ''How to remove a user's access to the VPN server?''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /etc/openvpn/easy-rsa/2.0/
| |
− | . /etc/openvpn/easy-rsa/2.0/vars
| |
− | . /etc/openvpn/easy-rsa/2.0/revoke-full [clientName]
| |
− | </syntaxhighlight>
| |
− | | |
− | This will revoke the ability of users who have the [clientName] certificate to access the VPN.
| |
− | | |
− | For this reason, keeping track of which users are in possession of which certificates is crucial.
| |
− | | |
− | =Server configuration=
| |
− | | |
− | | |
− | ==Configuration file==
| |
− | | |
− | ===Basic setup===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
| |
− | cd /etc/openvpn/
| |
− | gzip -d server.conf.gz
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ===Security algorithms and hash===
| |
− | | |
− | '''Cryptographic algorithms'''
| |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --show-ciphers
| |
− | </syntaxhighlight>
| |
− | | |
− | Search for: AES-128-CBC, AES-256-CBC
| |
− | | |
− | | |
− | '''Hash algorithms'''
| |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --show-digests
| |
− | </syntaxhighlight>
| |
− | | |
− | Search for: MD5
| |
− | | |
− | | |
− | '''Handshake algorithms'''
| |
− | <syntaxhighlight lang="bash">
| |
− | openvpn --show-tls
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | =Server configuration=
| |
− | | |
− | See attached file “server.conf”
| |
− | | |
− | You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.
| |
− | | |
− | Be careful when you choose the port number!
| |
− | Common open ports:
| |
− | * 80 (http)
| |
− | * 443 (HTTPS)
| |
− | * 8080 (Proxy / JEE servers)
| |
− | | |
− | | |
− |
| |
− | =Firewall=
| |
− | | |
− | You can use the following firewall script:
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | MODPROBE=`which modprobe`
| |
− | IPTABLES=`which iptables`
| |
− | INT_ETH = eth0
| |
− | INT_VPN = tun0
| |
− | IP_LAN_VPN = 10.8.0.0/24
| |
− | | |
− | # --- #
| |
− | # VPN #
| |
− | # --- #
| |
− | $MODPROBE iptable_nat
| |
− | | |
− | echo " ... Enable NAT features"
| |
− | echo 1 > /proc/sys/net/ipv4/ip_forward
| |
− | | |
− | echo " ... Allow all VPN communications (no filter)"
| |
− | $IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
| |
− | $IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
| |
− | | |
− | echo " ... Allowing VPN forwarding"
| |
− | # Allow forwarding
| |
− | $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
| |
− | $IPTABLES -A FORWARD -i $INT_VPN -s $IP_LAN_VPN -j ACCEPT
| |
− | $IPTABLES -A FORWARD -j REJECT
| |
− | # Allow devices communication $ETH0 <--> tun0
| |
− | $IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN -o $INT_ETH -j MASQUERADE
| |
− | # Forward Established, Related
| |
− | $IPTABLES -A FORWARD -s $IP_LAN_VPN -p tcp -m state --state RELATED,ESTABLISHED --sport 1024:65535 --dport 1024:65535 -j ACCEPT
| |
− | $IPTABLES -A FORWARD -s $IP_LAN_VPN -p udp -m state --state RELATED,ESTABLISHED --sport 1024:65535 --dport 1024:65535 -j ACCEPT
| |
− | | |
− | Off course, you should also have:
| |
− | echo -e " ... Keep$GREEN ESTABLISHED$BLACK connections "
| |
− | # Keep established connections
| |
− | $IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
| |
− | $IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
| |
− | | |
− | # keep related connections
| |
− | echo -e " ... Keep$GREEN RELATED$BLACK connections"
| |
− | $IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
| |
− | $IPTABLES -A OUTPUT -m state --state RELATED -j ACCEPT
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | =Startup=
| |
− | | |
− | ==Restart services==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | service openvpn restart
| |
− | service firewall restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | ==Client Software==
| |
− | | |
− | ===Linux===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install openssl openssh-server openvpn
| |
− | </syntaxhighlight>
| |
− | | |
− | ===Windows===
| |
− | | |
− | On windows, many clients are available.
| |
− | The best one for Windows 7 and 8 is: « OpenVPN Connect Client Download for Windows »
| |
− | https://openvpn.net/index.php?option=com_content&id=357
| |
− | | |
− | Note: The file must be around 15 Mb.
| |
− | | |
− | ===MacOSX===
| |
− | The best VPN client is “tunnelblick”
| |
− | http://code.google.com/p/tunnelblick
| |
− | * Configuration files are in ~/librairies/openvpn
| |
− | * That’s the libraries [“bibliothèque”] folder of the current user
| |
− | | |
− | | |
− | ==Client files==
| |
− | | |
− | The client requires:
| |
− | * Authority of certification ca.cert
| |
− | * Client private key client.key
| |
− | * Client certificate client.crt
| |
− | | |
− | Then, you can setup client configuration.
| |
− | * See “client_conf.ovpn”
| |
| | | |
| | | |
− | '''Notes:'''
| |
− | You have to edit the configuration file.
| |
| | | |
− | * Adjust paths on lines 30-38
| |
| | | |
− | * On Windows you must you the double slash \\
| + | =Next steps= |
| | | |
− | * On Linux don’t forget to uncomment the following lines for better security:
| |
− | <syntaxhighlight lang="bash">
| |
− | # Downgrade privileges after initialization (non-Windows only)
| |
− | user nobody
| |
− | group nobody
| |
− | </syntaxhighlight>
| |
| | | |
− | * Linux: depending on your distribution you might need to adjust user / group default name. | + | * [[VPN server]] |
| + | * [[VPN client]] |