[[Category:Linux]]

VIRTUAL PRIVATE NETWORK (VPN)

=Introduction=

==Reminder: What is a “VPN”?==

Nice explanations:

* French: http://www.frameip.com/vpn/

As a quick reminder, you can use a VPN for 3 things:

* Mask your source IP address

[[File:VPN change ip address 1.png|none|VPN change ip address (1)]]

[[File:VPN change ip address 2.png|none|VPN change ip address (2)]]

* Secure communication through the VPN server

[[File:VPN client to client.png|none|VPN client to client]]

* Access a remote LAN

[[File:VPN to lan.png|none|VPN to LAN]]

Of course you can combine some / all of these usages.

=Installation=

==Binary==

Installation is easy. You just need “openvpn” (plus “easy-rsa”, the certificate scripts used in the PKI section; on old distributions they ship inside the openvpn package).

<syntaxhighlight lang="bash">
apt-get update && apt-get upgrade
apt-get install openvpn easy-rsa
</syntaxhighlight>

==Logs==

Create the target files. The daemon drops to ''nobody:nogroup'' after start-up (see ''user'' / ''group'' in the server configuration), so give the files to that user rather than making them world-writable: with a ''chmod 777'' any local user could append forged lines, and Fail2ban acts on this log.

<syntaxhighlight lang="bash">
touch /var/log/openvpn.log
touch /var/log/openvpn-status.log
chown nobody:nogroup /var/log/openvpn*
chmod 640 /var/log/openvpn*
</syntaxhighlight>
 
  
Create symlinks
 
  
<syntaxhighlight lang="bash">
 
ln -s /var/log/openvpn.log /etc/openvpn/openvpn.log
 
ln -s /var/log/openvpn-status.log /etc/openvpn/openvpn-status.log
 
</syntaxhighlight>
 
  
Point '/etc/openvpn/server.conf' at these files (''log-append'' and ''status'' directives, see the server configuration):

* /var/log/openvpn.log => real time log
* /var/log/openvpn-status.log => list of connected clients
 
 
 
 
=Public Key Infrastructure=

The easy-rsa scripts wrap OpenSSL to run a small certificate authority (CA) for OpenVPN. Old distributions ship them with the OpenVPN package, new ones in the separate ''easy-rsa'' package installed above.

These scripts are located by default in the ''/usr/share/doc/openvpn/examples/easy-rsa/'' directory (old distributions) or in ''/usr/share/easy-rsa/'' (new ones).

Copy them to the /etc/openvpn directory: the CA database (keys/index.txt, serial, ca.key) is written next to the scripts, and files under /usr/share do not survive package upgrades.
 
 
 
==Installation==
 
 
Copy these files with the following command:
 
 
[Old Ubuntu - before 14.04]
 
<syntaxhighlight lang="bash">
 
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
 
</syntaxhighlight>
 
 
[New Ubuntu distro - 14.04 and later]
 
<syntaxhighlight lang="bash">
 
cp -R /usr/share/easy-rsa/ /etc/openvpn
 
</syntaxhighlight>
 
 
==Configure Public Key Infrastructure Variables==
 
 
 
 
===Default values===

Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts use to fill in the certificate subjects and to choose the key size.

These variables are set near the end of the /etc/openvpn/easy-rsa/vars file.

[Old Ubuntu]

Don't forget to add /etc/openvpn/easy-rsa/'''2.0/''' everywhere !!
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/openvpn/easy-rsa/vars
 
</syntaxhighlight>
 
 
 
Here is an example of the relevant values:

<syntaxhighlight lang="bash">
export KEY_SIZE=2048
export KEY_COUNTRY="SE"
export KEY_PROVINCE="Västra Götaland"
export KEY_CITY="Goteborg"
export KEY_ORG="daxiongmao.eu"
export KEY_EMAIL="guillaume@qin-diaz.com"
</syntaxhighlight>

>> Alter the examples to reflect your configuration.

This information will be included in the certificates you create, so it must be accurate, particularly the KEY_ORG and KEY_EMAIL values.

KEY_SIZE is the RSA key length of every certificate and the size of the Diffie Hellman parameters (old vars files default to 1024, which is why the DH file is called dh1024.pem or dh2048.pem below). Use 2048.
 
 
 
 
===Initialize the Public Key Infrastructure (PKI)===

Generate the Certificate Authority (CA). ''clean-all'' wipes the keys directory, so run it only once, when creating the CA:

<syntaxhighlight lang="bash">
cd /etc/openvpn/easy-rsa/
source ./vars
./clean-all
./build-ca
</syntaxhighlight>

When asked, use your COMPANY name as "common name".
 
 
 
 
===Generate OpenVPN Server Certificates and Private Key===

<syntaxhighlight lang="bash">
cd /etc/openvpn/easy-rsa/
source ./vars
./build-key-server [server]
</syntaxhighlight>

[server] replace server by your actual server name !

This script will also prompt you for additional information.

Common Name = Name of the current server (server DNS name)

''build-key-server'' (unlike ''build-key'') marks the certificate as a server certificate; clients can check that mark with ''remote-cert-tls server'', so that a stolen client certificate cannot be used to impersonate the server.
 
 
 
 
===Generate Clients certificates and private keys===

<syntaxhighlight lang="bash">
cd /etc/openvpn/easy-rsa/
source ./vars
./build-key [clientName]
</syntaxhighlight>

Replace the ''[clientName]'' parameter with a relevant identifier for each client.

* The client common name must be unique
* It helps you to identify each client: it is what the server log and the status file show, and what you will revoke later. Don't hesitate to use a meaningful name, and issue one certificate per device.

The name is put inside the certificate.

All other information can remain the same.
 
 
 
 
===Generate Diffie Hellman Parameters===

The "Diffie Hellman Parameters" are used for the ephemeral key exchange of the TLS handshake (peers are authenticated with their certificates, not with these parameters). The output file is named after KEY_SIZE: dh1024.pem or dh2048.pem.

<syntaxhighlight lang="bash">
cd /etc/openvpn/easy-rsa/
source ./vars
./build-dh
</syntaxhighlight>
 
 
 
 
===Generate shared security key===

'''NOT TESTED – July 2013'''

To increase security, you can use a shared key, common to the server and all clients, in addition to the certificates (''tls-auth''). It adds an HMAC to every control channel packet: packets without a valid HMAC are dropped before any TLS processing, which hides the server from port scanners and keeps unauthenticated peers away from the TLS stack.

Each client will need the shared key + its own certificate and key to communicate.

<syntaxhighlight lang="bash">
cd /etc/openvpn/easy-rsa/
openvpn --genkey --secret ./keys/ta.key
</syntaxhighlight>
 
 
==Distribute keys==
 
 
 
 
===Client files===

In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines.

They are:

* Certificate authority ca.crt
* Client certificate [clientName].crt
* Client private key [clientName].key
* Shared key ta.key (only if ''tls-auth'' is enabled on the server)

!!! These keys should be transferred with the utmost attention to security (an encrypted channel such as scp, never plain e-mail).

Anyone who has the key is able to gain full access to your virtual private network !!!
 
 
 
 
===Server files===

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them.

These files are:

* Certificate authority ca.crt
* Diffie Hellman parameters dh1024.pem  !! on new distro it might be dh2048.pem by default (the name follows KEY_SIZE) !!
* Server certificate server.crt
* Server private key server.key
* Shared key ta.key (if ''tls-auth'' is used)

The authority private key ca.key is '''not''' needed by the daemon (no directive in server.conf reads it), so do not link it into /etc/openvpn: whoever obtains it can issue certificates for new clients. Leave it in the easy-rsa keys directory, or better, keep the CA on a machine that is not the VPN server.

<syntaxhighlight lang="bash">
cd /etc/openvpn/
ln -s /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
ln -s /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/dh1024.pem
ln -s /etc/openvpn/easy-rsa/keys/myServer.crt /etc/openvpn/server.crt
ln -s /etc/openvpn/easy-rsa/keys/myServer.key /etc/openvpn/server.key
# only if tls-auth is enabled in server.conf
ln -s /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/ta.key
</syntaxhighlight>

!! Apart from 'ca.crt', none of these files must leave your server !!
 
 
==Revoking Client Certificates==

''How to remove a user's access to the VPN server?''

<syntaxhighlight lang="bash">
cd /etc/openvpn/easy-rsa/
source ./vars
./revoke-full [clientName]
</syntaxhighlight>

This will revoke the ability of users who have the [clientName] certificate to access the VPN.

Revoking only updates the CA database and the certificate revocation list ''keys/crl.pem''. The server keeps accepting the certificate until its configuration carries a ''crl-verify'' directive pointing at a copy of that file, and the copy must be refreshed after every revocation. OpenVPN re-reads the CRL after start-up (at each new connection on 2.3 and older, when the file changes on 2.4 and newer), so the file must stay readable once the daemon runs as ''nobody'' inside its chroot: with ''chroot /etc/openvpn/'' give the path as seen from inside the jail.

For this reason, keeping track of which users are in possession of which certificates is crucial.
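The CA database easy-rsa maintains, ''keys/index.txt'', already records every certificate ever issued, its status and its revocation date, so "who holds which certificate" can be answered from it without extra bookkeeping. The script below is an added example, not part of the original page or of easy-rsa. It assumes the OpenSSL CA database format that easy-rsa writes (tab-separated: status V/R/E, expiry, revocation date, serial, filename, subject DN) and embeds a constructed three-entry database built from this page's vars values in place of a real keys/index.txt.

```shell
#!/bin/sh
# Added example (not from the original page or from easy-rsa): inventory of
# the certificates issued by the easy-rsa CA, read from its OpenSSL-style
# database keys/index.txt.
#
# One tab-separated line per issued certificate:
#   status  expiry  revocation_date  serial  filename  subject_DN
# status is V (valid), R (revoked) or E (expired); dates are YYMMDDHHMMSSZ.

INDEX_FILE="${INDEX_FILE:-/etc/openvpn/easy-rsa/keys/index.txt}"

# Write a constructed sample database to the given path. It stands in for a
# real keys/index.txt so that the example runs offline.
write_sample_index() {
    printf 'V\t230615120000Z\t\t01\tunknown\t/C=SE/ST=Vastra Gotaland/O=daxiongmao.eu/CN=myServer/emailAddress=guillaume@qin-diaz.com\n' > "$1"
    printf 'V\t230615120000Z\t\t02\tunknown\t/C=SE/ST=Vastra Gotaland/O=daxiongmao.eu/CN=laptop-guillaume/emailAddress=guillaume@qin-diaz.com\n' >> "$1"
    printf 'R\t230615120000Z\t130801090000Z\t03\tunknown\t/C=SE/ST=Vastra Gotaland/O=daxiongmao.eu/CN=phone-old/emailAddress=guillaume@qin-diaz.com\n' >> "$1"
}

# Print one line per certificate: status, serial, common name, expiry,
# revocation date ("-" when the certificate is not revoked).
cert_inventory() {
    awk -F'\t' '
        {
            cn = $6
            sub(/.*\/CN=/, "", cn)      # keep what follows CN=
            sub(/\/.*/, "", cn)         # ... up to the next RDN
            if ($1 == "V") status = "valid"
            else if ($1 == "R") status = "revoked"
            else if ($1 == "E") status = "expired"
            else status = $1
            printf "%s\t%s\t%s\t%s\t%s\n", status, $4, cn, $2, ($3 == "" ? "-" : $3)
        }' "$1"
}

# Common names that can still authenticate: status V only. Anything listed
# here and not matching a known device is a certificate to revoke.
valid_cns() {
    awk -F'\t' '$1 == "V" { cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); print cn }' "$1"
}

# Run against the real database, or against the sample when it is absent.
if [ ! -r "$INDEX_FILE" ]; then
    INDEX_FILE=$(mktemp)
    write_sample_index "$INDEX_FILE"
fi
cert_inventory "$INDEX_FILE"
```

Run it on the VPN server (or wherever the CA lives) after each ''build-key'' and ''revoke-full''; the "valid" lines are the exact set of identities the server will accept once ''crl-verify'' is in place.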
 
 
=Server configuration=
 
 
 
==Configuration file==
 
 
===Basic setup===
 
 
<syntaxhighlight lang="bash">
 
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
 
cd /etc/openvpn/
 
gzip -d server.conf.gz
 
</syntaxhighlight>
 
 
 
===Security algorithms and hash===

'''Cryptographic algorithms'''
<syntaxhighlight lang="bash">
openvpn --show-ciphers
</syntaxhighlight>

Search for: AES-128-CBC, AES-256-CBC (on OpenVPN 2.4 and later, AES-256-GCM is the better choice)

'''Hash algorithms'''
<syntaxhighlight lang="bash">
openvpn --show-digests
</syntaxhighlight>

Search for: SHA256. The ''auth'' digest is the HMAC applied to every packet; OpenVPN defaults to SHA1, and MD5 should not be chosen for a new setup. Server and clients must use the same ''cipher'' and ''auth'' values.

'''Handshake algorithms'''
<syntaxhighlight lang="bash">
openvpn --show-tls
</syntaxhighlight>
 
 
 
 
===Full example===

This is how your configuration should look:
 
 
<syntaxhighlight lang="bash">
#################################################
# OpenVPN 2.0 config file                      #
# --------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz
# version 1.2 - June 2013 - Guillaume Diaz
#                          conf update + chroot
#################################################

# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2

# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080


# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

# Shared secret key by both server and clients (HMAC on the control channel)
# Uncomment once ta.key is in place: '0' is the server side, clients use '1'
;tls-auth /etc/openvpn/ta.key 0

# Crypto settings (must be identical on the clients)
# auth = HMAC digest of every packet. OpenVPN's default is SHA1; do not use MD5.
cipher AES-128-CBC
auth SHA256

# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
# Files opened after start-up (crl-verify, client-config-dir ...) are looked
# up inside the jail, so give their path as seen from /etc/openvpn/
user nobody
group nogroup
chroot /etc/openvpn/




# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file. 
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep keys and the tun device across restarts: once it runs as 'nobody'
# the daemon can neither re-read the keys nor reopen /dev/net/tun
persist-key
persist-tun
# Compression of data exchange
comp-lzo




# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100

# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Script execution policy: 2 lets OpenVPN run user-defined scripts
# (up, down, client-connect ...). Nothing in this file needs it; remove it
# or use 1 unless you add such scripts.
script-security 2


# Push routes to the client
#  >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
#  >> Set the VPN server as global gateway
push "redirect-gateway def1"
#  >> set the DNS Server
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"




# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# Log in a dedicated file instead of /var/log/messages
# 'log' truncates the file at every start, 'log-append' keeps the history.
# Use only one of them; Fail2ban and incident analysis want the history.
log-append  /etc/openvpn/openvpn.log

# Log level
# 0 is silent, except for fatal errors
# 3 already shows the TLS / VERIFY errors Fail2ban looks for
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. 
# At most xx sequential same messages will be output to the log file.
mute 10
</syntaxhighlight>
 
 
 
You can either use TCP or UDP. UDP is the better choice: no TCP-in-TCP retransmission overhead, and it is a bit easier to set up. TCP is mainly useful to get out of networks that only let HTTP / HTTPS through.

Be careful when you choose the port number! Pick one that the networks you will connect from let out, and keep the firewall rule and the Fail2ban jail below in sync with it.

Common open ports:

* 80 (http)
* 443 (HTTPS)
* 8080 (Proxy / JEE servers)
 
 
=Firewall=
 
 
You can use the following firewall script. Shell variable assignments must not contain spaces (''INT_ETH = eth0'' is parsed as a command named INT_ETH), and the VPN subnet must be the one given to the ''server'' directive above (192.168.15.0/24 here, not the OpenVPN sample default 10.8.0.0/24):

<syntaxhighlight lang="bash">
MODPROBE=`which modprobe`
IPTABLES=`which iptables`
INT_ETH=eth0
INT_VPN=tun0
IP_LAN_VPN=192.168.15.0/24
# same values as 'port' / 'proto' in server.conf
VPN_PORT=8080
VPN_PROTO=udp

# --- #
# VPN #
# --- #
$MODPROBE iptable_nat

echo " ... Enable NAT features"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo " ... Accept incoming OpenVPN connections"
$IPTABLES -A INPUT -i $INT_ETH -p $VPN_PROTO --dport $VPN_PORT -m state --state NEW -j ACCEPT

echo " ... Allow all VPN communications (no filter)"
$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT

echo " ... Allowing VPN forwarding"
# Replies to connections opened from the VPN
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections coming from the VPN subnet through the tunnel
$IPTABLES -A FORWARD -i $INT_VPN -s $IP_LAN_VPN -j ACCEPT
# Hide VPN clients behind the server's address: $INT_VPN <--> $INT_ETH
$IPTABLES -t nat -A POSTROUTING -s $IP_LAN_VPN -o $INT_ETH -j MASQUERADE
# Reject everything else. This catch-all must stay LAST: any FORWARD rule
# appended after it is never reached.
$IPTABLES -A FORWARD -j REJECT
</syntaxhighlight>

Of course, you should also have:

<syntaxhighlight lang="bash">
echo " ... Keep ESTABLISHED connections"
# Keep established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

echo " ... Keep RELATED connections"
# keep related connections
$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED -j ACCEPT
</syntaxhighlight>
 
 
 
 
=Startup=
 
 
==Restart services==
 
 
<syntaxhighlight lang="bash">
service openvpn restart
service firewall restart
</syntaxhighlight>

''firewall'' is the init script that runs the iptables commands above; if you don't have one, run the script by hand after OpenVPN is up.
 
 
 
==Client Software==
 
 
 
 
===Linux===
 
 
<syntaxhighlight lang="bash">
apt-get install openvpn
</syntaxhighlight>

openssl is pulled in as a dependency; an SSH server is not needed by a VPN client.
 
 
 
 
===Windows===
 
 
On Windows, many clients are available.

The best one for Windows 7 and 8 is: « OpenVPN Connect Client Download for Windows »

https://openvpn.net/index.php?option=com_content&id=357

Note: The file must be around 15 Mb.

===MacOSX===

The best VPN client is “tunnelblick”

http://code.google.com/p/tunnelblick

* Configuration files are in ~/Library/openvpn
* That's the ''Library'' (“Bibliothèque” on a French system) folder of the current user
 
 
==Client files==

The client requires:

* Certificate authority ca.crt
* Client private key client.key
* Client certificate client.crt
* Shared key ta.key (if the server uses ''tls-auth'')

Then, you can set up the client configuration.

* See “client_conf.ovpn”

'''Notes:'''

You have to edit the configuration file.

* Adjust paths on lines 30-38
* ''remote'', ''proto'', ''cipher'', ''auth'' and ''comp-lzo'' must match the server's values
* On Windows you must use double backslashes (\\) in paths
* Add (or uncomment) ''remote-cert-tls server'' (''ns-cert-type server'' on old versions): it checks that the peer's certificate was issued with ''build-key-server'', so that another client of the same CA cannot impersonate the server
* On Linux don't forget to uncomment the following lines for better security:

<syntaxhighlight lang="bash">
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
</syntaxhighlight>

* Linux: depending on your distribution you might need to adjust user / group default name (''nogroup'' on Debian / Ubuntu).
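Instead of shipping three or four files plus a configuration whose paths differ per platform, one self-contained ''.ovpn'' can be generated per client with ca.crt, the client certificate and key, and ta.key embedded inline. The script below is an added example; it is not the page's “client_conf.ovpn” and not OpenVPN's own code. It assumes the server settings shown above (UDP port 8080, AES-128-CBC, comp-lzo, tun), takes the ''auth'' digest from a variable because it must equal the server's ''auth'' value whatever you chose there, and only adds ''tls-auth'' when a ta.key is passed. The host name vpn.example.org and the client name are assumptions, and the demo run at the end uses constructed dummy PEM files.

```shell
#!/bin/sh
# Added example (not the original page's client_conf.ovpn): build one
# self-contained .ovpn file per client, with ca.crt, <client>.crt,
# <client>.key and (optionally) ta.key embedded inline. The result is a
# single file to hand over, with no paths to adjust on Windows, Linux or macOS.
#
# Usage: make_client_ovpn <clientName> <keysDir> <serverHost> [taKey]
#   keysDir   easy-rsa output directory (e.g. /etc/openvpn/easy-rsa/keys)
#   taKey     path to ta.key; pass it only if the server has 'tls-auth' enabled
# The profile is written to stdout.

VPN_PORT="${VPN_PORT:-8080}"             # must match 'port' on the server
VPN_PROTO="${VPN_PROTO:-udp}"            # must match 'proto' on the server
VPN_CIPHER="${VPN_CIPHER:-AES-128-CBC}"  # must match 'cipher' on the server
VPN_AUTH="${VPN_AUTH:-SHA256}"           # must match 'auth' on the server

# Print a PEM file between <tag> and </tag>, the inline form OpenVPN accepts
# for ca, cert, key and tls-auth.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

make_client_ovpn() {
    name="$1"; keys="$2"; host="$3"; ta="$4"
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto $VPN_PROTO
remote $host $VPN_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued with build-key-server:
# a stolen client certificate cannot then impersonate the server.
# (OpenVPN older than 2.1: use 'ns-cert-type server' instead)
remote-cert-tls server
cipher $VPN_CIPHER
auth $VPN_AUTH
comp-lzo
verb 3
# Drop privileges once the tunnel is up (ignored with a warning on Windows;
# Debian / Ubuntu use 'nogroup', other distributions may use 'nobody')
user nobody
group nogroup
EOF
    inline_block ca   "$keys/ca.crt"
    inline_block cert "$keys/$name.crt"
    inline_block key  "$keys/$name.key"
    if [ -n "$ta" ]; then
        # tls-auth direction: the server uses 0, every client uses 1
        echo "key-direction 1"
        inline_block tls-auth "$ta"
    fi
}

# Demo run with constructed dummy PEM files in a temporary directory.
demo_dir=$(mktemp -d)
for f in ca.crt laptop.crt laptop.key; do
    printf -- '-----BEGIN DUMMY-----\n%s\n-----END DUMMY-----\n' "$f" > "$demo_dir/$f"
done
umask 077   # the profile contains the client's private key
make_client_ovpn laptop "$demo_dir" vpn.example.org > "$demo_dir/laptop.ovpn"
echo "wrote $demo_dir/laptop.ovpn"
```

The generated file contains the private key, so it gets the same treatment as the key itself: created with a restrictive umask, transferred over an encrypted channel, deleted from the server once handed over.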
 
 
 
 
 
=Fail2ban=
 
 
It's a good idea to protect your server against brute force attacks and intruders.
 
 
 
==Create new rule==
 
 
Create a new rule in Fail2Ban:
 
 
<syntaxhighlight lang="bash">
 
vim /etc/fail2ban/filter.d/openvpn.conf
 
</syntaxhighlight>
 
 
 
Add:
 
 
<syntaxhighlight lang="bash">
[Definition]
# With 'log-append /etc/openvpn/openvpn.log' the lines look like
#   Tue Jun 18 10:00:01 2013 1.2.3.4:51234 TLS Error: TLS handshake failed
# When OpenVPN logs through syslog an "ovpn-server[pid]:" tag precedes the
# address; the leading .* matches both forms.
failregex = ^.*\s<HOST>:[0-9]{4,5} TLS Auth Error:.*$
            ^.*\s<HOST>:[0-9]{4,5} VERIFY ERROR:.*$
            ^.*\s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*$
ignoreregex =
</syntaxhighlight>
 
 
 
==Apply rule==
 
 
Edit Fail2Ban main configuration:
 
 
<syntaxhighlight lang="bash">
 
vim /etc/fail2ban/jail.conf
 
</syntaxhighlight>
 
 
 
At the end of the file, add:
 
 
<syntaxhighlight lang="bash">
[openvpn]
enabled = true
port = 8080
protocol = udp
filter = openvpn
logpath = /etc/openvpn/openvpn.log
maxretry = 3
</syntaxhighlight>

''port'' and ''protocol'' must match the server's ''port'' / ''proto'' (the ban is an iptables rule on that port and protocol only), and ''logpath'' must be the file given to ''log-append''. A jail.local file is the upgrade-safe place for this block; jail.conf is overwritten by package updates. Before enabling the jail, check the filter against the live log with ''fail2ban-regex /etc/openvpn/openvpn.log /etc/fail2ban/filter.d/openvpn.conf'', and list your own networks in ''ignoreip'' so that a mistake cannot lock you out.
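The filter and the ''maxretry'' threshold can be exercised offline, the way fail2ban-regex does, before the jail is switched on. The script below is an added example, not fail2ban's code and not from the original page: it applies the three patterns above (with ''<HOST>'' expanded to an IPv4 capture, as fail2ban does) to constructed log lines in the format OpenVPN writes to its own log file, plus one syslog-tagged line, and reports which source addresses would reach the ban threshold. The IP addresses, timestamps and client name are made up.

```shell
#!/bin/sh
# Added example (not part of the page or of fail2ban): dry-run the OpenVPN
# failregex over sample log lines and report the source addresses that would
# be banned once they reach 'maxretry' failures.

MAXRETRY="${MAXRETRY:-3}"

# The three fail2ban patterns with <HOST> replaced by an IPv4 capture
# (fail2ban performs the same substitution internally).
HOST='([0-9]{1,3}(\.[0-9]{1,3}){3})'
FAILREGEX="${HOST}:[0-9]{4,5} (TLS Auth Error:|VERIFY ERROR:|TLS Error: TLS handshake failed)"

# Constructed sample: the first five lines are in the format written by
# 'log-append /etc/openvpn/openvpn.log', the last one is the syslog variant.
# Line 5 is a successful connection and must NOT count as a failure.
SAMPLE_LOG=$(cat <<'EOF'
Tue Jun 18 10:00:01 2013 198.51.100.7:51234 TLS Error: TLS handshake failed
Tue Jun 18 10:00:02 2013 198.51.100.7:51235 TLS Error: TLS handshake failed
Tue Jun 18 10:00:03 2013 198.51.100.7:51236 VERIFY ERROR: depth=0, error=certificate revoked
Tue Jun 18 10:00:04 2013 203.0.113.9:44444 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 18 10:00:05 2013 203.0.113.9:44445 [laptop-guillaume] Peer Connection Initiated with [AF_INET]203.0.113.9:44445
Jun 18 10:00:06 vpn ovpn-server[1234]: 192.0.2.44:60001 TLS Error: TLS handshake failed
EOF
)

# Read log lines on stdin, print the source IP of every line matching the
# filter, one per line (grep -o prints only the matching part, the IP:port
# prefix and the error text; cut keeps the IP).
failed_hosts() {
    grep -oE "$FAILREGEX" | cut -d: -f1
}

# Read log lines on stdin, print "count ip" for every host with at least
# MAXRETRY failures, i.e. the hosts fail2ban would ban.
ban_candidates() {
    failed_hosts | sort | uniq -c | awk -v max="$MAXRETRY" '$1 >= max { print $1, $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | ban_candidates
```

Against the sample only 198.51.100.7 reaches three failures; 203.0.113.9 has one failure followed by a successful connection, which is exactly the case the filter must leave alone. To test the real setup, pipe ''/etc/openvpn/openvpn.log'' into ''ban_candidates'' instead of the sample (fail2ban additionally windows the count with ''findtime'', which this dry run ignores).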
 
  
=Advanced stuff=

Logrotate: http://guillaume.vaillant.me/?p=393

=Sources=

* Linode: https://library.linode.com/networking/openvpn/debian-6-squeeze#sph_id7
* WebSite (1): http://dev.shyd.de/2011/02/dockstar-howto-setup-openvpn-debian/
* http://guillaume.vaillant.me/?p=393

=Next steps=

* [[VPN server]]
* [[VPN client]]
Latest revision as of 17:23, 8 August 2014