Today we want secure access to our corporate LAN from anywhere in the world. Secure access should be available from mobile devices and from corporate notebooks. And oh, yes, our corporate LAN features IPv6, so by preference the solution should support ipv6 as well as ipv4, i.e. dual-stack.
In order to meet the requirements we chose openvpn version 2.3 as the foundation for our solution. Openvpn version 2.3 is ready for ipv6 and a prebuilt package is available through the Debian Wheezy backports repository.
Openvpn clients are available for all of today's best operating systems, amongst them GNU/Linux and, euhhh, for some other operating systems as well. Anyway, let's get going!
As openvpn version 2.3 doesn't include the 'easy-rsa' software package anymore, copy the 'easy-rsa' directory tree from openvpn version 2.2 or earlier. Put it in /etc/openvpn right after the installation of the openvpn package as described in the install step below.
Another option is to use 'easy-rsa' version 3 from github, though we haven't tested version 3 ourselves yet:
https://github.com/OpenVPN/easy-rsa
In addition to issuing individual client certificates we want our remote users to provide a username and password before they can connect to the openvpn server. Furthermore only members of the group 'vpnusers' will be allowed to connect. We'll configure openvpn to use pam in order to make this happen. Create an openvpn configuration file for pam like so in /etc/pam.d/openvpn
@include common-auth
account required pam_succeed_if.so user ingroup vpnusers
@include common-account
@include common-session
In case you have a lot of users, you might want to store their credentials in LDAP instead of creating separate user accounts on the openvpn server. Check our existing Hannibal documentation on how to configure pam and nss to connect to an LDAP backend.
Add the repository for Wheezy-backports to /etc/apt/sources.list
deb http://ftp.debian.org/debian/ wheezy-backports main contrib
Install openvpn version 2.3.2
apt-get update
apt-get install -t wheezy-backports openvpn
In order to be able to create the necessary keys and certificates we have to configure the 'easy-rsa' tool. First we adjust the /etc/openvpn/easy-rsa/2.0/vars file so that the 'easy-rsa' output will represent the correct data for our organization. Don't forget to increase the 'KEY_SIZE' to 2048. Then we have to add its variables to our environment and clean the existing history. Now 'easy-rsa' is ready for use. We'll create a certificate authority, a key/cert pair for the openvpn server, a Diffie-Hellman parameters file and individual key/cert pairs for our remote users.
cd /etc/openvpn/easy-rsa/2.0
. vars
./clean-all
./build-ca
./build-key-server servername
./build-dh
./build-key client1
In the key files table in the pki-section on the openvpn.net website you can read exactly how to handle all the key/cert files that you've just created.
Let's add an additional layer of security to the ones provided by the default openvpn SSL/TLS handshake. We'll add an HMAC-signature for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped, so without the correct signature the openvpn SSL/TLS handshake won't succeed. Incorrect and unauthorized connection attempts will be blocked as early in the process as possible. Create the tls-auth shared-secret key in the '/etc/openvpn/easy-rsa/2.0/keys' subdirectory
cd /etc/openvpn/easy-rsa/2.0/keys/
openvpn --genkey --secret ta.key
Openvpn stores the IP addresses it dynamically assigns to clients in a file (cf. the 'ifconfig-pool-persist' directive in server.conf as described in the next chapter):
cd /etc/openvpn
touch ipp.txt
chown nobody.nogroup ipp.txt
Create an openvpn status log file:
touch openvpn-status.log
In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in the subdirectory /etc/openvpn/jail. Openvpn needs access to /dev and /tmp directories within the chroot.
mkdir -p /etc/openvpn/jail/dev
mkdir -p /etc/openvpn/jail/tmp
chown -R nobody.nogroup /etc/openvpn/jail/tmp
chmod -R 770 /etc/openvpn/jail/tmp
Once openvpn runs chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot.
echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf
service rsyslog restart
The main configuration file for openvpn is /etc/openvpn/server.conf
port 1194
proto udp
topology subnet
dev tun
tun-ipv6
server-ipv6 2001:392:a17b:8::/64
server 192.0.2.0 255.255.255.0
push "route-ipv6 2000::/3"
push "dhcp-option DNS 2001:4860:4860::8888"
push "dhcp-option DNS 2001:4860:4860::8844"
ifconfig-pool-persist ipp.txt
tls-server
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/debalix.crt
key /etc/openvpn/easy-rsa/2.0/keys/debalix.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
cipher AES-256-CBC
user nobody
group nogroup
chroot jail
keepalive 10 120
persist-tun
persist-key
comp-lzo
script-security 3
status openvpn-status.log
verb 4
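The page only shows the server side. As an added example (not part of the original article), this script derives a client config that stays consistent with the server.conf above: the opposite tls-auth key direction, the same cipher and proto, auth-user-pass because the server runs the pam plugin, and remote-cert-tls so a client cannot impersonate the server with a stolen client cert. It assumes the easy-rsa output files (ca.crt, client1.crt, client1.key, ta.key) are placed next to the client config; vpn.example.org is a placeholder hostname.

```shell
#!/bin/sh
# Abbreviated copy of the guide's server.conf, written out here as a
# constructed sample so the example runs stand-alone.
SAMPLE_CONF="${TMPDIR:-/tmp}/server.conf.$$"
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
tun-ipv6
server-ipv6 2001:392:a17b:8::/64
server 192.0.2.0 255.255.255.0
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
cipher AES-256-CBC
comp-lzo
EOF

# Usage: gen_client_conf /etc/openvpn/server.conf vpn.example.org > client.conf
gen_client_conf() {
    conf="$1"; host="$2"
    port=$(awk '$1 == "port" {print $2}' "$conf")
    proto=$(awk '$1 == "proto" {print $2}' "$conf")
    cipher=$(awk '$1 == "cipher" {print $2}' "$conf")
    printf 'client\ndev tun\nproto %s\nremote %s %s\n' "$proto" "$host" "$port"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    printf 'ca ca.crt\ncert client1.crt\nkey client1.key\n'
    # Only accept a server cert issued by build-key-server (serverAuth EKU),
    # so another user's client cert can never pose as the VPN server.
    printf 'remote-cert-tls server\n'
    # The server uses tls-auth key direction 0, so the client must use 1.
    grep -q '^tls-auth ' "$conf" && printf 'tls-auth ta.key 1\n'
    # The pam plugin on the server means the client has to send a username/password.
    grep -q '^plugin .*auth-pam' "$conf" && printf 'auth-user-pass\n'
    # Mirror the server's tunnel options; the cipher must match on both ends.
    grep -q '^tun-ipv6' "$conf" && printf 'tun-ipv6\n'
    grep -q '^comp-lzo' "$conf" && printf 'comp-lzo\n'
    printf 'cipher %s\nverb 3\n' "$cipher"
}

gen_client_conf "$SAMPLE_CONF" vpn.example.org
```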
Now our openvpn server setup should be ready! Restart the service:
service openvpn restart
At last, we're done:
service coffee refill