picoenterprise:openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
picoenterprise:openvpn [2013/11/26 11:09] Olivier Brugman [openvpn] |
picoenterprise:openvpn [2013/12/01 18:57] (current) Olivier Brugman [configuration openvpn server] |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| =====openvpn===== | =====openvpn===== | ||
| - | Today we want secure access to our corporate LAN from anywhere in the world. And oh, yes, our corporate LAN features IPv6, so by preference the solution should support ipv6 as well as ipv4, i.e. dual-stack. | + | Today we want secure access to our corporate LAN from anywhere in the world. Secure access should be available from mobile devices and from corporate notebooks. And oh, yes, our corporate LAN features IPv6, so by preference the solution should support ipv6 as well as ipv4, i.e. dual-stack. |
| In order to meet the requirements we chose openvpn version 2.3 as the foundation for our solution. Openvpn version 2.3 is ready for ipv6 and a prebuilt package is available through the Debian Wheezy backports repository. | In order to meet the requirements we chose openvpn version 2.3 as the foundation for our solution. Openvpn version 2.3 is ready for ipv6 and a prebuilt package is available through the Debian Wheezy backports repository. | ||
| + | |||
| + | Openvpn clients are available for all of today's best operating systems, amongst them GNU/Linux 8-) and, euhhh, for some other operating systems as well. | ||
| + | Anyway, let's get going! | ||
| ====pre-install==== | ====pre-install==== | ||
| As openvpn version 2.3 doesn't include the 'easy-rsa' software package anymore, copy the 'easy-rsa' directory tree from openvpn version 2.2 or earlier. | As openvpn version 2.3 doesn't include the 'easy-rsa' software package anymore, copy the 'easy-rsa' directory tree from openvpn version 2.2 or earlier. | ||
| - | Put it in /etc/openvpn right after the installation of the openvpn package as described below in 'install 1)'. | + | Put it in /etc/openvpn right after the installation of the openvpn package as described below in [[picoenterprise:openvpn#install_openvpn_server|install]]. |
| Another option is to use 'easy-rsa' version 3 from github, though we haven't tested version 3 ourselves yet: | Another option is to use 'easy-rsa' version 3 from github, though we haven't tested version 3 ourselves yet: | ||
| Line 21: | Line 24: | ||
| account required pam_succeed_if.so user ingroup vpnusers | account required pam_succeed_if.so user ingroup vpnusers | ||
| @include common-account | @include common-account | ||
| - | @include common-session | + | @include common-session |
| - | ====install==== | + | |
| - | 1) Add the repository for Wheezy-backports to /etc/apt/sources.list | + | In case you have a lot of users, you might want to store their credentials in LDAP instead of creating separate user accounts on the openvpn server. Check our existing [[hannibal:ldap-auth|Hannibal documentation]] on howto configure pam and nss to connect to an LDAP backend. |
| + | |||
| + | ====install openvpn server==== | ||
| + | |||
| + | Add the repository for Wheezy-backports to /etc/apt/sources.list | ||
| deb http://ftp.debian.org/debian/ wheezy-backports main contrib | deb http://ftp.debian.org/debian/ wheezy-backports main contrib | ||
| Line 36: | Line 42: | ||
| - | 2b) In order to be able to create the necessary keys and certificates we have to configure the 'easy-rsa' tool. First we adjust the /etc/openvpn/easy-rsa/2.0/vars file so that the 'easy-rsa' output will represent the correct data for our organization. Don't forget to increase the 'KEY_SIZE' to 2048. | + | In order to be able to create the necessary keys and certificates we have to configure the 'easy-rsa' tool. First we adjust the /etc/openvpn/easy-rsa/2.0/vars file so that the 'easy-rsa' output will represent the correct data for our organization. Don't forget to increase the 'KEY_SIZE' to 2048. |
| Then we have to add its variables to our environment and clean the existing history. Now 'easy-rsa' is ready for usage. We'll create a certificate authority, a key/cert pair for the openvpn server, a Diffie-Hellman parameters file and individual key/cert pairs for our remote users. | Then we have to add its variables to our environment and clean the existing history. Now 'easy-rsa' is ready for usage. We'll create a certificate authority, a key/cert pair for the openvpn server, a Diffie-Hellman parameters file and individual key/cert pairs for our remote users. | ||
| Line 44: | Line 50: | ||
| ./clean-all | ./clean-all | ||
| ./build-ca | ./build-ca | ||
| - | ./build-key-server servernaam | + | ./build-key-server servername |
| ./build-dh | ./build-dh | ||
| ./build-key client1 | ./build-key client1 | ||
| </code> | </code> | ||
| + | In the key files table in the [[http://openvpn.net/index.php/open-source/documentation/howto.html#pki|pki-section]] on the openvpn.net website you can read exactly how to handle all the key/cert files that you've just created. | ||
| Let's add an additional layer of security to the ones provided by the default openvpn SSL/TLS handshake. We'll add an HMAC-signature for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped, so without the correct signature the openvpn SSL/TLS handshake won't succeed. Incorrect and unauthorized connection attempts will be blocked as early in the process as possible. | Let's add an additional layer of security to the ones provided by the default openvpn SSL/TLS handshake. We'll add an HMAC-signature for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped, so without the correct signature the openvpn SSL/TLS handshake won't succeed. Incorrect and unauthorized connection attempts will be blocked as early in the process as possible. | ||
| - | Create the tls-auth shared-secret key in the '/etc/openvpn/easy-rsa/2.0/keys' subdir. | + | Create the tls-auth shared-secret key in the '/etc/openvpn/easy-rsa/2.0/keys' subdirectory |
| cd /etc/openvpn/easy-rsa/2.0/keys/ | cd /etc/openvpn/easy-rsa/2.0/keys/ | ||
| Line 57: | Line 64: | ||
| - | 3) The main configuration file for openvpn is /etc/openvpn/server.conf | + | Openvpn stores the IP addresses it dynamically assignes to clients in a file (cfm. the 'ifconfig-pool-persist' directive in server.conf as described in the next chapter): |
| + | |||
| + | cd /etc/openvpn | ||
| + | touch ipp.txt | ||
| + | chown nobody.nogroup ipp.txt | ||
| + | |||
| + | Create an openvpn status log file: | ||
| + | |||
| + | touch openvpn-status.log | ||
| + | |||
| + | |||
| + | In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in subdirectory /etc/openvpn/jail | ||
| + | Openvpn needs access to /dev and /tmp directories within the chroot. | ||
| + | |||
| + | mkdir -p /etc/openvpn/jail/dev | ||
| + | mkdir -p /etc/openvpn/jail/tmp | ||
| + | chown -R nobody.nogroup /etc/openvpn/jail/tmp | ||
| + | chmod -R 770 /etc/openvpn/jail/tmp | ||
| + | |||
| + | As soon as openvpn will run chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot. | ||
| + | |||
| + | echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf | ||
| + | |||
| + | service rsyslog restart | ||
| + | |||
| + | |||
| + | ====configuration openvpn server==== | ||
| + | |||
| + | The main configuration file for openvpn is /etc/openvpn/server.conf | ||
| <code> | <code> | ||
| port 1194 | port 1194 | ||
| Line 90: | Line 125: | ||
| </code> | </code> | ||
| - | + | Now our openvpn server setup should be ready! Restart the service: | |
| - | 4) Openvpn stores the IP addresses it dynamically assignes to clients in a file (cfm. the 'ifconfig-pool-persist' directive in server.conf): | + | |
| - | + | ||
| - | cd /etc/openvpn | + | |
| - | touch ipp.txt | + | |
| - | chown nobody.nogroup ipp.txt | + | |
| - | + | ||
| - | Create an openvpn status log file: | + | |
| - | + | ||
| - | touch openvpn-status.log | + | |
| - | + | ||
| - | + | ||
| - | 5) In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in subdirectory /etc/openvpn/jail | + | |
| - | Openvpn needs access to /dev and /tmp directories within the chroot. | + | |
| - | + | ||
| - | mkdir -p /etc/openvpn/jail/dev | + | |
| - | mkdir -p /etc/openvpn/jail/tmp | + | |
| - | chown -R nobody.nogroup /etc/openvpn/jail/tmp | + | |
| - | chmod -R 770 /etc/openvpn/jail/tmp | + | |
| - | + | ||
| - | As soon as openvpn will run chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot. | + | |
| - | + | ||
| - | echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf | + | |
| - | + | ||
| - | service rsyslog restart | + | |
| - | + | ||
| - | + | ||
| - | 6) Now our openvpn server configuration should be ready! Restart the service: | + | |
| service openvpn restart | service openvpn restart | ||
| - | 7) | + | At last, we're done: |
| service coffee refill | service coffee refill | ||
picoenterprise/openvpn.1385460556.txt.gz · Last modified: 2013/11/26 11:09 by Olivier Brugman
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
