This shows you the differences between two versions of the page.
| | picoenterprise:openvpn [2013/11/26 11:45] Olivier Brugman [install] | | picoenterprise:openvpn [2013/12/01 18:57] (current) Olivier Brugman [configuration openvpn server] |
|---|---|---|---|
| Line 11: | Line 11: | ||
| As openvpn version 2.3 doesn't include the 'easy-rsa' software package anymore, copy the 'easy-rsa' directory tree from openvpn version 2.2 or earlier. | As openvpn version 2.3 doesn't include the 'easy-rsa' software package anymore, copy the 'easy-rsa' directory tree from openvpn version 2.2 or earlier. | ||
| - | Put it in /etc/openvpn right after the installation of the openvpn package as described below in 'install 1)'. | + | Put it in /etc/openvpn right after the installation of the openvpn package as described below in [[picoenterprise:openvpn#install_openvpn_server|install]]. |
| Another option is to use 'easy-rsa' version 3 from github, though we haven't tested version 3 ourselves yet: | Another option is to use 'easy-rsa' version 3 from github, though we haven't tested version 3 ourselves yet: | ||
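Review bot: the replaced line says to put the copied 'easy-rsa' tree in /etc/openvpn, but the later hunk configures /etc/openvpn/easy-rsa/2.0/vars, so the sentence should name the full target path (/etc/openvpn/easy-rsa/2.0) so the reader does not end up with the vars file one level too high; the new wiki link to the install section is otherwise consistent with the heading that this revision introduces.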
| Line 24: | Line 24: | ||
| account required pam_succeed_if.so user ingroup vpnusers | account required pam_succeed_if.so user ingroup vpnusers | ||
| @include common-account | @include common-account | ||
| - | @include common-session | + | @include common-session |
| - | ====install==== | + | |
| - | 1) Add the repository for Wheezy-backports to /etc/apt/sources.list | + | In case you have a lot of users, you might want to store their credentials in LDAP instead of creating separate user accounts on the openvpn server. Check our existing [[hannibal:ldap-auth|Hannibal documentation]] on howto configure pam and nss to connect to an LDAP backend. |
| + | |||
| + | ====install openvpn server==== | ||
| + | |||
| + | Add the repository for Wheezy-backports to /etc/apt/sources.list | ||
| deb http://ftp.debian.org/debian/ wheezy-backports main contrib | deb http://ftp.debian.org/debian/ wheezy-backports main contrib | ||
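Review bot: the LDAP paragraph added at the end of this hunk should state that the `account required pam_succeed_if.so user ingroup vpnusers` line above still has to resolve the vpnusers group, so with an LDAP backend the group, not only the user, must be served via NSS, otherwise every LDAP user fails the account stage; it would also help to say in the same paragraph which of the pam/nss settings in the linked Hannibal page apply here.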
| Line 39: | Line 42: | ||
| - | 2b) In order to be able to create the necessary keys and certificates we have to configure the 'easy-rsa' tool. First we adjust the /etc/openvpn/easy-rsa/2.0/vars file so that the 'easy-rsa' output will represent the correct data for our organization. Don't forget to increase the 'KEY_SIZE' to 2048. | + | In order to be able to create the necessary keys and certificates we have to configure the 'easy-rsa' tool. First we adjust the /etc/openvpn/easy-rsa/2.0/vars file so that the 'easy-rsa' output will represent the correct data for our organization. Don't forget to increase the 'KEY_SIZE' to 2048. |
| Then we have to add its variables to our environment and clean the existing history. Now 'easy-rsa' is ready for usage. We'll create a certificate authority, a key/cert pair for the openvpn server, a Diffie-Hellman parameters file and individual key/cert pairs for our remote users. | Then we have to add its variables to our environment and clean the existing history. Now 'easy-rsa' is ready for usage. We'll create a certificate authority, a key/cert pair for the openvpn server, a Diffie-Hellman parameters file and individual key/cert pairs for our remote users. | ||
| Line 47: | Line 50: | ||
| ./clean-all | ./clean-all | ||
| ./build-ca | ./build-ca | ||
| - | ./build-key-server servernaam | + | ./build-key-server servername |
| ./build-dh | ./build-dh | ||
| ./build-key client1 | ./build-key client1 | ||
| </code> | </code> | ||
| + | In the key files table in the [[http://openvpn.net/index.php/open-source/documentation/howto.html#pki|pki-section]] on the openvpn.net website you can read exactly how to handle all the key/cert files that you've just created. | ||
| Let's add an additional layer of security to the ones provided by the default openvpn SSL/TLS handshake. We'll add an HMAC-signature for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped, so without the correct signature the openvpn SSL/TLS handshake won't succeed. Incorrect and unauthorized connection attempts will be blocked as early in the process as possible. | Let's add an additional layer of security to the ones provided by the default openvpn SSL/TLS handshake. We'll add an HMAC-signature for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped, so without the correct signature the openvpn SSL/TLS handshake won't succeed. Incorrect and unauthorized connection attempts will be blocked as early in the process as possible. | ||
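Review bot: the text calls `./clean-all` "clean the existing history", but that command wipes the keys directory, so the paragraph should warn that rerunning this block after certificates have been issued destroys the CA and every key/cert pair built from it; the servername typo fix and the added link to the pki section are fine, and since the 'KEY_SIZE' change is only mentioned in passing, quoting the exact vars line to edit would make the step less easy to miss.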
| Line 60: | Line 64: | ||
| - | 3) The main configuration file for openvpn is /etc/openvpn/server.conf | + | Openvpn stores the IP addresses it dynamically assignes to clients in a file (cfm. the 'ifconfig-pool-persist' directive in server.conf as described in the next chapter): |
| + | |||
| + | cd /etc/openvpn | ||
| + | touch ipp.txt | ||
| + | chown nobody.nogroup ipp.txt | ||
| + | |||
| + | Create an openvpn status log file: | ||
| + | |||
| + | touch openvpn-status.log | ||
| + | |||
| + | |||
| + | In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in subdirectory /etc/openvpn/jail | ||
| + | Openvpn needs access to /dev and /tmp directories within the chroot. | ||
| + | |||
| + | mkdir -p /etc/openvpn/jail/dev | ||
| + | mkdir -p /etc/openvpn/jail/tmp | ||
| + | chown -R nobody.nogroup /etc/openvpn/jail/tmp | ||
| + | chmod -R 770 /etc/openvpn/jail/tmp | ||
| + | |||
| + | As soon as openvpn will run chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot. | ||
| + | |||
| + | echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf | ||
| + | |||
| + | service rsyslog restart | ||
| + | |||
| + | |||
| + | ====configuration openvpn server==== | ||
| + | |||
| + | The main configuration file for openvpn is /etc/openvpn/server.conf | ||
| <code> | <code> | ||
| port 1194 | port 1194 | ||
| Line 93: | Line 125: | ||
| </code> | </code> | ||
| - | + | Now our openvpn server setup should be ready! Restart the service: | |
| - | 4) Openvpn stores the IP addresses it dynamically assignes to clients in a file (cfm. the 'ifconfig-pool-persist' directive in server.conf): | + | |
| - | + | ||
| - | cd /etc/openvpn | + | |
| - | touch ipp.txt | + | |
| - | chown nobody.nogroup ipp.txt | + | |
| - | + | ||
| - | Create an openvpn status log file: | + | |
| - | + | ||
| - | touch openvpn-status.log | + | |
| - | + | ||
| - | + | ||
| - | 5) In order to harden the security level of our openvpn server, we'll tell openvpn to run chrooted in subdirectory /etc/openvpn/jail | + | |
| - | Openvpn needs access to /dev and /tmp directories within the chroot. | + | |
| - | + | ||
| - | mkdir -p /etc/openvpn/jail/dev | + | |
| - | mkdir -p /etc/openvpn/jail/tmp | + | |
| - | chown -R nobody.nogroup /etc/openvpn/jail/tmp | + | |
| - | chmod -R 770 /etc/openvpn/jail/tmp | + | |
| - | + | ||
| - | As soon as openvpn will run chrooted, it can't open new file handles outside the chroot. So we'll configure rsyslog to add a socket for logging within the openvpn chroot. | + | |
| - | + | ||
| - | echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf | + | |
| - | + | ||
| - | service rsyslog restart | + | |
| - | + | ||
| - | + | ||
| - | 6) Now our openvpn server configuration should be ready! Restart the service: | + | |
| service openvpn restart | service openvpn restart | ||
| - | 7) | + | At last, we're done: |
| service coffee refill | service coffee refill | ||
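Review bot: the moved ipp.txt/jail/rsyslog block is carried over byte-for-byte except for the parenthetical "as described in the next chapter", so the spelling errors "assignes" (assigns) and "cfm." (cf.) survive the move and should be fixed while the lines are being touched; the reordering itself is an improvement, because the chroot directory, the log socket and the status file now exist before server.conf refers to them and before the service restart at the end.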