
openvpn

Today we want secure access to our corporate LAN from anywhere in the world. Secure access should be available from mobile devices and from corporate notebooks. And oh, yes, our corporate LAN features IPv6, so preferably the solution should support IPv6 as well as IPv4, i.e. dual-stack.

In order to meet the requirements we chose openvpn version 2.3 as the foundation for our solution. Openvpn version 2.3 is ready for ipv6 and a prebuilt package is available through the Debian Wheezy backports repository.

Openvpn clients are available for all of today's best operating systems, amongst them GNU/Linux 8-) and, euhhh, for other operating systems as well. Anyway, let's get going!

pre-install

As openvpn version 2.3 doesn't include the 'easy-rsa' software package anymore, copy the 'easy-rsa' directory tree from openvpn version 2.2 or earlier. Put it in /etc/openvpn right after installing the openvpn package as described in 'install 1)' below.

Another option is to use 'easy-rsa' version 3 from github, though we haven't tested version 3 ourselves yet:

https://github.com/OpenVPN/easy-rsa

In addition to issuing individual client certificates we want our remote users to provide a username and password before they can connect to the openvpn server. Furthermore only members of the group 'vpnusers' will be allowed to connect. We'll configure openvpn to use PAM in order to make this happen. Create the PAM configuration file for openvpn, /etc/pam.d/openvpn, like so:

@include common-auth
account     required     pam_succeed_if.so user ingroup vpnusers
@include common-account
@include common-session

install

1) Add the repository for Wheezy-backports to /etc/apt/sources.list

deb http://ftp.debian.org/debian/ wheezy-backports main contrib

Install openvpn version 2.3.2

apt-get update
apt-get install -t wheezy-backports openvpn

2) In order to be able to create the necessary keys and certificates we have to configure the 'easy-rsa' tool. First we adjust the /etc/openvpn/easy-rsa/2.0/vars file so that the 'easy-rsa' output will contain the correct data for our organization. Don't forget to increase 'KEY_SIZE' to 2048. Then we have to load its variables into our environment and clean out any keys left over from earlier runs. Now 'easy-rsa' is ready for use. We'll create a certificate authority, a key/cert pair for the openvpn server, a Diffie-Hellman parameters file and individual key/cert pairs for our remote users.

cd /etc/openvpn/easy-rsa/2.0
. vars
# wipes the keys/ directory, so only run this once, before the CA exists
./clean-all
./build-ca
# 'servernaam' is a placeholder for the server's name; the server.conf below
# expects the resulting files to be called debalix.crt and debalix.key
./build-key-server servernaam
./build-dh
./build-key client1

Let's add an additional layer of security to the ones provided by the default openvpn SSL/TLS handshake. We'll add an HMAC-signature for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped, so without the correct signature the openvpn SSL/TLS handshake won't succeed. Incorrect and unauthorized connection attempts will be blocked as early in the process as possible. Create the tls-auth shared-secret key in the '/etc/openvpn/easy-rsa/2.0/keys' subdir.

cd /etc/openvpn/easy-rsa/2.0/keys/
openvpn --genkey --secret ta.key
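The trailing 0 in the 'tls-auth ta.key 0' directive of the server.conf below is the key direction (the client side uses 1): it selects which half of ta.key signs outgoing packets and which half verifies incoming ones. As an added example, not code from the original page, the Python script below parses a ta.key in OpenVPN's Static key V1 format, derives both sides' send/receive HMAC-SHA1 keys (SHA1 being the 2.3 default 'auth' digest) and shows a datagram carrying a wrong tag being rejected before any TLS work; the key bytes and the packet are constructed, not taken from a real installation.

```python
import hashlib
import hmac

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

# Constructed 256-byte (2048-bit) key material; a real ta.key holds random bytes.
_RAW = bytes((i * 7 + 3) & 0xFF for i in range(256))
SAMPLE_TA_KEY = "\n".join(
    ["# constructed sample, same layout as 'openvpn --genkey --secret ta.key'", BEGIN]
    + [_RAW[i:i + 16].hex() for i in range(0, 256, 16)]
    + [END, ""]
)


def parse_static_key(text):
    """Return the 256 raw key bytes from a Static key V1 file."""
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    raw = bytes.fromhex("".join(body.split()))
    if len(raw) != 256:
        raise ValueError("expected a 2048-bit key, got %d bits" % (len(raw) * 8))
    return raw


def hmac_keys(raw, direction):
    """Split the key into two 128-byte halves (64 cipher + 64 HMAC bytes each).
    Direction 0 sends with half 0 and receives with half 1; direction 1 is the
    inverse. Only the first digest-size bytes (20 for SHA1) of the HMAC slot count."""
    halves = [raw[0:128], raw[128:256]]
    out_half, in_half = (0, 1) if direction == 0 else (1, 0)
    return {"send": halves[out_half][64:84], "recv": halves[in_half][64:84]}


def tag(key, packet):
    return hmac.new(key, packet, hashlib.sha1).digest()


def accept_packet(recv_key, packet, received_tag):
    """The tls-auth check: drop the datagram unless the HMAC matches, before TLS runs."""
    return hmac.compare_digest(tag(recv_key, packet), received_tag)


def demo():
    raw = parse_static_key(SAMPLE_TA_KEY)
    server, client = hmac_keys(raw, 0), hmac_keys(raw, 1)
    pkt = b"constructed client control-channel datagram"
    good = accept_packet(server["recv"], pkt, tag(client["send"], pkt))
    # A peer that mixes up the direction (or lacks ta.key) produces a tag that is dropped.
    bad = accept_packet(server["recv"], pkt, tag(client["recv"], pkt))
    return good, bad
```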

3) The main configuration file for openvpn is /etc/openvpn/server.conf

port 1194
proto udp
topology subnet
dev tun
tun-ipv6
server-ipv6 2001:392:a17b:8::/64
server 192.0.2.0 255.255.255.0
push "route-ipv6 2000::/3"
push "dhcp-option DNS 2001:4860:4860::8888"
push "dhcp-option DNS 2001:4860:4860::8844"
ifconfig-pool-persist ipp.txt
tls-server
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/debalix.crt
key /etc/openvpn/easy-rsa/2.0/keys/debalix.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
cipher AES-256-CBC
user nobody
group nogroup
chroot jail
keepalive 10 120
persist-tun
persist-key
comp-lzo
script-security 3
status openvpn-status.log
verb 4

4) Openvpn stores the IP addresses it dynamically assigns to clients in a file (cf. the 'ifconfig-pool-persist' directive in server.conf):

cd /etc/openvpn
touch ipp.txt
chown nobody.nogroup ipp.txt

Create an openvpn status log file:

touch openvpn-status.log

5) In order to harden our openvpn server, we'll tell openvpn to run chrooted in the subdirectory /etc/openvpn/jail. Openvpn needs access to /dev and /tmp directories within the chroot.

mkdir -p /etc/openvpn/jail/dev
mkdir -p /etc/openvpn/jail/tmp
chown -R nobody.nogroup /etc/openvpn/jail/tmp
chmod -R 770 /etc/openvpn/jail/tmp

Once openvpn runs chrooted, it can't open new file handles outside the chroot, so it would lose its connection to syslog. We'll configure rsyslog to add a listening socket for logging within the openvpn chroot.

echo '$AddUnixListenSocket /etc/openvpn/jail/dev/log' > /etc/rsyslog.d/openvpn.conf
service rsyslog restart

6) Now our openvpn server configuration should be ready! Restart the service:

service openvpn restart

7)

service coffee refill
picoenterprise/openvpn.1385461345.txt.gz · Last modified: 2013/11/26 11:22 by Olivier Brugman