OpenVPN workshop Sat 16 Jan 2010 14:00 till Sat 16 Jan 2010 20:00 What: openvpn workshop Tagline: I can haz VPN-connections Where: HSB Brussels,Belgium Cost: Donation Who: Christophe, Wouter, Askarel URL:

Setting up VPNs, for fun and profit

Presentation[edit]

http://docs.google.com/present/view?id=dfm4r95r_15gm5jkdkc

HOWTO eID connections: http://christophe.vandeplas.com/2008/02/08/database-authorization-openvpn-eid http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid

Topics[edit]

• Configuring server + client with password authentication
  • Local pam auth
  • Database auth
• with certificate authentication
• with Belgian eID authentication

Then some more exotic things:

• Create extremely cheap layer2 link between two datacenters
• The fun and risks of using up and down scripts

Participants[edit]

• Wouter
• Thomas
• Tazo
• Koert
• ptr_
• Erik
• Xflame
• fs111
• zoobab
• F.Maulana (AcehDevelopment - Indonesia)
• .... (you? please add your name )

We need[edit]

• at least two switches (ok, avail at hsb)
• >= 2 laptops (should be ok, participants laptops)
• >= 2 machines with 2+ interfaces (can be wireless) (idem)

• • There are 2 servers in HSB that can be used for this in the DatenKlo.
  • i will bring a eid card reader (Wouter)

Suggestions[edit]

• Try to connect HSB to DN42?
  • there is a workshop for connecting to dn42 during 26c3, will try to go there (fs111)
  • Yes will most probably attend that one (tazo)
  • As far as I have understood on the video recording of the talk, DN42 uses Tinc because of its peer based approach, am I right? (zoobab)
• Create 2 openvpn TUNs on 2 machines in IPv6, and try to load balance ctorrent-ipv6 (zoobab)
• Install Openwrt-UML, UML, Linux Containers (LXC), OpenVZ, KVM, Qemu, or any other virtualisation to play with multiple openvpn
• Make an Howto with using OpenVPN through an HTTP proxy
• Fon-ng: Anyone willing to improve (advanced) the openvpn support on fon-ng to make such vpn 2 vpn connections?
  • source: http://trac.fonosfera.org/fon-ng/browser/trunk/fon/openvpn
  • source: http://trac.fonosfera.org/fon-ng/browser/trunk/luci/applications/luci-openvpn (gui)
  • Price : a fonera 2.0n (+-79euro at the moment)
  • Description : currently it can create an "openvpn" server and you can create "openvpn" clients & download generated client configuration files... (it's still considered beta though...)
  • Target/wanted : be able to use it as a "vpn client" and bridge selective/all lan/wifi interfaces to the vpn server in eg germany?
  • you can download the whole cross compile environment from svn & compile & test gui on your linux pc : http://trac.fonosfera.org/fon-ng/wiki/build

Final Configs[edit]

These configurations help you to build an openvpn server with PAM authentication (local users)

server.conf[edit]

Files required: server.conf, ca.crt, server.crt, server.key, dh1024.pem

Generate server ssl keys:

/usr/share/doc/openvpn/examples/easy-rsa/2.0# source vars 
# ./clean-all
# ./build-ca
# ./build-key server      # dont give a passwd to the key
# ./build-dh

Copy the files keys/ca.crt, server.crt, server.key, dh1024.pem to /etc/openvpn

/etc/openvpn# grep -v -e "^#" -e "^;" -e "^$" server.conf 
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
client-cert-not-required
username-as-common-name

Firewall script to activate NAT (needs to run at system or openvpn server startup)

/etc/openvpn# cat firewall.sh 
#!/bin/bash
/sbin/iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Activate IP routing at boot, by uncommenting a line:

root@chri-desktop:/etc# grep -n forward /etc/sysctl.conf 
27:# Uncomment the next line to enable packet forwarding for IPv4
28:net.ipv4.ip_forward=1
30:# Uncomment the next line to enable packet forwarding for IPv6
31:#net.ipv6.conf.all.forwarding=1

Then change the live setting:

sysctl -w net.ipv4.ip_forward=1

client.conf[edit]

Configuration for authentication using user/pass. Required files: client.conf, ca.crt

/etc/openvpn# grep -v -e "^#" -e "^;" -e "^$" client.conf 
client
dev tun
proto tcp
remote vpn.hackerspace.be 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
comp-lzo
verb 3
auth-user-pass

Openvpn workshop @ HSB (by chri)

Table of Contents
===========

1. Presentation
2. Config files examples for OpenVPN server
3. Config files examples for OpenVPN client
3. Network Diagram

1. Presentation
=========

http://docs.google.com/a/vandeplas.com/present/view?id=dfm4r95r_15gm5jkdkc

3. Network Diagram
============

howto draw network schema / structure network

OSI model
*  7layers 
**  physical
** layer2: the mac address : your local lan base for connectivity
** layer3: routing etc

Please Do not Throw Sausage Pizza Away

http://wiki.olc.edu/images/f/f3/Osi_model.JPG


banana-network.vsd -- basic sketch of the network (live drawing)

CROSS arrows: routers
PARALLEL arrows : switches

 // what's in a netmask 192.168.1.2/24  (relation of the '24' with the binary netmask)

192.168.1.2/24 (A) wants to talk to 192.168.1.3/24 (B)
* first A checks if B is on the same network (using the configured netmask) 
* it finds  out B is on the same network (using it's netmask)
* so A will do a ARP request (broadcast a arp question, 'who is 192.168.1.3?') 
* B  responds with it's MAC,
* so A knows the MAC which to talk to, and can initiate the communication.

A wants to talk with C (192.168.2.2/24) -- 
  * C is in a different network (IP-A && netmask != IP-B && netmask)
    * A looks at the routing table if it can find C
    * (let's say it doesn't find it in it's routing table)
    * A sends the packet to the MAC of the gateway/router, witch forwards it to C's network (the router can talk locally on both networks alike previous case)

(so a router needs an ip for each network it want to directly talk  to)

'''bridge''': you throw packets in at one side, they come out the other end (eg a hub, Wifi Access Point,  etc.) A switch is an intelligent kind of bridge.


'''firewall''':  filters according to rules
eg. routers most of the time support simple filtering
firewall also keeps state of opened connections etc

NAT-ing : connect your whole local thingy to the big bad stormy internet

* 1-1NAT: just replace the IP-address field in the IP-packet
* Hide NAT: keeps a table of which local ip should be forwarded the connection on specific port (on the internet side) (eg. think your little home internet connection box) -- in linux this is called masquerading.
* port forwarding: 


=2 OpenVPN specifics=

==architecture==
libssl (apparently ssl has default way to format packets)

===those damn certificates===
kinds of certificates
* Public Key + Private Key = valid Keypair 

(little comment on PGP which doesn't have the hierarchical nature of PKI/SSL http://xkcd.com/364/ )

==tunneltjes===
* tun - layer3 ipv4
* tun6 - layer3 ipv6
* tap - layer2 -- like you're on the same switch
   
why would i use tun then ? tap seems so much cooler & easier ?
 - a lot of layer2 protocols broadcast their info (ARP etc), so all these msgs will also end up coming to you, which is mostly not desirable
  (so layer2 is only used when you're got a big pipe, and want to connect two sites)
  
==authentication==

authentication means verifying you're talking to the person you think you're talking to.

user auth : username+passwd or using PKI (certificates)
server auth: using PKI (certificates)

==authorisation==

who can access what : user rights

eg. 
IT-dude: access everything over VPN
financial dude: should only access fin. server
--> not possible with OpenVPN unless you go scripting the thing

==up & down scripts==
a whole bunch



=3 practical stuff=

== install openvpn  ==

get sources http://openvpn.net/index.php/open-source/downloads.html
or use yr beloved packagemanager

== example directory ==
there/usr/share/doc/openvpn/examples/sample-config-files

static-home.conf    -- not using certificates for auth
it's a client config will connect to remote 1.2.3.4
setting static ip config for client -- chri doesn't like it so we get out of here

== config the server ==

server.conf.gz -- extracted the bunch & put it to /etc/openvpn

# ; are both comments !

default sending traffic over udp (for efficiency reasons)
proto udp  
( or use tcp if you want to traverse nat etc)

ssl aka UFBP protocol - 'universal firewall bypass'


ca : certificate authority the server certificate is signed with
cert : public key of yr server
key : private key of yr server
 specify 
 
 dh  : diffie-hellman: this will be used for the encryption (instead of using some random value?)
 
 
 in the default config: any user with a certificate, signed by this ca is granted access
 

server : ip settings for our tun device
(for tap interfaces openvpn won't play yr mam)


push:  pushed from server to client
(the client can setup/change routes on it's own of course)

push "redirect-gateway def1 bypass-dhcp"

def1: a hack to be sure openvpn doesn't delete your  gateway config -- just adds it's own routing - which is nice when you disconnect yr vpn, as openvpn will delete it's routing rules, and your old gateway routing will be effective again.


client-to-client: default as tun is a point-to-point link, clients don't see each other (and end up in separate networks!)

keepalive: tcp will monitor the state of the link through connection status, udp will use keepalive settings

user 
group
reduce privileges (only be aware that the openvpn server upon disconnecting will not be able to do full cleanup (routes etc)

== add some PAM ==

plugin /usr/lib/openvpn/openvp-aut-pam.so "loging login USERNAME etc

to add some authentication mechanism to your server


== now generate some certificates & get them signed ==

we need a
CA
certificates signed by this CA


=== generate a CA ===
easy-rsa (in the examples of openvpn)
/usr/share/doc/openvpn/examples/easy-rsa/2.0

#source ./vars  
(execute the 'vars' script:  puts some parameters in yr environment)

#./clean-all
#./build-ca

=== generate and sign a certificate for yr server ===

./build-key-server servername



===  startup openvpn ===

openvpn --config server.conf

=== get some clients connected ===

./build-key myuser

(off course in a real world, the user would create his own private,public key, generate a CSR (certificate signing request), which you can sign and send back)



== config the client ==

find a sample conf here
/usr/share/doc/openvpn/examples/sample-config-files

-- if you configured the PAM thing,
add 
auth-user-pass
to the config

http://openvpn.net/index.php/open-source/documentation/examples.html


Certificate based authentication: http://openvpn.net/index.php/open-source/documentation/howto.html#pki



This looks interesting: http://github.com/lkeijser/stonevpn#readme

other material (not related to workshop, but good intro to openvpn)[edit]

• http://www.linuxconfig.org/VPN_-_Virtual_Private_Network_and_OpenVPN
• http://www.linuxconfig.org/Page-9