OpenVPN workshop
Setting up VPNs, for fun and profit
Presentation
http://docs.google.com/present/view?id=dfm4r95r_15gm5jkdkc
HOWTO eID connections: http://christophe.vandeplas.com/2008/02/08/database-authorization-openvpn-eid http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
Topics
- Configuring server + client with password authentication
- Local PAM auth
- Database auth
- with certificate authentication
- with Belgian eID authentication
Then some more exotic things:
- Create extremely cheap layer2 link between two datacenters
- The fun and risks of using up and down scripts
Participants
- Wouter
- Thomas
- Tazo
- Koert
- ptr_
- Erik
- Xflame
- fs111
- zoobab
- F.Maulana (AcehDevelopment - Indonesia)
- .... (you? please add your name)
We need
- at least two switches (ok, available at HSB)
- >= 2 laptops (should be ok, participants laptops)
- >= 2 machines with 2+ interfaces (can be wireless) (idem)
- There are 2 servers in HSB that can be used for this in the DatenKlo.
- I will bring an eID card reader (Wouter)
Suggestions
- Try to connect HSB to DN42?
- there is a workshop for connecting to dn42 during 26c3, will try to go there (fs111)
- Yes, will most probably attend that one (tazo)
- As far as I have understood on the video recording of the talk, DN42 uses Tinc because of its peer based approach, am I right? (zoobab)
- Create 2 openvpn TUNs on 2 machines in IPv6, and try to load balance ctorrent-ipv6 (zoobab)
- Install Openwrt-UML, UML, Linux Containers (LXC), OpenVZ, KVM, Qemu, or any other virtualisation to play with multiple openvpn
- Make a HOWTO on using OpenVPN through an HTTP proxy
- Fon-ng: anyone willing to improve the (advanced) OpenVPN support on fon-ng to make such VPN-to-VPN connections?
- source: http://trac.fonosfera.org/fon-ng/browser/trunk/fon/openvpn
- source: http://trac.fonosfera.org/fon-ng/browser/trunk/luci/applications/luci-openvpn (gui)
- Price: a Fonera 2.0n (about 79 euro at the moment)
- Description: currently it can create an "openvpn" server and you can create "openvpn" clients & download generated client configuration files... (it's still considered beta though...)
- Target/wanted: be able to use it as a "vpn client" and bridge selected/all LAN/wifi interfaces to the VPN server in e.g. Germany?
- you can download the whole cross-compile environment from svn & compile & test the GUI on your Linux PC: http://trac.fonosfera.org/fon-ng/wiki/build
Final Configs
These configurations build an OpenVPN server with PAM authentication (local users).
server.conf
Files required: server.conf, ca.crt, server.crt, server.key, dh1024.pem
Generate the server SSL keys:
/usr/share/doc/openvpn/examples/easy-rsa/2.0# source vars
# ./clean-all
# ./build-ca
# ./build-key server      (don't give a password to the key)
# ./build-dh
Copy the files keys/ca.crt, server.crt, server.key, dh1024.pem to /etc/openvpn
/etc/openvpn# grep -v -e "^#" -e "^;" -e "^$" server.conf
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
client-cert-not-required
username-as-common-name
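Added example, not part of the workshop page: a small Python checker that reads the server.conf above the way the grep does (dropping `#` and `;` comment lines) and reports the settings a reviewer would want to see before exposing this server, in particular that `client-cert-not-required` leaves the PAM password as the only gate, which PAM service the plugin line hands authentication to, and that no `user`/`group` is set. The embedded config is a constructed copy of the page's; the finding wording is this example's own.

```python
import shlex

# Constructed copy of the page's server.conf; the inline '#' comment on the
# key line is kept to show that the parser strips it (the sample config ships it that way).
SERVER_CONF = """\
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
client-cert-not-required
username-as-common-name
"""

def parse_directives(text):
    """Map each directive to the list of its argument lists (directives may repeat)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop inline '# ...' comments
        if not line or line[0] in "#;":        # '#' and ';' both start comments
            continue
        parts = shlex.split(line)              # keeps quoted arguments together
        found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit(text):
    """Return (directive, finding) pairs a reviewer would raise about this config."""
    d = parse_directives(text)
    findings = []
    if "client-cert-not-required" in d:
        findings.append(("client-cert-not-required",
                         "clients present no certificate, so the password check is the only gate"))
    for args in d.get("plugin", []):
        if args and args[0].endswith("openvpn-auth-pam.so"):
            service = args[1].split()[0]  # first word of the quoted string
            findings.append(("plugin", "PAM service '%s' (/etc/pam.d/%s) decides who gets in" % (service, service)))
    if "user" not in d or "group" not in d:
        findings.append(("user/group", "not set: the daemon keeps root after start-up (the notes say to reduce privileges)"))
    return findings
```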
Firewall script to activate NAT (needs to run at system or OpenVPN server startup):
/etc/openvpn# cat firewall.sh
#!/bin/bash
/sbin/iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
Activate IP routing at boot, by uncommenting a line:
root@chri-desktop:/etc# grep -n forward /etc/sysctl.conf
27:# Uncomment the next line to enable packet forwarding for IPv4
28:net.ipv4.ip_forward=1
30:# Uncomment the next line to enable packet forwarding for IPv6
31:#net.ipv6.conf.all.forwarding=1
Then change the live setting:
sysctl -w net.ipv4.ip_forward=1
client.conf
Configuration for authentication using user/pass. Required files: client.conf, ca.crt
/etc/openvpn# grep -v -e "^#" -e "^;" -e "^$" client.conf
client
dev tun
proto tcp
remote vpn.hackerspace.be 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
Openvpn workshop @ HSB (by chri)

Table of Contents
=================
1. Presentation
2. Config files examples for OpenVPN server
3. Config files examples for OpenVPN client
4. Network Diagram

1. Presentation
===============
http://docs.google.com/a/vandeplas.com/present/view?id=dfm4r95r_15gm5jkdkc

4. Network Diagram
==================
howto draw network schema / structure
network OSI model
* 7 layers
** physical
** layer2: the MAC address: your local LAN, base for connectivity
** layer3: routing etc.
Please Do Not Throw Sausage Pizza Away (mnemonic for the layers)
http://wiki.olc.edu/images/f/f3/Osi_model.JPG

banana-network.vsd -- basic sketch of the network (live drawing)
CROSS arrows: routers
PARALLEL arrows: switches

// what's in a netmask
192.168.1.2/24 (relation of the '24' with the binary netmask)

192.168.1.2/24 (A) wants to talk to 192.168.1.3/24 (B)
* first A checks if B is on the same network (using the configured netmask)
* it finds out B is on the same network (using its netmask)
* so A will do an ARP request (broadcast an ARP question, 'who is 192.168.1.3?')
* B responds with its MAC,
* so A knows which MAC to talk to, and can initiate the communication.

A wants to talk with C (192.168.2.2/24) --
* C is in a different network (IP-A && netmask != IP-C && netmask)
* A looks at the routing table to see if it can find C
* (let's say it doesn't find it in its routing table)
* A sends the packet to the MAC of the gateway/router, which forwards it to C's network (the router can talk locally on both networks, like in the previous case) (so a router needs an IP for each network it wants to talk to directly)

'''bridge''': you throw packets in at one side, they come out the other end (e.g. a hub, Wifi Access Point, etc.) A switch is an intelligent kind of bridge.
'''firewall''': filters according to rules, e.g. routers most of the time support simple filtering; a firewall also keeps state of opened connections etc.
NAT-ing: connect your whole local thingy to the big bad stormy internet
* 1-1 NAT: just replace the IP-address field in the IP packet
* Hide NAT: keeps a table of which local IP the connection on a specific port (on the internet side) should be forwarded to (e.g. think of your little home internet connection box) -- in Linux this is called masquerading.
* port forwarding:

=2 OpenVPN specifics=
==architecture==
libssl (apparently SSL has a default way to format packets)
===those damn certificates===
kinds of certificates
* Public Key + Private Key = valid Keypair
(little comment on PGP, which doesn't have the hierarchical nature of PKI/SSL http://xkcd.com/364/ )
==little tunnels==
* tun - layer3 ipv4
* tun6 - layer3 ipv6
* tap - layer2 -- like you're on the same switch
why would I use tun then? tap seems so much cooler & easier?
- a lot of layer2 protocols broadcast their info (ARP etc.), so all these messages will also end up coming to you, which is mostly not desirable (so layer2 is only used when you've got a big pipe and want to connect two sites)
==authentication==
authentication means verifying you're talking to the person you think you're talking to.
user auth: username+password or using PKI (certificates)
server auth: using PKI (certificates)
==authorisation==
who can access what: user rights
e.g. IT-dude: access everything over VPN
financial dude: should only access the fin. server --> not possible with OpenVPN unless you go scripting the thing
==up & down scripts==
a whole bunch

=3 practical stuff=
==install openvpn==
get the sources http://openvpn.net/index.php/open-source/downloads.html or use your beloved package manager
==example directory==
/usr/share/doc/openvpn/examples/sample-config-files
static-home.conf -- not using certificates for auth; it's a client config that will connect to remote 1.2.3.4, setting a static IP config for the client -- chri doesn't like it so we get out of here
==config the server==
server.conf.gz -- extracted the bunch & put it in /etc/openvpn
# and ; are both comments!
default: sending traffic over udp (for efficiency reasons)
proto udp (or use tcp if you want to traverse NAT etc.)
ssl aka UFBP protocol - 'universal firewall bypass'
ca: certificate authority the server certificate is signed with
cert: public key of your server
key: private key of your server
dh: diffie-hellman: this will be used for the encryption (instead of using some random value?)
in the default config: any user with a certificate signed by this ca is granted access
server: IP settings for our tun device (for tap interfaces openvpn won't do this for you)
push: pushed from server to client (the client can set up/change routes on its own of course)
push "redirect-gateway def1 bypass-dhcp"
def1: a hack to be sure openvpn doesn't delete your gateway config -- it just adds its own routing, which is nice when you disconnect your VPN, as openvpn will delete its routing rules and your old gateway routing will be effective again.
client-to-client: by default, as tun is a point-to-point link, clients don't see each other (and end up in separate networks!)
keepalive: tcp will monitor the state of the link through the connection status, udp will use the keepalive settings
user, group: reduce privileges (only be aware that the openvpn server upon disconnecting will not be able to do a full cleanup (routes etc.))
==add some PAM==
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME ..." etc. to add some authentication mechanism to your server
==now generate some certificates & get them signed==
we need a CA, and certificates signed by this CA
===generate a CA===
easy-rsa (in the examples of openvpn) /usr/share/doc/openvpn/examples/easy-rsa/2.0
# source ./vars (execute the 'vars' script: puts some parameters in your environment)
# ./clean-all
# ./build-ca
===generate and sign a certificate for your server===
./build-key-server servername
===startup openvpn===
openvpn --config server.conf
===get some clients connected===
./build-key myuser
(of course in the real world, the user would create his own private/public key pair and generate a CSR (certificate signing request), which you can sign and send back)
==config the client==
find a sample conf here: /usr/share/doc/openvpn/examples/sample-config-files
-- if you configured the PAM thing, add auth-user-pass to the config
http://openvpn.net/index.php/open-source/documentation/examples.html
Certificate based authentication: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
This looks interesting: http://github.com/lkeijser/stonevpn#readme