openvpn: revision of 23/08/2017 15:03 (thommie, section "CA einrichten") compared with revision of 09/09/2018 12:57 (thommie3)

https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN

====== Server configuration ======

<code>
##############################################################################
# sources for configuration:
# http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch)
# http://www.online--tutorials.net/security/openvpn-tutorial/

### BASICS
mode server
# bridged vpn with client IP range
server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100
# Protocol/port
proto udp
port 1194

### Type of operation
# operation with PKI
tls-server
# instead for using a symmetric key
# secret /etc/openvpn/server_static.key
# for vpn with shared key
# tls-auth xxx 1
# Device type
dev tap0
# receive connection requests on this local address only
# if not defined, use all interfaces
local 192.168.172.1
# topology and network
topology subnet
# make IPs persistent
ifconfig-pool-persist ipp.txt
# clients can see each other
client-to-client
# see http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
sndbuf 393216
rcvbuf 393216

## PKI - certificates and keys, directory of cert/key
cd /etc/openvpn
## Root CA which signed openvpn server and client certs
ca /etc/easyrsa-pki/ca.crt
## cert of openvpn server
cert /etc/openvpn/locutus.netzwissen.local.crt
## key of server
key /etc/openvpn/locutus.netzwissen.local.key
# diffie hellman parameter
# create with: openssl genpkey -genparam -algorithm DH -out /etc/openvpn/dh2014.pem
dh /etc/easyrsa-pki/dh.pem
# certificate revocation list, should be copied from CA
crl-verify /etc/openvpn/crl.pem

# Verification of certs
# Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
# old method (Name/name-prefix from CN field)
# verify-x509-name locutus.netzwissen.local name
# new method from RFC3280: type of certificate must be client
remote-cert-eku "TLS Web Client Authentication"

# Cipher algorithm
cipher AES-256-CBC
# HMAC Authentication
auth SHA256
# tunnel compression
comp-lzo
# hardening. Beware: can exclude pre-2.3.3 clients
# tls-version-min 1.2

## pushed configs for clients for routing & dns
## redirect all traffic to VPN
## push "redirect-gateway def1"
push "route 192.168.72.0 255.255.255.0 172.168.72.1"
push "dhcp-option DOMAIN netzwissen.local"
push "dhcp-option DNS 192.168.72.1"
push "dhcp-option WINS 192.168.72.1"
# http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
push "sndbuf 393216"
push "rcvbuf 393216"
# will not work with --ifconfig-pool-persist
# duplicate-cn
# permissions after connect
user nobody
group nogroup
# don't re-read keys after --ping-restart
persist-key
# don't restart tun after --ping-restart
persist-tun

### LOGGING
log /var/log/openvpn.log
# Status info
status /var/log/openvpn-status.log 20
# don't repeat messages so often
mute 20
# Log-Levels: 0 no logging, 4 standard, 5 + 6 debugging, 9 max
verb 6
# Daemon-Mode: write to syslog - activate after the configuration finished
daemon
# Management console
management localhost 7505
</code>

From the OpenVPN 2.3 man page (linked in the config above), on the verification option:

**--verify-x509-name name type** Accept connections only if a host's X.509 name is equal to **name**. The remote host must also pass all other tests of verification.

Which X.509 name is compared to **name** depends on the setting of **type**. **type** can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. Which RDN is verified as name depends on the **--x509-username-field** option; it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:

**--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'** and **--verify-x509-name Server-1 name**, or you could use **--verify-x509-name Server- name-prefix** if you want a client to only accept connections to "Server-1", "Server-2", etc.

**--verify-x509-name** is a useful replacement for the **--tls-verify** option to verify the remote host, because **--verify-x509-name** works in a **--chroot** environment without any dependencies.

Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.

**NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA.
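As an added example (not from this page and not OpenVPN's own code), the three match types described above modelled in Python, so they can be tried offline against the DN from the man page and against the CN prefix used further down on this page; the DN parser is a simplification (attribute values containing commas are not handled) and all function names are assumptions:

```python
def parse_subject(dn):
    """Split 'C=KG, ST=NA, L=Bishkek, CN=Server-1' into (attribute, value) pairs.
    Simplification: attribute values that themselves contain commas are not handled."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def verify_x509_name(subject_dn, name, match_type="subject", username_field="CN"):
    """Model of --verify-x509-name <name> <type> for a peer with the given subject DN.

    subject      the complete subject DN must equal name (the default type)
    name         the RDN selected by --x509-username-field (CN unless changed) must equal name
    name-prefix  that RDN must start with name
    Returns True only when the configured test passes; an absent RDN never matches.
    """
    if match_type == "subject":
        # compare attribute by attribute so spacing differences do not matter
        return parse_subject(subject_dn) == parse_subject(name)
    rdn = dict(parse_subject(subject_dn)).get(username_field)
    if rdn is None:
        return False
    if match_type == "name":
        return rdn == name
    if match_type == "name-prefix":
        return rdn.startswith(name)
    raise ValueError("unknown --verify-x509-name type: %s" % match_type)
```

The last assertion in the test mirrors the NOTE above: with "name-prefix", any CA-issued certificate whose CN happens to start with the prefix is accepted, which is why the prefix test is only safe with a CA under your own control.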
====== Management console ======

The management console runs on localhost and is reachable on port 7505.

<code>
root@server6:/etc/openvpn/staticclients# telnet localhost 7505
</code>

Exit with quit.

<code>
INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Commands:
auth-retry t           : Auth failure retry mode (none,interact,nointeract).
bytecount n            : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
forget-passwords       : Forget passwords entered so far.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
load-stats             : Show global server load stats.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
needok type action     : Enter confirmation for NEED-OK request of 'type',
                         where action = 'ok' or 'cancel'.
needstr type action    : Enter confirmation for NEED-STR request of 'type',
                         where action is reply string.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.
proxy type [host port flags] : Enter dynamic proxy server info.
pid                    : Show process ID of the current OpenVPN process.
pkcs11-id-count        : Get number of available PKCS#11 identities.
pkcs11-id-get index    : Get PKCS#11 identity at index.
client-auth CID KID    : Authenticate client-id/key-id CID/KID (MULTILINE)
client-auth-nt CID KID : Authenticate client-id/key-id CID/KID
client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason
                             text R and optional client reason text CR
client-kill CID [M]    : Kill client instance CID with message M (def=RESTART)
env-filter [level]     : Set env-var filter level
client-pf CID          : Define packet filter for client CID (MULTILINE)
rsa-sig                : Enter an RSA signature in response to >RSA_SIGN challenge
                         Enter signature base64 on subsequent lines followed by END
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
</code>
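An added example, not from this page and not OpenVPN's own code: the line framing a script has to handle when it talks to this interface instead of telnet. One-line replies start with SUCCESS: or ERROR:, multi-line replies end with END, and lines starting with > are asynchronous notifications (>INFO, >LOG, >CLIENT, ...) that can arrive at any time; the function names and the sample transcript are constructed for illustration.

```python
import socket

# Constructed sample of what the server side sends, for offline testing: the
# greeting, a multi-line reply with an interleaved async event, then two
# one-line replies (as produced by e.g. "pid" and an unknown command).
SAMPLE_TRANSCRIPT = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\n",
    "OpenVPN CLIENT LIST\n",
    ">LOG:1536490000,I,example async log line\n",
    "Updated,Sun Sep  9 12:57:00 2018\n",
    "END\n",
    "SUCCESS: pid=1234\n",
    "ERROR: unknown command, enter 'help' for more options\n",
]


def read_reply(lines):
    """Consume lines until one command's reply is complete.
    Returns (ok, reply_lines, notifications); the reply of a failed command
    is the single ERROR line."""
    reply, notes = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(">"):
            notes.append(line)              # async event, not part of the reply
            continue
        if line.startswith(("SUCCESS:", "ERROR:")):
            return line.startswith("SUCCESS:"), [line], notes
        if line == "END":
            return True, reply, notes
        reply.append(line)
    raise ConnectionError("connection closed before the reply was complete")


def management_command(command, host="localhost", port=7505):
    """Run one command (e.g. 'pid', 'load-stats', 'status 2') over TCP and return its reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        f = sock.makefile("rw", newline="\n")
        f.readline()                        # the >INFO greeting
        f.write(command + "\n")
        f.flush()
        result = read_reply(f)
        f.write("quit\n")
        f.flush()
        return result
```

As configured on this page the interface asks for no password, so anything that can reach localhost:7505 can issue every command in the list above.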
====== Debugging on the OpenVPN client side (Linux) ======

<code>
journalctl -fu NetworkManager
</code>
====== Assigning fixed client IPs ======

A new directive goes into the *.conf:

<code>
client-config-dir /etc/openvpn/staticclients
</code>

In this directory, create a file openvpn_dvsdnet_[name] for each client. It contains the client's IP address and netmask:

<code>
ifconfig-push 192.168.50.16 255.255.255.0
</code>

OpenVPN additionally reads this file when the client connects, but DNS and gateway still come from the central push commands. If needed, a client-specific push can be appended as well, see [[http://michlstechblog.info/blog/openvpn-set-a-static-ip-address-for-a-client/|http://michlstechblog.info/blog/openvpn-set-a-static-ip-address-for-a-client/]]

Source: [[https://github.com/OpenVPN/easy-rsa|https://github.com/OpenVPN/easy-rsa]]

====== EASYRSA: Setting up the CA ======

<code>
./easyrsa init-pki
./easyrsa build-ca
</code>

Generate DH parameters

<code>
./easyrsa gen-dh
</code>

====== EASYRSA: Creating certificates ======

Create a signing request (CSR); with **nopass** the key is generated **without** a password
<code>
./easyrsa gen-req EntityName

./easyrsa gen-req EntityName nopass
</code>

then sign with

<code>
./easyrsa sign-req server EntityName

./easyrsa sign-req client EntityName
</code>

//server// and //client// determine whether it is a server or a client certificate.

**Note for OpenVPN**: the client should check the Common Name given in the OpenVPN server certificate. The server in turn checks the certificate type of the client (RFC3280):

<code>
# Verification of certs
# Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
# old method (Name/name-prefix from CN field)
# verify-x509-name locutus.netzwissen.local name
# new method from RFC3280: type of certificate must be client
remote-cert-eku "TLS Web Client Authentication"
</code>

====== EASYRSA: Revoking certificates ======

<code>
./easyrsa revoke EntityName
</code>

Then add the revoked certificates to the CRL with easyrsa gen-crl.

pki/index.txt shows which certificates have been revoked.

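An added example (not from this page and not part of easy-rsa) that reads pki/index.txt, the OpenSSL CA database easy-rsa maintains, and lists the revoked entries so the check above can be scripted; the sample index content and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of an easy-rsa pki/index.txt. Tab-separated fields:
# status (V=valid, R=revoked, E=expired), expiry, revocation date[,reason],
# serial (hex), filename ("unknown" with easy-rsa), subject DN.
SAMPLE_INDEX = (
    "V\t280901120000Z\t\t01\tunknown\t/CN=locutus.netzwissen.local\n"
    "R\t280901120000Z\t180909105700Z,keyCompromise\t02\tunknown\t/CN=client-old\n"
    "R\t280901120000Z\t180910080000Z\t03\tunknown\t/C=DE/CN=client-gone/emailAddress=x@example.invalid\n"
    "V\t280901120000Z\t\t04\tunknown\t/CN=client-new\n"
)


def _utc_time(s):
    # index.txt stores UTCTime (YYMMDDHHMMSSZ); Python's %y maps 00-68 to 20xx
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _subject_cn(subject):
    # "/C=DE/CN=foo/emailAddress=bar" -> "foo"
    parts = dict(p.split("=", 1) for p in subject.strip("/").split("/") if "=" in p)
    return parts.get("CN")


def parse_index(text):
    """Return one dict per index.txt line, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        rev_date, _, reason = revoked.partition(",")
        entries.append({
            "status": status,
            "expires": _utc_time(expiry),
            "revoked_at": _utc_time(rev_date) if rev_date else None,
            "reason": reason or None,
            "serial": serial,
            "cn": _subject_cn(subject),
        })
    return entries


def revoked(text):
    """(serial, CN) of every revoked entry; the serials are what gen-crl puts into the CRL."""
    return [(e["serial"], e["cn"]) for e in parse_index(text) if e["status"] == "R"]


def is_revoked(text, cn):
    return any(c == cn for _, c in revoked(text))
```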
===== Note for OpenVPN =====

The Common Name of the server certificate and of the client certificates must contain the prefix from the server config, example:

<code>
--verify-x509-name openvpn name-prefix
</code>

**Easyrsa3**
<code>
locutus:~/easy-rsa/easyrsa3 # ./easyrsa sign-req server openvpn.locutus.netzwissen.local

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = openvpn.locutus.netzwissen.local
</code>

Sign (client or server)

<code>
./easyrsa sign-req client EntityName
</code>

<code>
./easyrsa sign-req server EntityName
</code>

Revoke

<code>
./easyrsa revoke EntityName
</code>

Generate the CRL

<code>
./easyrsa gen-crl
</code>

Show certificate contents

<code>
./easyrsa show-req EntityName
./easyrsa show-cert EntityName
</code>

Change key passwords

<code>
./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName
</code>

With "nopass" a password is removed

====== Checking contents ======

**CSR**
<code>
openssl req -in www2.netzwissen.de.csr -text -noout
</code>

**Certificate**
<code>
openssl x509 -in certificate.crt -text -noout
</code>

Note for OpenVPN: the server checks the prefix string in the CN, e.g. at Devoteam:

<code>
CN=openvpn_dvsdnet_thomas.rother@devoteam.com
</code>