Differences
This shows the differences between two versions of the page.
openvpn [23/08/2017 - 15:03] – [Check contents] thommie | openvpn [24/08/2017 - 09:24] – [Revoke certificates] thommie | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Server configuration ====== | ====== Server configuration ====== | ||
- | **–verify-x509-name name type** Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification. | + | < |
+ | ############################################################################## | ||
+ | # sources for configuration: | ||
+ | # http:// | ||
+ | # http://www.online--tutorials.net/ | ||
- | Which X.509 name is compared to **name** depends on the setting of type. **type** can be " | + | ### BASICS |
+ | mode server | ||
+ | # bridged vpn with client IP range | ||
+ | server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100 | ||
- | **–verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' | + | # Protocol/ |
+ | proto udp | ||
+ | port 1194 | ||
- | **–verify-x509-name** is a useful replacement | + | ### Type of operation |
+ | # operation with PKI | ||
+ | tls-server | ||
+ | # instead for using a symmetric key | ||
+ | # secret / | ||
+ | # for vpn with shared key | ||
+ | # tls-auth xxx 1 | ||
+ | |||
+ | # Device type | ||
+ | dev tap0 | ||
+ | |||
+ | # receive connection request on this local adress only | ||
+ | # if not defined, use all interfaces | ||
+ | local 192.168.172.1 | ||
+ | |||
+ | # topology and network | ||
+ | topology subnet | ||
+ | # make IPs persistant | ||
+ | ifconfig-pool-persist ipp.txt | ||
+ | # clients can see each other | ||
+ | client-to-client | ||
+ | |||
+ | # see http:// | ||
+ | sndbuf 393216 | ||
+ | rcvbuf 393216 | ||
+ | |||
+ | ## PKI - certificates and keys, directory of cert/key | ||
+ | cd / | ||
+ | ## Root CA which signed openvpn server and client certs | ||
+ | ca / | ||
+ | ## cert of openvpn server | ||
+ | cert / | ||
+ | ## key of server | ||
+ | key / | ||
+ | # diffie hellman parameter | ||
+ | # create with: openssl genpkey -genparam -algorithm DH -out / | ||
+ | dh / | ||
+ | # certificate revocation list, should be copied from CA | ||
+ | crl-verify / | ||
+ | |||
+ | # Verification of certs | ||
+ | # Details: https:// | ||
+ | # old method (Name/ | ||
+ | # verify-x509-name | ||
+ | # new method from RFC3280: type of certificate must be client | ||
+ | remote-cert-eku "TLS Web Client Authentication" | ||
+ | |||
+ | # Cipher algorithm | ||
+ | cipher AES-256-CBC | ||
+ | # HMAC Authentication | ||
+ | auth SHA256 | ||
+ | |||
+ | # tunnel compression | ||
+ | comp-lzo | ||
+ | |||
+ | # hardening. Beware: can exclude pre-2.3.3 clients | ||
+ | # tls-version-min 1.2 | ||
+ | |||
+ | ## pushed configs for clients for routing & dns | ||
+ | ## redirect all traffic to VPN | ||
+ | ## push " | ||
+ | push "route 192.168.72.0 255.255.255.0 172.168.72.1" | ||
+ | push " | ||
+ | push " | ||
+ | push " | ||
+ | # http:// | ||
+ | push " | ||
+ | push " | ||
+ | |||
+ | # will not work with --ifconfig-pool-persist | ||
+ | # duplicate-cn | ||
+ | # permissions after connect | ||
+ | user nobody | ||
+ | group nogroup | ||
+ | # dont re-read keys after --ping-restart | ||
+ | persist-key | ||
+ | # dont restart tun after --ping-restart | ||
+ | persist-tun | ||
+ | |||
+ | ### LOGGING | ||
+ | log / | ||
+ | # Status info | ||
+ | status / | ||
+ | # dont repeat messages so often | ||
+ | mute 20 | ||
+ | # Log-Levels: 0 no logging, 4 standard, 5 + 6 debugging, 9 max | ||
+ | verb 6 | ||
+ | |||
+ | # Daemon-Mode: | ||
+ | daemon | ||
+ | |||
+ | # Management console | ||
+ | management localhost 7505 | ||
+ | </ | ||
- | Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers. | ||
- | **NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type " | ||
====== Management Console ====== | ====== Management Console ====== | ||
The management console runs on localhost and is reachable on port 7505. | The management console runs on localhost and is reachable on port 7505. | ||
- | < | + | <code > |
| | ||
</ | </ | ||
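Review bot: the gateway in `push "route 192.168.72.0 255.255.255.0 172.168.72.1"` lies outside both the bridge client range 192.168.72.61-100 (network 192.168.72.0/24) and the server's `local 192.168.172.1`, so it looks like a typo for 192.168.72.1 and would push a route with an unreachable next hop to every client. Three hardening points in the same block: `# tls-version-min 1.2` is left commented out even though the comment only warns about pre-2.3.3 clients; `verb 6` is a debugging level by the config's own comment ("5 + 6 debugging") and will write peer and key-negotiation detail to the log file in normal operation, so `verb 4` is the production value; and `management localhost 7505` is opened without the optional password-file argument, so any local process that can reach TCP 7505 can control the daemon.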
Line 22: | Line 122: | ||
Exit with quit. | Exit with quit. | ||
- | < | + | <code > |
INFO: | INFO: | ||
help | help | ||
Line 73: | Line 173: | ||
====== Debugging on the OpenVPN client side (Linux) ====== | ====== Debugging on the OpenVPN client side (Linux) ====== | ||
- | < | + | <code > |
| | ||
</ | </ | ||
Line 81: | Line 181: | ||
A new directive goes into the *.conf: | A new directive goes into the *.conf: | ||
- | < | + | <code > |
| | ||
</ | </ | ||
Line 87: | Line 187: | ||
In this directory, create a file openvpn_dvsdnet_[name] for each client. It contains the client's IP address and netmask: | In this directory, create a file openvpn_dvsdnet_[name] for each client. It contains the client's IP address and netmask: | ||
- | < | + | <code > |
| | ||
</ | </ | ||
Line 95: | Line 195: | ||
Source: [[https:// | Source: [[https:// | ||
- | ====== Set up CA ====== | + | ====== |
<code > | <code > | ||
Line 107: | Line 207: | ||
| | ||
</ | </ | ||
- | ====== Create certificates ====== | + | |
+ | ====== | ||
Create a signing request (CSR); with **nopass** = key **without** password | Create a signing request (CSR); with **nopass** = key **without** password | ||
Line 125: | Line 226: | ||
//server// and //client// determine whether it is a server or client certificate. | //server// and //client// determine whether it is a server or client certificate. | ||
- | ====== Revoke certificates ====== | ||
+ | **Caution with OpenVPN**: the client should check the Common Name given in the OpenVPN certificate. The server in turn checks the client's certificate type (RFC3280): | ||
<code > | <code > | ||
- | ./easyrsa revoke server EntityName | + | # Verification of certs |
+ | # Details: https:// | ||
+ | # old method (Name/ | ||
+ | # verify-x509-name locutus.netzwissen.local name | ||
+ | # new method from RFC3280: type of certificate must be client | ||
+ | remote-cert-eku "TLS Web Client Authentication" | ||
</ | </ | ||
- | Then add the revoked certificates to the CRL with easyrsa gen-crl. | ||
- | pki/ | + | ====== EASYRSA: |
- | + | <code > | |
- | ===== Caution with OpenVPN ===== | + | ./easyrsa revoke server EntityName |
- | + | ||
- | The Common Name of the server certificate and the client certificates must contain the prefix from the server config, for example: | + | |
- | + | ||
- | < | + | |
- | --verify-x509-name openvpn name-prefix | + | |
</ | </ | ||
- | **Easyrsa3** | + | Then with easyrsa |
- | < | + | |
- | locutus: | + | |
- | You are about to sign the following certificate. | + | pki/index.txt shows which certificates have been revoked. |
- | Please check over the details shown below for accuracy. Note that this request | + | |
- | has not been cryptographically verified. Please be sure it came from a trusted | + | |
- | source or that you have verified the request checksum with the sender. | + | |
- | Request subject, to be signed as a server certificate for 3650 days: | + | ===== ===== |
- | subject= | ||
- | commonName | ||
- | </ | ||
- | |||
- | Sign (client or server) | ||
- | |||
- | < | ||
- | ./easyrsa sign-req client EntityName | ||
- | </ | ||
- | |||
- | < | ||
- | ./easyrsa sign-req server EntityName | ||
- | </ | ||
- | |||
- | Revoke | ||
- | |||
- | < | ||
- | ./easyrsa revoke EntityName | ||
- | </ | ||
- | |||
- | Create CRL | ||
- | |||
- | < | ||
- | ./easyrsa gen-crl | ||
- | </ | ||
- | |||
- | Show certificate contents | ||
- | |||
- | < | ||
- | ./easyrsa show-req EntityName | ||
- | ./easyrsa show-cert EntityName | ||
- | </ | ||
- | |||
- | Change key passwords | ||
- | |||
- | < | ||
- | ./easyrsa set-rsa-pass EntityName | ||
- | ./easyrsa set-ec-pass EntityName | ||
- | </ | ||
- | |||
- | With " | ||
====== Check contents ====== | ====== Check contents ====== | ||
Line 207: | Line 261: | ||
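Review bot: `./easyrsa revoke server EntityName` (the added line, appearing twice in this hunk) passes an extra argument that easyrsa's revoke command does not take; the removed text had the correct form `./easyrsa revoke EntityName`, since the server/client type only matters for `sign-req`. Also, the server config in this page loads the CRL with `crl-verify`, so after `./easyrsa gen-crl` the regenerated pki/crl.pem has to be copied to the path that directive points at; otherwise the revocation is recorded in pki/index.txt but never enforced on connecting clients.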
<code > | <code > | ||
openssl x509 -in certificate.crt -text -noout | openssl x509 -in certificate.crt -text -noout | ||
- | </ | ||
- | |||
- | Caution with OpenVPN: the server checks the prefix string in the CN, e.g. at Devoteam: | ||
- | |||
- | <code > | ||
- | CN=openvpn_dvsdnet_thomas.rother@devoteam.com | ||
</ | </ | ||
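Review bot: the removed paragraph was the only place on this page that documented the CN naming convention (`CN=openvpn_dvsdnet_thomas.rother@devoteam.com`), and the per-client files `openvpn_dvsdnet_[name]` in the client config directory above are looked up by the certificate's Common Name; with the server now checking `remote-cert-eku` instead of a CN prefix, keep one sentence stating that each ccd file name must still match the client certificate's CN exactly, or the per-client address assignment silently stops applying.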