Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- openvpn [23/08/2017 - 15:03] – [Inhalte kontrollieren] thommie
+++ openvpn [24/08/2017 - 09:24] – [Zertifikate zurückziehen] thommie
@@ Zeile 1: / Zeile 1: @@
 ====== Server-Konfiguration ======
-**–verify-x509-name name type** Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification.
+<code>
+##############################################################################
+# sources for configuration:
+# http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch)
+# http://www.online--tutorials.net/security/openvpn-tutorial/
-Which X.509 name is compared to **name** depends on the setting of type. **type** can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. Which RDN is verified as name depends on the **–x509-username-field** option. But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:
+### BASICS
+mode server
+# bridged vpn with client IP range
+server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100
-**–verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'** and **–verify-x509-name Server-1 name** or you could use **–verify-x509-name Server- name-prefix** if you want a client to only accept connections to "Server-1", "Server-2", etc.
+# Protocol/port
+proto udp
+port 1194
-**–verify-x509-name** is a useful replacement for the **–tls-verify** option to verify the remote host, because **–verify-x509-name** works in a **–chroot** environment without any dependencies.
+### Type of operation
+# operation with PKI
+tls-server
+# instead for using a symmetric key
+# secret /etc/openvpn/server_static.key
+# for vpn with shared key
+# tls-auth xxx 1
+# Device type
+dev tap0
+# receive connection request on this local adress only
+# if not defined, use all interfaces
+local 192.168.172.1
+# topology and network
+topology subnet
+# make IPs persistant
+ifconfig-pool-persist ipp.txt
+# clients can see each other
+client-to-client
+# see http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
+sndbuf 393216
+rcvbuf 393216
+## PKI - certificates and keys, directory of cert/key
+cd /etc/openvpn
+## Root CA which signed openvpn server and client certs
+ca /etc/easyrsa-pki/ca.crt
+## cert of openvpn server
+cert /etc/openvpn/locutus.netzwissen.local.crt
+## key of server
+key /etc/openvpn/locutus.netzwissen.local.key
+# diffie hellman parameter
+# create with: openssl genpkey -genparam -algorithm DH -out /etc/openvpn/dh2014.pem
+dh /etc/easyrsa-pki/dh.pem
+# certificate revocation list, should be copied from CA
+crl-verify /etc/openvpn/crl.pem
+# Verification of certs
+# Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+# old method (Name/name-prefix from CN field)
+# verify-x509-name locutus.netzwissen.local name
+# new method from RFC3280: type of certificate must be client
+remote-cert-eku "TLS Web Client Authentication"
+# Cipher algorithm
+cipher AES-256-CBC
+# HMAC Authentication
+auth SHA256
+# tunnel compression
+comp-lzo
+# hardening. Beware: can exclude pre-2.3.3 clients
+# tls-version-min 1.2
+## pushed configs for clients for routing & dns
+## redirect all traffic to VPN
+## push "redirect-gateway def1"
+push "route 192.168.72.0 255.255.255.0 172.168.72.1"
+push "dhcp-option DOMAIN netzwissen.local"
+push "dhcp-option DNS 192.168.72.1"
+push "dhcp-option WINS 192.168.72.1"
+# http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
+push "sndbuf 393216"
+push "rcvbuf 393216"
+# will not work with --ifconfig-pool-persist
+# duplicate-cn
+# permissions after connect
+user nobody
+group nogroup
+# dont re-read keys after --ping-restart
+persist-key
+# dont restart tun after --ping-restart
+persist-tun
+### LOGGING
+log /var/log/openvpn.log
+# Status info
+status /var/log/openvpn-status.log 20
+# dont repeat messages so often
+mute 20
+# Log-Levels: 0 no logging, 4 standard, 5 + 6 debugging, 9 max
+verb 6
+# Daemon-Mode: write to syslog - activate after the configuration finished
+daemon
+# Management console
+management localhost 7505
+</code>
-Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.
-**NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA
 ====== Management Console ======
 Die Management Konsole läuft auf localhost und ist über P. 7505 erreichbar.
-<code>
+<code >
  root@server6:/etc/openvpn/staticclients# telnet localhost 7505
 </code>
@@ Zeile 22: / Zeile 122: @@
 Beenden mit quit.
-<code>
+<code >
 INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
 help
@@ Zeile 73: / Zeile 173: @@
 ====== Debugging auf OpenVPN Client Seite (Linux) ======
-<code>
+<code >
  journalctl -fu NetworkManager
 </code>
@@ Zeile 81: / Zeile 181: @@
 In die *.conf kommt eine neue Direktive:
-<code>
+<code >
  client-config-dir /etc/openvpn/staticclients
 </code>
@@ Zeile 87: / Zeile 187: @@
 In diesem Verzeichnis für jeden Client einen Datei openvpn_dvsdnet_[name] legen. Diese enthält die IP Adresse und die Netzmaske des Clients:
-<code>
+<code >
  ifconfig-push 192.168.50.16 255.255.255.0
 </code>
@@ Zeile 95: / Zeile 195: @@
 Quelle: [[https://github.com/OpenVPN/easy-rsa|https://github.com/OpenVPN/easy-rsa]]
-====== CA einrichten ======
+====== EASYRSA: CA einrichten ======
 <code >
@@ Zeile 107: / Zeile 207: @@
  ./easyrsa gen-dh
 </code>
-====== Zertifikate erzeugen ======
+====== EASYRSA: Zertifikate erzeugen ======
 Signing Request (CSR) erzeugen, mit **nopass** = Key **ohne** Passwort
@@ Zeile 125: / Zeile 226: @@
 //server// und //client// bestimmt, ob es ein Server oder Client Zertifikat ist.
-====== Zertifikate zurückziehen ======
+**Achtung bei OpenVPN**: der Client sollte den im OpenVPN Zertifikat angegebenen Common Name prüfen. Server prüft seinerseits den Zertifikatstyp des Clients (RFC3280):
 <code >
-./easyrsa revoke server EntityName
+# Verification of certs
+# Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+# old method (Name/name-prefix from CN field)
+# verify-x509-name locutus.netzwissen.local name
+# new method from RFC3280: type of certificate must be client
+remote-cert-eku "TLS Web Client Authentication"
 </code>
-Danachmit easyrsa gen-crl die zurückgezogenen zertifikate in die crl aufnehmen.
-pki/index.txt zeigt, welche Zertifikate zurückkgezogen wurden.
+====== EASYRSA: Zertifikate zurückziehen ======
+<code >
-===== Achtung bei OpenVPN =====
+./easyrsa revoke server EntityName
-Common Name für das Server Zertifikat und die Client Zertifikate muss den Präfix aus der Server Config enthalten, Beispiel:
-<code>
---verify-x509-name openvpn name-prefix
 </code>
-**Easyrsa3**
+Danach mit easyrsa gen-crl die zurückgezogenen zertifikate in die crl aufnehmen.
-<code>
-locutus:~/easy-rsa/easyrsa3 # ./easyrsa sign-req server openvpn.locutus.netzwissen.local
-You are about to sign the following certificate.
+pki/index.txt zeigt, welche Zertifikate zurückkgezogen wurden.
-Please check over the details shown below for accuracy. Note that this request
-has not been cryptographically verified. Please be sure it came from a trusted
-source or that you have verified the request checksum with the sender.
-Request subject, to be signed as a server certificate for 3650 days:
+=====   =====
-subject=
-    commonName                = openvpn.locutus.netzwissen.local
-</code>
-Signieren (client oder server)
-<code>
-./easyrsa sign-req client EntityName
-</code>
-<code>
-./easyrsa sign-req server EntityName
-</code>
-Zurückziehen
-<code>
-  ./easyrsa revoke EntityName
-</code>
-CRL erzeugen
-<code>
-  ./easyrsa gen-crl
-</code>
-Zertifikats Inhalte anzeigen
-<code>
-  ./easyrsa show-req EntityName
-  ./easyrsa show-cert EntityName
-</code>
-Key Passwörter ändern
-<code>
-  ./easyrsa set-rsa-pass EntityName
-  ./easyrsa set-ec-pass EntityName
-</code>
-Mit "nopass" wird ein Passwort entfernt
 ====== Inhalte kontrollieren ======
@@ Zeile 207: / Zeile 261: @@
 <code >
 openssl x509 -in certificate.crt -text -noout
-</code>
-Achtung bei OpenVPN: Server prüft Präfix-String im CN, z.B: bei Devoteam:
-<code >
-CN=openvpn_dvsdnet_thomas.rother@devoteam.com
 </code>