Differences
This page shows the differences between two versions.
openvpn [23/08/2017 - 15:04] – [Set up CA] thommie | openvpn [17/08/2024 - 07:06] (current) – External edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | https:// | ||
+ | |||
====== Server configuration ====== | ====== Server configuration ====== | ||
- | **--verify-x509-name name type** Accept connections only if a host's X.509 name is equal to **name**. The remote host must also pass all other tests of verification. | + | '' |
- | Which X.509 name is compared to **name** depends on the setting of type. **type** can be " | + | ''### |
- | **--verify-x509-name | + | '' |
- | **--verify-x509-name** is a useful replacement for the **--tls-verify** option to verify the remote host, because **--verify-x509-name** works in a **--chroot** environment without any dependencies. | + | ''# |
- | Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers. | + | '' |
- | **NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type " | + | ''# |
- | ====== Management Console ====== | + | |
- | The management console runs on localhost and is reachable on port 7505. | + | ''# |
- | <code> | + | '' |
- | | + | |
- | </code> | + | |
- | Exit with quit. | + | '' |
- | <code> | + | '' |
- | INFO: | + | |
- | help | + | |
- | Management Interface for OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016 | + | |
- | Commands: | + | |
- | auth-retry t : Auth failure retry mode (none, | + | |
- | bytecount n : Show bytes in/out, update every n secs (0=off). | + | |
- | echo [on|off] [N|all] | + | |
- | exit|quit | + | |
- | forget-passwords | + | |
- | help : Print this message. | + | |
- | hold [on|off|release] | + | |
- | | + | |
- | kill cn : Kill the client instance(s) having common name cn. | + | |
- | kill IP: | + | |
- | load-stats | + | |
- | log [on|off] [N|all] | + | |
- | + show last N lines or 'all' | + | |
- | mute [n] : Set log mute level to n, or show level if n is absent. | + | |
- | needok type action | + | |
- | where action = ' | + | |
- | needstr type action | + | |
- | where action is reply string. | + | |
- | net : (Windows only) Show network info and routing table. | + | |
- | password type p : Enter password p for a queried OpenVPN password. | + | |
- | remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP. | + | |
- | proxy type [host port flags] : Enter dynamic proxy server info. | + | |
- | pid : Show process ID of the current OpenVPN process. | + | |
- | pkcs11-id-count | + | |
- | pkcs11-id-get index : Get PKCS#11 identity at index. | + | |
- | client-auth CID KID : Authenticate client-id/ | + | |
- | client-auth-nt CID KID : Authenticate client-id/ | + | |
- | client-deny CID KID R [CR] : Deny auth client-id/ | + | |
- | text R and optional client reason text CR | + | |
- | client-kill CID [M] : Kill client instance CID with message M (def=RESTART) | + | |
- | env-filter [level] | + | |
- | client-pf CID : Define packet filter for client CID (MULTILINE) | + | |
- | rsa-sig | + | |
- | Enter signature base64 on subsequent lines followed by END | + | |
- | signal s : Send signal s to daemon, | + | |
- | s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2. | + | |
- | state [on|off] [N|all] : Like log, but show state history. | + | |
- | status [n] : Show current daemon status info using format #n. | + | |
- | test n : Produce n lines of output for testing/ | + | |
- | username type u : Enter username u for a queried OpenVPN username. | + | |
- | verb [n] : Set log verbosity level to n, or show if n is absent. | + | |
- | version | + | |
- | </code> | + | |
- | ====== Debugging on the OpenVPN client side (Linux) ====== | + | '' |
- | <code> | + | ''# |
- | journalctl -fu NetworkManager | + | ''# |
- | </code> | + | |
- | ====== Assign fixed client IPs ====== | + | '' |
- | A new directive goes into the *.conf: | + | ''# |
+ | subnet '' | ||
- | <code> | + | ''# |
- | client-config-dir / | + | ifconfig-pool-persist ipp.txt '' |
- | </code> | + | |
- | In this directory, create a file openvpn_dvsdnet_[name] for each client. It contains the client's IP address and netmask: | + | ''# |
+ | client-to-client '' | ||
- | <code> | + | ''# |
- | | + | sndbuf 393216\\ |
- | </code> | + | rcvbuf 393216 '' |
- | OpenVPN additionally reads this file on connect, but DNS and gateway still come via the central push commands. If needed, a client-specific push can be appended as well; see [[http://michlstechblog.info/ | + | ''## |
+ | cd /etc/ | ||
- | Source: [[https://github.com/OpenVPN/easy-rsa|https://github.com/OpenVPN/easy-rsa]] | + | ''## |
+ | ca /etc/easyrsa-pki/ | ||
+ | ## cert of openvpn server\\ | ||
+ | cert /etc/openvpn/ | ||
+ | ''## | ||
+ | key / | ||
+ | # diffie hellman parameter\\ | ||
+ | # create with: openssl genpkey -genparam -algorithm DH -out /etc/openvpn/ | ||
+ | dh /etc/easyrsa-pki/dh.pem '' | ||
- | ====== EASYRSA: | + | ''# |
+ | crl-verify / | ||
- | <code> | + | ''# |
- | ./easyrsa init-pki | + | # Details: [[https:// |
- | ./easyrsa build-ca | + | # old method (Name/name-prefix from CN field)\\ |
- | </code> | + | # verify-x509-name locutus.netzwissen.local name '' |
- | Generate DH parameters | + | ''# |
+ | remote-cert-eku "TLS Web Client Authentication" | ||
- | <code> | + | ''# |
- | ./easyrsa gen-dh | + | cipher AES-256-CBC\\ |
- | </code> | + | # HMAC Authentication\\ |
+ | auth SHA256 '' | ||
+ | ''# | ||
+ | comp-lzo '' | ||
- | ====== Generate certificates ====== | + | ''# |
+ | # tls-version-min 1.2 '' | ||
- | Generate a signing request (CSR); **nopass** = key **without** a password | + | ''## |
- | <code> | + | ## redirect all traffic to VPN\\ |
- | ./easyrsa gen-req EntityName | + | ## push " |
+ | push "dhcp-option DOMAIN netzwissen.local" | ||
+ | push " | ||
+ | push " | ||
- | ./easyrsa gen-req EntityName nopass | + | ''# |
- | </code> | + | push " |
+ | push " | ||
- | then sign with | + | ''# |
+ | # duplicate-cn # permissions after connect\\ | ||
+ | user nobody\\ | ||
+ | group nogroup '' | ||
- | <code> | + | ''# |
- | ./easyrsa sign-req server EntityName | + | persist-key '' |
- | ./easyrsa sign-req client EntityName | + | ''# |
- | </code> | + | persist-tun '' |
- | //server// and //client// determine whether a server or a client certificate is issued. | + | ''### |
- | ====== Revoke certificates ====== | + | log /var/log/openvpn.log '' |
- | <code> | + | ''# |
- | ./easyrsa revoke server EntityName | + | status |
- | </code> | + | \\ |
+ | # don't repeat messages so often\\ | ||
+ | mute 20 '' | ||
- | Then add the revoked certificates to the CRL with easyrsa gen-crl. | + | ''# |
+ | verb 6 '' | ||
- | pki/ | + | ''# |
+ | daemon '' | ||
+ | ''# | ||
+ | management localhost 7505 '' | ||
- | ===== Caution with OpenVPN ===== | ||
- | The Common Name of the server certificate and of the client certificates must contain the prefix from the server config, for example: | + | ====== Management Console ====== |
- | <code> | + | The management console runs on localhost and is reachable on port 7505. |
- | --verify-x509-name openvpn name-prefix | + | |
- | </code> | + | |
- | **Easyrsa3** | + | '' |
- | <code> | + | |
- | locutus:~/easy-rsa/easyrsa3 # ./easyrsa sign-req server | + | |
- | You are about to sign the following certificate. | + | Exit with quit. |
- | Please check over the details shown below for accuracy. Note that this request | + | |
- | has not been cryptographically verified. Please be sure it came from a trusted | + | |
- | source or that you have verified the request checksum with the sender. | + | |
- | Request subject, to be signed as a server | + | '' |
+ | ====== Debugging on the OpenVPN client side (Linux) ====== | ||
- | subject= | + | '' |
- | | + | ====== Assign fixed client IPs ====== |
- | </code> | + | |
- | Sign (client or server) | + | A new directive goes into the *.conf: |
- | <code> | + | '' |
- | ./easyrsa sign-req | + | |
- | </code> | + | |
- | <code> | + | In this directory, create a file openvpn_dvsdnet_[name] for each client. It contains the client's IP address and netmask: |
- | ./easyrsa sign-req server EntityName | + | |
- | </code> | + | |
- | Revoke | + | '' |
- | <code> | + | OpenVPN additionally reads this file on connect, but DNS and gateway still come via the central push commands. If needed, a client-specific push can be appended as well; see [[http://michlstechblog.info/ |
- | | + | |
- | </code> | + | |
- | Generate CRL | + | Source: [[https:// |
- | <code> | + | ====== EASYRSA: Set up CA ====== |
- | ./easyrsa gen-crl | + | |
- | </code> | + | |
- | Show certificate contents | + | '' |
- | <code> | + | Generate DH parameters |
- | ./easyrsa show-req EntityName | + | |
- | ./easyrsa show-cert EntityName | + | |
- | </code> | + | |
- | Change key passwords | + | '' |
+ | ====== EASYRSA: Generate certificates ====== | ||
- | <code> | + | Generate a signing request (CSR); **nopass** = key **without** a password |
- | ./easyrsa set-rsa-pass EntityName | + | |
- | ./easyrsa set-ec-pass EntityName | + | |
- | </code> | + | |
- | With "nopass" a password is removed | + | '' |
- | ====== Check contents ====== | + | then sign with |
- | **CSR** | + | '' |
- | <code> | + | |
- | openssl req -in www2.netzwissen.de.csr | + | //server// and //client// determine whether a server or a client certificate is issued. |
- | </code> | + | |
+ | **Caution with OpenVPN**: the client should verify the Common Name given in the OpenVPN certificate. The server in turn checks the client's certificate type (RFC3280): | ||
+ | |||
+ | '' | ||
+ | ====== EASYRSA: Revoke certificates ====== | ||
+ | |||
+ | '' | ||
+ | |||
+ | Then add the revoked certificates to the CRL with easyrsa gen-crl. | ||
+ | |||
+ | pki/ | ||
+ | |||
+ | ===== | ||
+ | |||
+ | ====== Check contents ====== | ||
**Certificate** | **Certificate** | ||
- | <code> | ||
- | openssl x509 -in certificate.crt -text -noout | ||
- | </code> | ||
- | Caution with OpenVPN: the server checks the prefix string in the CN, e.g. at Devoteam: | + | '' |
+ | |||
+ | **CSR** | ||
- | <code> | + | '' |
- | CN=openvpn_dvsdnet_thomas.rother@devoteam.com | + | |
- | </code> | + | |
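The `--verify-x509-name` semantics quoted in the server configuration section (type `subject`, `name` and `name-prefix`) and the CN prefix check the page mentions for the `openvpn_dvsdnet_` client certificates, worked through as an added Python example. This is not code from the wiki page or from the OpenVPN project; it re-implements only the comparison logic the man page excerpt describes, and the subject strings it checks are constructed samples, not real certificates.

```python
"""X.509 name matching as described for OpenVPN's --verify-x509-name.

Added example, not code from the wiki page or from OpenVPN. It
re-implements the three comparison modes the man page excerpt on the
page describes (type "subject", "name" and "name-prefix") and runs them
over a few constructed subject strings, so the difference between an
exact CN match and a prefix match can be seen without a running VPN.
"""

# Constructed sample subjects, written in the RFC 2253 style OpenVPN logs
# (comma-separated RDNs, backslash escapes). Not real certificates.
SAMPLE_SUBJECTS = [
    "CN=openvpn_dvsdnet_alice@example.invalid, O=Example Org, C=DE",
    "CN=openvpn_dvsdnet_bob@example.invalid, O=Example Org, C=DE",
    "CN=openvpn.example.invalid, O=Example Org, C=DE",   # the server certificate
    "CN=mallory.example.invalid, O=Example Org, C=DE",   # same CA, no prefix
    "CN=Lab\\, Inc. VPN, O=Example Org, C=DE",           # escaped comma inside the CN
]


def parse_subject(subject: str) -> dict:
    """Split an RFC 2253-style subject into an {attribute: value} dict.

    A backslash escapes the following character, so an escaped comma
    stays inside the value instead of starting a new RDN.
    """
    rdns, current, escaped = [], [], False
    for ch in subject:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))

    parsed = {}
    for rdn in rdns:
        if "=" not in rdn:
            continue
        attr, _, value = rdn.partition("=")
        parsed[attr.strip().upper()] = value.strip()
    return parsed


def x509_name_matches(subject: str, expected: str, kind: str) -> bool:
    """Return True if `subject` passes a --verify-x509-name style check.

    kind == "subject":     the whole subject string must equal `expected`
    kind == "name":        the CN must equal `expected`
    kind == "name-prefix": the CN must start with `expected`
    """
    if kind == "subject":
        return subject.strip() == expected.strip()
    cn = parse_subject(subject).get("CN")
    if cn is None:
        return False  # no CN at all: nothing to compare, so reject
    if kind == "name":
        return cn == expected
    if kind == "name-prefix":
        return cn.startswith(expected)
    raise ValueError(f"unknown type {kind!r}; expected subject, name or name-prefix")


def accepted_cns(subjects, expected: str, kind: str) -> list:
    """CNs of the subjects that would be accepted under the given check."""
    return [parse_subject(s).get("CN") for s in subjects
            if x509_name_matches(s, expected, kind)]


if __name__ == "__main__":
    # Prefix check as on the page: only the two openvpn_dvsdnet_* client
    # certificates pass, although all five could come from the same private CA.
    print(accepted_cns(SAMPLE_SUBJECTS, "openvpn_dvsdnet_", "name-prefix"))
    # Exact CN check, as a client would apply it to the server certificate.
    print(accepted_cns(SAMPLE_SUBJECTS, "openvpn.example.invalid", "name"))
```

The prefix mode only filters on the CN string, so it is as strong as the CA's control over which CNs it issues; that is the reason for the page's note to use `name-prefix` only with a private CA under your own control, and to prefer `name` (exact CN) or `subject` (complete DN) when the CA is shared.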
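The fixed-address procedure from the "Assign fixed client IPs" section (a `client-config-dir`, one `openvpn_dvsdnet_[name]` file per client holding its IP address and netmask), as an added Python example that generates and validates those files. This is not code from the wiki page; the page elides the body of the per-client file, so the example assumes it is an `ifconfig-push <ip> <netmask>` line (the OpenVPN directive for static client addresses, in `topology subnet` form), and the VPN subnet, server address and client list are constructed sample data.

```python
"""Build client-config-dir (ccd) files for fixed OpenVPN client addresses.

Added example, not code from the wiki page. Assumes each per-client
file carries an `ifconfig-push <ip> <netmask>` line (topology subnet);
the page only states that the file holds the client's IP and netmask.
"""
import ipaddress

CCD_PREFIX = "openvpn_dvsdnet_"  # file name prefix used on the page

# Constructed sample data: VPN subnet, server address, client assignments.
SAMPLE_SUBNET = "10.8.0.0/24"
SAMPLE_SERVER = "10.8.0.1"
SAMPLE_ASSIGNMENTS = [("alice", "10.8.0.10"), ("bob", "10.8.0.11")]


def build_ccd(assignments, vpn_subnet: str, server_ip: str) -> dict:
    """Return {ccd file name: file contents} for (client name, ip) pairs.

    Rejects addresses outside the VPN subnet, the network and broadcast
    addresses, the server's own address, and an address handed to two
    clients. Each of these mistakes reaches the running server silently
    and shows up only as broken or colliding client connectivity.
    """
    net = ipaddress.ip_network(vpn_subnet, strict=True)
    server = ipaddress.ip_address(server_ip)
    if server not in net:
        raise ValueError(f"server address {server} is not inside {net}")

    owner = {}   # ip -> client name, used to detect duplicate assignments
    files = {}
    for name, ip_str in assignments:
        ip = ipaddress.ip_address(ip_str)
        if ip not in net:
            raise ValueError(f"{name}: {ip} is outside the VPN subnet {net}")
        if ip in (net.network_address, net.broadcast_address, server):
            raise ValueError(f"{name}: {ip} is reserved in {net}")
        if ip in owner:
            raise ValueError(f"{name}: {ip} is already assigned to {owner[ip]}")
        owner[ip] = name
        files[f"{CCD_PREFIX}{name}"] = f"ifconfig-push {ip} {net.netmask}\n"
    return files


if __name__ == "__main__":
    for fname, body in build_ccd(SAMPLE_ASSIGNMENTS, SAMPLE_SUBNET, SAMPLE_SERVER).items():
        print(f"{fname}: {body.strip()}")
```

The returned mapping can be written into the directory named by `client-config-dir`; as the page says, DNS and gateway settings still arrive through the server's central `push` lines, so the per-client file only needs the address.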