openvpn

Differences between two revisions of this page: openvpn [23/08/2017 - 15:05] (section "Checking contents", thommie) and openvpn [16/10/2018 - 11:32] (section "Checking contents", thommie3).
https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN

====== Server configuration ======

Sources for this configuration: [[http://sarwiki.informatik.hu-berlin.de/OpenVPN_|http://sarwiki.informatik.hu-berlin.de/OpenVPN_]] (German), [[http://www.online--tutorials.net/security/openvpn-tutorial/|http://www.online--tutorials.net/security/openvpn-tutorial/]]

<code>
### BASICS
mode server

# bridged VPN with a client IP range
server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100

# protocol / port
proto udp
port 1194

### Type of operation
# operation with a PKI
tls-server
# instead, for a VPN with a symmetric (shared) key; --secret and
# --tls-server are mutually exclusive, so only one of them may be active
# secret /etc/openvpn/server_static.key

# HMAC firewall for the TLS control channel: key file, key direction
tls-auth xxx 1

# device type
dev tap0

# accept connection requests on this local address only;
# if not defined, listen on all interfaces
local 192.168.172.1

# network topology
topology subnet

# make client IPs persistent
ifconfig-pool-persist ipp.txt

# clients can see each other
client-to-client

# see http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
sndbuf 393216
rcvbuf 393216

## PKI: certificates and keys, directory of cert/key
cd /etc/openvpn

## root CA that signed the OpenVPN server and client certs
ca /etc/easyrsa-pki/ca.crt
## cert of the OpenVPN server
cert /etc/openvpn/locutus.netzwissen.local.crt
## key of the server
key /etc/openvpn/locutus.netzwissen.local.key
# Diffie-Hellman parameters
# create with: openssl genpkey -genparam -algorithm DH -out /etc/openvpn/dh2014.pem
dh /etc/easyrsa-pki/dh.pem

# certificate revocation list, should be copied from the CA
crl-verify /etc/openvpn/crl.pem

# verification of certs
# details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
# old method (name / name-prefix from the CN field)
# verify-x509-name locutus.netzwissen.local name
# new method from RFC 3280: the certificate type must be "client"
remote-cert-eku "TLS Web Client Authentication"

# cipher algorithm
cipher AES-256-CBC
# HMAC authentication
auth SHA256

# tunnel compression
comp-lzo

# hardening. Beware: can exclude pre-2.3.3 clients
# tls-version-min 1.2

## pushed configs for clients, for routing and DNS
## redirect all traffic into the VPN:
## push "redirect-gateway def1"
## push "route 192.168.72.0 255.255.255.0 172.168.72.1"
push "dhcp-option DOMAIN netzwissen.local"
push "dhcp-option DNS 192.168.72.1"
push "dhcp-option WINS 192.168.72.1"

# http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
push "sndbuf 393216"
push "rcvbuf 393216"

# will not work with --ifconfig-pool-persist
# duplicate-cn

# permissions after connect
user nobody
group nogroup

# don't re-read keys after --ping-restart
persist-key
# don't restart tun after --ping-restart
persist-tun

### LOGGING
log /var/log/openvpn.log

# status info
status /var/log/openvpn-status.log 20

# don't repeat messages so often
mute 20

# log levels: 0 no logging, 4 standard, 5 + 6 debugging, 9 max
verb 6

# daemon mode: write to syslog; activate after the configuration is finished
daemon

# management console
management localhost 7505
</code>

===== verify-x509-name =====

From the OpenVPN manual, for the "old method" commented out above. The directive is normally used on the client, where it pins the name in the server's certificate.

''--verify-x509-name name type'' Accept connections only if a host's X.509 name is equal to **name**. The remote host must also pass all other tests of verification.

Which X.509 name is compared to **name** depends on the setting of **type**. **type** can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. Which RDN is verified as name depends on the ''--x509-username-field'' option, but it defaults to the common name (CN); e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:

''--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' '' and ''--verify-x509-name Server-1 name'', or you could use ''--verify-x509-name Server- name-prefix'' if you want a client to only accept connections to "Server-1", "Server-2", etc.

''--verify-x509-name'' is a useful replacement for the ''--tls-verify'' option to verify the remote host, because ''--verify-x509-name'' works in a ''--chroot'' environment without any dependencies.

Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.

**NOTE:** Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA: with a prefix, any certificate from that CA whose CN starts with the prefix is accepted.
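The configuration above is what a reviewer goes through line by line; the following script does that mechanically. It is an added example, not code from the wiki page or from OpenVPN: it parses a config the way OpenVPN reads one (comments after ''#'' or '';'', quoted arguments kept whole) and flags the settings a practitioner would want to look at, such as compression, a missing ''tls-version-min'', the unauthenticated management port, a CBC cipher, debug verbosity, and the mutually exclusive ''secret''/''tls-server'' pair. ''SAMPLE_CONFIG'' is a constructed excerpt of the page's config; the checks and their wording are the example's own, not OpenVPN output.

```python
"""Lint an OpenVPN server config for weak or risky settings.

Added example, not part of the wiki page or of OpenVPN. It reads
directives the way OpenVPN does (comments after '#' or ';', quoted
arguments kept together) and reports the points a reviewer would raise
against the configuration above. SAMPLE_CONFIG is a constructed excerpt
of that configuration; the list of checks is our own selection.
"""
import shlex

SAMPLE_CONFIG = """\
mode server
tls-server
tls-auth xxx 1              # HMAC key file, key direction
dev tap0
client-to-client
crl-verify /etc/openvpn/crl.pem
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
comp-lzo
# tls-version-min 1.2
# duplicate-cn
user nobody
group nogroup
verb 6
management localhost 7505
"""


def parse_config(text):
    """Return [(directive, [args]), ...]; comments and blank lines are dropped."""
    directives = []
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True   # split on whitespace only, keep quoted args whole
        lex.commenters = "#;"         # OpenVPN's comment characters
        parts = list(lex)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def lint(directives):
    """Return a list of (severity, message) findings for parsed directives."""
    seen = {}
    for name, args in directives:
        seen.setdefault(name, []).append(args)
    out = []
    if "secret" in seen and ("tls-server" in seen or "tls-client" in seen):
        out.append(("error", "--secret and --tls-server/--tls-client are mutually exclusive"))
    if "tls-auth" not in seen and "tls-crypt" not in seen:
        out.append(("warn", "no tls-auth/tls-crypt: the TLS control channel is reachable "
                            "by unauthenticated packets from anyone"))
    if "comp-lzo" in seen or any(seen.get("compress", [])):
        out.append(("warn", "compression enabled (comp-lzo/compress): compressing secrets "
                            "next to attacker-chosen data leaks them (VORACLE)"))
    if "tls-version-min" not in seen:
        out.append(("warn", "tls-version-min missing: minimum TLS version is the default "
                            "(1.0 on the 2.3 series)"))
    if not any(d in seen for d in ("remote-cert-tls", "remote-cert-eku", "remote-cert-ku")):
        out.append(("warn", "no remote-cert-tls/eku: any certificate from the CA, a server "
                            "one included, is accepted as a client"))
    if "crl-verify" not in seen:
        out.append(("warn", "crl-verify missing: revoked client certificates still connect"))
    if "duplicate-cn" in seen:
        out.append(("warn", "duplicate-cn: one leaked client certificate gives unlimited "
                            "parallel sessions"))
    if "user" not in seen or "group" not in seen:
        out.append(("warn", "no user/group: the daemon keeps running as root"))
    if "client-to-client" in seen:
        out.append(("info", "client-to-client: traffic between clients is switched inside "
                            "OpenVPN and never passes the host packet filter"))
    for args in seen.get("management", []):
        if len(args) < 3:   # the third argument would be the password file
            out.append(("warn", "management %s without a password file: any local process "
                                "can kill clients or signal the daemon" % " ".join(args[:2])))
    for args in seen.get("cipher", []):
        if args and args[0].upper().endswith("-CBC"):
            out.append(("info", "cipher %s: CBC mode, prefer an AEAD cipher such as "
                                "AES-256-GCM once all clients support it" % args[0]))
    for args in seen.get("verb", []):
        if args and args[0].isdigit() and int(args[0]) >= 5:
            out.append(("info", "verb %s: debug-level logging, lower it in production" % args[0]))
    return out


def lint_text(text):
    """Parse and lint a config given as a string."""
    return lint(parse_config(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_CONFIG):
        print("[%s] %s" % (severity.upper(), message))
```

For a deployed server, feed the real file to ''lint_text(open("/etc/openvpn/server.conf").read())''. The config on this page passes the CRL, EKU, tls-auth and user/group checks and is flagged for ''comp-lzo'', the commented-out ''tls-version-min'', the CBC cipher, ''verb 6'', ''client-to-client'' and the password-less management port.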
  
===== Caution with OpenVPN =====

When the client pins the server with ''name-prefix'', the common name of the server certificate (and of the client certificates, if the server pins them the same way) must start with the prefix given with ''verify-x509-name'', for example:

<code>
--verify-x509-name openvpn name-prefix
</code>

====== Management Console ======

The management console runs on localhost and is reachable on port 7505 (''management localhost 7505'' in the server config). The ''management'' directive takes a password file as optional third argument; without it, every process on that host can connect and, for example, kill clients or send signals to the daemon.

<code>
root@server6:/etc/openvpn/staticclients# telnet localhost 7505
</code>

Quit with ''quit''.

<code>
INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Commands:
auth-retry t           : Auth failure retry mode (none,interact,nointeract).
bytecount n            : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
forget-passwords       : Forget passwords entered so far.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
load-stats             : Show glsobal server load stats.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
needok type action     : Enter confirmation for NEED-OK request of 'type',
                         where action = 'ok' or 'cancel'.
needstr type action    : Enter confirmation for NEED-STR request of 'type',
                         where action is reply string.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.
proxy type [host port flags] : Enter dynamic proxy server info.
pid                    : Show process ID of the current OpenVPN process.
pkcs11-id-count        : Get number of available PKCS#11 identities.
pkcs11-id-get index    : Get PKCS#11 identity at index.
client-auth CID KID    : Authenticate client-id/key-id CID/KID (MULTILINE)
client-auth-nt CID KID : Authenticate client-id/key-id CID/KID
client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason
                             text R and optional client reason text CR
client-kill CID [M]    : Kill client instance CID with message M (def=RESTART)
env-filter [level]     : Set env-var filter level
client-pf CID          : Define packet filter for client CID (MULTILINE)
rsa-sig                : Enter an RSA signature in response to >RSA_SIGN challenge
                         Enter signature base64 on subsequent lines followed by END
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
</code>
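Typing commands into telnet as above is fine for a look, but the same line-oriented protocol is easy to drive from a script, which is how the ''kill cn'' reaction to a leaked certificate or a ''status'' poll for monitoring is normally done. The following is an added example, not code from the wiki page or from the OpenVPN project: a small client that reads the greeting, sends a command, collects the reply up to ''END'' or a ''SUCCESS:''/''ERROR:'' line, skips asynchronous ''>'' notifications, and parses ''status 2'' into one record per connected client. So that it runs offline it also contains a fake daemon whose ''status 2'' reply and ''kill'' answers are constructed; the client-side protocol handling is the same against a real ''management localhost 7505''.

```python
"""Client for the OpenVPN management interface (added example, not from
the wiki page or the OpenVPN project). It does what the telnet session
above does by hand: read the greeting, send a command, collect the
reply up to END or a SUCCESS:/ERROR: line, skip asynchronous '>'
notifications, and parse 'status 2' into one dict per client. A tiny
fake daemon with a constructed 'status 2' reply makes it runnable
offline; against a real server use ManagementClient("localhost", 7505).
"""
import socket
import threading

GREETING = ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"
# Constructed 'status 2' reply, columns reduced to the ones used below.
FAKE_STATUS = (
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent\r\n"
    "CLIENT_LIST,openvpn_dvsdnet_alice,203.0.113.7:41022,192.168.72.61,10240,20480\r\n"
    "CLIENT_LIST,openvpn_dvsdnet_bob,198.51.100.9:51000,192.168.72.62,512,4096\r\n"
    "GLOBAL_STATS,Max bcast/mcast queue length,0\r\n"
    "END\r\n"
)

def _serve(srv):
    """Fake daemon (constructed): answers 'status 2', 'kill <cn>' and 'quit'."""
    conn, _ = srv.accept()
    srv.close()
    conn.sendall(GREETING.encode())
    for line in conn.makefile("r"):
        cmd = line.strip()
        if cmd == "status 2":
            conn.sendall(FAKE_STATUS.encode())
        elif cmd.startswith("kill "):
            cn = cmd[5:]
            found = ("CLIENT_LIST,%s," % cn) in FAKE_STATUS
            conn.sendall(("SUCCESS: common name '%s' found, 1 client(s) killed\r\n" % cn
                          if found else "ERROR: common name '%s' not found\r\n" % cn).encode())
        elif cmd in ("quit", "exit"):
            break
        else:
            conn.sendall(b"ERROR: unknown command, enter 'help' for more options\r\n")
    conn.close()

def start_fake_server():
    """Listen on an ephemeral localhost port, serve one session in a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]

def parse_status(lines):
    """'status 2' lines -> list of client dicts keyed by the HEADER column names."""
    header, clients = None, []
    for line in lines:
        f = line.split(",")
        if f[0] == "HEADER" and f[1] == "CLIENT_LIST":
            header = f[2:]
        elif f[0] == "CLIENT_LIST" and header:
            clients.append(dict(zip(header, f[1:])))
    return clients

class ManagementClient:
    def __init__(self, host="localhost", port=7505):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.reader = self.sock.makefile("r")
        if not self.reader.readline().startswith(">INFO:"):
            raise RuntimeError("not an OpenVPN management interface")

    def command(self, cmd):
        """Send one command and return its reply lines, terminator included."""
        self.sock.sendall((cmd + "\n").encode())
        reply = []
        for line in self.reader:
            line = line.rstrip("\r\n")
            if line.startswith(">"):      # async notification (>LOG, >STATE, ...), not our reply
                continue
            reply.append(line)
            if line == "END" or line.startswith(("SUCCESS:", "ERROR:")):
                return reply
        raise ConnectionError("management connection closed")

    def clients(self):
        return parse_status(self.command("status 2"))

    def kill(self, common_name):
        """Drop every session of this CN; True if the daemon found at least one."""
        return self.command("kill " + common_name)[-1].startswith("SUCCESS:")

    def close(self):
        self.sock.sendall(b"quit\n")
        self.sock.close()

def demo(port=None):
    """List clients, kick one known and one unknown CN; returns (names, ok, ok)."""
    mc = ManagementClient("127.0.0.1", port or start_fake_server())
    names = [c["Common Name"] for c in mc.clients()]
    result = (names, mc.kill("openvpn_dvsdnet_bob"), mc.kill("nobody"))
    mc.close()
    return result

if __name__ == "__main__":
    print(demo())
```

Note that nothing in this exchange authenticates the caller: the daemon answers ''kill'' for anyone who reaches the port, which is the reason to keep ''management'' on localhost and to give it a password file.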
====== Debugging on the OpenVPN client side (Linux) ======

<code>
journalctl -fu NetworkManager
</code>

====== Assigning fixed client IPs ======

A new directive goes into the *.conf:

<code>
client-config-dir /etc/openvpn/staticclients
</code>

In this directory create one file per client, named openvpn_dvsdnet_[name]; the file name must be exactly the common name of the client's certificate, otherwise OpenVPN does not find it. The file contains the IP address and the netmask of the client:

<code>
ifconfig-push 192.168.50.16 255.255.255.0
</code>

OpenVPN reads this file in addition on connect, but DNS and gateway still come from the central push commands. If needed, a client-specific push can be appended as well, see [[http://michlstechblog.info/blog/openvpn-set-a-static-ip-address-for-a-client/|http://michlstechblog.info/blog/openvpn-set-a-static-ip-address-for-a-client/]]

Source: [[https://github.com/OpenVPN/easy-rsa|https://github.com/OpenVPN/easy-rsa]]

====== EASYRSA: setting up the CA ======

<code>
./easyrsa init-pki
./easyrsa build-ca
</code>

Generate DH parameters:

<code>
./easyrsa gen-dh
</code>

====== EASYRSA: creating certificates ======

Create a signing request (CSR); with **nopass** the key is created **without** a password:

<code>
./easyrsa gen-req EntityName
./easyrsa gen-req EntityName nopass
</code>

then sign it with

<code>
./easyrsa sign-req server EntityName
./easyrsa sign-req client EntityName
</code>

//server// and //client// determine whether it becomes a server or a client certificate; they set the extended key usage that ''remote-cert-eku'' (or the shorthand ''remote-cert-tls client'', which also checks the key usage bits) verifies on the server. Before signing, ''sign-req'' displays the request subject, including the commonName, and points out that the request has not been cryptographically verified: check that the CN is the one you expect and that the request came from a trusted source.

**Caution with OpenVPN**: the client should verify the common name given in the OpenVPN server certificate. The server for its part verifies the certificate type of the client (RFC 3280):

<code>
# Verification of certs
# Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
# old method (name / name-prefix from the CN field), in the client config:
# verify-x509-name locutus.netzwissen.local name
# new method from RFC 3280: the certificate type must be "client", in the server config:
remote-cert-eku "TLS Web Client Authentication"
</code>

Show the contents of a request or certificate:

<code>
./easyrsa show-req EntityName
./easyrsa show-cert EntityName
</code>

Change key passwords (with ''nopass'' the password is removed):

<code>
./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName
</code>

====== EASYRSA: revoking certificates ======

<code>
./easyrsa revoke EntityName
</code>

(''revoke'' takes only the name of the entity, not a //server// or //client// argument.) Afterwards add the revoked certificates to the CRL with ''gen-crl'' and copy the resulting ''pki/crl.pem'' to the server, where ''crl-verify'' points to it; a revoked certificate keeps connecting until the server has the new CRL.

<code>
./easyrsa gen-crl
</code>

pki/index.txt shows which certificates have been revoked (status ''R'' in the first column).

====== Checking contents ======

**Certificate**
<code>
openssl x509 -in pki/issued/openvpn.dvsdnet.local.crt -text -noout
</code>

**CSR**

<code>
openssl req -in www2.netzwissen.de.csr -text -noout
</code>
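The ''verify-x509-name'' rules from the server configuration section and the revocation bookkeeping in ''pki/index.txt'' fit together: name matching decides which certificates a client is willing to talk to, ''crl-verify'' decides whether a once-valid one is still trusted. The following script is an added example, not from the wiki page, easy-rsa or OpenVPN. It reads the OpenSSL CA database that easy-rsa keeps in ''pki/index.txt'', applies the three ''--verify-x509-name'' match types to the subjects in it, and reports which certificates a client pinned to a name or prefix would accept and which of those are already revoked. ''SAMPLE_INDEX'' is a constructed database using the page's CN scheme; the CNs, serials and dates are made up.

```python
"""Which certificates would a peer accept? Added example, not from the
wiki page, easy-rsa or OpenVPN. It reads the OpenSSL CA database that
easy-rsa keeps in pki/index.txt (SAMPLE_INDEX is a constructed one) and
applies the --verify-x509-name matching rules (subject, name,
name-prefix) to the subjects in it. The result shows which issued
certificates a client pinned to a given name or prefix would accept,
and which of those are revoked, i.e. caught only by crl-verify.
"""
import datetime

# Constructed pki/index.txt: status (V valid, R revoked, E expired), expiry,
# revocation time (R only), serial, file name, subject - tab separated.
SAMPLE_INDEX = """\
V\t281013093200Z\t\t01\tunknown\t/CN=openvpn.locutus.netzwissen.local
V\t281013093500Z\t\t02\tunknown\t/CN=openvpn_dvsdnet_alice
R\t281013093700Z\t181016110000Z\t03\tunknown\t/CN=openvpn_dvsdnet_bob
V\t281013094000Z\t\t04\tunknown\t/CN=openvpn_dvsdnet_mallory
V\t281013094200Z\t\t05\tunknown\t/CN=build-server
"""


def parse_time(stamp):
    """index.txt uses UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(stamp, fmt)


def parse_index(text):
    """Return one dict per index.txt line; the subject is split into RDNs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rdns = [tuple(part.split("=", 1)) for part in subject.split("/") if part]
        entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "rdns": rdns})
    return entries


def verify_x509_name(rdns, name, match_type="subject", username_field="CN"):
    """OpenVPN's --verify-x509-name rules on a parsed subject [(attr, value), ...].

    subject:     the whole DN in OpenVPN's "C=KG, ST=NA, CN=x" notation equals name
    name:        the RDN chosen by --x509-username-field (CN by default) equals name
    name-prefix: that RDN starts with name
    """
    if match_type == "subject":
        return ", ".join("%s=%s" % rdn for rdn in rdns) == name
    value = dict(rdns).get(username_field)   # last occurrence wins if an attribute repeats
    if value is None:
        return False
    if match_type == "name":
        return value == name
    if match_type == "name-prefix":
        return value.startswith(name)
    raise ValueError("unknown match type %r" % match_type)


def accepted(entries, name, match_type, now):
    """Return (CNs passing the name check, the subset that is also valid and unrevoked)."""
    matched, good = [], []
    for e in entries:
        if not verify_x509_name(e["rdns"], name, match_type):
            continue
        cn = dict(e["rdns"]).get("CN")
        matched.append(cn)
        if e["status"] == "V" and parse_time(e["expiry"]) > now:
            good.append(cn)
    return matched, good


def demo(now_stamp="181016120000Z"):
    """Run the page's two client-side pinning styles against the sample database."""
    entries = parse_index(SAMPLE_INDEX)
    now = parse_time(now_stamp)
    by_prefix = accepted(entries, "openvpn_dvsdnet_", "name-prefix", now)
    by_name = accepted(entries, "openvpn.locutus.netzwissen.local", "name", now)
    return {"name-prefix": by_prefix, "name": by_name}


if __name__ == "__main__":
    for style, (matched, good) in demo().items():
        print("%-12s matches %s, of which valid and unrevoked: %s" % (style, matched, good))
```

The prefix run is the instructive one: ''openvpn_dvsdnet_'' matches alice, bob and mallory alike, because any certificate the CA has ever issued with that prefix passes the name check, including the revoked one for bob. Only the CRL separates bob from the others, and a third-party CA could issue a mallory at any time, which is what the note in the verify-x509-name section warns about.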
  
  
 • openvpn.txt
 • Last modified: 05/03/2024 - 10:52
 • by 127.0.0.1