Dies ist eine alte Version des Dokuments!
Server-Konfiguration
############################################################################## # sources for configuration: # http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch) # http://www.online--tutorials.net/security/openvpn-tutorial/ ### BASICS mode server # bridged vpn with client IP range server-bridge 192.168.72.1 255.255.255.0 192.168.72.61 192.168.72.100 # Protocol/port proto udp port 1194 ### Type of operation # operation with PKI tls-server # instead for using a symmetric key # secret /etc/openvpn/server_static.key # for vpn with shared key # tls-auth xxx 1 # Device type dev tap0 # receive connection request on this local adress only # if not defined, use all interfaces local 192.168.172.1 # topology and network topology subnet # make IPs persistant ifconfig-pool-persist ipp.txt # clients can see each other client-to-client # see http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/ sndbuf 393216 rcvbuf 393216 ## PKI - certificates and keys, directory of cert/key cd /etc/openvpn ## Root CA which signed openvpn server and client certs ca /etc/easyrsa-pki/ca.crt ## cert of openvpn server cert /etc/openvpn/locutus.netzwissen.local.crt ## key of server key /etc/openvpn/locutus.netzwissen.local.key # diffie hellman parameter # create with: openssl genpkey -genparam -algorithm DH -out /etc/openvpn/dh2014.pem dh /etc/easyrsa-pki/dh.pem # certificate revocation list, should be copied from CA crl-verify /etc/openvpn/crl.pem # Verification of certs # Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage # old method (Name/name-prefix from CN field) # verify-x509-name locutus.netzwissen.local name # new method from RFC3280: type of certificate must be client remote-cert-eku "TLS Web Client Authentication" # Cipher algorithm cipher AES-256-CBC # HMAC Authentication auth SHA256 # tunnel compression comp-lzo # hardening. Beware: can exclude pre-2.3.3 clients # tls-version-min 1.2 ## pushed configs for clients for routing & dns ## redirect all traffic to VPN ## push "redirect-gateway def1" push "route 192.168.72.0 255.255.255.0 172.168.72.1" push "dhcp-option DOMAIN netzwissen.local" push "dhcp-option DNS 192.168.72.1" push "dhcp-option WINS 192.168.72.1" # http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/ push "sndbuf 393216" push "rcvbuf 393216" # will not work with --ifconfig-pool-persist # duplicate-cn # permissions after connect user nobody group nogroup # dont re-read keys after --ping-restart persist-key # dont restart tun after --ping-restart persist-tun ### LOGGING log /var/log/openvpn.log # Status info status /var/log/openvpn-status.log 20 # dont repeat messages so often mute 20 # Log-Levels: 0 no logging, 4 standard, 5 + 6 debugging, 9 max verb 6 # Daemon-Mode: write to syslog - activate after the configuration finished daemon # Management console management localhost 7505
Management Console
Die Management Konsole läuft auf localhost und ist über P. 7505 erreichbar.
root@server6:/etc/openvpn/staticclients# telnet localhost 7505
Beenden mit quit.
INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Commands:
auth-retry t : Auth failure retry mode (none,interact,nointeract).
bytecount n : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
forget-passwords : Forget passwords entered so far.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
load-stats : Show glsobal server load stats.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
needok type action : Enter confirmation for NEED-OK request of 'type',
where action = 'ok' or 'cancel'.
needstr type action : Enter confirmation for NEED-STR request of 'type',
where action is reply string.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.
proxy type [host port flags] : Enter dynamic proxy server info.
pid : Show process ID of the current OpenVPN process.
pkcs11-id-count : Get number of available PKCS#11 identities.
pkcs11-id-get index : Get PKCS#11 identity at index.
client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)
client-auth-nt CID KID : Authenticate client-id/key-id CID/KID
client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason
text R and optional client reason text CR
client-kill CID [M] : Kill client instance CID with message M (def=RESTART)
env-filter [level] : Set env-var filter level
client-pf CID : Define packet filter for client CID (MULTILINE)
rsa-sig : Enter an RSA signature in response to>RSA_SIGN challenge
Enter signature base64 on subsequent lines followed by END
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
Debugging auf OpenVPN Client Seite (Linux)
journalctl -fu NetworkManager
Client IPs fest zuweisen
In die *.conf kommt eine neue Direktive:
client-config-dir /etc/openvpn/staticclients
In diesem Verzeichnis für jeden Client einen Datei openvpn_dvsdnet_[name] legen. Diese enthält die IP Adresse und die Netzmaske des Clients:
ifconfig-push 192.168.50.16 255.255.255.0
OpenVPN liest diese Datei beim Connect zusätzlich ein, aber DNS und Gateway kommen weiterhin über die zentralen push Kommandos. Ggf kann man auch ein Client-spezifisches Push anhängen, siehe dazu http://michlstechblog.info/blog/openvpn-set-a-static-ip-address-for-a-client/
EASYRSA: CA einrichten
./easyrsa init-pki ./easyrsa build-ca
DH erzeugen
./easyrsa gen-dh
EASYRSA: Zertifikate erzeugen
Signing Request (CSR) erzeugen, mit nopass = Key ohne Passwort
./easyrsa gen-req EntityName ./easyrsa gen-req EntityName nopass
danach signieren mit
./easyrsa sign-req server EntityName ./easyrsa sign-req client EntityName
server und client bestimmt, ob es ein Server oder Client Zertifikat ist.
Achtung bei OpenVPN: der Client sollte den im OpenVPN Zertifikat angegebenen Common Name prüfen. Server prüft seinerseits den Zertifikatstyp des Clients (RFC3280):
# Verification of certs # Details: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage # old method (Name/name-prefix from CN field) # verify-x509-name locutus.netzwissen.local name # new method from RFC3280: type of certificate must be client remote-cert-eku "TLS Web Client Authentication"
Zertifikate zurückziehen
./easyrsa revoke server EntityName
Danach mit easyrsa gen-crl die zurückgezogenen zertifikate in die crl aufnehmen.
pki/index.txt zeigt, welche Zertifikate zurückkgezogen wurden.
Inhalte kontrollieren
CSR
openssl req -in www2.netzwissen.de.csr -text -noout
Zertifikat
openssl x509 -in certificate.crt -text -noout