OpenVPN/Installation
From Debuntu
This page covers how to set up OpenVPN on Debian etch and will be focused on getting the users authenticated through PAM.
Installing OpenVPN
OpenVPN is included in the Debian etch repository, so a simple:
apt-get install openvpn openssl
will get the required packages installed.
Setting up keys and certificates
Both the server and each client need their own certificate and private key.
These certificates are signed by a master Certificate Authority (CA) so that clients and server can authenticate each other.
The master CA should be stored on a separate server, as its key is the most sensitive piece of the whole setup.
If a certificate is compromised, it can easily be added to the Certificate Revocation List (CRL) so that it is rejected.
To generate all of this, OpenVPN comes with some handy scripts that will help out.
Generating the Master Certificate Authority
In the openvpn package there is a folder called easy-rsa; copy this folder to /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa
Now edit the vars file and set the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to your needs.
Then generate the CA by running:
. ./vars
./clean-all
./build-ca
You should now have the master CA certificate and key, ca.crt and ca.key, in /etc/openvpn/easy-rsa/
Generating the server certificate
Now go back to /etc/openvpn/easy-rsa and run the server certificate generation script with:
./build-key-server server
Answer the questions (the Common Name must be filled in) and answer yes to both prompts:
* Sign the certificate? [y/n]:y
* 1 out of 1 certificate requests certified, commit? [y/n]y
Generating client certificates
To generate client certificates, use the build-key script with a parameter naming the client; client1 will do for this tutorial.
./build-key client1
and answer the questions as you did previously, except for the Common Name, which must be different for each client.
Generating Diffie Hellman parameters
The server needs Diffie-Hellman parameters; these are generated with:
./build-dh
Generating TLS key
This is optional and helps block DoS attacks and UDP port flooding. The key is generated with:
openvpn --genkey --secret ta.key
and will need to be on both the clients and the server.
Summary
You now have the following files in the keys directory, which need to be distributed (over secure channels) to the different entities:
| Filename | Used by | Usage | Private |
|---|---|---|---|
| ca.crt | server and clients | Master CA certificate | No |
| ca.key | certificate signing server | Master CA key | Yes |
| server.crt | server only | server certificate | No |
| server.key | server only | server key | Yes |
| dh*.pem | server only | Diffie-Hellman parameters | No |
| client1.crt | client1 only | client1 certificate | No |
| client1.key | client1 only | client1 key | Yes |
| ta.key | server and clients | avoid DoS attacks and UDP port flooding | No |
To keep it simple: keys are private (except for ta.key), certificates are not. The reason is that the two ends exchange their certificates, check each against ca.crt, and each proves that it holds the private key matching its own certificate.
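As an added check written for this page (it is neither the Debuntu page's own code nor part of OpenVPN), the following POSIX shell script audits a keys directory against the table: every file the table marks as private (ca.key, server.key, client1.key, plus ta.key, which the server configuration below marks as secret) must be readable by its owner only, and ca.key should not be present on the VPN server at all, since the master CA lives on a separate host. It assumes the file names of the table and needs only ls and awk; the demo directory it builds is a constructed sample with empty files.

```shell
#!/bin/sh
# Added example: audit a keys directory for world/group-readable private
# material and for a stray master CA key. Not code from the page or OpenVPN.

# mode_of FILE: print the symbolic permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# is_private NAME: succeed for file names the table marks as private
# (ca.key, server.key, client1.key) plus ta.key, which is a shared secret
is_private() {
    case "$1" in
        *.key) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_key_dir DIR: print one line per problem and return 1 if any was found
audit_key_dir() {
    rc=0
    if [ -e "$1/ca.key" ]; then
        echo "FOUND ca.key: the master CA key belongs on the signing host, not on the VPN server"
        rc=1
    fi
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        is_private "$name" || continue
        m=$(mode_of "$f")
        case "$m" in
            ?rw-------|?r--------) ;;   # owner-only, what chmod 600 gives
            *) echo "INSECURE $m $name (expected mode 600)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed directory (empty placeholder files, not real keys)
demo=$(mktemp -d)
for n in ca.crt server.crt dh1024.pem; do : > "$demo/$n"; chmod 644 "$demo/$n"; done
for n in server.key ta.key; do : > "$demo/$n"; chmod 600 "$demo/$n"; done
audit_key_dir "$demo" && echo "$demo: ok"
chmod 644 "$demo/ta.key"            # simulate a key copied with the wrong mode
audit_key_dir "$demo" || echo "fix with: chmod 600 $demo/ta.key"
rm -r "$demo"
```

Run it as `audit_key_dir /etc/openvpn/keys` on the server and on each client after copying the files over; a clean run prints nothing and returns 0.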
Setting up the server configuration
We are going to use the sample server configuration file as a template. Copy those files to our OpenVPN conf folder for further modification:
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/sample-config-files /etc/openvpn
And start using the template:
zcat sample-config-files/server.conf.gz > server.conf
And modify the configuration so it looks like:
# use default port over UDP
port 1194
proto udp
# create routed IP tunnel
dev tun
# certificates/keys are in the keys folder
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
# server will get 10.45.0.1 and hand out other IPs to clients
server 10.45.0.0 255.255.255.0
# remember the IPs assigned to clients
ifconfig-pool-persist ipp.txt
# make clients aware of our internal subnets
# the private subnet will need to route packets to 10.45.0.0/24
# through our VPN router
push "route 192.168.123.0 255.255.255.0"
# allow clients to communicate with each other
client-to-client
keepalive 10 120
# prevent DoS and UDP flooding
# clients need this file too and must set the value to 1
tls-auth keys/ta.key 0  # This file is secret
# use this cryptographic cipher; clients need to use the same one
cipher DES-EDE3-CBC  # Triple-DES
# enable compression on the VPN link; clients need to use the same
comp-lzo
# drop privileges
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Now we need to copy the keys and certificates to the keys folder:
mkdir /etc/openvpn/keys
cp -a /etc/openvpn/easy-rsa/{ca.crt,dh1024.pem,server.crt,server.key,ta.key} /etc/openvpn/keys
Then make the service start from the init.d script by setting in /etc/default/openvpn:
AUTOSTART="server"
And finally restart the service:
/etc/init.d/openvpn restart
Any issues can be troubleshot using /var/log/daemon.log and /etc/openvpn/openvpn-status.log
Configuring the client
The client needs to be given:
* ca.crt
* client1.crt
* client1.key
* ta.key
Assuming that the configuration file (client.conf) and the certificates/keys are in the same directory, your configuration will look like:
client
dev tun
proto udp
# change to your vpn server
remote vpn.example.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
comp-lzo
verb 3
Now, you can start a session with:
sudo openvpn client.conf
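The server and client configurations have to agree on several settings (proto, cipher, comp-lzo and the tls-auth key direction), and a mismatch only shows up as a failed handshake in daemon.log. The following POSIX shell linter is an added example, not code from the Debuntu page or from OpenVPN: it reads a server.conf and a client.conf and reports each disagreement, plus a server that never drops privileges. The demo configurations it writes are constructed copies of the ones above; the hostname vpn.example.com and the key paths in them are placeholders.

```shell
#!/bin/sh
# Added example: check that a server.conf / client.conf pair agree on the
# settings OpenVPN requires to match. Not code from the page or OpenVPN.

# opt FILE KEYWORD: print the argument(s) of the first uncommented KEYWORD
# line, with any trailing "# comment" removed
opt() {
    awk -v k="$2" '{ sub(/[ \t]*#.*$/, "") }
                   $1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# has FILE KEYWORD: succeed if an uncommented KEYWORD line exists
has() {
    awk -v k="$2" '{ sub(/[ \t]*#.*$/, "") }
                   $1 == k { found = 1 } END { exit !found }' "$1"
}

# check_vpn_pair SERVER_CONF CLIENT_CONF: print one line per problem,
# return 1 if any problem was found
check_vpn_pair() {
    srv=$1; cli=$2; rc=0
    for k in proto cipher; do
        sv=$(opt "$srv" "$k"); cv=$(opt "$cli" "$k")
        [ "$sv" = "$cv" ] || { echo "MISMATCH $k: server='$sv' client='$cv'"; rc=1; }
    done
    sl=$(has "$srv" comp-lzo && echo yes || echo no)
    cl=$(has "$cli" comp-lzo && echo yes || echo no)
    [ "$sl" = "$cl" ] || { echo "MISMATCH comp-lzo: server=$sl client=$cl"; rc=1; }
    # tls-auth takes a key file and a direction; the two ends must use
    # opposite directions (the page uses 0 on the server, 1 on clients)
    sdir=$(opt "$srv" tls-auth | awk '{ print $2 }')
    cdir=$(opt "$cli" tls-auth | awk '{ print $2 }')
    case "$sdir/$cdir" in
        0/1|1/0) ;;
        *) echo "BAD tls-auth direction: server='$sdir' client='$cdir' (expected 0 and 1)"; rc=1 ;;
    esac
    has "$srv" user && has "$srv" group \
        || { echo "SERVER keeps root: add 'user nobody' and 'group nogroup'"; rc=1; }
    return $rc
}

# write_demo_configs DIR: constructed sample pair modelled on the page's
# configurations, plus a deliberately inconsistent client
write_demo_configs() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.45.0.0 255.255.255.0
tls-auth keys/ta.key 0  # This file is secret
cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nogroup
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
tls-auth ta.key 1
cipher DES-EDE3-CBC
comp-lzo
EOF
    # wrong cipher, no comp-lzo, same tls-auth direction as the server
    cat > "$1/client-bad.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
tls-auth ta.key 0
cipher AES-256-CBC
EOF
}

demo_dir=$(mktemp -d)
write_demo_configs "$demo_dir"
check_vpn_pair "$demo_dir/server.conf" "$demo_dir/client.conf" && echo "client.conf: consistent with server.conf"
check_vpn_pair "$demo_dir/server.conf" "$demo_dir/client-bad.conf" || echo "client-bad.conf: problems listed above"
rm -r "$demo_dir"
```

Run `check_vpn_pair /etc/openvpn/server.conf client.conf` before handing a client its configuration; a clean pair prints nothing and returns 0.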
Authenticating with LDAP
Server side
You need to enable the PAM authentication plugin by adding to the server configuration:
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
where openvpn is the name of the PAM service, i.e. /etc/pam.d/openvpn.
Create a file /etc/pam.d/openvpn and add:
account  required pam_ldap.so config=/etc/openvpn/pam_ldap.conf
auth     required pam_ldap.so config=/etc/openvpn/pam_ldap.conf
password required pam_ldap.so config=/etc/openvpn/pam_ldap.conf
session  required pam_ldap.so config=/etc/openvpn/pam_ldap.conf
Create /etc/openvpn/pam_ldap.conf with:
# change to your search base
base dc=example,dc=com
# change according to your settings
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
pam_login_attribute uid
pam_password crypt
Finally, make sure /etc/pam_ldap.secret contains the right password for the bind DN and is readable only by root:
chmod 600 /etc/pam_ldap.secret
If you use start_tls but cannot verify the LDAP server's certificate, set the following in /etc/ldap/ldap.conf (this turns off verification of the LDAP server certificate altogether):
TLS_REQCERT never
Client side
On the client, you will need to start the connection like:
sudo openvpn --auth-user-pass --config client.conf
and enter your details.
Alternatively, you can put your username and password on two lines in a file (say login_details.txt) as:
user
password
and then start:
sudo openvpn --auth-user-pass login_details.txt --config client.conf
Another way would be to add:
auth-user-pass
to your configuration file and then simply start:
sudo openvpn --config client.conf
Client Revocation
Setting it up
OpenVPN provides a wrapper script, make-crl, to create an empty CRL (run as root):
# cd /etc/openvpn/easy-rsa
# chmod +x make-crl
# . ./vars
# ./make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Then, you need to tell the server to check the revoked certificates by adding the following to your server configuration file:
crl-verify keys/crl.pem
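Adding a certificate to the CRL does not disconnect a client that is already connected: crl-verify is applied when a TLS session is negotiated, so a revoked client keeps its current session until the next renegotiation (reneg-sec, 3600 seconds by default) or until the server is told to drop it. The status file set with the status line of server.conf (rewritten every 60 seconds by default) shows who is connected. The following POSIX shell script is an added example, not code from the Debuntu page or from OpenVPN: it parses the client list of that file and reports which of a given list of revoked common names are still connected. The status contents it uses are a constructed sample in the default status-version 1 layout, with documentation addresses.

```shell
#!/bin/sh
# Added example: find revoked clients that are still connected, from the
# server's status file. Not code from the page or OpenVPN.

# connected_clients STATUSFILE: print "CommonName RealAddress" for every entry
# of the CLIENT LIST block (the lines between its header and ROUTING TABLE)
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/ { exit }
        /^Common Name,Real Address/ { inlist = 1; next }
        inlist && NF >= 5 { print $1, $2 }
    ' "$1"
}

# revoked_but_connected STATUSFILE CN...: print every CN from the list that is
# still connected; return 1 if at least one was found, 0 otherwise
revoked_but_connected() {
    sf=$1; shift; found=0
    for cn in "$@"; do
        if connected_clients "$sf" | awk -v cn="$cn" '$1 == cn { hit = 1 } END { exit !hit }'; then
            echo "$cn"; found=1
        fi
    done
    return $found
}

# write_sample_status FILE: constructed status file with two connected clients
# (status-version 1 layout; addresses are documentation ranges)
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan  1 12:00:00 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.10:43210,10456,20987,Mon Jan  1 11:30:00 2007
client2,203.0.113.7:51000,512,1024,Mon Jan  1 11:58:00 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.45.0.6,client1,198.51.100.10:43210,Mon Jan  1 11:59:50 2007
10.45.0.10,client2,203.0.113.7:51000,Mon Jan  1 11:59:55 2007
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

status_file=$(mktemp)
write_sample_status "$status_file"
echo "connected:"; connected_clients "$status_file"
# after revoking client2, check whether it is still on the VPN
revoked_but_connected "$status_file" client2 client9 \
    && echo "no revoked client connected" \
    || echo "revoked client(s) still connected, listed above"
rm -f "$status_file"
```

On the server, `revoked_but_connected /etc/openvpn/openvpn-status.log client2` after regenerating the CRL tells you whether the revoked client still has a live session; the certificate is only refused at the next TLS negotiation.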
Deploying other VPN servers
It is easy to deploy new VPN servers that accept the same client certificates as the first server we set up. What you need to do is generate (on the first server, or wherever your master CA is) a new server certificate as in Generating the server certificate:
./build-key-server server2
And copy this to the new server's /etc/openvpn/keys directory, along with:
- ca.crt
- ta.key
- crl.pem (this file is maintained by the master (primary) server and has to be copied over again any time a certificate is revoked)
You also need to create a new Diffie-Hellman file with:
openssl dhparam -out /etc/openvpn/keys/dh1024.pem 1024
So, in the end, here is the list of files in /etc/openvpn/keys/
- ca.crt
- server2.crt
- server2.key
- crl.pem
- dh1024.pem
- ta.key
The configuration can be copied from the original one, just make sure you change the:
server 10.45.0.0 255.255.255.0
to something that suits your new VPN machine.
Finally, a quick way to get redundancy for the VPN is to use DNS round robin for the VPN hostname, so that clients end up randomly on server1 or server2.
References
http://openvpn.net/index.php/documentation/howto.html