OpenVPN

From Hack Sphere Labs Wiki
Revision as of 07:48, 16 June 2015 by Webdawg (talk | contribs) (Setup Firewall and IP Forwarding UFW)

Jump to: navigation, search

Certificate Revocation

Note: With easy-rsa 2.0 it seems you cannot make a blank crl.pem
./build-key-pkcs12 revoked
./revoke-full revoked
crl-verify /path/name/crl.pem

Notes

this is from a CRL file, dumped with: openssl -in <crl> -noout -text

iptables/route

/etc/networking/interfaces
up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
/etc/init.d/vpnroute
#!/bin/bash
/sbin/route add -net 10.37.161.0 netmask 255.255.255.0 gw 10.37.161.1

Setup

Copied From: http://www.monkeedev.co.uk/blog/2009/03/06/setting-up-openvpn-in-debianubuntu/

This is little bit later than I originally intended but I finally got around to setting up OpenVPN, and here’s how I did it.

This guide is pretty simple to follow and should have an OpenVPN server on debian or ubuntu working within half an hour. I’ll also explain how to connect to the VPN from a windows PC.

First, install OpenVPN on the server (you’ll need to be root for all of this guide)

   apt-get install openvpn

Next, we need to configure the server. You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server. In this guide I will use tap because I find that it works better with windows clients.

Now you need to create certificates for the server and client for authentication purposes (which is much more secure than the passwords used in pptp). This is done through a number of steps:

Preparing to generate the keys

   mkdir /etc/openvpn/easy-rsa
   cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Now you need to edit /etc/openvpn/easy-rsa/vars with your required settings. You only really need to change the last section which is the default values for the fields in the certificates.

Generate the certificate authority (CA) which will be used to sign the server and client certificates.

   cd /etc/openvpn/easy-rsa
Note: If you would like a stronger key please edit the vars file and change KEY_SIZE to 2048
   source ./vars
   ./clean-all
   ./build-ca

Next, we need to create the server keys

   ./build-key-server servername

Answer ‘yes’ when asked to sign the certificate and commit to the database, and then you’ll need to generate the diffie-hellman parameters which are used for key exchange between the client and server.

   ./build-dh

For further security it is recommended that you also do a tls-auth key.

    openvpn --genkey --secret ta.key

This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.

In the server configuration, add:

    tls-auth ta.key 0

In the client configuration, add:

    tls-auth ta.key 1

And finally, create some client keys which will be used to allow clients to authenticate with the server. I prefer to use pkcs12 which stores the client public key and certificate in one passworded file.

   ./build-key-pkcs12 client1

As before, sign the key and commit to the database. You will be asked for a password which the client will use to connect to the server.

Now all the keys are created, we need to configure the server.

   vim /etc/openvpn/server.conf
   (add the following lines)
   port 443
   proto tcp
   dev tap
   ca /etc/openvpn/easy-rsa/keys/ca.crt
   cert /etc/openvpn/easy-rsa/keys/servername.crt
   key /etc/openvpn/easy-rsa/keys/servername.key
   dh /etc/openvpn/easy-rsa/keys/dh1024.pem
   ifconfig-pool-persist ipp.txt
   server-bridge 10.1.0.1 255.255.255.0 10.1.0.236 10.1.0.245
   push “route 10.0.0.0 255.0.0.0″
   keepalive 10 120
   comp-lzo
   persist-key
   persist-tun
   status /var/log/openvpn-status.log
   verb 3

Created by me:

port 11111
prote tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/bla.crt
key /etc/openvpn/easy-rsa/keys/bla.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.xxx.xxx.0 255.255.255.0
#client-to-client
cipher AES-256-CBC
keepalive 10 120
comp-lzo
max-clients 20
verb 11
client-config-dir ccd
log-append openvpn.log
status openvpn-status.log
ifconfig-pool-persist ipp.txt
route 192.168.0.0 255.255.255.0
#crl-verify crl.pem
max-routes-per-client 3000
management localhost 11111


The only lines which you will need to change are ‘server-bridge’, which is simply the default gateway, subnet mask, and the start and end IP’s to assign the clients, and the push route, which pushes specific routes to all clients.

Now we need to create an ethernet bridge. First, we need to install bridge-utils:

   apt-get install bridge-utils

Rather than explain how to set up a network bridge, I found a shell script which will do it for you. This can be found here. Just edit this with your network settings and execute it. You will also need to set it to create the bridge at boot time:

   update-rc.d bridge defaults

Now you can start the openvpn server

   /etc/init.d/openvpn start

Now we need to set up the windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters

   client
   dev tap
   proto tcp
   remote x.x.x.x 443 # (replace with your server IP)
   resolv-retry infinite
   nobind
   pkcs12 client1.p12 # (replace with the client name)
   ns-cert-type server
   comp-lzo
   verb 3

You can also add ‘redirect-gateway’ to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).

Now copy the client1.p12 certificate file to the config directory on the client, start the gui, and connect. Everything should now work.

If you need to create any clients in the future, do the following:

   cd /etc/openvpn/easy-rsa
   source ./vars
   ./build-key-pkcs12 clientx

If one of your certificates is compromised, you can revoke it using the guide here.

This guide has been written from my notes and what I remember, so there may be a couple of things which aren’t 100% right. If anything goes wrong then post a comment or contact me and I’ll update the guide.

Notes

Setup Firewall and IP Forwarding UFW

You still need to enable forwarding. See the iptables section below. You should prolly disable ipv6 too.

You also want to edit /etc/default/ufw:

 /etc/default/ufw
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.

And change the default forward policy to accept.

You want to edit /etc/ufw/before.rules and add below

/etc/ufw/before.rules

#NAT rules for internet out from VPN
*nat
:POSTROUTING ACCEPT [0:0]

#forward vpn traffic through eth0
-A POSTROUTING -s VPN.NET.WORK.ADDY/24 -o eth0 -j MASQUERADE

#COMMIT NAT
COMMIT

You also want to add more but in a different section:

/etc/ufw/before.rules

# Don't delete these required lines, otherwise there will be errors
*filter
#More NAT rules for VPN
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -i tun+ -j ACCEPT
-A ufw-before-forward -s VPN.NET.WORK.ADDY/24 -j ACCEPT
-A ufw-before-forward -d VPN.NET.WORK.ADDY/24 -j ACCEPT
#End added NAT rules for VPN

You also want to:

ufw allow port/protocol
ufw allow from VPN.NET.WORK.ADDY/24

Enable and Setup IP Forwarding Linux/Debian

Check if IP Forwarding is enabled

#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0 
or
cat /proc/sys/net/ipv4/ip_forward
0 

As we can see in both the above examples this was disabled (as show by the value 0).

Enable IP Forwarding on the fly

#sysctl -w net.ipv4.ip_forward=1 
or
#echo 1 > /proc/sys/net/ipv4/ip_forward 

Permanent setting using /etc/sysctl.conf

  1. /etc/sysctl.conf:
net.ipv4.ip_forward = 1
#sysctl -p /etc/sysctl.conf

TUN/TAP forwarding: Allow TUN interface connections to OpenVPN server

# iptables -A INPUT -i tun+ -j ACCEPT

Allow TUN interface connections to be forwarded through other interfaces

# iptables -A FORWARD -i tun+ -j ACCEPT

Allow TAP interface connections to OpenVPN server

# iptables -A INPUT -i tap+ -j ACCEPT

Allow TAP interface connections to be forwarded through other interfaces

# iptables -A FORWARD -i tap+ -j ACCEPT
    • rule iptables for internet sharing from eth1 to eth0.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables-save
 iptables -t nat -A POSTROUTING -s 10.234.134.0/24 -o eth0 -j MASQUERADE

or the real way

http://wiki.debian.org/iptables

add route perm make a exe file /etc/init.d/vpnroute and add the route to file

route add -net 10.37.161.0 netmask 255.255.255.0 gw 10.37.161.1

Notes

Installing a DNS Server to tunnel DNS over VPN

You want to tunnel your DNS over the VPN. It is more secure espically on hostile networks. Personally I use ubound because I like DNSSEC but as I read into it and use it more I know on some parts of the internet DNSSEC just is not working or fails if you do not configure it right. For now this guide will show you how to use bind9 as a DNS proxy. I have also used unbound.

apt-get install bind9 bind9-doc dnsutils resolvconf
Note: Below is all wrong. Until I update use the gleamynode.net artical in the notes.
 /etc/bind/named.conf.options
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.

Add the lines below to the file too:

 /etc/bind/named.conf.options
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.


You also want to:

nano -w /etc/init.d/bind9

and change the line:

# Required-Start:    $remote_fs

to:

# Required-Start:    $remote_fs openvpn

So that bind9 starts after OpenVPN so it can bind to the VPN ip.

Notes

Creating an additional OpenVPN interface in Windows

It was bitching about being not having an additional tun interface. I still had tun0 and tun1 in the config files and did not test if something more generic would work like just tun.

A command from a forum post:

C:\>"C:\Program Files (x86)\OpenVPN\bin\tapinstall.exe" install "C:\Program Files (x86)\OpenVPN\driver\OemWin2k.inf" tap0901

https://forums.openvpn.net/topic8236.html

I have to figure out what the tap0901 means but it looks like if you pass help install that it is a hardware id. It most likely identifies what to pull from the driver.


Found it in official docs: http://openvpn.net/index.php/open-source/documentation/install.html?start=1

Notes -- Manual Install/Update/Uninstall of the TAP-Win32 kernel driver

This is best done using tapinstall.exe, a utility based on a DDK sample which is distributed with the self-installing form of OpenVPN on Windows. Cd to the directory which contains OemWin2k.inf and tap0801.sys.

To install:

   tapinstall install OemWin2k.inf TAP0801

To update:

   tapinstall update OemWin2k.inf TAP0801

To uninstall:

   tapinstall remove TAP0801

By installing multiple times, you will create additional TAP-Win32 adapter instances, which can be used for multiple concurrent VPN tunnels.

It is also possible to install using Control Panel -> Add New Hardware, and it is possible to uninstall using Control Panel -> System -> Hardware -> Device Manager.

OpenVPN Access Server Install Debian 6.0 AKA Squeeze

Note: Looks like you need a license to do this. I will do more with this later.

Notes

OpenVPN Monitor

It is a python script that runs with mod_python so:

apt-get install libapache2-mod-python libapache2-mod-python-doc

Should install apache2 also as a dep.

In your server.conf you need:

management localhost aport

Put openvpn-monitor in your /var/www then:

chown -R www-data:www-data /var/www/*
nano /etc/apache2/sites-available/default

and add:

AddHandler cgi-script .py
Options +ExecCGI

to the directory/site that you would like.

You need to edit: openvpn-monitor.cfg

[VPN1]
host=127.0.0.1
port=younumbericport
name=VPN

You need to edit: openvpn-monitor.py

CONFIG_FILE = "/config/file/location/whatever.cfg"

I also needed to change this:

   locale.setlocale(locale.LC_ALL, 'en_GB.UTF-8')

to

   locale.setlocale(locale.LC_ALL, 'en_US.UTF-8')

You also need:

aptitude install python-geoip

You are going to need a GeoIP City database:

cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
mv GeoLiteCity.dat GeoIPCity.dat

For password protection to the openvpn dir:

nano 000-default

add/change

AllowOverride AuthConfig
mkdir /etc/apache2/passwords
htpasswd -c /etc/apache2/passwords/shadow ausername
nano .htaccess
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.

Notes

Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.
Template error: are you trying to use the = sign? Visit Help:Template#Escape template-breaking characters for workarounds.
ncat -l -k -p 5001 -c 'nc -U /var/etc/openvpn/server1.sock'