Difference between revisions of "Virtual Private Networks"

From YobiWiki
Jump to navigation Jump to search
Line 139: Line 139:
 
=== Setup of a VPN server in a vserver===
 
=== Setup of a VPN server in a vserver===
 
*cf http://linux-vserver.org/Frequently_Asked_Questions#Can_I_run_an_OpenVPN_Server_in_a_guest.3F
 
*cf http://linux-vserver.org/Frequently_Asked_Questions#Can_I_run_an_OpenVPN_Server_in_a_guest.3F
  +
*You've to use persistent tun/tap, cf [[Vserver administration]]
 
*You cannot dynamically modify iptables, this has to be done on the host.
 
*You cannot dynamically modify iptables, this has to be done on the host.
 
*You've to create manually /dev/net/tun in the vserver:
 
*You've to create manually /dev/net/tun in the vserver:

Revision as of 18:18, 20 April 2007

OpenVPN

Intro

Setup of a VPN server for multiple dynamic clients with certificates

Thanks to Thierry Walrant for his contribution!

Characteristics of this setup

  • Ethernet tunneling (tap) over TCP port 1194
  • Full redirection of the traffic (redirection of the default gateway and DNS server), NATed by server towards Internet
  • Security by certificates
  • Works with Linux or Windows clients
  • Dynamic handling (à la DHCP) of the clients
  • Allows other ipsec VPN softwares to run on top (e.g. enterprise ipsec VPN for Windows)

Setup of the Certificate Authority (CA)

The CA should be another computer than the server!

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa

Edit the file called vars and adapt the last KEY_xxx vars to your needs

. vars
./clean-all
./build-ca

To create a certificate and sign it in one single step (do that only if the certificate can be transferred to the client via a secure channel, otherwise generate the certificate and the request on the client and sign it on the CA), without password:

  • For the server, use (don't forget to give a Common Name):
./build-key-server server-cert
  • For a client: (don't forget to give a Common Name)
./build-key client-cert

For other situations, see easy-rsa/README.gz
To see content of a certificate:

openssl x509 -in cert.crt -text

Setup on the Linux server

Setup of ip forward

  • Uncomment the following line in /etc/sysctl.conf
net/ipv4/ip_forward=1
  • To try immediately
echo 1 >/proc/sys/net/ipv4/ip_forward

Import the server certificate and its key (securely!) as well as the CA certificate

  • CA:/etc/openvpn/easy-rsa/keys/ca.crt -> server:/etc/openvpn/ca.crt
  • CA:/etc/openvpn/easy-rsa/keys/server-cert.crt -> server:/etc/openvpn/server-cert.crt
  • CA:/etc/openvpn/easy-rsa/keys/server-cert.key -> server:/etc/openvpn/server-cert.key

Create the DH keys via etc-rsa/build-dh or directly with

openssl dhparam -out dh2048.pem 2048

Create /etc/openvpn/iptables.up and make it executable:

#!/bin/sh
SOURCE=$1
DEV=$2
/sbin/iptables -t nat -A POSTROUTING -s $SOURCE -d 0.0.0.0/0 -j SNAT --to-source=<ext_ip>
/sbin/iptables -I FORWARD -i <ext_if> -o $DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -I FORWARD -i $DEV -o <ext_if> -j ACCEPT

Create /etc/openvpn/iptables.down and make it executable:

#!/bin/sh
SOURCE=$1
DEV=$2
/sbin/iptables -D FORWARD -i $DEV -o <ext_if> -j ACCEPT
/sbin/iptables -D FORWARD -i <ext_if> -o $DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -D POSTROUTING -s $SOURCE -d 0.0.0.0/0 -j SNAT --to-source=<ext_ip>

Create /etc/openvpn/server.conf:

proto tcp
dev tap0
ca                    /etc/openvpn/ca.crt
cert                  /etc/openvpn/server-cert.crt
key                   /etc/openvpn/server-cert.key
dh                    /etc/openvpn/dh2048.pem
server                172.16.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push                  "redirect-gateway"
push                  "dhcp-option DNS <primary_DNS>"
push                  "dhcp-option DNS <secondary_DNS>"
keepalive             10 120
comp-lzo
max-clients           10
status                /var/log/openvpn-status.log
verb                  3
mute                  20
up                    "/etc/openvpn/iptables.up 172.16.0.0/16"
down                  "/etc/openvpn/iptables.down 172.16.0.0/16"

It will start at boot time, for a first try: /etc/init.d/openvpn start

Setup on a Windows client

  • Download the windows installer and run it.
  • You can try the GUI

Setup on a Linux client

To avoid automatic starting of the tunnel at boot time, edit /etc/default/openvpn:

AUTOSTART="none"

Bring the needed certificate files in e.g.:

  • /etc/openvpn/cacerts/cacert.pem
  • /etc/openvpn/certs/openvpn-myclient.crt.pem
  • /etc/openvpn/private/openvpn-myclient.key.pem

Give read access to them only to root, especially the key file!
Create a configuration file to join the server "myserver": /etc/openvpn/myserver.conf
See the howto for an explanation of the different options.

client
proto                 tcp
remote                <IP_or_FQDN_of_myserver> 1194
dev                   tap
resolv-retry          infinite
nobind
http-proxy-retry
http-proxy            <local_http_proxy_we_have_to_passthrough> <proxy_port>
ca                    /etc/openvpn/cacerts/cacert.pem
cert                  /etc/openvpn/certs/openvpn-myclient.crt.pem
key                   /etc/openvpn/private/openvpn-myclient.key.pem
ns-cert-type          server
comp-lzo
verb                  3
status                /var/log/openvpn.log

To run it manually

/etc/init.d/openvpn start myserver

There is no automatic redefinition of the DNS servers under Linux, so we need a little trick (as seen here):
Be sure to have the resolvconf package.
Add the following to the config file of the client:

up /etc/openvpn/domain.up
plugin /usr/lib/openvpn/openvpn-down-root.so /etc/openvpn/domain.down

Create /etc/openvpn/domain.up and make it executable:

#!/bin/sh
# really naff script to add nameserver entry on up
DEV=$1
set | sed -n "
s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p;
:next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p;
" | resolvconf -a $DEV
resolvconf -u

Create /etc/openvpn/domain.down and make it executable:

#!/bin/sh
# really naff script to delete nameserver entry on down
DEV=$1
resolvconf -d $DEV
resolvconf -u

If you are not using Debian, see http://forums.gentoo.org/viewtopic-t-233080.html#1655552

Setup of a VPN server in a vserver

cd <vserver>/dev; ./MAKEDEV tun

vtun

Older and with less features than openvpn but very easy to use for basic tunneling (tun or tap)

  • apt-get install vtun
  • transport is done over tcp or udp, default port 5000