# Server-side preparation (run on the VPN host): install OpenVPN from the
# upstream OpenVPN apt repository, then create the key material that only the
# server generates (tls-crypt key, DH parameters) under /etc/openvpn/server.
#become root and add key | |
sudo su - | |
# NOTE(review): `apt-key add` places this key in the system-wide trusted
# keyring, so it is accepted for every apt source, not only the OpenVPN repo.
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - | |
# "xenial" is a hard-coded release codename; it must match the host's release.
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list | |
apt-get update && apt-get install openvpn | |
#Based Linode Hardened https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/ | |
#require signed HMAC sig file for access | |
# ta.key is the shared secret referenced by `tls-crypt` in server.conf and
# client.ovpn below; every client needs a copy, so treat it like a password.
openvpn --genkey --secret /etc/openvpn/server/ta.key | |
# 4096-bit DH parameters, referenced by `dh` in server.conf; generating them
# can take a long time.
openssl genpkey -genparam -algorithm DH -out /etc/openvpn/server/dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096 | |
#exit root | |
##############################################VPN Certificate Authority on another machine | |
# Certificate authority: done on a separate machine (not the VPN host) so the
# CA private key never lives on the server. Uses the EasyRSA 2 scripts.
#Use EasyRSA for VPN CA | |
# NOTE(review): make-cadir is shipped by the easy-rsa package on Debian/Ubuntu
# rather than being a package of its own — verify the package name.
sudo apt install make-cadir | |
make-cadir ~/ca && cd ~/ca | |
# EasyRSA 2 presumably expects an openssl.cnf matching the installed OpenSSL;
# the symlink selects the 1.0.0 template shipped in the CA directory.
ln -s openssl-1.0.0.cnf openssl.cnf | |
#set defaults here: | |
vim ~/ca/vars | |
######################################## Start of vars file | |
# These are the default values for fields | |
# which will be placed in the certificate. | |
# Don't leave any of these fields blank. | |
export KEY_COUNTRY="US" | |
export KEY_PROVINCE="CA" | |
export KEY_CITY="SanFrancisco" | |
export KEY_ORG="Fort-Funston" | |
# The KEY_EMAIL value below looks garbled by the page export; set a real address.
export KEY_EMAIL="[email protected]" | |
export KEY_OU="MyOrganizationalUnit" | |
######################################## End of vars file | |
source ./vars # loads the defaults above into the current shell | |
#and prompt: "NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/ca/keys" | |
# Destructive: wipes ~/ca/keys, including any CA or client keys already there.
./clean-all | |
#Use EasyRSA for VPN Server CA | |
#Use your VPN server’s hostname or some other identifier as the Common Name | |
./build-ca | |
# and leave the challenge password blank. | |
# create the server’s private key, add or edit the information prompts as needed: | |
./build-key-server server | |
# When you’ve completed the question section for the private key, | |
# confirm the signing of the certificate and the certificate requests certified by answering yes to those two questions. | |
# Upload the server credentials to your Linode, using scp from your local computer: | |
# Only ca.crt, server.crt and server.key go to the server; ca.key stays here.
# <your_linode's_IP> is a placeholder for the server address.
scp ./keys/{ca.crt,server.crt,server.key} root@<your_linode's_IP>:/etc/openvpn/server | |
# copy of the HMAC key you created earlier to distribute to each client device: | |
scp root@<your_linode's_IP>:/etc/openvpn/server/ta.key ./keys | |
########################################### | |
#VPN Client credentials CREATION | |
# One key pair per client device (see the distribution list further down).
# NOTE(review): client1 is generated twice (build-key, then build-key-pass);
# the second run presumably overwrites the first — keep only one of them.
# build-key-pass presumably protects the client key with a passphrase — confirm.
cd ~/ca && source ./vars && ./build-key client1 | |
cd ~/ca && source ./vars && ./build-key-pass client1 | |
cd ~/ca && source ./vars && ./build-key-pass client2 | |
############################################## END of VPN Certificate Authority on another machine | |
# OpenVPN Configuration Files | |
# server config with Cipher | |
# Write the server profile below into this file (on the VPN host).
sudo vim /etc/openvpn/server.conf | |
######################################## start of server.conf | |
# Server profile. The paths under /etc/openvpn/server are the files created
# or copied in by the steps above (ta.key, dhp4096.pem, ca.crt, server.crt,
# server.key).
dev tun | |
persist-key | |
persist-tun | |
topology subnet | |
port 1194 | |
proto udp | |
keepalive 10 120 | |
# Location of certificate authority's cert. | |
ca /etc/openvpn/server/ca.crt | |
# Location of VPN server's TLS cert. | |
cert /etc/openvpn/server/server.crt | |
# Location of server's TLS key | |
key /etc/openvpn/server/server.key | |
# Location of DH parameter file. | |
dh /etc/openvpn/server/dhp4096.pem | |
# The VPN's address block starts here. | |
server 10.89.0.0 255.255.255.0 | |
explicit-exit-notify 1 | |
# Drop root privileges and switch to the `ovpn` user after startup. | |
# NOTE(review): nothing in these notes creates the ovpn user/group; add a
# system account with no login shell before starting the service.
user ovpn | |
# OpenVPN process is exclusive member of ovpn group. | |
group ovpn | |
# Cryptography options. We force these onto clients by | |
# setting them here and not in client.ovpn. See | |
# `openvpn --show-tls`, `openvpn --show-ciphers` and | |
#`openvpn --show-digests` for all supported options. | |
# Control channel is wrapped with the shared ta.key; clients must use
# tls-crypt (not tls-auth) with the same file.
tls-crypt /etc/openvpn/server/ta.key | |
auth SHA512 # This needs to be in client.ovpn too though. | |
tls-version-min 1.2 | |
# Two TLS suites are allowed; the second one is a CBC suite.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 | |
# Data-channel ciphers negotiated with clients; AES-256-CBC is the fallback.
ncp-ciphers AES-256-GCM:AES-256-CBC | |
# NOTE(review): no `crl-verify` is configured, so a lost or stolen client key
# cannot be revoked short of re-issuing the CA — consider adding one.
# Logging options. | |
# ipp.txt and openvpn-status.log are relative paths; they resolve against the
# daemon's working directory, which the unit file decides — confirm.
ifconfig-pool-persist ipp.txt | |
status openvpn-status.log | |
log /var/log/openvpn.log | |
verb 3 | |
######################################## End of server.conf | |
# OpenVPN Client config | |
# Template for client devices; its cert/key lines name client1, so a device
# using client2 needs its own copy with those lines changed.
sudo vim client.ovpn | |
######################################## Start of client.ovpn | |
# No cryptography options are specified here because we want | |
# the VPN server to push those settings to clients rather than | |
# allow clients to dictate their crypto. | |
client | |
dev tun | |
persist-key | |
persist-tun | |
proto udp | |
nobind | |
# The ovpn account must also exist on each client device for these to work.
user ovpn | |
group ovpn | |
# Rejects a server whose certificate was not issued for the server role, so a
# client certificate from the same CA cannot pose as the server.
remote-cert-tls server | |
auth SHA512 | |
verb 3 | |
# Remote server's IP address and port. IP is | |
# preferable over hostname so as not to rely | |
# on DNS lookups. | |
remote <your_linode's IP address> 1194 | |
# To successfully import this profile, you | |
# want the client device's CA certificate copy, | |
# client certificate and key, and HMAC signature | |
# all in the same location as this .ovpn file. | |
ca ca.crt | |
# client1.crt/.key are per-device (from ./build-key client1 above); a
# profile for client2 must point at client2.crt / client2.key instead.
cert client1.crt | |
key client1.key | |
# Same file as the server's tls-crypt line.
tls-crypt ta.key | |
######################################## End of client.ovpn | |
######################################## | |
# DISTRIBUTE TO EACH USER: | |
# client1.key # Exclusive to this device. | |
# client1.crt # Exclusive to this device (file name as produced by ./build-key). | |
# ca.crt # Is shared among server and client devices (the CA cert only, never ca.key). | |
# ta.key # Is shared among server and client devices. | |
# client.ovpn # Is shared among client devices. | |
# Deliver client1.key and ta.key over an authenticated channel: together with
# the cert they are everything needed to connect as that device.
############################################################################# | |
# TURN ON THE SYSTEMCTL SERVICE | |
# The instance name selects /etc/openvpn/server.conf, written above.
sudo systemctl enable openvpn@server | |
sudo systemctl start openvpn@server | |
sudo systemctl status openvpn@server |
Part 3: Linode: Configure OpenVPN Client Devices
CLIENTS:
Mac: Tunnelblick
Win: OpenVPN for Windows
Linux: CLI
Using Vault to do the RSA/PKI work:
vault-openvpn is a small wrapper utility to manage OpenVPN configuration combined with a Vault PKI. It enables administrators with Vault access to create client / server configurations with only one command. No more hassle managing an EasyRSA PKI: a few commands set up a Vault PKI and you're done.
but this Vault issue means there may be compatibility problems:
jeffrai :
@grahamc The PKI backend used to support these sets of options but they were causing problems with various crypto stacks (see e.g. #987), many of which explicitly deviate from the spec. At this point, taking a cue from Google and other very large web sites, only extended usages are added to certs except for CA certs. This seems to be broadly compatible, and being broadly compatible is a nice thing.
We could maybe add a mode to generate OpenVPN-compatible certificates, but they do specify five different ways that this behavior can be worked around. Ideally, they'd stop requiring specific key usage restrictions and instead allow simply the extended key usage since that's what's broadly done.
FreeIPA integration:
# Client profile for the FreeIPA setup: key material is inlined (<key>, <cert>,
# <ca>) and the user is prompted for credentials via auth-user-pass.
client
nobind
dev tun
proto udp
# NOTE(review): compression is enabled here but the server profile above has no
# matching compression option; both ends must agree, and compression of a
# tunnel is generally best left off unless it is needed.
comp-lzo
resolv-retry infinite
max-routes 100
# Routes all client traffic through the VPN.
redirect-gateway def1
# Username/password prompt; presumably checked against FreeIPA on the server
# side (that server-side plugin/config is not shown in these notes).
auth-user-pass
explicit-exit-notify 3
# Private key inline — never share this profile between devices.
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
# NOTE(review): `dh` is a server-side option; a client does not use DH
# parameters, so this block is probably carried over from a server profile.
<dh>
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
</dh>
<connection>
remote <your_server_ip> 1194 udp
</connection>
#---
#On FreeIPA host:
# FreeIPA side: define an HBAC service for openvpn and a rule granting it to
# one user on the OpenVPN host. Placeholders in angle brackets must be filled in.
kinit admin
# adding service and rules table for openvpn users
ipa hbacsvc-add openvpn
ipa hbacrule-add allow_openvpn
ipa hbacrule-add-service allow_openvpn --hbacsvcs=openvpn
ipa hbacrule-find allow_openvpn
ipa hbacrule-add-user allow_openvpn --user=<your_test_user>
ipa hbacrule-add-host allow_openvpn --hosts=<your_openvpn_host>
# testing users
# NOTE(review): the rule above adds <your_test_user>, but both tests below
# query "tj" and are identical; use the same user name in both places, and
# make the second test a user outside the rule to confirm it is denied.
ipa hbactest --user=tj --host=<your_openvpn_host> --service=openvpn
ipa hbactest --user=tj --host=<your_openvpn_host> --service=openvpn
Generating a CRT from a CSR and private key:
# NOTE(review): with -x509 this self-signs client.csr using client.key, so the
# result is not issued by the CA above and the server's `ca ca.crt` check would
# reject it; for a CA-issued client cert, sign the CSR with the CA (ca.crt +
# ca.key on the CA machine) instead, which is what EasyRSA's ./build-key does.
openssl req \
-key client.key \
-in client.csr \
-x509 -days 365 -out client.crt
Tunnel Your Internet Traffic Through an OpenVPN Server: