OpenVPN, Easy-RSA: cert, cert pass, user-pass (PAM)
Overview and initial setup
OpenVPN can use symmetric cryptography (one shared key for all users) or asymmetric cryptography (each user has its own key pair).
When asymmetric cryptography is used, each user has a private and a public key.
The public key is used for encryption and the private key for decryption. The private key must stay on the host where it was created; only public keys are transferred.
Certification authority (CA) - used to verify the identity of keys.
Certificate Revocation List (CRL) - file used to store revoked certificates.
sudo yum update -y
sudo yum install epel-release -y
sudo yum install -y openvpn wget
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa-old/archive/2.3.3.tar.gz
tar xfz /tmp/easyrsa
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -rf easy-rsa-old-2.3.3/easy-rsa/2.0/* /etc/openvpn/easy-rsa
ll /etc/openvpn/easy-rsa/
Use a user other than root (e.g. admin):
sudo chown admin /etc/openvpn/easy-rsa/
Copy the sample config files (OpenVPN server.conf and openssl.cnf) to the OpenVPN directories:
sudo cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Setup vars template
cd /etc/openvpn/easy-rsa
Change the /etc/openvpn/easy-rsa/vars file according to the values below (but don't delete other settings in that file); this file is used as a template when generating certificates:
export DH_KEY_SIZE=2048
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
# Enter the two-letter abbreviation of the country of your residence
export KEY_COUNTRY="US"
# This should be the abbreviation of the state of your residence
export KEY_PROVINCE="CA"
# Enter the name of the city you live in.
export KEY_CITY="SanFrancisco"
# Enter the name of your organization or company
export KEY_ORG="Fort-Funston"
# Enter the email address that you want to be connected to the security certificate (more than one mail is allowed)
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
# Enter the domain, subdomain that resolves to your server or an IP address of your server
# For the purpose of OpenVPN server common name can be really anything
export KEY_CN="www.xxx.yyy.zzz"
# You should enter server here. If you enter something else, you would also have to update the configuration files that reference server.key and server.crt
export KEY_NAME="server"
# Enter the name of the “Organizational Unit” to which you belong, typically either the name of your department or team
export KEY_OU=changeme
Verify file contents:
sudo grep -E "(^[a-z]|^[0-9])" /etc/openvpn/easy-rsa/vars
Generating server keys and certs
All steps below are done only once, when the server is set up for the first time.
Add directory for key-cert storage:
mkdir /etc/openvpn/easy-rsa/keys
Use vars template:
source ./vars
Remove any keys and certificates already in the folder:
./clean-all
Generate the CA. Some questions will appear; you can hit Enter for all of them because the vars template supplies the defaults:
./build-ca
Generate the key and certificate for the OpenVPN server itself. As with the CA, the vars template is used and you can safely press Enter to accept the defaults. You'll be prompted for an optional password; if one is specified, clients will have to enter it each time they connect to the OpenVPN server:
./build-key-server server
Generate the Diffie-Hellman parameters, which are necessary when TLS is used:
./build-dh
Copy the generated files (they are written to the keys/ subdirectory) to /etc/openvpn:
sudo cp keys/dh2048.pem keys/ca.crt keys/server.crt keys/server.key /etc/openvpn/
Generate the static key used to encrypt the TLS handshake (tls-crypt) between server and client:
sudo openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
server.conf file
port 22222 # an iptables rule is also needed: iptables -I INPUT -p udp -m state --state NEW -m udp --dport 22222 -j ACCEPT
proto udp4 #udp will work faster on slow connections
dev tun # TUN allows routing
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # file used to store persistent client-to-address bindings
keepalive 10 120
;tls-auth ta.key 0 #comment this out in order to use tls-crypt
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log # info about currently connected users is here
verb 3
explicit-exit-notify 1
remote-cert-eku "TLS Web Client Authentication" # the server verifies that the certificate presented by a client is really a client certificate; on the client side the same option checks that the server certificate is really a server certificate
Verify:
grep -E "(^[a-z]|^[0-9])" /etc/openvpn/server.conf
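The grep above only lists the active lines; the check below goes one step further and audits a server.conf for the directives this guide depends on (tls-crypt, remote-cert-eku, privilege drop to nobody, persist options, and crl-verify, which the revocation section later adds). This is an added example, not part of the original post or of OpenVPN itself. It ignores comment lines and trailing "#"/";" comments, so a commented-out ";tls-crypt" is correctly reported as missing. The two sample configs written by write_samples are constructed for a stand-alone run, not copies of a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf
# for the directives the guide relies on. Prints "MISSING: <directive>" or
# "WARN: ..." per finding; returns 0 when everything is in place, 1 otherwise.

# Directives expected in the hardened server.conf from this guide.
REQUIRED_DIRECTIVES='tls-crypt remote-cert-eku user group persist-key persist-tun crl-verify'

# Active configuration lines only: strip "#"/";" comments and blank lines.
active_lines() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]*$//' "$1" | grep -v '^[[:space:]]*$'
}

# First argument of the given directive (e.g. directive_value port FILE), or nothing.
directive_value() {
    active_lines "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

check_server_conf() {
    conf="$1"
    status=0
    for d in $REQUIRED_DIRECTIVES; do
        if ! active_lines "$conf" | awk -v d="$d" '$1 == d { found = 1 } END { exit !found }'; then
            echo "MISSING: $d"
            status=1
        fi
    done
    # The guide drops privileges to "nobody" after startup; anything else is flagged.
    if [ "$(directive_value user "$conf")" != "nobody" ]; then
        echo "WARN: user is not nobody"
        status=1
    fi
    return $status
}

# Constructed sample configs (not real files from the post's server):
# good.conf follows the guide, weak.conf has tls-crypt commented out,
# no crl-verify and no privilege drop.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
port 22222 # iptables rule needed for this port
proto udp4
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
crl-verify crl.pem
remote-cert-eku "TLS Web Client Authentication"
EOF
    cat > "$dir/weak.conf" <<'EOF'
port 22222
proto udp4
dev tun
;tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user root
group root
persist-key
persist-tun
EOF
    echo "$dir"
}

# Stand-alone demo: "sh audit.sh /etc/openvpn/server.conf" audits a real file,
# "sh audit.sh demo" audits the constructed weak sample.
if [ "${1:-}" = "demo" ]; then
    check_server_conf "$(write_samples)/weak.conf"
elif [ -n "${1:-}" ]; then
    check_server_conf "$1"
fi
```

Run it against /etc/openvpn/server.conf after every edit; an empty output and a zero exit status mean the server still drops privileges, still encrypts the control channel with tls-crypt and still honours the CRL.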
Start and verify OpenVPN server:
sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service
sudo systemctl status openvpn@server.service
Generating client keys and certs
source ./vars
./build-key name.surname # the CN must equal the username
ls -1 name.surname*
name.surname.crt
name.surname.csr
name.surname.key
Other client certificate types are also available; for example, build-key-pass generates a certificate whose key is protected by a passphrase. The client will be asked for that passphrase every time it connects to the OpenVPN server.
Client side configuration file
We'll use the one-file approach - name.surname.ovpn:
client
tls-client
remote-cert-eku "TLS Web Server Authentication"
proto udp
remote www.xxx.yyy.zzz 22222 udp
dev tun
topology subnet
pull
user nobody
group nobody
persist-tun
persist-key
cipher AES-256-CBC
keysize 256
tun-mtu 1500
auth-nocache
<ca>
ca.crt content goes here
</ca>
<cert>
name.surname.crt content goes here
</cert>
<key>
name.surname.key content goes here
</key>
<tls-crypt>
/etc/openvpn/myvpn.tlsauth content goes here
</tls-crypt>
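Filling the four inline blocks by hand is error-prone, and the .crt files that Easy-RSA 2 writes carry a human-readable dump above the PEM block that OpenVPN does not need. The script below, an added example that is not part of the original post or of Easy-RSA, assembles the one-file name.surname.ovpn shown above and inlines only the BEGIN/END sections. It assumes the keys live in $KEYS_DIR (default /etc/openvpn/easy-rsa/keys) and the tls-crypt key is $TLS_KEY (default /etc/openvpn/myvpn.tlsauth); the deprecated keysize line is left out. The placeholder PEM files written by make_sample_keys are constructed for a stand-alone run and contain no real key material.

```shell
#!/bin/sh
# Added example (not from the original post): build name.surname.ovpn from
# ca.crt, the client's .crt/.key and the tls-crypt key.
# Usage: build_ovpn <cn> [remote-host] [remote-port] > <cn>.ovpn

# Print only the PEM section of a file; Easy-RSA's text dump above it is dropped.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_ovpn() {
    cn="$1"; host="${2:-www.xxx.yyy.zzz}"; port="${3:-22222}"
    keys="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"        # assumed location
    tlskey="${TLS_KEY:-/etc/openvpn/myvpn.tlsauth}"       # assumed location
    # Refuse to emit a profile with an empty block (e.g. an empty .crt file).
    for f in "$keys/ca.crt" "$keys/$cn.crt" "$keys/$cn.key" "$tlskey"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    cat <<EOF
client
tls-client
remote-cert-eku "TLS Web Server Authentication"
proto udp
remote $host $port udp
dev tun
topology subnet
pull
user nobody
group nobody
persist-tun
persist-key
cipher AES-256-CBC
tun-mtu 1500
auth-nocache
<ca>
$(pem_block "$keys/ca.crt")
</ca>
<cert>
$(pem_block "$keys/$cn.crt")
</cert>
<key>
$(pem_block "$keys/$cn.key")
</key>
<tls-crypt>
$(pem_block "$tlskey")
</tls-crypt>
EOF
}

# Constructed placeholder files (not real certificates or keys) so the script
# can be exercised without a CA; the .crt mimics Easy-RSA's dump-then-PEM layout.
make_sample_keys() {
    dir=$(mktemp -d)
    printf '%s\n' 'Certificate:' '    Data: (dump)' '-----BEGIN CERTIFICATE-----' \
        'CA_PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' 'Certificate:' '    Subject: CN=name.surname' '-----BEGIN CERTIFICATE-----' \
        'CLIENT_CERT_PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/name.surname.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CLIENT_KEY_PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$dir/name.surname.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' \
        'TLS_KEY_PLACEHOLDER' '-----END OpenVPN Static key V1-----' > "$dir/myvpn.tlsauth"
    echo "$dir"
}

# Stand-alone demo against the constructed files: sh build_ovpn.sh demo
if [ "${1:-}" = "demo" ]; then
    KEYS_DIR=$(make_sample_keys); TLS_KEY="$KEYS_DIR/myvpn.tlsauth"
    build_ovpn name.surname
fi
```

Because the profile embeds the private key and the tls-crypt key, treat the generated .ovpn with the same care as name.surname.key itself: hand it over through a confidential channel and delete server-side copies once the user has it.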
Using OpenVPN server as gateway
vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
sysctl -p
If you want to "hide" the OpenVPN client addresses (NAT them) while they access the network behind the OpenVPN server (eth0 in the example is the gateway NIC on the OpenVPN server):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
If you want to redirect all client traffic (Internet and everything else) through the OpenVPN server, add to server.conf:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
sudo systemctl restart openvpn@server.service
sudo systemctl status openvpn@server.service
Revoking user certificates
To revoke a user certificate:
source ./vars
./revoke-full name.surname
After that, crl.pem is generated inside the /etc/openvpn/easy-rsa/keys/ directory and the index.txt file is updated. index.txt lists all generated certificates together with their status: V - valid or R - revoked.
If revoking the certificate does not work, verify that the name.surname.crt file is not empty. If it is empty, then:
grep name.surname keys/index.txt
Note the serial number of the needed user (e.g. 07), then:
cp keys/07.pem keys/name.surname.crt
source ./vars
./revoke-full name.surname
After that, crl.pem must be copied to /etc/openvpn every time it changes:
cp keys/crl.pem /etc/openvpn
Also, the line crl-verify crl.pem must be added to server.conf.
Then restart and verify the OpenVPN server (a restart is needed only the first time, after adding the crl-verify parameter):
systemctl restart openvpn@server
systemctl status openvpn@server
After revoking the original certificate, it is possible to generate a new certificate/key pair with the user's original common name.
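The recovery step above (grep the CN in index.txt, note the serial, copy keys/NN.pem back as name.surname.crt) can be scripted, which also makes it easy to see at a glance which certificates are still valid and which have been revoked. The following is an added example, not part of the original post or of Easy-RSA. It reads keys/index.txt, the OpenSSL CA database that Easy-RSA maintains, whose tab-separated fields are: status (V valid, R revoked, E expired), expiry date, revocation date (empty unless revoked), serial, filename and subject DN. The index.txt and 07.pem written by write_sample_keys are constructed for a stand-alone run, not taken from a real CA.

```shell
#!/bin/sh
# Added example (not from the original post): query Easy-RSA's keys/index.txt
# and restore a missing name.surname.crt from keys/<serial>.pem so that
# ./revoke-full can find the certificate.

# Print "<status> <serial> <CN>" for every entry in index.txt.
index_entries() {
    awk -F'\t' '{
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        print $1, $4, cn
    }' "$1"
}

# Serial (e.g. 07) of the newest still-valid certificate for a CN, or nothing.
cert_serial() {
    index_entries "$2" | awk -v cn="$1" '$1 == "V" && $3 == cn { s = $2 } END { if (s != "") print s }'
}

# CNs whose certificates have been revoked (status R); these must be in crl.pem.
revoked_cns() {
    index_entries "$1" | awk '$1 == "R" { print $3 }'
}

# Restore keys/<cn>.crt from keys/<serial>.pem when the .crt file is missing or
# empty (the failure mode described above). $2 is the Easy-RSA keys directory.
restore_crt() {
    cn="$1"; keys="$2"
    if [ -s "$keys/$cn.crt" ]; then
        return 0                                # nothing to do
    fi
    serial=$(cert_serial "$cn" "$keys/index.txt")
    if [ -z "$serial" ]; then
        echo "no valid entry for $cn in $keys/index.txt" >&2
        return 1
    fi
    cp "$keys/$serial.pem" "$keys/$cn.crt"
}

# Constructed sample keys directory (not a real CA): one server cert, one
# revoked user, one valid user whose .crt file has been emptied.
write_sample_keys() {
    d=$(mktemp -d)
    {
        printf 'V\t300101000000Z\t\t01\tunknown\t/C=US/ST=CA/O=Fort-Funston/CN=server/emailAddress=mail@host.domain\n'
        printf 'R\t300101000000Z\t200101000000Z\t02\tunknown\t/C=US/ST=CA/O=Fort-Funston/CN=old.user/emailAddress=mail@host.domain\n'
        printf 'V\t300101000000Z\t\t07\tunknown\t/C=US/ST=CA/O=Fort-Funston/CN=name.surname/emailAddress=mail@host.domain\n'
    } > "$d/index.txt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CERT_07_PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/07.pem"
    : > "$d/name.surname.crt"                  # empty, as in the failure case
    echo "$d"
}

# Stand-alone demo: sh index.sh demo
if [ "${1:-}" = "demo" ]; then
    K=$(write_sample_keys)
    echo "revoked: $(revoked_cns "$K/index.txt")"
    restore_crt name.surname "$K" && echo "restored from $(cert_serial name.surname "$K/index.txt").pem"
fi
```

On a real server run it from /etc/openvpn/easy-rsa with keys as the second argument, then continue with source ./vars and ./revoke-full as described above; comparing revoked_cns output with the CRL copied to /etc/openvpn is a quick way to confirm that no revocation has been forgotten.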
Using PAM authentication
Using PAM (Pluggable Authentication Modules) authentication (/etc/pam.d/):
- add a user with the same name as the CN of the client certificate. This user will have no /home directory and no ability to log in:
- useradd -M -s /sbin/nologin name.surname
- passwd name.surname
- edit /etc/openvpn/server.conf and add:
- plugin /etc/openvpn/openvpn-plugin-auth-pam.so login
- copy the plugin to /etc/openvpn:
- cp /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/openvpn
- systemctl restart openvpn@server
- sudo systemctl status openvpn@server
- on the client side add auth-user-pass to the configuration
- now when connecting to the OpenVPN server you'll be prompted for the username and password created above