Openvpn: Unterschied zwischen den Versionen
Cbs (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „some general things to secure openvpn == tls-auth == to get extra security use a preshared tls-auth key.<br/> this key is generated at server-side and published…“) |
Cbs (Diskussion | Beiträge) |
||
Zeile 72: | Zeile 72: | ||
this will set a route at client-side to route the range<br/> | this will set a route at client-side to route the range<br/> | ||
10.255.0.0-10.255.63.255 through the tunnel interface... | 10.255.0.0-10.255.63.255 through the tunnel interface... | ||
+ | |||
+ | |||
+ | == tls-verify == | ||
+ | |||
+ | this is an external script which validates CN's of client-key's<br/> | ||
+ | this is to get some more extra-security!! | ||
+ | |||
+ | so put to you server.config: | ||
+ | |||
+ | tls-verify "/etc/openvpn/openvpn-verify-cn /etc/openvpn/valid-CNs" | ||
+ | |||
+ | every time a clients try's to auth with a cert/key the script '''/etc/openvpn/openvpn-verify-cn''' is run<br/> | ||
+ | with the parameter '''/etc/openvpn/valid-CNs''' | ||
+ | |||
+ | '''valid-CNs''' contains all CN's i want to allow to connect, e.g. | ||
+ | <pre> | ||
+ | # this is the cn of "good boy" | ||
+ | openVPN_Good.Boy | ||
+ | </pre> | ||
+ | |||
+ | the validation script 'openvpn-verify-cn' is this: | ||
+ | <!--<source lang="perl">--> | ||
+ | <pre> | ||
+ | #!/usr/bin/perl | ||
+ | |||
+ | # verify-cn -- a sample OpenVPN tls-verify script | ||
+ | # | ||
+ | # Return 0 if cn matches the common name component of | ||
+ | # X509_NAME_oneline, 1 otherwise. | ||
+ | # | ||
+ | # For example in OpenVPN, you could use the directive: | ||
+ | # | ||
+ | # tls-verify "./verify-cn Test-Client" | ||
+ | # | ||
+ | # This would cause the connection to be dropped unless | ||
+ | # the client common name is "Test-Client" | ||
+ | |||
+ | die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3); | ||
+ | |||
+ | # Parse out arguments: | ||
+ | # cn -- The common name which the client is required to have, | ||
+ | # taken from the argument to the tls-verify directive | ||
+ | # in the OpenVPN config file. | ||
+ | # depth -- The current certificate chain depth. In a typical | ||
+ | # bi-level chain, the root certificate will be at level | ||
+ | # 1 and the client certificate will be at level 0. | ||
+ | # This script will be called separately for each level. | ||
+ | # x509 -- the X509 subject string as extracted by OpenVPN from | ||
+ | # the client's provided certificate. | ||
+ | ($cnfile, $depth, $x509) = @ARGV; | ||
+ | |||
+ | my @CNs; | ||
+ | open(IN, "<$cnfile") or die("Unable to open CN file: $!\n"); | ||
+ | while (<IN>) { | ||
+ | chomp; | ||
+ | next if ($_ =~ /^#/); | ||
+ | next if ($_ eq ''); | ||
+ | push(@CNs, $_); | ||
+ | } | ||
+ | close(IN); | ||
+ | |||
+ | if ($depth == 0) { | ||
+ | # If depth is zero, we know that this is the final | ||
+ | # certificate in the chain (i.e. the client certificate), | ||
+ | # and the one we are interested in examining. | ||
+ | # If so, parse out the common name substring in | ||
+ | # the X509 subject string. | ||
+ | |||
+ | if ($x509 =~ /\/CN=([^\/]+)/) { | ||
+ | # Accept the connection if the X509 common name | ||
+ | # string matches the passed cn argument. | ||
+ | my $x509_cn = $1; | ||
+ | |||
+ | foreach my $validCn (@CNs) { | ||
+ | if ($x509_cn =~ m/^${validCn}$/s) { | ||
+ | exit 0; | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | |||
+ | # Authentication failed -- Either we could not parse | ||
+ | # the X509 subject string, or the common name in the | ||
+ | # subject string didn't match the passed cn argument. | ||
+ | exit 1; | ||
+ | } | ||
+ | |||
+ | # If depth is nonzero, tell OpenVPN to continue processing | ||
+ | # the certificate chain. | ||
+ | exit 0; | ||
+ | </pre> | ||
+ | <!--</source>--> |
Aktuelle Version vom 7. Juli 2011, 12:41 Uhr
some general things to secure openvpn
Inhaltsverzeichnis
tls-auth
to get extra security use a preshared tls-auth key.
this key is generated at server-side and published to all clients...
do NOT create a new key at client-side! this won't work!
create the key (server):
openvpn --genkey --secret ta.key
activate the key at server-side:
tls-auth ta.key 0 tls-server
be sure to use parameter '0' (zero) at server-side
now copy the ta.key to the client using a secure connection
and add this to the config:
tls-auth ta.key 1 tls-client
be sure to use parameter '1' (one) at client-side
dh (Diffie hellman parameters)
this will be created seperatly for server and clients.
create the file with:
openssl dhparam -out dh1024.pem 1024
or, if you wand to use 2048-bit key
openssl dhparam -out dh2048.pem 2048
and add it to you config-file (same for server and client):
dh dh1024.pem
or
dh dh2048.pem
client-config-dir
asuming that you added
client-config-dir ccd
to your config at server-side, add the following:
route 10.10.0.252 255.255.255.252
this adds the apropriate routes to the server to route the
rage 10.10.0.252-10.10.0.255 through the tunnel-interface...
now create a file inside the ccd directory named like the CN of the signed cert.
so if the CN of the cert is CN=openVPN_Good.Boy then create the file ccd/openVPN_Good.Boy
now add the 2 ip's out of the middle of the range:
ifconfig-push 10.10.0.253 10.10.0.254
the client now gets the ip: 10.8.0.253 with a P-t-P/Peer-Address of 10.8.0.254
you can add additional routes here to push to that client only:
push "route 10.255.0.0 255.255.192.0"
this will set a route at client-side to route the range
10.255.0.0-10.255.63.255 through the tunnel interface...
tls-verify
this is an external script which validates CN's of client-key's
this is to get some more extra-security!!
so put to you server.config:
tls-verify "/etc/openvpn/openvpn-verify-cn /etc/openvpn/valid-CNs"
every time a clients try's to auth with a cert/key the script /etc/openvpn/openvpn-verify-cn is run
with the parameter /etc/openvpn/valid-CNs
valid-CNs contains all CN's i want to allow to connect, e.g.
# this is the cn of "good boy" openVPN_Good.Boy
the validation script 'openvpn-verify-cn' is this:
#!/usr/bin/perl # verify-cn -- a sample OpenVPN tls-verify script # # Return 0 if cn matches the common name component of # X509_NAME_oneline, 1 otherwise. # # For example in OpenVPN, you could use the directive: # # tls-verify "./verify-cn Test-Client" # # This would cause the connection to be dropped unless # the client common name is "Test-Client" die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3); # Parse out arguments: # cn -- The common name which the client is required to have, # taken from the argument to the tls-verify directive # in the OpenVPN config file. # depth -- The current certificate chain depth. In a typical # bi-level chain, the root certificate will be at level # 1 and the client certificate will be at level 0. # This script will be called separately for each level. # x509 -- the X509 subject string as extracted by OpenVPN from # the client's provided certificate. ($cnfile, $depth, $x509) = @ARGV; my @CNs; open(IN, "<$cnfile") or die("Unable to open CN file: $!\n"); while (<IN>) { chomp; next if ($_ =~ /^#/); next if ($_ eq ''); push(@CNs, $_); } close(IN); if ($depth == 0) { # If depth is zero, we know that this is the final # certificate in the chain (i.e. the client certificate), # and the one we are interested in examining. # If so, parse out the common name substring in # the X509 subject string. if ($x509 =~ /\/CN=([^\/]+)/) { # Accept the connection if the X509 common name # string matches the passed cn argument. my $x509_cn = $1; foreach my $validCn (@CNs) { if ($x509_cn =~ m/^${validCn}$/s) { exit 0; } } } # Authentication failed -- Either we could not parse # the X509 subject string, or the common name in the # subject string didn't match the passed cn argument. exit 1; } # If depth is nonzero, tell OpenVPN to continue processing # the certificate chain. exit 0;