===== Basic setup =====

Debian Lenny 5.0.4 is used as the server operating system (http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd/).\\
The server sits behind a router and is reachable from the Internet via DynDNS: port forwarding for SSH (12345/TCP) and OpenVPN (1194/UDP).

A minimal installation from DVD is performed: gruppe1.test.xa (server name)

==== ip: ====

<code>
vi /etc/network/interfaces

auto eth0
iface eth0 inet static
    address 192.168.63.100
    netmask 255.255.255.0
    network 192.168.63.0
    broadcast 192.168.63.255
    gateway 192.168.63.5

/etc/init.d/networking restart
</code>

==== hostname: ====

<code>
vi /etc/hosts

192.168.63.100 gruppe1.test.xa gruppe1

echo gruppe1.test.xa > /etc/hostname
/etc/init.d/hostname.sh start
</code>

==== ntp: ====

<code>
apt-get install ntp ntpdate
</code>

==== user: ====

<code>
useradd -m rudolf
useradd -m claussen
useradd -m pump
passwd rudolf
passwd claussen
passwd pump
</code>

==== ssh access: ====

<code>
apt-get install ssh openssh-server

vi /etc/ssh/sshd_config
Port 12345
PermitRootLogin no

/etc/init.d/ssh restart
</code>

==== ssh keys (per user): ====

<code>
ssh-keygen -t dsa
ssh-keygen -t rsa
cat ~/.ssh/id*.pub >~/.ssh/authorized_keys
</code>

==== SSH clients: ====

PuTTY ([[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html]])

pscp.exe (download of the private keys):
<code>
pscp.exe -P 12345 claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/id_rsa C:\Daten_priv\id_rsa
</code>

PuTTYgen.exe (convert from OpenSSH format to PuTTY format):
<code>
Load: C:\Daten_priv\id_rsa
Save private key: C:\Daten_priv\id_rsa.ppk
</code>

PuTTY (set up the connection):
<code>
Session - Hostname: kurs1599-gruppe1.dyndns.org
Session - Port: 12345
Connection - Data: %username% (rudolf/claussen/pump)
Connection - SSH - Auth - Private key for authentication - Browse: C:\Daten_priv\id_rsa.ppk
Session - Saved Sessions: OpenVPNServer
Session - Save
Open
</code>

==== Hardening the SSH service ====

<code>
vi /etc/ssh/sshd_config
PermitRootLogin no
AllowGroups rudolf claussen pump
AllowUsers rudolf claussen pump
ClientAliveInterval 15
LoginGraceTime 10
PubkeyAuthentication yes
MaxAuthTries 3
MaxStartups 1
PrintLastLog yes
KeepAlive no
PasswordAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication no
UsePam no

/etc/init.d/ssh restart
</code>

===== OpenVPN =====

==== OpenVPN server: ====

<code>
apt-get install openvpn
cp -av /usr/share/doc/openvpn/examples/ /etc/openvpn/
</code>

Create the master certificate and key (CA):
<code>
vi /etc/openvpn/examples/easy-rsa/2.0/vars
export KEY_COUNTRY="DE"
export KEY_PROVINCE="HH"
export KEY_CITY="Hamburg"
export KEY_ORG="gruppe1"
export KEY_EMAIL="sven.claussen@fernuni-hagen.de"

cd /etc/openvpn/examples/easy-rsa/2.0/
source ./vars
./clean-all
./build-ca
</code>

Create the server certificate and key:
<code>
./build-key-server gruppe1
</code>

Create the client keys:
<code>
./build-key client11
./build-key client12
./build-key client13
</code>

Create the Diffie-Hellman parameters:
<code>
./build-dh
</code>

Copy the generated files to their places (easy-rsa writes them to the keys/ subdirectory):
<code>
mkdir /etc/openvpn/keys
cd /etc/openvpn/examples/easy-rsa/2.0/keys
cp ./ca.crt /etc/openvpn/keys/ca.crt
cp ./gruppe1.crt /etc/openvpn/keys/gruppe1.crt
cp ./gruppe1.key /etc/openvpn/keys/gruppe1.key
cp ./dh1024.pem /etc/openvpn/keys/dh1024.pem
cp ./ca.crt /home/claussen/.ssh/ca.crt
cp ./client11.crt /home/claussen/.ssh/client11.crt
cp ./client11.key /home/claussen/.ssh/client11.key
chown claussen:claussen /home/claussen/.ssh/ca.crt
chown claussen:claussen /home/claussen/.ssh/client11.crt
chown claussen:claussen /home/claussen/.ssh/client11.key
</code>

Server configuration (based on the sample config):
<code>
cd /etc/openvpn/examples/sample-config-files
gunzip server.conf.gz
cp ./server.conf /etc/openvpn/server.conf

vi /etc/openvpn/server.conf:
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/gruppe1.crt
key /etc/openvpn/keys/gruppe1.key
dh /etc/openvpn/keys/dh1024.pem
server 10.1.0.0 255.255.255.0
# push takes its option as one quoted string
push "ping 110"
push "ping-restart 120"
client-to-client
user nobody
group nogroup

/etc/init.d/openvpn restart
</code>

==== OpenVPN clients: ====

OpenVPN client software ([[http://openvpn.net/index.php/open-source/downloads.html]])

Configuration:

Client11 (Sven Claussen; Windows XP):
<code>
pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/ca.crt C:\Daten_priv\ca.crt
pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/client11.crt C:\Daten_priv\client11.crt
pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk claussen@kurs1599-gruppe1.dyndns.org:/home/claussen/.ssh/client11.key C:\Daten_priv\client11.key
copy C:\Daten_priv\bundle.txt + c:\Daten_priv\ca.crt C:\Daten_priv\bundle.txt
</code>

config.ovpn:
<code>
client
dev tun
proto udp
remote kurs1599-gruppe1.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
comp-lzo
ca C:\\Daten_priv\\ca-bundle.txt
cert C:\\Daten_priv\\client11.crt
key C:\\Daten_priv\\client11.key
;log openvpn.txt
</code>

Client12 (Thomas Rudolf):
<code>
pscp.exe -P 12345 -i C:\Daten_priv\id_rsa.ppk rudolf@kurs1599-gruppe1.dyndns.org:/home/rudolf/.ssh/ca.crt C:\Daten_priv\ca.crt
</code>
ca.crt, client12.crt, client12.key

Client13 (Matthias Pump): ca.crt, client13.crt, client13.key

===== OpenVPN link to group 2 (and thereby to group 3) =====

Using WinSCP ([[http://portableapps.com/apps/internet/winscp_portable]]), copy the certificates (ca.crt, server1_client.crt) and the key (server1_client.key) created on group 2's server (transferred encrypted by e-mail) to the directory /etc/openvpn/server02keys/ on the server.

<code>
vi /etc/openvpn/server02vpn.conf:
client
dev tun
proto udp
remote kurs1599-gruppe2.dyndns.org
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
comp-lzo
ca /etc/openvpn/server02keys/ca.crt
cert /etc/openvpn/server02keys/server1_client.crt
key /etc/openvpn/server02keys/server1_client.key
ping 110
ping-restart 120

vi /etc/openvpn/server.conf:
push "route 10.2.0.0 255.255.255.0"
push "route 10.3.0.0 255.255.255.0"

/etc/init.d/openvpn restart
</code>
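The hardening directives in the SSH section above only help if sshd actually uses them: sshd_config keywords are case-insensitive and, for each keyword, the first occurrence in the file wins, so a PermitRootLogin no appended below Debian's default PermitRootLogin yes changes nothing. The checker below is an added example, not part of the original page; it assumes only POSIX sh and awk and runs on a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the original page): report the value sshd will really
# use for the hardening directives above. First occurrence wins, as in sshd.
# Assumes POSIX sh and awk only; the sample config below is constructed.
set -eu

# Effective first argument of keyword $2 in config file $1 (empty = not set,
# i.e. the compiled-in default applies).
effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                  # comment line
        NF == 0    { next }                  # blank line
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)  # "Keyword=value" is also legal
            $0 = line                        # re-split into fields
            if (tolower($1) == key) { print tolower($2); exit }
        }' "$1"
}

# Print every hardening directive whose effective value differs from the one
# the SSH section intends; exit status 0 means the file is as intended.
audit_sshd() {
    rc=0
    for pair in permitrootlogin=no passwordauthentication=no \
                pubkeyauthentication=yes challengeresponseauthentication=no \
                maxauthtries=3 logingracetime=10 port=12345; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective "$1" "$key")
        if [ "${got:-<default>}" != "$want" ]; then
            echo "$key: effective '${got:-<default>}', intended '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: Debian's defaults with the hardening lines appended
# at the END of the file, which is the mistake this check catches.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Package generated configuration file
Port 12345
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

# appended hardening
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 10
EOF

audit_sshd "$SAMPLE" || true
```

Only the appended PermitRootLogin line is reported here, because the earlier "yes" is the one sshd keeps; the fix is to edit the existing line rather than append a second one.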
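As an added example of the trust boundaries the easy-rsa steps above establish (it is not part of the original page and uses plain openssl in place of the easy-rsa scripts; an openssl binary on PATH and a writable temporary directory are assumed), the script below builds a throw-away CA for gruppe1 and one for gruppe2 and shows that a client certificate verifies only against the CA that issued it, which is why the tunnel to group 2 needs group 2's ca.crt rather than our own.

```shell
#!/bin/sh
# Added example (not from the original page): a two-CA toy PKI built with plain
# openssl (standing in for ./build-ca and ./build-key) to check which
# certificates OpenVPN would accept under which "ca" directive.
# Assumptions: openssl is installed; all files go to a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA named $1 (the role of ./build-ca).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=DE/ST=HH/L=Hamburg/O=$1/CN=$1 CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# Issue a certificate with CN=$2 signed by CA $1 (the role of ./build-key).
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=DE/ST=HH/L=Hamburg/O=$1/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# Print "ok" if certificate $2 chains to CA $1, "fail" otherwise. This is the
# decision the TLS handshake makes for the peer under the "ca" directive.
verify_chain() {
    if openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Common Name of certificate $1; OpenVPN uses it for ccd/ lookups and logging.
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/$1.crt" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_ca gruppe1
make_ca gruppe2
make_cert gruppe1 client11          # our own VPN client
make_cert gruppe2 server1_client    # the identity group 2 issued to our server

echo "client11 vs gruppe1 CA:       $(verify_chain gruppe1 client11)"
echo "client11 vs gruppe2 CA:       $(verify_chain gruppe2 client11)"
echo "server1_client vs gruppe2 CA: $(verify_chain gruppe2 server1_client)"
echo "CN of client11:               $(cert_cn client11)"
```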
The complete server.conf:

<code>
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/gruppe1.crt
key /etc/openvpn/keys/gruppe1.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.1.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.2.0.0 255.255.255.0"
push "route 10.3.0.0 255.255.255.0"

persist-key
persist-tun
# push takes its option as one quoted string
push "ping 110"
push "ping-restart 120"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.3.0.0 255.255.0.0
;route 10.2.0.0 255.255.0.0
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
</code>
<code>
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
</code>

===== Firewall =====

The firewall is set up so that all outgoing traffic, as well as all traffic through the OpenVPN network (tun+), is allowed. Apart from that, only connections for ssh (tcp 12345) and OpenVPN (udp 1194) may be established from outside. Pings are allowed in all directions.

<code>
vi /etc/init.d/firewall.sh
</code>

<code bash>
#!/bin/bash

# A Sample OpenVPN-aware firewall.

# move script to /etc/init.d/firewall.sh
# update-rc.d firewall.sh start 40 S . stop 89 0 6 .

# eth0 is connected to the internet.
# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.1.0.0/24

# Loopback address
LOOP=127.0.0.1

if ! [ -x /sbin/iptables ]; then
    exit 0
fi

fw_stop () {
    # Delete old iptables rules
    # and temporarily block all traffic.
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -F

    # Set default policies
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
}

fw_start () {
    # Prevent external packets from using loopback addr
    iptables -A INPUT -i eth0 -s $LOOP -j DROP
    iptables -A FORWARD -i eth0 -s $LOOP -j DROP
    iptables -A INPUT -i eth0 -d $LOOP -j DROP
    iptables -A FORWARD -i eth0 -d $LOOP -j DROP

    # Anything coming from the Internet should have a real Internet address
    iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
    ##iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

    # Block outgoing NetBios (if you have windows machines running
    # on the private subnet).  This will not affect any NetBios
    # traffic that flows over the VPN tunnel, but it will stop
    # local windows machines from broadcasting themselves to
    # the internet.
    iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
    iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
    iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
    iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

    # Check source address validity on packets going out to internet
    ##iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

    # Allow local loopback
    iptables -A INPUT -s $LOOP -j ACCEPT
    iptables -A INPUT -d $LOOP -j ACCEPT

    # Allow incoming pings (can be disabled)
    # Log ping Sven (see /var/log/sven.log; /etc/rsyslog.d/sven.conf)
    iptables -A INPUT -p icmp -s 10.1.0.6 --icmp-type echo-request -j LOG --log-prefix ' ** Sven ** '
    iptables -A OUTPUT -p icmp -d 10.1.0.6 --icmp-type echo-reply -j LOG --log-prefix ' ** Sven ** '
    iptables -A FORWARD -p icmp -s 10.1.0.6 --icmp-type echo-request -j LOG --log-prefix ' ** Sven ** '
    iptables -A FORWARD -p icmp -d 10.1.0.6 --icmp-type echo-reply -j LOG --log-prefix ' ** Sven ** '
    # Log ping Thomas
    iptables -A INPUT -p icmp -s 10.1.0.14 --icmp-type echo-request -j LOG --log-prefix ' ** Thomas ** '
    iptables -A OUTPUT -p icmp -d 10.1.0.14 --icmp-type echo-reply -j LOG --log-prefix ' ** Thomas ** '
    iptables -A FORWARD -p icmp -s 10.1.0.14 --icmp-type echo-request -j LOG --log-prefix ' ** Thomas ** '
    iptables -A FORWARD -p icmp -d 10.1.0.14 --icmp-type echo-reply -j LOG --log-prefix ' ** Thomas ** '
    # Log ping Matthias
    iptables -A INPUT -p icmp -s 10.1.0.22 --icmp-type echo-request -j LOG --log-prefix ' ** Matthias ** '
    iptables -A OUTPUT -p icmp -d 10.1.0.22 --icmp-type echo-reply -j LOG --log-prefix ' ** Matthias ** '
    iptables -A FORWARD -p icmp -s 10.1.0.22 --icmp-type echo-request -j LOG --log-prefix ' ** Matthias ** '
    iptables -A FORWARD -p icmp -d 10.1.0.22 --icmp-type echo-reply -j LOG --log-prefix ' ** Matthias ** '
    # Log all ping
    iptables -A INPUT -p icmp -j LOG
    iptables -A OUTPUT -p icmp -j LOG
    iptables -A FORWARD -p icmp -j LOG
    # Accept Input and Forward ping (output is allowed all)
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

    # Allow services such as www and ssh (can be disabled)
    ##iptables -A INPUT -p tcp --dport http -j ACCEPT
    ##iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -p tcp --dport 12345 -j ACCEPT

    # Allow incoming OpenVPN packets
    # Duplicate the line below for each
    # OpenVPN tunnel, changing --dport n
    # to match the OpenVPN UDP port.
    #
    # In OpenVPN, the port number is
    # controlled by the --port n option.
    # If you put this option in the config
    # file, you can remove the leading '--'
    #
    # If you are taking the stateful firewall
    # approach (see the OpenVPN HOWTO),
    # then comment out the line below.
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT

    # Allow packets from TUN/TAP devices.
    # When OpenVPN is run in a secure mode,
    # it will authenticate packets prior
    # to their arriving on a tun or tap
    # interface.  Therefore, it is not
    # necessary to add any filters here,
    # unless you want to restrict the
    # type of packets which can flow over
    # the tunnel.
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT

    # Allow packets from private subnets
    ##iptables -A INPUT -i eth1 -j ACCEPT
    ##iptables -A FORWARD -i eth1 -j ACCEPT

    # Keep state of connections from local machine and private subnets
    iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ##iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
    ##iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade local subnet
    ##iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
}

fw_clear () {
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
}

case "$1" in
  start|restart)
    echo -n "Starting firewall.."
    fw_stop
    fw_start
    echo "done."
    ;;
  stop)
    echo -n "Stopping firewall.."
    fw_stop
    echo "done."
    ;;
  clear)
    echo -n "Clearing firewall.."
    fw_clear
    echo "done."
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|clear}"
    exit 1
    ;;
esac

exit 0
</code>

Make the script executable and register it (update-rc.d expects the script name, not its path):
<code>
chmod 755 /etc/init.d/firewall.sh
update-rc.d firewall.sh start 40 S . stop 89 0 6 .
</code>
/etc/init.d/firewall start ==== Logging ==== gruppe1:/etc/rsyslog.d# touch /var/log/sven.log gruppe1:/etc/rsyslog.d# chown root:adm /var/log/sven.log gruppe1:/etc/rsyslog.d# chmod 640 /var/log/sven.log gruppe1:/etc/rsyslog.d# vi /etc/rsyslog.d/sven.conf :msg,contains,"** Sven **" /var/log/sven.log & ~ gruppe1:/etc/rsyslog.d# touch /var/log/thomas.log gruppe1:/etc/rsyslog.d# chown root:adm /var/log/thomas.log gruppe1:/etc/rsyslog.d# chmod 640 /var/log/thomas.log gruppe1:/etc/rsyslog.d# vi /etc/rsyslog.d/thomas.conf :msg,contains,"** Thomas **" /var/log/thomas.log & ~ gruppe1:/etc/rsyslog.d# touch /var/log/matthias.log gruppe1:/etc/rsyslog.d# chown root:adm /var/log/matthias.log gruppe1:/etc/rsyslog.d# chmod 640 /var/log/matthias.log gruppe1:/etc/rsyslog.d# vi /etc/rsyslog.d/matthias.conf :msg,contains,"** Matthias **" /var/log/matthias.log & ~ gruppe1:/etc/rsyslog.d# /etc/init.d/rsyslog restart ===== Quellen ===== \\ [[http://www.howtoforge.de/howto/der-perfekte-server-debian-lenny-debian-50-ispconfig-2/4/]]\\ [[http://www.asconix.com/howtos/debian/key-ssh-authentication-debian-lenny-howto]] \\ [[http://www.berts-linux.de/2009/05/29/openvpn-server-mit-debian-lenny/]]\\ [[http://wiki.openvpn.eu/index.php/Hauptseite]]\\ [[http://wiki.openvpn.eu/index.php/Erzeugen_einer_PKI_mit_EasyRSA]]\\ [[http://wiki.openvpn.eu/index.php/Config_ServerNET_Routing]]\\ \\ [[http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html#s-rpc]]\\ \\ [[http://forum.mark-puettmann.de/viewtopic.php?f=7&t=49]]\\ \\ ===== Bildschirmausgaben ===== gruppe1:~# apt-get install openvpn Paketlisten werden gelesen... Fertig Abhängigkeitsbaum wird aufgebaut Lese Status-Informationen ein... 
Fertig Die folgenden zusätzlichen Pakete werden installiert: liblzo2-2 libpkcs11-helper1 openssl openssl-blacklist openvpn-blacklist Vorgeschlagene Pakete: ca-certificates resolvconf Die folgenden NEUEN Pakete werden installiert: liblzo2-2 libpkcs11-helper1 openssl openssl-blacklist openvpn openvpn-blacklist 0 aktualisiert, 6 neu installiert, 0 zu entfernen und 0 nicht aktualisiert. Es müssen noch 1034kB von 8948kB an Archiven heruntergeladen werden. Nach dieser Operation werden 18,5MB Plattenplatz zusätzlich benutzt. Möchten Sie fortfahren [J/n]? J Hole:1 http://ftp.informatik.uni-frankfurt.de lenny/main openssl 0.9.8g-15+lenny7 [1034kB] Es wurden 1034kB in 17s geholt (58,5kB/s) Vorkonfiguration der Pakete ... Wähle vormals abgewähltes Paket openssl. (Lese Datenbank ... 20419 Dateien und Verzeichnisse sind derzeit installiert.) Entpacke openssl (aus .../openssl_0.9.8g-15+lenny7_i386.deb) ... Wähle vormals abgewähltes Paket openssl-blacklist. Entpacke openssl-blacklist (aus .../openssl-blacklist_0.4.2_all.deb) ... Wähle vormals abgewähltes Paket liblzo2-2. Entpacke liblzo2-2 (aus .../lzo2/liblzo2-2_2.03-1_i386.deb) ... Wähle vormals abgewähltes Paket libpkcs11-helper1. Entpacke libpkcs11-helper1 (aus .../libpkcs11-helper1_1.05-1_i386.deb) ... Wähle vormals abgewähltes Paket openvpn-blacklist. Entpacke openvpn-blacklist (aus .../openvpn-blacklist_0.3_all.deb) ... Wähle vormals abgewähltes Paket openvpn. Entpacke openvpn (aus .../openvpn_2.1~rc11-1_i386.deb) ... Verarbeite Trigger für man-db ... Richte openssl ein (0.9.8g-15+lenny7) ... Richte openssl-blacklist ein (0.4.2) ... Richte liblzo2-2 ein (2.03-1) ... Richte libpkcs11-helper1 ein (1.05-1) ... Richte openvpn-blacklist ein (0.3) ... Richte openvpn ein (2.1~rc11-1) ... Restarting virtual private network daemon.:. 
gruppe1:~# ==================================================== gruppe1:/etc/openvpn/examples/easy-rsa/2.0# vi ./vars gruppe1:/etc/openvpn/examples/easy-rsa/2.0# source ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/examples/easy-rsa/2.0/keys xgruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls build-ca build-key build-key-server clean-all Makefile pkitool sign-req build-dh build-key-pass build-req inherit-inter openssl-0.9.6.cnf.gz README.gz vars build-inter build-key-pkcs12 build-req-pass list-crl openssl.cnf revoke-full whichopensslcnf gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./clean-all gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls build-ca build-key build-key-server clean-all list-crl openssl.cnf revoke-full whichopensslcnf build-dh build-key-pass build-req inherit-inter Makefile pkitool sign-req build-inter build-key-pkcs12 build-req-pass keys openssl-0.9.6.cnf.gz README.gz vars gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls keys index.txt serial gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-ca Generating a 1024 bit RSA private key ...++++++ ............++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. 
----- Country Name (2 letter code) [DE]: State or Province Name (full name) [HH]: Locality Name (eg, city) [Hamburg]: Organization Name (eg, company) [gruppe1]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [gruppe1 CA]:gruppe1CA Email Address [admin@kurs1599-gruppe1.dyndns.org]: gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ============================================= gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key-server gruppe1 Generating a 1024 bit RSA private key ....................++++++ .....++++++ writing new private key to 'gruppe1.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [HH]: Locality Name (eg, city) [Hamburg]: Organization Name (eg, company) [gruppe1]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [gruppe1]: Email Address [admin@kurs1599-gruppe1.dyndns.org]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'HH' localityName :PRINTABLE:'Hamburg' organizationName :PRINTABLE:'gruppe1' commonName :PRINTABLE:'gruppe1' emailAddress :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org' Certificate is to be certified until Jul 8 15:10:13 2020 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? 
[y/n]y Write out database with 1 new entries Data Base Updated gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ==================================================================== gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls -al keys insgesamt 48 drwx------ 2 root root 4096 11. Jul 17:10 . drwxr-xr-x 3 root root 4096 11. Jul 17:16 .. -rw-r--r-- 1 root root 3949 11. Jul 17:10 01.pem -rw-r--r-- 1 root root 1261 11. Jul 17:04 ca.crt -rw------- 1 root root 887 11. Jul 17:04 ca.key -rw-r--r-- 1 root root 3949 11. Jul 17:10 gruppe1.crt -rw-r--r-- 1 root root 688 11. Jul 17:10 gruppe1.csr -rw------- 1 root root 887 11. Jul 17:10 gruppe1.key -rw-r--r-- 1 root root 118 11. Jul 17:10 index.txt -rw-r--r-- 1 root root 21 11. Jul 17:10 index.txt.attr -rw-r--r-- 1 root root 0 11. Jul 17:03 index.txt.old -rw-r--r-- 1 root root 3 11. Jul 17:10 serial -rw-r--r-- 1 root root 3 11. Jul 17:03 serial.old gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ==================================================================== gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key client11 Generating a 1024 bit RSA private key .......................................................................++++++ .........++++++ writing new private key to 'client11.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. 
----- Country Name (2 letter code) [DE]: State or Province Name (full name) [HH]: Locality Name (eg, city) [Hamburg]: Organization Name (eg, company) [gruppe1]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [client11]: Email Address [admin@kurs1599-gruppe1.dyndns.org]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'HH' localityName :PRINTABLE:'Hamburg' organizationName :PRINTABLE:'gruppe1' commonName :PRINTABLE:'client11' emailAddress :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org' Certificate is to be certified until Jul 8 15:25:17 2020 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated gruppe1:/etc/openvpn/examples/easy-rsa/2.0# =================================================================== gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key client12 Generating a 1024 bit RSA private key ......++++++ .............................++++++ writing new private key to 'client12.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. 
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client12]:
Email Address [admin@kurs1599-gruppe1.dyndns.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'HH'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'gruppe1'
commonName            :PRINTABLE:'client12'
emailAddress          :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org'
Certificate is to be certified until Jul  8 15:26:42 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-key client13
Generating a 1024 bit RSA private key
..........++++++
....++++++
writing new private key to 'client13.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [HH]:
Locality Name (eg, city) [Hamburg]:
Organization Name (eg, company) [gruppe1]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client13]:
Email Address [admin@kurs1599-gruppe1.dyndns.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'HH'
localityName          :PRINTABLE:'Hamburg'
organizationName      :PRINTABLE:'gruppe1'
commonName            :PRINTABLE:'client13'
emailAddress          :IA5STRING:'admin@kurs1599-gruppe1.dyndns.org'
Certificate is to be certified until Jul  8 15:26:56 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
=====================================================================================
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls -al keys
total 104
drwx------ 2 root root 4096 Jul 11 17:26 .
drwxr-xr-x 3 root root 4096 Jul 11 17:16 ..
-rw-r--r-- 1 root root 3949 Jul 11 17:10 01.pem
-rw-r--r-- 1 root root 3828 Jul 11 17:25 02.pem
-rw-r--r-- 1 root root 3828 Jul 11 17:26 03.pem
-rw-r--r-- 1 root root 3828 Jul 11 17:26 04.pem
-rw-r--r-- 1 root root 1261 Jul 11 17:04 ca.crt
-rw------- 1 root root  887 Jul 11 17:04 ca.key
-rw-r--r-- 1 root root 3828 Jul 11 17:25 client11.crt
-rw-r--r-- 1 root root  688 Jul 11 17:25 client11.csr
-rw------- 1 root root  887 Jul 11 17:25 client11.key
-rw-r--r-- 1 root root 3828 Jul 11 17:26 client12.crt
-rw-r--r-- 1 root root  688 Jul 11 17:26 client12.csr
-rw------- 1 root root  891 Jul 11 17:26 client12.key
-rw-r--r-- 1 root root 3828 Jul 11 17:26 client13.crt
-rw-r--r-- 1 root root  688 Jul 11 17:26 client13.csr
-rw------- 1 root root  887 Jul 11 17:26 client13.key
-rw-r--r-- 1 root root 3949 Jul 11 17:10 gruppe1.crt
-rw-r--r-- 1 root root  688 Jul 11 17:10 gruppe1.csr
-rw------- 1 root root  887 Jul 11 17:10 gruppe1.key
-rw-r--r-- 1 root root  475 Jul 11 17:26 index.txt
-rw-r--r-- 1 root root   20 Jul 11 17:26 index.txt.attr
-rw-r--r-- 1 root root   20 Jul 11 17:26 index.txt.attr.old
-rw-r--r-- 1 root root  356 Jul 11 17:26 index.txt.old
-rw-r--r-- 1 root root    3 Jul 11 17:26 serial
-rw-r--r-- 1 root root    3 Jul 11 17:26 serial.old
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
=============================================================================
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................++*++*++*
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#

Note: the vars file of easy-rsa 2.0 defaults to KEY_SIZE=1024, which is why every key above is generated as a 1024-bit RSA key and build-dh produces a 1024-bit safe prime (the "Diffie-Hellman initialized with 1024 bit key" line in the syslog below). 1024-bit RSA and DH are below the current minimum; set KEY_SIZE=2048 in vars before running ./clean-all and ./build-ca, which also makes build-dh write dh2048.pem instead of dh1024.pem.

=============================================================================
gruppe1:/etc/openvpn/examples/easy-rsa/2.0# ls -al keys
total 108
drwx------ 2 root root 4096 Jul 11 17:30 .
drwxr-xr-x 3 root root 4096 Jul 11 17:16 ..
-rw-r--r-- 1 root root 3949 Jul 11 17:10 01.pem
-rw-r--r-- 1 root root 3828 Jul 11 17:25 02.pem
-rw-r--r-- 1 root root 3828 Jul 11 17:26 03.pem
-rw-r--r-- 1 root root 3828 Jul 11 17:26 04.pem
-rw-r--r-- 1 root root 1261 Jul 11 17:04 ca.crt
-rw------- 1 root root  887 Jul 11 17:04 ca.key
-rw-r--r-- 1 root root 3828 Jul 11 17:25 client11.crt
-rw-r--r-- 1 root root  688 Jul 11 17:25 client11.csr
-rw------- 1 root root  887 Jul 11 17:25 client11.key
-rw-r--r-- 1 root root 3828 Jul 11 17:26 client12.crt
-rw-r--r-- 1 root root  688 Jul 11 17:26 client12.csr
-rw------- 1 root root  891 Jul 11 17:26 client12.key
-rw-r--r-- 1 root root 3828 Jul 11 17:26 client13.crt
-rw-r--r-- 1 root root  688 Jul 11 17:26 client13.csr
-rw------- 1 root root  887 Jul 11 17:26 client13.key
-rw-r--r-- 1 root root  245 Jul 11 17:30 dh1024.pem
-rw-r--r-- 1 root root 3949 Jul 11 17:10 gruppe1.crt
-rw-r--r-- 1 root root  688 Jul 11 17:10 gruppe1.csr
-rw------- 1 root root  887 Jul 11 17:10 gruppe1.key
-rw-r--r-- 1 root root  475 Jul 11 17:26 index.txt
-rw-r--r-- 1 root root   20 Jul 11 17:26 index.txt.attr
-rw-r--r-- 1 root root   20 Jul 11 17:26 index.txt.attr.old
-rw-r--r-- 1 root root  356 Jul 11 17:26 index.txt.old
-rw-r--r-- 1 root root    3 Jul 11 17:26 serial
-rw-r--r-- 1 root root    3 Jul 11 17:26 serial.old
gruppe1:/etc/openvpn/examples/easy-rsa/2.0#
=============================================================================
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# mkdir /etc/openvpn/keys
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./ca.crt /etc/openvpn/keys/ca.crt
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./gruppe1.crt /etc/openvpn/keys/gruppe1.crt
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./gruppe1.key /etc/openvpn/keys/gruppe1.key
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cp ./dh1024.pem /etc/openvpn/keys/dh1024.pem
gruppe1:/etc/openvpn/examples/easy-rsa/2.0/keys# cd /etc/openvpn/keys
gruppe1:/etc/openvpn/keys# ls -al
total 24
drwxr-xr-x 2 root root 4096 Jul 11 17:38 .
drwxr-xr-x 4 root root 4096 Jul 11 17:37 ..
-rw-r--r-- 1 root root 1261 Jul 11 17:37 ca.crt
-rw-r--r-- 1 root root  245 Jul 11 17:38 dh1024.pem
-rw-r--r-- 1 root root 3949 Jul 11 17:38 gruppe1.crt
-rw------- 1 root root  887 Jul 11 17:38 gruppe1.key
gruppe1:/etc/openvpn/keys#
=============================================================================
/etc/openvpn/server.conf:
=============================================================================
=============================================================================
gruppe1:/etc/openvpn# tail -n 25 /var/log/syslog
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #1 wildcard, ::#123 Disabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #2 lo, ::1#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #3 eth0, fe80::214:2aff:fed2:8f4f#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: Listening on interface #5 eth0, 192.168.63.100#123 Enabled
Jul 11 10:59:46 gruppe1 ntpd[2313]: kernel time sync status 0040
Jul 11 10:59:46 gruppe1 ntpd[2313]: frequency initialized 74.237 PPM from /var/lib/ntp/ntp.drift
Jul 11 10:59:46 gruppe1 kernel: [   58.929054] warning: `ntpd' uses 32-bit capabilities (legacy support in use)
Jul 11 10:59:46 gruppe1 /usr/sbin/cron[2341]: (CRON) INFO (pidfile fd = 3)
Jul 11 10:59:46 gruppe1 /usr/sbin/cron[2342]: (CRON) STARTUP (fork ok)
Jul 11 10:59:46 gruppe1 /usr/sbin/cron[2342]: (CRON) INFO (Running @reboot jobs)
Jul 11 11:03:00 gruppe1 ntpd[2313]: synchronized to 192.168.63.5, stratum 2
Jul 11 11:03:00 gruppe1 ntpd[2313]: kernel time sync status change 0001
Jul 11 11:17:02 gruppe1 /USR/SBIN/CRON[2386]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 12:17:01 gruppe1 /USR/SBIN/CRON[2457]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 13:17:01 gruppe1 /USR/SBIN/CRON[2605]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 14:17:01 gruppe1 /USR/SBIN/CRON[2612]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 15:17:01 gruppe1 /USR/SBIN/CRON[2641]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 16:17:01 gruppe1 /USR/SBIN/CRON[2649]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 17:17:01 gruppe1 /USR/SBIN/CRON[2734]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Diffie-Hellman initialized with 1024 bit key
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Cannot load certificate file /etc/openvpn/keys/server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Exiting

The first start fails because the cert line in server.conf still pointed at keys/server.crt, while easy-rsa had written the server certificate as gruppe1.crt and it was copied to /etc/openvpn/keys under that name above. OpenVPN aborts at the first file it cannot open, so any further path mistakes only show up after this one is fixed. After editing server.conf the restart below succeeds.

gruppe1:/etc/openvpn# vi server.conf
gruppe1:/etc/openvpn# /etc/init.d/openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: server.
gruppe1:/etc/openvpn#
=============================================================================
gruppe1:/etc/openvpn# tail -n 25 /var/log/syslog
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Diffie-Hellman initialized with 1024 bit key
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Cannot load certificate file /etc/openvpn/keys/server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jul 11 17:58:42 gruppe1 ovpn-server[2844]: Exiting
Jul 11 18:05:00 gruppe1 ovpn-server[2875]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Jul 11 18:05:00 gruppe1 ovpn-server[2875]: Diffie-Hellman initialized with 1024 bit key
Jul 11 18:05:00 gruppe1 ovpn-server[2875]: /usr/bin/openssl-vulnkey -q -b 1024 -m
Jul 11 18:05:02 gruppe1 ovpn-server[2875]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 11 18:05:02 gruppe1 ovpn-server[2875]: ROUTE default_gateway=192.168.63.5
Jul 11 18:05:03 gruppe1 kernel: [25575.562815] tun: Universal TUN/TAP device driver, 1.6
Jul 11 18:05:03 gruppe1 kernel: [25575.562838] tun: (C) 1999-2004 Max Krasnyansky
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: TUN/TAP device tun0 opened
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: TUN/TAP TX queue length set to 100
Jul 11 18:05:03 gruppe1 kernel: [25575.576349] tun0: Disabled Privacy Extensions
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: /sbin/ifconfig tun0 10.1.0.1 pointopoint 10.1.0.2 mtu 1500
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: /sbin/route add -net 10.1.0.0 netmask 255.255.255.0 gw 10.1.0.2
Jul 11 18:05:03 gruppe1 ovpn-server[2875]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: Socket Buffers: R=[111616->131072] S=[111616->131072]
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: UDPv4 link local (bound): [undef]:1194
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: UDPv4 link remote: [undef]
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: MULTI: multi_init called, r=256 v=256
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: IFCONFIG POOL: base=10.1.0.4 size=62
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: IFCONFIG POOL LIST
Jul 11 18:05:03 gruppe1 ovpn-server[2884]: Initialization Sequence Completed
Jul 11 18:09:47 gruppe1 ntpd[2313]: Listening on interface #6 tun0, 10.1.0.1#123 Enabled
gruppe1:/etc/openvpn#

Note the last syslog line: as soon as tun0 exists, ntpd binds to it as well. Every service that listens on all interfaces becomes reachable from the VPN clients in the same way, so the host firewall needs explicit rules for tun0, not only for eth0.

==============================================================================
gruppe1:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:2a:d2:8f:4f
          inet addr:192.168.63.100  Bcast:192.168.63.255  Mask:255.255.255.0
          inet6 addr: fe80::214:2aff:fed2:8f4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12951 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1123358 (1.0 MiB)  TX bytes:1701768 (1.6 MiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 B)  TX bytes:560 (560.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.0.1  P-t-P:10.1.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
gruppe1:/etc/openvpn#
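The failed first start above (server.conf pointing at keys/server.crt while easy-rsa had written gruppe1.crt) is the kind of mistake a pre-flight check catches before the daemon is restarted. The script below is an added example and not code from this page or from OpenVPN: it resolves the file directives of a server.conf the way the daemon does when started from its working directory (the Debian init script passes --cd /etc/openvpn), reports files that do not exist, flags private keys that are readable by group or world, and flags Diffie-Hellman parameters shorter than 2048 bits by decoding the PEM file. The configuration text and the temporary key directory are constructed for the demo; the file names mirror the ones copied into /etc/openvpn/keys above, and the DH prime is a 1024-bit placeholder, not a real safe prime.

```python
"""Pre-flight check for an OpenVPN server.conf (added example, not code from
the page or from OpenVPN). Resolves file directives relative to the daemon's
working directory (Debian starts it with --cd /etc/openvpn), reports missing
files, private keys readable by group/other, and DH primes below 2048 bits.
Config text and key directory are constructed; the names match the files
copied into /etc/openvpn/keys on this page."""
import base64
import os
import stat
import tempfile

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "crl-verify")
SECRET_DIRECTIVES = ("key", "tls-auth")  # must not be group/world readable


def parse_conf(text):
    """{directive: [args]} for the active lines of an OpenVPN config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def der_len(n):          # DER length encoding (short and long form)
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):          # DER INTEGER, with a leading 0x00 if the high bit is set
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def read_len(buf, pos):  # inverse of der_len: (length, position after it)
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def dh_params_pem(p, g=2):
    """PEM 'DH PARAMETERS' = base64(DER SEQUENCE { INTEGER p, INTEGER g })."""
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def dh_bits(path):
    """Bit length of the prime p in a PEM DH parameter file."""
    with open(path) as fh:
        der = base64.b64decode("".join(l.strip() for l in fh if not l.startswith("-----")))
    _, pos = read_len(der, 1)             # skip SEQUENCE tag and length
    plen, pos = read_len(der, pos + 1)    # skip INTEGER tag
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()


def check_conf(text, base_dir="/etc/openvpn"):
    """List of problems; empty means all files exist, secrets are 0600, DH >= 2048 bit."""
    conf, problems = parse_conf(text), []
    for directive in FILE_DIRECTIVES:
        if not conf.get(directive):
            continue
        arg = conf[directive][0]
        full = arg if os.path.isabs(arg) else os.path.join(base_dir, arg)
        if not os.path.isfile(full):
            problems.append(f"{directive}: {arg} does not exist (looked for {full})")
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if directive in SECRET_DIRECTIVES and mode & 0o077:
            problems.append(f"{directive}: {arg} is mode {mode:04o}, should be 0600")
        if directive == "dh" and dh_bits(full) < 2048:
            problems.append(f"dh: {arg} is {dh_bits(full)}-bit; regenerate with 2048-bit parameters")
    return problems


# Constructed sample: cert/key still carry the sample config's names, not easy-rsa's.
BROKEN_CONF = ("port 1194\nproto udp\ndev tun\nca keys/ca.crt\ncert keys/server.crt\n"
               "key keys/server.key\ndh keys/dh1024.pem\nserver 10.1.0.0 255.255.255.0\n")
FIXED_CONF = BROKEN_CONF.replace("keys/server.", "keys/gruppe1.")


def build_sample_tree():
    """Throw-away /etc/openvpn look-alike; p is a 1024-bit placeholder, not a safe prime."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "keys"))
    files = {"ca.crt": ("placeholder\n", 0o644), "gruppe1.crt": ("placeholder\n", 0o644),
             "gruppe1.key": ("placeholder\n", 0o600),
             "dh1024.pem": (dh_params_pem((1 << 1023) | 1), 0o644)}
    for name, (content, mode) in files.items():
        path = os.path.join(base, "keys", name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return base


def demo():
    """(problems with the broken config, problems with the fixed config)."""
    base = build_sample_tree()
    return check_conf(BROKEN_CONF, base), check_conf(FIXED_CONF, base)


if __name__ == "__main__":
    for label, problems in zip(("before", "after"), demo()):
        print(label, problems)
```

Run against a real host, replace the sample tree with `check_conf(open("/etc/openvpn/server.conf").read())`. With the broken configuration the check reports cert and key as missing before the daemon would, and it keeps reporting the 1024-bit parameters after the names are fixed. The placeholder parameter file comes out at exactly 245 bytes, the size of dh1024.pem in the listings above, because a 1024-bit prime with generator 2 always encodes to 138 DER bytes in this layout.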
==========================================================================================
claussen@gruppe1:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/claussen/.ssh/id_rsa):
Created directory '/home/claussen/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/claussen/.ssh/id_rsa.
Your public key has been saved in /home/claussen/.ssh/id_rsa.pub.
The key fingerprint is:
83:cc:f4:2a:f5:3f:df:b0:6f:61:94:da:ee:e9:b2:71 claussen@gruppe1.test.xa
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|  . .            |
| + o o           |
|  = S +          |
| . o . . +       |
| . . . ooE.      |
|  . .. .*o.      |
|     .o+B*       |
+-----------------+
claussen@gruppe1:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/claussen/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/claussen/.ssh/id_dsa.
Your public key has been saved in /home/claussen/.ssh/id_dsa.pub.
The key fingerprint is:
3a:13:36:52:2f:0f:4a:70:01:d4:0f:52:5a:fc:9d:0a claussen@gruppe1.test.xa
The key's randomart image is:
+--[ DSA 1024]----+
|    .o=+         |
|    .o+.         |
|   o..+.. .      |
|    oE.o.o       |
|    o.*.S        |
|   . +.B         |
|    . + .        |
|     o           |
|                 |
+-----------------+
claussen@gruppe1:~$
==========================================================================================
claussen@gruppe1:~/.ssh$ ls -al
total 24
drwx------ 2 claussen claussen 4096 Jul 12 18:10 .
drwxr-xr-x 3 claussen claussen 4096 Jul 12 18:05 ..
-rw------- 1 claussen claussen  668 Jul 12 18:10 id_dsa
-rw-r--r-- 1 claussen claussen  614 Jul 12 18:10 id_dsa.pub
-rw------- 1 claussen claussen 1675 Jul 12 18:05 id_rsa
-rw-r--r-- 1 claussen claussen  406 Jul 12 18:05 id_rsa.pub
claussen@gruppe1:~/.ssh$ cat authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAMmOSxJXn2QcgNiZUyX1j1tu2BEogHj0IUGrwR4UGnTY7usQtI/sZHFe/2aOvK5oWcwcVQjIaSCI9uWCvn6A7DMrfRGSksH8D7WtNnSrGaoGokGNwNET3JIzBoQWmxNXmoEerJJusXmQfwzJffMMlHpFQs38HfSaj7dtx+q1/3aRAAAAFQDrQGQvQE0gUcjHejmyM2kHWF4QgQAAAIBwuQHXFIdjaIrfDsF9S3hnPRlxxon/g7BGWwx3q6Go9PEOr4CvcaiS3FofjZVPNrzQ0STDYSn5//zvuuP7ELsJy7tB121wwbmPyEnVzJ4Cl0cFengLB2vdGbrdtiSRANkuvgVFWNII0qz/f5qSM4LeohzMjYGH/UkmAnm6khbz1wAAAIAETxBxDPUdXiYqD98ybmNosyfnrNw8namv363QLoVAw8TjVgQfHlVZncvWcDaCn5DFd5XVr7jF7ENNkXBtoI7Y+gOWJ9WCe0HovSnmqgQBaTNKuGmjyfwMVRsjXpjdCTeFnS1ySoESpWXKz8+cyTO3yw5SlZrH3OF6VGWm6+WFxg== claussen@gruppe1.test.xa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxZQYoLel51uA+iwTmR0tfn/OrnIBaKjoAr9pcq+6ITgLCJLwtEHdk/c6gM5DvD42JT8t7z9ZTSoBUm1ikjEarZLpvkh5e/5tIhk8jxLwO1IHz12eXnKkQrMgjU0QGQ3niOe541OGEfxevXayw6kaOGu82w7lpUuiLLTxG25DSyvnhOYzlleuUZL9/Fs08pw2/dL3+M6nyNm7p36NGtfliLiEgeKkqXfIOsBg6Rv+McJjwJkhYa90zqR8EUCmc/vJ0qQefVOTOpOaaR7Cmib8KF/rOJ6FRNSFAdJ/5uGSacRMV1USRYGJdVKGogvNITUgId2q4WKMwNgcp3oK82g1nw== claussen@gruppe1.test.xa

===== Ping test within the group =====
| Sven:     | 10.1.0.6  | client11 |
| Thomas:   | 10.1.0.14 | client12 |
| Matthias: | 10.1.0.22 | client13 |

==== Client11 (Sven): ====
C:\>ping 10.1.0.14\\
\\
Pinging 10.1.0.14 with 32 bytes of data:\\
\\
Reply from 10.1.0.14: bytes=32 time=50ms TTL=128\\
Reply from 10.1.0.14: bytes=32 time=47ms TTL=128\\
Reply from 10.1.0.14: bytes=32 time=48ms TTL=128\\
Reply from 10.1.0.14: bytes=32 time=47ms TTL=128\\
\\
Ping statistics for 10.1.0.14:\\
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\\
Approximate round trip times in milli-seconds:\\
    Minimum = 47ms, Maximum = 50ms, Average = 48ms\\
\\
C:\>ping 10.1.0.22\\
\\
Pinging 10.1.0.22 with 32 bytes of data:\\
\\
Request timed out.\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
\\
Ping statistics for 10.1.0.22:\\
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),\\
Approximate round trip times in milli-seconds:\\
    Minimum = 34ms, Maximum = 34ms, Average = 34ms\\
\\
C:\>ping 10.1.0.22\\
\\
Pinging 10.1.0.22 with 32 bytes of data:\\
\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
Reply from 10.1.0.22: bytes=32 time=34ms TTL=64\\
\\
Ping statistics for 10.1.0.22:\\
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\\
Approximate round trip times in milli-seconds:\\
    Minimum = 34ms, Maximum = 34ms, Average = 34ms\\
\\
C:\>tracert 10.1.0.22\\
\\
Tracing route to 10.1.0.22 over a maximum of 30 hops\\
\\
  1    35 ms    33 ms    33 ms  10.1.0.22\\
\\
Trace complete.\\
\\
C:\>tracert 10.1.0.14\\
\\
Tracing route to 10.1.0.14 over a maximum of 30 hops\\
\\
  1    50 ms    49 ms    53 ms  10.1.0.14\\
\\
Trace complete.\\
\\
C:\>\\
\\

==== Server gruppe1: ====
gruppe1:/etc/openvpn# cat openvpn-status.log\\
OpenVPN CLIENT LIST\\
Updated,Thu Jul 22 22:06:30 2010\\
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\\
client12,178.203.65.232:59585,10479,49549,Thu Jul 22 21:48:32 2010\\
client11,192.168.62.13:1426,75748,80984,Thu Jul 22 19:27:03 2010\\
client13,84.46.68.32:64833,105559,43213,Thu Jul 22 20:34:52 2010\\
ROUTING TABLE\\
Virtual Address,Common Name,Real Address,Last Ref\\
10.1.0.22,client13,84.46.68.32:64833,Thu Jul 22 22:00:26 2010\\
10.1.0.6,client11,192.168.62.13:1426,Thu Jul 22 22:01:02 2010\\
10.1.0.14,client12,178.203.65.232:59585,Thu Jul 22 22:06:29 2010\\
GLOBAL STATS\\
Max bcast/mcast queue length,1\\
END\\
gruppe1:/etc/openvpn# ping 10.1.0.14\\
PING 10.1.0.14 (10.1.0.14) 56(84) bytes of data.\\
64 bytes from 10.1.0.14: icmp_seq=1 ttl=128 time=48.5 ms\\
64 bytes from 10.1.0.14: icmp_seq=2 ttl=128 time=46.8 ms\\
^C\\
--- 10.1.0.14 ping statistics ---\\
2 packets transmitted, 2 received, 0% packet loss, time 1003ms\\
rtt min/avg/max/mdev = 46.857/47.723/48.589/0.866 ms\\
gruppe1:/etc/openvpn# ping 10.1.0.22\\
PING 10.1.0.22 (10.1.0.22) 56(84) bytes of data.\\
64 bytes from 10.1.0.22: icmp_seq=1 ttl=64 time=33.6 ms\\
64 bytes from 10.1.0.22: icmp_seq=2 ttl=64 time=34.1 ms\\
^C\\
--- 10.1.0.22 ping statistics ---\\
2 packets transmitted, 2 received, 0% packet loss, time 1003ms\\
rtt min/avg/max/mdev = 33.635/33.889/34.144/0.314 ms\\
gruppe1:/etc/openvpn# ping 10.1.0.6\\
PING 10.1.0.6 (10.1.0.6) 56(84) bytes of data.\\
64 bytes from 10.1.0.6: icmp_seq=1 ttl=128 time=2.15 ms\\
64 bytes from 10.1.0.6: icmp_seq=2 ttl=128 time=1.60 ms\\
64 bytes from 10.1.0.6: icmp_seq=3 ttl=128 time=1.68 ms\\
^C\\
--- 10.1.0.6 ping statistics ---\\
3 packets transmitted, 3 received, 0% packet loss, time 2007ms\\
rtt min/avg/max/mdev = 1.606/1.815/2.153/0.241 ms\\
gruppe1:/etc/openvpn#\\

===== Ping test within the network =====
==== Client11 (Sven): ====
Network Gruppe1

Pinging 10.1.0.1 with 32 bytes of data:

Reply from 10.1.0.1: bytes=32 time=2ms TTL=64
Reply from 10.1.0.1: bytes=32 time=2ms TTL=64

Ping statistics for 10.1.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
============================================
Sven

Pinging 10.1.0.6 with 32 bytes of data:

Reply from 10.1.0.6: bytes=32 time<1ms TTL=128
Reply from 10.1.0.6: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.0.6:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
============================================
Thomas

Pinging 10.1.0.14 with 32 bytes of data:

Reply from 10.1.0.14: bytes=32 time=53ms TTL=128
Reply from 10.1.0.14: bytes=32 time=55ms TTL=128

Ping statistics for 10.1.0.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 53ms, Maximum = 55ms, Average = 54ms
============================================
Matthias

Pinging 10.1.0.22 with 32 bytes of data:

Reply from 10.1.0.22: bytes=32 time=41ms TTL=64
Reply from 10.1.0.22: bytes=32 time=41ms TTL=64

Ping statistics for 10.1.0.22:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 41ms, Maximum = 41ms, Average = 41ms
============================================
Network Gruppe2

Pinging 10.2.0.1 with 32 bytes of data:

Reply from 10.2.0.1: bytes=32 time=54ms TTL=63
Reply from 10.2.0.1: bytes=32 time=46ms TTL=63

Ping statistics for 10.2.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 46ms, Maximum = 54ms, Average = 50ms
============================================
Robert

Pinging 10.2.0.5 with 32 bytes of data:

Reply from 10.2.0.5: bytes=32 time=110ms TTL=127
Reply from 10.2.0.5: bytes=32 time=112ms TTL=127

Ping statistics for 10.2.0.5:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 110ms, Maximum = 112ms, Average = 111ms
============================================
Peter

Pinging 10.2.0.9 with 32 bytes of data:

Reply from 10.2.0.9: bytes=32 time=292ms TTL=63
Reply from 10.2.0.9: bytes=32 time=319ms TTL=63

Ping statistics for 10.2.0.9:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 292ms, Maximum = 319ms, Average = 305ms
============================================
Dennis

Pinging 10.2.0.13 with 32 bytes of data:

Reply from 10.2.0.13: bytes=32 time=97ms TTL=63
Reply from 10.2.0.13: bytes=32 time=121ms TTL=63

Ping statistics for 10.2.0.13:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 97ms, Maximum = 121ms, Average = 109ms
============================================
Network Gruppe3

Pinging 10.3.0.1 with 32 bytes of data:

Reply from 10.3.0.1: bytes=32 time=86ms TTL=63
Reply from 10.3.0.1: bytes=32 time=81ms TTL=63

Ping statistics for 10.3.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 81ms, Maximum = 86ms, Average = 83ms
============================================
Niklas

Pinging 10.3.0.6 with 32 bytes of data:

Reply from 10.3.0.6: bytes=32 time=74ms TTL=126
Reply from 10.3.0.6: bytes=32 time=90ms TTL=126

Ping statistics for 10.3.0.6:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 74ms, Maximum = 90ms, Average = 82ms
============================================
Timo

Pinging 10.3.0.10 with 32 bytes of data:

Reply from 10.3.0.10: bytes=32 time=157ms TTL=126
Reply from 10.3.0.10: bytes=32 time=134ms TTL=126

Ping statistics for 10.3.0.10:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 134ms, Maximum = 157ms, Average = 145ms
============================================
Martin

Pinging 10.3.0.14 with 32 bytes of data:

Reply from 10.3.0.14: bytes=32 time=143ms TTL=62
Reply from 10.3.0.14: bytes=32 time=132ms TTL=62

Ping statistics for 10.3.0.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 132ms, Maximum = 143ms, Average = 137ms

==== Server gruppe1: ====
gruppe1:/etc/openvpn# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Mon Aug 2 20:47:14 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client11,192.168.62.16:1077,245622,246257,Mon Aug 2 18:08:38 2010
client12,178.203.65.232:62449,145940,147684,Mon Aug 2 20:07:51 2010
client13,84.46.40.26:62721,26874,27569,Mon Aug 2 20:38:58 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.14,client12,178.203.65.232:62449,Mon Aug 2 20:42:06 2010
10.1.0.6,client11,192.168.62.16:1077,Mon Aug 2 20:42:12 2010
10.1.0.22,client13,84.46.40.26:62721,Mon Aug 2 20:43:55 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
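The two openvpn-status.log dumps above (the Jul 22 one in the group test and the Aug 2 one just shown) are the server-side record of who is connected, from where, and which pool address each client holds. Read regularly, that file is the cheapest detection point for a client certificate being used from two places at once, or for a peer holding a pool address other than the one in the group's table. The script below is an added example, not code from this page or from OpenVPN: it parses the version-1 status layout printed above into a client list and a routing table and audits them. STATUS_LOG is the Aug 2 status file from this page and EXPECTED is the address table from the group ping test; the second input, in which an extra session presents client11's certificate, is constructed.

```python
"""Parse OpenVPN's status file (the version-1 layout printed on this page)
and audit it (added example, not code from the page or from OpenVPN).
STATUS_LOG is the openvpn-status.log shown above; EXPECTED is the address
table from the group ping test; DUPLICATE_LOG is constructed."""
from collections import namedtuple

Client = namedtuple("Client", "common_name real_address bytes_received bytes_sent connected_since")
Route = namedtuple("Route", "virtual_address common_name real_address last_ref")

STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Mon Aug 2 20:47:14 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client11,192.168.62.16:1077,245622,246257,Mon Aug 2 18:08:38 2010
client12,178.203.65.232:62449,145940,147684,Mon Aug 2 20:07:51 2010
client13,84.46.40.26:62721,26874,27569,Mon Aug 2 20:38:58 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.14,client12,178.203.65.232:62449,Mon Aug 2 20:42:06 2010
10.1.0.6,client11,192.168.62.16:1077,Mon Aug 2 20:42:12 2010
10.1.0.22,client13,84.46.40.26:62721,Mon Aug 2 20:43:55 2010
GLOBAL STATS
Max bcast/mcast queue length,1
END
"""
EXPECTED = {"client11": "10.1.0.6", "client12": "10.1.0.14", "client13": "10.1.0.22"}


def parse_status(text):
    """Return (clients, routes) from the CLIENT LIST and ROUTING TABLE sections."""
    clients, routes, section = [], [], None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line in ("GLOBAL STATS", "END"):
            section = None
        else:
            f = line.split(",")
            if section == "clients" and len(f) == 5 and f[0] != "Common Name":
                clients.append(Client(f[0], f[1], int(f[2]), int(f[3]), f[4]))
            elif section == "routes" and len(f) == 4 and f[0] != "Virtual Address":
                routes.append(Route(*f))
    return clients, routes


def audit(clients, routes, expected=None):
    """Findings: one certificate used by two sessions at once, a session without
    a route entry, a route entry lagging behind the session's real address, and a
    pool address that differs from the one the peers were told to ping."""
    findings, seen = [], {}
    for c in clients:
        if c.common_name in seen:
            findings.append(f"{c.common_name}: certificate in use from "
                            f"{seen[c.common_name]} and {c.real_address} at once")
        seen[c.common_name] = c.real_address
    routed = {r.common_name: r for r in routes}
    for cn, real in seen.items():
        r = routed.get(cn)
        if r is None:
            findings.append(f"{cn}: connected from {real} but has no routing-table entry")
        elif r.real_address != real:
            findings.append(f"{cn}: route entry still points at {r.real_address}, session is from {real}")
        elif expected and cn in expected and expected[cn] != r.virtual_address:
            findings.append(f"{cn}: got {r.virtual_address}, expected {expected[cn]}")
    return findings


# Constructed: a second session presenting client11's certificate from another address.
DUPLICATE_LOG = STATUS_LOG.replace(
    "ROUTING TABLE", "client11,84.46.40.26:1025,10,10,Mon Aug 2 20:46:00 2010\nROUTING TABLE", 1)


def demo():
    """(findings for the page's status file, findings for the constructed one)."""
    return (audit(*parse_status(STATUS_LOG), EXPECTED),
            audit(*parse_status(DUPLICATE_LOG), EXPECTED))


if __name__ == "__main__":
    for label, findings in zip(("page", "duplicate"), demo()):
        print(label, findings or "clean")
```

With the page's own status file the audit returns no findings: each of the three certificates is in use once, every session has a route entry, and the pool addresses match the table. The constructed input yields two findings, the shared certificate and the route entry that still names the first session's address. A default server (no duplicate-cn) disconnects the older session when the same common name reconnects, so on such a server the symptom of a copied certificate is a common name whose real address keeps changing between reads rather than two entries at once; keeping the previous parse and diffing real_address per common name catches that case with the same parser.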