====== Practical implementation ======

The documentation to be handed in is here: [[fernuni:dokumentation_server_gruppe_2]]

===== Summary =====

  * Server name: kurs1599-gruppe2.dyndns.org
  * Server certificate:
  * IP configuration (internal)
    * Network: 10.2.0.0/255.255.255.0, i.e. 10.2.0.0/24
    * Client 1 (peter): 10.2.0.9
    * Client 2 (robert): 10.2.0.5
    * Client 3 (dennis): 10.2.0.13

===== Base installation, setup and hardening of the system =====

==== Operating system ====

=== Version ===

<code>
dennis@ubuntu-dmz:/etc$ cat lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
</code>

=== Kernel ===

<code>
dennis@ubuntu-dmz:/etc$ uname -a
Linux ubuntu-dmz 2.6.32-23-server #37-Ubuntu SMP Fri Jun 11 09:11:11 UTC 2010 x86_64 GNU/Linux
</code>

=== Download ===

http://www.mirrorservice.org/sites/releases.ubuntu.com/10.04/ubuntu-10.04-server-amd64.iso

==== Network configuration ====

<code>
dennis@ubuntu-dmz:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b0:34:0c
          inet addr:213.178.77.174  Bcast:213.178.77.191  Mask:255.255.255.224
          inet6 addr: fe80::250:56ff:feb0:340c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:348402 (348.4 KB)  TX bytes:141452 (141.4 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
</code>

==== Services ====

<code>
dennis@ubuntu-dmz:~$ sudo netstat -nlpt
[sudo] password for dennis:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1187/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      885/master
tcp6       0      0 :::2222
</code>

Only two services listen: sshd, moved from port 22 to 2222, and the Postfix master process, which is bound to loopback only and therefore not reachable from outside. The IPv6 sshd line is cut off in the captured output.

==== 
User setup ====

<code>
dennis@ubuntu-dmz:~$ sudo adduser peter
[sudo] password for dennis:
Adding user `peter' ...
Adding new group `peter' (1003) ...
Adding new user `peter' (1002) with group `peter' ...
Creating home directory `/home/peter' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for peter
Enter the new value, or press ENTER for the default
        Full Name []: peter
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
dennis@ubuntu-dmz:~$ sudo adduser robert
Adding user `robert' ...
Adding new group `robert' (1004) ...
Adding new user `robert' (1003) with group `robert' ...
Creating home directory `/home/robert' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for robert
Enter the new value, or press ENTER for the default
        Full Name []: robert
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
</code>

The initial passwords are only needed for the one-time upload of the SSH public keys below; once password authentication is switched off in sshd they are no longer a login path.

==== Creating the SSH directories ====

<code>
root@ubuntu-dmz:~# mkdir /home/peter/.ssh
root@ubuntu-dmz:~# chown peter:peter /home/peter/.ssh
root@ubuntu-dmz:~# mkdir /home/robert/.ssh
root@ubuntu-dmz:~# chown robert:robert /home/robert/.ssh
</code>

''mkdir'' as root leaves the directory at mode 755. sshd's ''StrictModes'' only rejects group- or world-writable directories, so this is accepted, but mode 700 is the usual setting and keeps other users from listing the directory.

==== Generating the SSH key pairs ====

The key pairs were generated on the administrator's workstation (''idefix''), one RSA-2048 pair per user:

<code>
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ ssh-keygen -b 2048 -f id_rsa.peter
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.peter.
Your public key has been saved in id_rsa.peter.pub.
The key fingerprint is:
e5:7a:b2:c8:29:05:27:21:8d:25:f1:48:a3:f0:21:28 d@idefix
The key's randomart image is:
+--[ RSA 2048]----+
|+ *=.            |
|E=o*o            |
|o o... .         |
| o . o           |
| + S .           |
| . .             |
| . o .           |
| .. o +          |
| .+ .            |
+-----------------+
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ ll
insgesamt 16
drwx------ 2 d d 4096 2010-07-05 19:57 .
drwx------ 3 d d 4096 2010-07-05 19:56 ..
-rw------- 1 d d 1743 2010-07-05 19:57 id_rsa.peter
-rw------- 1 d d  390 2010-07-05 19:57 id_rsa.peter.pub
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ ssh-keygen -b 2048 -f id_rsa.robert
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.robert.
Your public key has been saved in id_rsa.robert.pub.
The key fingerprint is:
b6:ca:32:4a:93:17:4e:4c:d0:11:c8:42:e6:50:c1:c8 d@idefix
The key's randomart image is:
+--[ RSA 2048]----+
|+B++oo           |
|*E+..            |
| o .             |
| o               |
| + S             |
| + . . .         |
| + o .           |
| . oo. .         |
| .. oo           |
+-----------------+
</code>

Generating the private keys centrally means the administrator holds a copy of every user's private key. The cleaner procedure is for each user to generate the pair locally and hand over only the ''.pub'' file; if keys are generated centrally as here, they should get a passphrase at the prompt above, and the workstation copies should be deleted once delivered.

==== Authorizing the SSH keys ====

The public keys are appended to each user's ''authorized_keys'' over the (still password-protected) SSH login on port 2222:

<code>
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ cat id_rsa.peter.pub | ssh peter@213.178.77.174 -p 2222 'cat >> .ssh/authorized_keys'
peter@213.178.77.174's password:
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ cat id_rsa.robert.pub | ssh robert@213.178.77.174 -p 2222 'cat >> .ssh/authorized_keys'
robert@213.178.77.174's password:
</code>

==== Locking down the authorized keys ====

<code>
root@ubuntu-dmz:~# chown root:root /home/robert/.ssh/authorized_keys
root@ubuntu-dmz:~# chown root:root /home/peter/.ssh/authorized_keys
root@ubuntu-dmz:~# chown root:root /home/dennis/.ssh/authorized_keys
</code>

The intent is that users cannot add keys of their own. Root ownership does prevent editing the file in place, but the surrounding ''.ssh'' directory is still owned by the user, and creating or deleting a file is governed by the directory's permissions, not the file's. A user can therefore remove the root-owned file and create a fresh one with any keys. To make key management root-only, point sshd's ''AuthorizedKeysFile'' at a root-owned directory outside the home directories (OpenSSH expands ''%u'' to the login name there), so that neither the file nor its directory is writable by the user.

==== Packaging the SSH keys for delivery ====

<code>
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -czf id_rsa.peter.tar.gz id_rsa.peter*
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -tf id_rsa.peter.tar.gz
id_rsa.peter
id_rsa.peter.pub
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -czf id_rsa.robert.tar.gz id_rsa.robert*
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -tf id_rsa.robert.tar.gz
id_rsa.robert
id_rsa.robert.pub
</code>

Each archive contains the user's private key. It must reach the user over a channel separate from the one used for the passphrase, and the archives should not remain on the workstation afterwards.
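The hardening steps above (key-only logins, root-owned ''authorized_keys'', a sudo rule for the course group) can be checked in one place. The following script is an added example and is not part of the original page or the course material; it assumes the paths used on this page (/etc/ssh/sshd_config, /home/<user>/.ssh/authorized_keys, /etc/sudoers) and the group name kurs1599. The sudoers check is a heuristic on the command part of a rule, not a full sudoers parser; the rule from the "Restricting the group's rights via sudo" subsection below serves as the negative sample in the comments.

```shell
#!/bin/sh
# Added example (not part of the original page): audit of the SSH and sudo
# hardening steps. Plain POSIX sh. Paths and the group name are the ones used
# on this page. Run "sh audit.sh live" to check the real system.

# First effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword, so a later duplicate does not override it.
sshd_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# 0 when password logins are really off. PasswordAuthentication alone is not
# enough: with ChallengeResponseAuthentication yes (the upstream default), PAM
# can still ask for the password via keyboard-interactive, so an absent
# setting counts as "not hardened".
check_sshd_config() {
    [ "$(sshd_setting "$1" PasswordAuthentication)" = no ] || return 1
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = no ] || return 1
}

# 0 if an "ls -l" mode string grants write access to group or others.
writable_by_others() {
    case "$1" in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# $1 = authorized_keys path, $2 = login name. Prints one verdict:
#   unsafe        group/world-writable file or directory (sshd StrictModes rejects it)
#   user-managed  the user owns the file and can add keys at will
#   replaceable   root-owned file in a user-owned directory: not editable, but the
#                 user can unlink it and create a new one (the chown step on this
#                 page ends up here)
#   locked        file and directory are both root-owned
authorized_keys_status() {
    f=$1; u=$2; d=$(dirname "$1")
    [ -f "$f" ] || { echo missing; return 1; }
    set -- $(ls -ld "$f"); fmode=$1; fowner=$3
    set -- $(ls -ld "$d"); dmode=$1; downer=$3
    if writable_by_others "$fmode" || writable_by_others "$dmode"; then echo unsafe; return 1; fi
    if [ "$fowner" = "$u" ]; then echo user-managed; return 1; fi
    if [ "$fowner" = root ] && [ "$downer" = root ]; then echo locked; return 0; fi
    if [ "$fowner" = root ]; then echo replaceable; return 2; fi
    echo unsafe; return 1
}

# Heuristic check of one sudoers user specification (not a full parser).
# Rejects wildcards or ALL in the command path and programs that can spawn a
# shell. The page's rule "%kurs1599 ALL = (root) /usr/bin/* /etc/openvpn/*, ..."
# fails: it lets the group run vim (and :!sh) as root, and argument wildcards
# match across spaces, so extra arguments slip through as well.
# A rule limited to what the group needs, for comparison:
#   %kurs1599 ALL = (root) /etc/init.d/openvpn start, /etc/init.d/openvpn stop, \
#                          /etc/init.d/openvpn restart, /usr/bin/tail -n 100 /var/log/openvpn/openvpn.log
sudoers_rule_ok() (
    set -f                                   # keep "*" literal: no pathname expansion below
    cmds=$(printf '%s' "${1#*=}" | sed 's/([^)]*)//g; s/[A-Z]*://g')   # drop (runas) and TAG: parts
    oldifs=$IFS; IFS=','
    for spec in $cmds; do
        IFS=$oldifs
        set -- $spec
        cmd=${1:-}
        case "$cmd" in *'*'*|*'?'*|ALL) exit 1 ;; esac
        case "${cmd##*/}" in
            sh|bash|dash|vi|vim|nano|less|more|su|find|awk|perl|python) exit 1 ;;
        esac
    done
    exit 0
)

audit_host() {
    check_sshd_config /etc/ssh/sshd_config && echo "sshd: password logins off" || echo "sshd: password logins still possible"
    for u in peter robert dennis; do
        printf '%s: %s\n' "$u" "$(authorized_keys_status "/home/$u/.ssh/authorized_keys" "$u")"
    done
    [ -r /etc/sudoers ] && grep -E '^[[:space:]]*[%A-Za-z_][^#]*=' /etc/sudoers |
        grep -Ev '^[[:space:]]*(Defaults|[A-Za-z_]+_Alias)' |
        while IFS= read -r line; do
            sudoers_rule_ok "$line" && echo "sudoers ok:        $line" || echo "sudoers TOO BROAD: $line"
        done
}

if [ "${1:-}" = live ]; then audit_host; fi
```

Reading /etc/sudoers needs root, so the live run is meant to be started with sudo; the individual functions work on any readable copy of the files.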
==== Adding the users to the course group ====

<code>
dennis@ubuntu-dmz:~$ sudo adduser robert kurs1599
Adding user `robert' to group `kurs1599' ...
Adding user robert to group kurs1599
Done.
dennis@ubuntu-dmz:~$ sudo adduser peter kurs1599
Adding user `peter' to group `kurs1599' ...
Adding user peter to group kurs1599
Done.
</code>

==== Disabling password login over SSH ====

<code>
dennis@ubuntu-dmz:~$ sudo vim /etc/ssh/sshd_config
[...]
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
[...]
</code>

sshd reads its configuration only at start or reload, so the daemon has to be reloaded for this to take effect; keep the current session open and confirm a key-based login from a second session before closing it. Ubuntu's shipped sshd_config also carries ''ChallengeResponseAuthentication no''; that line must stay, because with challenge-response enabled PAM could still prompt for the password through keyboard-interactive authentication even though ''PasswordAuthentication'' is off.

==== Restricting the group's rights via sudo ====

<code>
dennis@ubuntu-dmz:~$ sudo visudo
%kurs1599 ALL = (root) /usr/bin/* /etc/openvpn/*, /bin/* /etc/openvpn/*, /etc/init.d/openvpn
</code>

This rule grants far more than the intended "manage OpenVPN". In sudoers a ''*'' in the command part matches any program in that directory, and wildcards in the argument part match across spaces, so the rule lets every program in /usr/bin and /bin run as root as long as the argument string begins with /etc/openvpn/: an editor with a shell escape, or a shell handed a script path, is enough for full root. What the group actually needs is a rule that lists exact commands with fixed arguments, such as the openvpn init script with ''start'', ''stop'' and ''restart'' and a fixed log-viewing command.

==== Setting up DNS ====

  * External IP: 213.178.77.174
  * External DNS name: kurs1599-gruppe2.dyndns.org
  * Provider: DynDNS

===== Installing and configuring the OpenVPN server for client-to-server VPN connections =====

==== OpenVPN version ====

<code>
dennis@ubuntu-dmz:/etc$ apt-cache policy openvpn
openvpn:
  Installed: 2.1.0-1ubuntu1
  Candidate: 2.1.0-1ubuntu1
  Version table:
 *** 2.1.0-1ubuntu1 0
        500 http://de.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
</code>

==== OpenVPN downloads ====

The server on this page uses the community ''openvpn'' package from the Ubuntu archive. The links below point at OpenVPN Access Server (the separately packaged product) and its clients and how-tos.

=== Server ===

  * Red Hat http://www.openvpn.net/index.php/access-server/download-openvpn-as.html?osfamily=RedHat
  * CentOS http://www.openvpn.net/index.php/access-server/download-openvpn-as.html?osfamily=CentOS
  * Ubuntu http://www.openvpn.net/index.php/access-server/download-openvpn-as.html?osfamily=Ubuntu
  * Fedora http://www.openvpn.net/index.php/access-server/download-openvpn-as.html?osfamily=Fedora
  * Windows http://www.openvpn.net/index.php/access-server/download-openvpn-as/202.html?osfamily=Virtual%20Appliance%20Windows%20(VHD)&ex=1

=== Clients ===

  * Windows http://swupdate.openvpn.net/downloads/openvpn-client.msi
  * Linux (how-to) http://www.openvpn.net/index.php/access-server/howto-openvpn-as/182-how-to-connect-to-access-server-with-linux-clients.html
  * Mac OS X (how-to) http://www.openvpn.net/index.php/access-server/howto-openvpn-as/183-how-to-connect-to-access-server-from-a-mac.html

==== Installing the openvpn package ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ sudo aptitude install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed:
  liblzo2-2{a} libpkcs11-helper1{a} openssl-blacklist{a} openvpn openvpn-blacklist{a}
0 packages upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,963kB of archives. After unpacking 16.3MB will be used.
Do you want to continue? [Y/n/?]
Writing extended state information... Done
Get:1 http://de.archive.ubuntu.com/ubuntu/ lucid/main openssl-blacklist 0.5-2 [6,338kB]
Get:2 http://de.archive.ubuntu.com/ubuntu/ lucid/main liblzo2-2 2.03-2 [59.2kB]
Get:3 http://de.archive.ubuntu.com/ubuntu/ lucid/main libpkcs11-helper1 1.07-1build1 [48.1kB]
Get:4 http://de.archive.ubuntu.com/ubuntu/ lucid/main openvpn-blacklist 0.4 [1,068kB]
Get:5 http://de.archive.ubuntu.com/ubuntu/ lucid/main openvpn 2.1.0-1ubuntu1 [449kB]
Fetched 7,963kB in 33s (240kB/s)
Preconfiguring packages ...
Selecting previously deselected package openssl-blacklist.
(Reading database ... 45616 files and directories currently installed.)
Unpacking openssl-blacklist (from .../openssl-blacklist_0.5-2_all.deb) ...
Selecting previously deselected package liblzo2-2.
Unpacking liblzo2-2 (from .../liblzo2-2_2.03-2_amd64.deb) ...
Selecting previously deselected package libpkcs11-helper1.
Unpacking libpkcs11-helper1 (from .../libpkcs11-helper1_1.07-1build1_amd64.deb) ...
Selecting previously deselected package openvpn-blacklist.
Unpacking openvpn-blacklist (from .../openvpn-blacklist_0.4_all.deb) ...
Selecting previously deselected package openvpn.
Unpacking openvpn (from .../openvpn_2.1.0-1ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up openssl-blacklist (0.5-2) ...
Setting up liblzo2-2 (2.03-2) ...
Setting up libpkcs11-helper1 (1.07-1build1) ...
Setting up openvpn-blacklist (0.4) ...
Setting up openvpn (2.1.0-1ubuntu1) ...
 * Restarting virtual private network daemon(s)...
 *   No VPN is running.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
</code>

The two ''*-blacklist'' packages pulled in here hold the fingerprints of keys produced by the broken Debian OpenSSL random number generator of 2008; the Ubuntu openvpn package uses them to refuse such keys.

==== Copying the easy-rsa template ====

<code>
dennis@ubuntu-dmz:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /var/tmp/easy-rsa
</code>

==== Adapting the defaults in vars ====

<code>
dennis@ubuntu-dmz:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ cd /var/tmp/easy-rsa/
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ vim vars
[...]
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="DE"
export KEY_PROVINCE="NRW"
export KEY_CITY="Hagen"
export KEY_ORG="Fernuniversitaet Hagen"
export KEY_EMAIL="dummy@dummy.org"
[...]
</code>

''vars'' also holds ''KEY_SIZE'', which was left at the easy-rsa default of 1024 bits. It determines the RSA size of the CA, server and client keys and of the DH parameters generated below; 1024 bits is no longer considered adequate, so 2048 should be set before building the CA.

==== Loading the defaults for key generation ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /var/tmp/easy-rsa/keys
</code>

==== Removing old keys ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./clean-all
</code>

This is a one-time step for a fresh PKI. Running it later deletes the CA key and every issued certificate, and clients would then have to be re-issued.

==== Creating the CA certificate and key ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-ca
Generating a 1024 bit RSA private key
..................++++++
.................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [Fernuniversitaet Hagen CA]:Fernuniversitaet Hagen Kurs 1599 Gruppe 2
Name []:
Email Address [dummy@dummy.org]:
</code>

==== Creating the certificate and private key for the OpenVPN server ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key-server server
Generating a 1024 bit RSA private key
.........................++++++
...................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [server]:213.178.77.174
Name []:
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'213.178.77.174'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:24:15 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

The server's Common Name is the external IP address. OpenVPN clients do not compare the CN with the address they connect to, so this works with the DynDNS name as well. What distinguishes this certificate from the client certificates issued by the same CA is the ''nsCertType=server'' extension that ''build-key-server'' adds; the clients should verify it (see the note on client.conf below).

==== Creating the first client certificate ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key client1
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [client1]:peter
Name []:Peter Palsbroeker
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'peter'
name                  :PRINTABLE:'Peter Palsbroeker'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:25:08 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

The file names stay ''client1.crt''/''client1.key'', but the Common Name is the login name. The CN is what the server uses to look up the per-client file in the ''ccd'' directory later, so it has to match the file name there exactly.

==== Creating the second client certificate ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key client2
Generating a 1024 bit RSA private key
..................++++++
..++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [client2]:robert
Name []:Robert Saunders
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'robert'
name                  :PRINTABLE:'Robert Saunders'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:26:07 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

==== Creating the third client certificate ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key client3
Generating a 1024 bit RSA private key
...........++++++
..............................++++++
writing new private key to 'client3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [client3]:dennis
Name []:Dennis Guennewig
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'dennis'
name                  :PRINTABLE:'Dennis Guennewig'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:26:27 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

==== Generating the Diffie-Hellman parameters for the OpenVPN server ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........+........................................+.....+............+....[...]..............++*++*++*
</code>

The result is written to ''keys/dh1024.pem'' (the file name follows ''KEY_SIZE''), which ''server.conf'' references below.

==== Creating a backup copy of the certificates and keys ====

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ tar -czf keys.tar.gz keys/
d@idefix ~/Desktop/20100701_openvpn/openvpn/ $ scp openvpn:/var/tmp/easy*/keys.tar.gz ./
</code>

The archive contains ''ca.key'' and every private key issued so far. Whoever holds ''ca.key'' can issue certificates the server will accept, so this copy belongs on an offline or encrypted medium, not on a desktop; the easy-rsa directory under /var/tmp should likewise not be the permanent home of the CA.

==== Placing the certificates and the server key ====

<code>
root@ubuntu-dmz:/etc/openvpn# mkdir certs
root@ubuntu-dmz:/etc/openvpn# cp /var/tmp/easy*/keys/server2.crt /var/tmp/easy*/keys/server2.key /var/tmp/easy*/keys/ca.crt ./certs/
</code>

The file names in this command (''server2.*'') match neither the certificate built above (''server.crt''/''server.key'') nor the names referenced in ''server.conf''; the ''server.*'' pair is the one to copy. ''keys/dh1024.pem'' has to be copied as well, since ''server.conf'' points at ''certs/dh1024.pem''. The private key should be readable by root only; OpenVPN reads it before dropping to ''nobody''.
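The certificate steps above can be run without the interactive prompts, and the copy into /etc/openvpn/certs should check that everything server.conf needs is actually there. The script below is an added example, not code from this page or from easy-rsa. It assumes the easy-rsa copy at /var/tmp/easy-rsa and the target directory /etc/openvpn/certs used on this page, and that ''pkitool'' (the script that ''build-ca'', ''build-key-server'' and ''build-key'' wrap in easy-rsa 2.0, non-interactive unless called with ''--interact'') is present in that copy. Only ''install_server_keys'' and ''client_bundle'' run offline; ''build_pki'' needs the real easy-rsa tree.

```shell
#!/bin/sh
# Added example (not part of the original page): batch issuance with easy-rsa
# 2.0's pkitool, installation of the server material under the names
# server.conf expects, and per-client bundles that never contain ca.key.
# Paths are the ones used on this page; EASY_RSA_DIR can be overridden.

EASY_RSA_DIR=${EASY_RSA_DIR:-/var/tmp/easy-rsa}

# Batch equivalent of build-ca / build-key-server / build-key / build-dh.
# pkitool takes the DN defaults from ./vars. KEY_SIZE is raised because the
# 1024-bit default used on this page is too small today; build-dh then writes
# keys/dh2048.pem, and server.conf must reference that name.
# clean-all wipes keys/, so this is for a fresh PKI only.
build_pki() (
    cd "$EASY_RSA_DIR" || exit 1
    . ./vars                               # same as "source ./vars"
    export KEY_SIZE=2048
    ./clean-all
    ./pkitool --initca                     # ca.crt / ca.key
    ./pkitool --server server              # server.crt with nsCertType=server
    for cn in peter robert dennis; do      # CN = login name = ccd file name
        ./pkitool "$cn"
    done
    ./build-dh
)

# Copy CA cert, server cert/key and DH parameters into the config directory.
# Fails when a file is missing (the server2.* names on this page would be
# caught here) and makes the private key root-only; openvpn reads it before
# dropping to nobody/nogroup. Prints the "dh" line server.conf must carry.
install_server_keys() {
    src=$1; dst=$2
    for f in ca.crt server.crt server.key; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    done
    set -- "$src"/dh*.pem
    [ $# -eq 1 ] && [ -f "$1" ] || { echo "need exactly one dh*.pem in $src" >&2; return 1; }
    dh=$1
    mkdir -p "$dst" || return 1
    cp "$src/ca.crt" "$src/server.crt" "$dh" "$dst"/ || return 1
    cp "$src/server.key" "$dst/server.key" || return 1
    chmod 644 "$dst/ca.crt" "$dst/server.crt" "$dst/${dh##*/}"
    chmod 600 "$dst/server.key"
    echo "dh certs/${dh##*/}"
}

# Pack what one client needs (CA cert, its own cert and key) for transfer.
# $2 is the file base name (client1 ... on this page), $3 an absolute output
# path. ca.key is never included; a name without a key pair is refused.
client_bundle() {
    src=$1; name=$2; out=$3
    [ -f "$src/$name.key" ] && [ -f "$src/$name.crt" ] || { echo "no cert/key for $name in $src" >&2; return 1; }
    ( cd "$src" && tar -czf "$out" ca.crt "$name.crt" "$name.key" ) || return 1
    chmod 600 "$out"
    tar -tzf "$out"                        # list the contents so the caller can verify them
}

# Usage on the server (as root): sh pki.sh install
if [ "${1:-}" = install ]; then
    install_server_keys "$EASY_RSA_DIR/keys" /etc/openvpn/certs
    for n in client1 client2 client3; do
        client_bundle "$EASY_RSA_DIR/keys" "$n" "$EASY_RSA_DIR/$n.tar.gz"
    done
fi
```

The bundles still have to reach the users over a trusted channel, as with the SSH keys above; what the function guarantees is only that the CA's private key cannot end up in them by accident.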
==== Adjusting server.conf ====

Server configuration file: {{:fernuni:server.conf.gz|}}

<code>
root@ubuntu-dmz:/etc/openvpn# cat server.conf
[...]
ca certs/ca.crt
cert certs/server.crt
key certs/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh certs/dh1024.pem

# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.2.0.0 255.255.255.0

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.0.0.0 255.0.0.0"

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir ccd
route 10.2.0.0 255.255.255.252

# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 3

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
log-append  /var/log/openvpn/openvpn.log

# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
[...]
</code>

Notes on the settings that differ from the template:

  * ''server 10.2.0.0 255.255.255.0'': the server takes 10.2.0.1 and, with the default net30 topology, hands each client its own /30 from this pool. The template comment still mentions 10.8.0.1.
  * ''push "route 10.0.0.0 255.0.0.0"'': sends the whole 10/8 range through the tunnel on every client, far more than the 10.2.0.0/24 the VPN uses. Unless further 10.x networks sit behind the server, this only captures unrelated private-address traffic on the clients.
  * ''route 10.2.0.0 255.255.255.252'' is left over from the template's fixed-address example. The ''server'' directive already installs a route for the whole pool, so this line is not needed for ''ifconfig-push'' to work.
  * ''client-to-client'' is what allows the client-to-client pings in the test section; without it the clients only reach the server.
  * ''max-clients 3'' fits the three users exactly. If the peer servers whose certificates are issued in the server-to-server section connect to this instance as well, it has to be raised.
  * ''user nobody''/''group nogroup'': keys and DH parameters are read before the privilege drop, so they can stay root-only; the ''ccd'' directory, however, is read at each client connect and must be readable by ''nobody''.
  * The directory /var/log/openvpn for the status and log files has to exist before the first start; the template writes both to the current directory.
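The fixed addresses configured through ''client-config-dir'' depend on three things fitting together: the ccd file name equals the certificate's Common Name, each ''ifconfig-push'' pair is a valid /30 endpoint pair inside the server pool, and no address is handed out twice. The script below is an added example and not part of the original page; it checks those conditions for ccd entries like the ones shown in the next subsection against ''server.conf'' and the easy-rsa certificate database ''keys/index.txt''. The sample tree it builds is constructed (index.txt lines modelled on the easy-rsa layout, not copied from a real database) so that it runs offline; the live paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not part of the original page): consistency check of the
# OpenVPN client-config-dir against the server pool and the easy-rsa index.
# Usage: sh ccdcheck.sh demo   (constructed sample)   |   sh ccdcheck.sh live

ip2int() {                       # dotted quad -> integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 when $1/$2 form a valid net30 endpoint pair. OpenVPN 2.1's default tun
# topology gives each client a /30, so the last octets must be one of
# [1,2] [5,6] [9,10] [13,14] ... (x = 1 mod 4, peer = x + 1), same /24.
net30_pair_ok() {
    c=${1##*.}; p=${2##*.}
    [ "${1%.*}" = "${2%.*}" ] || return 1
    [ $((c % 4)) -eq 1 ] && [ "$p" -eq $((c + 1)) ]
}

# CNs of the certificates still valid ("V") in an easy-rsa index.txt.
# Columns are tab-separated: status, expiry, revocation date, serial, file, DN.
valid_cns() {
    awk -F'\t' '$1 == "V" {
        n = split($6, a, "/")
        for (i = 1; i <= n; i++) if (a[i] ~ /^CN=/) print substr(a[i], 4)
    }' "$1"
}

# $1 server.conf, $2 ccd directory, $3 index.txt. Prints one line per problem
# and returns 0 only when every ccd entry is usable.
ccd_audit() {
    conf=$1; dir=$2; idx=$3; problems=0; seen=" "
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$conf")
    [ $# -eq 2 ] || { echo "no server directive in $conf"; return 1; }
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    cns=" $(valid_cns "$idx" | tr '\n' ' ') "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}                                  # file name must equal the certificate CN
        case "$cns" in *" $cn "*) ;; *) echo "$cn: no valid certificate with this CN"; problems=$((problems + 1)) ;; esac
        set -- $(awk '$1 == "ifconfig-push" { print $2, $3; exit }' "$f")
        [ $# -eq 2 ] || { echo "$cn: no ifconfig-push line"; problems=$((problems + 1)); continue; }
        net30_pair_ok "$1" "$2" || { echo "$cn: $1 $2 is not a net30 endpoint pair"; problems=$((problems + 1)); }
        [ $(( $(ip2int "$1") & mask )) -eq "$net" ] || { echo "$cn: $1 is outside the server pool"; problems=$((problems + 1)); }
        [ "$(ip2int "$1")" -ne $((net + 1)) ] || { echo "$cn: $1 is the server's own address"; problems=$((problems + 1)); }
        case "$seen" in *" $1 "*) echo "$cn: $1 is assigned twice"; problems=$((problems + 1)) ;; esac
        seen="$seen$1 "
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample tree mirroring this page's setup (the index.txt lines are
# illustrative; "mallory" is a revoked certificate to show the CN check).
make_sample() {
    mkdir -p "$1/ccd"
    echo 'server 10.2.0.0 255.255.255.0' > "$1/server.conf"
    {
        printf 'V\t200703162415Z\t\t01\tunknown\t/C=DE/O=Fernuniversitaet Hagen/CN=server\n'
        printf 'V\t200703162508Z\t\t02\tunknown\t/C=DE/O=Fernuniversitaet Hagen/CN=peter\n'
        printf 'V\t200703162607Z\t\t03\tunknown\t/C=DE/O=Fernuniversitaet Hagen/CN=robert\n'
        printf 'V\t200703162627Z\t\t04\tunknown\t/C=DE/O=Fernuniversitaet Hagen/CN=dennis\n'
        printf 'R\t200703162700Z\t100801120000Z\t05\tunknown\t/C=DE/O=Fernuniversitaet Hagen/CN=mallory\n'
    } > "$1/index.txt"
    echo 'ifconfig-push 10.2.0.5 10.2.0.6'   > "$1/ccd/robert"
    echo 'ifconfig-push 10.2.0.9 10.2.0.10'  > "$1/ccd/peter"
    echo 'ifconfig-push 10.2.0.13 10.2.0.14' > "$1/ccd/dennis"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_sample "$d"
    ccd_audit "$d/server.conf" "$d/ccd" "$d/index.txt" && echo "ccd consistent"
    rm -rf "$d"
elif [ "${1:-}" = live ]; then
    ccd_audit /etc/openvpn/server.conf /etc/openvpn/ccd /var/tmp/easy-rsa/keys/index.txt
fi
```

A ccd file whose name matches no valid CN is silently ignored by OpenVPN (the client simply gets a pool address), and an invalid /30 pair is only reported in the server log at connect time, which is why both are worth checking before the first client dials in.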
==== Adapting client.conf ====

Client configuration file: {{:fernuni:client.conf.gz|}}

<code>
root@ubuntu-dmz:/etc/openvpn# cat client.conf
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote kurs1599-gruppe2.dyndns.org 1194
;remote my-server-2 1194

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca keys/ca.crt
cert keys/client23.crt
key keys/client23.key
[...]
</code>

The ''remote'' name has to be the DynDNS name registered in the DNS section (kurs1599-gruppe2.dyndns.org). ''client23'' stands for the client's own pair: each user gets the ''client1'', ''client2'' or ''client3'' files built above together with ''ca.crt''. The excerpt does not show ''ns-cert-type server''; it should be enabled. Server and client certificates all come from the same CA here, so without that check any client certificate would be accepted by a client as the server's, and one VPN user could impersonate the server towards another. The ''nsCertType=server'' extension that ''build-key-server'' added is exactly what this option verifies.

==== Client configuration for static IP addresses ====

<code>
dennis@ubuntu-dmz:/etc/openvpn$ cat ccd/robert
ifconfig-push 10.2.0.5 10.2.0.6
dennis@ubuntu-dmz:/etc/openvpn$ cat ccd/peter
ifconfig-push 10.2.0.9 10.2.0.10
dennis@ubuntu-dmz:/etc/openvpn$ cat ccd/dennis
ifconfig-push 10.2.0.13 10.2.0.14
</code>

The file name must equal the certificate's Common Name (peter, robert, dennis as set above); an entry with a different name is never applied and the client silently gets a pool address instead. The address pairs are /30 endpoint pairs as the default net30 topology requires (last octets [1,2] [5,6] [9,10] [13,14] ...); 10.2.0.1/10.2.0.2 is the server's own pair and must not be assigned. Since the daemon runs as ''nobody'' and reads the ccd files at each connect, the directory has to be readable by that user.

==== Enabling routing on the server ====

<code>
dennis@ubuntu-dmz:~$ sudo sysctl -e net.ipv4.conf.all.forwarding=1
dennis@ubuntu-dmz:~$ cat /etc/sysctl.conf
[...]
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
[...]
</code>

The sysctl call switches forwarding on immediately; the uncommented line in /etc/sysctl.conf makes it survive a reboot. Forwarding is only needed for traffic that leaves the tunnel (the pushed 10/8 route); traffic between the clients themselves is handled by ''client-to-client'' inside the daemon. No firewall rules for the tun interface are documented, so with forwarding enabled the server forwards whatever the clients send to any network it can reach.

===== Testing the OpenVPN connection =====

==== Robert ====

<code>
c:\>ping 10.2.0.13 REM Dennis

Ping wird ausgeführt für 10.2.0.13 mit 32 Bytes Daten:
Antwort von 10.2.0.13: Bytes=32 Zeit=107ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=108ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=105ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=107ms TTL=64

Ping-Statistik für 10.2.0.13:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 105ms, Maximum = 108ms, Mittelwert = 106ms

c:\>ping 10.2.0.9 REM Peter

Ping wird ausgeführt für 10.2.0.9 mit 32 Bytes Daten:
Antwort von 10.2.0.9: Bytes=32 Zeit=288ms TTL=64
Antwort von 10.2.0.9: Bytes=32 Zeit=221ms TTL=64
Antwort von 10.2.0.9: Bytes=32 Zeit=299ms TTL=64
Antwort von 10.2.0.9: Bytes=32 Zeit=349ms TTL=64

Ping-Statistik für 10.2.0.9:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 221ms, Maximum = 349ms, Mittelwert = 289ms
</code>

==== Peter ====

<code>
c:\Dokumente und Einstellungen\Administrator>ping 10.2.0.5 REM Robert

Ping wird ausgeführt für 10.2.0.5 mit 32 Bytes Daten:
Antwort von 10.2.0.5: Bytes=32 Zeit=242ms TTL=128
Antwort von 10.2.0.5: Bytes=32 Zeit=1891ms TTL=128
Antwort von 10.2.0.5: Bytes=32 Zeit=227ms TTL=128
Antwort von 10.2.0.5: Bytes=32 Zeit=209ms TTL=128

Ping-Statistik für 10.2.0.5:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 209ms, Maximum = 1891ms, Mittelwert = 642ms

c:\Dokumente und Einstellungen\Administrator>ping 10.2.0.13 REM Dennis

Ping wird ausgeführt für 10.2.0.13 mit 32 Bytes Daten:
Antwort von 10.2.0.13: Bytes=32 Zeit=738ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=452ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=207ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=193ms TTL=64

Ping-Statistik für 10.2.0.13:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 193ms, Maximum = 738ms, Mittelwert = 397ms
</code>

==== Dennis ====

<code>
d@idefix ~/ $ ping 10.2.0.9 #Peter
PING 10.2.0.9 (10.2.0.9) 56(84) bytes of data.
64 bytes from 10.2.0.9: icmp_seq=1 ttl=64 time=291 ms
64 bytes from 10.2.0.9: icmp_seq=2 ttl=64 time=213 ms
64 bytes from 10.2.0.9: icmp_seq=3 ttl=64 time=209 ms
64 bytes from 10.2.0.9: icmp_seq=4 ttl=64 time=573 ms
64 bytes from 10.2.0.9: icmp_seq=5 ttl=64 time=209 ms
^C
--- 10.2.0.9 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19004ms
rtt min/avg/max/mdev = 206.355/270.732/573.781/101.273 ms
d@idefix ~/ $ ping 10.2.0.5 #Robert
PING 10.2.0.5 (10.2.0.5) 56(84) bytes of data.
64 bytes from 10.2.0.5: icmp_seq=1 ttl=128 time=111 ms
64 bytes from 10.2.0.5: icmp_seq=2 ttl=128 time=109 ms
64 bytes from 10.2.0.5: icmp_seq=3 ttl=128 time=112 ms
64 bytes from 10.2.0.5: icmp_seq=4 ttl=128 time=108 ms
64 bytes from 10.2.0.5: icmp_seq=5 ttl=128 time=111 ms
64 bytes from 10.2.0.5: icmp_seq=6 ttl=128 time=110 ms
64 bytes from 10.2.0.5: icmp_seq=7 ttl=128 time=109 ms
^C
--- 10.2.0.5 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6005ms
rtt min/avg/max/mdev = 108.271/110.448/112.551/1.509 ms
</code>

All three clients reach each other on their fixed addresses, which confirms both the ccd assignments and ''client-to-client''. The replies arrive with the senders' initial TTL (64 from the Linux hosts, 128 from Robert's Windows machine), not decremented by one: with ''client-to-client'' the server passes packets between clients inside the OpenVPN process rather than through the kernel's IP forwarding, so no router hop is counted.

===== Installing and configuring the OpenVPN server for server-to-server VPN connections =====

==== Creating the client certificates and keys ====

Only the certificate issuance for the peer servers is documented here. The certificates come from the same CA as the user certificates, so this server accepts the peers like any other client; the ''max-clients'' limit in ''server.conf'' has to account for them.

=== Server 1 ===

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key server1_client
Generating a 1024 bit RSA private key
.++++++
...........................++++++
writing new private key to 'server1_client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [server1_client]:
Name []:
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :T61STRING:'server1_client'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul 23 11:29:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

=== Server 3 ===

<code>
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key server3_client
Generating a 1024 bit RSA private key
..............................................................................................................................++++++
....................................................++++++
writing new private key to 'server3_client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [server3_client]:
Name []:Client-Zertifikat Server 3
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :T61STRING:'server3_client'
name                  :PRINTABLE:'Client-Zertifikat Server 3'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul 23 11:28:56 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

The Common Names ''server1_client'' and ''server3_client'' are the names to use for ''ccd'' entries should the peers get fixed tunnel addresses as well.

====== Conclusion ======

  * Outlook
  * Points of criticism
  * Suggestions for improvement