Practical Implementation
This is the documentation to be handed in: dokumentation_server_gruppe_2
Summary
- Server name: kurs1599-gruppe2.dyndns.org
- Server certificate:
- IP configuration (internal)
- Network: 10.2.0.0/255.255.255.0, i.e. 10.2.0.0/24
- Client 1 (peter): 10.2.0.9
- Client 2 (robert): 10.2.0.5
- Client 3 (dennis): 10.2.0.13
Base installation, setup and hardening of the system
Operating system
Version
dennis@ubuntu-dmz:/etc$ cat lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
Kernel
dennis@ubuntu-dmz:/etc$ uname -a
Linux ubuntu-dmz 2.6.32-23-server #37-Ubuntu SMP Fri Jun 11 09:11:11 UTC 2010 x86_64 GNU/Linux
Download
Network configuration
dennis@ubuntu-dmz:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:b0:34:0c
inet addr:213.178.77.174 Bcast:213.178.77.191 Mask:255.255.255.224
inet6 addr: fe80::250:56ff:feb0:340c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4886 errors:0 dropped:0 overruns:0 frame:0
TX packets:1256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:348402 (348.4 KB) TX bytes:141452 (141.4 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Services
dennis@ubuntu-dmz:~$ sudo netstat -nlpt
[sudo] password for dennis:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1187/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      885/master
tcp6       0      0 :::2222
User setup
dennis@ubuntu-dmz:~$ sudo adduser peter
[sudo] password for dennis:
Adding user `peter' ...
Adding new group `peter' (1003) ...
Adding new user `peter' (1002) with group `peter' ...
Creating home directory `/home/peter' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for peter
Enter the new value, or press ENTER for the default
	Full Name []: peter
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
dennis@ubuntu-dmz:~$ sudo adduser robert
Adding user `robert' ...
Adding new group `robert' (1004) ...
Adding new user `robert' (1003) with group `robert' ...
Creating home directory `/home/robert' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for robert
Enter the new value, or press ENTER for the default
	Full Name []: robert
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
Creating the SSH directories
root@ubuntu-dmz:~# mkdir /home/peter/.ssh
root@ubuntu-dmz:~# chown peter:peter /home/peter/.ssh
root@ubuntu-dmz:~# mkdir /home/robert/.ssh
root@ubuntu-dmz:~# chown robert:robert /home/robert/.ssh
Generating the SSH public/private key pairs
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ ssh-keygen -b 2048 -f id_rsa.peter
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.peter.
Your public key has been saved in id_rsa.peter.pub.
The key fingerprint is:
e5:7a:b2:c8:29:05:27:21:8d:25:f1:48:a3:f0:21:28 d@idefix
The key's randomart image is:
+--[ RSA 2048]----+
|+ *=.            |
|E=o*o            |
|o o... .         |
| o . o           |
| + S .           |
| . .             |
| . o .           |
| .. o +          |
| .+ .            |
+-----------------+
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ ll
insgesamt 16
drwx------ 2 d d 4096 2010-07-05 19:57 .
drwx------ 3 d d 4096 2010-07-05 19:56 ..
-rw------- 1 d d 1743 2010-07-05 19:57 id_rsa.peter
-rw------- 1 d d  390 2010-07-05 19:57 id_rsa.peter.pub
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ ssh-keygen -b 2048 -f id_rsa.robert
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.robert.
Your public key has been saved in id_rsa.robert.pub.
The key fingerprint is:
b6:ca:32:4a:93:17:4e:4c:d0:11:c8:42:e6:50:c1:c8 d@idefix
The key's randomart image is:
+--[ RSA 2048]----+
|+B++oo           |
|*E+..            |
| o .             |
| o               |
| + S             |
| + . . .         |
| + o .           |
| . oo. .         |
| .. oo           |
+-----------------+
Authorizing the SSH keys
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ cat id_rsa.peter.pub | ssh peter@213.178.77.174 -p 2222 'cat >> .ssh/authorized_keys'
peter@213.178.77.174's password:
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ cat id_rsa.robert.pub | ssh robert@213.178.77.174 -p 2222 'cat >> .ssh/authorized_keys'
robert@213.178.77.174's password:
Securing the SSH keys
root@ubuntu-dmz:~# chown root:root /home/robert/.ssh/authorized_keys
root@ubuntu-dmz:~# chown root:root /home/peter/.ssh/authorized_keys
root@ubuntu-dmz:~# chown root:root /home/dennis/.ssh/authorized_keys
Packaging the SSH keys for sending
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -czf id_rsa.peter.tar.gz id_rsa.peter*
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -tf id_rsa.peter.tar.gz
id_rsa.peter
id_rsa.peter.pub
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -czf id_rsa.robert.tar.gz id_rsa.robert*
d@idefix ~/Desktop/20100701_openvpn/ssh/ $ tar -tf id_rsa.robert.tar.gz
id_rsa.robert
id_rsa.robert.pub
Adding the users to the default group
dennis@ubuntu-dmz:~$ sudo adduser robert kurs1599
Adding user `robert' to group `kurs1599' ...
Adding user robert to group kurs1599
Done.
dennis@ubuntu-dmz:~$ sudo adduser peter kurs1599
Adding user `peter' to group `kurs1599' ...
Adding user peter to group kurs1599
Done.
Disabling password login via SSH
dennis@ubuntu-dmz:~$ sudo vim /etc/ssh/sshd_config
[...]
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
[...]
Restricting the group's privileges via sudo
dennis@ubuntu-dmz:~$ sudo visudo
%kurs1599 ALL = (root) /usr/bin/* /etc/openvpn/*, /bin/* /etc/openvpn/*, /etc/init.d/openvpn
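An added audit helper (not from the original documentation) for the three hardening steps above: it reads the effective PasswordAuthentication value the way sshd does (the first uncommented occurrence wins, so a "no" appended below an earlier "yes" has no effect), checks the ownership and mode scheme used for .ssh/authorized_keys, and lists which command specs of the sudoers rule use globs, since /usr/bin/* and /bin/* admit every program in those directories rather than only the OpenVPN tooling. The sshd_config and sudoers samples are constructed from the page's values; the file-system demo uses temporary directories and the current uid because a non-root run cannot chown to root.

```python
"""Audit helpers for the SSH and sudo hardening steps above. Added example, not part
of the group's documentation; sshd_config parsing covers global options only."""
import os
import re
import shutil
import stat
import tempfile
from typing import List


def effective_sshd_option(config_text: str, option: str, default: str) -> str:
    """sshd honours the FIRST uncommented occurrence of an option, so a
    'PasswordAuthentication no' appended below an earlier 'yes' changes nothing."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)[\s=]+(.*)$", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":          # conditional block begins: global scope ends here
            break
        if key == option.lower():
            return value
    return default


def audit_sshd(config_text: str) -> List[str]:
    """The setting changed above: clear-text password logins must be off."""
    if effective_sshd_option(config_text, "PasswordAuthentication", "yes").lower() != "no":
        return ["PasswordAuthentication is not 'no': password logins are still accepted"]
    return []


def audit_authorized_keys(home: str, user_uid: int, owner_uid: int = 0) -> List[str]:
    """Mirrors the scheme above: ~/.ssh is 0700 and owned by the user; authorized_keys
    is owned by owner_uid (root on the page, so the user cannot add keys) and is not
    group/world writable (sshd's StrictModes refuses it otherwise)."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    try:
        st = os.stat(ssh_dir)
    except FileNotFoundError:
        return [f"{ssh_dir} is missing"]
    if st.st_uid != user_uid:
        findings.append(f"{ssh_dir} is owned by uid {st.st_uid}, expected {user_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{ssh_dir} mode {oct(stat.S_IMODE(st.st_mode))} is wider than 0700")
    try:
        st = os.stat(keys)
    except FileNotFoundError:
        return findings + [f"{keys} is missing"]
    if st.st_uid != owner_uid:
        findings.append(f"{keys} is owned by uid {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o022:
        findings.append(f"{keys} is group/world writable")
    return findings


def sudoers_wildcard_commands(rule: str) -> List[str]:
    """Command specs of a sudoers user spec whose program path contains a glob.
    '/usr/bin/* /etc/openvpn/*' admits every program in /usr/bin, far more than the
    OpenVPN management the rule is meant to delegate; list exact binaries instead."""
    cmnds = re.sub(r"^\s*\([^)]*\)\s*", "", rule.split("=", 1)[1])   # drop '(root)'
    specs = [c.strip() for c in cmnds.split(",") if c.strip()]
    return [c for c in specs if any(ch in c.split()[0] for ch in "*?[")]


def demo_authorized_keys_audit() -> dict:
    """Audit a hardened and a loose throw-away home directory; owner checks use the
    current uid because a non-root run cannot chown to root."""
    me, results = os.getuid(), {}
    for label, dir_mode in (("hardened", 0o700), ("loose", 0o755)):
        home = tempfile.mkdtemp()
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
            fh.write("ssh-rsa AAAA...constructed-placeholder-key... peter@idefix\n")
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o644)
        os.chmod(ssh_dir, dir_mode)
        results[label] = audit_authorized_keys(home, user_uid=me, owner_uid=me)
        shutil.rmtree(home, ignore_errors=True)
    return results


# Constructed samples mirroring the page's settings (sudoers path spelled /etc/init.d).
SAMPLE_SSHD_CONFIG = "Port 2222\n# PasswordAuthentication yes\nPasswordAuthentication no\n"
SAMPLE_SUDOERS_RULE = ("%kurs1599 ALL = (root) /usr/bin/* /etc/openvpn/*, "
                       "/bin/* /etc/openvpn/*, /etc/init.d/openvpn")
```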
DNS setup
External IP: 213.178.77.174
External DNS: domain kurs1599-gruppe2.dyndns.org, provider DynDNS
Installation and setup of the OpenVPN server for client-to-server VPN connections
OpenVPN version
dennis@ubuntu-dmz:/etc$ apt-cache policy openvpn
openvpn:
Installed: 2.1.0-1ubuntu1
Candidate: 2.1.0-1ubuntu1
Version table:
*** 2.1.0-1ubuntu1 0
500 http://de.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
OpenVPN downloads
Server
Clients
Installing the OpenVPN software
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ sudo aptitude install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed:
liblzo2-2{a} libpkcs11-helper1{a} openssl-blacklist{a} openvpn openvpn-blacklist{a}
0 packages upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,963kB of archives. After unpacking 16.3MB will be used.
Do you want to continue? [Y/n/?]
Writing extended state information... Done
Get:1 http://de.archive.ubuntu.com/ubuntu/ lucid/main openssl-blacklist 0.5-2 [6,338kB]
Get:2 http://de.archive.ubuntu.com/ubuntu/ lucid/main liblzo2-2 2.03-2 [59.2kB]
Get:3 http://de.archive.ubuntu.com/ubuntu/ lucid/main libpkcs11-helper1 1.07-1build1 [48.1kB]
Get:4 http://de.archive.ubuntu.com/ubuntu/ lucid/main openvpn-blacklist 0.4 [1,068kB]
Get:5 http://de.archive.ubuntu.com/ubuntu/ lucid/main openvpn 2.1.0-1ubuntu1 [449kB]
Fetched 7,963kB in 33s (240kB/s)
Preconfiguring packages ...
Selecting previously deselected package openssl-blacklist.
(Reading database ... 45616 files and directories currently installed.)
Unpacking openssl-blacklist (from .../openssl-blacklist_0.5-2_all.deb) ...
Selecting previously deselected package liblzo2-2.
Unpacking liblzo2-2 (from .../liblzo2-2_2.03-2_amd64.deb) ...
Selecting previously deselected package libpkcs11-helper1.
Unpacking libpkcs11-helper1 (from .../libpkcs11-helper1_1.07-1build1_amd64.deb) ...
Selecting previously deselected package openvpn-blacklist.
Unpacking openvpn-blacklist (from .../openvpn-blacklist_0.4_all.deb) ...
Selecting previously deselected package openvpn.
Unpacking openvpn (from .../openvpn_2.1.0-1ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up openssl-blacklist (0.5-2) ...
Setting up liblzo2-2 (2.03-2) ...
Setting up libpkcs11-helper1 (1.07-1build1) ...
Setting up openvpn-blacklist (0.4) ...
Setting up openvpn (2.1.0-1ubuntu1) ...
 * Restarting virtual private network daemon(s)...
 *   No VPN is running.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Creating a copy of the base configuration
dennis@ubuntu-dmz:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /var/tmp/easy-rsa
Adapting the base configuration
dennis@ubuntu-dmz:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ cd /var/tmp/easy-rsa/
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ vim vars
[...]
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="DE"
export KEY_PROVINCE="NRW"
export KEY_CITY="Hagen"
export KEY_ORG="Fernuniversitaet Hagen"
export KEY_EMAIL="dummy@dummy.org"
[...]
Setting the default values for key generation
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /var/tmp/easy-rsa/keys
Removing old RSA keys
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./clean-all
Creating the CA certificate and its key
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-ca
Generating a 1024 bit RSA private key
..................++++++
.................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [Fernuniversitaet Hagen CA]:Fernuniversitaet Hagen Kurs 1599 Gruppe 2
Name []:
Email Address [dummy@dummy.org]:
Creating the certificate and private key for the OpenVPN server
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key-server server
Generating a 1024 bit RSA private key
.........................++++++
...................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [server]:213.178.77.174
Name []:
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'213.178.77.174'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:24:15 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Creating the first client certificate
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key client1
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [client1]:peter
Name []:Peter Palsbroeker
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'peter'
name                  :PRINTABLE:'Peter Palsbroeker'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:25:08 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Creating the second client certificate
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key client2
Generating a 1024 bit RSA private key
..................++++++
..++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [client2]:robert
Name []:Robert Saunders
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'robert'
name                  :PRINTABLE:'Robert Saunders'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:26:07 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Creating the third client certificate
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key client3
Generating a 1024 bit RSA private key
...........++++++
..............................++++++
writing new private key to 'client3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [client3]:dennis
Name []:Dennis Guennewig
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :PRINTABLE:'dennis'
name                  :PRINTABLE:'Dennis Guennewig'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul  3 16:26:27 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating the Diffie-Hellman parameters for the OpenVPN server
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........+........................................+.....+............+....................+...................................+.....+..+...................................................................................+.................................+...............................................................+.............................+...............................................+.................................................+..................................................................................................................................................+..............................................................................................................................................................................+...................................................+.................................................................................................+...................................................................+..........+........................+...........................+..............................++*++*++*
Creating a backup of the generated certificates and keys
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ tar -czf keys.tar.gz keys/
d@idefix ~/Desktop/20100701_openvpn/openvpn/ $ scp openvpn:/var/tmp/easy*/keys.tar.gz ./
Installing the certificates and the server key
root@ubuntu-dmz:/etc/openvpn# mkdir certs
root@ubuntu-dmz:/etc/openvpn# cp /var/tmp/easy*/keys/server2.crt /var/tmp/easy*/keys/server2.key /var/tmp/easy*/keys/ca.crt ./certs/
Adapting server.conf
Server configuration file: server.conf.gz
root@ubuntu-dmz:/etc/openvpn# cat server.conf
[...]
ca certs/ca.crt
cert certs/server.crt
key certs/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh certs/dh1024.pem

# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.2.0.0 255.255.255.0

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.0.0.0 255.0.0.0"

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir ccd
route 10.2.0.0 255.255.255.252

# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 3

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
log-append /var/log/openvpn/openvpn.log

# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
[...]
Adapting client.conf
Client configuration file: client.conf.gz
root@ubuntu-dmz:/etc/openvpn# cat client.conf
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote kurs1599-gruppe.dyndns.org 1194
;remote my-server-2 1194

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca keys/ca.crt
cert keys/client23.crt
key keys/client23.key
[...]
Creating the per-client configurations for static IP addresses
dennis@ubuntu-dmz:/etc/openvpn$ cat ccd/robert
ifconfig-push 10.2.0.5 10.2.0.6
dennis@ubuntu-dmz:/etc/openvpn$ cat ccd/peter
ifconfig-push 10.2.0.9 10.2.0.10
dennis@ubuntu-dmz:/etc/openvpn$ cat ccd/dennis
ifconfig-push 10.2.0.13 10.2.0.14
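The following check script is an added example (not part of the group's documentation) that ties the server.conf, the ccd files and the certificate step together: it parses the server.conf directives, verifies that every ifconfig-push in ccd/ is a free net30 pair inside the subnet of the server directive (the .5/.6, .9/.10, .13/.14 pairs used above), that the ccd file names match the client certificate CNs, and that the files referenced by ca/cert/key/dh were actually placed in certs/. Run against the page's own values it reports that server.conf references certs/server.crt and certs/server.key while the copy step placed server2.crt and server2.key; all sample inputs are constructed from the page, with dh1024.pem assumed copied.

```python
"""Consistency checks for the server.conf, ccd and certificate layout above.
Added example, not the group's tooling; sample inputs are constructed from the page."""
import ipaddress
import shlex
from typing import Dict, List, Set


def parse_directives(text: str) -> List[List[str]]:
    """Split an OpenVPN config into token lists, dropping '#' and ';' comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            out.append(shlex.split(line))      # keeps 'push "route ..."' as one arg
    return out


def net30_client_pairs(net: ipaddress.IPv4Network) -> Dict[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """OpenVPN 2.1's default net30 topology gives each client one /30: local = base+1,
    remote = base+2 with base a multiple of 4 (the Windows TAP driver needs exactly
    this). The first /30 (.1/.2) belongs to the server and is skipped."""
    blocks = list(net.subnets(new_prefix=30))[1:]
    return {list(b.hosts())[0]: list(b.hosts())[1] for b in blocks}


def check_ccd(directives: List[List[str]], ccd: Dict[str, str]) -> List[str]:
    """Validate every ifconfig-push against the 'server' subnet and max-clients."""
    findings = []
    server = next((d for d in directives if d[0] == "server"), None)
    if server is None:
        return ["no 'server' directive: cannot validate ccd addresses"]
    net = ipaddress.IPv4Network(f"{server[1]}/{server[2]}")
    valid = net30_client_pairs(net)
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for name, text in ccd.items():
        for d in parse_directives(text):
            if d[0] != "ifconfig-push":
                continue
            local, remote = ipaddress.IPv4Address(d[1]), ipaddress.IPv4Address(d[2])
            if local not in net or remote not in net:
                findings.append(f"ccd/{name}: {local} {remote} lies outside {net}")
            elif valid.get(local) != remote:
                findings.append(f"ccd/{name}: {local} {remote} is not a free net30 client pair (base+1 base+2)")
            if local in seen:
                findings.append(f"ccd/{name}: {local} is already pushed to ccd/{seen[local]}")
            seen[local] = name
    max_clients = next((int(d[1]) for d in directives if d[0] == "max-clients"), None)
    if max_clients is not None and len(ccd) > max_clients:
        findings.append(f"{len(ccd)} ccd files but max-clients is {max_clients}")
    return findings


def check_cert_files(directives: List[List[str]], present: Set[str]) -> List[str]:
    """Every ca/cert/key/dh path in server.conf must exist relative to /etc/openvpn."""
    return [f"'{d[0]} {d[1]}' in server.conf, but {d[1]} was not copied"
            for d in directives if d[0] in ("ca", "cert", "key", "dh") and d[1] not in present]


def check_cn_to_ccd(client_cns, ccd_names) -> List[str]:
    """OpenVPN reads ccd/<CN of the client certificate>, so names must match exactly."""
    cns, names = set(client_cns), set(ccd_names)
    return ([f"CN '{c}' has no ccd file and will get a dynamic address" for c in sorted(cns - names)]
            + [f"ccd/{n} matches no issued client CN" for n in sorted(names - cns)])


# Constructed from the page: the relevant server.conf lines and the three ccd files.
SERVER_CONF = """\
ca certs/ca.crt
cert certs/server.crt
key certs/server.key  # This file should be kept secret
dh certs/dh1024.pem
server 10.2.0.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
client-config-dir ccd
max-clients 3
"""
CCD = {"robert": "ifconfig-push 10.2.0.5 10.2.0.6\n",
       "peter": "ifconfig-push 10.2.0.9 10.2.0.10\n",
       "dennis": "ifconfig-push 10.2.0.13 10.2.0.14\n"}
# What the copy step above placed in /etc/openvpn/certs (dh1024.pem assumed copied too).
CERTS_PRESENT = {"certs/ca.crt", "certs/server2.crt", "certs/server2.key", "certs/dh1024.pem"}
CLIENT_CNS = ["peter", "robert", "dennis"]   # CNs entered in the build-key runs


def run_checks() -> List[str]:
    directives = parse_directives(SERVER_CONF)
    return (check_cert_files(directives, CERTS_PRESENT)
            + check_ccd(directives, CCD)
            + check_cn_to_ccd(CLIENT_CNS, CCD))
```

On the page's values run_checks() returns exactly two findings, both about the server certificate and key paths.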
Enabling routing on the server
dennis@ubuntu-dmz:~$ sudo sysctl -e net.ipv4.conf.all.forwarding=1
dennis@ubuntu-dmz:~$ cat /etc/sysctl.conf
[...]
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
[...]
Testing the OpenVPN connection
Robert
c:\>ping 10.2.0.13 REM Dennis
Ping wird ausgeführt für 10.2.0.13 mit 32 Bytes Daten:
Antwort von 10.2.0.13: Bytes=32 Zeit=107ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=108ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=105ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=107ms TTL=64
Ping-Statistik für 10.2.0.13:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 105ms, Maximum = 108ms, Mittelwert = 106ms
c:\>ping 10.2.0.9 REM Peter
Ping wird ausgeführt für 10.2.0.9 mit 32 Bytes Daten:
Antwort von 10.2.0.9: Bytes=32 Zeit=288ms TTL=64
Antwort von 10.2.0.9: Bytes=32 Zeit=221ms TTL=64
Antwort von 10.2.0.9: Bytes=32 Zeit=299ms TTL=64
Antwort von 10.2.0.9: Bytes=32 Zeit=349ms TTL=64
Ping-Statistik für 10.2.0.9:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 221ms, Maximum = 349ms, Mittelwert = 289ms
Peter
c:\Dokumente und Einstellungen\Administrator>ping 10.2.0.5 REM Robert
Ping wird ausgeführt für 10.2.0.5 mit 32 Bytes Daten:
Antwort von 10.2.0.5: Bytes=32 Zeit=242ms TTL=128
Antwort von 10.2.0.5: Bytes=32 Zeit=1891ms TTL=128
Antwort von 10.2.0.5: Bytes=32 Zeit=227ms TTL=128
Antwort von 10.2.0.5: Bytes=32 Zeit=209ms TTL=128
Ping-Statistik für 10.2.0.5:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 209ms, Maximum = 1891ms, Mittelwert = 642ms
c:\Dokumente und Einstellungen\Administrator>ping 10.2.0.13 REM Dennis
Ping wird ausgeführt für 10.2.0.13 mit 32 Bytes Daten:
Antwort von 10.2.0.13: Bytes=32 Zeit=738ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=452ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=207ms TTL=64
Antwort von 10.2.0.13: Bytes=32 Zeit=193ms TTL=64
Ping-Statistik für 10.2.0.13:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 193ms, Maximum = 738ms, Mittelwert = 397ms
Dennis
d@idefix ~/ $ ping 10.2.0.9 #Peter
PING 10.2.0.9 (10.2.0.9) 56(84) bytes of data.
64 bytes from 10.2.0.9: icmp_seq=1 ttl=64 time=291 ms
64 bytes from 10.2.0.9: icmp_seq=2 ttl=64 time=213 ms
64 bytes from 10.2.0.9: icmp_seq=3 ttl=64 time=209 ms
64 bytes from 10.2.0.9: icmp_seq=4 ttl=64 time=573 ms
64 bytes from 10.2.0.9: icmp_seq=5 ttl=64 time=209 ms
^C
--- 10.2.0.9 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19004ms
rtt min/avg/max/mdev = 206.355/270.732/573.781/101.273 ms
d@idefix ~/ $ ping 10.2.0.5 #Robert
PING 10.2.0.5 (10.2.0.5) 56(84) bytes of data.
64 bytes from 10.2.0.5: icmp_seq=1 ttl=128 time=111 ms
64 bytes from 10.2.0.5: icmp_seq=2 ttl=128 time=109 ms
64 bytes from 10.2.0.5: icmp_seq=3 ttl=128 time=112 ms
64 bytes from 10.2.0.5: icmp_seq=4 ttl=128 time=108 ms
64 bytes from 10.2.0.5: icmp_seq=5 ttl=128 time=111 ms
64 bytes from 10.2.0.5: icmp_seq=6 ttl=128 time=110 ms
64 bytes from 10.2.0.5: icmp_seq=7 ttl=128 time=109 ms
^C
--- 10.2.0.5 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6005ms
rtt min/avg/max/mdev = 108.271/110.448/112.551/1.509 ms
Installation and setup of the OpenVPN server for server-to-server VPN connections
Creating the client certificates and their keys
Server 1
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key server1_client
Generating a 1024 bit RSA private key
.++++++
...........................++++++
writing new private key to 'server1_client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [server1_client]:
Name []:
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :T61STRING:'server1_client'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul 23 11:29:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Server 3
dennis@ubuntu-dmz:/var/tmp/easy-rsa$ ./build-key server3_client
Generating a 1024 bit RSA private key
..............................................................................................................................++++++
....................................................++++++
writing new private key to 'server3_client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [NRW]:
Locality Name (eg, city) [Hagen]:
Organization Name (eg, company) [Fernuniversitaet Hagen]:
Organizational Unit Name (eg, section) []:Kurs 1599
Common Name (eg, your name or your server's hostname) [server3_client]:
Name []:Client-Zertifikat Server 3
Email Address [dummy@dummy.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /var/tmp/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'NRW'
localityName          :PRINTABLE:'Hagen'
organizationName      :PRINTABLE:'Fernuniversitaet Hagen'
organizationalUnitName:PRINTABLE:'Kurs 1599'
commonName            :T61STRING:'server3_client'
name                  :PRINTABLE:'Client-Zertifikat Server 3'
emailAddress          :IA5STRING:'dummy@dummy.org'
Certificate is to be certified until Jul 23 11:28:56 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Conclusion
- Outlook
- Points of criticism
- Suggestions for improvement
