Difference between revisions of "FreeBSD OpenVPN Server/Routed"

From Secure Computing Wiki
m (Reverted edits by 140.113.152.201 (Talk); changed back to last version by 173.8.113.101)
m (I removed the push route; this writeup doesn't talk much about routing, so I figure we should try to keep it simple. Feel free to re-add it if you want)
 
(12 intermediate revisions by 4 users not shown)
Latest revision as of 09:23, 26 January 2011


Many people feel overwhelmed by the installation and configuration of OpenVPN. Here, I'll try to write an easy to understand installation guide.

Install OpenVPN

The first step toward a running OpenVPN installation is to install OpenVPN. On FreeBSD, we can do so from the ports tree:

cd /usr/ports/security/openvpn && make install clean

Once the installation is complete, we need to setup our directories for storing our SSL keys, CRL, etc. I keep all this information in /usr/local/etc/openvpn.

mkdir /usr/local/etc/openvpn

In order for OpenVPN to start, we need to add the following lines to /etc/rc.conf:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
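The two rc.conf lines above are easy to add by hand, but a provisioning script that runs twice will leave duplicate entries behind. FreeBSD ships sysrc(8) for exactly this; the helper below is an added example (not from this page or from the OpenVPN port) written as a portable POSIX sh stand-in, so it can be checked on any system. The only values it writes are the two the page gives.

```shell
#!/bin/sh
# Added example, not part of the wiki page: idempotent edit of an rc.conf-style
# file so the openvpn_* lines can be applied by a script without producing
# duplicate entries on a second run. On FreeBSD itself, sysrc(8) does this.

# set_rc_var FILE NAME VALUE -> replace an existing NAME="..." line or append one
set_rc_var() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # rewrite through a temp file; every other line is copied untouched
        tmp="${file}.tmp.$$"
        awk -v n="$name" -v v="$value" '
            index($0, n "=") == 1 { print n "=\"" v "\""; next }
            { print }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_rc_var FILE NAME -> prints the value currently set for NAME, quotes stripped
get_rc_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$1" | tail -n 1
}

# enable_openvpn FILE -> applies the two lines the page adds to /etc/rc.conf
enable_openvpn() {
    set_rc_var "$1" openvpn_enable YES
    set_rc_var "$1" openvpn_configfile /usr/local/etc/openvpn/server.conf
}

# Usage: sh enable_openvpn.sh /etc/rc.conf
if [ $# -gt 0 ]; then
    enable_openvpn "$1"
fi
```

Running `enable_openvpn /etc/rc.conf` a second time rewrites the existing lines in place rather than appending, and `get_rc_var` lets a script confirm what is set before calling the rc.d start script.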

Setup SSL Certificates/Keys

I think setting up SSL is the toughest part of OpenVPN for most people, including myself. I've written a script to help manage my network OpenSSL certificates.

Install

On FreeBSD systems with recent ports trees, simply do the following:

# cd /usr/ports/security/ssl-admin && make install

Tuning ssl-admin.conf

You must edit the perl script to work correctly on your network. When initially downloaded, the script will exit, reminding you to set up all the variables at the top of the file. By default, the top of the file looks like this:

## Set default values here.  
#
# The following values can be changed without affecting
# your CA key.

$ENV{'KEY_SIZE'} = "1024";
$ENV{'KEY_DAYS'} = "3650";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI";


## WARNING!!! ##
# 
# Changing the following values has vast consequences. 
# These values must match what's in your root CA certificate.

$ENV{'KEY_COUNTRY'} = "COUNTRY";
$ENV{'KEY_PROVINCE'} = "STATE/PROVINCE";
$ENV{'KEY_CITY'} = "CITY";
$ENV{'KEY_ORG'} = "ORGANIZATION";
$ENV{'KEY_EMAIL'} = 'EMAIL_ADDRESS';

KEY_CRL_LOC is an optional variable, for use if you want to make your certificate revocation list available to the public. This script will not upload the CRL to your URI location; that must be done manually.

For OpenVPN purposes, I would not recommend making a key smaller than 1024 bits. The KEY_DAYS variable determines how long your certificates remain valid; essentially, this is how often you'll have to reissue SSL certificates to your users. You can always revoke a certificate, so there's little worry about lost/stolen/fired/etc. users.

Executing ssl-admin.pl

ssl-admin

First Run

The first time (after you've set your variables), you're going to be prompted to either create a new CA root certificate, or point the script to your existing one. For the purpose of this document, we're going to create a new certificate.

  • For the certificate owner's name, I used vpn. Note, you cannot have spaces, capital letters, or special characters.
  • ALWAYS protect your CA certificate with a password. Otherwise, why have a VPN if you're going to give keys to the world?
  • You'll note that most questions are answered automatically for you, based on the variables at the head of our script.

Once the CA certificate has been created (or pointed to), you should get a menu that appears as follows:

This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Tue Dec 16 09:39:57 CST 2008
I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Common Name: 
     Key Duration (days): 3650
     Current Serial #: 01
     Key Size (bits): 1024
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item:

I'll cover the full operation of my script in another document, but you should be able to figure out most of the functions on your own. Please feel free to email me at ecrist@secure-computing.net with specific questions or bugs. Also, please, please, please, feel free to help me and add to/modify this script. Send me your updates!

Known Bugs

  • There isn't a blank CRL generated on initial install. This causes OpenVPN to die if it's checking for CRL.
  • There isn't any way to view the entire index.
  • File permissions aren't being set correctly on new install.
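ssl-admin wraps openssl, and openssl ca(1) keeps its record of every issued certificate in a tab-separated index.txt database (status V/R/E, expiry, revocation date, serial, filename, subject DN). Since the Known Bugs list says the script cannot show the whole index, and the KEY_DAYS discussion above is really about expiry and revocation, the following added example reads that database directly with awk. It is not ssl-admin code; the index path under the ssl-admin directory is an assumption, and the three index lines in the test are constructed.

```shell
#!/bin/sh
# Added example; not part of ssl-admin or of the wiki page. Reads an
# openssl ca(1) index.txt and reports status, serial, expiry and CN per
# certificate. INDEX below is an assumed location: set it to wherever your
# ssl-admin installation keeps its index.txt.

INDEX=${INDEX:-/usr/local/etc/ssl-admin/prog/index.txt}   # assumed path

# index_entries FILE -> one line per certificate: STATUS SERIAL EXPIRES CN
index_entries() {
    awk -F '\t' '
        NF >= 6 {
            cn = $6
            sub(/.*\/CN=/, "", cn)   # strip everything before the CN component
            sub(/\/.*/, "", cn)      # and any DN components after it
            printf "%s %s %s %s\n", $1, $4, $2, cn
        }' "$1"
}

# count_status FILE STATUS -> number of certificates with that status
# (V = valid, R = revoked, E = expired)
count_status() {
    index_entries "$1" | awk -v s="$2" '$1 == s' | wc -l | tr -d ' '
}

# revoked_cns FILE -> the CNs whose certificates have been revoked; these are
# the entries that should also appear in the CRL that crl-verify loads
revoked_cns() {
    index_entries "$1" | awk '$1 == "R" { print $4 }'
}

# Usage: sh index_report.sh [index.txt]
if [ $# -gt 0 ]; then
    INDEX=$1
    echo "valid: $(count_status "$INDEX" V)  revoked: $(count_status "$INDEX" R)"
    index_entries "$INDEX"
fi
```

Comparing `revoked_cns` against the serials listed by `openssl crl -in crl.pem -text -noout` is a quick way to confirm the CRL that OpenVPN is checking against was regenerated after the last revocation.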

OpenVPN Configuration

Now that we've got our SSL setup complete, we can move on to setting up the remainder of OpenVPN. To begin, we need a Diffie Hellman key. Create this with the following command:

openssl dhparam -out KEY_DIR/active/dh1024.pem 1024

Replace KEY_DIR with your OpenVPN directory. This can now be done with the dh option in ssl-admin.

Finally, we can create our OpenVPN configuration file. I will show you the file I use, and explain the entries as best I can:

daemon
port 1194

proto udp

dev tun

ca      /usr/local/etc/ssl-admin/active/ca.crt
cert    /usr/local/etc/ssl-admin/active/server.crt
key     /usr/local/etc/ssl-admin/active/server.key
dh      /usr/local/etc/ssl-admin/active/dh1024.pem

server 172.30.0.0 255.255.255.0

# this is necessary for clients to reach 
# clients behind the openvpn gateways
client-to-client

keepalive 10 120

## allow multiple access from the same client
duplicate-cn

user vpn
group vpn

persist-key
persist-tun

status                  /var/openvpn/openvpn-status.log

log-append              /var/log/openvpn.log

verb 4

crl-verify              /usr/local/etc/ssl-admin/prog/crl.pem

daemon - This tells OpenVPN that we want to run a server. On client machines, you'll use client.
port 1194 - This tells OpenVPN to run on port 1194.
proto udp - Run with UDP protocol. I don't know why this is better than TCP, if it is.
dev tun - What device to use. Use tun for routed OpenVPN.
ca/cert/key/dh - If you're using my ssl-admin.pl script, your keys/certificates will be in KEY_DIR/active/.
server - The IP address and subnet the virtual interface should have. Your clients will get addresses on this network.
client-to-client - This is necessary for clients to reach other clients behind the OpenVPN gateway.
keepalive 10 120 -
duplicate-cn - Allow clients to connect more than once.
user/group - The user and group openvpn should run as.
persist-key/tun - Try to avoid accessing certain resources after privileges have been dropped.
status - Keep a log of openvpn status.
log-append - Log file for messages, append rather than truncate.
verb 4 - Log file verbosity. 4 is 'reasonable.' Max of 9.
crl-verify - IMPORTANT This tells openvpn to verify ssl certificates against our Certificate Revocation List.

More options and documentation are available at http://openvpn.net/howto.html#config.

Put this file in your openvpn directory. I named mine server.conf. We pointed to this file in /etc/rc.conf.
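Two of the Known Bugs above (no CRL on a fresh install, wrong file permissions) show up only when the daemon is started, and crl-verify makes the first one fatal. The following added pre-flight script, which is not part of the page or of OpenVPN, reads the ca/cert/key/dh/crl-verify paths out of server.conf, checks that each file exists, that the private key is not group- or world-readable, and that the crl-verify file actually contains a PEM CRL; with openssl installed, verify_chain then performs the same CA-plus-CRL check OpenVPN will do. The conf file and key files in the test are constructed.

```shell
#!/bin/sh
# Added example; not part of the wiki page or of OpenVPN. Pre-flight checks
# for the server.conf shown above, run before "openvpn start": every file the
# ca/cert/key/dh/crl-verify directives point at must exist, the private key
# must not be group- or world-readable, and the crl-verify file must hold a
# PEM CRL (a missing or empty CRL is the first Known Bug: OpenVPN dies).

# conf_path CONF DIRECTIVE -> prints the path argument of DIRECTIVE in CONF
conf_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# key_is_private FILE -> 0 when the group/other bits (ls -l columns 5-10) are all '-'
key_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# preflight CONF -> 0 if every check passes, else prints each problem and returns 1
preflight() {
    conf=$1
    rc=0
    for d in ca cert key dh crl-verify; do
        f=$(conf_path "$conf" "$d")
        if [ -z "$f" ]; then
            echo "missing directive: $d"; rc=1
        elif [ ! -r "$f" ]; then
            echo "$d: cannot read $f"; rc=1
        fi
    done
    k=$(conf_path "$conf" key)
    if [ -n "$k" ] && [ -r "$k" ] && ! key_is_private "$k"; then
        echo "key: $k is readable by group or others (chmod 600 it)"; rc=1
    fi
    crl=$(conf_path "$conf" crl-verify)
    if [ -n "$crl" ] && [ -r "$crl" ] && ! grep -q 'BEGIN X509 CRL' "$crl"; then
        echo "crl-verify: $crl holds no PEM CRL; generate one before enabling crl-verify"; rc=1
    fi
    return $rc
}

# verify_chain CA CERT CRL -> the check OpenVPN performs with crl-verify, done
# with the openssl CLI so a bad chain or stale CRL is caught before the daemon starts
verify_chain() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2"
}

# Usage: sh preflight.sh /usr/local/etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    preflight "$1" && verify_chain "$(conf_path "$1" ca)" \
                                   "$(conf_path "$1" cert)" \
                                   "$(conf_path "$1" crl-verify)"
fi
```

The permission check is deliberately done with ls rather than stat because the stat flags differ between FreeBSD and GNU; the CRL check only looks for the PEM header, which is enough to distinguish an empty placeholder from a real CRL.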

Start OpenVPN

Once all of the configuration has been completed, you're ready to start the server.

/usr/local/etc/rc.d/openvpn start