UNI-FIX Computer

Jeg lægger ud med en nyinstalleret debian på vpn.eksempel.dk og starter ud med at installere lidt grundlæggende værktøjer:

root@vpn:~# apt-get install vim ssh openvpn bridge-utils

Jeg redigerer /etc/network/interfaces

auto lo br0
iface lo inet loopback

allow-hotplug eth0
iface br0 inet static
        address 260.260.260.2
        netmask 255.255.255.0
        gateway 260.260.260.2
        bridge_ports eth0 tap0
        pre-up openvpn --mktun --dev tap0
        post-down openvon --rmtun --dev tap0

For at oprette krypteringsnøgler til serveren og klienten bruger vi et script der følger med OpenVPN ved navn “easy-rsa”:

root@vpn:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Rediger /etc/openvpn/easy-rsa/2.0/vars , de nederste 4 værdier skal tilpasses, som f.eks:

export KEY_COUNTRY="DK"
export KEY_PROVINCE="DK"
export KEY_CITY="Copenhagen"
export KEY_ORG="Mikjaer ApS"
export KEY_EMAIL="noc@mikjaer.com"

Påbegynd generation af dit CA ved at køre flg.:

#  cd /etc/openvpn/easy-rsa/2.0
# . /etc/openvpn/easy-rsa/2.0/vars
# . /etc/openvpn/easy-rsa/2.0/clean-all
# . /etc/openvpn/easy-rsa/2.0/build-ca

og siden vi har gemt vores ønskede værdier i vars kan vi køre ./build-ca uden at gøre andet end at acceptere alle “standardværdierne” ved at trykke enter ved hver prompt, herefter er vi klar til at lave serverens nøgle:

root@vpn:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key-server server
Generating a 1024 bit RSA private key
..++++++
.........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [DK]:
Locality Name (eg, city) [Copenhagen]:
Organization Name (eg, company) [Mikjaer ApS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:
Email Address [noc@mikjaer.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'DK'
localityName          :PRINTABLE:'Copenhagen'
organizationName      :PRINTABLE:'Mikjaer ApS'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'noc@mikjaer.com'
Certificate is to be certified until Apr 18 21:30:33 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Herefter skal vi bruge (mindst) en klient nøgle:

root@vpn:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key client1
Generating a 1024 bit RSA private key
..++++++
.............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [DK]:
Locality Name (eg, city) [Copenhagen]:
Organization Name (eg, company) [Mikjaer ApS]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:
Email Address [noc@mikjaer.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'DK'
localityName          :PRINTABLE:'Copenhagen'
organizationName      :PRINTABLE:'Mikjaer ApS'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'noc@mikjaer.com'
Certificate is to be certified until Apr 18 21:32:45 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Og til sidst skal du også køre flg. for at generere nøgler til SSL/TLS Handshake (Jeg er faktisk ikke sikker på hvor vigtig rækkefølgen er her):

root@vpn:~/easy-rsa# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..........................................................................+.............................+.......................+.
.................+..................................................................................................................
......................................+...........................+...................................................+...........
........................+............+..................+..........+.............................................................
......................................+..........................................................................+.................
........................................................................+...........+..............................................
........................................................+......+...................................................................
......+.............................................................................................................................
...................................................................................+................................................
................+.........................................................................................+........................
....................................................................................+...........................................++
*++*++*

Kopier server-certifikatere på plads:

root@vpn:/etc/openvpn/easy-rsa/2.0/keys# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/

Som det sidste skal openvpn.conf tilpasses: vim /etc/openvpn/server.conf:

float
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 260.260.260.1 255.255.255.0 260.260.260.100 260.260.260.200
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10

Server-bridge syntax:

server-bridge <gateway> <netmask> <ip-range-start> <ip-range-stop>

Resten burde du ikke få brug for at rette i lige umiddelbart, på det her tidspunkt plejer jeg at genstarte maskinen, primært for at se at alt kommer op som det skal 🙂

Men så er du tilgengæld også klar til at forbinde dine maskiner med VPN Klienter.