Aici veti gasi detalii tehnice despre cum se pot realiza configurari software+ hardware.
Here you can find tehnical details about software/hardware configuration.

miercuri, 26 august 2009

OpenVPN under FreeBSD





Getting OpenVPN to play nice with FreeBSD was not as easy as I normally
get from a FreeBSD port

This is due to both my learning on the fly and lack of good
BSD related documentation



Here's my notes on how I accomplished it

I hope it helps you


Feel free to use/share/mod



Sorry it's not yet all that perty



I used/did

FreeBSD 6.2/7.0

portsnap

cd /usr/ports/security/openvpn

make install clean




I like to copy the scripts to
/etc/openvpn


cd /usr/local/share/doc/openvpn/easy-rsa

mkdir /etc/openvpn

cp -R * /etc/openvpn

cd /etc/openvpn

Edit vars to your environment (http://openvpn.net/howto.html)



Now run the scripts.  They are
bash scripts !!





sh

. ./vars

sh ./clean-all

sh ./build-ca

sh ./build-key-server server

sh ./build-key-pass client

sh ./build-dh  (takes a while, grab a drink/chill)




Copy/Edit the config.  I like to
keep the openvpn.conf in the normal configuration location.  Edit
/usr/local/etc/rc.d/openvpn to adjust the default location

mkdir /usr/local/etc/openvpn

cp /usr/local/share/doc/openvpn/sample-config-files/server.conf 
/usr/local/etc/openvpn/openvpn.conf





Edit
/usr/local/etc/openvpn/openvpn.conf to add the correct path to these
files



ca.crt

server.crt

server.key

dh1024.pem



Like



ca /etc/openvpn/2.0/keys/ca.crt

cert /etc/openvpn/2.0/keys/server.crt

key /etc/openvpn/2.0/keys/server.key


dh /etc/openvpn/2.0/keys/dh1024.pem





Add this to /etc/rc.conf



openvpn_enable="YES"

gateway_enable="YES"



openvpn_if="tun" for Tunneling

or

openvpn_if="tap" for Bridging






Make sure IP Forwarding is enabled

Check it with

sysctl -a |grep net.inet.ip.f



It should look like this

inet.inet.ip.forwarding: 1



If your /etc/rc.conf has gateway_enable="YES",
it will be set on reboot




You can have this /etc/rc.conf setting read without a reboot by doing
this

/etc/rc/d/routing restart



You can also set IP Forwarding manaully with sysctl

sysctl inet.inet.ip.forwarding=1





Edit
/usr/local/etc/openvpn/openvpn.conf enough
to get tunelling going


Leave it at that if you want




For me it was a pain to configure routing on the server side

I found it necessary to
add permanent routes back as static routes on my gateway did not seem
to help

This probably will be less painful if your gateway is your OpenVPN
server.

It wasnt for my install

I did eventually choose bridging but here's my route notes for history



FreeBSD

Temporary

route add -net 10.8.0.0/24 192.168.10.1




Permanent

/etc/rc.conf

static_routes="openvpn"

openvpn="-net 10.8.0.0/24 192.168.10.1"



Windows

Temporary

route ADD 10.8.0.0 MASK 255.255.255.0 192.168.10.1




Permanent

route -p ADD 10.8.0.0 MASK 255.255.255.0 192.168.10.1





Because of the routing pain, I then
tried Bridge


OpenVPN's scripts do not automatically create the bridge device

I could not find a solution

Based on some reading, I made a startup script to build the bridge at
startup

So far so good, It's probably a bad hack, maybe someone will help me
out here




/usr/local/etc/rc.d/create-bridge.sh

ifconfig bridge0 create

ifconfig bridge0 addm fxp0 addm tap0 up

ifconfig bridge0 inet 192.168.10.12 netmask 255.255.255.0



The script

1. Creates the bridge device

2. Adds a hardware NIC and TAP0 device, brings it up

3. Assigns a static IP




You'll have to edit the interface name and bridged IP to taste



For a bridge, you have to modify the
openvpn.conf


Change from tun to tap

dev tap

;dev tun



Modify server-bridge for the bridge IP
and pushed out IP range


server-bridge 192.168.10.12  255.255.255.0 192.168.10.100
192.168.110.109




Your dmesg will fill up with stuff
like this


arp: 192.168.10.2 is on fxp0 but got reply from 00:0a:5e:4d:37:ee on
bridge0

I turned off logging of this with sysctl
net.link.ether.inet.log_arp_wrong_iface=0



Add net.link.ether.inet.log_arp_wrong_iface=0

 to /etc/sysctl.conf for a permanent change to this setting



Optional improved security

Use tls-auth


openvpn --genkey --secret ta.key

Copy ta.key to server and client

In the server configuration, add:

tls-auth ta.key 0



In the client configuration, add:

tls-auth ta.key 1



Larger RSA keys like 2048

Edit vars to include


export KEY_SIZE=2048



Revoke a certificate if someone gets
the boot (aka fired), hopefully not me


. ./vars

./revoke-full client2

This Creates crl.pem

Edit server config to point to this file

crl-verify crl.pem

Watch permissions


I needed to copy the crl.pem to /usr/local/sbin as the openvpn daemon
running as nobody could not see it in the location is was created



Adding authentication seemed an easy
improvement method for security


Add to client config

auth-user-pass



Add to server config

plugin /usr/local/lib/openvpn-auth-pam.so login



For lab use I did this


# Uncomment this directive if multiple clients

# might connect with the same certificate/key

# files or common names.  This is recommended

# only for testing purposes.  For production use,

# each client should have its own certificate/key

# pair.

#


# IF YOU HAVE NOT GENERATED INDIVIDUAL

# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

# EACH HAVING ITS OWN UNIQUE "COMMON NAME",

# UNCOMMENT THIS LINE OUT.

;duplicate-cn

--duplicate-cn



Cipher strength hmmm

3 choices


;cipher BF-CBC        # Blowfish
(default)

;cipher AES-128-CBC   # AES

;cipher DES-EDE3-CBC  # Triple-DES



Here's a cool command to test
throughput relative to cipher


openssl speed bf-cbc des-ede3 aes-128-cbc


The 'numbers' are in 1000s of bytes per second processed.

type            
16 bytes     64 bytes    256
bytes   1024 bytes   8192 bytes

des ede3        
11884.66k    11914.43k   

11951.81k    11965.71k    11963.80k

blowfish cbc     52814.10k   
53821.89k    54053.87k   
54415.30k    53871.86k


aes-128 cbc      40888.23k   
38975.23k    39728.08k   
40106.78k    39669.99k



Want to delete a person in order to
create a new key or changes
password?


Delete their .crt .key and .csr


Then remove their entry from the OpenVPN keys directory in the file
index.txt



I was getting - Initialization
Sequence Completed With Errors


ip-win32 netsh - was the fix for me



Here's a rip from some docs

Make sure that the DHCP Client Service is started.

If the above fix doesn't work, then it's possible that the TAP-Win32
adapter is being firewalled. In general, it's safe to disable the
firewall on the TAP-Win32 adapter because OpenVPN makes sure that only
an authenticated machine on the other end of the connection can
communicate through it. Having said that, there have been reports that
certain third party firewalls will block the TAP-Win32 adapter after an
XP SP2 upgrade.

You can also try changing the ip-win32 setting to a non-DHCP method.
For example:




ip-win32 netsh

ip-win32 ipapi

ip-win32 manual



Signing the Certificate.  I chose
the allow the users to create
their own key.  They then sent me a csr which I signed ...


Transfer the csr to the server in /etc/openvpn/2.0/keys

From /etc/openvpn/2.0




sh

. ./vars

sh ./pkitool --sign dsuzuki



This creates a certificate *.crt in /etc/openvpn/2.0/keys

Sent this back to the client



Fast Forwarding

I dont know why I wrote this
down originally


It looks cool so I left it

net.inet.ip.fastforwarding=1



Here's notes from the FreeBSD Kernel Interfaces Manual for inet(4)



(ip.fastforwarding)

Boolean: enable/disable the use of fast IP forwarding code.

Defaults to off



When fast IP forwarding is enabled, IP packets are forwarded directly
to the appropriate network interface with direct processing to
completion, which


greatly improves the throughput.

All packets for local IP addresses, non-unicast, or with IP optionsare
handled by the normal IP input processing path.

All features of the normal (slow) IP forwarding path are supported
including firewall (through pfil(9) hooks) checking, except ipsec(4)
tunnel brokering.

The IP fastforwarding path does not generate ICMP redirect or source
quench messages.



Have fun


miercuri, 5 august 2009

Installing FreeBSD onto a USB stick

The easy way



A little secret - the easy way to do this is to boot from the installation CDROM while you have the USB stick in and just install to it.



You didn't come here for that though, did you?



The slightly more involved way



It doesn't qualify as "hard".



You'll still need to grab that ISO — get the latest one.




  • Mount that ISO on /dist:



     # mkdir /dist
# mdconfig -a -f /a/FreeBSD/6.1-BETA4-i386-disc1.iso
md17
# mount -t cd9660 /dev/md17 /dist



  • Insert the stick. They come preformatted with a FAT32 partition on, so we'll need to throw a BSD slice label on there — this command will destroy all existing slices. If you get a warning regarding "Geom not found", don't worry.:



    # fdisk -BI /dev/da0

  • We need a disk label:



    # bsdlabel -B -w da0s1

  • and a filesystem, which we'll mount on /mnt:



    # newfs -U /dev/da0s1a
    /dev/da0s1a: 481.0MB (985040 sectors) block size 16384, fragment size 2048
    using 4 cylinder groups of 120.25MB, 7696 blks, 15424 inodes.
    with soft updates
    super-block backups (for fsck -b #) at:
    160, 246432, 492704, 738976
    # mount /dev/da0s1a /mnt

  • Now to do an install the blindingly easy way:



    # cd /dist/6.1-BETA4/base
    # DESTDIR=/mnt ./install.sh
    You are about to extract the base distribution into /mnt - are you SURE
    you want to do this over your installed system (y/n)? y

  • Since we are using 6.1-BETA4, there is some additional messing about to do. This is very likely to change in later release candidates (since it is somewhat broken), but this works for 6.1-BETA4:



    # cd /dist/6.1-BETA4/kernels
    # DESTDIR=/mnt sh ./install.sh generic
    # rmdir /mnt/boot/kernel
    # mv /mnt/GENERIC /mnt/boot/kernel

  • Make the USB stick bootable:



    # boot0cfg -v -B da0
    # flag start chs type end chs offset size
    1 0x80 0: 1: 1 0xa5 480: 63:32 32 985056


    version=1.0 drive=0x80 mask=0xf ticks=182
    options=packet,update,nosetdrv
    default_selection=F1 (Slice 1)


  • Create an fstab(5) file on the USB stick. Here's a simple one:



    /dev/da0s1a /      ufs    rw                      1 1
    md /tmp mfs rw,-s16M,nosuid,noatime 0 0
    /dev/acd0 /cdrom cd9660 ro,noauto,nosuid 0 0
    proc /proc procfs rw 0 0

  • Install any packages you might want:



    # chroot /mnt /bin/sh
    # pkg_add -r lsof rsync unzip zsh kde...



You're done.

Map


Visitor Map