miercuri, 26 august 2009
OpenVPN under FreeBSD
Getting OpenVPN to play nice with FreeBSD was not as easy as I normally
get from a FreeBSD port
This is due to both my learning on the fly and lack of good
BSD related documentation
Here's my notes on how I accomplished it
I hope it helps you
Feel free to use/share/mod
Sorry it's not yet all that perty
I used/did
FreeBSD 6.2/7.0
portsnap
cd /usr/ports/security/openvpn
make install clean
I like to copy the scripts to
/etc/openvpn
cd /usr/local/share/doc/openvpn/easy-rsa
mkdir /etc/openvpn
cp -R * /etc/openvpn
cd /etc/openvpn
Edit vars to your environment (http://openvpn.net/howto.html)
Now run the scripts. They are
bash scripts !!
sh
. ./vars
sh ./clean-all
sh ./build-ca
sh ./build-key-server server
sh ./build-key-pass client
sh ./build-dh (takes a while, grab a drink/chill)
Copy/Edit the config. I like to
keep the openvpn.conf in the normal configuration location. Edit
/usr/local/etc/rc.d/openvpn to adjust the default location
mkdir /usr/local/etc/openvpn
cp /usr/local/share/doc/openvpn/sample-config-files/server.conf
/usr/local/etc/openvpn/openvpn.conf
Edit
/usr/local/etc/openvpn/openvpn.conf to add the correct path to these
files
ca.crt
server.crt
server.key
dh1024.pem
Like
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
Add this to /etc/rc.conf
openvpn_enable="YES"
gateway_enable="YES"
openvpn_if="tun" for Tunneling
or
openvpn_if="tap" for Bridging
Make sure IP Forwarding is enabled
Check it with
sysctl -a |grep net.inet.ip.f
It should look like this
inet.inet.ip.forwarding: 1
If your /etc/rc.conf has gateway_enable="YES",
it will be set on reboot
You can have this /etc/rc.conf setting read without a reboot by doing
this
/etc/rc/d/routing restart
You can also set IP Forwarding manaully with sysctl
sysctl inet.inet.ip.forwarding=1
Edit
/usr/local/etc/openvpn/openvpn.conf enough
to get tunelling going
Leave it at that if you want
For me it was a pain to configure routing on the server side
I found it necessary to
add permanent routes back as static routes on my gateway did not seem
to help
This probably will be less painful if your gateway is your OpenVPN
server.
It wasnt for my install
I did eventually choose bridging but here's my route notes for history
FreeBSD
Temporary
route add -net 10.8.0.0/24 192.168.10.1
Permanent
/etc/rc.conf
static_routes="openvpn"
openvpn="-net 10.8.0.0/24 192.168.10.1"
Windows
Temporary
route ADD 10.8.0.0 MASK 255.255.255.0 192.168.10.1
Permanent
route -p ADD 10.8.0.0 MASK 255.255.255.0 192.168.10.1
Because of the routing pain, I then
tried Bridge
OpenVPN's scripts do not automatically create the bridge device
I could not find a solution
Based on some reading, I made a startup script to build the bridge at
startup
So far so good, It's probably a bad hack, maybe someone will help me
out here
/usr/local/etc/rc.d/create-bridge.sh
ifconfig bridge0 create
ifconfig bridge0 addm fxp0 addm tap0 up
ifconfig bridge0 inet 192.168.10.12 netmask 255.255.255.0
The script
1. Creates the bridge device
2. Adds a hardware NIC and TAP0 device, brings it up
3. Assigns a static IP
You'll have to edit the interface name and bridged IP to taste
For a bridge, you have to modify the
openvpn.conf
Change from tun to tap
dev tap
;dev tun
Modify server-bridge for the bridge IP
and pushed out IP range
server-bridge 192.168.10.12 255.255.255.0 192.168.10.100
192.168.110.109
Your dmesg will fill up with stuff
like this
arp: 192.168.10.2 is on fxp0 but got reply from 00:0a:5e:4d:37:ee on
bridge0
I turned off logging of this with sysctl
net.link.ether.inet.log_arp_wrong_iface=0
Add net.link.ether.inet.log_arp_wrong_iface=0
to /etc/sysctl.conf for a permanent change to this setting
Optional improved security
Use tls-auth
openvpn --genkey --secret ta.key
Copy ta.key to server and client
In the server configuration, add:
tls-auth ta.key 0
In the client configuration, add:
tls-auth ta.key 1
Larger RSA keys like 2048
Edit vars to include
export KEY_SIZE=2048
Revoke a certificate if someone gets
the boot (aka fired), hopefully not me
. ./vars
./revoke-full client2
This Creates crl.pem
Edit server config to point to this file
crl-verify crl.pem
Watch permissions
I needed to copy the crl.pem to /usr/local/sbin as the openvpn daemon
running as nobody could not see it in the location is was created
Adding authentication seemed an easy
improvement method for security
Add to client config
auth-user-pass
Add to server config
plugin /usr/local/lib/openvpn-auth-pam.so login
For lab use I did this
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
--duplicate-cn
Cipher strength hmmm
3 choices
;cipher BF-CBC # Blowfish
(default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
Here's a cool command to test
throughput relative to cipher
openssl speed bf-cbc des-ede3 aes-128-cbc
The 'numbers' are in 1000s of bytes per second processed.
type
16 bytes 64 bytes 256
bytes 1024 bytes 8192 bytes
des ede3
11884.66k 11914.43k
11951.81k 11965.71k 11963.80k
blowfish cbc 52814.10k
53821.89k 54053.87k
54415.30k 53871.86k
aes-128 cbc 40888.23k
38975.23k 39728.08k
40106.78k 39669.99k
Want to delete a person in order to
create a new key or changes
password?
Delete their .crt .key and .csr
Then remove their entry from the OpenVPN keys directory in the file
index.txt
I was getting - Initialization
Sequence Completed With Errors
ip-win32 netsh - was the fix for me
Here's a rip from some docs
Make sure that the DHCP Client Service is started.
If the above fix doesn't work, then it's possible that the TAP-Win32
adapter is being firewalled. In general, it's safe to disable the
firewall on the TAP-Win32 adapter because OpenVPN makes sure that only
an authenticated machine on the other end of the connection can
communicate through it. Having said that, there have been reports that
certain third party firewalls will block the TAP-Win32 adapter after an
XP SP2 upgrade.
You can also try changing the ip-win32 setting to a non-DHCP method.
For example:
ip-win32 netsh
ip-win32 ipapi
ip-win32 manual
Signing the Certificate. I chose
the allow the users to create
their own key. They then sent me a csr which I signed ...
Transfer the csr to the server in /etc/openvpn/2.0/keys
From /etc/openvpn/2.0
sh
. ./vars
sh ./pkitool --sign dsuzuki
This creates a certificate *.crt in /etc/openvpn/2.0/keys
Sent this back to the client
Fast Forwarding
I dont know why I wrote this
down originally
It looks cool so I left it
net.inet.ip.fastforwarding=1
Here's notes from the FreeBSD Kernel Interfaces Manual for inet(4)
(ip.fastforwarding)
Boolean: enable/disable the use of fast IP forwarding code.
Defaults to off
When fast IP forwarding is enabled, IP packets are forwarded directly
to the appropriate network interface with direct processing to
completion, which
greatly improves the throughput.
All packets for local IP addresses, non-unicast, or with IP optionsare
handled by the normal IP input processing path.
All features of the normal (slow) IP forwarding path are supported
including firewall (through pfil(9) hooks) checking, except ipsec(4)
tunnel brokering.
The IP fastforwarding path does not generate ICMP redirect or source
quench messages.
Have fun
miercuri, 5 august 2009
Installing FreeBSD onto a USB stick
The easy way
A little secret - the easy way to do this is to boot from the installation CDROM while you have the USB stick in and just install to it.
You didn't come here for that though, did you?
The slightly more involved way
It doesn't qualify as "hard".
You'll still need to grab that ISO — get the latest one.
- Mount that ISO on /dist:
# mkdir /dist
# mdconfig -a -f /a/FreeBSD/6.1-BETA4-i386-disc1.iso
md17
# mount -t cd9660 /dev/md17 /distInsert the stick. They come preformatted with a FAT32 partition on, so we'll need to throw a BSD slice label on there — this command will destroy all existing slices. If you get a warning regarding "Geom not found", don't worry.:
# fdisk -BI /dev/da0We need a disk label:
# bsdlabel -B -w da0s1and a filesystem, which we'll mount on
/mnt:# newfs -U /dev/da0s1a
/dev/da0s1a: 481.0MB (985040 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 120.25MB, 7696 blks, 15424 inodes.
with soft updates
super-block backups (for fsck -b #) at:
160, 246432, 492704, 738976
# mount /dev/da0s1a /mntNow to do an install the blindingly easy way:
# cd /dist/6.1-BETA4/base
# DESTDIR=/mnt ./install.sh
You are about to extract the base distribution into /mnt - are you SURE
you want to do this over your installed system (y/n)? ySince we are using 6.1-BETA4, there is some additional messing about to do. This is very likely to change in later release candidates (since it is somewhat broken), but this works for 6.1-BETA4:
# cd /dist/6.1-BETA4/kernels
# DESTDIR=/mnt sh ./install.sh generic
# rmdir /mnt/boot/kernel
# mv /mnt/GENERIC /mnt/boot/kernelMake the USB stick bootable:
# boot0cfg -v -B da0
# flag start chs type end chs offset size
1 0x80 0: 1: 1 0xa5 480: 63:32 32 985056
version=1.0 drive=0x80 mask=0xf ticks=182
options=packet,update,nosetdrv
default_selection=F1 (Slice 1)Create an fstab(5) file on the USB stick. Here's a simple one:
/dev/da0s1a / ufs rw 1 1
md /tmp mfs rw,-s16M,nosuid,noatime 0 0
/dev/acd0 /cdrom cd9660 ro,noauto,nosuid 0 0
proc /proc procfs rw 0 0Install any packages you might want:
# chroot /mnt /bin/sh
# pkg_add -r lsof rsync unzip zsh kde...
You're done.
Abonați-vă la:
Postări (Atom)
Map
