Thursday, 16 March 2017

VPN Road Warrior - Let's make it more secure


OpenBSD is a multi-platform operating system with a strong security focus.

This article walks through configuring an OpenVPN server on OpenBSD 6.0.
The setup can easily be adapted to other platforms.

Before configuring OpenVPN we need to set up the network interfaces and pf on OpenBSD.

Let's start......

Create /etc/sysctl.conf (or append to it) and add the line below to enable IP forwarding. Without it the server accepts tunnels but does not route client traffic to the LAN or the internet. The file is read at boot; to apply the setting right away run "sysctl net.inet.ip.forwarding=1" as root.
=======================================================
net.inet.ip.forwarding=1

Then give the LAN NIC a static address

=================================
#vi /etc/hostname.vmx0   <---- vmx0 is my NIC name

Mine is below; your NIC name and IP will differ, adjust them to your setup.

inet 192.168.x.x 255.255.255.0 


Create the VPN tunnel interface
=====================

#touch /etc/hostname.tun0
#vi /etc/hostname.tun0

My configuration is:

up
group openvpn
description "OpenVPN to local net 192.168.x.0/24"
! /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf --dev $if & false

The server subnet and the pushed routes live in server.conf; repeating --server and --push on this command line only gives you two places to keep in sync. The --dev $if after --config overrides the "dev tun" in the file, so OpenVPN is bound to exactly this tun0. The openvpn package also installs an rc.d script (rcctl enable openvpn, with the config path in its flags); use one of the two start methods, not both, or you get two daemons fighting over port 1194.

No route for 192.168.x.0/24 is needed on the server: that network is directly connected on vmx0, and clients receive it from the push "route" directive in server.conf. A command like

#route add -net 192.168.x.0/24 10.30.0.1

belongs on a client that did not get the pushed route, never on the server, where it would send LAN traffic into the tunnel.

Now configure PF
=============================
Edit /etc/pf.conf and add the NAT rule; the rest depends on your scenario. Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf".

Here is mine
#cat /etc/pf.conf
# Macros
# Every port in $services is reachable from the internet through the rules
# below. 3306 (MySQL) and 113 (ident) should only stay here if you really
# serve them publicly; OpenVPN itself only needs 1194.
services="{1194, 53, 80, 113, 3306}"
WebSTO="(max 150, source-track rule, max-src-states 25, max-src-nodes 15, max-src-conn-rate 200/200, overload <BLOCKTEMP> flush global)"
SshSTO="(max 5, source-track rule, max-src-states 5, max-src-nodes 5, max-src-conn-rate 5/60)"
TcpState="flags S/SA modulate state"
# Options
set block-policy return
set skip on lo
set fingerprints "/etc/pf.os"
set reassemble yes
#set block-policy drop
set state-policy if-bound

# Match rules (VPN): NAT the VPN pool out through the first address on egress
match out on egress from 10.30.0.0/24 to any nat-to egress:0

# Tables
table <BLOCKTEMP> counters
# <BLOCKPERM> is used by the two block rules below, so either define it here
# (uncomment the line and create the file) or comment out those rules as well.
#table <BLOCKPERM> counters file "/etc/pftables/pf_block_permanent"
table <spamd-white>
# Block perm table
block in quick on egress inet proto tcp from <BLOCKPERM> to any
block in quick on egress inet proto udp from <BLOCKPERM> to any
# Drop sources the overload rule on port www put into <BLOCKTEMP>; without a
# rule like this the table fills up but nothing is ever blocked. Expire old
# entries from cron with "pfctl -t BLOCKTEMP -T expire 86400".
block in quick on egress from <BLOCKTEMP> to any
# Block all incoming by default, allow everything out
block in log all
pass out
# Access to protected services, with per-source limits
pass in log on egress proto tcp from any to any port www $TcpState $WebSTO
pass in log on egress proto tcp from any to any port ssh $TcpState $SshSTO

# Access to other services (the tcp rule is what "proto tcp" in server.conf
# needs; the udp rule covers "proto udp")
pass in log on egress proto tcp from any to any port $services
#pass in log on egress proto udp from any to any port $services
pass in log inet6 proto tcp from any to any port $services
pass in log inet proto udp from any to any port $services
pass in inet proto icmp all
pass in on egress inet6 proto icmp6 all
# Traffic arriving from the VPN pool and from the LAN is trusted completely;
# tighten these if VPN clients should only reach specific hosts or ports.
pass in quick from 10.30.0.0/24 to any
pass in quick from 192.168.x.0/24 to any



Now install and configure OpenVPN
========================

# export PKG_PATH="http://ftp.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -m)/"
# pkg_add openvpn easy-rsa
# mkdir /etc/openvpn

Create server.conf in that directory with the following content:
========================================================

# address and port the server listens on
local 192.168.x.x
port 1194
# tcp gets through restrictive firewalls but carries TCP inside TCP; udp is the better default
proto tcp
#proto udp
dev tun
# compression of encrypted traffic: read the notes below before keeping this
comp-lzo
# require the clientAuth EKU on client certificates: see the notes below
#remote-cert-tls client
topology subnet
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
key /etc/openvpn/vpnserver.key
dh /etc/openvpn/dh2048.pem
# control-channel HMAC with the shared ta.key: see the notes below
#tls-auth /etc/openvpn/ta.key 0
server 10.30.0.0 255.255.255.0
# rewritten periodically after the privilege drop, so it must be writable by _openvpn
ifconfig-pool-persist /var/log/ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# the LAN behind the server (192.168.x.0/24 here), reached through the server's tunnel address
push "route 192.168.x.0 255.255.255.0 10.30.0.1"
push "route 10.30.0.1 255.255.255.255"
# send all client traffic through the tunnel; one default-route push is enough
#push "redirect-gateway def1 bypass-dhcp"
#push "redirect-gateway autolocal"
push "redirect-gateway"
#client-config-dir /etc/openvpn/private-client-conf/ccd/
client-to-client
# lets several devices share one certificate: see the notes below
duplicate-cn
keepalive 10 120
# WARNING: no data-channel encryption and no packet authentication, see the notes below
cipher none
auth none
persist-key
persist-tun

max-clients 100
user _openvpn
group _openvpn
# the status file is rewritten every 60 seconds, so it must not be the log file
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
# 6 is debugging output and fills the log quickly; use 3 in normal operation
verb 6

Notes on this configuration, from the top:

cipher none and auth none switch off the data-channel cipher and the HMAC entirely. Everything the clients send through the tunnel crosses the internet in clear text and can be altered on the way; only the TLS handshake is protected. Set cipher AES-256-CBC and auth SHA256 (AES-256-GCM once both ends run OpenVPN 2.4 or later) here and in every client profile; both sides must agree or the connection fails. Leaving cipher out is not better: OpenVPN 2.3 and 2.4 then fall back to BF-CBC, a 64-bit block cipher.

comp-lzo compresses data before it is encrypted. An attacker who can get chosen data into a connection and watch packet sizes can recover secrets from the size differences, the same class of attack as CRIME and BREACH against TLS. Remove it on both sides.

remote-cert-tls client is commented out, so the server accepts any certificate signed by the CA as a client certificate, including the server's own. With it, only certificates carrying the clientAuth extended key usage (what easyrsa build-client-full issues) are accepted. The client profile gets remote-cert-tls server for the same reason.

tls-auth /etc/openvpn/ta.key 0 makes OpenVPN HMAC-sign every control-channel packet with a shared key generated by "openvpn --genkey --secret /etc/openvpn/ta.key". Packets without a valid HMAC are dropped before they reach the TLS code, which stops port scans, handshake floods and the exploitation of TLS bugs by anyone who does not hold ta.key. The server uses key direction 0; the client gets the same file with key-direction 1.

duplicate-cn allows any number of devices to connect with the same certificate. When that certificate leaks you cannot tell which device leaked it, revoking it cuts off all of them, and client-config-dir entries (which are per common name) cannot address a single device either. Issue one certificate per device and drop this directive.

The gen-crl step later in this article produces a revocation list, but the server only consults it if server.conf contains crl-verify /etc/openvpn/crl.pem. Add that line and copy a fresh crl.pem to the server each time you revoke a client.

redirect-gateway without flags replaces the client's default route outright. The def1 form (commented out above) overrides it with two /1 routes and leaves the original route in place, which is what the OpenVPN manual recommends; pushing an explicit 0.0.0.0/0 route on top of either form is redundant.

status and log-append must not point at the same file: the status file is rewritten from scratch every 60 seconds and would keep truncating the log. ifconfig-pool-persist is read as root but written back after OpenVPN has switched to _openvpn, so chown that file to _openvpn or move it to a directory that user can write.
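To check a server.conf against the points above, here is a small lint written for this article; it is an added example, not code from the original post or from the OpenVPN project. The function names (audit_ovpn_conf, count_findings) are mine, and both sample configs are constructed here: "weak" reproduces the directives of the server.conf above, "hardened" is the same server with the recommended settings.

```shell
#!/bin/sh
# Added example: flag weak settings in an OpenVPN server config.

# value FILE DIRECTIVE -> prints the value of the first uncommented DIRECTIVE line
value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# present FILE DIRECTIVE -> exit 0 if an uncommented DIRECTIVE line exists
present() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# audit_ovpn_conf FILE -> prints one finding per line (nothing if clean)
audit_ovpn_conf() {
    f=$1
    case "$(value "$f" cipher)" in
        "")   echo "cipher: not set, OpenVPN 2.3/2.4 falls back to 64-bit-block BF-CBC" ;;
        none) echo "cipher: none disables data-channel encryption" ;;
    esac
    [ "$(value "$f" auth)" = none ] &&
        echo "auth: none disables the HMAC that authenticates every packet"
    present "$f" duplicate-cn &&
        echo "duplicate-cn: one certificate can be shared by any number of devices"
    present "$f" comp-lzo &&
        echo "comp-lzo: compressing encrypted traffic enables compression-oracle attacks"
    present "$f" tls-auth || present "$f" tls-crypt ||
        echo "tls-auth: missing, the handshake port answers unauthenticated packets"
    present "$f" remote-cert-tls ||
        echo "remote-cert-tls: missing, any CA-signed cert (even the server's) is accepted as a client"
    present "$f" crl-verify ||
        echo "crl-verify: missing, revoked client certificates still authenticate"
    [ "$(value "$f" proto)" = tcp ] &&
        echo "proto: tcp carries TCP inside TCP and stalls under packet loss, prefer udp"
    return 0
}

# count_findings FILE -> number of findings
count_findings() {
    audit_ovpn_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the directives of this article's server.conf that the lint inspects
weak_conf() {
    cat <<'EOF'
port 1194
proto tcp
dev tun
comp-lzo
#remote-cert-tls client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
key /etc/openvpn/vpnserver.key
dh /etc/openvpn/dh2048.pem
#tls-auth /etc/openvpn/ta.key 0
server 10.30.0.0 255.255.255.0
client-to-client
duplicate-cn
cipher none
auth none
EOF
}

# Constructed sample: the same server with the settings recommended in the notes
hardened_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
remote-cert-tls client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpnserver.crt
key /etc/openvpn/vpnserver.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
crl-verify /etc/openvpn/crl.pem
server 10.30.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
EOF
}

main() {
    tmp=$(mktemp -d)
    weak_conf > "$tmp/weak.conf"
    hardened_conf > "$tmp/hardened.conf"
    for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
        echo "== $(basename "$f"): $(count_findings "$f") finding(s)"
        audit_ovpn_conf "$f"
    done
    rm -rf "$tmp"
}
main
```

Run it as is to see the eight findings for the weak config and none for the hardened one, or call audit_ovpn_conf /etc/openvpn/server.conf against the real file. It only looks at directive names and values, so it will not catch a wrong key or a server started with contradicting command-line options.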




Generate Certificates
==================================

# cd /usr/local/share/easy-rsa
# ./easyrsa init-pki
# ./easyrsa build-ca
# ./easyrsa gen-dh
# ./easyrsa build-server-full yourservername nopass
# ./easyrsa build-client-full clientname nopass
# ./easyrsa gen-crl
# openvpn --genkey --secret /etc/openvpn/ta.key

server.conf refers to dh2048.pem and ta.key, so the gen-dh and --genkey steps are required even though they are easy to forget. The files end up under the pki directory easyrsa creates (pki in the current directory by default): ca.crt, dh.pem, crl.pem, issued/yourservername.crt and private/yourservername.key. Copy them to /etc/openvpn under the names used in server.conf (vpnserver.crt, vpnserver.key, dh2048.pem) and keep the server key and ta.key readable by root only; OpenVPN reads them before dropping privileges to _openvpn. ca.key stays in pki/private: it is only needed to sign and revoke, and ideally the easy-rsa directory lives on a machine that is not the VPN server.

build-server-full issues a certificate with the serverAuth extended key usage and build-client-full one with clientAuth. That is exactly what remote-cert-tls server (on the client) and remote-cert-tls client (on the server) check, so use these two commands rather than signing a generic request.

If you don't want a passphrase on a key, add nopass; otherwise easyrsa prompts for one. Keep the passphrase on the CA key, since it is only used at signing time and a leaked ca.key lets anyone issue certificates your server trusts.

Create a client profile with extension .ovpn
===================================

# cat client.ovpn


client
proto tcp
remote nabx.ddns.net 1194
dev tun
nobind
# must match the server; with cipher none / auth none the tunnel is not encrypted
cipher none
auth none
resolv-retry infinite
persist-key
persist-tun
comp-lzo
# the client uses direction 1 of ta.key, the server direction 0
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
contents of ca.crt (the CA certificate, never ca.key: embedding the CA private key would let every client issue certificates the server trusts)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
contents of clientname.crt (the PEM block; the "Certificate:" text dump easy-rsa writes above it can be left out)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
contents of clientname.key (a key generated with nopass starts with BEGIN PRIVATE KEY; an encrypted one starts with BEGIN ENCRYPTED PRIVATE KEY and the client prompts for the passphrase)
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
contents of ta.key; only needed when server.conf has "tls-auth /etc/openvpn/ta.key 0", in which case the server drops every client that does not present it
-----END OpenVPN Static key V1-----
</tls-auth>

Add remote-cert-tls server to the profile as well: the client then verifies that the certificate presented by the server carries the serverAuth extended key usage, so a stolen client certificate cannot be used to impersonate the server.
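Assembling that file by hand is where the ca.key and ENCRYPTED PRIVATE KEY mistakes above come from. The script below is an added example, not code from the original post or from the OpenVPN or easy-rsa projects: it builds the profile from the files easyrsa produced, keeps only the PEM blocks, and refuses to embed a CA file that contains a private key. The function names, the remote host and port, and the directory layout (ca.crt, NAME.crt, NAME.key and ta.key copied into one directory) are assumptions of this example; the profile it writes uses the hardened settings from the notes rather than cipher none.

```shell
#!/bin/sh
# Added example: build a single-file OpenVPN client profile with inlined
# certificate material.
set -u

# inline TAG FILE -> the PEM block of FILE wrapped in <TAG>...</TAG>; the
# "Certificate:" text dump easy-rsa writes above the PEM block is dropped
inline() {
    echo "<$1>"
    sed -n '/^-----BEGIN /,/^-----END /p' "$2"
    echo "</$1>"
}

# make_ovpn REMOTE PORT NAME DIR -> writes the profile to stdout, returns 1 if
# a file is missing or DIR/ca.crt holds a private key
make_ovpn() {
    remote=$1 port=$2 name=$3 dir=$4
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # clients get the CA certificate; the CA private key never leaves the CA
    if grep -q 'PRIVATE KEY' "$dir/ca.crt"; then
        echo "$dir/ca.crt contains a private key, refusing to embed it" >&2
        return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
nobind
resolv-retry infinite
persist-key
persist-tun
# verify the server cert carries the serverAuth EKU (set by easyrsa build-server-full)
remote-cert-tls server
# must match the server; never "none"
cipher AES-256-CBC
auth SHA256
# client side of the tls-auth key (the server uses direction 0)
key-direction 1
verb 3
EOF
    inline ca "$dir/ca.crt"
    inline cert "$dir/$name.crt"
    inline key "$dir/$name.key"
    inline tls-auth "$dir/ta.key"
}

case $# in
    4) make_ovpn "$@" ;;
    *) echo "usage: $0 REMOTE PORT CLIENTNAME DIR > CLIENTNAME.ovpn" >&2 ;;
esac
```

Usage on the CA machine, assuming the four files were copied into /tmp/clientname: sh make_ovpn.sh nabx.ddns.net 1194 clientname /tmp/clientname > clientname.ovpn. The resulting file contains the client's private key, so hand it over the same way you would hand over a password, and delete it from the CA once the device has it.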

