CMU OpenVPN Implementation

From CMU ITSC Network

บทนำ

บทความนี้เป็นการ implement OpenVPN Server ที่ให้ user log in ด้วย account ที่อยู่บน directory ขององค์กรโดยใช้ protocol radius โดยตัวอย่างจะใช้ server เป็น Ubuntu 18.04

การติดตั้ง package ที่จำเป็น

sudo add-apt-repository universe
sudo apt-get update && sudo apt-get install openvpn easy-rsa libgcrypt11-dev build-essential -y

radiusplugin

ติดตั้ง radiusplugin

cd
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar xvf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1
sudo make
sudo mkdir /etc/openvpn/radius
sudo cp -r radiusplugin.so /etc/openvpn/radius

ตั้งค่า radiusplugin

สร้างไฟล์ /etc/openvpn/radius/radius.cnf

NAS-Identifier=openvpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=10.1.1.1 # ip address ของ OpenVPN Server

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE     		   (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)

OpenVPNConfig=/etc/openvpn/server.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true. 
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=192.168.0.153
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=mysecret
}

การตั้งค่า OpenVPN Server

สร้าง directory สำหรับเก็บ CA(certificate authority), key pairs,DH, tls-auth-key

cd
make-cadir certificates && cd certificates

ตั้งค่าตัวแปรสำหรับสร้าง CA

แก้ไขไฟล์ vars ในส่วนของตัวแปรต่อไปนี้ตามต้องการ

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

จากนั้นทำการประกาศค่าตัวแปร

ln -s openssl-1.0.0.cnf openssl.cnf
source vars

สร้าง CA

./clean-all && ./build-ca

สร้าง Certificate/Key pairs

./build-key-server server

สร้าง DH

./build-dh

สร้าง shared secret

openvpn --genkey --secret keys/ta.key

Copy CA, Certificate/Key pairs และ share secret

sudo cp keys/{server.crt,server.key,ca.crt,dh2048.pem,ta.key} /etc/openvpn

ตั้งค่า OpenVPN server

สร้างไฟล์ /etc/openvpn/server.conf ดังนี้

port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.10.0 255.255.255.0 #ระบุ ip network ที่ต้องการ
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf

ตั้งค่า Firewall policy / NAT / IP Forwarding

อนุญาต ssh และ ssl

ufw allow ssh
ufw allow https
ufw enable

เพิ่ม NAT policy โดยแก้ไขไฟล์ /etc/ufw/before.rules เพิ่มบรรทัดต่อไปนี้ที่บรรทัดบนสุดของไฟล์

*nat
:POSTROUTING ACCEPT [0:0] 
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE
COMMIT