CMU OpenVPN Implementation

From CMU ITSC Network
Revision as of 07:29, 14 December 2018 by Supawit (talk | contribs)

บทนำ

บทความนี้เป็นการ implement OpenVPN Server ที่ให้ user log in ด้วย account ที่อยู่บน directory ขององค์กรโดยใช้ protocol radius โดยตัวอย่างจะใช้ server เป็น Ubuntu 18.04

การติดตั้ง package ที่จำเป็น

sudo add-apt-repository universe
sudo apt-get update && sudo apt-get install openvpn easy-rsa libgcrypt11-dev build-essential -y

radiusplugin

ติดตั้ง radiusplugin

cd
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar xvf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1
sudo make
sudo mkdir /etc/openvpn/radius
sudo cp -r radiusplugin.so /etc/openvpn/radius

ตั้งค่า radiusplugin

สร้างไฟล์ /etc/openvpn/radius/radius.cnf

NAS-Identifier=openvpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=10.1.1.1 # ip address ของ OpenVPN Server

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE     		   (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)

OpenVPNConfig=/etc/openvpn/server.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true. 
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=192.168.0.153
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=mysecret
}

การตั้งค่า OpenVPN Server

สร้าง directory สำหรับเก็บ CA(certificate authority), key pairs,DH, tls-auth-key

cd
make-cadir certificates && cd certificates

ตั้งค่าตัวแปรสำหรับสร้าง CA

แก้ไขไฟล์ vars ในส่วนของตัวแปรต่อไปนี้ตามต้องการ

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

จากนั้นทำการประกาศค่าตัวแปร

ln -s openssl-1.0.0.cnf openssl.cnf
source vars

สร้าง CA

./clean-all && ./build-ca

สร้าง Certificate/Key pairs

./build-key-server server

สร้าง DH

./build-dh

สร้าง shared secret

openvpn --genkey --secret keys/ta.key

Copy CA, Certificate/Key pairs และ share secret

sudo cp keys/{server.crt,server.key,ca.crt,dh2048.pem,ta.key} /etc/openvpn

ตั้งค่า OpenVPN server

สร้างไฟล์ /etc/openvpn/server.conf ดังนี้

port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.10.0 255.255.255.0 #ระบุ ip network ที่ต้องการ
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf

ตั้งค่า Firewall policy / NAT / IP Forwarding

อนุญาต ssh และ ssl

ufw allow ssh
ufw allow https
ufw enable