31 July 2009

Dual factor OpenVPN with Active Directory and Certificate Services (Part 3 of 4)

3 Building OpenVPN
It is possible to build from scratch, but here are the instructions for using RPM packages. LZO is the compression library package to boost OpenVPN's performance.

Specifically, these are the packages:
lzo2-2.02-3.el5.rf.i386.rpm
lzo2-devel-2.02-3.el5.rf.i386.rpm (optional)
openvpn-2.0.9-1.el5.rf.i386.rpm


3.1 Build and install the bridge.
The bridge consists of bridge-utils and sysfsutils. This example has an older version.

# yum install bridge-utils:
(1/2): sysfsutils-1.3.0-1 100% |=========================| 64 kB 00:01
(2/2): bridge-utils-1.0.6 100% |=========================| 27 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: sysfsutils ######################### [1/2]
Installing: bridge-utils ######################### [2/2]
Installed: bridge-utils.i386 0:1.0.6-1.2
Dependency Installed: sysfsutils.i386 0:1.3.0-1.2.1
Complete!


3.2 Install OpenVPN
The LZO libraries are found at http://www.oberhumer.com/opensource/lzo/. Or you can search for them on RPMfind. LZO is used for data compression. The OpenVPN version 2.0.9 is a bit old, but it is widely supported and is the latest stable. The RC candidates can be explored in future deployments.

Installation is simple:

# rpm -ivh lzo-2.02-2.el5.1.i386.rpm
# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
# pwd
/usr/share/doc/openvpn-2.0.9
# cp -pR * /etc/openvpn


That is it. You are done – but for one thing, disable OpenVPN in ntsysv. We will use a script to start it, because we need the bridge up before OpenVPN.

3.3 Create the PKI infrastructure
You should already have Active Directory Certificates Services up and running. You will have a total of three keys/certificates at the end:
• an identification certificate from the CA
• a D-H key, used for TLS/SSL encryption
• a TA.key, which prevents untrusted clients from even connecting to the system


3.3.1 Get the identification certificate
Go to https://yourdomain/certsrv/
Select the ComputerALL Template
"Name" is the name of the machine, not your name…
INCLUDE ALL CERTIFICATES = check (this package must include the CA path and certificate)
ENABLE STRONG PROTECTION = no check
Get the PFX file and move it on the vpn server. Use MOVE, not COPY. We do not want multiple copies of this file.
If you do not want to enter a password every time you start OpenVPN, then do not include a password on the PFX file.

On the OpenVPN box:

# pwd
/etc/openvpn/easy-rsa
# mkdir keys
# chmod 700 keys
# mv [source] openvpnServer.pfx
# chmod 600 openvpnServer.pfx


3.3.2 Generate the DH key
Edit the vars file to generate the DH key in the easy-rsa folder. Keep the key length at 1024.
export KEY_COUNTRY=YOURCOUNTRY
export KEY_PROVINCE=YOURSTATE
export KEY_CITY=YOURCITY
export KEY_ORG="YOURGROUP"
export KEY_EMAIL="noreply@yourdomain.com"


Then build the key.
# . ./vars # . ./build-dh

3.3.3 TA key generation
Create the ta key for added security. It is optional, but the causes OpenVPN to drop any connection handshake attempt that does not have the ta key.
# pwd
/etc/openvpn/easy-rsa/keys
# openvpn --genkey --secret ta.key # ls dh1024.pem ta.key openvpnServer.pfx


3.4 Create the bridge
The bridge scripts can be found in the sample-scripts folder. The bridge is what will be used so full access is possible for clients.

# cp -p bridge-start bridge-stop /etc
# chmod 700 bridge-start bridge-stop
# vi /etc/bridge-start
## Define physical ethernet interface to be bridged
## with TAP interface(s) above.
eth="eth0"
eth_ip="
10.X.X.X"
eth_netmask="255.0.0.0"
eth_broadcast="10.X.X.255"


Then start the bridge.
# /etc/bridge-start

If everything is working it should look like this, with a br0 and a tap0 – the tap does NOT have an ip address, everything else should:

# ifconfig
br0 Link encap:Ethernet HWaddr 00:0C:29:1F:F7:F2
inet addr:10.X.X.X Bcast:10.X.X.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr 00:0C:29:1F:F7:F2
inet addr:10.
X.X.X Bcast:10.X.X.255 Mask:255.0.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:0C:29:1F:F7:FC
inet addr:1.X.X.X Bcast:1.X.X.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1

tap0 Link encap:Ethernet HWaddr 7A:DD:C3:66:AA:2C
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

You also have to add these to allow traffic. They will work, even if iptables is off.

# iptables -A INPUT -i tap0 -j ACCEPT
# iptables -A INPUT -i br0 -j ACCEPT
# iptables -A FORWARD -i br0 -j ACCEPT


3.5 Starting at boot

Now, set it all up to start automatically. You likely will need to add a route command so the VPN is available on the inside network from areas other than the subnet.

# pwd
#/etc/rc.d/rc3.d

# vi S99local
/etc/bridge-start
service openvpn start
route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.X.X.X


Then get the server.conf file configured.
Make sure this line is in there:
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

Details of what should be in the conf file can be found by looking at a sample.

Then start the openvpn service:

service openvpn start
If there is a FAILURE to start, check the openvpn.log to see what is going on. I find tail –f in a separate window is very handy, as it is a live look at the log file.

vi /etc/sysconfig/network and set the gateway to the outside address.

Next, we will set up the client.

No comments: