This post builds on the steps outlined in the previous post. By adding username/password authentication you get a two-factor authentication mechanism for your OpenVPN server: the client needs a usable client certificate and key to authenticate itself to the server, and must also provide a valid username and password.
We already covered certificate authentication in the previous post, so I won't go over it here. To add the user/pass mechanism we only need to add one or two lines to the existing configuration files.
In the server config file, add the following:
plugin /usr/lib/openvpn/openvpn-auth-pam.so system-auth
On the server create a group called vpn
# groupadd vpn
Then we can create each user:
# useradd -s /bin/false -g vpn vpntest
This creates the user, puts them in the vpn group and gives them /bin/false as a shell so the account cannot log in interactively.
# passwd vpntest
This gives the user vpntest a password for authentication.
On the client config file, add the following:
auth-user-pass
pull
That's it. Keep in mind that we were adding to the config files from the previous post, so it is presumed that you already have a working OpenVPN server that accepts client key/certificate authentication.
Resources/Good Reading:
http://www.uno-code.com/?q=node/120
Notes on my research from topics involving Linux, Network Security, Pentesting, Network/Computer Forensics and more. My intention is to use the knowledge for good and to raise awareness with regards to cyber security threats and other vulnerabilities. Therefore, as I learn, you can learn too.
Tuesday, May 31, 2011
Saturday, May 28, 2011
OpenVPN configs made easy
If you are reading this, I'm assuming that you already know what a VPN is. If you are not familiar with the term, you can read this Wikipedia entry to get up to speed with the technology.
This guide is not a full-featured guide on how to set up the "complicated" OpenVPN software. For quite some time now I have avoided OpenVPN, as I've always read about how hard it is to set up and configure. I've used other VPN technologies such as Hamachi and Adito. While these solutions are great, I've always felt like I was holding myself back by not giving OpenVPN a chance. After following some tutorials, some quite simple and others very complex, I am happy to say that I've finally set up an OpenVPN server. The best thing I have taken from this experience is that it's not all that hard to set up. There are guides out there that seem very intimidating on the topic, and my hope is to take this confusion away and give you the quick 101 of OpenVPN.
---+++Using openvpn with secret key.+++---
I've used Backtrack 5 to set up my server (you can use other Linux distros as well).
- Install OpenVPN. Backtrack 5 already comes with it pre-installed. If your distro didn't come with it already installed, you can install it by issuing # apt-get install openvpn (applicable for Debian-based systems that use apt for managing packages)
- Navigate to OpenVPN's config dir. # cd /etc/openvpn
- Create a secret key. # openvpn --genkey --secret secret.key
- By default no config file is available. Let's create one. # touch openvpn.conf
- Using your favorite text editor, open up the config file that you've just created and enter the following:
proto udp # protocol to use. Either tcp or udp
port 1194 # port num
dev tun # can be either tun or tap. Tun is simpler to set up
ifconfig 10.0.0.1 10.0.0.2 # The 10.0.0.1 is the desired IP for our server's virtual interface and the other is the peer
secret /etc/openvpn/secret.key # secret key used for authentication
cipher AES-128-CBC # encryption cipher to use
user nobody # drop privileges to this user
group nobody # same as above
verb 3 # logging level
That's it for the server setup. Now copy the secret.key file and the openvpn.conf file to another Linux client that already has OpenVPN installed. Note that the server and client config files are almost identical, with a few minor changes. Copy the files to the location /home/user/.openvpn (this location is not mandatory, but let's just be organized).
- First change the permissions of the config and secret key file. # chmod 644 secret.key ; chmod 644 openvpn.conf
- We need to add one line to the openvpn.conf file and modify the ifconfig parameter, so the client's openvpn.conf file will look like this:
remote 192.168.0.5 # VPN server's real IP
proto udp
port 1194
dev tun
ifconfig 10.0.0.2 10.0.0.1 # notice the change here
secret /home/user/.openvpn/secret.key
cipher AES-128-CBC
user nobody
group nobody
verb 3
That's all for the client configuration.
Starting the server and client takes identical commands and requires root privileges. Once you are root, you can start the server and client like so: # openvpn --config /etc/openvpn/openvpn.conf
Once the connection is established, both the server and client terminal windows should give some details similar to this:
Sat May 28 20:53:16 2011 Initialization Sequence Completed
To test your VPN connection, you can use the ping utility.
---+++Using openvpn with certificates.+++---
Server setup:
- Copy the scripts for handling certificates to the /etc/openvpn directory. # cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
- Go to the scripts dir. # cd /etc/openvpn/easy-rsa/2.0
- Modify the "vars" file. The variables that you want to modify are at the bottom of the file. These include KEY_COUNTRY, KEY_PROVINCE etc.
- After modifying the vars file, source it. # source ./vars
- Clean up older keys. # ./clean-all
- Create the CA key and certificate. # ./build-ca
- Create the OpenVPN server's certificate and key. # ./build-key-server openvpn_server
- Create client keys and certificates. # ./build-key client1
- Create the DH parameters. # ./build-dh # this can take 2-4 minutes. Move your mouse around and be patient :)
- Go to the keys directory. # cd keys
- Copy the dh1024.pem, ca.crt, openvpn_server.crt and openvpn_server.key files to the /etc/openvpn/ directory
- Let's create our server config file:
tls-server # this would be the server in tls mode
proto udp # protocol to use. Either tcp or udp
port 1194 # port num
dev tun # can be either tun or tap. Tun is simpler to set up
ifconfig 10.0.0.1 10.0.0.2 # The 10.0.0.1 is the desired IP for our server's virtual interface and the other is the peer
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn_server.crt
key /etc/openvpn/openvpn_server.key
dh /etc/openvpn/dh1024.pem
cipher AES-128-CBC # encryption cipher to use
user nobody # drop privileges to this user
group nobody # same as above
verb 3 # logging level
Client setup:
- Copy the ca.crt, client1.crt and the client1.key files to the client.
- Create its config file:
tls-client # this would act as client in tls mode
remote 192.168.0.5 # VPN server's real IP
proto udp
port 1194
dev tun
ifconfig 10.0.0.2 10.0.0.1 # notice the change here
ca /home/user/.openvpn/ca.crt
cert /home/user/.openvpn/client1.crt
key /home/user/.openvpn/client1.key
cipher AES-128-CBC
user nobody
group nobody
verb 3
Again, starting the server and client takes the same command, but you must have root privileges. Once you are root, you can start the server and client like so: # openvpn --config /etc/openvpn/openvpn.conf
Once the connection is established, both the server and client terminal windows should give some details similar to this:
Sat May 28 20:53:16 2011 Initialization Sequence Completed
To test your VPN connection, you can use the ping utility and ping each node.
Extra:
If you want to revoke client keys:
# ./revoke-full client1
This adds client1 to a sort of black list that no longer allows them to connect to our VPN. The file that houses this black list is crl.pem. Create a hard link (ln without the -s option) to this file in the /etc/openvpn/ directory.
You would also need to add this line to the configuration file on the server. This causes the server to check its revocation list whenever clients try to establish a connection to the VPN server.
crl-verify /etc/openvpn/crl.pem
I noticed that when a revoked client tried to connect to the VPN, not only were they denied service, the VPN server was also shutting down. It seems that when OpenVPN shuts the connection down, it tries to reinitialize its tun interface, but fails to do so because in our config file we dropped our privileges to nobody. This issue is quickly resolved by commenting out or deleting the lines with the parameters user and group in the server config file.
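Both setups above lean on the same few server-side settings: the user/group privilege drop, crl-verify so revoked certificates are actually rejected, and private key material on disk. The following is an added example, not code from the original post, that audits an OpenVPN server config for exactly those points. It uses OpenVPN's real directive names and reads file paths from the config itself; the permission check flags the chmod 644 used above, because a static secret or a TLS private key that is world-readable can be copied by any local user.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an OpenVPN server config
# for the points the secret-key and certificate setups above rely on (dropping
# privileges with user/group, checking the CRL with crl-verify) plus a
# permission check on the secret/key files. Directive names are OpenVPN's; the
# file paths are taken from the config being audited.

# Print the first argument of a directive, ignoring '#' comments as OpenVPN does.
#   conf_value server.conf crl-verify   ->  /etc/openvpn/crl.pem
conf_value() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Succeed if the directive appears at all (works for argument-less ones like tls-server).
has_directive() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# Succeed if the file has the world-read bit set (8th character of 'ls -l' is 'r').
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print one finding per line; the return value is the number of findings (0 = clean).
audit_openvpn_conf() {
    conf="$1"
    findings=0
    # A TLS server without crl-verify keeps accepting revoked client certificates.
    if has_directive "$conf" tls-server && ! has_directive "$conf" crl-verify; then
        echo "tls-server without crl-verify: revoked client certificates are still accepted"
        findings=$((findings + 1))
    fi
    # Without user and group the daemon keeps running as root after the tunnel is up.
    for d in user group; do
        if ! has_directive "$conf" "$d"; then
            echo "no '$d' directive: openvpn keeps running as root"
            findings=$((findings + 1))
        fi
    done
    # The static secret and the TLS private key must not be readable by everyone.
    for d in secret key; do
        f=$(conf_value "$conf" "$d")
        if [ -n "$f" ] && [ -f "$f" ] && world_readable "$f"; then
            echo "$d file $f is world-readable: use chmod 600"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: audit_openvpn_conf /etc/openvpn/openvpn.conf; echo "findings: $?"
```

Run it against the server's openvpn.conf after every change; a non-zero return stops a deployment script. Note that the workaround in the Extra section (removing user and group) trades away the privilege drop and will be reported by this audit; OpenVPN's persist-key and persist-tun directives exist for exactly this restart-after-privilege-drop situation and let the daemon keep the tun device and key material without re-acquiring root.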
Resources/Good Reading:
http://openmaniak.com/openvpn_tutorial.php
http://www.adamsinfo.com/quick-linux-and-windows-openvpn-howto-and-tutorial-including-vpn-routing/
Monday, May 23, 2011
Vicompress: http proxy server
Vicompress is an HTTP proxy server with the ability to cache requests in memory. It has a small footprint, but because it caches content in memory it can eventually use up a lot of memory. It also has decent log statistics capabilities and outputs them to an HTML-formatted page. Most importantly to me, setup and configuration are quite simple.
Installation:
1. Download the installation package from the visolve website. In my case, I downloaded the .deb version of the package.
2. To install I used the command: # dpkg -i package-name
Configuration:
For details on all configuration parameters, go here.
The default configuration would do just fine, but it's useful to learn its parameters.
Here is a snapshot of my vicompress.conf configuration file:
listen 0.0.0.0 8080
outgoingip 0.0.0.0
enable_compression yes
enable_caching yes
cache_memory 200
max_cacheditem_size 10000
cache_expires 2
enable_dns_caching yes
dns_expires 2
user nobody
rotatesize 10
logformat squid
enable_debug no
accesslog /usr/local/vicompress/log/accesslog
errorlog /usr/local/vicompress/log/errorlog
errorpage /usr/local/vicompress/etc/errorpage.html
logstats /usr/local/vicompress/logstats
To start the server: # /usr/local/vicompress/bin/vicompress.sh start
To view the statistics of your proxy server: a report usually gets generated every hour. You can speed this up by issuing these commands:
# cd /usr/local/vicompress
# ./bin/update_log_stats /log/accesslog logstats
To view the report issue: # firefox /usr/local/vicompress/logstats/statsindex.html
Resources / Goodreading:
visolve
Saturday, May 14, 2011
Inetd and perl
Just a quick, simple trick that can help you set up servers quickly and easily. You don't have to know a lot about programming either, but it helps to know what inetd is in Linux.
Inetd, according to its man page, is an internet superserver. Big words aside, it listens on a given port for you and, when a connection comes in, calls the appropriate application to handle it. It turns out that you can use inetd's sockets for network communication instead of programming your own. That means inetd can listen on port 80 and, when a connection comes in on that port, run a shell script that simply sends back some text or HTML tags. Inetd hands the connection to the program as its standard input and standard output: whatever the client sends arrives on the program's standard input, and whatever the program prints on standard output goes back to the client.
Let's quickly demonstrate this with a bash script.
#!/bin/bash
echo "Hello World"
Now save that script to a file called hello.sh and give the file executable permissions.
# chmod 555 hello.sh
Now configure /etc/inetd.conf as follows:
http-alt stream tcp4 nowait root /root/hello.sh
Now save the file.
Run the inetd daemon:
# /etc/init.d/inetutils-inetd start
Now netcat to port 8080 (which is the port the http-alt service name maps to) and you should receive a response:
root@bt~#: nc 127.0.0.1 8080
Hello World
root@bt~#:
All should work well if done right. Now to get a little bit more fancy, I've put together a Perl script that takes an input and returns the MD5 hash of that input (an MD5 hashing service, if you will).
#!/usr/bin/perl -w
# A simple inetd socket server.
use strict;
use Digest::MD5 qw(md5_hex);

# Disable output buffering on STDOUT so prompts reach the client immediately.
my $old_fh = select(STDOUT);
$| = 1;
select($old_fh);

print "++ MD5 pass generator ++\n\n";
print "Type \'exit\' at anytime to quit\n";
print "Enter string to be hashed: ";
while (my $line = <STDIN>)
{
    # strip the line ending (netcat/telnet clients may send CRLF)
    $line =~ s/\r?\n$//;
    #chomp($line);
    if ($line =~ /^exit$/)
    {
        die "shutting down\n";
    }
    # do your processing here!
    # Hash in-process with Digest::MD5. Interpolating $line into a backtick
    # command (echo -n $line | openssl md5) would hand client input to a shell,
    # so shell metacharacters in the input could run commands on the server.
    my $hash = md5_hex($line);
    print "$hash\n";
    print "Enter string to be hashed: ";
}
Save the Perl script to a file like md5.pl and chmod 555 your file.
Start the inetd daemon as shown above and use netcat to connect to the service :)
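The same service can be written in plain POSIX sh, which makes the one point that matters for an inetd handler easy to see: anything the client sends must be treated as data, never pasted into a command line. The block below is an added example, not code from the original post. It assumes the service is started with the argument serve (inetd passes the arguments listed after the program path, starting with argv[0]) and that md5sum from coreutils is available.

```shell
#!/bin/sh
# Added example, not part of the original post: the line-oriented MD5 service
# from the Perl script above, in POSIX sh, with client input handled strictly
# as data. inetd connects the socket to stdin/stdout, so the script only reads
# and prints.

# Hash one line. The text goes to md5sum on stdin via printf '%s' and is never
# interpolated into a command string, so ';', '$(...)' or backticks in the
# input are just characters to be hashed.
md5_of_line() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Clients like netcat or telnet may send CRLF; drop the carriage return.
strip_cr() {
    printf '%s' "$1" | tr -d '\r'
}

# Serve the protocol on stdin/stdout: prompt, read a line, hash it, repeat
# until the client types 'exit'.
serve() {
    printf '++ MD5 hashing service ++\n\n'
    printf "Type 'exit' at any time to quit\n"
    printf 'Enter string to be hashed: '
    while IFS= read -r line; do
        line=$(strip_cr "$line")
        if [ "$line" = "exit" ]; then
            printf 'shutting down\n'
            return 0
        fi
        printf '%s\n' "$(md5_of_line "$line")"
        printf 'Enter string to be hashed: '
    done
}

# Only start serving when invoked with the argument 'serve' (assumed
# convention for this example); sourcing the file just defines the functions.
if [ "${1:-}" = "serve" ]; then
    serve
fi
```

To wire it up, replace the /root/hello.sh entry in /etc/inetd.conf with something like `http-alt stream tcp4 nowait nobody /usr/local/bin/md5.sh md5.sh serve` (path and argument are this example's assumptions): the handler needs no privileges, so it can run as nobody rather than root, and even if a future edit reintroduces a shell interpolation bug the process has nothing to give away.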
Backtrack 5 is out
Backtrack 5 is out, folks. Head on over to the Backtrack website to get yourself a copy of this well put together masterpiece. There are 32- and 64-bit versions available now, as well as the classic KDE-styled version and a new GNOME version, which puts you in an Ubuntu-like environment. I've decided to go with the GNOME version, as I'm used to Ubuntu and it was refreshing to use something other than the classic desktop environment. All versions should have the same tools and capabilities, so it's all a matter of preference.
What are you waiting for? Get your copy here.