Preparing Lan-Warrior VPN

*.We will go through a few steps to configure the server and the client or clients.*

Installing openvpn
stationx:~# aptitude install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
The following NEW packages will be installed:
  liblzo2-2{a} libpkcs11-helper1{a} openvpn openvpn-blacklist{a} 

Then, before starting, copy these files:
#cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Then change into the easy-rsa directory:
# cd /etc/openvpn/easy-rsa/2.0/

*. The next step is to create the certificate authority.*
First edit this file and fill in the values that apply to you.
stationx:/etc/openvpn/easy-rsa/2.0# tail -n 5 vars
export KEY_COUNTRY="AR"
export KEY_PROVINCE="BS"
export KEY_CITY="CAMPANA"
export KEY_ORG="RESTAURACION"
export KEY_EMAIL="restaurador@restauradordeleyes.com.ar"
stationx:/etc/openvpn/easy-rsa/2.0#

Clean everything out with these commands (the first attempt at build-ca below was interrupted with ^C and then re-run).

stationx:/etc/openvpn/easy-rsa/2.0# . vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
stationx:/etc/openvpn/easy-rsa/2.0# sh clean-all

stationx:/etc/openvpn/easy-rsa/2.0# sh build-ca
Generating a 1024 bit RSA private key
....++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:^C
stationx:/etc/openvpn/easy-rsa/2.0# sh build-ca
Generating a 1024 bit RSA private key
............++++++
............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BS]:
Locality Name (eg, city) [CAMPANA]:
Organization Name (eg, company) [RESTAURACION]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [RESTAURACION CA]:
Email Address [restaurador@restauradordeleyes.com.ar]:
stationx:/etc/openvpn/easy-rsa/2.0#

*.Now on to the client and server certificates.*

Server:
stationx:/etc/openvpn/easy-rsa/2.0# sh build-key-server restaurador
Generating a 1024 bit RSA private key
..........................................................................++++++
............++++++
writing new private key to 'restaurador.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BS]:
Locality Name (eg, city) [CAMPANA]:
Organization Name (eg, company) [RESTAURACION]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [restaurador]:
Email Address [restaurador@restauradordeleyes.com.ar]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AR'
stateOrProvinceName :PRINTABLE:'BS'
localityName :PRINTABLE:'CAMPANA'
organizationName :PRINTABLE:'RESTAURACION'
commonName :PRINTABLE:'restaurador'
emailAddress :IA5STRING:'restaurador@restauradordeleyes.com.ar'
Certificate is to be certified until Aug 31 20:01:13 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
stationx:/etc/openvpn/easy-rsa/2.0#

Let's look at what it created.
stationx:/etc/openvpn/easy-rsa/2.0# ls -la keys/res*
-rw-r--r-- 1 root root 4049 2010-09-03 16:01 keys/restaurador.crt
-rw-r--r-- 1 root root 704 2010-09-03 16:01 keys/restaurador.csr
-rw------- 1 root root 887 2010-09-03 16:01 keys/restaurador.key
stationx:/etc/openvpn/easy-rsa/2.0#

Now a client:
stationx:/etc/openvpn/easy-rsa/2.0# sh build-key juanmanuel
Generating a 1024 bit RSA private key
.++++++
........++++++
writing new private key to 'juanmanuel.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BS]:
Locality Name (eg, city) [CAMPANA]:
Organization Name (eg, company) [RESTAURACION]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [juanmanuel]:
Email Address [restaurador@restauradordeleyes.com.ar]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AR'
stateOrProvinceName :PRINTABLE:'BS'
localityName :PRINTABLE:'CAMPANA'
organizationName :PRINTABLE:'RESTAURACION'
commonName :PRINTABLE:'juanmanuel'
emailAddress :IA5STRING:'restaurador@restauradordeleyes.com.ar'
Certificate is to be certified until Aug 31 20:03:03 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
stationx:/etc/openvpn/easy-rsa/2.0#

Another client:

stationx:/etc/openvpn/easy-rsa/2.0# sh build-key encarnacion
Generating a 1024 bit RSA private key
.....++++++
..........++++++
writing new private key to 'encarnacion.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AR]:
State or Province Name (full name) [BS]:
Locality Name (eg, city) [CAMPANA]:
Organization Name (eg, company) [RESTAURACION]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [encarnacion]:
Email Address [restaurador@restauradordeleyes.com.ar]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AR'
stateOrProvinceName :PRINTABLE:'BS'
localityName :PRINTABLE:'CAMPANA'
organizationName :PRINTABLE:'RESTAURACION'
commonName :PRINTABLE:'encarnacion'
emailAddress :IA5STRING:'restaurador@restauradordeleyes.com.ar'
Certificate is to be certified until Aug 31 20:03:37 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
stationx:/etc/openvpn/easy-rsa/2.0#

stationx:/etc/openvpn/easy-rsa/2.0# ls -la keys/juan*
-rw-r--r-- 1 root root 3926 2010-09-03 16:03 keys/juanmanuel.crt
-rw-r--r-- 1 root root 704 2010-09-03 16:03 keys/juanmanuel.csr
-rw------- 1 root root 887 2010-09-03 16:03 keys/juanmanuel.key
stationx:/etc/openvpn/easy-rsa/2.0# ls -la keys/en*
-rw-r--r-- 1 root root 3927 2010-09-03 16:03 keys/encarnacion.crt
-rw-r--r-- 1 root root 704 2010-09-03 16:03 keys/encarnacion.csr
-rw------- 1 root root 891 2010-09-03 16:03 keys/encarnacion.key
stationx:/etc/openvpn/easy-rsa/2.0#

*.Generating the Diffie-Hellman parameters.*

stationx:/etc/openvpn/easy-rsa/2.0# sh build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
stationx:/etc/openvpn/easy-rsa/2.0#

Now step by step: put each file in its place.

Server:
stationx:/etc/openvpn/easy-rsa/2.0/keys# cp ca.crt ca.key restaurador.key restaurador.crt dh1024.pem /etc/openvpn/
stationx:/etc/openvpn/easy-rsa/2.0/keys#

Client 1:
stationx:/etc/openvpn/easy-rsa/2.0/keys# scp ca.crt encarnacion.crt encarnacion.key root@172.16.31.132:/etc/openvpn
root@172.16.31.132's password:
ca.crt 100% 1322 1.3KB/s 00:00
encarnacion.crt 100% 3927 3.8KB/s 00:00
encarnacion.key 100% 891 0.9KB/s 00:00
stationx:/etc/openvpn/easy-rsa/2.0/keys#

Client 2:

stationx:/etc/openvpn/easy-rsa/2.0/keys# scp ca.crt juanmanuel.crt juanmanuel.key root@172.16.31.128:/etc/openvpn
The authenticity of host '172.16.31.128 (172.16.31.128)' can't be established.
RSA key fingerprint is a2:f6:84:00:e0:13:5b:14:6c:22:24:0f:d0:c2:e8:84.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.31.128' (RSA) to the list of known hosts.
root@172.16.31.128's password:
ca.crt 100% 1322 1.3KB/s 00:00
juanmanuel.crt 100% 3926 3.8KB/s 00:00
juanmanuel.key 100% 887 0.9KB/s 00:00
stationx:/etc/openvpn/easy-rsa/2.0/keys#

Server configuration:

stationx:/etc/openvpn# cat server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert restaurador.crt
key restaurador.key
dh dh1024.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
stationx:/etc/openvpn#

Client configuration:

stationx:/etc/openvpn# cat client.conf
client
dev tun
proto udp
remote 172.16.31.129 # where I want to connect
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert encarnacion.crt
key encarnacion.key
comp-lzo
verb 4

stationx:/etc/openvpn#

Another client

clientex:/etc/openvpn# cat client.conf
client
dev tun
proto udp
remote 172.16.31.129 # where I want to connect
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert juanmanuel.crt
key juanmanuel.key
comp-lzo
verb 4
clientex:/etc/openvpn#
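As an added example (not code from the original post), here is a small Python audit of an OpenVPN 2.x config such as the client.conf above; it assumes only the standard library, and each finding refers to an option the post's configs omit or to a parameter the post's server log shows being negotiated (cipher BF-CBC).

```python
# Added example, not code from the original post: a small audit of an OpenVPN 2.x
# config such as the client.conf above. Each finding refers to an option the
# post's configs omit or to a parameter its server log shows being negotiated.
# Constructed sample: the post's client.conf, with its comment translated.
SAMPLE_CLIENT_CONF = """\
client
dev tun
proto udp
remote 172.16.31.129 # where I want to connect
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert encarnacion.crt
key encarnacion.key
comp-lzo
verb 4
"""
# 64-bit block ciphers and "none". BF-CBC was the OpenVPN 2.x default when no
# cipher line is given, which is what the post's server log shows negotiated.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "RC2-CBC", "NONE"}

def parse_conf(text):
    """Map option name -> list of argument lists; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = line.split()
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def audit(text):
    """Return [(severity, message)] findings for one configuration."""
    opts = parse_conf(text)
    names = set(opts)
    findings = []
    if ("client" in names or "tls-client" in names) and not (
            names & {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}):
        findings.append(("HIGH", "no 'remote-cert-tls server' (or ns-cert-type server): "
                         "the client accepts any certificate issued by the CA as the server"))
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("MEDIUM", "no tls-auth/tls-crypt: control channel packets are not "
                         "HMAC-authenticated before the TLS handshake"))
    cipher = opts["cipher"][0][0].upper() if "cipher" in opts else "BF-CBC"
    if cipher in WEAK_CIPHERS:
        findings.append(("HIGH", f"data channel cipher {cipher}; configure an AES cipher "
                         "such as AES-256-CBC on both server and clients"))
    if names & {"comp-lzo", "compress"}:
        findings.append(("MEDIUM", "compression enabled: ciphertext sizes then leak "
                         "information about plaintext (VORACLE-style)"))
    return findings
```

audit(SAMPLE_CLIENT_CONF) yields two HIGH and two MEDIUM findings; run on the post's server.conf it reports the same cipher, tls-auth and compression findings, since those options must match on both sides.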

Here we can see in the server log how the client connected to the server:
Fri Sep 3 16:35:35 2010 us=289736 MULTI: multi_create_instance called
Fri Sep 3 16:35:35 2010 us=289916 172.16.31.128:39961 Re-using SSL/TLS context
Fri Sep 3 16:35:35 2010 us=289982 172.16.31.128:39961 LZO compression initialized
Fri Sep 3 16:35:35 2010 us=290231 172.16.31.128:39961 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 3 16:35:35 2010 us=290265 172.16.31.128:39961 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 3 16:35:35 2010 us=290324 172.16.31.128:39961 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Sep 3 16:35:35 2010 us=290347 172.16.31.128:39961 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Sep 3 16:35:35 2010 us=290382 172.16.31.128:39961 Local Options hash (VER=V4): '530fdded'
Fri Sep 3 16:35:35 2010 us=290412 172.16.31.128:39961 Expected Remote Options hash (VER=V4): '41690919'
Fri Sep 3 16:35:35 2010 us=290477 172.16.31.128:39961 TLS: Initial packet from 172.16.31.128:39961, sid=dd58189d bee53e99
Fri Sep 3 16:35:35 2010 us=414886 172.16.31.128:39961 VERIFY OK: depth=1, /C=AR/ST=BS/L=CAMPANA/O=RESTAURACION/CN=RESTAURACION_CA/emailAddress=restaurador@restauradordeleyes.com.ar
Fri Sep 3 16:35:35 2010 us=415292 172.16.31.128:39961 VERIFY OK: depth=0, /C=AR/ST=BS/L=CAMPANA/O=RESTAURACION/CN=juanmanuel/emailAddress=restaurador@restauradordeleyes.com.ar
Fri Sep 3 16:35:35 2010 us=439296 172.16.31.128:39961 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 3 16:35:35 2010 us=439371 172.16.31.128:39961 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 3 16:35:35 2010 us=439458 172.16.31.128:39961 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 3 16:35:35 2010 us=439484 172.16.31.128:39961 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 3 16:35:35 2010 us=442726 172.16.31.128:39961 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 3 16:35:35 2010 us=442809 172.16.31.128:39961 [juanmanuel] Peer Connection Initiated with 172.16.31.128:39961
Fri Sep 3 16:35:35 2010 us=442921 juanmanuel/172.16.31.128:39961 MULTI: Learn: 10.1.0.18 -> juanmanuel/172.16.31.128:39961
Fri Sep 3 16:35:35 2010 us=442950 juanmanuel/172.16.31.128:39961 MULTI: primary virtual IP for juanmanuel/172.16.31.128:39961: 10.1.0.18
Fri Sep 3 16:35:36 2010 us=450164 juanmanuel/172.16.31.128:39961 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 3 16:35:36 2010 us=450362 juanmanuel/172.16.31.128:39961 SENT CONTROL [juanmanuel]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.1.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.1.0.18 10.1.0.17' (status=1)

Another client:

Fri Sep 3 16:35:25 2010 us=963543 MULTI: multi_create_instance called
Fri Sep 3 16:35:25 2010 us=963693 172.16.31.132:33009 Re-using SSL/TLS context
Fri Sep 3 16:35:25 2010 us=963841 172.16.31.132:33009 LZO compression initialized
Fri Sep 3 16:35:25 2010 us=964431 172.16.31.132:33009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 3 16:35:25 2010 us=964467 172.16.31.132:33009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 3 16:35:25 2010 us=964576 172.16.31.132:33009 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Sep 3 16:35:25 2010 us=964600 172.16.31.132:33009 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Sep 3 16:35:25 2010 us=964689 172.16.31.132:33009 Local Options hash (VER=V4): '530fdded'
Fri Sep 3 16:35:25 2010 us=964721 172.16.31.132:33009 Expected Remote Options hash (VER=V4): '41690919'
Fri Sep 3 16:35:25 2010 us=964854 172.16.31.132:33009 TLS: Initial packet from 172.16.31.132:33009, sid=ac678f53 911d9e58
Fri Sep 3 16:35:26 2010 us=53783 172.16.31.132:33009 VERIFY OK: depth=1, /C=AR/ST=BS/L=CAMPANA/O=RESTAURACION/CN=RESTAURACION_CA/emailAddress=restaurador@restauradordeleyes.com.ar
Fri Sep 3 16:35:26 2010 us=54275 172.16.31.132:33009 VERIFY OK: depth=0, /C=AR/ST=BS/L=CAMPANA/O=RESTAURACION/CN=encarnacion/emailAddress=restaurador@restauradordeleyes.com.ar
Fri Sep 3 16:35:26 2010 us=76308 172.16.31.132:33009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 3 16:35:26 2010 us=76386 172.16.31.132:33009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 3 16:35:26 2010 us=76473 172.16.31.132:33009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 3 16:35:26 2010 us=76500 172.16.31.132:33009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 3 16:35:26 2010 us=80165 172.16.31.132:33009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 3 16:35:26 2010 us=80254 172.16.31.132:33009 [encarnacion] Peer Connection Initiated with 172.16.31.132:33009
Fri Sep 3 16:35:26 2010 us=80349 encarnacion/172.16.31.132:33009 MULTI: Learn: 10.1.0.14 -> encarnacion/172.16.31.132:33009
Fri Sep 3 16:35:26 2010 us=80377 encarnacion/172.16.31.132:33009 MULTI: primary virtual IP for encarnacion/172.16.31.132:33009: 10.1.0.14
Fri Sep 3 16:35:27 2010 us=92272 encarnacion/172.16.31.132:33009 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 3 16:35:27 2010 us=92441 encarnacion/172.16.31.132:33009 SENT CONTROL [encarnacion]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.1.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.1.0.14 10.1.0.13' (status=1)

Well, that's all for now. Next time I promise more theory.

This entry was posted in Redes, Seguridad.