*

Thursday, 21 July 2016

Hardened OpenVPN Server on Debian 8

Prerequisites

This tutorial assumes you have the following:
  • One fresh Debian 8.1 Droplet
  • A root user

Step 1 — Install OpenVPN

Before installing any packages, update the apt package index.
  • apt-get update
Now, we can install the OpenVPN server along with easy-RSA for encryption.
  • apt-get install openvpn easy-rsa

Step 2 — Configure OpenVPN

The example VPN server configuration file needs to be extracted to /etc/openvpn so we can incorporate it into our setup. This can be done with one command:
  • gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Once extracted, open the server configuration file using nano or your favorite text editor.
  • nano /etc/openvpn/server.conf
In this file, we will need to make four changes (each will be explained in detail):
  1. Secure server with higher-level encryption
  2. Forward web traffic to destination
  3. Prevent DNS requests from leaking outside the VPN connection
  4. Setup permissions
First, we'll double the RSA key length used when generating server and client keys. After the main comment block and several more chunks, search for the line that reads:
/etc/openvpn/server.conf
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
Change dh1024.pem to dh2048.pem, so that the line now reads:
/etc/openvpn/server.conf
dh  dh2048.pem
Second, we'll make sure to redirect all traffic to the proper location. Still in server.conf, scroll past more comment blocks, and look for the following section:
/etc/openvpn/server.conf
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
Uncomment push "redirect-gateway def1 bypass-dhcp" so the VPN server passes on clients' web traffic to its destination. It should look like this when done:
/etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"
Third, we will tell the server to use OpenDNS for DNS resolution where possible. This can help prevent DNS requests from leaking outside the VPN connection. Immediately after the previously modified block, edit the following:
/etc/openvpn/server.conf
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
Uncomment push "dhcp-option DNS 208.67.222.222" and push "dhcp-option DNS 208.67.220.220". It should look like this when done,extra security add cipher and auth.
/etc/openvpn/server.conf
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
cipher AES-256-CBC
auth SHA256
Next, find the HMAC section by looking for the tls-auth directive. Remove the ";" to uncomment the tls-auth line. Below this, add the key-direction parameter set to "0":
/etc/openvpn/server.conf
tls-auth ta.key 0 # This file is secret
key-direction 0
Fourth, we will define permissions in server.conf:
/etc/openvpn/server.conf
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup
Uncomment both user nobody and group nogroup. It should look like this when done:
/etc/openvpn/server.conf
user nobody
group nogroup
By default, OpenVPN runs as the root user and thus has full root access to the system. We'll instead confine OpenVPN to the user nobody and group nogroup. This is an unprivileged user with no default login capabilities, often reserved for running untrusted applications like web-facing servers.
Now save your changes and exit.
OR
Username/pass verify insert following line. Don;t Uncomment both user nobody and group nogroup if use this type verify 
/etc/openvpn/server.conf
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name

Step 3 — Enable Packet Forwarding

In this section, we will tell the server's kernel to forward traffic from client services out to the Internet. Otherwise, the traffic will stop at the server.
Enable packet forwarding during runtime by entering this command:
  • echo 1 > /proc/sys/net/ipv4/ip_forward
Next, we'll need to make this permanent so that this setting persists after a server reboot. Open the sysctlconfiguration file using nano or your favorite text editor.
  • nano /etc/sysctl.conf
Near the top of the sysctl file, you will see:
/etc/openvpn/server.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
Uncomment net.ipv4.ip_forward. It should look like this when done:
/etc/openvpn/server.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Save your changes and exit.

Step 4 — Install and Configure ufw

UFW is a front-end for IPTables. We only need to make a few rules and configuration edits. Then we will switch the firewall on. As a reference for more uses for UFW, see How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.
First, install the ufw package.
  • apt-get install ufw
Second, set UFW to allow SSH:
  • ufw allow ssh
This tutorial will use OpenVPN over UDP, so UFW must also allow UDP traffic over port 1194.
  • ufw allow 1194/udp
The UFW forwarding policy needs to be set as well. We'll do this in the primary configuration file.
  • nano /etc/default/ufw
Look for the following line:
/etc/default/ufw
DEFAULT_FORWARD_POLICY="DROP"
This must be changed from DROP to ACCEPT. It should look like this when done:
/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Save and exit.
Next we will add additional UFW rules for network address translation and IP masquerading of connected clients.
  • nano /etc/ufw/before.rules
Next, add the area in red for OPENVPN RULES:
/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
Save and exit.
With the changes made to UFW, we can now enable it. Enter into the command prompt:
  • ufw enable
Enabling UFW will return the following prompt:
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Answer y. The result will be this output:
Firewall is active and enabled on system startup
To check UFW's primary firewall rules:
  • ufw status
The status command should return these entries:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
1194/udp (v6)              ALLOW       Anywhere (v6)

Step 5 — Configure and Build the Certificate Authority

OpenVPN uses certificates to encrypt traffic.
In this section, we will setup our own Certificate Authority (CA) in two steps: (1) setup variables and (2) generate the CA.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. We will use Easy RSA's scripts to do this.
First copy over the Easy-RSA generation scripts.
  • cp -r /usr/share/easy-rsa/ /etc/openvpn
Then, create a directory to house the key.
  • mkdir /etc/openvpn/easy-rsa/keys
Next, we will set parameters for our certificate. Open the variables file using nano or your favorite text editor.
  • nano /etc/openvpn/easy-rsa/vars
The variables below marked in red should be changed according to your preference.
/etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="sammy@example.com"
export KEY_OU="MYOrganizationalUnit"
In the same vars file, also edit this one line shown below. For simplicity, we will use server as the key name. If you want to use a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt.
Below, in the same file, we will specify the correct certificate. Look for the line, right after the previously modified block that reads
/etc/openvpn/easy-rsa/vars
# X509 Subject Field
export KEY_NAME="EasyRSA"
Change KEY_NAME's default value of EasyRSA to your desired server name. This tutorial will use the nameserver.
/etc/openvpn/easy-rsa/vars
# X509 Subject Field
export KEY_NAME="server"
Save and exit.
Next, we will generate the Diffie-Helman parameters using a built-in OpenSSL tool called dhparam; this may take several minutes.
The -out flag specifies where to save the new parameters.
  • openssl dhparam -out /etc/openvpn/dh2048.pem 2048
Our certificate is now generated, and it's time to generate a key.
First, we will switch into the easy-rsa directory.
  • cd /etc/openvpn/easy-rsa
Now, we can begin setting up the CA itself. First, initialize the Public Key Infrastructure (PKI).
Pay attention to the dot (.) and space in front of ./vars command. That signifies the current working directory (source).
  • . ./vars
The following warning will be printed. Do not worry, as the directory specified in the warning is empty. NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys.
Next, we'll clear all other keys that may interfere with our installation.
  • ./clean-all
Finally, we will build the CA using an OpenSSL command. This command will prompt you for a confirmation of "Distinguished Name" variables that were entered earlier. Press ENTER to accept existing values.
  • ./build-ca
Press ENTER to pass through each prompt since you just set their values in the vars file.
The Certificate Authority is now setup.

Afterwards, we can generate an HMAC signature to strengthen the server's TLS integrity verification capabilities:
  • openvpn --genkey --secret keys/ta.key

Step 6 — Generate a Certificate and Key for the Server

In this section, we will setup and launch our OpenVPN server.
First, still working from /etc/openvpn/easy-rsa, build your key with the server name. This was specified earlier as KEY_NAME in your configuration file. The default for this tutorial is server.
  • ./build-key-server server
Again, output will ask for confirmation of the Distinguished Name. Hit ENTER to accept defined, default values. This time, there will be two additional prompts.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Both should be left blank, so just press ENTER to pass through each one.
Two additional queries at the end require a positive (y) response:
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
You will then be prompted with the following, indicating success.
Output
Write out database with 1 new entries Data Base Updated

Step 7 — Move the Server Certificates and Keys

We will now copy the certificate and key to /etc/openvpn, as OpenVPN will search in that directory for the server's CA, certificate, and key.
  • cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
You can verify the copy was successful with:
  • ls /etc/openvpn
You should see the certificate and key files for the server.
At this point, the OpenVPN server is ready to go. Start it and check the status.
  • service openvpn start
  • service openvpn status
The status command will return something to the following effect:
Output
* openvpn.service - OpenVPN service Loaded: loaded (/lib/systemd/system/openvpn.service; enabled) Active: active (exited) since Thu 2015-06-25 02:20:18 EDT; 9s ago Process: 2505 ExecStart=/bin/true (code=exited, status=0/SUCCESS) Main PID: 2505 (code=exited, status=0/SUCCESS)
Most importantly, from the output above, you should find Active: active (exited) since... instead ofActive: inactive (dead) since....
Your OpenVPN server is now operational. If the status message says the VPN is not running, then take a look at the /var/log/syslog file for errors such as:
Options error: --key fails with 'server.key': No such file or directory
That error indicates server.key was not copied to /etc/openvpn correctly. Re-copy the file and try again.

Step 8 — Generate Certificates and Keys for Clients

So far we've installed and configured the OpenVPN server, created a Certificate Authority, and created the server's own certificate and key. In this step, we use the server's CA to generate certificates and keys for each client device which will be connecting to the VPN.

Key and Certificate Building

It's ideal for each client connecting to the VPN to have its own unique certificate and key. This is preferable to generating one general certificate and key to use among all client devices.
Note: By default, OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key. (See duplicate-cn in /etc/openvpn/server.conf.)
To create separate authentication credentials for each device you intend to connect to the VPN, you should complete this step for each device, but change the name client1 below to something different such asclient2 or iphone2. With separate credentials per device, they can later be deactivated at the server individually, if need be. The remaining examples in this tutorial will use client1 as our example client device's name.
As we did with the server's key, now we build one for our client1 example. You should still be working out of/etc/openvpn/easy-rsa.
  • ./build-key client1
Once again, you'll be asked to change or confirm the Distinguished Name variables and these two prompts which should be left blank. Press ENTER to accept the defaults.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
As before, these two confirmations at the end of the build process require a (y) response:
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
You will then receive the following output, confirming successful key build.
Write out database with 1 new entries.
Data Base Updated
Then, we'll copy the generated key to the Easy-RSA keys directory that we created earlier. Note that we change the extension from .conf to .ovpn. This is to match convention.
  • cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
You can repeat this section again for each client, replacing client1 with the appropriate client name throughout.
Note: The name of your duplicated client.ovpn doesn't need to be related to the client device. The client-side OpenVPN application will use the filename as an identifier for the VPN connection itself. Instead, you should duplicate client.ovpn to whatever you want the VPN's name tag to be in your operating system. For example: work.ovpn will be identified as workschool.ovpn as school, etc.
We need to modify each client file to include the IP address of the OpenVPN server so it knows what to connect to. Open client.ovpn using nano or your favorite text editor.
  • nano /etc/openvpn/easy-rsa/keys/client.ovpn
First, edit the line starting with remote. Change my-server-1 to your_server_ip.
/etc/openvpn/easy-rsa/keys/client.ovpn
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your_server_ip 1194
auth-user-pass #add this line if apply username/pass verify
Next, find the area shown below and uncomment user nobody and group nogroup, just like we did inserver.conf in Step 1. Note: This doesn't apply to Windows so you can skip it. It should look like this when done:
*if apply username/pass method don't uncomment it.
/etc/openvpn/easy-rsa/keys/client.ovpn
# Downgrade privileges after initialization (non-Windows only)
user nobody
group no group
Finally, add the key-direction directive somewhere in the file. This should be set to "1" to work with the server:
~/client-configs/base.conf
key-direction 1
Get cilent.ovpn config from server via filezilla 


No comments:

Post a Comment