=== modified file 'serverguide/C/vpn.xml'
--- serverguide/C/vpn.xml	2017-10-29 16:47:30 +0000
+++ serverguide/C/vpn.xml	2018-08-17 17:24:40 +0000
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
 	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
 <!ENTITY % globalent SYSTEM "../../libs/global.ent">
 %globalent;
@@ -11,7 +11,7 @@
   <title>VPN</title>
 
   <para>
-OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs). This chapter will cover 
+OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, reliable and secure. It belongs to the family of SSL/TLS VPN stacks (different from IPSec VPNs). This chapter will cover
 installing and configuring <application>OpenVPN</application> to create a VPN.
   </para>
 
@@ -22,7 +22,7 @@
     If you want more than just pre-shared keys <application>OpenVPN</application>  makes it easy to setup and use a Public Key Infrastructure (PKI)
     to use SSL/TLS certificates for authentication and key exchange
     between the VPN server and clients.
-    <application>OpenVPN</application> can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers. 
+    <application>OpenVPN</application> can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP. The port number can be configured as well, but port 1194 is the official one. And it is only using that single port for all communication. VPN client implementations are available for almost anything including all Linux distributions, OS X, Windows and OpenWRT based WLAN routers.
     </para>
 
     <sect2 id="openvpn-server-installation" status="review">
@@ -65,8 +65,8 @@
 
       <para>
 To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
-        first copy the <filename>easy-rsa</filename> directory to <filename>/etc/openvpn</filename>.  This will ensure that any 
-        changes to the scripts will not be lost when the package is updated. 
+        first copy the <filename>easy-rsa</filename> directory to <filename>/etc/openvpn</filename>.  This will ensure that any
+        changes to the scripts will not be lost when the package is updated.
         From a terminal change to user root and:
         </para>
 
@@ -141,7 +141,7 @@
         <title>Client Certificates</title>
 
         <para>
-        The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the 
+        The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the
         certificate, enter the following in a terminal while being user root:
         </para>
 
@@ -381,7 +381,7 @@
 
 <programlisting>
 root@client:/etc/openvpn# ifconfig tun0
-tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
+tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
 </programlisting>
@@ -585,100 +585,72 @@
       <sect4 id="openvpn-bridged-server-configuration-interface" status="review">
 <title>Prepare interface config for bridging on server</title>
 
-      <para>
-      Make sure you have the bridge-utils package installed:
-      </para>
-<screen>
-<command>sudo apt install bridge-utils</command>
-</screen>
-
-        <para>
-Before you setup OpenVPN in bridged mode you need to change your interface configuration. Let's assume your server has an interface eth0 connected to the internet and an interface eth1 connected to the LAN you want to bridge. Your /etc/network/interfaces would like this:
-        </para>
-
-<programlisting>
-auto eth0
-iface eth0 inet static
-  address 1.2.3.4
-  netmask 255.255.255.248
-  default 1.2.3.1
-
-auto eth1
-iface eth1 inet static
-  address 10.0.0.4
-  netmask 255.255.255.0
-</programlisting>
-
-        <para>
-This straight forward interface config needs to be changed into a bridged mode like where the config of interface eth1 moves to the new br0 interface. Plus we configure that br0 should bridge interface eth1. We also need to make sure that interface eth1 is always in promiscuous mode - this tells the interface to forward all ethernet frames to the IP stack.
-        </para>
-
-<programlisting>
-auto eth0
-iface eth0 inet static
-  address 1.2.3.4
-  netmask 255.255.255.248
-  default 1.2.3.1
-
-auto eth1
-iface eth1 inet manual
-  up ip link set $IFACE up promisc on
-
-auto br0
-iface br0 inet static
-  address 10.0.0.4
-  netmask 255.255.255.0
-  bridge_ports eth1
-</programlisting>
-
-        <para>
-At this point you need to bring up the bridge. Be prepared that this might not work as expected and that you will lose remote connectivity. Make sure you can solve problems having local access.
-        </para>
-<screen>
-<command>sudo ifdown eth1 &amp;&amp; sudo ifup -a</command>
-</screen>
+<para>First, use netplan to configure a bridge device using the desired ethernet
+device.</para>
+
+<programlisting>
+$ cat /etc/netplan/01-netcfg.yaml
+# This file describes the network interfaces available on your system
+# For more information, see netplan(5).
+
+network:
+    version: 2
+    renderer: networkd
+    ethernets:
+        enp0s31f6:
+            dhcp4: no
+    bridges:
+        br0:
+            interfaces: [enp0s31f6]
+            dhcp4: no
+            addresses: [10.0.1.100/24]
+            gateway4: 10.0.1.1
+            nameservers:
+                addresses: [10.0.1.1]
+</programlisting>
+
+<para>Static IP addressing is highly suggested. DHCP addressing can also work,
+but you will still have to encode a static address in the OpenVPN configuration file.</para>
+
+<para>The next step on the server is to configure the ethernet device for
+promiscuous mode on boot. To do this, ensure the
+<application>networkd-dispatcher</application> package is installed and create
+the following configuration script.</para>
+
+<screen>
+<command>sudo apt update</command>
+<command>sudo apt install networkd-dispatcher</command>
+<command>sudo touch /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge</command>
+<command>sudo chmod +x /usr/lib/networkd-dispatcher/dormant.d/promisc_bridge</command>
+</screen>
+
+<para>Then add the following contents.</para>
+
+<programlisting>
+#!/bin/sh
+set -e
+if [ "$IFACE" = br0 ]; then
+    # no networkd-dispatcher event for 'carrier' on the physical interface
+    ip link set eth0 up promisc on
+fi
+</programlisting>
 
 </sect4>
       <sect4 id="openvpn-bridged-server-configuration-server" status="review">
 <title>Prepare server config for bridging</title>
 
         <para>
-        Edit <filename>/etc/openvpn/server.conf</filename> changing the following options to:
+        Edit <filename>/etc/openvpn/server.conf</filename> to use tap rather than tun and set the server to use the server-bridge directive:
         </para>
 
 <programlisting>
 ;dev tun
 dev tap
-up "/etc/openvpn/up.sh br0 eth1"
 ;server 10.8.0.0 255.255.255.0
 server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254
 </programlisting>
 
         <para>
-        Next, create a helper script to add the <emphasis>tap</emphasis> interface to the bridge and to ensure that eth1 is promiscuous mode. Create <filename>/etc/openvpn/up.sh</filename>:
-        </para>
-
-<programlisting>
-#!/bin/sh
-
-BR=$1
-ETHDEV=$2
-TAPDEV=$3
-
-/sbin/ip link set "$TAPDEV" up
-/sbin/ip link set "$ETHDEV" promisc on
-/sbin/brctl addif $BR $TAPDEV
-</programlisting>
-
-        <para>
-        Then make it executable:
-        </para>
-
-<screen>
-<command>sudo chmod 755 /etc/openvpn/up.sh</command>
-</screen>
-
-        <para>
         After configuring the server, restart <application>openvpn</application> by entering:
         </para>
 
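Review bot: after this hunk nothing attaches OpenVPN's tap interface to br0. The deleted `up "/etc/openvpn/up.sh br0 eth1"` line and the deleted `/sbin/brctl addif $BR $TAPDEV` in up.sh were what enrolled the tap device into the bridge; the replacement netplan stanza only lists `interfaces: [enp0s31f6]`, and the tap device OpenVPN creates at runtime is not covered by it, so a `dev tap` server will start but clients will not reach the LAN. Suggest keeping an `up` script that runs `ip link set "$1" master br0` (OpenVPN passes the device name as the first argument), or documenting a persistent tap created with `openvpn --mktun --dev tap0` and listed alongside the ethernet device under `interfaces:`. The same hunk also mixes two naming and addressing schemes: the dispatcher script sets `eth0` promiscuous while the bridge is built from `enp0s31f6`, and the `server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254` line still uses the old 10.0.0.0/24 range while br0 is now `10.0.1.100/24` with gateway `10.0.1.1`; pick one interface name and one subnet for the whole section so the pool actually lies on the bridged network. Finally, the text never says how to activate the new netplan file (`sudo netplan apply`), and the removed warning that bringing up the bridge can cost you remote connectivity is still relevant and worth carrying over.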
@@ -699,7 +671,7 @@
 </screen>
 
         <para>
-        Then with the server configured and the client certificates copied to the <filename>/etc/openvpn/</filename> directory, create a client configuration file by 
+        Then with the server configured and the client certificates copied to the <filename>/etc/openvpn/</filename> directory, create a client configuration file by
         copying the example.  In a terminal on the client machine enter:
         </para>
 
@@ -743,7 +715,7 @@
 
     <para>
 Many Linux distributions including Ubuntu desktop variants come with Network Manager,
-a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well: 
+a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well:
     </para>
 
 <programlisting>
@@ -927,12 +899,12 @@
         </listitem>
         <listitem>
           <para>
-          <ulink url="http://openvpn.net/index.php/open-source/documentation/howto.html#security">OpenVPN hardening security guide</ulink> 
+          <ulink url="http://openvpn.net/index.php/open-source/documentation/howto.html#security">OpenVPN hardening security guide</ulink>
           </para>
         </listitem>
         <listitem>
           <para>
-          Also, Pakt's <ulink url="http://www.packtpub.com/openvpn/book">OpenVPN: Building and Integrating Virtual Private Networks</ulink> 
+          Also, Pakt's <ulink url="http://www.packtpub.com/openvpn/book">OpenVPN: Building and Integrating Virtual Private Networks</ulink>
           is a good resource.
           </para>
         </listitem>
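Review bot: while this line is being touched for whitespace, `Pakt's` should read `Packt's` to match the publisher name in the linked URL (packtpub.com).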

