Two-factor Authentication with PKCS#11
Private method for getting a PKCS#11 certificate
In this recipe we will configure OpenVPN to use a private certificate on a hardware token. Normally, the certificates stored on a hardware token are publicly accessible, as a certificate is 'public' anyway. Some tokens allow the user to protect the certificates, so that the token password is always needed to retrieve them. OpenVPN supports this kind of hardware token.
Getting ready
We use the following network layout:
Keep the hardware token from the first recipe at hand. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 12 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf from the Chapter 2 recipe Server-side routing at hand.
How to do it...
1. First, we store the certificate client2.crt and the corresponding private key client2.key on the token with protection (attribute CKA_PRIVATE) enabled. This is done using the pkcs11-tool command-line option --private:
$ openssl rsa -in client2.key -out client2key.der -outform der
$ pkcs11-tool --module /usr/lib64/libeTPkcs11.so \
    -w client2key.der --type privkey --login \
    --id 123456 --label "Client2"
$ openssl x509 -in client2.crt -out client2cert.der -outform der
$ pkcs11-tool --module /usr/lib64/libeTPkcs11.so \
    -w client2cert.der --type cert --login \
    --id 123456 --label "Client2" --private
2. Start the OpenVPN server using the configuration file 'basic-udp-server.conf':
[root@server]# openvpn --config basic-udp-server.conf
3. Next, create the client configuration file:
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca /etc/openvpn/cookbook/ca.crt
tls-auth /etc/openvpn/cookbook/ta.key 1
ns-cert-type server
pkcs11-providers /usr/lib64/libeTPkcs11.so
pkcs11-id 'Aladdin\x20Ltd\x2E/eToken/001a01a9/Cookbook/123456'
pkcs11-cert-private 1
And save it as example5-7-client.conf.
4. Start the client:
[root@client]# openvpn --config example5-7-client.conf
UDPv4 link local: [undef]
UDPv4 link remote: 194.171.96.27:1194
Enter Cookbook token Password:
[openvpnserver] Peer Connection Initiated with openvpnserver:1194
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 192.168.200.3/24 broadcast 192.168.200.255
Initialization Sequence Completed
After entering the hardware token password at the 'Enter Cookbook token Password:' prompt, the connection is established.
How it works...
The following directive tells OpenVPN to log in to the token before attempting to retrieve any information from it:
pkcs11-cert-private 1
This will allow OpenVPN to use the certificate and corresponding private key in a similar fashion to the Using a hardware token recipe.
There's more...
Each hardware token and PKCS#11 module provider has different security features, for example, PIN Pads and biometric devices. OpenVPN can deal with a variety of them using the following directives:
pkcs11-protected-authentication 1
pkcs11-private-mode <mask>
The first is used primarily for keypads and biometric devices. The second contains <mask>, which is encoded as a hexadecimal number consisting of the following:
0: try to determine automatically (this is the default)
1: use the sign operation on the card to access the private key
2: use the sign recover operation on the card to access the private key
4: use the decrypt operation on the card to access the private key
8: use the unwrap operation on the card to access the private key
This allows OpenVPN to access the private key when starting the SSL handshake with the remote VPN endpoint. Each hardware token and/or PKCS#11 module provider has its own setting.
See also
The recipe Using a hardware token mentioned earlier in this chapter explains the basic setup and interaction with a hardware token.
Pin caching example
By default, OpenVPN caches the hardware token password (or token PIN) for as long as the session lasts. In this recipe, we will configure OpenVPN to "forget" the token PIN after a certain period for even better security. The downside is that the client will fail to reconnect and will exit if it is restarted after this caching period.
Getting ready
We use the following network layout:
Keep the hardware token from the first recipe at hand. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 12 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf from the Chapter 2 recipe Server-side routing at hand.
How to do it...
1. Start the server using the configuration file 'basic-udp-server.conf':
[root@server]# openvpn --config basic-udp-server.conf
2. Next, create the client configuration file:
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca /etc/openvpn/cookbook/ca.crt
tls-auth /etc/openvpn/cookbook/ta.key 1
ns-cert-type server
pkcs11-providers /usr/lib64/libeTPkcs11.so
pkcs11-id 'Aladdin\x20Ltd\x2E/eToken/001a01a9/Cookbook/20100703'
pkcs11-pin-cache 300
The directive pkcs11-id and the serialized id Aladdin\x20… need to be specified on a single line. Save it as example5-8-client.conf.
3. Start the client:
[root@client]# openvpn --config example5-8-client.conf
[…]
Initialization Sequence Completed
The PIN code is now cached for 300 seconds. If we cause the OpenVPN client to restart within that period, then it will automatically reconnect.
4. First, we retrieve the process ID of the OpenVPN process and then we use the kill command to send a restart (USR1) signal:
[root@client]# ps -elf | grep '[o]penvpn'
4 S root 3647 3003 0 80 0 - 34458 poll_s 01:25 pts/1 00:00:00 openvpn --config example5-8-client.conf
[root@client]# kill -USR1 3647
The OpenVPN client log will show a successful reconnect. However, if the client is restarted after 300 seconds then the re-connect will fail and the client will terminate.
5. We wait for more than 300 seconds and then use the same kill command to restart the client:
[root@client]# kill -USR1 3647
The OpenVPN client log will now show:
…SIGUSR1[hard,] received, process restarting
…NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
…PKCS#11: Cannot get certificate object
…PKCS#11: Cannot get certificate object
…PKCS#11: Unable get rsa object
…Cannot load certificate "Aladdin\x20Ltd\x2E/eToken/001a01a9/Cookbook/20100703" using PKCS#11 interface
…Error: private key password verification failed
…Exiting
How it works...
The following directive tells OpenVPN to "forget" any cached PIN codes after N seconds:
pkcs11-pin-cache N
If the client needs to reconnect after that period, it will fail and exit.
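As an added example (not from the book), the following Python reads an OpenVPN client log and reports, for each SIGUSR1 restart, whether the client reconnected or died because the cached PIN had expired, which is the failure this recipe demonstrates. The log lines are constructed after the output shown above, with made-up timestamps and a placeholder pkcs11-id.

```python
import re

# Constructed OpenVPN client log, modelled on the output shown in this recipe, with
# made-up timestamps and a placeholder pkcs11-id: one restart inside the PIN cache
# window (reconnects) and one after it expired (client exits).
SAMPLE_LOG = """\
Sat Jul  3 01:25:10 2010 Initialization Sequence Completed
Sat Jul  3 01:27:00 2010 SIGUSR1[hard,] received, process restarting
Sat Jul  3 01:27:02 2010 Initialization Sequence Completed
Sat Jul  3 01:33:00 2010 SIGUSR1[hard,] received, process restarting
Sat Jul  3 01:33:00 2010 PKCS#11: Cannot get certificate object
Sat Jul  3 01:33:00 2010 Cannot load certificate "EXAMPLE-ID" using PKCS#11 interface
Sat Jul  3 01:33:00 2010 Error: private key password verification failed
Sat Jul  3 01:33:00 2010 Exiting
"""

RESTART = re.compile(r"SIGUSR1\[.*\] received, process restarting")
PKCS11_FAIL = re.compile(r"Cannot load certificate .* using PKCS#11 interface")

def classify_restarts(log_text):
    """Return one outcome per SIGUSR1 restart found in the log, in order."""
    outcomes = []
    pending = pkcs11_failed = False
    for line in log_text.splitlines():
        if RESTART.search(line):
            if pending:
                outcomes.append("unresolved")  # previous restart never finished
            pending, pkcs11_failed = True, False
        elif not pending:
            continue  # normal traffic before any restart
        elif "Initialization Sequence Completed" in line:
            outcomes.append("reconnected")
            pending = False
        elif PKCS11_FAIL.search(line):
            pkcs11_failed = True
        elif "private key password verification failed" in line and pkcs11_failed:
            # Certificate lookup failed and no PIN was available: the pkcs11-pin-cache
            # window had closed and OpenVPN could not log in to the token again.
            outcomes.append("pin-cache-expired")
            pending = False
        elif line.endswith("Exiting"):
            outcomes.append("exited")  # died for another reason
            pending = False
    if pending:
        outcomes.append("unresolved")
    return outcomes
```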
There's more...
When the PKCS#11 driver 'opensc-pkcs11.so' from the OpenSC package is used, it is convenient to add the following to the OpenVPN configuration file, even if no scripts are used:
script-security 2 system
There is a bug in OpenVPN up to 2.1.4 when this line is not present, which causes rekeying to fail. This means that the OpenVPN session will stop functioning after the rekeying interval, which is normally set to 1 hour. The above line is a work-around for this bug.
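As an added example (not from the book), the following Python lints the PKCS#11 directives of a client configuration for the two points raised in this chapter: it expands a pkcs11-private-mode mask into the operations listed in the previous recipe and rejects undefined bits, and it flags a configuration that loads opensc-pkcs11.so without the script-security work-around described above. The sample configuration is constructed with a placeholder pkcs11-id, and the mask parser assumes the hex value may be written with or without a '0x' prefix.

```python
# Constructed client config (not from the book): bad private-mode mask, opensc provider, no script-security.
SAMPLE_CONF = """\
client
remote openvpnserver.example.com 1194
dev tun
pkcs11-providers /usr/lib64/opensc-pkcs11.so
pkcs11-id 'EXAMPLE-SERIALIZED-ID'
pkcs11-private-mode 0x15
pkcs11-pin-cache 300
"""

# Bits of the pkcs11-private-mode mask as listed in the recipe; 0 means auto-detect.
PRIVATE_MODE_BITS = {1: "sign", 2: "sign recover", 4: "decrypt", 8: "unwrap"}

def decode_private_mode(mask_text):
    """Expand a hex mask ('0x' prefix optional, an assumption) into the selected operations."""
    mask = int(mask_text, 16)
    if mask == 0:
        return ["auto"]
    unknown = mask & ~sum(PRIVATE_MODE_BITS)
    if unknown:
        raise ValueError("pkcs11-private-mode has undefined bits: 0x%x" % unknown)
    return [name for bit, name in PRIVATE_MODE_BITS.items() if mask & bit]

def parse_directives(text):
    # Map directive name -> list of values, skipping blank and comment lines.
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip())
    return directives

def lint_pkcs11_config(text):
    """Return findings about the PKCS#11 directives of an OpenVPN client config."""
    d = parse_directives(text)
    findings = []
    for mask in d.get("pkcs11-private-mode", []):
        try:
            decode_private_mode(mask)
        except ValueError as exc:
            findings.append(str(exc))
    uses_opensc = any("opensc-pkcs11" in p for p in d.get("pkcs11-providers", []))
    levels = [int(v.split()[0]) for v in d.get("script-security", []) if v.split()]
    if uses_opensc and not any(level >= 2 for level in levels):
        # Recipe work-around: OpenVPN <= 2.1.4 fails to rekey with opensc-pkcs11.so unless script-security 2 is set.
        findings.append("opensc-pkcs11.so without 'script-security 2': rekeying may fail")
    return findings
```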
See also
The recipe Using a hardware token earlier in this chapter explains the basic setup and interaction with a hardware token.