Jan Just Keijser. OpenVPN 2 Cookbook (2011).pdf

Chapter 6: Scripting and Plugins

Absolute paths

Note that an absolute path is used for the script. Relative paths are allowed, but especially for the OpenVPN server it is more secure to use absolute paths: assuming that the OpenVPN server is always started in the same directory is bad security practice. An alternative is to use:

cd /etc/openvpn/cookbook
client-connect example6-3-connect.sh

Using a 'learn-address' script

This recipe will demonstrate how to set up a learn-address script that is executed on the server side when there is a change in the address of a connecting client. Learn-address scripts can be used to dynamically set up firewalling rules for specific clients or to adjust routing tables.

In this recipe, we will use a learn-address script to open up a firewall and to set up masquerading for a client. When the client disconnects, the firewall is closed again and the 'iptables' masquerading rule is removed.

Getting ready

Install OpenVPN 2.1 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2. In this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Windows XP SP3 and OpenVPN 2.1.1. For the client, keep the client configuration file basic-udp-client.ovpn from the Chapter 2 recipe Using an 'ifconfig-pool' block at hand.

How to do it...

1. Create the server configuration file:

proto udp
port 1194
dev tun

server 192.168.200.0 255.255.255.0
ca   /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key  /etc/openvpn/cookbook/server.key
dh   /etc/openvpn/cookbook/dh1024.pem
tls-auth /etc/openvpn/cookbook/ta.key 0

persist-key
persist-tun
keepalive 10 60

topology subnet

daemon
log-append /var/log/openvpn.log

script-security 2
learn-address /etc/openvpn/cookbook/example6-4-learn-address.sh

push "redirect-gateway def1"

Save it as example6-4-server.conf. Note that this server configuration file does not have the lines user nobody and group nobody (nor group nogroup).

2. Next, create the learn-address script:

#!/bin/bash
# $1 = action (add, update, delete)
# $2 = IP or MAC address of the client
# $3 = client common name

if [ "$1" = "add" ]
then
    /sbin/iptables -I FORWARD -i tun0 -s "$2" -j ACCEPT
    /sbin/iptables -I FORWARD -o tun0 -d "$2" -j ACCEPT
    /sbin/iptables -t nat -I POSTROUTING -s "$2" -o wlan0 -j MASQUERADE
elif [ "$1" = "delete" ]
then
    /sbin/iptables -D FORWARD -i tun0 -s "$2" -j ACCEPT
    /sbin/iptables -D FORWARD -o tun0 -d "$2" -j ACCEPT
    /sbin/iptables -t nat -D POSTROUTING -s "$2" -o wlan0 -j MASQUERADE
fi

Save this file as example6-4-learn-address.sh.

3. Make sure the script is executable and start the OpenVPN server:

[root@server]# chmod 755 example6-4-learn-address.sh
[root@server]# openvpn --config example6-4-server.conf


4. Start the client using the Windows GUI with the basic configuration file.

5. After the client connects to the server, check the 'iptables' firewall rules on the server:

[root@server]# iptables -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 4612K packets, 1761M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            192.168.200.2
    0     0 ACCEPT     all  --  tun0   *       192.168.200.2        0.0.0.0/0

[root@server]# iptables -t nat -L POSTROUTING -n -v
Chain POSTROUTING (policy ACCEPT 336K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      wlan0   192.168.200.2        0.0.0.0/0

6. Disconnect the client, wait for a few minutes, and then verify that the 'iptables' rules have been removed.

How it works...

When a client connects to the OpenVPN server or disconnects from it, the OpenVPN server executes the learn-address script with several command-line arguments:

$1: Action (add, update, or delete).

$2: IP or MAC address. For tun-based networks, this is the client IP address; for tap-based networks, it is the client's (virtual) MAC address.

$3: Client common name.


In this recipe, the learn-address script is used to open the firewall for the connecting client and to set up a masquerading rule for it, so that the client can reach the other machines on the server-side LAN.

There's more...

The following sections give some details on the user nobody directive and on the update action of the learn-address script.

User 'nobody'

As stated earlier, this server configuration does not include the following lines:

user nobody
group nobody

(or group nogroup on some Linux distributions). If these lines were present, the OpenVPN server process would run as user nobody. This user does not have the rights required to open and close firewall ports using 'iptables', so the lines were left out in this example.

The 'update' action

The learn-address script is also called when the OpenVPN server detects an address change on the client side. This happens most often in a 'TAP'-based network when an external DHCP server is used. The learn-address script can then adjust routing tables or firewall rules based on the new client IP address.
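The following is an added example, not the book's script: a learn-address hook that checks its arguments before handing them to iptables and handles the add, update and delete actions described above, treating update as a refresh of the rules for that address. The tun0 and wlan0 interface names are taken from the recipe; IPTABLES, TUN_DEV and WAN_DEV are assumed override variables, and IPTABLES=echo gives a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the book's script: a learn-address hook that validates
# its arguments before they reach iptables and handles all three actions.
# OpenVPN passes $1 = action (add|update|delete), $2 = address, $3 = common
# name (absent for delete); a non-zero exit rejects the address. tun0/wlan0
# are the recipe's interfaces; IPTABLES, TUN_DEV, WAN_DEV are assumed
# override variables (IPTABLES=echo gives a dry run).

valid_ipv4() {
    # Dotted quad only: digits and dots, exactly four octets, each <= 255.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

apply_rules() {
    # $1 is -I (insert) or -D (delete); $2 is the already validated address.
    ipt=${IPTABLES:-/sbin/iptables}
    $ipt "$1" FORWARD -i "${TUN_DEV:-tun0}" -s "$2" -j ACCEPT &&
    $ipt "$1" FORWARD -o "${TUN_DEV:-tun0}" -d "$2" -j ACCEPT &&
    $ipt -t nat "$1" POSTROUTING -s "$2" -o "${WAN_DEV:-wlan0}" -j MASQUERADE
}

learn_address() {
    action=$1 addr=$2 cn=${3:-none}
    # A tap-mode MAC address or any malformed value must never be spliced
    # into a firewall command: refuse it, which also rejects the address.
    if ! valid_ipv4 "$addr"; then
        echo "learn-address: rejecting address '$addr' (cn=$cn)" >&2
        return 1
    fi
    # 'update' re-associates a known address; the rules are keyed on the
    # address alone, so refresh them instead of stacking a duplicate set.
    case $action in
        add)    apply_rules -I "$addr" ;;
        update) apply_rules -D "$addr" 2>/dev/null || true
                apply_rules -I "$addr" ;;
        delete) apply_rules -D "$addr" ;;
        *)      echo "learn-address: unknown action '$action'" >&2
                return 1 ;;
    esac
}
# Dispatch only when OpenVPN invokes the script with arguments.
[ $# -eq 0 ] || learn_address "$@"
```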

Using a 'tls-verify' script

OpenVPN has several layers at which the credentials of a connecting client are verified. It is even possible to add a custom layer to the verification process by specifying a tls-verify script. In this recipe, we will demonstrate how such a script can be used to allow access only for a particular certificate.

Getting ready

Install OpenVPN 2.1 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Windows 2000 and OpenVPN 2.1.1. Keep the client configuration file, basic-udp-client.ovpn, from the Chapter 2 recipe Using an 'ifconfig-pool' block at hand.


How to do it...

1. Create the server configuration file:

proto udp
port 1194
dev tun

server 192.168.200.0 255.255.255.0
ca   /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key  /etc/openvpn/cookbook/server.key
dh   /etc/openvpn/cookbook/dh1024.pem
tls-auth /etc/openvpn/cookbook/ta.key 0

persist-key
persist-tun
keepalive 10 60

topology subnet

user  nobody
group nobody  # nogroup on some distros

daemon
log-append /var/log/openvpn.log

script-security 2
tls-verify /etc/openvpn/cookbook/example6-5-tls-verify.sh

Save it as example6-5-server.conf.

2. Next, create the tls-verify script:

#!/bin/bash
# $1 = certificate depth (0 = the client certificate itself)
# $2 = X.509 subject of the certificate being verified
[ $# -lt 2 ] && exit 1

# if the depth is non-zero, continue processing
[ "$1" -ne 0 ] && exit 0

allowed_cns=`sed 's/ /_/g' $0.allowed`
for i in $allowed_cns
do
    [ "$2" = "$i" ] && exit 0
done

# catch-all
exit 1

Save this file as example6-5-tls-verify.sh.

3. Make sure the script is executable:

[root@server]# chmod 755 example6-5-tls-verify.sh

4. Finally, create the list of allowed certificates:

[root@server]# echo "/C=NL/O=Cookbook/CN=openvpnclient1/emailAddress=openvpn-ca@cookbook.example.com" > /etc/openvpn/cookbook/example6-5-tls-verify.sh.allowed

Note that this is a one-line command.

5. Start the OpenVPN server:

[root@server]# openvpn --config example6-5-server.conf

6. Start the client with the Windows GUI using the basic configuration file. The client should be able to connect normally.

7. Now, on the OpenVPN server, remove the file /etc/openvpn/cookbook/example6-5-tls-verify.sh.allowed and reconnect. This time the server log will show the following:

CN not found in /etc/openvpn/cookbook/example6-5-tls-verify.sh.allowed, denying access

openvpnclient1:9007 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

openvpnclient1:9007 TLS Error: TLS object -> incoming plaintext read error

openvpnclient1:9007 TLS Error: TLS handshake failed

This means that the client is denied access by the OpenVPN server.
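As an added example that is not the book's script, here is the same check written to fail closed: it denies when the allowed list is missing or unreadable, compares the subject against whole lines instead of whitespace-separated words, and logs its decision to stderr so the server log records why a client was refused. It keeps the recipe's $0.allowed file layout and subject format; ALLOWED_FILE is an assumed override variable.

```shell
#!/bin/sh
# Added example, not the book's script: a tls-verify hook that fails closed.
# OpenVPN calls it once per certificate in the client's chain with
# $1 = depth (0 is the client's own certificate) and $2 = the X.509 subject,
# spaces replaced by underscores. Exit 0 accepts, non-zero rejects.
# The list path defaults to <script>.allowed as in the recipe; ALLOWED_FILE
# is an assumed override variable.

tls_verify() {
    depth=$1 subject=$2 allowed=$3
    # Missing depth or subject: deny rather than guess.
    if [ -z "$depth" ] || [ -z "$subject" ]; then
        echo "tls-verify: missing depth or subject, denying access" >&2
        return 1
    fi
    # Only the leaf certificate (depth 0) is checked against the list; the
    # CA chain above it has already been validated by OpenVPN itself.
    [ "$depth" -ne 0 ] && return 0
    # An unreadable or missing list denies everyone instead of silently
    # allowing, and the reason is logged so the server log explains it.
    if [ ! -r "$allowed" ]; then
        echo "tls-verify: cannot read $allowed, denying $subject" >&2
        return 1
    fi
    # Exact whole-line, fixed-string match: no regex or glob metacharacter in
    # a subject can widen the match, and a prefix of an allowed entry fails.
    if sed 's/ /_/g' "$allowed" | grep -Fxq -- "$subject"; then
        echo "tls-verify: allowed $subject" >&2
        return 0
    fi
    echo "tls-verify: $subject not found in $allowed, denying access" >&2
    return 1
}

# Dispatch only when OpenVPN invokes the script with arguments.
[ $# -eq 0 ] || tls_verify "$1" "$2" "${ALLOWED_FILE:-$0.allowed}"
```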
