Site-to-Site-VPN-SSL-Openvpn-Client: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) (→Status) |
||
| (16 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 10: | Zeile 10: | ||
**SSL | **SSL | ||
***Neue SSL-Verbindung | ***Neue SSL-Verbindung | ||
| − | [[Datei:Site-to-Site-VPN-SSL-Sophos- | + | [[Datei:Site-to-Site-VPN-SSL-Sophos-11.png|300px]] |
| + | |||
==Client Konfigurartion runter laden== | ==Client Konfigurartion runter laden== | ||
| − | [[Datei:Site-to-Site-VPN-SSL-Sophos- | + | [[Datei:Site-to-Site-VPN-SSL-Sophos-12.png|500px]] |
=Auf dem Openvpn Client= | =Auf dem Openvpn Client= | ||
==Einrichten== | ==Einrichten== | ||
*apt-get install openvpn | *apt-get install openvpn | ||
| + | hostname.apc auf den openvpn-client kopieren | ||
| + | ==1. Block== | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | -----END CERTIFICATE----- | ||
| + | in die Datei client.crt kopieren | ||
| + | |||
| + | ==2. Block== | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | -----END CERTIFICATE----- | ||
| + | in die Datei ca.crt kopieren | ||
| + | |||
| + | ==3. Block== | ||
| + | -----BEGIN PRIVATE KEY----- | ||
| + | -----END PRIVATE KEY----- | ||
| + | in die Datei client.key kopieren | ||
| + | |||
| + | ==Benutzername und Passwort exportieren== | ||
| + | |||
| + | Die Sophos UTM verwendet des weiteren auch noch einen Benutzernamen und ein Passwort für die Verbindung. Auch diese zwei Komponenten können wir aus der Konfigurationsdatei auslesen. | ||
| + | |||
| + | Die Einträge befinden sich am Ende unterhalb des Private Keys. Vor dem Eintrag username findet sich der Benutzername und vor password das dazugehörige Passwort. | ||
| + | |||
| + | Hinweis: Bei manchen Konfiguration findet sich vor dem Passwort bzw. dem Benutzernamen noch eine Klammer. Diese darf nicht mit kopiert werden, da sie nicht zum Kennwort zählt. | ||
| + | |||
| + | |||
| + | Aus unserem Beispiel ergeben sich folgende Zugangsdaten: | ||
| + | |||
| + | ^KREF_AaaUse2^H^@^@^@username^A�^F^@^@-----BEGIN PRIVATE KEY----- | ||
| + | ^KAES-128-CBC^T^@^@^@encryption_algorithm^H~A^K^@^@^@compression | ||
| + | ,REF_SSLSERSSLSERVERF0000ref_sslsersslserverf^H^@^@^@password | ||
| + | |||
| + | |||
| + | Benutzername: REF_AaaUse2 | ||
| + | Passwort: REF_SSLSERSSLSERVERF0000ref_sslsersslserverf | ||
| + | |||
| + | ==user.creds== | ||
| + | REF_AaaUse2 | ||
| + | REF_SSLSERSSLSERVERF0000ref_sslsersslserverf | ||
| + | ==kopieren der Daten== | ||
| + | *mkdir /etc/openvpn/certs | ||
| + | *cp ca.crt client.key client.crt user.creds /etc/openvpn/certs/ | ||
| + | ==/etc/openvpn/server.conf== | ||
| + | <pre> | ||
| + | client | ||
| + | dev tun | ||
| + | proto tcp | ||
| + | hand-window 30 | ||
| + | port 4443 | ||
| + | remote sophos30 | ||
| + | resolv-retry infinite | ||
| + | nobind | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | ca /etc/openvpn/certs/ca.crt | ||
| + | cert /etc/openvpn/certs/client.crt | ||
| + | key /etc/openvpn/certs/client.key | ||
| + | cipher AES-128-CBC | ||
| + | auth SHA1 | ||
| + | comp-lzo | ||
| + | route-delay 4 | ||
| + | verb 3 | ||
| + | reneg-sec 0 | ||
| + | auth-user-pass /etc/openvpn/certs/user.creds | ||
| + | </pre> | ||
| + | ==Test== | ||
| + | *openvpn --config server.conf | ||
| + | <pre> | ||
| + | Sat Sep 17 17:36:01 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016 | ||
| + | Sat Sep 17 17:36:01 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08 | ||
| + | Sat Sep 17 17:36:01 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. | ||
| + | Sat Sep 17 17:36:01 2016 Socket Buffers: R=[87380->131072] S=[16384->131072] | ||
| + | Sat Sep 17 17:36:01 2016 Attempting to establish TCP connection with [AF_INET]192.168.242.81:4443 [nonblock] | ||
| + | Sat Sep 17 17:36:02 2016 TCP connection established with [AF_INET]192.168.242.81:4443 | ||
| + | Sat Sep 17 17:36:02 2016 TCPv4_CLIENT link local: [undef] | ||
| + | Sat Sep 17 17:36:02 2016 TCPv4_CLIENT link remote: [AF_INET]192.168.242.81:4443 | ||
| + | Sat Sep 17 17:36:02 2016 TLS: Initial packet from [AF_INET]192.168.242.81:4443, sid=b9181f79 dde058a4 | ||
| + | Sat Sep 17 17:36:02 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this | ||
| + | Sat Sep 17 17:36:02 2016 VERIFY OK: depth=1, C=de, L=zweibruecken, O=xinux, CN=xinux VPN CA, emailAddress=david.mueller@xinux.de | ||
| + | Sat Sep 17 17:36:02 2016 VERIFY OK: depth=0, C=de, L=zweibruecken, O=xinux, CN=sophos30, emailAddress=david.mueller@xinux.de | ||
| + | Sat Sep 17 17:36:03 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key | ||
| + | Sat Sep 17 17:36:03 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication | ||
| + | Sat Sep 17 17:36:03 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key | ||
| + | Sat Sep 17 17:36:03 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication | ||
| + | Sat Sep 17 17:36:03 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA | ||
| + | Sat Sep 17 17:36:03 2016 [sophos30] Peer Connection Initiated with [AF_INET]192.168.242.81:4443 | ||
| + | Sat Sep 17 17:36:05 2016 SENT CONTROL [sophos30]: 'PUSH_REQUEST' (status=1) | ||
| + | Sat Sep 17 17:36:05 2016 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.242.2.1,route 10.2.2.0 255.255.255.0,setenv-safe remote_network_1 10.2.2.0/24,setenv-safe local_network_1 172.17.135.0/24,ifconfig 10.242.2.2 255.255.255.0' | ||
| + | Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: --ifconfig/up options modified | ||
| + | Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: route options modified | ||
| + | Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: route-related options modified | ||
| + | Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: environment modified | ||
| + | Sat Sep 17 17:36:05 2016 ROUTE_GATEWAY 192.168.240.100/255.255.248.0 IFACE=eth0:1 HWADDR=b8:27:eb:2a:6f:b0 | ||
| + | Sat Sep 17 17:36:05 2016 TUN/TAP device tun0 opened | ||
| + | Sat Sep 17 17:36:05 2016 TUN/TAP TX queue length set to 100 | ||
| + | Sat Sep 17 17:36:05 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 | ||
| + | Sat Sep 17 17:36:05 2016 /sbin/ip link set dev tun0 up mtu 1500 | ||
| + | Sat Sep 17 17:36:05 2016 /sbin/ip addr add dev tun0 10.242.2.2/24 broadcast 10.242.2.255 | ||
| + | Sat Sep 17 17:36:09 2016 /sbin/ip route add 10.2.2.0/24 via 10.242.2.1 | ||
| + | Sat Sep 17 17:36:09 2016 Initialization Sequence Completed | ||
| + | </pre> | ||
| + | ==Status== | ||
| + | [[Datei:Site-to-Site-VPN-SSL-Sophos-25.png|700px]] | ||
| − | + | =Links= | |
| − | * | + | *http://www.foxplex.com/sites/sophos-utm-site-to-site-vpn-mit-openvpn/ |
| − | |||
| − | |||
| − | |||
Aktuelle Version vom 17. September 2016, 15:40 Uhr
Auf dem SSL Server
Einstellungen
- Site-to-Site-VPN
- SSL
- Einstellungen
- SSL
Einrichten
- Site-to-Site-VPN
- SSL
- Neue SSL-Verbindung
- SSL
Client Konfigurartion runter laden
Auf dem Openvpn Client
Einrichten
- apt-get install openvpn
hostname.apc auf den openvpn-client kopieren
1. Block
-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
in die Datei client.crt kopieren
2. Block
-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
in die Datei ca.crt kopieren
3. Block
-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----
in die Datei client.key kopieren
Benutzername und Passwort exportieren
Die Sophos UTM verwendet des weiteren auch noch einen Benutzernamen und ein Passwort für die Verbindung. Auch diese zwei Komponenten können wir aus der Konfigurationsdatei auslesen.
Die Einträge befinden sich am Ende unterhalb des Private Keys. Vor dem Eintrag username findet sich der Benutzername und vor password das dazugehörige Passwort.
Hinweis: Bei manchen Konfiguration findet sich vor dem Passwort bzw. dem Benutzernamen noch eine Klammer. Diese darf nicht mit kopiert werden, da sie nicht zum Kennwort zählt.
Aus unserem Beispiel ergeben sich folgende Zugangsdaten:
^KREF_AaaUse2^H^@^@^@username^A�^F^@^@-----BEGIN PRIVATE KEY----- ^KAES-128-CBC^T^@^@^@encryption_algorithm^H~A^K^@^@^@compression ,REF_SSLSERSSLSERVERF0000ref_sslsersslserverf^H^@^@^@password
Benutzername: REF_AaaUse2
Passwort: REF_SSLSERSSLSERVERF0000ref_sslsersslserverf
user.creds
REF_AaaUse2 REF_SSLSERSSLSERVERF0000ref_sslsersslserverf
kopieren der Daten
- mkdir /etc/openvpn/certs
- cp ca.crt client.key client.crt user.creds /etc/openvpn/certs/
/etc/openvpn/server.conf
client dev tun proto tcp hand-window 30 port 4443 remote sophos30 resolv-retry infinite nobind persist-key persist-tun ca /etc/openvpn/certs/ca.crt cert /etc/openvpn/certs/client.crt key /etc/openvpn/certs/client.key cipher AES-128-CBC auth SHA1 comp-lzo route-delay 4 verb 3 reneg-sec 0 auth-user-pass /etc/openvpn/certs/user.creds
Test
- openvpn --config server.conf
Sat Sep 17 17:36:01 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016 Sat Sep 17 17:36:01 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08 Sat Sep 17 17:36:01 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Sat Sep 17 17:36:01 2016 Socket Buffers: R=[87380->131072] S=[16384->131072] Sat Sep 17 17:36:01 2016 Attempting to establish TCP connection with [AF_INET]192.168.242.81:4443 [nonblock] Sat Sep 17 17:36:02 2016 TCP connection established with [AF_INET]192.168.242.81:4443 Sat Sep 17 17:36:02 2016 TCPv4_CLIENT link local: [undef] Sat Sep 17 17:36:02 2016 TCPv4_CLIENT link remote: [AF_INET]192.168.242.81:4443 Sat Sep 17 17:36:02 2016 TLS: Initial packet from [AF_INET]192.168.242.81:4443, sid=b9181f79 dde058a4 Sat Sep 17 17:36:02 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Sat Sep 17 17:36:02 2016 VERIFY OK: depth=1, C=de, L=zweibruecken, O=xinux, CN=xinux VPN CA, emailAddress=david.mueller@xinux.de Sat Sep 17 17:36:02 2016 VERIFY OK: depth=0, C=de, L=zweibruecken, O=xinux, CN=sophos30, emailAddress=david.mueller@xinux.de Sat Sep 17 17:36:03 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Sat Sep 17 17:36:03 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sat Sep 17 17:36:03 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Sat Sep 17 17:36:03 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Sat Sep 17 17:36:03 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Sat Sep 17 17:36:03 2016 [sophos30] Peer Connection Initiated with [AF_INET]192.168.242.81:4443 Sat Sep 17 17:36:05 2016 SENT CONTROL [sophos30]: 'PUSH_REQUEST' (status=1) Sat Sep 17 17:36:05 2016 PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.242.2.1,route 10.2.2.0 255.255.255.0,setenv-safe remote_network_1 10.2.2.0/24,setenv-safe local_network_1 172.17.135.0/24,ifconfig 10.242.2.2 255.255.255.0' Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: --ifconfig/up options modified Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: route options modified Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: route-related options modified Sat Sep 17 17:36:05 2016 OPTIONS IMPORT: environment modified Sat Sep 17 17:36:05 2016 ROUTE_GATEWAY 192.168.240.100/255.255.248.0 IFACE=eth0:1 HWADDR=b8:27:eb:2a:6f:b0 Sat Sep 17 17:36:05 2016 TUN/TAP device tun0 opened Sat Sep 17 17:36:05 2016 TUN/TAP TX queue length set to 100 Sat Sep 17 17:36:05 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Sat Sep 17 17:36:05 2016 /sbin/ip link set dev tun0 up mtu 1500 Sat Sep 17 17:36:05 2016 /sbin/ip addr add dev tun0 10.242.2.2/24 broadcast 10.242.2.255 Sat Sep 17 17:36:09 2016 /sbin/ip route add 10.2.2.0/24 via 10.242.2.1 Sat Sep 17 17:36:09 2016 Initialization Sequence Completed
Status
