OPENVPN with User-Authentication: Difference between revisions
Current version as of 29 July 2025, 11:58
Diagram
Install
- sudo apt install openvpn
Server
Create DH Key
- cd /etc/openvpn
- openssl dhparam -out dh2048.pem 2048
Self-signed certificate
- Self-signed certificate
- Certificate of the certification authority (CA)
/etc/openvpn/ca.crt
- Server certificate
/etc/openvpn/public.crt
- Server private key
/etc/openvpn/private.key
Rename
- mv fw.*.crt public.crt
- mv fw.*.key private.key
Server Config
- vi /etc/openvpn/server/server.conf
# Router mode
dev tun
# Start as a server, listening on the port specified below
mode server
tls-server
# Subnet, not a point-to-point network
topology subnet
# Transit network
server 172.20.2xx.0 255.255.255.0
# Pushes to the clients
push "route 172.16.2xx.0 255.255.255.0"
push "route 10.88.2xx.0 255.255.255.0"
push "dhcp-option DOMAIN it2xx.int"
push "dhcp-option DNS 10.88.2xx.21"
# Symmetric ciphers
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
# Maximum transmission unit of the link
link-mtu 1542
# Clients can reach each other
client-to-client
# Maximum number of clients
max-clients 150
# Log level
verb 3
# Diffie-Hellman parameters
dh /etc/openvpn/dh2048.pem
# CA certificate
ca /etc/openvpn/ca.crt
# Server certificate
cert /etc/openvpn/public.crt
# Server private key
key /etc/openvpn/private.key
# Clients have no certificate
verify-client-cert none
username-as-common-name
# Users are authenticated against Pluggable Authentication Modules (PAM)
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login
Manual start
- openvpn --config server.conf
2022-09-07 09:21:01 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-07 09:21:01 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
2022-09-07 09:21:01 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-09-07 09:21:01 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2022-09-07 09:21:01 net_route_v4_best_gw query: dst 0.0.0.0
2022-09-07 09:21:01 net_route_v4_best_gw result: via XX.59.156.161 dev eth0
2022-09-07 09:21:01 PLUGIN AUTH-PAM: initialization succeeded (fg)
2022-09-07 09:21:01 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
2022-09-07 09:21:01 Diffie-Hellman initialized with 2048 bit key
2022-09-07 09:21:01 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1420)
2022-09-07 09:21:01 TUN/TAP device tun0 opened
2022-09-07 09:21:01 PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded
2022-09-07 09:21:01 net_iface_mtu_set: mtu 1420 for tun0
2022-09-07 09:21:01 net_iface_up: set tun0 up
2022-09-07 09:21:01 net_addr_v4_add: 172.31.2.1/24 dev tun0
2022-09-07 09:21:01 Could not determine IPv4/IPv6 protocol. Using AF_INET
2022-09-07 09:21:01 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-07 09:21:01 UDPv4 link local (bound): [AF_INET][undef]:5000
2022-09-07 09:21:01 UDPv4 link remote: [AF_UNSPEC]
2022-09-07 09:21:01 MULTI: multi_init called, r=256 v=256
2022-09-07 09:21:01 IFCONFIG POOL IPv4: base=172.31.2.2 size=252
2022-09-07 09:21:01 Initialization Sequence Completed
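As an added example (not part of the wiki page), a small Python linter that reproduces the two conditions behind the warnings in the start-up log above: a legacy cipher that is not listed in data-ciphers, and verify-client-cert none without a user-authentication hook or username-as-common-name. Both configs are constructed from the page; treating any plugin line as the authentication hook is an assumption.

```python
import shlex

# Constructed excerpt of the page's current server.conf (2xx placeholders as on the page).
CURRENT_CONF = """
mode server
tls-server
push "dhcp-option DNS 10.88.2xx.21"   # inline comment; quotes are respected
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
verify-client-cert none
username-as-common-name
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login
"""
# Constructed variant reproducing what the start-up log warns about: a legacy
# 'cipher' absent from data-ciphers, and no user authentication at all.
LEGACY_CONF = """
mode server
tls-server
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM
verify-client-cert none
"""

def parse_conf(text):
    """Map directive -> list of argument lists; shlex handles quoting and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def lint(text):
    """Return findings for the two logged warnings plus a missing-AEAD check; [] means clean."""
    conf = parse_conf(text)
    findings = []
    data_ciphers = {c for args in conf.get("data-ciphers", []) for c in args[0].split(":")}
    for args in conf.get("cipher", []):  # DEPRECATED OPTION warning
        if args and args[0] not in data_ciphers:
            findings.append(f"cipher {args[0]} missing from data-ciphers")
    if data_ciphers and not any(c.endswith("-GCM") or c == "CHACHA20-POLY1305" for c in data_ciphers):
        findings.append("data-ciphers contains no AEAD cipher")
    vcc = conf.get("verify-client-cert", [[]])[0]
    if vcc and vcc[0] in ("none", "optional"):  # POTENTIALLY DANGEROUS OPTION warning
        # Assumption: a 'plugin' line is the user-auth hook, as auth-pam is on this page.
        if "plugin" not in conf and "auth-user-pass-verify" not in conf:
            findings.append(f"verify-client-cert {vcc[0]} without any user authentication")
        if vcc[0] == "none" and "username-as-common-name" not in conf:
            findings.append("verify-client-cert none without username-as-common-name")
    return findings
```

Run lint() over the real /etc/openvpn/server/server.conf before enabling the unit; the page's current config yields no findings, while the legacy variant yields three.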
Automatic start
- nftables normally starts before openvpn, which leads to the problem that tun0 does not exist yet.
- Workaround
Let openvpn start nftables
- systemctl edit openvpn-server@server.service
### Editing /etc/systemd/system/openvpn-server@server.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
[Service]
ExecStartPost=/usr/sbin/nft -f /etc/nftables.conf
### Lines below this comment will be discarded
- systemctl daemon-reload
- systemctl enable openvpn-server@server.service --now
Check
- ss -lnup | grep 1194
