Differences
This shows you the differences between two versions of the page.
|
isc:labs:10 [2024/11/17 12:25] florin.stancu |
isc:labs:10 [2024/12/11 10:20] (current) radu.mantu [[20p] 0. Setup & EasyRSA certificate generation] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 10 - Remote Net Security ====== | + | ====== Lab 10 - Tunnels. Remote Network Security ====== |
| + | |||
| + | ===== Objectives ===== | ||
| + | |||
| + | Today, we're going to learn how to configure two of the most widely used | ||
| + | open-source VPN solutions: OpenVPN and WireGuard! | ||
| + | |||
| + | * Set up OpenVPN and WireGuard servers on a Linux machine; | ||
| + | * Configure clients to connect to each VPN; | ||
| + | * Customize routing through the VPN. | ||
| + | |||
| + | ===== Tasks ===== | ||
| + | |||
| + | As we will need at least two Linux systems (one for the VPN server, another for the client -- for OpenVPN, at least), you will need to work in pairs! | ||
| + | |||
| + | ==== [20p] 0. Setup & EasyRSA certificate generation ==== | ||
| + | |||
| + | 1. Install the ''openvpn'' and ''wireguard-tools'' packages from the APT repository. | ||
| + | |||
| + | 2. We'll use EasyRSA to generate a PKI with CA & leaf certificates for server + clients: | ||
| + | |||
| + | <code bash> | ||
| + | git clone https://github.com/OpenVPN/easy-rsa.git | ||
| + | cd easy-rsa/easyrsa3 | ||
| + | cp vars.example vars | ||
| + | vim vars # or nano, uncomment & edit COUNTRY, CITY, ORG etc. | ||
| + | ./easyrsa init-pki | ||
| + | ./easyrsa build-ca # and enter a min. 4 char password + remember it! | ||
| + | # verify CA details: | ||
| + | ./easyrsa show-ca | ||
| + | </code> | ||
| + | |||
| + | <note important> | ||
| + | Generally, the CA needs to be created by the VPN server provider, while the certificate requests must be done by each client, then transfer it to the server to be signed. | ||
| + | But for simplity, we'll do them all on the same machine. | ||
| + | </note> | ||
| + | |||
| + | 3. Now use the [[https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md|official instructions here]] to request & sign both a "Server" and a "Client" certificate (use whatever Common Names you want, but make them at least descriptive). Note: you must supply a password, though you can disable this by editing the ''vars'' file and uncommenting the ''EASYRSA_NO_PASS 1'' line ;) . | ||
| + | |||
| + | Make sure to set the proper ''client'' or ''server'' certificate type for ''sign-req'''s argument! | ||
| + | |||
| + | Also note the generated certificates path! | ||
| + | You must transfer the CA + Client certificate + private key to the client machine (VM) -- you can do it now, or a bit later when told! | ||
| + | |||
| + | <solution -hidden> | ||
| + | <code bash> | ||
| + | ./easyrsa gen-req Server | ||
| + | ./easyrsa sign-req server Server | ||
| + | ./easyrsa gen-req Client | ||
| + | ./easyrsa sign-req client Client | ||
| + | </code> | ||
| + | </solution> | ||
| + | |||
| + | ==== [40p] 1. OpenVPN Configuration ==== | ||
| + | |||
| + | We will use EasyRSA to generate a CA: | ||
| + | |||
| + | Now choose your role (and help your colleague!): | ||
| + | |||
| + | === A. OpenVPN Server === | ||
| + | |||
| + | **Note:** Must do all these steps logged in as ''root''! | ||
| + | |||
| + | 1. First, copy the server private key + certificate and the CA certificate to the OpenVPN's server configuration directory: | ||
| + | <code> | ||
| + | root in /etc/openvpn/server … | ||
| + | ➜ ls -l | ||
| + | total 16K | ||
| + | -rw------- 1 root root 1.2K 2024-12-08 19:56 ca.crt | ||
| + | -rw------- 1 root root 4.5K 2024-12-08 19:56 Server.crt | ||
| + | -rw------- 1 root root 1.7K 2024-12-08 19:56 Server.key | ||
| + | </code> | ||
| + | |||
| + | 2. Copy the OpenVPN example ''server.conf'': | ||
| + | <code bash> | ||
| + | cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/server.conf | ||
| + | </code> | ||
| + | |||
| + | Open the config with your favorite editor, then: | ||
| + | * ensure that the ''ca'', ''cert'' and ''key'' point to the ones copied from EasyRSA (note: Linux is CaSe SeNsItiVe!); | ||
| + | * read the comments and generate ''ta.key''; | ||
| + | * read the comments and generate the Diffie-Hellman parameters file (''dh2048.pem''); | ||
| + | |||
| + | 3. Start/restart the service: <code bash> | ||
| + | systemctl restart openvpn-server@server.service | ||
| + | </code> | ||
| + | |||
| + | If it didn't complain, the congratulations! You're done with the server! | ||
| + | |||
| + | Use ''journalctl -u openvpn-server@server -n 100 -f'' to display the log flow of the OpenVPN server (also check it in case of any service startup error). | ||
| + | |||
| + | === B. OpenVPN Client === | ||
| + | |||
| + | 1. Transfer the Server CA (''ca.crt''), ''Client.key'' and ''Client.crt'' from the Server (check easyrsa's ''pki/'' directory). | ||
| + | |||
| + | <note tip> | ||
| + | Note: SSH is unusable without public key, so you'll need to do this using another service (e.g., paste bin, Teams / Discord / Messenger, netcat client/server text messaging etc.). | ||
| + | </note> | ||
| + | |||
| + | 2. Copy the example client configuration from ''/usr/share/doc/openvpn/examples/sample-config-files/client.conf'' somewhere you want (e.g., in your home, or inside ''/etc/openvpn/client'', it doesn't really matter). | ||
| + | |||
| + | 3. Edit the config and enter the server's external IP address (the VLAN9 network IP address if on OpenStack) specified using the ''remote'' variable, then also check (and modify) the ''ca'', ''cert'' and ''key'' variables to point to where you have these files (which you've transfered earlier, RIGHT?). | ||
| + | |||
| + | 4. Try to run your client using ''openvpn <path-to-client.conf>''. Inspect the error... Something about ''ta.key'' -- yep, that's right, bring it from the server :( | ||
| + | |||
| + | 5. Finally, connect to the VPN and (from another terminal, unless you spawned OpenVPN in daemon mode), ping it: <code> | ||
| + | ping 10.8.0.1 | ||
| + | </code> | ||
| + | |||
| + | ==== [40p] 2. WireGuard ==== | ||
| + | |||
| + | Wireguard is one of the latest open-source VPN technology, increasingly popular for its low complexity, straight-forward , security and performance due to its use of some modern cryptographic primitives (ChaCha20+Poly1305 for symmetric encryption, Curve25519 for ECDH, BLAKE2s for hashing). | ||
| + | |||
| + | Authentication is done by simply exchanging public keys. Let's go! | ||
| + | |||
| + | 1. Both pairs should generate a private and public key pair and share the public counterpart. This is best done using the ''wg'' CLI utility: <code bash> | ||
| + | wg genkey | tee wg-priv.key | wg pubkey | tee wg-pub.key | ||
| + | # Q: what does `tee` do? (`man` it!) | ||
| + | </code> | ||
| + | |||
| + | Only the public key is displayed on console (both are stored as files for backup!). Share it with your colleague! | ||
| + | |||
| + | 2. Time to create our configuration file. Create a ''.conf'' file inside ''/etc/wireguard/'' (your choice of naming, though ''wg-isc'' sounds quite okay). | ||
| + | |||
| + | Use the following code template and fill the variables (also remove/replace the ''<..>'' placeholders!): <code> | ||
| + | [Interface] | ||
| + | PrivateKey = <paste-your-private-key> | ||
| + | ListenPort = 55820 | ||
| + | |||
| + | [Peer] | ||
| + | PublicKey = <paste-your-colleagues's-pub-key> | ||
| + | Endpoint = <colleague-VM-IP>:55820 | ||
| + | AllowedIPs = <your-tunnel-subnet>/<mask> | ||
| + | </code> | ||
| + | |||
| + | Use a private space as the tunnel subnet address, e.g., ''10.12.34.252/30''. | ||
| + | |||
| + | 3. We'll create the wireguard interfaces the ''iproute2'' way (i.e., using the ''ip'' Linux utility): <code> | ||
| + | ip link add wg-isc type wireguard | ||
| + | wg setconf wg-isc /etc/wireguard/wg-isc.conf # or whatever you named your config | ||
| + | ip address add <your-address>/<mask> dev wg-isc | ||
| + | </code> | ||
| + | |||
| + | 4. Connectivity test! <code> | ||
| + | ping <colleague-private-tunnel-ip> | ||
| + | sudo wg # show wireguard statistics | ||
| + | </code> | ||
| + | |||
| + | <note tip> | ||
| + | **Note:** there are even simpler ways of configuring Wireguard, like [[https://www.man7.org/linux/man-pages/man8/wg-quick.8.html|wg-quick]] (automates interface creation & IP address/routes configuration using a similar .conf file) and [[https://github.com/wg-easy/wg-easy|wg-easy]] (Web GUI for Wireguard) -- but we wanted to demonstrate its purest form (: | ||
| + | </note> | ||
| - | WIP | ||
