Tutorial - Install OpenVPN on Ubuntu 10.04

[SeijiSensei]

Does anybody know what's the best way to prevent private keys copy to another system? I have tried encfs and openssl commands, but I can't use them as we start the OpenVPN client as a server.

Protect them from whom exactly? Anyone with root privileges can copy those files, so the question you ask is really a question about access to the machine itself. If there are people who have physical access to the machine, and know how to reboot the machine into "recovery mode," all your keys can be copied. If someone has root or sudo privileges on the machine, that person can walk off with all the keys. If you can't trust the people who have root on the machine, then all bets are off in terms of security.

I make sure all the keys have 600 permissions so they are only readable by the root user. If you place the keys in a directory like I do (/etc/openvpn/keys), then that directory needs to have 0700 permissions. All the keys and associated directories should be owned by root:root.

[oct]

Well, I was thinking in the case a "bad" user picks the client hard disk, and tries to read the information from another computer, via USB or installing it on the other computer. I'd like to prevent this user to copy the keys so that he/she can use them on another machine.

I'm working on a project where we will deploy several computers with OpenVPN connection to a central server and I want to be sure nobody else can access that server.

Thanks

Oct

[SeijiSensei]

Then make sure it's in a locked facility and don't give anyone sudo or root privileges but yourself. Also apply the restricted permissions on the key files I described above.

Knowledgeable users with physical access can do anything once they gain root. Rebooting into "recovery mode" is one such method, so you need to insure no one can sit at the keyboard but you. Adding a BIOS password can help protect against this method of attack as can locking the server case. Nearly any full-fledged server will come with a case lock.

As for enforcing client security, it appears that OpenVPN has some mechanisms for permitting connections only from specified MAC addresses. That would provide some protection against stealing the keys and connecting from somewhere else. Also you can restrict inbound connections so they can come only from specified client IP addresses. I do that via iptables, but there are also mechanisms to restrict connections by IP in the OpenVPN configuration as well.

[Zenguy]

I'm not an expert on encryption strategies, but it looks like that is the proper solution to your problem. If you can do full disk encryption via truecrypt or encrypt the sensitive folder using another EncFS, then even if someone pulls the drive they can't access the data.

This problem may be beyond the scope of this thread at this point, since it deals more with securing data on the drive rather than VPN issues.

[shreepads]

Just wanted to say thanks for this guide... Not doing anything complicated, just connecting to a public VPN server but your PDF was helpful....

Steps (in case anyone else looking)

a. Install openvpn, bridge-utils (probably not required) and network-manager-openvpn-gnome in admin

b. In ordinary user mode, register for VPN service and download .ovpn file, save securely. At this point you could use the 'Import' feature in the VPN connections tab but that doesn't work in 10.04 (at least with the file I had)

c. Open the file (say client.ovpn) and extract the following sections and save as separate files:

File 1: ca.cert: All the text between the <ca> </ca> tags i.e. somthing like this

Code:

-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIETYOipDANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
...
rxjDjIJbAQ==
-----END CERTIFICATE-----

File 2: user.crt: All the test between the <cert> </cert> tags i.e.

Code:

-----BEGIN CERTIFICATE-----
MIIB1TCCAT6gAwIBAgIDBS88MA0GCSqGSIb3DQEBBQUAMBUxEzARBgNVBAMTCk9w
...
bsjnopP4G0idNeJ5TY60gK9FqCkcUY7Qd6ggLvLXh/KvtExRCfhAO5w=
-----END CERTIFICATE-----

File 3: private.key: All the text between the <key> </key> tags i.e.

Code:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDHxMtnxqpJsy/eLWud03uk6V+Ot73YzOTmR/mUpq1TmdQrAHgn
...
bW5+zawHMOoH0BMzLy9TlP/bIAarrynqRcffc+k8Rzcl
-----END RSA PRIVATE KEY-----

File 4: tlsauth.key: All the text between the <tls-auth> </tls-auth> tags i.e.

Code:

-----BEGIN OpenVPN Static key V1-----
4f65292e639c83574026ab790f67257b
...
521021b9e6d45cdee7bfd22fce270a49
-----END OpenVPN Static key V1-----

d. Use these files while setting up the VPN connection in Network Manager as described in pgs 8, 9, 10 of the guide.

e. Look for the following bits in the .ovpn file (or may be given in documentation from the VPN provider) and setup accordingly

Code:

remote us.shieldexchange.com 1194 udp  # Map to Gateway, Port & 'Use a TCP Connection' field (Advanced... in this case, no)
dev tun
dev-type tun       # Map to 'Use a TAP device' field in Advanced... (in this case, no)
key-direction 1   # Map to Key Direction in Advanced -> TLS Authentication along with the tlsauth.key

e. In addition to the above fields make sure you use the Cipher and Hash function (under Advanced -> Security) prescribed by the VPN provider. In my case it's BF-CBC (Blowfish-CBC) and SHA1.

[wlraider70]

It appears that my openvpn wont open.

server@philo:/etc/openvpn$ sudo sockstat
USER PROCESS PID PROTO SOURCE ADDRESS FOREIGN ADDRESS STATE
avahi avahi-daemon 724 udp4 *:5353 *:* CLOSED
root openvpn 8053 udp4 *:1194 *:* CLOSED
(clipped)


I'm not entirely sure where my error is, but this seems like a good place to start.

[kevdog]

This almost sounds like a firewall issue.

[ibrahim.k]

Hi,
Can I connect to this VPN Via my Ipad?
thnx

[Zenguy]

Hi,
Can I connect to this VPN Via my Ipad?
thnx

Yes. I believe there are OpenVPN clients for the iPad.

[Spartan117413]

Zenguy I just want to say thanks for the excellent guide. I've been working steadily for about three days on ironing out the issues for creating a bridged VPN server on Precise. You have my appreciation for cranking out this guide.