
Securing wireless networks with OpenVPN (II)

OpenVPN can be configured with either a pre-shared static key or a PKI (public/private key pairs signed by a certificate authority). Here we set up OpenVPN in PKI mode to secure our wireless network.

From the OpenVPN source package (which at the time shipped the easy-rsa scripts used below) we do the usual build and install; it needs the OpenSSL and LZO development libraries:

./configure
make && make install

We will create the certificates with easy-rsa, so we first append our defaults to its vars file. Note that this easy-rsa also sets KEY_SIZE=1024 in vars, which is where the 1024-bit keys in the output below come from; 1024-bit RSA is no longer considered safe, so set KEY_SIZE=2048 or larger for any deployment today:

mkdir /usr/local/etc/openvpn/
# copy the contents of easy-rsa: the scripts must live in the directory where vars is sourced below
cp -pr easy-rsa/. /usr/local/etc/openvpn/
cd /usr/local/etc/openvpn/
echo "export KEY_COUNTRY=ES" >> vars
echo "export KEY_PROVINCE=BARCELONA" >> vars
echo "export KEY_CITY=Barcelona" >> vars
echo "export KEY_ORG=\"systemadmin.es\"" >> vars
echo "export KEY_EMAIL=\"jordi@systemadmin.es\"" >> vars

We proceed to create our own certificate authority (clean-all wipes the keys directory, so run it only once, before anything has been issued):

# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
.............+................++++++
..........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:obacs-CA
Email Address [jordi@systemadmin.es]:
#

We create the server certificate and sign it with the CA created in the previous step. build-key-server (unlike build-key, used for clients below) marks the certificate as a TLS server, which is what lets clients later tell the real server apart from any other certificate signed by this CA:

# ./build-key-server obacs.systemadmin.es
Generating a 1024 bit RSA private key
............++++++
............++++++
writing new private key to 'obacs.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:obacs.systemadmin.es
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'BARCELONA'
localityName          :PRINTABLE:'Barcelona'
organizationName      :PRINTABLE:'systemadmin.es'
commonName            :PRINTABLE:'obacs.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Oct 11 10:26:02 2018 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

We also create a certificate for the client, again signed with the CA we created:

# ./build-key cadi.systemadmin.es
Generating a 1024 bit RSA private key
...........++++++
.........................++....................................++++++
writing new private key to 'cadi.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:cadi.systemadmin.es
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'BARCELONA'
localityName          :PRINTABLE:'Barcelona'
organizationName      :PRINTABLE:'systemadmin.es'
commonName            :PRINTABLE:'cadi.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Oct 11 10:28:06 2018 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#

The server also needs Diffie-Hellman parameters for its TLS key exchange (the server configuration below references them as keys/dh1024.pem). build-dh sizes the parameters and names the file after KEY_SIZE, so with KEY_SIZE=2048 you would get dh2048.pem; 1024-bit DH is as weak as 1024-bit RSA and should not be used today:

# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........................+........................................+........+....++*++*++*
#
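The same PKI as an added example, not part of the article and not OpenVPN or easy-rsa code: a POSIX shell script that builds the CA, the server certificate and the client certificate non-interactively with plain openssl, using 2048-bit keys instead of the 1024-bit default above, and then checks the property behind the build-key-server/build-key distinction: only the server certificate is valid for the TLS server role, which is what the client configuration's ns-cert-type server line (remote-cert-tls server in current OpenVPN) enforces. The names and the 3650-day lifetime are taken from the article; the output directory argument and the extension sections are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the article or of OpenVPN/easy-rsa: the article's
# three-piece PKI (CA, server certificate, client certificate) built
# non-interactively with plain openssl and 2048-bit keys, plus the check that
# the client's "ns-cert-type server" line relies on.
# Names and the 3650-day lifetime come from the article; the output directory
# and the extension sections below are assumptions of this script.

DN_BASE='/C=ES/ST=BARCELONA/L=Barcelona/O=systemadmin.es'

# Extension sections: the CA may sign, the server may only act as TLS server,
# the client may only act as TLS client (build-key-server vs build-key).
PKI_CNF='
[ req ]
distinguished_name = dn
[ dn ]
# left empty on purpose: subjects are passed with -subj

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
nsCertType             = server
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
nsCertType             = client
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
'

# issue_cert DIR NAME SECTION: new 2048-bit key and CSR for NAME, signed by DIR/ca.key
# with the extensions of SECTION (what build-key-server / build-key do interactively).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/pki.cnf" -subj "$DN_BASE/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 3650 \
        -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions "$3" -out "$1/$2.crt" 2>/dev/null
}

# build_pki DIR: CA + server + client certificates in DIR, private keys mode 0600.
build_pki() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$PKI_CNF" > "$1/pki.cnf"
    old_umask=$(umask)
    umask 077                     # keys are born unreadable to anyone else
    # build-ca: self-signed CA; its key is the one that must never leave the machine
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/pki.cnf" -extensions ca_ext -subj "$DN_BASE/CN=obacs-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    issue_cert "$1" obacs.systemadmin.es server_ext &&
    issue_cert "$1" cadi.systemadmin.es  client_ext
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] && chmod 644 "$1"/*.crt   # certificates are public, keys stay 0600
}

# verify_pki DIR: both leaf certificates chain to the CA (what "ca ca.crt" checks on each side).
verify_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/obacs.systemadmin.es.crt" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1/ca.crt" "$1/cadi.systemadmin.es.crt"  >/dev/null 2>&1
}

# can_act_as_server DIR CERT: true only if CERT is valid for the TLS *server* role.
# This is what the client enforces with "ns-cert-type server" (today "remote-cert-tls
# server"): a stolen client key, although signed by the same CA, must not let someone
# on the wireless network pose as the VPN server.
can_act_as_server() {
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Stand-alone use: sh build-pki.sh /usr/local/etc/openvpn/keys
if [ "$#" -gt 0 ]; then
    build_pki "$1" && verify_pki "$1" &&
    can_act_as_server "$1" "$1/obacs.systemadmin.es.crt" &&
    ! can_act_as_server "$1" "$1/cadi.systemadmin.es.crt" &&
    echo "PKI in $1 is consistent: only obacs.systemadmin.es may act as the server"
fi
```

Run as sh build-pki.sh /usr/local/etc/openvpn/keys to get files with the same names the server configuration below references (ca.crt, obacs.systemadmin.es.crt and .key, plus the client's cadi.systemadmin.es pair). The Diffie-Hellman parameters are still produced separately, with build-dh or openssl dhparam -out dh2048.pem 2048.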

Following the diagram in the first article, the OpenVPN server configuration would be:

# Address on the wireless segment the server listens on
local 192.168.255.254
port 1194
proto udp

dev tun

ca keys/ca.crt
cert keys/obacs.systemadmin.es.crt

# Keep this one in a safe place: whoever holds it can impersonate the server
key keys/obacs.systemadmin.es.key

# As produced by build-dh (file name follows KEY_SIZE)
dh keys/dh1024.pem

# Tunnel addressing; the server itself takes 172.16.0.1
server 172.16.0.0 255.255.0.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

# Compression; current OpenVPN releases advise against it (compression-oracle attacks)
comp-lzo

max-clients 3

# Drop privileges once the tunnel is up
user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3

The OpenVPN client configuration would be:

client

dev tun

proto udp

# The address the server binds to with "local" above
remote 192.168.255.254 1194

resolv-retry infinite

nobind

user nobody
group nobody

persist-key
persist-tun

# The CA and the certificate/key created with build-key for this client
ca ca.crt
cert cadi.systemadmin.es.crt
key cadi.systemadmin.es.key

# Only accept a peer whose certificate was issued with build-key-server,
# so another client of the same CA cannot pose as the server
# (remote-cert-tls server is the current equivalent)
ns-cert-type server

comp-lzo

verb 3

With this configuration the VPN tunnel is up between both ends, so every connection the client makes to the private 172.16.0.0/16 addressing travels encrypted over the wireless link. Nothing else is routed through the tunnel yet: without a pushed redirect-gateway, traffic to any other destination still leaves the client over the wireless network in the clear. A tls-auth HMAC key shared by server and client would additionally let the server discard packets from anyone on the wireless network who does not hold it, before any TLS handshake takes place.


In the next part we will see how to configure a proxy and NAT on the server to complete the secure wireless environment.
