Securing wireless networks with OpenVPN (II)
OpenVPN can be set up either with a static pre-shared key or with a PKI (public/private key pairs). Below we see how to set up OpenVPN with a PKI to secure our wireless network.
With the OpenVPN tarball we do the usual source install:
./configure
make && make install
We will create the certificates with easy-rsa, so we append our default values to its vars file. One caveat before running anything: easy-rsa's vars shipped with KEY_SIZE=1024 at the time, which is why the transcripts below show 1024-bit RSA keys. 1024-bit RSA is no longer considered safe, so set KEY_SIZE=2048 (or larger) in vars before building the CA:
mkdir /usr/local/etc/openvpn/
cp easy-rsa/ /usr/local/etc/openvpn/ -pr
# vars and the build-* scripts live inside the copied easy-rsa directory
cd /usr/local/etc/openvpn/easy-rsa/
echo "export KEY_COUNTRY=ES" >> vars
echo "export KEY_PROVINCE=BARCELONA" >> vars
echo "export KEY_CITY=Barcelona" >> vars
echo "export KEY_ORG=\"systemadmin.es\"" >> vars
echo "export KEY_EMAIL=\"jordi@systemadmin.es\"" >> vars
We proceed to create our own certificate authority:
# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
.............+................++++++
..........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:obacs-CA
Email Address [jordi@systemadmin.es]:
#
We create the server certificate and sign it with the CA created in the previous step (build-key-server, unlike build-key, marks the certificate as a server certificate, which the client will check later):
# ./build-key-server obacs.systemadmin.es
Generating a 1024 bit RSA private key
............++++++
............++++++
writing new private key to 'obacs.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:obacs.systemadmin.es
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'BARCELONA'
localityName          :PRINTABLE:'Barcelona'
organizationName      :PRINTABLE:'systemadmin.es'
commonName            :PRINTABLE:'obacs.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Oct 11 10:26:02 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
We also create a certificate for the client and sign it with the same CA:
# ./build-key cadi.systemadmin.es
Generating a 1024 bit RSA private key
...........++++++
.........................++....................................++++++
writing new private key to 'cadi.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:cadi.systemadmin.es
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ES'
stateOrProvinceName   :PRINTABLE:'BARCELONA'
localityName          :PRINTABLE:'Barcelona'
organizationName      :PRINTABLE:'systemadmin.es'
commonName            :PRINTABLE:'cadi.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Oct 11 10:28:06 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#
We also generate the Diffie-Hellman parameters. They are not optional here: the server configuration below references them with the dh directive, and OpenVPN in server mode will not start without a dh file (only newer releases accept dh none when ECDHE ciphers are used). build-dh uses KEY_SIZE for the parameter size, so with KEY_SIZE=2048 set in vars it writes dh2048.pem instead of the dh1024.pem shown here, and the server configuration must point at that file:
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
........................+........................................+........+....++*++*++*
#
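The three easy-rsa steps above (build-ca, build-key-server, build-key) redone with plain openssl, as an added example that is not part of the original article or of easy-rsa itself. It runs non-interactively, uses 2048-bit keys, gives the server certificate the nsCertType=server and serverAuth extensions that the client's ns-cert-type server check relies on, and then verifies the result the way a practitioner would before copying any file to the OpenVPN hosts. The names (obacs-CA, obacs.systemadmin.es, cadi.systemadmin.es) are the ones used in this article; the output directory, the config layout, the extension sections and the verify_pki checks are this script's own assumptions. build-dh is not reproduced: `openssl dhparam -out dh2048.pem 2048` does the same job.

```shell
#!/bin/sh
# Added example (not from the article or easy-rsa): CA, server and client
# certificates built with plain openssl, then checked. All paths are relative
# to $KEYDIR, a temporary directory unless set in the environment.
set -eu

# Minimal openssl config: CA DN, CA extensions, and one extension section per
# role. "server" carries nsCertType=server and EKU serverAuth; "client" does not,
# so a client certificate can never pass a server-purpose check.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
C  = ES
ST = BARCELONA
L  = Barcelona
O  = systemadmin.es
CN = obacs-CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
nsCertType       = server
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
nsCertType       = client
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert DIR NAME ROLE: 2048-bit key plus CSR for NAME, signed by the CA
# with the ROLE extension section (build-key-server / build-key equivalent).
issue_cert() {
    dir=$1; name=$2; role=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
        -subj "/C=ES/ST=BARCELONA/L=Barcelona/O=systemadmin.es/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions "$role" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# build_pki DIR: self-signed CA (build-ca equivalent), then server and client certs.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_cnf "$dir/openssl.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    issue_cert "$dir" obacs.systemadmin.es server
    issue_cert "$dir" cadi.systemadmin.es client
}

# verify_pki DIR: prints "ok" only if both leaf certs chain to the CA, the server
# cert is valid for the sslserver purpose, the client cert is NOT (so a stolen or
# rogue client cert cannot impersonate the VPN server) and no key is under 2048 bits.
verify_pki() {
    dir=$1
    ca="$dir/ca.crt"; srv="$dir/obacs.systemadmin.es.crt"; cli="$dir/cadi.systemadmin.es.crt"
    openssl verify -purpose sslserver -CAfile "$ca" "$srv" >/dev/null 2>&1 \
        || { echo "server cert fails sslserver verification"; return 1; }
    openssl verify -purpose sslclient -CAfile "$ca" "$cli" >/dev/null 2>&1 \
        || { echo "client cert fails sslclient verification"; return 1; }
    if openssl verify -purpose sslserver -CAfile "$ca" "$cli" >/dev/null 2>&1; then
        echo "client cert would be accepted as a server: server extension missing"; return 1
    fi
    for crt in "$ca" "$srv" "$cli"; do
        bits=$(openssl x509 -in "$crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
        [ "$bits" -ge 2048 ] || { echo "$crt: $bits-bit key is too weak"; return 1; }
    done
    echo ok
}

KEYDIR=${KEYDIR:-$(mktemp -d)}
build_pki "$KEYDIR"
verify_pki "$KEYDIR"
echo "certificates written to $KEYDIR"
```

The third check in verify_pki is the one that matters on a shared wireless segment: a client certificate signed by the same CA must be rejected for the sslserver purpose, otherwise any wireless client could run a fake VPN server and the other clients would happily connect to it. Only ca.crt, the server certificate and its key go to the server; ca.key stays on the signing machine.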
The OpenVPN server configuration, following the diagram in the first article, would be as follows. Only ca.crt, the server certificate and the server key are copied to the server; the CA private key (ca.key) stays on the machine that signs certificates and never goes on the VPN server:
local 192.168.255.254
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/obacs.systemadmin.es.crt
# This one must be kept in a secure place
key keys/obacs.systemadmin.es.key
dh keys/dh1024.pem
server 172.16.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
max-clients 3
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
The OpenVPN client configuration would be the one below. remote points to the server's wireless-side address and cert/key to the client certificate generated above (the sample client.conf shipped with OpenVPN uses the placeholders my-server-1, client.crt and client.key, which must be replaced). ns-cert-type server is what stops another client certificate signed by the same CA from posing as the server; OpenVPN 2.5 and later drop this option in favour of remote-cert-tls server, which checks the serverAuth extended key usage instead:
client
dev tun
proto udp
# the server's wireless-side address from the server configuration above
remote 192.168.255.254 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
# the client certificate and key issued with build-key above
cert cadi.systemadmin.es.crt
key cadi.systemadmin.es.key
ns-cert-type server
comp-lzo
verb 3
With this configuration the VPN tunnel is established end to end, so any connection made over the private 172.16.0.0/16 addressing travels encrypted. Traffic the client sends to other destinations still leaves the wireless interface in the clear; that is what the NAT and proxy setup of the next part takes care of.
In the next installment we will see how to configure a proxy and NAT on the server to complete the secure wireless environment.