Additional signing of OpenVPN packages with tls-auth
With the "tls-auth" directive is it possible to sign OpenVPN packages with a static 160 bit HMAC hash key, by default the HMAC wrapper uses a SHA1 algorithm. This is an additional protection for the tunnel and can specifically used with UDP connections against DoS and Replay attacks.
Procedure:
To enable this function first, a static key (on IPFire) needs to be generated, this key will be copied to the client machine. And in the last step the server and client configuration will be expanded for each, by one row.
The following commands will be executed on IPFire:
cd /var/ipfire/ovpn/certs # Navigate to the target directory
openvpn --genkey --secret ta.key # Generate the static OpenVPN key
chown nobody:nobody ta.key # Ajust the user and the group
chmod 600 ta.key # Adjust the access privileges
scp ta.key user@clientmachin:/the/OpenVPN/client/directory # Secure copy to client machine
After the key has been copied to the appropriate directory on the client machine, the ta.key on the client machine will be adjusted with the right user privileges:
cd /the/OpenVPN/client/directory
chmod 600 ta.key
Adjust the client.ovpn and the server.conf:
Note: To edit the configuration files the editor nano will be used.
Edit the server.conf on IPFire:
nano /var/ipfire/ovpn/server.conf
Now the following line will be written into the configuration:
tls-auth /var/ipfire/ovpn/certs/ta.key 0
The 0 is important because it defines the TLS-server.
In the client.ovpn the following lkine will be added:
tls-auth ta.key 1
The 1 is important because it defines the TLS-client.
| Note! |
|---|
| The direction definition with 0 and 1 can also be omitted. Especially Smartphones can have problems with it. |
| On Net-to-Net connections the directory path needs to be adapted accordingly, for instance this path/var/ipfire/ovpn/certs/ta.key 1 could be used. Don´t forget to set the right permissions for the ta.key --> nobody:nobody and 600 |
That´s all. To check the new feature, in the client and server log should be written something like.
Server Log:
22:56:15 openvpnserver Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for H MAC authentication
22:56:15 openvpnserver Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for H MAC authentication
22:56:15 openvpnserver Control Channel Authentication: using '/var/ipfire/ovpn/certs/ta.key' as a OpenVPN static key file
Client log:
2011-06-07 22:56:41 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-06-07 22:56:41 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-06-07 22:56:41 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
| Note! |
|---|
| Above explained directive was already implemented with Core 79. |
client-config-dir or CCD
| Note! |
|---|
| This directive works only for roadwarrior environment. |
This directive and the accompanying directory has been implemented with core 61. This function makes it possible to set client-specific instructions. Since this feature is not yet integrated into the webinterface, the console have to be used. The directory can be found at/var/ipfire/ovpn/ccd .
To create client-specific instructions, navigate to the directory with a
cd /var/ipfire/ovpn/ccd
and create a text file with the "Common Name"
of the connection, in this example "RoadwarriorA01", with the following command
touch RoadwarriorA01
| Note! |
|---|
| It is important that the name of each text file (client) is identical with the common name (stated under the webinterface as "Common Name"). |
In this example, the client is assigned to a static IP via "ifconfig-push," that means you can create IPTables firewall rules tailored to the client. The fixed IP can also be made available to other clients via DNS.
In the case of Windows clients make sure that "ifconfig-push" becomes a IP with the last octet from the following list.
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
This ensures the compatibility with Windows clients and the TAP-Win32 driver (source -> http://openvpn.net/index.php/open-source/documentation/howto.html#policy).
Also, "redirect-gateway" was activated for this specific client, thus, the directive does not need to be set globally and can be used individually.
In this example also a internal route (using the directive "iroute") was setting up.
The text file will be edited with Nano.
nano /var/ipfire/ovpn/ccd/RoadwarriorA01
###
# ccd file for RoadwarriorA01
###
# The server tells the client to assign a fix IP.
ifconfig-push 10.8.2.5 10.8.2.6
# All IP traffic from the client goes through the VPN.
push redirect-gateway
# The client will be instruct to route a specific network
iroute 192.168.10.123 255.255.255.248
| Note! |
|---|
| iroute can be used well with the new function to push additional routes. |
With CCD a lot more is possible; for additional information, see the following links: