Difference between revisions of "How to connect to the vpn"

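--- a/How_to_connect_to_the_vpn
+++ b/How_to_connect_to_the_vpn
@@ -65,2 +65,97 @@
 </tls-auth>
 </pre>
+
+== Server installation ==
+OS of choice: Rocky Linux release 8.4 (Green Obsidian)
+
+# Prepare the OS
+<pre>
+# Update the OS
+dnf update
+
+# Install epel-release
+dnf install -y epel-release
+
+# Install necessary packages
+dnf install -y wget openvpn https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Everything/x86_64/os/Packages/o/openvpn-auth-ldap-2.0.4-3.fc33.x86_64.rpm
+</pre>
+
+# Configure certificates using EasyRSA
+<pre>
+# Download EasyRSA and store it in /tmp
+wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
+
+# Extract
+tar xfz /tmp/easyrsa
+
+# Copy the binary easyrsa to /usr/bin
+
+# Do the Crypto dance
+cd /etc/openvpn/
+easyrsa init-pki
+
+# Copy some files from the originally extracted folder of EasyRSA
+cp EasyRSA-3.0.8/openssl-easyrsa.cnf /etc/openvpn/pki/
+cp -rf EasyRSA-3.0.8/x509-types/ /etc/openvpn/pki/
+
+# Generate all the things
+cd /etc/openvpn/
+easyrsa build-ca
+easyrsa gen-req openvpn nopass
+easyrsa gen-dh
+easyrsa build-server-full openvpn
+easyrsa sign-req server openvpn
+openvpn --genkey --secret ta.key
+</pre>
+
+# Prepare LDAP authentication
+<pre>
+# Copy paste the following in /etc/openvpn/auth/ldap.conf
+
+<LDAP>
+# LDAP server URL
+        URL            ldap://ipa.hackerspace.gent:389
+# Bind DN (If your LDAP server doesn't support anonymous binds)
+        BindDN          "uid=openvpn,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
+# Bind Password
+Password "**************"
+# Network timeout (in seconds)
+Timeout 15
+# Enable Start TLS
+TLSEnable no
+# Follow LDAP Referrals (anonymously)
+FollowReferrals yes
+</LDAP>
+
+<Authorization>
+# Base DN
+        BaseDN          "cn=users,cn=accounts,dc=hackerspace,dc=gent"
+# User Search Filter
+SearchFilter "(uid=%u)"
+# Require Group Membership
+RequireGroup false
+# Add non-group members to a PF table (disabled)
+#PFTable ips_vpn_users
+
+# Uncomment and set to true to support OpenVPN Challenge/Response
+#PasswordIsCR false
+#<Group>
+# Default is true. Match full user DN if true, uid only if false.
+# RFC2307bis  true
+
+# Default is true. Uncomment and set to false if you want to use a Search operation to determine group
+# membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
+# required in certain LDAP environments.
+# UseCompareOperation  true
+
+#BaseDN "ou=Groups,dc=example,dc=com"
+#SearchFilter "(|(cn=developers)(cn=artists))"
+#MemberAttribute uniqueMember
+# Add group members to a PF table (disabled)
+#PFTable ips_vpn_eng
+#</Group>
+</Authorization>
+</pre>
+
+
+[[Category:Hackerspace Gent Manual]]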
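Review bot: `TLSEnable no` combined with the plain `ldap://ipa.hackerspace.gent:389` URL in the new `<LDAP>` block means the bind password and every VPN user's password travel to the directory unencrypted; the fix is `TLSEnable yes` (with a trusted CA given via `TLSCACertFile`, assuming the IPA CA is not already trusted system-wide) or an `ldaps://` URL. The same file holds the bind password in the clear, yet the snippet sets no permissions on `/etc/openvpn/auth/ldap.conf`, so add `chmod 600 /etc/openvpn/auth/ldap.conf` after creating it. In the EasyRSA step, `easyrsa build-server-full openvpn` redoes what `easyrsa gen-req openvpn nopass` and `easyrsa sign-req server openvpn` already do for the same name, so one of the two forms should be removed. The `tar xfz /tmp/easyrsa` line also never states where it extracts although the later `cp EasyRSA-3.0.8/...` commands assume `/etc/openvpn/`, and the "Copy the binary easyrsa to /usr/bin" step has no command under it.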

Revision as of 20:04, 20 July 2021

Client Information

Note: you will need an LDAP account to authenticate with the VPN.

The VPN is implemented using OpenVPN. You can either download the Windows client here, use NetworkManager with the OpenVPN plugin, or connect by other means.

Create a file called HSG.ovpn and paste the following content to import it.

# OpenVPN client profile for the HSG VPN (save as HSG.ovpn)
client
# Server endpoint: TCP on port 1194
remote vpn.h0st.be
port 1194
# Only accept a peer certificate marked for server use, and pin its subject
remote-cert-tls server
verify-x509-name "CN=openvpn"
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
# Prompt for the LDAP username/password (see the note above); auth-nocache below
# keeps them from being cached in memory after use
auth-user-pass
cipher AES-256-GCM
dev tun
proto tcp
nobind
auth-nocache
# Permits the client to run external executables/scripts; presumably needed for a
# helper script on some clients — confirm, otherwise it can be dropped
script-security 2
persist-key
persist-tun
# Client side (1) of the tls-auth HMAC key below; the server uses direction 0.
# NOTE(review): this static key is published with the page, so anyone who has read
# it can pass the tls-auth check; client authentication comes from auth-user-pass.
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4282eb477aef2533a9b03e1cbd6e771e
3f4ec1a0a17e249c56680d6e112bb17e
5b6c2ecffea7c51754983652bb6fb135
fae8c88e479aa8dfdbf11e4d767f2088
a26d8115e0019a8c0fa962602f6f0b3f
24d92567be153119aa8d65beba1a56fd
39420b16d28c2fde26aa984d87386216
52874410651c76d46f46a3f19bc3ef68
ed7dbb6c9421a1b982edea7c6692de63
2e480e5895e21df36963f565cf133ecf
c578c9be5dab8d7c852536de45c73ebf
02dc73b5ca7ef2913307c184a89797d6
f3a888558eb076d40cbe0e4c152f97a7
b0fa90aa14c99a9314b9eea7a8928c2c
67a03984578916d2ea14fba252b6e53f
946a1b18d7864cc0341f91915d1640b5
-----END OpenVPN Static key V1-----
</tls-auth>

Server installation

OS of choice: Rocky Linux release 8.4 (Green Obsidian)

  1. Prepare the OS
# Update the OS
dnf update

# Install epel-release
dnf install -y epel-release

# Install necessary packages
# NOTE(review): openvpn-auth-ldap is pulled as a Fedora 33 RPM straight from a mirror
# URL (presumably because no EL8/EPEL build exists — confirm). dnf does not GPG-check
# direct-URL packages unless localpkg_gpgcheck is enabled, so verify the package
# signature against the Fedora 33 key before installing it.
dnf install -y wget openvpn https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/33/Everything/x86_64/os/Packages/o/openvpn-auth-ldap-2.0.4-3.fc33.x86_64.rpm
  2. Configure certificates using EasyRSA
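# Download EasyRSA and store it in /tmp
wget -O /tmp/easyrsa https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

# Extract into /etc/openvpn, where the relative EasyRSA-3.0.8/... paths below expect it
tar xfz /tmp/easyrsa -C /etc/openvpn/

# Copy the binary easyrsa to /usr/bin
cp /etc/openvpn/EasyRSA-3.0.8/easyrsa /usr/bin/

# Do the Crypto dance (the PKI lands in /etc/openvpn/pki)
cd /etc/openvpn/
easyrsa init-pki

# Copy some files from the originally extracted folder of EasyRSA
cp EasyRSA-3.0.8/openssl-easyrsa.cnf /etc/openvpn/pki/
cp -rf EasyRSA-3.0.8/x509-types/ /etc/openvpn/pki/

# Generate all the things (build-ca prompts for the CA passphrase and CN)
easyrsa build-ca
# Server key + request without a key passphrase, then sign it as a server cert.
# build-server-full would redo both steps for the same name, so it is not used.
easyrsa gen-req openvpn nopass
easyrsa gen-dh
easyrsa sign-req server openvpn
# Pre-shared tls-auth key; the same key goes into the client profile (key-direction 1)
openvpn --genkey --secret ta.key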
  3. Prepare LDAP authentication
# Copy paste the following in /etc/openvpn/auth/ldap.conf

<LDAP>
	# LDAP server URL
        URL             ldap://ipa.hackerspace.gent:389
	# Bind DN (If your LDAP server doesn't support anonymous binds)
        BindDN          "uid=openvpn,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
	# Bind Password
	# NOTE(review): this file carries the bind password in the clear; the install steps
	# set no permissions on it, so restrict it (e.g. mode 0600) after creating it.
	Password	"**************"
	# Network timeout (in seconds)
	Timeout		15
	# Enable Start TLS
	# NOTE(review): with StartTLS off and a plain ldap:// URL on port 389, the bind
	# password and every user's VPN password cross the network unencrypted; consider
	# TLSEnable yes (with a trusted CA via TLSCACertFile) or an ldaps:// URL.
	TLSEnable	no
	# Follow LDAP Referrals (anonymously)
	FollowReferrals yes
</LDAP>

<Authorization>
	# Base DN
        BaseDN          "cn=users,cn=accounts,dc=hackerspace,dc=gent"
	# User Search Filter (%u is replaced by the username the client sent)
	SearchFilter	"(uid=%u)"
	# Require Group Membership
	# As set here, any account under BaseDN that binds successfully may connect;
	# the commented <Group> block below is the hook for restricting that.
	RequireGroup	false
	# Add non-group members to a PF table (disabled)
	#PFTable	ips_vpn_users

	# Uncomment and set to true to support OpenVPN Challenge/Response
	#PasswordIsCR	false
	#<Group>
		# Default is true. Match full user DN if true, uid only if false.
		# RFC2307bis   true

		# Default is true. Uncomment and set to false if you want to use a Search operation to determine group
		# membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
		# required in certain LDAP environments.
		# UseCompareOperation   true

		#BaseDN		"ou=Groups,dc=example,dc=com"
		#SearchFilter	"(|(cn=developers)(cn=artists))"
		#MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_vpn_eng
	#</Group>
</Authorization>