Setting up OpenVPN on OpenBSD
OpenBSD bills itself as the most secure operating system, and running OpenVPN on it is a strong combination for protecting your privacy online. An earlier post covered hardening OpenBSD; here we build on that and install OpenVPN, using the easy-rsa package to create our certificate authority (CA) and the other credentials with less effort.
The server's authentication and encryption setup is meant to achieve the following:
- CA, server and client keys: 4096-bit RSA
- 4096-bit Diffie-Hellman parameters for key exchange
- HMAC-SHA1 packet authentication with a 2048-bit static TLS key (tls-auth)
- AES-256 encrypted tunnel
- Perfect Forward Secrecy (PFS)
Server side
Let us install the packages and create the directories we need:
$ sudo pkg_add openvpn easy-rsa
$ sudo mkdir -p /usr/local/etc/openvpn/{public,secret,clients/{public,secret},easy-rsa/keys}
$ sudo mkdir /usr/local/share/easy-rsa/keys
$ sudo mkdir -p /var/openvpn/tmp
$ cd /usr/local/share/easy-rsa/
$ sudo chmod +x ./*
Edit /usr/local/share/easy-rsa/vars by hand and change KEY_SIZE=1024 to KEY_SIZE=2048 (the --keysize 4096 passed to the build-* scripts below overrides this for the RSA keys), and edit /usr/local/share/easy-rsa/build-dh to change 2048 to 4096: the Diffie-Hellman parameters must end up in a file named dh4096.pem, which server.conf refers to later. Now create the CA and the keys. Become root and run:
$ su -
# cd /usr/local/share/easy-rsa/
# cp openssl-1.0.0.cnf ./openssl.cnf
# . ./vars
# ./clean-all
# ./build-ca --keysize 4096
# ./build-key-server --keysize 4096 server
# ./build-key --keysize 4096 myhome
# ./build-key --keysize 4096 myphone
# ./build-dh
# openvpn --genkey --secret keys/ta.key
We now have certificates and keys for the server and the two clients, the Diffie-Hellman parameters and, last, the 2048-bit TLS static key used for HMAC packet authentication (written into keys/ so that it travels with the rest). Copy the whole easy-rsa tree, keys/ included, under /usr/local/etc/openvpn, wipe the working copy, and then sort the files into their final places:
# cp -R ./* /usr/local/etc/openvpn/easy-rsa
# ./clean-all
# cd /usr/local/etc/openvpn/easy-rsa/keys
# cp ca.crt /usr/local/etc/openvpn/public
# mv ca.crt /usr/local/etc/openvpn/clients/public
# mv ca.key /usr/local/etc/openvpn/secret
# mv dh4096.pem /usr/local/etc/openvpn/public
# mv server.key /usr/local/etc/openvpn/secret
# mv server.crt /usr/local/etc/openvpn/public
# mv myhome.key /usr/local/etc/openvpn/clients/secret
# mv myhome.c* /usr/local/etc/openvpn/clients/public
# mv myphone.key /usr/local/etc/openvpn/clients/secret
# mv myphone.c* /usr/local/etc/openvpn/clients/public
# cp ta.key /usr/local/etc/openvpn/secret
# mv ta.key /usr/local/etc/openvpn/clients/secret
The files end up distributed as follows (the two secret directories should be readable by root only; OpenVPN reads them at startup, before it chroots and drops privileges):
- server public files in /usr/local/etc/openvpn/public (ca.crt, dh4096.pem, server.crt)
- server secret files in /usr/local/etc/openvpn/secret (ca.key, server.key, ta.key)
- client public files in /usr/local/etc/openvpn/clients/public (myhome.csr, myhome.crt, myphone.csr, myphone.crt, ca.crt)
- client secret files in /usr/local/etc/openvpn/clients/secret (myhome.key, myphone.key, ta.key)
Now on to the OpenVPN server configuration. Leave the root shell first, then:
$ sudo vi /usr/local/etc/openvpn/server.conf
# SSL/TLS certificates and keys; PFS comes with TLS mode by default
ca "/usr/local/etc/openvpn/public/ca.crt"
cert "/usr/local/etc/openvpn/public/server.crt"
dh "/usr/local/etc/openvpn/public/dh4096.pem" # Diffie-Hellman, 4096 bits
key "/usr/local/etc/openvpn/secret/server.key" # RSA, 4096 bits
tls-auth "/usr/local/etc/openvpn/secret/ta.key" 0 # 2048-bit static key for HMAC; 0 = server side
cipher AES-256-CBC # AES, 256 bits
# Network parameters
port 21600 # an example; pick your own port
proto udp
dev tun
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
# Push our DNS server to clients that accept it (this does not override a home
# router with fixed DNS settings). Useful for mobile phones, for instance, where
# installing dnscrypt would require a rooted phone
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo no
# Limits
max-clients 5 # raise this if you plan to connect from more clients
# Privileges, chroot (the directory was created above; certificates and keys are
# read before the chroot and the privilege drop, so they can stay outside it)
chroot /var/openvpn
user _openvpn
group _openvpn
persist-key
persist-tun
# LOG
status openvpn-status.log
verb 4
mute 20
The HMAC above uses OpenVPN's default auth SHA1, which matches the goals listed at the top; on OpenVPN 2.4 or later, auth SHA256, tls-version-min 1.2 and tls-crypt (which encrypts the control channel as well as authenticating it, and takes the place of tls-auth) are drop-in hardening if both ends support them. Now start the OpenVPN server, and have it start automatically at boot:
$ sudo /usr/local/sbin/openvpn --config /usr/local/etc/openvpn/server.conf --daemon
$ sudo vi /etc/rc.local
/usr/local/sbin/openvpn --config /usr/local/etc/openvpn/server.conf --daemon
Check with tail -f /var/log/messages that OpenVPN started successfully. If it did not, go back over the steps: are the directory and file permissions right (the secret directories root-only but readable by root), does /var/openvpn exist, and do the paths in server.conf match where the files were moved?
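The server configuration above pushes redirect-gateway, so every packet a client sends arrives on the server's tun interface and has to be forwarded and NATed out of the public interface; nothing on this page sets that up, and without it clients connect but get no internet. As an added example (not from the original post), here is a pf.conf fragment that does it. The interface names vio0 and tun0 are assumptions; use the names from ifconfig on your VPS.

```pf
# Added example, not part of the original page. Assumes the public NIC is vio0
# and the OpenVPN tunnel is tun0; the network and port are the ones in server.conf.
ext_if = "vio0"
vpn_if = "tun0"
vpn_net = "10.8.0.0/24"
vpn_port = "21600"

# Rewrite the source of client traffic to the server's public address on the way out
match out on $ext_if from $vpn_net to any nat-to ($ext_if)

# Accept the OpenVPN channel from anywhere on the chosen UDP port
pass in on $ext_if proto udp from any to ($ext_if) port $vpn_port

# Anything a connected client sends through the tunnel, including DNS queries to
# 10.8.0.1 (the address the server pushes), may enter and be forwarded
pass in on $vpn_if from $vpn_net to any
pass out on $ext_if
```

Forwarding must be on for the pass rules to matter: sysctl net.inet.ip.forwarding=1 enables it now, and the line net.inet.ip.forwarding=1 in /etc/sysctl.conf keeps it across reboots. Syntax-check with pfctl -nf /etc/pf.conf before loading with pfctl -f /etc/pf.conf, and remember that in pf the last matching rule wins, so these lines belong after any block-all rule from your earlier hardening.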
Client
Install OpenVPN and configure it as follows:
# SSL/TLS certificates and keys
ca "/usr/local/etc/openvpn/ca.crt" # public
cert "/usr/local/etc/openvpn/myhome.crt" # public
key "/usr/local/etc/openvpn/myhome.key" # secret
tls-auth "/usr/local/etc/openvpn/ta.key" 1 # secret; 1 = client side, the opposite of the server's 0
cipher AES-256-CBC
remote-cert-tls server # only accept a server certificate carrying the server key-usage extensions that build-key-server sets
client
dev tun
proto udp
resolv-retry infinite
nobind
# VPS OpenBSD
remote YOUR_SERVER_IP 21600
# Privileges, chroot (_openvpn and /var/empty exist on OpenBSD; on another OS use an
# unprivileged user and an empty directory that exist there)
user _openvpn
group _openvpn
chroot /var/empty
persist-key
persist-tun
comp-lzo no
# LOG
verb 3
# Tell the server we are leaving, so it can free the slot at once (UDP only)
explicit-exit-notify 5
The client's certificate and keys must be copied from the server to the client over a secure channel, for instance with scp over SSH. If, say, the client files are staged in /home/user/vpn on the server, run from your Linux/BSD client:
Mobile clients
For an Android smartphone, install OpenVPN for Android and set it up with the following profile:
remote-cert-tls server
cipher AES-256-CBC
client
dev tun
proto udp
resolv-retry infinite
nobind
remote YOUR_SERVER_IP 21600
comp-lzo no
verb 3
explicit-exit-notify 5
persist-key
persist-tun
# ca.crt goes here; the lines below are placeholders, the real certificate runs to more than 35 lines
<ca>
-----BEGIN CERTIFICATE-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSLDJLQSJDQSd45454QMDMSQMDMklajzEd4
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdSDL
-----END CERTIFICATE-----
</ca>
# myphone.crt goes here; the lines below are placeholders, the real certificate runs to more than 35 lines
<cert>
-----BEGIN CERTIFICATE-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSLDJLQSJDQSd45454QMDMSQMDMklajzEd4
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdSDL
-----END CERTIFICATE-----
</cert>
# myphone.key goes here; the lines below are placeholders, the real key runs to more than 35 lines
# (easy-rsa writes it with a BEGIN PRIVATE KEY or BEGIN RSA PRIVATE KEY header depending on the OpenSSL version; keep whichever your file has)
<key>
-----BEGIN PRIVATE KEY-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSLDJLQSJDQSd45454QMDMSQMDMklajzEd4
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdSDL
-----END PRIVATE KEY-----
</key>
key-direction 1
# ta.key goes here; the lines below are placeholders, the real key runs to more than 20 lines
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSL
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdS
-----END OpenVPN Static key V1-----
</tls-auth>
Save this profile as, say, myserver.ovpn. Because it embeds the client's private key and the tls-auth key, it must reach the phone over a secure channel: SpiderOak, a sync tool between client and server, or a USB cable both work.
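Sorting the generated files into the server directories and then hand-pasting them into the Android profile above is the same job done twice by hand. As an added example (not code from the original post), the POSIX shell script below builds the inline profile straight from this page's clients/public and clients/secret directories. It copies only the PEM block of each file (easy-rsa's .crt files start with a human-readable dump of the certificate, which has no place inside <cert>, and ta.key starts with '#' comment lines), and it refuses to run if any secret file is group- or world-readable. The script name mkprofile.sh and the address 192.0.2.1 in the usage line are assumptions; the directory layout, port and options are the page's own.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a single-file OpenVPN
# profile (the Android layout above) from this page's directory tree:
#   $ROOT/clients/public/ca.crt   $ROOT/clients/public/<client>.crt
#   $ROOT/clients/secret/<client>.key   $ROOT/clients/secret/ta.key
# Assumed: ROOT=/usr/local/etc/openvpn and the port 21600 from server.conf.
set -eu

# Print only the PEM block(s) of a file. easy-rsa 2 .crt files begin with a
# text dump of the certificate and ta.key with '#' comment lines; OpenVPN
# only needs what sits between the BEGIN and END markers.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Return 1 if any regular file under $1 is group- or world-readable: the key
# material is copied verbatim into the profile, so its source must be private.
check_secret_perms() {
    leaks=$(find "$1" -type f \( -perm -040 -o -perm -004 \))
    if [ -n "$leaks" ]; then
        printf 'refusing: group/world-readable secrets:\n%s\n' "$leaks" >&2
        return 1
    fi
}

# make_profile CLIENT SERVER PORT ROOT   -> profile on stdout
make_profile() {
    client=$1 server=$2 port=$3 root=$4
    pub=$root/clients/public
    sec=$root/clients/secret
    for f in "$pub/ca.crt" "$pub/$client.crt" "$sec/$client.key" "$sec/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    check_secret_perms "$sec" || return 1
    # Same options as the hand-written Android profile on this page
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
persist-key
persist-tun
verb 3
explicit-exit-notify 5
key-direction 1
EOF
    # Inline <ca>, <cert>, <key> and <tls-auth> sections, PEM body only
    for pair in "ca:$pub/ca.crt" "cert:$pub/$client.crt" \
                "key:$sec/$client.key" "tls-auth:$sec/ta.key"; do
        tag=${pair%%:*}
        file=${pair#*:}
        printf '<%s>\n' "$tag"
        pem_body "$file"
        printf '</%s>\n' "$tag"
    done
}

# Only act when called with arguments, e.g. (run as root on the server):
#   sh mkprofile.sh myphone 192.0.2.1 21600 /usr/local/etc/openvpn > myserver.ovpn
if [ $# -ge 4 ]; then
    make_profile "$@"
fi
```

The resulting myserver.ovpn holds the client's private key and the tls-auth key in clear text, so it is as sensitive as myphone.key itself: generate it as root, keep it mode 600, and move it to the phone the same way the page describes, then delete the copy on the server.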