使用OpenBSD架设OpenVPN

  OpenBSD号称最安全的操作系统,我们在OpenBSD上安装OpenVPN,建立个人上网隐私保护最强组合,前面介绍了OpenBSD的安全配置,现在我们其基础上安装OpenVPN,使用easy-rsa包能够更方便建立我们的证书验证CA和其他安全认证。

  我们的服务器安全认证协议到达如下目标:
- CA, 服务器和客户端密钥,4096位RSA
- 使用 4096位Diffie-Hellman进行密钥交换
- HMAC SHA1包认证,使用TLS 2048静态密钥
- AES 256位加密隧道
- 完美向前保密Perfect Forward Secrecy (PFS)

服务器端

  让我们下载包和创建需要的目录:

$ sudo pkg_add openvpn easy-rsa

$ sudo mkdir -p /usr/local/etc/openvpn/{public,secret,clients/{public,secret},easy-rsa/keys}
$ sudo mkdir /usr/local/share/easy-rsa/keys
$ sudo mkdir -p /var/openvpn/tmp

$ cd /usr/local/share/easy-rsa/
$ chmod +x ./*

  你得手工编辑 /usr/local/share/easy-rsa/vars文件,修改KEY_SIZE=1024为KEY_SIZE=2048,编辑/usr/local/share/easy-rsa/build-dh修改2048为406,现在让我们创建我们的CA和密钥,以root登录如下命令:

$ su -
# cd /usr/local/share/easy-rsa/
# cp openssl-1.0.0.cnf ./openssl.cnf
# . ./vars
# ./clean-all

# ./build-ca --keysize 4096
# ./build-key-server --keysize 4096 server
# ./build-key --keysize 4096 myhome
# ./build-key --keysize 4096 myphone
# ./build-dh
# openvpn --genkey --secret ta.key

  好了,已经在服务器和两个客户端端建立证书与密钥,包括Diffie-Hellman参数, 和最后的2048 bits TLS静态密钥都是用于HMAC包授权,现在移动/usr/local/etc/openvpn目录下文件到不同位置:

# cp ./* /usr/local/etc/openvpn/easy-rsa
# ./clean-all
# cd /usr/local/etc/openvpn/easy-rsa/keys

# cp ca.crt /usr/local/etc/openvpn/public
# mv ca.crt /usr/local/etc/openvpn/clients/public
# mv ca.key /usr/local/etc/openvpn/secret
# mv dh4096.pem /usr/local/etc/openvpn/public
# mv server.key /usr/local/etc/openvpn/secret
# mv server.crt /usr/local/etc/openvpn/public

# mv myhome.key /usr/local/etc/openvpn/clients/secret
# mv myhome.c* /usr/local/etc/openvpn/clients/public
# mv myphone.key /usr/local/etc/openvpn/clients/secret
# mv myphone.c* /usr/local/etc/openvpn/clients/public

# cp ta.key /usr/local/etc/openvpn/secret
# mv ta.key /usr/local/etc/openvpn/clients/secret

文件是以下面方式分配:
- 服务器端公共文件在/openvpn/public (ca.crt, dh4096.pem, server.crt)
- 服务器安全文件在/openvpn/secret (ca.key, server.key, ta.key)
- 客户端公共文件在/openvpn/clients/public (myhome.csr, myhome.crt, myphone.csr, myphone.crt, ca.crt)
- 客户端安全文件在/openvpn/clients/secret (myhome.key, myphone.key, ta.key)

现在我们进入OpenVPN服务器配置,首先退出root:

# logout
$ sudo vi /usr/local/etc/openvpn/server.conf
# Server configuration
# SSL/TLS certificate and keys, PFS enabled by default
ca "/usr/local/etc/openvpn/public/ca.crt"
cert "/usr/local/etc/openvpn/public/server.crt"
dh "/usr/local/etc/openvpn/public/dh4096.pem" # Diffie Helman 4096 bits
key "/usr/local/etc/openvpn/secret/server.key" # RSA 4096 bits
tls-auth "/usr/local/etc/openvpn/secret/ta.key" 0 # TLS 2048 bits for HMAC
cipher AES-256-CBC # AES 256 bits

# Network parameters
port 21600 # as an example, pick your own port
proto udp
dev tun
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"

# push our DNS server to clients accepting it (will not override a home router DNS configuration 
# (with fixed DNS settings). Usefull for mobile phones for instance, where installing 
# dnscrypt requires a rooted phone
push "dhcp-option DNS 10.8.0.1" 

keepalive 10 120
comp-lzo no

# Limits
max-clients 5 # change this value if you plan on connecting from more clients

# Privileges, chroot
chroot /var/openvpn
user _openvpn
group _openvpn
persist-key
persist-tun

# LOG
status openvpn-status.log
verb 4
mute 20

现在可以启动我们的OpenVPN服务器,并且让它在系统启动时自动启动:

$ sudo chmod -Rf 640 /usr/local/sbin/openvpn
$ sudo /usr/local/sbin/openvpn --config /usr/local/etc/openvpn/server.conf --daemon
$ sudo vi /etc/rc.local
# OpenVPN
/usr/local/sbin/openvpn --config /usr/local/etc/openvpn/server.conf --daemon

你应当用tail -f /var/log/messages 检查OpenVPN是否成功启动,如果有错,回头再检查一下步骤,目录文件的权限是否设置正确?

客户端

  安装OpenVPN,按如下配置:

$ sudo vi /usr/local/etc/openvpn/client.conf
# Client configuration (router, computer)
# SSL/TLS certificate and keys
ca "/usr/local/etc/openvpn/ca.crt" # public
cert "/usr/local/etc/openvpn/myhome.crt" # public
key "/usr/local/etc/openvpn/myhome.key" # secret
tls-auth "/usr/local/etc/openvpn/ta.key" 1 # secret
cipher AES-256-CBC
remote-cert-tls server

client
dev tun
proto udp
resolv-retry infinite
nobind 

# VPS OpenBSD 
remote YOUR_SERVER_IP 21600

# Privileges, chroot
user _openvpn
group _openvpn
chroot /var/empty
persist-key
persist-tun

# LOG
comp-lzo no
verb 3
explicit-exit-notify 5 

客户端的密钥必须从服务器通过安全通道复制到客户端,可以使用SCP通过SSH传送,比如如果你要复制服务器端/home/user/vpn的客户端文件,那么从你的Linux/BSD客户端执行:
$ scp -P your_ssh_port -i id_ed25519 your_remote_user@your_server_ip:/home/user/vpn/*.* ./

移动客户端

  对于安卓智能手机,可以安装OpenVPN安卓版本,然后进行安全配置,复制下面内容:

remote-cert-tls server
cipher AES-256-CBC

client
dev tun
proto udp
resolv-retry infinite
nobind

remote YOUR_SERVER_IP 21600

comp-lzo no
verb 3
explicit-exit-notify 5
persist-key
persist-tun

# ca.crt below, just a random example. Full extract is above 35 lines
<ca>
-----BEGIN CERTIFICATE-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSLDJLQSJDQSd45454QMDMSQMDMklajzEd4
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdSDL
-----END CERTIFICATE-----
</ca>

# myphone.crt below, just a random example. Full extract is above 35 lines
<cert>
-----BEGIN CERTIFICATE-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSLDJLQSJDQSd45454QMDMSQMDMklajzEd4
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdSDL
-----END CERTIFICATE-----
</cert>

# myphone.key below, just a random example. Full extract is above 35 lines
<key>
-----BEGIN CERTIFICATE-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSLDJLQSJDQSd45454QMDMSQMDMklajzEd4
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdSDL
-----END CERTIFICATE-----
</key>

key-direction 1

# ta.key below, just a random example. Full extract is above 20 lines
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ffidLLDKSJskfjf56s/smdjdhQSDOQSL
.
.
.
.
sqd54dLLDKSJskfjf56ssmdjdsqdqsdS
-----END OpenVPN Static key V1-----
</tls-auth>

这个配置文件可以命名为myserver.ovpn,必须通过安全通道传送到手机,可以使用 SpiderOak,一种客户端和服务器之间的同步工具,使用USB也是一种方式。

 


 

 

 

猜你喜欢