diff --git a/MA-Inhalt.tex b/MA-Inhalt.tex
index 437a860..a2859fd 100644
--- a/MA-Inhalt.tex
+++ b/MA-Inhalt.tex
@@ -227,6 +227,7 @@ Der durch IPsec geschützte Datenverkehr lässt sich daran erkennen, dass in den Für die Freigabe von IPsec-Datenverkehr in einer Firewall sind somit mehrere Regeln notwendig, während die Freigabe von OpenVPN-Verkehr über UDP-Port 1194 deutlich übersichtlicher ausfällt. \paragraph{Benutzerfreundlichkeit} + Platformabhängig - bei OpenVPN eher schwach, da nur die GUI eine andere ist. Bei Strongswan ... Kompilieren? Ansonsten ähnlich. Betriebssystemseitige Konfiguration ist platformabhängig. -> Zertifikate installieren Bei Verzicht auf Strongswan ist die Benutzerfreundlichkeit definitiv platformabhängig.
diff --git a/openvpn-config/client.conf b/openvpn-config/client.conf
index 486863c..17db893 100644
--- a/openvpn-config/client.conf
+++ b/openvpn-config/client.conf
@@ -1,50 +1,56 @@
 # This is the client configuration
 client
-# No need to bind on specific interfaces, just send udp packets to the openvpn server
+# No need to bind on specific interfaces, just send packets to the openvpn server
 nobind
 # Send udp packets to port 1194
 port 1194
 proto udp
-# We're using the layer 3 tunnel device
+# We're using the virtual network interface on layer 3
 dev tun
 # Specify vpn server
 remote vpn-test.inform.hs-hannover.de 1194
-# Certificates (relativ path to config file, absolute paths possible if needed)
-ca vpnclient/ca.crt
-cert vpnclient/jan-philipp.timme@hs-hannover.de.crt
-key vpnclient/jan-philipp.timme@hs-hannover.de.key
+# Certificates to use. EDIT THIS SECTION to reflect your situation
+ca /etc/openvpn/vpnclient/ca.crt
+cert /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.crt
+key /etc/openvpn/vpnclient/jan-philipp.timme@stud.hs-hannover.de.key
-# Assume tls client role
+# Assume client role in tls handshake
 tls-client
 # Make sure the server presents a certificate with "server role"
+# This way people with proper client certificates are unable to impersonate the server
 remote-cert-tls server
 # Specific settings regarding TLS, chiphers and hash algorithms
+# DO NOT CHANGE THIS unless you receive explicit instructions to do so
 cipher AES-256-GCM
 auth SHA256
 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
 tls-version-min "1.2"
-# Make sure to detect broken sessions
+# Reduce connection timeout so connection problems are visible sooner
+connect-timeout 20
+
+# Notify server on client shutdown/restart events, so old sessions get terminated immediately
+# Try to send notification 3 times (because we're using UDP)
+explicit-exit-notify 3
+
+# Send ping message every ten seconds, expect session loss after 30 seconds of no response
 keepalive 10 30
-# Use this option to prevent OpenVPN from caching the password of your private key
-#auth-nocache
+# Enable these if you plan to enable running on reduced privileges
+# These options allow to keep the private key and the virtual network device handle in memory
+#persist-key
+#persist-tun
-# These are needed if running with reduced privileges
-persist-key
-persist-tun
-
-# Reduced privileges if possible (uncomment and adapt on unix/linux system)
-# Note: On some systems, the group is "nobody" instead of "nogroup".
+# Reduce privileges after launch (uncomment and adapt on unix/linux system)
 #user nobody
-#group nogroup
+#group nobody
 # Logging settings
 verb 3
diff --git a/openvpn-config/server.conf b/openvpn-config/server.conf
index b820ee7..0987047 100644
--- a/openvpn-config/server.conf
+++ b/openvpn-config/server.conf
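Review bot: `remote-cert-tls server` only checks the key-usage/EKU bits of the certificate the server presents, so the new comment "people with proper client certificates are unable to impersonate the server" holds only as long as the same CA never issues a server-role certificate to anyone else; the client never verifies the server's name. Since the endpoint is fixed in `remote vpn-test.inform.hs-hannover.de 1194`, add a name check beside it, `verify-x509-name <CN of the server certificate> name` (the server config references `inform/aither.inform.hs-hannover.de.crt`, so the CN is presumably that host rather than the vpn-test alias; confirm before pinning), and word the comment as "together with verify-x509-name". The hunk also drops the `#auth-nocache` hint that explained OpenVPN caches the private-key passphrase; if the keys are passphrase-protected, keep that line so users know the option exists.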
@@ -3,50 +3,51 @@ port 1194
 proto udp
 proto udp6
-# Since we have more than one ip address, this makes openvpn respond with sender addresses
+# Since we have more than one ip address, this makes openvpn respond
+# with the right sender address
 multihome
-# We're using the layer 3 tunnel device
+# We're using the virtual network interface on layer 3
 dev tun
-# Certificates (relative paths work, too)
+# Certificates to use. Paths are relative to config file location.
 ca inform/ca.crt
 cert inform/aither.inform.hs-hannover.de.crt
 key inform/aither.inform.hs-hannover.de.key
-# Assume tls server role
+# Assume server role in tls handshake
 tls-server
-# Diffie-Hellman parameters
+# Diffie-Hellman parameter file
 dh inform/dh.pem
-# Certificate revocation list
+# Certificate revocation list location
+# Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
 crl-verify inform/crl.pem
 # Make sure the client presents a certificate with "client role"
 remote-cert-tls client
 # Allow multiple connections using the same certificate?
-# Currently, we do.
+# There is no reason to not allow this, so it is allowed.
 duplicate-cn
-# We're using subnet topology
+# We're using subnet topology for IPv4 tunnel connectivity
 topology subnet
-# Use this IPv4 range for clients (/16, so we can cope with all possible clients)
+# Use this IPv4 range for clients (/16, so we can cope with potential 500 clients)
 server 10.2.0.0 255.255.0.0
 # Use this IPv6 network for clients
 server-ipv6 2001:638:614:1750::/64
-# Do we need persistence here?
-# No, not yet. Probably never.
-#ifconfig-pool-persist inform/ipp.txt
-
-# Make sure the client can still reach the OpenVPN server via its default gateway
+# Make sure the client can still reach the OpenVPN server via its IPv4 default gateway
+# This is needed because the IPv4 route for DMZ is pushed below,
+# which overlaps the OpenVPN server IPv4 address.
push "route remote_host 255.255.255.255 net_gateway" # Push routes for local IPv4 networks +# # DMZ push "route 141.71.38.0 255.255.255.0 vpn_gateway" # Inform @@ -68,6 +69,9 @@ push "route 141.71.2.0 255.255.255.0 vpn_gateway" # Push routes for local IPv6 networks # (The vpn_gateway placeholder does not work here.) +# Note: IPv6 routes that overlap the IPv6 address of the OpenVPN server will +# automatically trigger creating a direct route to the OpenVPN server on the client. +# # DMZ push "route-ipv6 2001:638:614:1780::/64 2001:638:614:1750::1" # Inform @@ -79,20 +83,31 @@ push "route-ipv6 2001:638:614:1722::/64 2001:638:614:1750::1" # Cluster push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1" -# Specific settings regarding TLS, chiphers and hash algorithms +# Global settings regarding TLS, chiphers and hash algorithms +# These settings MUST BE CONGRUENT with client configurations. +# If you change these, make sure you update the provided client config file +# and you NOTIFY ALL USERS to update their configuration! cipher AES-256-GCM auth SHA256 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 tls-version-min "1.2" -# Make sure to detect broken sessions +# Disable cipher negotiation on server side +ncp-disable + +# Send ping message every ten seconds, expect session loss after 60 seconds of no response keepalive 10 60 -# These are needed for reduced privileges? Probably yes. +# Notify clients when the server restarts or shuts down. +# Default behaviour: Tell clients to try to connect to the same server again. +explicit-exit-notify 1 + +# Enable these if you plan to enable running on reduced privileges +# These options allow to keep the private key and the virtual network device handle in memory persist-key persist-tun -# Reduced privileges +# Reduce privileges after launch (uncomment and adapt on unix/linux system) user nobody group nogroup 
@@ -100,5 +115,6 @@ group nogroup
 verb 3
 mute 5
-# Have a status log
+# Print a list of active sessions into this file
+# This might be helpful if you plan big maintenance
 status inform/status.log