Installazione di Ocserv – openconnect server vpn

Installazione

yum install autoconf automake gcc libtasn1-devel zlib zlib-devel  trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl  tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel  ncurses-devel pam-devel readline-devel bison bison-devel flex gcc  automake autoconf wget
wget http://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
tar -zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1
./configure --prefix=/opt/
make && make install
tar -xvf gnutls-3.3.10.tar.xz
cd gnutls-3.3.10
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle"  HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed"  ./configure --prefix=/opt/
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/opt/
make && make install
tar -xvf ocserv-0.8.8.tar.xz
cd ocserv-0.8.8
ls
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls"  LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3  -lnl-route-3" ./configure --prefix=/opt/
make && make install
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/

export PATH=$PATH:/opt/bin:/opt/sbin

Configurazione di Ocserv – openconnect server vpn

Generazione dei certificati

mkdir /etc/ocserv/

cd /etc/ocserv/

export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/

export PATH=$PATH:/opt/bin:/opt/sbin

certtool --generate-privkey --outfile ca-key.pem

cat << _EOF_ > ca.tmpl
cn = "VPN CA"
organization = "Provincia di Prato"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
certtool --generate-privkey --outfile server-key.pem

cat << _EOF_ > server.tmpl
cn = "openconnect.provincia.prato.it"
organization = "ProvinciaDiPrato"
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

certtool --generate-certificate --load-privkey server-key.pem  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem  --template server.tmpl --outfile server-cert.pem

certtool --generate-privkey --outfile mpadmin-key.pem

cat << _EOF_ > mpadmin.tmpl
cn = "mpadmin"
unit = "admins"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

certtool --generate-certificate --load-privkey mpadmin-key.pem  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem  --template mpadmin.tmpl --outfile mpadmin-cert.pem

File di configurazione: ocserv.conf

[root@localhost ocserv]# cat ocserv.conf
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[./test1.passwd]"
#auth = "pam"

# A banner to be displayed on clients
banner = "Welcome"

# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]

use-dbus = no

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16

# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 2

# TCP and UDP port number
tcp-port = 4444
udp-port = 4444

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds
dpd = 440

# MTU discovery (DPD must be enabled)
try-mtu-discovery = false

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /etc/ocserv/ca-cert.pem

# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11

# A revocation list of ca-cert is set
#crl = /path/to/crl.pem

# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40

# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2

# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 172800

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript

# UTMP
use-utmp = true

# PID file
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Network settings

device = vpns

# The default domain to be advertised
default-domain = provincia.prato.it

ipv4-network = 172.21.0.0
ipv4-netmask = 255.255.0.0
# Use the keywork local to advertize the local P-t-P address as DNS server
ipv4-dns = 172.21.1.29

# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3

#ipv6-address =
#ipv6-mask =
#ipv6-dns =

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false

# Leave empty to assign the default MTU of the device
# mtu =

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

######################################################################################

Creo file di start del servizio: ocserv.start

[root@localhost ocserv]# cat ocserv.start
#!/bin/bash
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
export PATH=$PATH:/opt/bin/:/opt/sbin/
iptables -t nat -F
iptables -t nat -A POSTROUTING -j MASQUERADE
ocserv -c /etc/ocserv/ocserv.conf

########################################################################################

RunAs – HowTo Run OpenVPN as a non-admin user in Windows

THANK YOU!!!

http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html

Mathias Sundman (mathias@openvpn.se)
2005-02-17
Rev 1.1

Introduction

With the current implementation of the TAP-Win32 driver included with OpenVPN, administrator privileges is required to open the TAP device. This means that openvpn.exe must be executed with administrator privileges. In many situations it’s un recommended to do your day-to-day work logged on with an administrator account. Especially corporate environments often have a policy that users should never have administrator rights even on their local machine. Fortunately there are a few ways to work around this so OpenVPN can be used even in these environments.

Here I present you with two ways to run OpenVPN / OpenVPN GUI as a non-admin user:

1) Use the OpenVPN Service

Included in the OpenVPN / OpenVPN GUI installation package there is a small service wrapper for OpenVPN. This service simply starts all configuration files it finds in the OpenVPN\config folder. If you want your OpenVPN tunnel to always be up, regardless of whether you are logged on or not, you can simply configure the OpenVPN Service to start automatically at boot-time. However it might be more convenient to be able to start and stop the tunnel when you want, which you can do by starting and stopping the service. For more information about the OpenVPN Service see the “Running OpenVPN as a Windows Service” section in INSTALL-win32.

The major disadvantage with this method is that there is no way to supply the OpenVPN Service with the password used to encrypt your private key. This means that you must use an un-encrypted private key when using this method. A way to get around the problem with having your private key lying unprotected on your hard drive is to import it to the MS Certificate Store and use the –cryptoapicert option to load it. Remember that the service is running as “Local System” (by default) so you must import the key/cert into the System account, not your user account. (There is work in progress to allow OpenVPN to access also user account key/cert’s). To load a key/cert into the System accounts CertStore you must use the Certificates MMC Snap-In, not Internet Explorer.

Give a normal user right to control the OpenVPN Service

Normally starting and stopping a service requires administrator privileges, but you can assign a normal user the right to control an individual service. You do this with the subinacl.exe utility included in the Windows Resource Kit. You can also download it here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

To give the user “John” the right to start and stop the OpenVPN service, log on as administrator and run the following command:

subinacl /SERVICE “OpenVPNService” /GRANT=john=TO

You can also give a user right to control a service through the use of Group Policies. See this support article for more info.

Control the OpenVPN service from OpenVPN GUI

A default installation of OpenVPN GUI does not give you any way to control the OpenVPN service. There is however two ways to do this. If you are running as administrator, and just want a convenient way to control the OpenVPN Service, you can enable a hidden menu for this. You enable this by setting the following registry value to “1”:

HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_service

Since OpenVPN GUI 1.0-rc2 there is a special mode called “Service Only” that is suitable for users running without admin privileges. This mode changes the behavior of the “Connect” and “Disconnect” actions to start and stop the OpenVPN service instead of launching openvpn.exe directly, like it usually does. It also hides the “Proxy Settings” menu as it has no effect on the service. To enable this mode set the following registry value to “1”:

HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\service_only

Also remember that a normal user don’t have write access to the OpenVPN\config folder, so he won’t be able to edit the OpenVPN config file or change his password, unless you give him write access to these files. To hide these menu items set the following registry values to “0”:

HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_edit

HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_password

2) Windows “RunAs” feature

Since Windows 2000, there is a feature that allows you to start an application as another user than the currently logged on account. The best way to use this feature is by starting OpenVPN GUI as administrator this way. Since OpenVPN GUI is then running as administrator any number of OpenVPN tunnels can started and stopped as long as OpenVPN GUI is running.

* Keep in mind that by using this feature you are potentially giving your users a way to escalate their privileges to administrator rights. If your main reason for not running as administrator is to protect against malicious code on the web from executing with administrator rights in your computer, then this could be a good way to run OpenVPN GUI, but if your users under no circumstances should be able to run other applications as administrator, you should NOT use this way to run OpenVPN GUI either!

While installing OpenVPN / OpenVPN GUI, make sure to un-check “AutoStart OpenVPN GUI”, as you will need to create your start-up shortcut manually.

Create a “RunAs” short-cut in Windows 2000

  • Create a normal Short-Cut to openvpn-gui.exe (c:\program files\openvpn\bin\openvpn-gui.exe) on the desktop.
  • Right-click the short-cut and select Properties.
  • Check “Run as a different user”.

When you double-click this short-cut, you will now be prompted for the username and password of the user you want to run as. If you want OpenVPN-GUI to auto-start when you logon, move this short-cut to your “Startup” folder on the Start->Programs menu. You will then be prompted for username and password directly every time you log on.

I’m not aware of any way to save the credentials so you don’t have to type them every time in Windows 2000.

Create a “RunAs” short-cut in Windows XP

  • Create a normal Short-Cut to openvpn-gui.exe (c:\program files\openvpn\bin\openvpn-gui.exe) on the desktop.
  • Right-click the short-cut and select Properties.
  • Click “Advanced…”
  • Check “Run with different credentials”.

When you double-click this short-cut, you will now be prompted for the username and password of the user you want to run as. If you want OpenVPN-GUI to auto-start when you logon, move this short-cut to your “Startup” folder on the Start->Programs menu. You will then be prompted for username and password directly every time you log on.

Create a “RunAs” short-cut in Windows XP that saves the administrator password

WARNING: When using this method the user will be able to start ANY application as administrator with the right knowledge.

  • Create a normal Short-Cut to openvpn-gui.exe (c:\program files\openvpn\bin\openvpn-gui.exe) on the desktop.
  • Right-click the short-cut and select Properties.
  • In the Target box, insert the following before the path to openvpn-gui.exe: “runas /savecred /user:administrator “.
  • Double-click the new short-cut, and enter the administrator password.

Next time you run this short-cut, it will start OpenVPN GUI as administrator automatically without prompting you for any credentials. If you want OpenVPN-GUI to auto-start when you logon, move this short-cut to your “Startup” folder on the Start->Programs menu.

Future

There is work in progress to enhance the OpenVPN Service so it can be controlled via a TCP socket. This will allow individual tunnels to started and stopped at will, as well as supplying OpenVPN with the password used to encrypt the private key. OpenVPN GUI 2.0 will be rewritten to make use of this service.