Setting up authentication in the L2TP network using Rutoken EDS 2.0 and Rutoken PKI


Problems

Until recently, many did not know what it was like to work from home. The pandemic has drastically changed the situation in the world, everyone began to adapt to the circumstances, namely, to the fact that it has become simply unsafe to leave the house. And many had to quickly organize work from home for their employees.

However, the lack of a competent approach in choosing solutions for remote work can lead to irreversible losses. User passwords can be stolen, and this will enable an attacker to connect uncontrollably to the network and IT resources of the enterprise.

That is why the need for reliable corporate VPN networks has grown. I'll describe a reliable, secure and simple way of using a VPN network.

It works according to the IPsec/L2TP scheme: client authentication uses non-extractable keys and certificates stored on tokens, and data is transmitted over the network in encrypted form.

As a demo stand for the configuration we used a server with CentOS 7 (address: centos.vpn.server.ad), a client with Ubuntu 20.04 and a client with Windows 10.

Description of the system

The VPN works according to the IPsec + L2TP + PPP scheme. The Point-to-Point Protocol (PPP) operates at the link layer of the OSI model and provides user authentication (and, optionally, encryption of the transmitted data). Its frames are encapsulated in L2TP, which actually creates the connection in the VPN network but by itself provides neither authentication nor encryption.

L2TP data is in turn encapsulated in IPsec, which also provides authentication and encryption, but unlike PPP it authenticates at the device level rather than the user level.

This allows user authentication to be restricted to certain devices. Here we take IPsec as a given and allow user authentication from any device.


User authentication using smart cards will be performed at the PPP protocol level using the EAP-TLS protocol.

More information on how this scheme works can be found in this article.

Why this scheme meets all three requirements of a good VPN network

  1. The reliability of this scheme has been tested by time. It has been used to deploy VPN networks since 2000.
  2. Secure user authentication is provided by the PPP protocol. The standard implementation of PPP, maintained by Paul Mackerras, does not provide a sufficient level of security, because at best a login and password are used for authentication. We all know that a login and password can be spied on, guessed or stolen. However, the developer Jan Just Keijser has long since corrected this in his implementation of the protocol and added the ability to use authentication methods based on asymmetric cryptography, such as EAP-TLS. In addition, he added the ability to use smart cards for authentication, which made the system more secure.
    At the moment active negotiations are underway to merge these two projects, and you can be sure that sooner or later this will happen. For example, a patched version of PPP using secure authentication protocols has been in the Fedora repositories for a long time.
  3. Until recently only Windows users could use such a network, but our colleagues from Moscow State University, Vasily Shokov and Alexander Smirnov, found an old L2TP client project for Linux and improved it. Together we fixed many bugs and shortcomings in the client and simplified the installation and configuration of the system, even when building from source. The most significant changes:
    • Fixed compatibility issues of the old client with the interface of new versions of openssl and qt.
    • Removed transfer of token PIN to pppd via temporary file.
    • Fixed incorrect launch of the password request program through the graphical interface. This was done by setting up the correct environment for the xl2tpd service.
    • The build of the L2tpIpsecVpn daemon is now co-built with the build of the client itself, making it easier to build and configure.
    • For the convenience of development, the Azure Pipelines system is connected to test the correctness of the assembly.
    • Added ability to force downgrade security level in the context of openssl. This is useful for correctly supporting new operating systems where the default security level is set to 2, with VPNs that use certificates that do not meet the security level requirements of this level. This option will be useful for working with already existing old VPN networks.

The corrected version can be found in this repository.

This client supports smart cards for authentication and hides, as far as possible, all the difficulties of setting up this scheme under Linux, making the client configuration as simple and fast as possible.

Of course, connecting PPP and the client's GUI conveniently did require additional changes to each of the projects, but they were kept to a minimum:

Now you can start setting up.

Server Tuning

Let's install all the necessary packages.

Installing strongswan (IPsec)

First of all, let's configure the firewall so that IPsec can work (the ipsec service opens UDP 500, UDP 4500 and the ESP/AH protocols):

sudo firewall-cmd --permanent --add-port=1701/{tcp,udp}
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --reload

Then let's install

sudo yum install epel-release ipsec-tools dnf
sudo dnf install strongswan

After installation you must configure strongSwan (one of the IPsec implementations). To do this, edit the file /etc/strongswan/ipsec.conf. Note that this configuration was carried over from Openswan: strongSwan does not use the keywords nat_traversal, virtual_private, oe, protostack and the vhost:%priv value (it warns about unsupported keywords in its log), and the weak algorithms at the end of the ike/esp lists (MD5, 3DES, modp1024) are only there for old clients. After the first successful connection, check with `sudo strongswan statusall` which proposal a client actually selected and which connections were loaded, and drop the algorithms nobody needs:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey 

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%any
    leftprotoport=udp/1701
    right=%any
    rightprotoport=udp/%any
    ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024

We also set a shared secret (pre-shared key, PSK). The PSK must be known to all network participants for IPsec authentication. This method is obviously weak, because the PSK can easily become known to people to whom we do not want to give access to the network.
The article treats this as acceptable because user authentication is performed by PPP (EAP-TLS) and knowing the PSK alone does not get anyone past it. Bear in mind, though, that with `noccp` in the PPP options below pppd negotiates no MPPE encryption, so confidentiality of the traffic rests entirely on the IPsec layer: whoever holds the PSK and can intercept the traffic can act as a man-in-the-middle on the IPsec tunnel and observe the PPP payload. So use a long random PSK and treat it as a secret, not as a formality. In fairness, strongSwan supports stronger authentication methods, for example private keys and certificates, and can also authenticate with smart cards, but so far a limited range of devices is supported, so authentication with Rutoken tokens and smart cards is still difficult. The PSK is set in the file /etc/strongswan/ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "SECRET_PASSPHRASE"

Restart strongswan:

sudo systemctl enable strongswan
sudo systemctl restart strongswan

xl2tp installation

sudo dnf install xl2tpd

Let's configure it through a file /etc/xl2tpd/xl2tpd.conf:

[global]
force userspace = yes
listen-addr = 0.0.0.0
ipsec saref = yes

[lns default]
exclusive = no
; static address of the server in the virtual network
local ip = 100.10.10.1
; range of virtual addresses handed out to clients (the server's own address is excluded)
ip range = 100.10.10.2-100.10.10.254
assign ip = yes
refuse pap = yes
require authentication = yes
; this option can be turned off after the network has been configured successfully
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd
; name of the server in the network
name = centos.vpn.server.ad

Let's restart the service:

sudo systemctl enable xl2tpd
sudo systemctl restart xl2tpd

PPP setup

It is advisable to install the latest version of the patched pppd (the one with EAP-TLS support). To do this, run the following sequence of commands:

sudo yum install git make gcc openssl-devel
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install

Write the following to the file /etc/ppp/options.xl2tpd (if the file already has contents, they can be removed):

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 1.1.1.1

noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

We issue the root certificate and the server certificate:

# directory with the user, CA and server certificates
sudo mkdir /etc/ppp/certs
# directory with the server and CA private keys
sudo mkdir /etc/ppp/keys
# deny any access to this directory except for the administrator
# (0700 rather than 0600: a directory needs the execute bit to be entered)
sudo chmod 0700 /etc/ppp/keys/

# generate the key and issue the CA certificate
# (-days is explicit: without it openssl issues a certificate valid for only 30 days)
sudo openssl genrsa -out /etc/ppp/keys/ca.pem 2048
sudo openssl req -key /etc/ppp/keys/ca.pem -new -x509 -days 3650 -out /etc/ppp/certs/ca.pem -subj "/C=RU/CN=L2TP CA"

# generate the key and issue the server certificate
sudo openssl genrsa -out /etc/ppp/keys/server.pem 2048
sudo openssl req -new -out server.req -key /etc/ppp/keys/server.pem -subj "/C=RU/CN=centos.vpn.server.ad"
sudo openssl x509 -req -days 365 -in server.req -CAkey /etc/ppp/keys/ca.pem -CA /etc/ppp/certs/ca.pem -out /etc/ppp/certs/server.pem -CAcreateserial

Thus, we are done with the basic server setup. The rest of the server configuration has to do with adding new clients.

Adding a new client

To add a new client to the network, its certificate must be added to the list of certificates the server trusts.

If a user wants to join the VPN network, they create a key pair and a certificate request for their client. If the user is trusted, the request is signed and the resulting certificate is placed in the certificate directory (again with an explicit validity period, since openssl's default is 30 days):

sudo openssl x509 -req -days 365 -in client.req -CAkey /etc/ppp/keys/ca.pem -CA /etc/ppp/certs/ca.pem -out /etc/ppp/certs/client.pem -CAcreateserial

Let's add a line to the /etc/ppp/eaptls-server file to match the client name and its certificate:

"client" * /etc/ppp/certs/client.pem /etc/ppp/certs/server.pem /etc/ppp/certs/ca.pem /etc/ppp/keys/server.pem *

NOTES
To avoid confusion, it is better that the Common Name, the certificate file name and the user name are the same (the example uses "client" for all three).

It is also worth checking that the username we are adding does not appear anywhere in other authentication files, otherwise there will be problems with the way the user is authenticated.

The resulting certificate must be sent back to the user.
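The issuance steps above, from the root CA down to a signed client request, as one added script that is not part of the original article: it repeats the article's openssl commands as shell functions, makes the validity periods explicit (openssl's default is 30 days), adds the basicConstraints/keyUsage/extendedKeyUsage extensions that EAP-TLS endpoints are normally expected to carry, verifies the chain before the certificate is handed back, and prints the matching eaptls-server line. Assumptions: openssl is in PATH, the base directory is a parameter (the article uses /etc/ppp), and since no token is available to the script, make_software_request stands in for the client's on-token CSR from the next section.

```shell
#!/bin/sh
# Added example, not from the original article: the CA -> server -> client
# issuance the article does by hand, with explicit validity, extensions and a
# verification step. Base directory is a parameter (article: /etc/ppp).
set -eu

# Layout mirrors the article: certs/ holds certificates, keys/ holds private keys.
pki_init() {
  base=$1
  mkdir -p "$base/certs" "$base/keys"
  chmod 0700 "$base/keys"   # 0700, not 0600: a directory needs the x bit to be entered
  # Minimal openssl config so the script does not depend on the system openssl.cnf.
  cat > "$base/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Self-signed root, 10 years instead of openssl's 30-day default.
issue_ca() {
  base=$1; cn=$2
  openssl genrsa -out "$base/keys/ca.pem" 2048 2>/dev/null
  openssl req -config "$base/openssl.cnf" -new -x509 -days 3650 \
      -key "$base/keys/ca.pem" -subj "/C=RU/CN=$cn" \
      -extensions ca_ext -out "$base/certs/ca.pem"
}

# Sign a PKCS#10 request with the CA: $2 = request file, $3 = output name,
# $4 = extension section (server_ext or client_ext).
sign_request() {
  base=$1; req=$2; name=$3; ext=$4
  openssl x509 -req -in "$req" -days 365 \
      -CA "$base/certs/ca.pem" -CAkey "$base/keys/ca.pem" -CAcreateserial \
      -extfile "$base/openssl.cnf" -extensions "$ext" \
      -out "$base/certs/$name.pem" 2>/dev/null
}

issue_server() {
  base=$1; cn=$2
  openssl genrsa -out "$base/keys/server.pem" 2048 2>/dev/null
  openssl req -config "$base/openssl.cnf" -new -key "$base/keys/server.pem" \
      -subj "/C=RU/CN=$cn" -out "$base/server.req"
  sign_request "$base" "$base/server.req" server server_ext
}

# Stand-in for the client's on-token key: in production the CSR is produced on
# the Rutoken with pkcs11-tool/openssl (next section) and only the .req reaches the CA.
make_software_request() {
  base=$1; cn=$2
  openssl genrsa -out "$base/$cn.key" 2048 2>/dev/null
  openssl req -config "$base/openssl.cnf" -new -key "$base/$cn.key" \
      -subj "/C=RU/CN=$cn" -out "$base/$cn.req"
}

# Chain check the CA operator should run before handing a certificate back.
verify_cert() {
  base=$1; name=$2
  openssl verify -CAfile "$base/certs/ca.pem" "$base/certs/$name.pem" >/dev/null
}

# True if the certificate's text dump contains the given EKU description,
# e.g. "TLS Web Client Authentication".
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# The /etc/ppp/eaptls-server entry for a client, in the layout the article shows.
eaptls_server_line() {
  base=$1; name=$2
  printf '"%s" * %s/certs/%s.pem %s/certs/server.pem %s/certs/ca.pem %s/keys/server.pem *\n' \
      "$name" "$base" "$name" "$base" "$base" "$base"
}
```

Typical use on the server: `pki_init /etc/ppp; issue_ca /etc/ppp "L2TP CA"; issue_server /etc/ppp centos.vpn.server.ad`, then for each incoming request `sign_request /etc/ppp client.req client client_ext && verify_cert /etc/ppp client && eaptls_server_line /etc/ppp client >> /etc/ppp/eaptls-server`.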

Key pair and certificate generation

To successfully authenticate, the client must:

  1. generate a key pair;
  2. have a CA root certificate;
  3. have a certificate for its key pair signed by the root CA.

For a Linux client

First, let's generate a key pair on the token and create a certificate request:

# the key identifier (the --id parameter) can be replaced with any other
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --keypairgen --key-type rsa:2048 -l --id 45

openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:librtpkcs11ecp.so
...
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -out client.req -subj "/C=RU/CN=client"

Send the resulting request client.req to the CA. After you receive the certificate for your key pair, write it to the token under the same id as the key:

pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -l -y cert -w ./client.pem --id  45
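Before connecting it is worth confirming that the token really holds both a private key and a certificate under the same ID, since that pairing is what the steps above rely on. The check below is an added example and not part of the original article or the Rutoken tooling: it parses the output of `pkcs11-tool -O -l` (the listing format is illustrated by constructed samples embedded in the script) and on a live token is run as `pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O -l | token_ready_for_eaptls 45`.

```shell
#!/bin/sh
# Added example, not from the original article: a preflight check that the token
# holds a private key and an X.509 certificate under one PKCS#11 ID, parsed from
# the output of `pkcs11-tool -O -l`. The listings below are constructed samples
# in the shape pkcs11-tool prints; the real check pipes live output in.

# Print the object classes (cert, privkey, pubkey) found with ID $1, sorted.
token_objects_with_id() {
  awk -v want="$1" '
    /^Private Key Object/   { cls = "privkey" }
    /^Public Key Object/    { cls = "pubkey"  }
    /^Certificate Object/   { cls = "cert"    }
    /^[[:space:]]*ID:/      { if (cls != "" && $2 == want) seen[cls] = 1 }
    END                     { for (c in seen) print c }' | sort
}

# Succeed only when both the private key and the certificate exist under the ID;
# on failure say what is missing so the operator knows which step to redo.
token_ready_for_eaptls() {
  id=$1
  objs=$(token_objects_with_id "$id")
  rc=0
  for need in privkey cert; do
    if ! printf '%s\n' "$objs" | grep -qx "$need"; then
      echo "token: no $need object with ID $id" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: key pair from the --keypairgen step plus a certificate
# written back under the same ID (45), i.e. a token ready for EAP-TLS.
SAMPLE_OK='Private Key Object; RSA
  label:
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:
  ID:         45
  Usage:      encrypt, verify, wrap
Certificate Object; type = X.509 cert
  label:
  subject:    DN: C=RU, CN=client
  ID:         45'

# Constructed sample of the common mistake: the certificate was written with a
# different ID (-w ... --id 46), so it will not be paired with the key.
SAMPLE_MISMATCH='Private Key Object; RSA
  label:
  ID:         45
  Usage:      decrypt, sign, unwrap
Certificate Object; type = X.509 cert
  label:
  subject:    DN: C=RU, CN=client
  ID:         46'
```

The check only looks at object class and ID; it does not prove the certificate's public key matches the private key, which the CA-side verification covers when the request came from that key.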

For Windows and Linux clients (a more universal way)

This method is more universal because it produces a key and certificate that will be recognized by both Windows and Linux clients, but it requires a Windows machine for the key generation procedure.

Before generating requests and importing certificates, you must add the root certificate of the VPN network to the trusted list. To do this, open it and select the "Install certificate" option in the window that opens:


In the window that opens, select the installation of a certificate for a local user:


Install the certificate in the CA trusted root certificate store:


After that, accept the remaining defaults. The root certificate is now installed.

Let's create a cert.tmp file with the following content:

[NewRequest]
Subject = "CN=client"
KeyLength = 2048
KeySpec = "AT_KEYEXCHANGE" 
ProviderName = "Microsoft Base Smart Card Crypto Provider"
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG"
RequestType = PKCS10
SMIME = FALSE

After that, generate the key pair and create the certificate request. To do this, open PowerShell and enter the following command (the token PIN is passed in the $PIN variable):

certreq.exe -new -pin $PIN .\cert.tmp .\client.req

Submit the created request client.req to your CA and wait for the certificate client.pem. It can be written to the token and added to the Windows certificate store with the following command:

certreq.exe -accept .\client.pem

It is worth noting that similar actions can be reproduced using the graphical interface of the mmc program, but this method is more time-consuming and less programmable.

Ubuntu client setup

NOTES
Setting up a client on Linux currently takes quite a long time, because it requires building individual programs from source. We will try to get all the changes into the official repositories in the near future.

To provide an IPSec connection to the server, the strongswan package and the xl2tp daemon are used. To simplify connecting to the network using smart cards, we will use the l2tp-ipsec-vpn package, which provides a graphical shell for simplified connection setup.

Let's start assembling the elements in stages, but before that we will install all the necessary packages for the VPN to work directly:

sudo apt-get install xl2tpd strongswan libp11-3

Installing software for working with tokens

Install the latest version of the librtpkcs11ecp.so library from the vendor's site, as well as the libraries for working with smart cards:

sudo apt-get install pcscd pcsc-tools opensc libengine-pkcs11-openssl

Connect Rutoken and check that it is recognized by the system:

pkcs11-tool --module /usr/lib/librtpkcs11ecp.so  -O -l

Installing a patched ppp

sudo apt-get -y install git make gcc libssl-dev
git clone "https://github.com/jjkeijser/ppp"
cd ppp
./configure --prefix /usr
make -j4
sudo make install

Installing the L2tpIpsecVpn Client

At the moment, the client also needs to be built from source. This is done using the following sequence of commands:

sudo apt-get -y install git qt5-qmake qt5-default build-essential libctemplate-dev libltdl-dev
git clone "https://github.com/Sander80/l2tp-ipsec-vpn"
cd l2tp-ipsec-vpn
make -j4
sudo make install

Configuring the L2tpIpsecVpn Client

Run the installed client:


After launch, you should have the L2tpIpsecVPN applet open. Right-click on it and configure the connection:


To work with tokens, first specify the path to the OpenSSL pkcs11 engine and to the PKCS#11 library (librtpkcs11ecp.so). To do this, open the "Preferences" tab and configure the OpenSSL options:


Let's close the OpenSSL settings window and move on to configuring the network. Let's add a new network by clicking on the Add… button in the settings panel and enter the network name:


After that, this network becomes available in the settings panel. Double-click the new network to configure it. On the first tab you need to configure IPsec: set the server address and the pre-shared key:


After that, go to the PPP settings tab and specify the username under which we want to access the network:


After that, open the Properties tab and specify the path to the key, client certificate and CA:

Let's close this tab and perform the final configuration, to do this, open the "IP settings" tab and check the box next to the "Obtain DNS server address automatically" option:

This option lets the client accept the DNS servers that the server pushes (the ms-dns entries in the PPP options) together with its address inside the network.

After all the settings, close all tabs and restart the client:


Connecting to the network

After the settings, you can connect to the network. To do this, open the applet tab and select the network to which we want to connect:


In the process of establishing a connection, the client will ask us to enter the Rutoken PIN code:


If a notification appears in the status bar that the connection has been successfully established, then the setting was successful:


Otherwise, it is worth investigating why the connection was not established. To do this, you should look at the program log by selecting the "Connection information" command in the applet:


Windows client setup

Setting up a client on Windows is much easier than on Linux. All necessary software is already built into the system.

System Setup

Install all the drivers needed to work with Rutoken devices by downloading them from the official site.

Import Root Certificate for Authentication

Download the root certificate of the server and install it in the system. To do this, open it and select the "Install certificate" option in the window that opens:


In the window that opens, select the installation of a certificate for a local user. If you want the certificate to be available to all users on the computer, then you should choose to install the certificate on the local computer:


Install the certificate in the CA trusted root certificate store:


After that, accept the remaining defaults. The root certificate is now installed.

Setting up a VPN connection

To set up a VPN connection, go to the control panel and select the item to create a new connection.


In the pop-up window, select the option to create a connection to connect to the workplace:


In the next window, select the VPN connection:


and enter the VPN connection details, and also specify the option to use a smart card:


The setup is not complete yet. It remains to specify the shared key for IPsec: open "Network Connections" and then the properties of this connection:


In the window that opens, go to the "Security" tab, specify "L2TP/IPsec Network" as the network type and select "Advanced settings":


In the window that opens, specify the IPsec shared key:

Connection

After completing the setup, you can try to connect to the network:


During the connection process, we will be required to enter the PIN code of the token:


We set up a secure VPN network and made sure that it is not difficult.

Acknowledgements

I would like to once again thank our colleagues Vasily Shokov and Alexander Smirnov for the joint work done to simplify the creation of VPN connections for Linux clients.

Source: habr.com
