
Course 452

Linux Security
Servers in Cloud

Version 2015_3.0
OpenVPN Server

Scenario

Since the company DEXTER COURIER has some employees working outside the corporate
environment (home office), it needs a secure way for them to reach the company
network.

Proposed solution

With the flexibility of today's Internet connections, we see a growing number of
employees who need to be in many places while staying connected to the company.
To support this we will build a VPN with certificate-based (TLS) authentication,
raising the security of external access.

IT Experience

Lesson Objectives

Lesson 08

Introduction to VPNs;

Know the types of VPN;

Implement a host-to-gateway VPN;

Configure certificates for the server and the clients;

Revoke a certificate in the VPN.

OpenVPN Server

Introduction to VPNs:

A VPN (Virtual Private Network) is a private communication network that
usually runs over untrusted channels, such as a LAN or the WAN (Internet).

What makes this network private is that VPN tools use cryptographic methods
and protocols to build a tunnel that provides secure access to parts of a
network, or even links geographically separated LANs.

OpenVPN Server

VPN architectures: host-to-host:

[Figure: HOST <- VPN TUNNEL -> INTERNET <- VPN TUNNEL -> HOST]

VPN architectures

Host-to-host: a VPN created to protect the communication between two specific
computers. Generally used when a small number of users has to administer a
system remotely.

OpenVPN Server

VPN architectures: gateway-to-gateway:

[Figure: NETWORK <- VPN TUNNEL -> INTERNET <- VPN TUNNEL -> NETWORK]

VPN architectures

Gateway-to-gateway: a VPN created to protect the communication between two networks,
for example the network at a company's headquarters linked to the network of a
branch office of the same company.

OpenVPN Server

VPN architectures: host-to-gateway:

[Figure: HOST <- VPN TUNNEL -> INTERNET <- VPN TUNNEL -> GATEWAY / NETWORK]

VPN architectures

Host-to-gateway: a VPN created to protect the connection between one or more users
and a specific network, for example between employees away from the company's
premises and the company network. This is the architecture built in this lesson.
OpenVPN Server
Server: Security

Implementing the host-to-gateway VPN:

1# apt-get install openvpn

2# cp -r /etc/openvpn /etc/openvpn.bkp

3# rm -rf /etc/openvpn/*

4# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/

5# cp /etc/openvpn.bkp/update-resolv-conf /etc/openvpn/

6# cd /etc/openvpn/2.0; mkdir keys

7# apt-get install openssl

Step 4 copies the easy-rsa 2.0 scripts shipped with the Debian openvpn package into
/etc/openvpn/2.0; step 5 restores the update-resolv-conf helper from the backup taken
in step 2, which is why that backup is made before /etc/openvpn is emptied.

OpenVPN Server
Server: Security

Implementing the host-to-gateway VPN:

1# vim vars

export KEY_SIZE=2048
export KEY_COUNTRY="BR"
export KEY_PROVINCE="SP"
export KEY_CITY="Sao Paulo"
export KEY_ORG="Dexter Courier"
export KEY_OU="TI"
export KEY_EMAIL="admin@dexter.com.br"
export KEY_CN="security"
export KEY_NAME="Dexter CA"

These variables become the defaults offered at every certificate prompt below.
KEY_SIZE=2048 replaces the 1024-bit default of easy-rsa 2.0; 1024-bit RSA keys must
not be used for a new CA.

OpenVPN Server
Server: Security

Host-to-gateway VPN: creating the CA:

1# source vars

2# ./clean-all

3# ./build-ca

....

Country Name (2 letter code) [BR]: (press Enter)
State or Province Name (full name) [SP]: (press Enter)
Locality Name (eg, city) [Sao Paulo]: (press Enter)

./clean-all empties the keys/ directory. Run it only this once, before the CA exists:
running it later destroys the CA key and every certificate issued so far. The CA
private key (keys/ca.key) is the trust anchor of the whole VPN; it is never copied to
a client, and ideally it is not kept on the VPN server at all.

OpenVPN Server
Server: Security

Host-to-gateway VPN: creating the CA:

Organization Name (eg, company) [Dexter Courier]: (press Enter)
Organizational Unit Name (eg, section) [TI]: (press Enter)
Common Name (eg, your name or your server's hostname) [Dexter CA]: (press Enter)
Name [Dexter CA]: (press Enter)
Email Address [admin@dexter.com.br]: (press Enter)

OpenVPN Server
Server: Security

Host-to-gateway VPN: server certificate:

1# ./build-key-server security

Country Name (2 letter code) [BR]: (press Enter)
State or Province Name (full name) [SP]: (press Enter)
Locality Name (eg, city) [Sao Paulo]: (press Enter)
Organization Name (eg, company) [Dexter Courier]: (press Enter)
Organizational Unit Name (eg, section) [TI]: (press Enter)
Common Name (eg, your name or your server's hostname) [security]: (press Enter)

OpenVPN Server
Server: Security

Host-to-gateway VPN: server certificate:

Name [Dexter CA]: (press Enter)
Email Address [admin@dexter.com.br]: (press Enter)
A challenge password []: (press Enter)
An optional company name []: (press Enter)
Certificate is to be certified until Aug 16 08:41:49 2022 GMT (3650 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

build-key-server writes keys/security.crt and keys/security.key (easy-rsa names the
files after the argument given to the script) and marks the certificate with the
nsCertType=server extension, which the clients will check with ns-cert-type server.
The key is written without a passphrase so the daemon can start unattended; easy-rsa
sets it to mode 0600, and it must stay readable by root only.

Improving VPN security

Server: Security

To strengthen the VPN, Diffie-Hellman parameters are used for the ephemeral (DHE)
key exchange of the TLS handshake while OpenVPN runs; this is what gives the tunnel
forward secrecy, since the session keys are not derived from the RSA keys.
Use the script below to generate the parameters:

1# ./build-dh

2# ls -l keys/

build-dh writes keys/dh${KEY_SIZE}.pem, here dh2048.pem; generating 2048-bit parameters
can take several minutes. The DH parameters are public: they belong in the server
configuration only, and shipping them to a client is harmless but unnecessary.

OpenVPN Server
Server: Security

VPN server configuration file:

1# vim /etc/openvpn/security.conf

dev tun

proto udp

server 10.0.0.0 255.255.255.0

push "dhcp-option DNS 192.168.200.30"

push "dhcp-option DNS 8.8.8.8"

push "route 192.168.200.0 255.255.255.0"

push "route 192.168.200.128 255.255.255.128"

Directive descriptions:

dev: uses a tun (routed, layer 3) virtual interface rather than a tap (bridged, layer 2)
one;

proto: the transport protocol the server listens on (UDP here);

server: defines the address range of the VPN and lets the server hand out addresses to
clients as they connect, so several clients can be connected at the same time. The
server itself takes the first address, 10.0.0.1;

push: lets the server add options to the client's configuration at connection time.
The route lines make the clients send traffic for the corporate network
192.168.200.0/24 through the tunnel (the second route, 192.168.200.128/25, is already
covered by the first); the dhcp-option lines hand the clients the corporate DNS server.
On Linux clients dhcp-option is not applied by OpenVPN itself but by the up script
configured on the client (update-resolv-conf).
OpenVPN Server
Server: Security

VPN server configuration file:

port 5000

comp-lzo

verb 4

keepalive 10 120

persist-key

persist-tun

float

Directive descriptions:

port: the UDP port OpenVPN listens on (the default is 1194; 5000 is used here);

comp-lzo: enables LZO compression of the tunnel payload. Compressing traffic before
encrypting it is now discouraged (it leaks information about the plaintext, and
OpenVPN 2.4 and later deprecate comp-lzo); the lab keeps it, but a production server
should leave it out, and the clients must then not set it either;

verb: log verbosity; 4 is useful while debugging, 3 is enough in normal operation;

keepalive: sends a ping after 10 seconds of inactivity and restarts the tunnel after
120 seconds without a response. On the server the directive is also pushed to the
clients, and the server side uses twice the timeout (240 s) so that the clients time
out first;

persist-key: keeps the key material loaded across a restart of the tunnel
(ping-restart or SIGUSR1). It is required here because once user/group have dropped
privileges to nobody the daemon can no longer re-read the key files;

persist-tun: keeps the tun interface open across a restart of the tunnel; also required
once privileges are dropped, since creating a new tun device needs root;

float: lets the tunnel stay up even if the peer's IP address or port changes (for
example a home-office client behind a NAT whose mapping changes).
OpenVPN Server
Server: Security

VPN server configuration file:

user nobody

group nogroup

tls-server

ca /etc/openvpn/2.0/keys/ca.crt

cert /etc/openvpn/2.0/keys/security.crt

key /etc/openvpn/2.0/keys/security.key

dh /etc/openvpn/2.0/keys/dh2048.pem

1# service openvpn restart

Directive descriptions:

user: after initialization, drops root privileges and runs the daemon as the user
nobody;

group: likewise drops the daemon to the group nogroup;

tls-server: enables TLS and takes the server role in the handshake (the server
directive above already implies it). By itself it does not stop floods against the
OpenVPN port: every packet that arrives still starts a TLS handshake. The directive
that gives that protection is tls-auth with a shared HMAC key, which this
configuration does not use; adding it is the first hardening step for an
Internet-facing server;

ca: the CA certificate against which every client certificate is verified; only
certificates signed by this CA are accepted;

cert: the server certificate (named after the argument given to build-key-server,
security here);

key: the server's 2048-bit RSA private key, readable only by root;

dh: the Diffie-Hellman parameters used for the ephemeral key exchange of the TLS
handshake.

The Debian init script starts one instance per *.conf file in /etc/openvpn, so
security.conf is picked up by the restart. Check the log for "Initialization
Sequence Completed" before going on.
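As an added example (not part of the course material), the following POSIX sh script audits a server configuration written in the style of security.conf above: it checks that the directives a TLS server cannot start without are present, that every file the configuration points at exists, and it flags the hardening points discussed in the descriptions (comp-lzo, no tls-auth, no privilege drop, persist-key/persist-tun missing once privileges are dropped). The checks are the editor's, not OpenVPN's own validation; the sample configuration built by make_sample() and its empty placeholder key files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the course material: audit an OpenVPN server
# configuration written in the style of /etc/openvpn/security.conf above.
# It reports missing required directives, referenced files that do not exist
# and settings a reviewer would flag (comp-lzo, no tls-auth, no privilege drop,
# persist-key/persist-tun missing once privileges are dropped).
# Only POSIX sh, awk and test are used; the sample config written by
# make_sample() and its empty placeholder key files are constructed here.

# directive_value CONF NAME -> first argument of the directive, or nothing
directive_value() {
    awk -v name="$2" '
        { sub(/[#;].*$/, ""); sub(/^[ \t]+/, "") }   # drop comments and indent
        $1 == name { print $2; exit }' "$1"
}

# has_directive CONF NAME -> exit status 0 if the directive is present
has_directive() {
    [ -n "$(awk -v name="$2" '
        { sub(/[#;].*$/, ""); sub(/^[ \t]+/, "") }
        $1 == name { print "y"; exit }' "$1")" ]
}

# check_server_conf CONF -> prints ERROR:/WARN: findings, one per line;
# returns 0 when there is no ERROR (warnings alone do not fail the check)
check_server_conf() {
    conf="$1"; errors=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    # 1. directives a TLS server cannot start without
    for d in server ca cert key dh; do
        has_directive "$conf" "$d" || {
            echo "ERROR: missing directive '$d'"; errors=$((errors + 1)); }
    done

    # 2. every file a directive points at must exist; relative paths are
    #    resolved against the config's directory, which is where the Debian
    #    scripts (--cd /etc/openvpn) resolve them in practice
    for d in ca cert key dh tls-auth crl-verify; do
        f="$(directive_value "$conf" "$d")"
        [ -n "$f" ] || continue
        case "$f" in /*) ;; *) f="$(dirname "$conf")/$f" ;; esac
        [ -f "$f" ] || {
            echo "ERROR: '$d' points at missing file $f"; errors=$((errors + 1)); }
    done

    # 3. hardening points a practitioner would raise
    ! has_directive "$conf" comp-lzo ||
        echo "WARN: comp-lzo enabled; compressing encrypted traffic is deprecated"
    has_directive "$conf" tls-auth ||
        echo "WARN: no tls-auth; anyone can start a TLS handshake on the port"
    if has_directive "$conf" user || has_directive "$conf" group; then
        for d in persist-key persist-tun; do
            has_directive "$conf" "$d" ||
                echo "WARN: '$d' missing; tunnel restarts fail after dropping privileges"
        done
    else
        echo "WARN: daemon keeps root; add 'user nobody' and 'group nogroup'"
    fi
    [ "$errors" -eq 0 ]
}

# make_sample DIR -> DIR/security.conf mirroring the course's configuration,
# plus empty placeholder files for ca/cert/key/dh (constructed, not real keys)
make_sample() {
    mkdir -p "$1/keys"
    for f in ca.crt security.crt security.key dh2048.pem; do : > "$1/keys/$f"; done
    cat > "$1/security.conf" <<EOF
dev tun
proto udp
server 10.0.0.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"
port 5000
comp-lzo
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
tls-server
ca $1/keys/ca.crt
cert $1/keys/security.crt
key $1/keys/security.key
dh $1/keys/dh2048.pem
EOF
}

# usage: sh check-openvpn-conf.sh /etc/openvpn/security.conf
# without an argument the constructed sample is audited instead
main() {
    if [ -n "$1" ]; then
        check_server_conf "$1"
    else
        tmp="$(mktemp -d)"
        make_sample "$tmp"
        check_server_conf "$tmp/security.conf"
        rm -rf "$tmp"
    fi
}
main "$@"
```

Run against the lab configuration it reports no errors and the two warnings (comp-lzo, no tls-auth); a typo in a key path, or a cert line still pointing at server.crt after the server certificate was built as security, shows up as an ERROR before the daemon is restarted.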
OpenVPN Server
Server: Security

Host-to-gateway VPN: client certificate:

1# ./build-key linuxexterna

Country Name (2 letter code) [BR]: (press Enter)
State or Province Name (full name) [SP]: (press Enter)
Locality Name (eg, city) [Sao Paulo]: (press Enter)
Organization Name (eg, company) [Dexter Courier]: (press Enter)
Organizational Unit Name (eg, section) [TI]: (press Enter)
Common Name (eg, your name or your server's hostname) [linuxexterna]: (press Enter)

Issue one certificate per client, each with a unique Common Name: OpenVPN identifies
the connected client by its CN, and revocation (below) works per certificate, so a
certificate shared by several users cannot be revoked for one of them without cutting
off all of them.

OpenVPN Server
Server: Security

Host-to-gateway VPN: client certificate:

Name [Dexter CA]: (press Enter)
Email Address [admin@dexter.com.br]: linuxexterna@dexter.com.br
A challenge password []: (press Enter)
An optional company name []: (press Enter)
Certificate is to be certified until Aug 16 08:41:49 2022 GMT (3650 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

The resulting files are keys/linuxexterna.crt and keys/linuxexterna.key. The key is
written without a passphrase (easy-rsa's default); to protect a client key with a
passphrase use ./build-key-pass instead of ./build-key.

OpenVPN Server
Server: Security

VPN client configuration file:

1# mkdir /root/client

2# vim /root/client/linuxexterna.conf

dev tun
proto udp
client
pull
remote 200.100.50.99
port 5000
comp-lzo

Directive descriptions:

client: declares this machine a VPN client (shorthand for pull plus tls-client);

pull: makes the client accept the options pushed by the server (routes, DNS);

remote: the hostname or IP address of the VPN server (its public address,
200.100.50.99 in the lab). dev, proto, port and comp-lzo must match the server
configuration.


OpenVPN Server
Server: Security

VPN client configuration file:

verb 4

keepalive 10 120

persist-key

persist-tun

float

user nobody

group nogroup

ns-cert-type server

Directive descriptions:

ns-cert-type: requires the certificate presented by the server to carry the
nsCertType=server extension, which build-key-server adds and build-key does not.
Without it, any holder of a valid client certificate from the same CA could pose as
the server to the other clients (a man-in-the-middle). Since OpenVPN 2.4 the
equivalent, non-deprecated directive is remote-cert-tls server.


OpenVPN Server
Server: Security

VPN client configuration file:

tls-client

ca /etc/openvpn/ca.crt

cert /etc/openvpn/linuxexterna.crt

key /etc/openvpn/linuxexterna.key

dh /etc/openvpn/dh2048.pem

script-security 3 system

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

Directive descriptions:

tls-client: enables TLS in the client role (already implied by client). As on the
server, TLS by itself does not protect the port against floods; that is what tls-auth
is for;

ca, cert, key: the CA certificate and this client's own certificate and key, which the
server verifies against the same CA;

dh: Diffie-Hellman parameters are only used on the TLS server side; the line is not
used by a client and can be left out;

script-security: allows OpenVPN to run external scripts. Level 2 is enough for the
up/down scripts used here; level 3 additionally passes passwords to scripts through
the environment, and the system method is deprecated, so "script-security 2" is the
safer setting;

up / down: run update-resolv-conf when the tunnel comes up and goes down, so the DNS
servers pushed by the server (dhcp-option) are written to /etc/resolv.conf through
resolvconf and removed again afterwards.


OpenVPN Server
Server: Security

Preparing the VPN client configuration package:

1# cd keys

2# cp ca.crt dh2048.pem linuxexterna.crt linuxexterna.key /root/client/

3# cd /root/client/

4# tar czvf linuxexterna.tar.gz *

Only this client's certificate and key go into the package, never ca.key or another
client's key. The archive contains a private key: hand it over through an
authenticated channel (the scp below) and delete it from the server afterwards.
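As an added example (not part of the course material), the script below builds a single-file client profile with the certificate material embedded inline, an alternative to the tarball above that OpenVPN has accepted since 2.1: the configuration carries <ca>, <cert> and <key> blocks, so the user receives one file and nothing has to be unpacked into /etc/openvpn under the right names. The directives are those of linuxexterna.conf above with two changes discussed in the descriptions (script-security 2 instead of "3 system", and no dh line); the placeholder PEM files written by make_placeholder_keys() are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example, not part of the course material: build a single-file client
# profile with the certificate material embedded inline, instead of the
# tarball of separate files. OpenVPN (2.1 and later) accepts <ca>, <cert> and
# <key> blocks inside the configuration.
# The placeholder PEM files written by make_placeholder_keys() are constructed
# stand-ins for easy-rsa's keys/ directory, not real certificates or keys.

# pem_body FILE -> only the BEGIN/END block; easy-rsa prefixes certificates
# with a text dump that has no place in the profile
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_profile KEYDIR CLIENT SERVER PORT -> profile on stdout,
# exit status 1 (and nothing on stdout) if a required file is missing
build_profile() {
    keydir="$1"; client="$2"; server="$3"; port="$4"
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$keydir/$f" ] || { echo "build_profile: missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
# comp-lzo matches the lab server; drop it on both sides in production
comp-lzo
verb 3
keepalive 10 120
persist-key
persist-tun
float
user nobody
group nogroup
ns-cert-type server
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
    printf '<ca>\n';   pem_body "$keydir/ca.crt";      printf '</ca>\n'
    printf '<cert>\n'; pem_body "$keydir/$client.crt"; printf '</cert>\n'
    printf '<key>\n';  pem_body "$keydir/$client.key"; printf '</key>\n'
}

# make_placeholder_keys DIR -> constructed stand-ins for keys/ (not real PEM data)
make_placeholder_keys() {
    mkdir -p "$1"
    printf '%s\n' 'Certificate:' '    Data: (text dump added by easy-rsa)' \
        '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder-ca...' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump added by easy-rsa)' \
        '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder-client...' \
        '-----END CERTIFICATE-----' > "$1/linuxexterna.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder-key...' \
        '-----END PRIVATE KEY-----' > "$1/linuxexterna.key"
}

# usage: sh make-profile.sh /etc/openvpn/2.0/keys linuxexterna 200.100.50.99 5000 \
#            > /root/client/linuxexterna.ovpn && chmod 600 /root/client/linuxexterna.ovpn
# without arguments a profile is built from the placeholder files as a demonstration
main() {
    if [ "$#" -eq 4 ]; then
        build_profile "$@"
    else
        tmp="$(mktemp -d)"
        make_placeholder_keys "$tmp"
        build_profile "$tmp" linuxexterna 200.100.50.99 5000
        rm -rf "$tmp"
    fi
}
main "$@"
```

On the client the profile is dropped into /etc/openvpn as linuxexterna.conf (or used directly with openvpn --config); because it contains the private key it must be mode 0600, exactly like the separate .key file in the tarball version.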

OpenVPN Server
Server: Audit

Allow the VPN clients to use DEXTER's DNS:

1# vim /etc/bind/named.conf.options

....

allow-query { 200.100.50.0/24; 192.168.200.0/24; 192.168.200.128/25; 10.0.0.0/24; 127.0.0.1; };

allow-recursion { 192.168.200.0/24; 192.168.200.128/25; 10.0.0.0/24; 200.100.50.0/24; 127.0.0.1; };

2# service bind9 restart

The VPN clients reach the DNS server with their tunnel addresses (10.0.0.0/24), so that
range has to be in both ACLs; without it the pushed dhcp-option DNS would point the
clients at a server that refuses their queries.

OpenVPN Server
Server: Linux Externa

Installing the VPN client configuration package:

1# apt-get install openvpn resolvconf

2# scp 200.100.50.99:/root/client/linuxexterna.tar.gz .

3# tar xzvf linuxexterna.tar.gz -C /etc/openvpn

4# service openvpn restart && service resolvconf restart

5# ifconfig tun0

6# ping -c4 10.0.0.1 && ping -c4 192.168.200.30 && ping -c4 192.168.200.130

7# ping intranet.dexter.com.br

Step 5 should show tun0 with an address from 10.0.0.0/24. Step 6 checks, in order, the
server's tunnel address, the DNS server on the corporate network and a host in the
192.168.200.128/25 segment, i.e. that the pushed routes are in effect; step 7 checks
that name resolution now goes through the corporate DNS. After extracting, confirm
that /etc/openvpn/linuxexterna.key is readable only by root.

OpenVPN Server

Certificate revocation on the server:

Revoking a certificate is the way to invalidate a previously signed certificate so
that it can no longer be used for authentication. OpenVPN does not ask the CA at
connection time; it only learns of revocations through a certificate revocation list
(CRL) published by the CA and loaded with crl-verify.

Typical reasons for revoking a client certificate:

The private key belonging to the certificate is compromised or stolen;

The user forgot the passphrase of the key;

You need to end a user's access to the VPN.

OpenVPN Server
Server: Security

Certificate revocation on the server:

1# cd /etc/openvpn/2.0

2# source vars

3# ./revoke-full linuxexterna

4# cp keys/crl.pem /etc/openvpn/

5# vim /etc/openvpn/security.conf

.....

crl-verify /etc/openvpn/crl.pem

6# service openvpn restart

revoke-full marks the certificate as revoked in the CA database (keys/index.txt),
regenerates keys/crl.pem and then verifies the certificate against the new CRL; the
message "error 23 at 0 depth lookup:certificate revoked" it prints is the expected
confirmation, not a failure. Two things to keep in mind:

the CRL has its own validity period (default_crl_days in easy-rsa's openssl cnf, 30
days by default). Regenerate it with the CA before it expires, for example by running
openssl ca -gencrl -out keys/crl.pem -config "$KEY_CONFIG" after source vars, otherwise
newer OpenVPN versions reject every connection with "CRL has expired";

crl-verify is only consulted on new handshakes, and once the directive is in place a
regenerated crl.pem is picked up without a restart. A revoked client that is already
connected stays connected until its session renegotiates or is dropped, so after
revoking, terminate its session (the restart in step 6 does that for every client).
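As an added example (not part of the course material), the script below audits the CA database keys/index.txt that revoke-full updates, to answer the questions an operator has around a revocation: was it recorded, which client certificates are still valid, and does any Common Name hold more than one valid certificate (a client that was reissued without revoking its old certificate, which then still authenticates). index.txt is the OpenSSL "ca" database: one tab-separated line per issued certificate with the fields status (V valid, R revoked, E expired), expiry, revocation date, serial, file name and subject. The database written by make_sample_index() is constructed for the example, including the client names other than linuxexterna.

```shell
#!/bin/sh
# Added example, not part of the course material: audit the easy-rsa CA
# database keys/index.txt that revoke-full updates.
# index.txt is the OpenSSL "ca" database: one tab-separated line per issued
# certificate with the fields
#   status (V valid, R revoked, E expired)  expiry  revocation-date  serial  file  subject
# The database written by make_sample_index() is constructed for the example.

# index_report INDEX -> one line per certificate: STATUS SERIAL CN [REVOKED-AT]
index_report() {
    awk -F '\t' '
        NF >= 6 {
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
            printf "%s %s %s", $1, $4, cn
            if ($1 == "R") printf " %s", $3
            printf "\n"
        }' "$1"
}

# cert_status INDEX CN -> valid|revoked|expired|unknown for the most recently
# issued certificate with that CN (the database is append-only, newest last);
# exit status 1 when no certificate was ever issued to the CN
cert_status() {
    st="$(awk -F '\t' -v want="$2" '
        NF >= 6 {
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
            if (cn == want) status = $1
        }
        END { print status }' "$1")"
    case "$st" in
        V) echo valid ;;
        R) echo revoked ;;
        E) echo expired ;;
        *) echo unknown; return 1 ;;
    esac
}

# duplicate_valid INDEX -> CNs that currently hold more than one valid
# certificate; each such CN has an old certificate that still authenticates
duplicate_valid() {
    awk -F '\t' '
        NF >= 6 && $1 == "V" {
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); n[cn]++
        }
        END { for (c in n) if (n[c] > 1) print c }' "$1" | sort
}

# make_sample_index FILE -> constructed database: the server certificate,
# linuxexterna revoked with revoke-full and then reissued, a client reissued
# without revoking the old certificate, and a client that is only revoked
make_sample_index() {
    dn='/C=BR/ST=SP/L=Sao Paulo/O=Dexter Courier/OU=TI/CN=%s/name=Dexter CA/emailAddress=%s'
    {
        printf "V\t220816084149Z\t\t01\tunknown\t$dn\n" security admin@dexter.com.br
        printf "R\t220816084149Z\t150318134500Z\t02\tunknown\t$dn\n" linuxexterna linuxexterna@dexter.com.br
        printf "V\t250318134500Z\t\t03\tunknown\t$dn\n" linuxexterna linuxexterna@dexter.com.br
        printf "V\t220816084149Z\t\t04\tunknown\t$dn\n" notebook-ana ana@dexter.com.br
        printf "V\t250101000000Z\t\t05\tunknown\t$dn\n" notebook-ana ana@dexter.com.br
        printf "R\t220816084149Z\t150201090000Z\t06\tunknown\t$dn\n" old-laptop old@dexter.com.br
    } > "$1"
}

# usage: sh audit-index.sh /etc/openvpn/2.0/keys/index.txt [CN]
# without arguments the constructed sample database is audited
main() {
    idx="$1"
    if [ -z "$idx" ]; then
        idx="$(mktemp)"; make_sample_index "$idx"
    fi
    index_report "$idx"
    for cn in $(duplicate_valid "$idx"); do
        echo "WARN: $cn has more than one valid certificate; revoke the old one"
    done
    [ -n "$2" ] && echo "$2: $(cert_status "$idx" "$2")"
    [ -z "$1" ] && rm -f "$idx"
    return 0
}
main "$@"
```

Run right after step 3 above, index_report shows linuxexterna's entry as R with the revocation timestamp; if it is still V, the revocation was not committed and the regenerated CRL does not contain the certificate. Note that index.txt reflects the CA's view only: the server enforces it solely through the crl.pem that was copied in step 4, so regenerate and copy the CRL whenever the database changes.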

OpenVPN Server

Which directive is used for certificate revocation in OpenVPN?

A. crl-verify

B. comp-lzo

C. persist-key

D. keepalive

Answer: alternative A

Next Steps

To get the most out of the course, take part in the following activities
available on Netclass:

Do the Practice Lab tasks;

Solve the Appliance Lab Challenge and post the result in the Thematic Forum;

Answer the Knowledge Test questions on the content covered in class.

Hands on!