Configuring SSL VPN with Mac OS X and iphone Clients. Configuration tested. Network Diagram

Transcription

1 Configuring SSL VPN with Mac OS X and iphone Clients In this scenario, we will configure the VPN for split tunneling i.e. only client traffic destined for the remote network will go over the VPN tunnel. Configuration tested... 1 Network Diagram... 1 Create the SSL Keys and Certs... 2 Configure the network on the Shield... 4 Configure the Shield SSLVPN settings... 5 Configure the Tunnelblick client for Mac OS X... 8 Configure the OpenVPN Connect client for iphone Configuration tested ITUS Networks Shield Firmware version: RC2 Mode: Router Mac OS X Version: Yosemite ( ) Client: Tunnelblick (build ) iphone Version 8.3 Client: OpenVPN build 177 Network Diagram

2 Create the SSL Keys and Certs This document will walk you through using openssl on the Shield to create the SSL keys and certs. You can skip this section if you already have them. 1. Replace the openssl.cnf file on the Shield with the one posted on the forum (see URL below) by copying it to the Shield /etc/ssl folder. For Linux/Mac users, it s recommended to use scp to copy files to the Shield. For windows users, it s recommended to use winscp ( Openssl.cnf file: 2. Create the CA private key OpenSSL> genrsa - aes256 - out /etc/ssl/private/ca.crt Create the CA cert used to sign client and server certs OpenSSL> req - new - x509 - key /etc/ssl/private/ca.key - out /etc/ssl/certs/ca.crt - days 3650 Here are the values used to create the CA cert: Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:ITUS CA server Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 4. Create the Shield server private key OpenSSL> genrsa - aes256 - out /etc/ssl/private/server.key Create the Shield server certificate signing request OpenSSL> req - new - out /etc/ssl/certs/server.csr - key /etc/ssl/private/server.key Here are the values used to create the server signing request:

3 Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:sslvpn.itus.io Address Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 6. Sign the server signing request with the CA OpenSSL> ca - days in /etc/ssl/certs/server.csr - out /etc/ssl/certs/server.crt - keyfile /etc/ssl/private/ca.key - cert /etc/ssl/certs/ca.crt - policy policy_anything - extensions server 7. Create the Mac OS X client private key OpenSSL> genrsa aes256 - out /etc/ssl/private/mac- client.key Create the Mac OS X certificate signing request OpenSSL> req - new - out /etc/ssl/certs/mac- client.csr - key /etc/ssl/private/mac- client.key Here are the values used to create the Mac client certificate signing request: Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:mac_user Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 9. Sign the Mac OS X client signing request with the CA OpenSSL> ca - days in /etc/ssl/certs/mac- client.csr - out /etc/ssl/certs/mac- client.crt - keyfile /etc/ssl/private/ca.key - cert /etc/ssl/certs/ca.crt - policy policy_anything - extensions usr_cert 10. Create the iphone client private key

4 OpenSSL> genrsa aes256 - out /etc/ssl/private/iphone- client.key Create the iphone certificate signing request OpenSSL> req - new - out /etc/ssl/certs/iphone- client.csr - key /etc/ssl/private/iphone- client.key Here are the values used to create the iphone client signing request: Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:iphone_user Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 12. Sign the iphone client cert with CA OpenSSL> ca - days in /etc/ssl/certs/iphone- client.csr - out /etc/ssl/certs/iphone- client.crt - keyfile /etc/ssl/private/ca.key - cert /etc/ssl/certs/ca.crt - policy policy_anything - extensions usr_cert 13. Create the DH key and cert OpenSSL> dhparam - out dh2048.pem 2048 For more details on how to create SSL keys and certs, refer to the openvpn documentation: source/documentation/howto.html#pki Configure the network on the Shield Create the VPN interface 1. SSH to the Shield: $ root@ Copy and paste the following commands. root@shield:/# uci set network.vpn0=interface root@shield:/# uci set network.vpn0.ifname=tun0 root@shield:/# uci set network.vpn0.proto=none

5 Allow inbound VPN traffic 1. From the CLI, copy and paste the following commands uci add firewall rule uci set 1].name=Allow- OpenVPN- Inbound uci set 1].target=ACCEPT uci set 1].src=* uci set 1].proto=udp uci set 1].dest_port=1194 Allow OpenVPN tunnel traffic 1. From the CLI, copy and paste the following commands uci add firewall zone uci set 1].name=vpn uci set 1].input=ACCEPT uci set 1].forward=ACCEPT uci set 1].output=ACCEPT uci set 1].network=vpn0 Commit the changes 1. From the CLI, copy and paste the following commands uci commit network /etc/init.d/network reload uci commit firewall /etc/init.d/firewall reload Configure the Shield SSLVPN settings Create a new SSLVPN instance 1. SSH to the Shield: $ root@ Copy and paste the following commands root@shield:/etc/config# echo >> /etc/config/openvpn root@shield:/etc/config# uci set openvpn.sslvpn_server=openvpn root@shield:/etc/config# uci set openvpn.sslvpn_server.enabled=1 root@shield:/etc/config# uci set openvpn.sslvpn_server.dev=tun root@shield:/etc/config# uci set openvpn.sslvpn_server.port=1194 root@shield:/etc/config# uci set openvpn.sslvpn_server.proto=udp root@shield:/etc/config# uci set openvpn.sslvpn_server.keepalive='10 120' root@shield:/etc/config# uci set openvpn.sslvpn_server.log=/tmp/openvpn.log root@shield:/etc/config# uci set openvpn.sslvpn_server.verb=3 root@shield:/etc/config# uci set openvpn.sslvpn_server.server=' ' root@shield:/etc/config# uci set openvpn.sslvpn_server.push='route '

6 uci set openvpn.sslvpn_server.askpass=/etc/openvpn/cert.pass uci commit openvpn Create the password file for the OpenVPN private key 1. From the CLI, enter the following commands. Change password to be the actual pass phrase used for the server.key created earlier. touch /etc/openvpn/cert.pass chmod 600 /etc/openvpn/cert.pass echo password > /etc/openvpn/cert.pass Upload the certs and keys to the new instance 1. Log in to the Shield device using HTTPS 2. Select Services then SSLVPN from the menu 3. Edit the SSLVPN_Server instance 4. Click Switch to advanced configuration 5. Click Cryptography

7 6. Choose ca from the list and click add 7. Select Choose File and upload ca.crt created earlier

8 8. Click Save & Apply when finished. The CA cert is now uploaded 9. Repeat steps 6-8 for dh, cert, and key using dh2048.pem, server.crt, and server.key created earlier 10. Select Overview to return to the SSLVPN overview page and click start to start the SSLVPN_Server service. If the SSLVPN_Server service is already started, click stop and then start to restart it Configure the Tunnelblick client for Mac OS X Install the tunnelblick client for Mac OS X Create the Tunnelblick configuration file

9 1. Create a text file called mac.ovpn with the following entries. Note: the host sslvpn.itus.io needs to resolve to the Shield s WAN IP. Verify- x509- name must match the server certificate common name. dev tun tls- client verify- x509- name sslvpn.itus.io name remote sslvpn.itus.io 1194 pull proto udp reneg- sec 3600 ca /users/marco/ssl/ca.crt cert /users/marco/ssl/mac- client.crt key /users/marco/ssl/mac- client.key 2. Put ca.crt, mac- client.key, mac- client.crt, and mac.ovpn in the /users/marco/ssl/ folder and double- click the mac.ovpn file 3. Select Only Me to install the configuration file. Enter your Mac OS X password when prompted

10 4. Launch the Tunnelblick client and select Connect 5. If the private key is encrypted, you will be prompted to enter the password 6. Once connected, you should be able to access the internal network

11 Configure the OpenVPN Connect client for iphone Install the OpenVPN Connect client from the App Store Create the OpenVPN configuration file 1. Create a text file called iphone.ovpn with the following entries. Note: the host sslvpn.itus.io needs to resolve to the Shield s WAN IP. Verify- x509- name must match the server certificate common name. dev tun tls- client verify- x509- name sslvpn.itus.io name remote sslvpn.itus.io 1194 pull proto udp reneg- sec 3600 ca ca.crt cert iphone- client.crt key iphone- client.key 2. Using itunes Sync, select the iphone device > Apps > OpenVPN > Add in order to upload iphone.ovpn, ca.crt, iphone- client.crt, and iphone- client.key

12 3. In the OpenVPN Connect app, click the plus sign to add the iphone profile. If the private key is encrypted, you will be prompted to enter the password.

13 4. In the OpenVPN Connect client, click the button to connect. Once connected, you should be able to access the internal network.