Configuring SSL VPN with Mac OS X and iphone Clients. Configuration tested. Network Diagram



Similar documents
Yealink Technical White Paper. Contents. About VPN Types of VPN Access VPN Technology... 3 Example Use of a VPN Tunnel...

About VPN Yealink IP Phones Compatible with VPN Installing the OpenVPN Server Configuring the OpenVPN Feature on IP Phones...

Low cost secure VPN MikroTik SSTP over OpenIXP (Indonesian Internet) ASTA INFORMATICS Faisal Reza

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Clearswift Information Governance

NEFSIS DEDICATED SERVER

Virtual Private Network (VPN) Lab

Overview. Author: Seth Scardefield Updated 11/11/2013

Installing an SSL certificate on the InfoVaultz Cloud Appliance

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Self Signed Certificates

How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network

How to install and run an OpenVPN client on your Windows-based PC

VPN (OpenVPN) Setting Guide. Johnny

Configuring IPsec VPN with a FortiGate and a Cisco ASA

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Connecting an Android to a FortiGate with SSL VPN

Application Note AN1502

Virtual Private Network with OpenVPN

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Generating and Installing SSL Certificates on the Cisco ISA500

Creating Certificate Authorities and self-signed SSL certificates

NAS 323 Using Your NAS as a VPN Server

Access Your Cisco Smart Storage Remotely Via WebDAV

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

ReadyNAS Remote. User Manual. June East Plumeria Drive San Jose, CA USA

How To Industrial Networking

Mise en pratique : installation d'openvpn sur OpenWRT

EventTracker Windows syslog User Guide

How to Connect SSTP VPN from Windows Server 2008/Vista to Vigor2950

SecuritySpy Setting Up SecuritySpy Over SSL

Configuring Global Protect SSL VPN with a user-defined port

Using Client Side SSL Certificate Authentication on the WebMux

Quick Note 040. Create an SSL Tunnel with Certificates on a Digi TransPort WR router using Protocol Switch.

Quick Note 041. Digi TransPort to Digi TransPort VPN Tunnel using OpenSSL certificates.

SSL Insight Certificate Installation Guide

SWITCHBOARD SECURITY

(this is being worked on)

SSL Interception on Proxy SG

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

FUJITSU Cloud IaaS Trusted Public S5 Configuring a Server Load Balancer

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

FreeBSD OpenVPN Server/Routed - Secure Computing Wiki

How To Connect To A University Of Cyprus Vpn 3000 From Your Computer To A Computer With A Password Protected Connection

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

FortiClient SSL VPN Client User s Guide

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

EZ RMC Remote HMI App Application Guide for ios

Zenprise Device Manager 6.1

Connection. to SECON-Server

Network Load Balancing

VPN Quick Configuration Guide. Astaro Security Gateway V8

Hosted Microsoft Exchange Client Setup & Guide Book

BlackBerry Enterprise Service 10. Version: Configuration Guide

Browser-based Support Console

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

HOWTO: How to configure VPN SSL roadwarrior to gateway

e-cert (Server) User Guide For Apache Web Server

Chapter 8 Router and Network Management

Global VPN Client Getting Started Guide

Stealth OpenVPN and SSH Tunneling Over HTTPS

Using the Raspberry Pi to establish a Virtual Private Network (VPN) Connection to a Home Network

Securepoint Security Systems

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Remote Administration

Global VPN Client Getting Started Guide

To enable https for appliance

Clientless SSL VPN Users

Viking VPN Guide Linux/UNIX

AlienVault. Unified Security Management 5.x Configuring a VPN Environment

How To - Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key

Using SonicWALL NetExtender to Access FTP Servers

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Crypto Lab Public-Key Cryptography and PKI

Information Technology Services. Your mailbox is moving to the cloud. Here is what to expect.

VPN: Virtual Private Network Setup Instructions

NAS 322 Connecting Your NAS to a VPN

LoadMaster SSL Certificate Quickstart Guide

SSL-VPN 200 Getting Started Guide

HOWTO: How to configure IPSEC gateway (office) to gateway

Hosted Microsoft Exchange Client Setup & Guide Book

C-more Remote Access with Apple ipad or iphone Tutorial

Implementing a Secure Home Intranet and VPN Solution Using Linux

AN054 SERIAL TO WI-FI (S2W) HTTPS (SSL) AND EAP SECURITY

owncloud Configuration and Usage Guide

Cisco Expressway Certificate Creation and Use

USG40HE Content Filter Customization

Introduction to Mobile Access Gateway Installation

SSL Certificate Based VPN

Quick Note 038. Upgrade Software options and/or VPN Licenses on a Digi Transport router.

Using custom certificates with Spectralink 8400 Series Handsets

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

The steps will take about 4 hours to fully execute, with only about 60 minutes of user intervention. Each of the steps is discussed below.

Transcription:

Configuring SSL VPN with Mac OS X and iphone Clients In this scenario, we will configure the VPN for split tunneling i.e. only client traffic destined for the remote network will go over the VPN tunnel. Configuration tested... 1 Network Diagram... 1 Create the SSL Keys and Certs... 2 Configure the network on the Shield... 4 Configure the Shield SSLVPN settings... 5 Configure the Tunnelblick client for Mac OS X... 8 Configure the OpenVPN Connect client for iphone... 11 Configuration tested ITUS Networks Shield Firmware version: RC2 Mode: Router Mac OS X Version: Yosemite (10.10.3) Client: Tunnelblick 3.5.3 (build 4270.4371) iphone Version 8.3 Client: OpenVPN 1.0.5 build 177 Network Diagram

Create the SSL Keys and Certs This document will walk you through using openssl on the Shield to create the SSL keys and certs. You can skip this section if you already have them. 1. Replace the openssl.cnf file on the Shield with the one posted on the forum (see URL below) by copying it to the Shield /etc/ssl folder. For Linux/Mac users, it s recommended to use scp to copy files to the Shield. For windows users, it s recommended to use winscp (https://winscp.net). Openssl.cnf file: https://packetinspector.org/showthread.php?tid=47&pid=120#pid120 2. Create the CA private key OpenSSL> genrsa - aes256 - out /etc/ssl/private/ca.crt 2048 3. Create the CA cert used to sign client and server certs OpenSSL> req - new - x509 - key /etc/ssl/private/ca.key - out /etc/ssl/certs/ca.crt - days 3650 Here are the values used to create the CA cert: Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:ITUS CA server Email Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 4. Create the Shield server private key OpenSSL> genrsa - aes256 - out /etc/ssl/private/server.key 2048 5. Create the Shield server certificate signing request OpenSSL> req - new - out /etc/ssl/certs/server.csr - key /etc/ssl/private/server.key Here are the values used to create the server signing request:

Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:sslvpn.itus.io Email Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 6. Sign the server signing request with the CA OpenSSL> ca - days 999 - in /etc/ssl/certs/server.csr - out /etc/ssl/certs/server.crt - keyfile /etc/ssl/private/ca.key - cert /etc/ssl/certs/ca.crt - policy policy_anything - extensions server 7. Create the Mac OS X client private key OpenSSL> genrsa aes256 - out /etc/ssl/private/mac- client.key 2048 8. Create the Mac OS X certificate signing request OpenSSL> req - new - out /etc/ssl/certs/mac- client.csr - key /etc/ssl/private/mac- client.key Here are the values used to create the Mac client certificate signing request: Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:mac_user Email Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 9. Sign the Mac OS X client signing request with the CA OpenSSL> ca - days 999 - in /etc/ssl/certs/mac- client.csr - out /etc/ssl/certs/mac- client.crt - keyfile /etc/ssl/private/ca.key - cert /etc/ssl/certs/ca.crt - policy policy_anything - extensions usr_cert 10. Create the iphone client private key

OpenSSL> genrsa aes256 - out /etc/ssl/private/iphone- client.key 2048 11. Create the iphone certificate signing request OpenSSL> req - new - out /etc/ssl/certs/iphone- client.csr - key /etc/ssl/private/iphone- client.key Here are the values used to create the iphone client signing request: Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some- State]:California Locality Name (eg, city) []:San Jose Organization Name (eg, company) [Internet Widgits Pty Ltd]:ITUS Networks Organizational Unit Name (eg, section) []:Engineering Common Name (e.g. server FQDN or YOUR name) []:iphone_user Email Address []:info@itus.io Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:password An optional company name []:ITUS Networks 12. Sign the iphone client cert with CA OpenSSL> ca - days 999 - in /etc/ssl/certs/iphone- client.csr - out /etc/ssl/certs/iphone- client.crt - keyfile /etc/ssl/private/ca.key - cert /etc/ssl/certs/ca.crt - policy policy_anything - extensions usr_cert 13. Create the DH key and cert OpenSSL> dhparam - out dh2048.pem 2048 For more details on how to create SSL keys and certs, refer to the openvpn documentation: https://openvpn.net/index.php/open- source/documentation/howto.html#pki Configure the network on the Shield Create the VPN interface 1. SSH to the Shield: $ root@10.10.10.10 2. Copy and paste the following commands. root@shield:/# uci set network.vpn0=interface root@shield:/# uci set network.vpn0.ifname=tun0 root@shield:/# uci set network.vpn0.proto=none

Allow inbound VPN traffic 1. From the CLI, copy and paste the following commands root@shield:/# uci add firewall rule root@shield:/# uci set firewall.@rule[- 1].name=Allow- OpenVPN- Inbound root@shield:/# uci set firewall.@rule[- 1].target=ACCEPT root@shield:/# uci set firewall.@rule[- 1].src=* root@shield:/# uci set firewall.@rule[- 1].proto=udp root@shield:/# uci set firewall.@rule[- 1].dest_port=1194 Allow OpenVPN tunnel traffic 1. From the CLI, copy and paste the following commands root@shield:/# uci add firewall zone root@shield:/# uci set firewall.@zone[- 1].name=vpn root@shield:/# uci set firewall.@zone[- 1].input=ACCEPT root@shield:/# uci set firewall.@zone[- 1].forward=ACCEPT root@shield:/# uci set firewall.@zone[- 1].output=ACCEPT root@shield:/# uci set firewall.@zone[- 1].network=vpn0 Commit the changes 1. From the CLI, copy and paste the following commands root@shield:/# uci commit network root@shield:/# /etc/init.d/network reload root@shield:/# uci commit firewall root@shield:/# /etc/init.d/firewall reload Configure the Shield SSLVPN settings Create a new SSLVPN instance 1. SSH to the Shield: $ root@10.10.10.10 2. Copy and paste the following commands root@shield:/etc/config# echo >> /etc/config/openvpn root@shield:/etc/config# uci set openvpn.sslvpn_server=openvpn root@shield:/etc/config# uci set openvpn.sslvpn_server.enabled=1 root@shield:/etc/config# uci set openvpn.sslvpn_server.dev=tun root@shield:/etc/config# uci set openvpn.sslvpn_server.port=1194 root@shield:/etc/config# uci set openvpn.sslvpn_server.proto=udp root@shield:/etc/config# uci set openvpn.sslvpn_server.keepalive='10 120' root@shield:/etc/config# uci set openvpn.sslvpn_server.log=/tmp/openvpn.log root@shield:/etc/config# uci set openvpn.sslvpn_server.verb=3 root@shield:/etc/config# uci set openvpn.sslvpn_server.server='10.8.0.0 255.255.255.0' root@shield:/etc/config# uci set openvpn.sslvpn_server.push='route 10.10.10.0 255.255.255.0'

root@shield:/etc/config# uci set openvpn.sslvpn_server.askpass=/etc/openvpn/cert.pass root@shield:/etc/config# uci commit openvpn Create the password file for the OpenVPN private key 1. From the CLI, enter the following commands. Change password to be the actual pass phrase used for the server.key created earlier. root@shield: touch /etc/openvpn/cert.pass root@shield: chmod 600 /etc/openvpn/cert.pass root@shield: echo password > /etc/openvpn/cert.pass Upload the certs and keys to the new instance 1. Log in to the Shield device using HTTPS 2. Select Services then SSLVPN from the menu 3. Edit the SSLVPN_Server instance 4. Click Switch to advanced configuration 5. Click Cryptography

6. Choose ca from the list and click add 7. Select Choose File and upload ca.crt created earlier

8. Click Save & Apply when finished. The CA cert is now uploaded 9. Repeat steps 6-8 for dh, cert, and key using dh2048.pem, server.crt, and server.key created earlier 10. Select Overview to return to the SSLVPN overview page and click start to start the SSLVPN_Server service. If the SSLVPN_Server service is already started, click stop and then start to restart it Configure the Tunnelblick client for Mac OS X Install the tunnelblick client for Mac OS X Create the Tunnelblick configuration file

1. Create a text file called mac.ovpn with the following entries. Note: the host sslvpn.itus.io needs to resolve to the Shield s WAN IP. Verify- x509- name must match the server certificate common name. dev tun tls- client verify- x509- name sslvpn.itus.io name remote sslvpn.itus.io 1194 pull proto udp reneg- sec 3600 ca /users/marco/ssl/ca.crt cert /users/marco/ssl/mac- client.crt key /users/marco/ssl/mac- client.key 2. Put ca.crt, mac- client.key, mac- client.crt, and mac.ovpn in the /users/marco/ssl/ folder and double- click the mac.ovpn file 3. Select Only Me to install the configuration file. Enter your Mac OS X password when prompted

4. Launch the Tunnelblick client and select Connect 5. If the private key is encrypted, you will be prompted to enter the password 6. Once connected, you should be able to access the internal network

Configure the OpenVPN Connect client for iphone Install the OpenVPN Connect client from the App Store Create the OpenVPN configuration file 1. Create a text file called iphone.ovpn with the following entries. Note: the host sslvpn.itus.io needs to resolve to the Shield s WAN IP. Verify- x509- name must match the server certificate common name. dev tun tls- client verify- x509- name sslvpn.itus.io name remote sslvpn.itus.io 1194 pull proto udp reneg- sec 3600 ca ca.crt cert iphone- client.crt key iphone- client.key 2. Using itunes Sync, select the iphone device > Apps > OpenVPN > Add in order to upload iphone.ovpn, ca.crt, iphone- client.crt, and iphone- client.key

3. In the OpenVPN Connect app, click the plus sign to add the iphone profile. If the private key is encrypted, you will be prompted to enter the password.

4. In the OpenVPN Connect client, click the button to connect. Once connected, you should be able to access the internal network.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information