\\\\\\\\THE REVENGE \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
First I removed several packages, including FreedomBox from DebianBuster
I followed an example where the certification authority is on a different machine from the one running OpenVPN. Here I use another LXC container,
let's call it “CertifBuster” or “198.168.1.19”
Then I reinstalled the OpenVPN server on DebianBuster.
This follows the last post starting from ** Misc : installing Freedombox in a LXC **
For installing OpenVPN, I followed the process explained in this document: How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04 | DigitalOcean; I used other sources in order to solve the numerous problems that occurred.
I'm not a professional of the domain, I just modestly gathered everything that skilled people did. Thanks for their explanations and pedagogy.
#~…Certification Authority : CertifBuster
I used the graphic interface LXDUI on the host RaspberryHostDebianBased to clone DebianBuster and make another container “CertifBuster”
on the host :
lxc start CertifBuster
lxc exec CertifBuster -- /bin/bash
passwd root
adduser Ramon
apt-get install sudo
usermod -aG sudo Ramon
apt-get install openssh-server openssh-client
sudo apt install easy-rsa
sudo apt install nano
sudo apt-get install ufw
sudo apt-get install rsync
ufw allow openssh
exit
lxc list # → note the IP address of CertifBuster
From MyLaptop on the local network (192.168.1.12), I can connect to RaspberryHostDebianBased (192.168.1.16), the LXC container DebianBuster (192.168.1.17) and CertifBuster (192.168.1.19)
ssh Ramon@192.168.1.19
public key infrastructure creation
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 /home/Ramon/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki
Certification Authority creation
in ~/easy-rsa
nano vars
# Input the identification data:
'
set_var EASYRSA_REQ_COUNTRY "ZZ"
set_var EASYRSA_REQ_PROVINCE "ANiceCountry"
set_var EASYRSA_REQ_CITY "BeautifullCity"
set_var EASYRSA_REQ_ORG "RamonTumorapa.PTE-LTD"
set_var EASYRSA_REQ_EMAIL "Ramon.Tumorapa@fakemail.zzz"
set_var EASYRSA_REQ_OU "SignedByRamonTumorapaOnlyMasterOnBoardAfterGod"
export KEY_ALTNAMES="EasyRSA"
'
building the certification authority :
./easyrsa build-ca
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CertifBuster
success :-).
2 important files :
~/easy-rsa/pki/ca.crt : CA’s public certificate file
~/easy-rsa/pki/private/ca.key : is the private key that the CA uses to sign certificates for servers and clients.
Copy the CA certificate (ca.crt) into an encrypted folder on MyLaptop:
scp Ramon@192.168.1.19:/home/Ramon/easy-rsa/pki/ca.crt /media/veracrypt1/
then the certificate is transferred to DebianBuster
scp /media/veracrypt1/ca.crt Ramon@DebianBuster:/home/Ramon/easy-rsa/pki/ca.crt
scp /media/veracrypt1/CertifBuster\ (authorité\ de\ certification)/ca.crt Ramon@DebianBuster:/tmp
I have to do it in two steps since, with LXD's MACVLAN option, 192.168.1.16, 192.168.1.17 and 192.168.1.19 can't communicate with each other
then inside DebianBuster
sudo mv /tmp/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
comment: if I had known before, I would have considered an LXC “virtual machine” instead of an LXC container in order to keep everything in an encrypted
file system. LXC virtual machines seem to work on Raspberry Pi 4 using Qemu, but it is recent and currently in development
#~… Back to the LXC DebianBuster container: focus on installing OpenVPN
As said, I removed the FreedomBox package from the container. I want to focus on OpenVPN until it works. Then I'll back up the container, clone it and install FreedomBox in order to see if it performs better.
from Ramon[at]RaspberryHostDebianBased$
lxc exec DebianBuster -- /bin/bash
apt-get update
apt-get install openssh-server openssh-client
sudo apt-get install rsync
sudo apt-get install ufw
apt-get install net-tools
apt-get install ethtool
apt-get install bridge-utils
apt-get install nano
apt-get install openvpn network-manager-openvpn
sudo apt install easy-rsa
sudo ufw allow openssh
SSH into DebianBuster, then create a folder on the OpenVPN server as a non-root user: ~/easy-rsa
mkdir ~/easy-rsa
Make a symbolic link between the easy-rsa folder and the above folder
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
Restrict access to ~/easy-rsa to the user Ramon
sudo chown Ramon ~/easy-rsa
chmod 700 ~/easy-rsa
To build the Public Key Infrastructure, use
nano vars
to add the following lines
'
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
'
then initialize the Public Key Infrastructure
./easyrsa init-pki
Issue a certificate request and private key for the OpenVPN server
cd ~/easy-rsa/
./easyrsa gen-req DebianBuster nopass
Common Name (eg: your user, host, or server name) [DebianBuster]:Ramon_at_DebianBuster
sudo cp /home/Ramon/easy-rsa/pki/private/DebianBuster.key /etc/openvpn/server/
From MyLaptop: export the certificate request to the Certification Authority “CertifBuster”
scp Ramon@DebianBuster:/home/Ramon/easy-rsa/pki/reqs/DebianBuster.req /media/veracrypt1/DebianBuster
scp /media/veracrypt1/DebianBuster/DebianBuster.req Ramon@192.168.1.19:/tmp
On CertifBuster : import the certification request
cd ~/easy-rsa/
./easyrsa import-req /tmp/DebianBuster.req DebianBuster
Validate the request using “sign-req”; note that the second argument can be either “server” or “client”, in this case it is “server”
./easyrsa sign-req server DebianBuster
Copy to DebianBuster, in two steps:
# Ramon@CertifBuster :
scp /home/Ramon/easy-rsa/pki/issued/DebianBuster.crt Ramon@192.168.1.12:/media/veracrypt1/DebianBuster/
# Ramon@MyLaptop :
scp /media/veracrypt1/DebianBuster/DebianBuster.crt Ramon@DebianBuster:/tmp
scp Ramon@192.168.1.19:/home/Ramon/easy-rsa/pki/ca.crt /media/veracrypt1/DebianBuster/
scp /media/veracrypt1/DebianBuster/ca.crt Ramon@DebianBuster:/tmp
on DebianBuster
sudo mv /tmp/DebianBuster.crt /etc/openvpn/server
sudo mv /tmp/ca.crt /etc/openvpn/server
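A check worth running on DebianBuster at this point, before writing the server config: confirm that the signed certificate chains to ca.crt, that it carries the role chosen at sign-req (easy-rsa's “server” type adds the serverAuth extended key usage, which a client configured with “remote-cert-tls server” requires), and that it matches the private key placed in /etc/openvpn/server. This is an added example for this post, not easy-rsa's or the tutorial's code; it assumes the openssl command-line tool is installed and uses the file paths from the post.

```shell
#!/bin/sh
# Added check for this post (not easy-rsa's or the tutorial's code): inspect a certificate
# issued by CertifBuster once it sits next to ca.crt on DebianBuster. Assumes the openssl CLI.
# cert_role CA.crt CERT.crt -> prints "server", "client" or "unknown" and returns 0;
# prints "invalid" and returns 1 when CERT.crt does not chain to CA.crt.
cert_role() {
    ca="$1"; crt="$2"
    # the same trust decision an OpenVPN peer makes: issued by our CA and not expired
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo invalid; return 1; }
    # easy-rsa "sign-req server" adds the serverAuth extended key usage (which a client
    # using "remote-cert-tls server" requires); "sign-req client" adds clientAuth
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    case "$text" in
        *"TLS Web Server Authentication"*) echo server ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *) echo unknown ;;
    esac
}
# key_matches_cert CERT.crt KEY.key -> 0 when the public keys agree, 1 otherwise
# (catches the "which .key ended up in /etc/openvpn/server" confusion later in the post)
key_matches_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
# stand-alone use with the paths from the post; skipped when the files are not present
if [ -r /etc/openvpn/server/DebianBuster.crt ]; then
    cd /etc/openvpn/server || exit 1
    echo "DebianBuster.crt role: $(cert_role ca.crt DebianBuster.crt)"
    if key_matches_cert DebianBuster.crt DebianBuster.key; then
        echo "DebianBuster.key matches DebianBuster.crt"
    else
        echo "DebianBuster.key does NOT match DebianBuster.crt"
    fi
fi
```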
Configuration of the cryptographic material for OpenVPN. An additional security layer can be added using a TLS pre-shared key (OpenVPN tls-crypt).
tls-crypt pre-shared key generation :
cd ~/easy-rsa
sudo openvpn --genkey --secret ta.key
sudo cp ta.key /etc/openvpn/server
Generation of the clients’ pairs of certificates and keys, on the OpenVPN server via SSH on DebianBuster
Create a folder on the OpenVPN server to store the clients' certificates and keys
mkdir -p ~/client-configs/keys
Key generation for MyLaptop
cd ~/easy-rsa
[*>]
./easyrsa gen-req MyLaptop nopass
# options :
# Common Name : Ramon[at]MyLaptop
→ this step can be iterated for all users or clients to connect to your OpenVPN server [<*]
copy of the private keys in the right folder
cp /home/Ramon/easy-rsa/pki/private/*.key ~/client-configs/keys/
Transfer of the signature requests to CertifBuster from MyLaptop (two steps because of MACVLAN)
Ramon@MyLaptop
scp Ramon@DebianBuster:/home/Ramon/easy-rsa/pki/reqs/*.req /media/veracrypt1/Clients
scp /media/veracrypt1/Clients/*.req Ramon@192.168.1.19:/tmp
On the certification authority :
Ramon@CertifBuster
cd ~/easy-rsa
./easyrsa import-req /tmp/MyLaptop.req MyLaptop
{…} repeat for each of your clients' or users' requests
./easyrsa import-req /tmp/LastTerm.req LastTerm
# signature of each certificate
./easyrsa sign-req client MyLaptop
{…}
Transfer all signed certificates back to DebianBuster
Ramon@MyLaptop:~$
scp Ramon@192.168.1.19:/home/Ramon/easy-rsa/pki/issued/*.crt /media/veracrypt1/Clients/
scp /media/veracrypt1/Clients/*.crt Ramon@DebianBuster:/tmp
Copy all signed certificates into their respective folders
mv /tmp/*.crt ~/client-configs/keys/
cp ~/easy-rsa/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
sudo chown Ramon:Ramon ~/client-configs/keys/
Check that ca.crt (the certificate of the certification authority), DebianBuster.key (the private key of the OpenVPN server) and ta.key are located in the folder /etc/openvpn/server;
otherwise locate them and copy them into this folder (they might have remained in ~/client-configs/keys/ after the last operations)
sudo cp ca.crt /etc/openvpn/server
sudo mv DebianBuster.key /etc/openvpn/server
sudo cp ta.key /etc/openvpn/server
Reduce the access privileges on the cryptographic files
sudo chmod 640 * # rw for the owner, r for the group, nothing for others
sudo chmod 600 *.key
Now the Certification Authority can be stopped from RaspberryHostDebianBased
lxc stop CertifBuster
OpenVPN’s configuration
The configuration file is adapted from the provided “server.conf” example
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
sudo gunzip /etc/openvpn/server/server.conf.gz
sudo mv /etc/openvpn/server/server.conf /etc/openvpn/server/DebianBuster.conf
sudo nano /etc/openvpn/server/DebianBuster.conf
# Edit the configuration file DebianBuster.conf
# Some options will be changed:
local 192.168.1.17
# beware to input the absolute paths to the certificates
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/DebianBuster.crt
key /etc/openvpn/server/DebianBuster.key # This file should be kept secret
tls-crypt /etc/openvpn/server/ta.key # This file should be kept secret
dh none
topology subnet
client-to-client
# comment the following line "; tls-auth ta.key 0 # This file is secret" and replace it by
tls-crypt /etc/openvpn/server/ta.key
# comment the following line "; cipher AES-256-CBC" and replace it by
cipher AES-256-GCM
auth SHA256
# uncomment
user nobody
group nogroup
# then save [ctrl]+[o] and exit [ctrl]+[x]
tune the network configuration of the OpenVPN server
sudo nano /etc/sysctl.conf
# uncomment the line:
net.ipv4.ip_forward = 1
sudo sysctl -p # update and activate the modifications
Firewall config
sudo nano /etc/ufw/before.rules
# insert the following lines in the before.rules file
"
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
# note: the sample server.conf uses 10.8.0.0/24 for the VPN; /8 also matches any other 10.x.x.x source, so narrow it if other 10/8 networks can reach this container
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
"
# then save [ctrl]+[o] and exit [ctrl]+[x]
sudo nano /etc/default/ufw
# set the following line
'
DEFAULT_FORWARD_POLICY="ACCEPT"
'
# then save [ctrl]+[o] and exit [ctrl]+[x]
Add firewall rules :
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
reload UFW with the updated parameters
sudo ufw disable
sudo ufw enable
In case SSH is blocked, log on to RaspberryHostDebianBased, open a shell with the command “lxc exec DebianBuster -- /bin/bash”, then run “ufw disable”
Next let’s modify the files required for launching OpenVPN at Startup.
sudo nano /etc/default/openvpn
# add the line
AUTOSTART="DebianBuster"
then save [ctrl]+[o] and exit [ctrl]+[x]
sudo nano /etc/init.d/openvpn
# replace "CONFIG_DIR=/etc/openvpn"
# with
CONFIG_DIR=/etc/openvpn/server
then save [ctrl]+[o] and exit [ctrl]+[x]
sudo nano /lib/systemd/system/openvpn@.service
# modify the working directory to the one where DebianBuster.conf is located
# (note: files under /lib/systemd/system are overwritten on package upgrades; a drop-in made with "sudo systemctl edit openvpn@.service" survives them)
WorkingDirectory=/etc/openvpn/server
then save [ctrl]+[o] and exit [ctrl]+[x]
#[*>]----------------- specific to the use of OpenVPN in an LXC container / related to LXD config ---------------------------#
Edit each of the following systemd unit files related to openvpn-server by adding the following lines:
[Service]
LimitNPROC=infinity
sudo systemctl edit openvpn-server@.service
sudo systemctl edit openvpn-client@.service
sudo systemctl edit openvpn@.service
sudo systemctl edit openvpn-server@DebianBuster.service
sudo systemctl edit openvpn@DebianBuster.service
sudo systemctl edit openvpn-client@DebianBuster.service
#----------------- specific to the use of OpenVPN in an LXC container / related to LXD config --------------------------[<*]#
next have a try for running the OpenVPN server
sudo systemctl -f enable openvpn-server@DebianBuster.service
sudo systemctl start openvpn-server@DebianBuster.service
sudo systemctl status openvpn-server@DebianBuster.service
At the present time, I still don't know whether connecting clients to the OpenVPN inside the LXC container will be a success,
but for sure, it's beginning to be likely.
#======================= Client’s configuration infrastructure ================================================================
Each client can have its own configuration. Instead of writing each config file by hand, the tutorial that I followed proposes a process where config files are generated with a script
Building of a client configuration infrastructure.
mkdir -p ~/client-configs/files
It starts by adapting the template client’s config file to the server’s parameter
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
nano ~/client-configs/base.conf
# instructions are adapted accordingly with the server’s config file :
remote 192.168.1.17 1194
proto udp
user nobody
group nogroup
# comment the following lines since these will be provided to the client with the config file
;ca ca.crt
;cert client.crt
;key client.key
;tls-auth ta.key 1 # ta.key will be provided to the client with the config file
cipher AES-256-GCM
auth SHA256
key-direction 1
# for clients using resolvconf
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
# for clients using systemd-resolved
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE
to know more about the script, look at the tutorial cited in reference above
nano ~/client-configs/make_config.sh
sudo chmod 700 ~/client-configs/make_config.sh
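The tutorial's make_config.sh is not reproduced in this post; what follows is an added example of such a script, written for this post and not the tutorial's or the project's code. It assumes the ~/client-configs layout above (base.conf, plus keys/ca.crt, keys/ta.key and keys/<client>.crt and .key) and inlines the material as <ca>, <cert>, <key> and <tls-crypt> blocks, the last one matching the server's tls-crypt line.

```shell
#!/bin/sh
# Added example for this post (not the tutorial's script): build CLIENT.ovpn from
# base.conf plus the material in keys/, the layout used above under ~/client-configs.
# make_ovpn BASE_DIR CLIENT -> writes BASE_DIR/files/CLIENT.ovpn and prints its path
make_ovpn() {
    base_dir="$1"; client="$2"
    keys="$base_dir/keys"; out="$base_dir/files/$client.ovpn"
    # refuse to run with anything missing rather than emit a half-built profile
    for f in "$base_dir/base.conf" "$keys/ca.crt" "$keys/ta.key" \
             "$keys/$client.crt" "$keys/$client.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mkdir -p "$base_dir/files"
    # the profile embeds a private key: create it readable by the owner only
    ( umask 077
      {
          cat "$base_dir/base.conf"
          echo '<ca>';        cat "$keys/ca.crt";      echo '</ca>'
          echo '<cert>';      cat "$keys/$client.crt"; echo '</cert>'
          echo '<key>';       cat "$keys/$client.key"; echo '</key>'
          # <tls-crypt> pairs with the server's "tls-crypt ta.key"; a server using
          # "tls-auth ta.key 0" would need <tls-auth> plus "key-direction 1" instead
          echo '<tls-crypt>'; cat "$keys/ta.key";      echo '</tls-crypt>'
      } > "$out" ) || return 1
    echo "$out"
}
# check_ovpn FILE -> 0 when every inline block is present and closed, 1 otherwise
check_ovpn() {
    for tag in ca cert key tls-crypt; do
        grep -q "^<$tag>$" "$1" && grep -q "^</$tag>$" "$1" || return 1
    done
}
# usage as in the post: ./make_config.sh MyLaptop  (run from ~/client-configs)
if [ "$#" -eq 1 ]; then
    make_ovpn "$(pwd)" "$1" && check_ovpn "$(pwd)/files/$1.ovpn"
fi
```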
execution of the script to generate a client’s config file
cd ~/client-configs
./make_config.sh MyLaptop
copy the configuration to the client computer MyLaptop
scp ~/client-configs/files/MyLaptop.ovpn ramon@MyLaptop:/home/ramon/
# on MyLaptop
sudo apt update
sudo apt install openvpn
# does MyLaptop use systemd-resolved?
cat /etc/resolv.conf
# nameserver 127.0.0.1, not 127.0.0.53 --> MyLaptop doesn't use systemd-resolved
ls /etc/openvpn
# --> but instead it uses update-resolv-conf. Need to adapt the client's configuration file.
nano ~/client1.ovpn
# for clients using resolvconf (uncomment the following lines)
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# Now we try to connect to the Openvpn server From MyLaptop
ramon@MyLaptop:~$ sudo openvpn --config MyLaptop.ovpn
#--> connection success !
# On the RaspberryHostDebianBased, we clone DebianBuster :
# and backup it in a tar.gz file
cd ~
cd Documents/
mkdir LXC
cd LXC
lxc publish DebianBuster --alias=BaseOpenVPN --force
lxc image export BaseOpenVPN
# the file is created in the current folder /home/ramon/Documents/LXC
# it is then renamed BaseOpenVPN.tar.gz
# The container can be reinstalled using: lxc image import BaseOpenVPN.tar.gz
~~~~~~~~~~ Installation of the Freedombox package ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo apt-get install apt-utils
sudo apt-get install freedombox
# modify the firewall configuration
sudo ufw disable
# in order to let MyLaptop access the Freedombox's web interface
sudo ufw allow 443/tcp
# reload UFW with the new parameters
sudo ufw disable
sudo ufw enable
sudo ufw status
# Now we can access the Freedombox on the local network with our web browser at the address 198.168.1.17 (depends on your system)
~~~~~~ Hacking the Freedombox in order to connect the OpenVPN server with the certificates generated by CertifBuster ~~~~~~~~~~~~~~~~~
# From MyLaptop, we reinstall OpenVPN from Freedombox
# On RaspberryHostDebianBased, reboot DebianBuster
Ramon@RaspberryHostDebianBased:~/Documents/LXC$ lxc exec DebianBuster -- /bin/bash
root@DebianBuster:~# reboot
# On DebianBuster :
# Ramon@DebianBuster:
cd /etc/openvpn/server
# Backup of the Freedombox OpenVPN-server's config file
sudo cp freedombox.conf freedombox.conf.bck
# Now replace freedombox.conf by the DebianBuster.conf
sudo mv DebianBuster.conf freedombox.conf
sudo reboot
# From MyLaptop's web browser on the local network https://192.168.1.17/plinth/
# it can be checked by browsing the OpenVPN app that the server is active.
# From MyLaptop :
Ramon@MyLaptop:~$ sudo openvpn --config MyLaptop.ovpn
# Connection success to TUN0 !
# the VPN tunnel is open,
Ramon@MyLaptop:~$ ssh ramon@10.8.1.1 # connection success to DebianBuster
Ramon@DebianBuster:~$ ssh ramon@10.8.1.2 # reverse connection success to MyLaptop
# In order to add new clients, it will be necessary to use the "manual" method of above , instead of using the freedombox interface https://192.168.1.17/plinth/?selected=openvpn
#
~~~~~~~~~~ conclusion for Freedom Box Project ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* It is possible to run an OpenVPN server on a Freedombox set up in an LXC container on a Raspberry Pi 4 (4 GB) and manage the cryptographic material
in an independent container.
* Check the startup scripts :
/etc/default/openvpn
/etc/init.d/openvpn
/lib/systemd/system/openvpn@.service
so that they enable the input of the right address for the openvpn configuration script /etc/openvpn/server/freedombox.conf
* Check that /etc/openvpn/server/freedombox.conf provide the right addresses for the certificates and keys. Providing their absolute path might fix the problem that I encountered.
* LXC allows separating the Certification Authority from the OpenVPN server. This might increase the security of the system. Moreover, with the possibility to handle LXC virtual machines, running the Certification Authority in a virtual machine using an encrypted file system might provide an additional layer of security. The certification authority can be used only while needed, using LXC start/stop, reducing the exposure.
* The use of LXC with Freedombox may help to make containers with the degree of privacy wanted by the user, for example:
- a trusted level for the backup of the files,
- a "shared" level for communicating between colleagues/partners for small businesses or individual entrepreneurs using ejabberd, jitsi ...
- a "public" level where the small businesses or individual entrepreneurs can interact with customers and show their web site.
It would be very cool if the Freedombox project could develop its web interface for that purpose.
* The Freedombox team could add an option in the plinth interface to enable the user to customize the OpenVPN config files for both clients and server, for example by providing the templates of these files and allowing the user to manage these templates accordingly.