
VPN Gateway

Information
Docdate 2018.06.02
Hardware Banana Pi m64
OperatingSystem Armbian 4.14 nightly build

Goal

In this tutorial we describe a site-to-site VPN tunnel between two companies, using a single-board computer as the gateway.

Strongswan

Compile

The bpi-m64 used in this tutorial has 4 cores, so we run make with four parallel jobs (-j4) to keep compile times down.

Install dependencies

apt update && apt-get -qq -y upgrade
apt -y install build-essential bzip2    

Reboot after upgrade

On my Armbian system I had the problem that I wasn't able to start strongSwan after installing it. It looked as if modules were missing from the kernel configuration. After a while I found on the Armbian forum that the only problem was that apt upgrade had installed a new kernel and I had to reboot. So reboot now.

Compile dependencies (libgmp)

GMP publishes a detached GPG signature (.sig) next to each release tarball, and the same files are also served over HTTPS from https://gmplib.org/download/gmp/. Fetch the signature as well and verify it with gpg against the GMP release key before you build, especially when pulling the tarball over plain FTP as below.

mkdir /opt/gmp_src
cd /opt/
wget ftp://ftp.gmplib.org/pub/gmp-6.1.2/gmp-6.1.2.tar.lz
apt -y install lzip
lzip --decompress *.lz
tar xf *.tar -C /opt/gmp_src --strip-components=1
cd gmp_src
./configure
make -j4
make check
make install
ldconfig   # make install puts libgmp into /usr/local/lib; refresh the loader cache so strongSwan finds it

Compile strongswan (latest)

download.strongswan.org provides a detached signature (.sig) next to every tarball, signed with the strongSwan release key; verify it before unpacking, since the result will run as root on your gateway.

mkdir /opt/strongswan
cd /opt/
wget https://download.strongswan.org/strongswan.tar.bz2
tar xjvf strongswan.tar.bz2 -C /opt/strongswan --strip-components=1
cd strongswan

The ./configure options decide which plugins are built. The minimal call that installs into /usr and reads its configuration from /etc is:

./configure --prefix=/usr --sysconfdir=/etc

If you also want Windows 7/10 clients to authenticate with username and password (EAP-MSCHAPv2), add the EAP plugins; --enable-md4 is needed because MSCHAPv2 works on the NT password hash:

./configure --prefix=/usr --sysconfdir=/etc --enable-eap-identity --enable-eap-mschapv2 --enable-md4

Keep in mind that MSCHAPv2 on its own is weak (a captured exchange can be cracked offline), so it is only acceptable because IKEv2 runs it inside the IKE_AUTH exchange after the gateway has authenticated itself with its certificate; the clients must therefore really validate that certificate. All options are listed on the strongSwan wiki: https://wiki.strongswan.org/projects/strongswan/wiki/Autoconf

make -j4
make install

Add startup script to /etc/init.d/strongswan

Create the file /etc/init.d/strongswan and copy the next lines into it.

#! /bin/sh
### BEGIN INIT INFO
# Provides: vpn
# Required-Start: $network $local_fs
# Required-Stop: $network $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Strongswan IPsec services
### END INIT INFO

# Author: Rene Mayrhofer rene@mayrhofer.eu.org

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="strongswan IPsec services"
NAME=ipsec
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
  # Return
  # 0 if daemon has been started
  # 1 if daemon was already running
  # 2 if daemon could not be started
  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
      || return 1
  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- start \
      || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
  # Return
  # 0 if daemon has been stopped
  # 1 if daemon was already stopped
  # 2 if daemon could not be stopped
  # other if a failure occurred
  # give the proper signal to stop
  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- stop \
      || return 2
  # but kill if that didn't work
  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
  RETVAL="$?"
  [ "$RETVAL" = 2 ] && return 2
  # Wait for children to finish too if this is a daemon that forks
  # and if the daemon is only ever run from this initscript.
  # If the above conditions are not satisfied then add some other code
  # that waits for the process to drop all resources that could be
  # needed by services started subsequently. A last resort is to
  # sleep for some time.
  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
  [ "$?" = 2 ] && return 2
  # Many daemons don't delete their pidfiles when they exit.
  rm -f $PIDFILE
  return "$RETVAL"
}

do_reload() {
  $DAEMON reload
  return 0
}

case "$1" in
  start)
  [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
  do_start
  case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
  esac
  ;;
  stop)
  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
  do_stop
  case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
  esac
  ;;
  status)
  $DAEMON status
  ;;
  reload|force-reload)
  log_daemon_msg "Reloading $DESC" "$NAME"
  do_reload
  log_end_msg $?
  ;;
  restart)
  log_daemon_msg "Restarting $DESC" "$NAME"
  do_stop
  case "$?" in
    0|1)
      do_start
      case "$?" in
          0) log_end_msg 0 ;;
          1) log_end_msg 1 ;; # Old process is still running
          *) log_end_msg 1 ;; # Failed to start
      esac
      ;;
    *)
      # Failed to stop
      log_end_msg 1
      ;;
  esac
  ;;
  *)
  echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
  exit 3
  ;;
esac

:

Config: /etc/init.d/strongswan

Source: https://github.com/strongswan/strongswan/blob/master/packages/strongswan/debian/strongswan-starter.ipsec.init

Autostart Strongswan

chmod 755 /etc/init.d/strongswan
systemctl enable strongswan

strongswan.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable strongswan
insserv: warning: current start runlevel(s) (empty) of script `strongswan' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `strongswan' overrides LSB defaults (0 1 6).

Output

Now you can reboot or simply restart the strongswan service

service strongswan restart
service strongswan status

$ service strongswan status
● strongswan.service - LSB: Strongswan IPsec services
   Loaded: loaded (/etc/init.d/strongswan; generated; vendor preset: enabled)
   Active: active (running) since Mon 2018-06-04 16:17:02 UTC; 1min 56s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 884 ExecStart=/etc/init.d/strongswan start (code=exited, status=0/SUCCESS)
    Tasks: 18 (limit: 4915)
   CGroup: /system.slice/strongswan.service
           ├─1110 /usr/libexec/ipsec/starter --daemon

Installation done

CA Setup

The goal of this part is to set up a certificate authority (CA). The CA issues the certificates your gateway and clients use to authenticate each other when a connection is established. You can read more about it on Wikipedia: https://en.wikipedia.org/wiki/Certificate_authority

CA environment

We use two bpi-m64 SBCs as servers at this site:

  • One server (CA) creates and manages certificates 192.168.0.1
  • One server (ipsec Gateway) serves as gateway and has an owncloud instance installed for sharing certificates 192.168.0.2

Installation

Flash Armbian to both bpi-m64 boards (described in a separate tutorial on this site) and connect to them over SSH.

We name the CA host ca and the gateway gw. Replace the default hostname bananapi-m64 in the following files on each board:

vi /etc/hosts
vi /etc/hostname

Gateway server

Connect to the gateway and install ownCloud on it.

Create Store

mkdir -p /var/www/html/data/root/files/ca_transfer/
chown -R www-data: /var/www/html/data/root/files/ca_transfer/   # ownCloud runs as www-data and must be able to read and write the share
cd /var/www/html/
sudo -u www-data php occ files:scan --all

Then install strongSwan on the gateway as described in the first part of this page.

CA server

Mail

You may need to set up a mail server first. At a minimum, install and configure sSMTP on this server, because the certificate scripts send mail to the certificate owner.

User

We'll use a user named ca for the management of the CA.

adduser ca

Adding user `ca' ...
Adding new group `ca' (1001) ...
Adding new user `ca' (1001) with group `ca' ...
Creating home directory `/home/ca' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for ca
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]

Output

Because this user has to install packages later on, we add it to the sudo group. Note that this gives the ca user full root rights on the CA host; if you prefer to keep the CA account unprivileged, install the dependencies mentioned further down as root instead and skip this step.

usermod -aG sudo ca

SSH

Add a host entry to /home/ca/.ssh/config so the ca user can reach the gateway with ssh gw. Run these commands as the ca user (or chown the files to ca afterwards); ssh refuses a config file that other users can write, hence the permissions.

mkdir -m 700 /home/ca/.ssh
vi /home/ca/.ssh/config
chmod 600 /home/ca/.ssh/config

Host gw
    User root
    Hostname 192.168.0.2
    Port 22

Also set up key-based authentication for this connection so that no password is needed (generate a key pair with ssh-keygen and install the public key on gw with ssh-copy-id). The scripts log in as root on the gateway, so protect the ca user's private key accordingly: anyone who can read it gets root on the gateway.

Git repository

Download the CA environment from github to the server named ca

apt-get update
apt-get install git
cd /opt/
git clone https://github.com/rothirschtec/RT-Blog-CA.git
chown -R ca: RT-Blog-CA
chmod -R 700 RT-Blog-CA
cd RT-Blog-CA

def_locl.sh

Copy central/templates/defaults.sh to def_locl.sh. def_locl.sh is listed in .gitignore, so a git pull will not overwrite it.

Here you define

  • the mail address from which you will receive mails
  • the ownCloud settings (the defaults should already be right)
  • the SSH host name of your gateway: ipsecgw="gw"

CA Config

Create CA

For this part you have to be connected over SSH to the ca server (the one you set up in the previous section). Change to the directory of the git repository you downloaded.

cd /opt/RT-Blog-CA

Here you can easily create a new CA with the script createCA

./createCA

pwgen: is not installed
uuid-runtime: is not installed
The script found missing dependencies. Install them first.

Output

The first execution informs us about missing dependencies. So we'll install them.

sudo apt install pwgen uuid-runtime

Now we can execute the script again

./createCA

Choose a company domain name (like "domain.local"): domain.local
Using company name: domain.local ...

Choose a shortname for the CA like ca2k: ca1k
Using CA name: ca1k ...

You will now create a subject for your CA. These are information
the strongswan gateway will use to identify the senders and receivers
Additionally this script saves the parameters you choose as default
values for later use.
CA Country (2 Letters): : AT
CA State: : Puxtehude
CA City: : Stadt
CA Company Name: : Testfirma
CA Unit (Company: Server/Client (specific): : TF - Servers (CA 1k)

Your server name like ca.domain.local
CA CommonName: : ca.domain.local
CA nsComment (optional): :

What will the generale liftime of a certificate, created with this CA, be?
You have to reissue any certificate after this periode
The certificate of the CA itself has a lifetime of 3 year (1095 days)
CA Certificate Lifetime (30): : 30
Using Subject: /C=AT/ST=Puxtehude/L=Stadt/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.local

A 4096bit key length can result in MTU issues on some ISPs
For higher compatibility, e.g. for mobile devices, use a smaller length like
2048bit but you have to reissue them more often. It's not recommended to use
a key lenght less than 1024bit. For a site to site connection you
should probably use the 4096bit lenght.
Key length (1024|2048|4096): 1024

In some situations VPN clients and servers reading if the Domain name
of the ipsec gateway exists and resolves to the IP Adress of the gateway.
So if you use this parameter wrong your certificates will not authenticate.
Please add 'DNS:' at the beginning if you use a DNS Name.
Please add 'IP:' before the IP if you use a static IP.
Server (IP:... or DNS:...): DNS:gx.domain.local

New password: Iujae3ieeKapah7u

Create CA...
Making CA certificate ...
/C=AT/ST=Puxtehude/L=Stadt/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.localGenerating a 1024 bit RSA private key
...............................++++++
............................................................++++++
writing new private key to './demoCA/private/cakey.pem'
-----
Using configuration from /opt/RT-Blog-CA/.tmp/294c1056-9957-4591-8123-ff4e1a717ddf/openssl.cnf
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
281472947608016:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
281472947608016:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f5:69:c5:6b:20:84:88:18
        Validity
            Not Before: Jul 3 13:42:21 2018 GMT
            Not After : Jul 2 13:42:21 2021 GMT
        Subject:
            countryName = AT
            stateOrProvinceName = Puxtehude
            organizationName = Testfirma
            organizationalUnitName = TF - Servers (CA 1k)
            commonName = ca.domain.local
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                8A:F5:15:F2:E7:52:E2:FC:B7:2E:DE:A9:A3:11:22:F5:D6:47:98:4B
            X509v3 Authority Key Identifier:
                keyid:8A:F5:15:F2:E7:52:E2:FC:B7:2E:DE:A9:A3:11:22:F5:D6:47:98:4B
                DirName:/C=AT/ST=Puxtehude/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.local
                serial:F5:69:C5:6B:20:84:88:18

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul 2 13:42:21 2021 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Move all files and information into destination directory...

Your certificate authority has been created!
All files are in:
/opt/RT-Blog-CA/companies/domain.local/ca1k/

Output

The script explains every prompt, so fill in the values as you want them. For this page we created a CA with the following settings:

  • Domain: domain.local
  • Shortname of the CA: ca1k (chosen because this CA issues 1024-bit keys; you can name the CA as you like)
  • Country code: AT
  • State: Puxtehude
  • City: Stadt
  • Company name: Testfirma
  • Unit name used for this certificate: TF - Servers (CA 1k)
  • CommonName (hostname with domain): ca.domain.local
  • Certificate lifetime: 30 days (this is the lifetime of the certificates issued by this CA; the CA certificate itself is valid for 1095 days, as the output shows)
  • Key length: 1024
  • Gateway address: DNS:gx.domain.local

Two caveats before you use this outside a lab. First, 1024-bit RSA is chosen here only to keep key generation fast on the bpi-m64; it is below the accepted minimum for new keys, so use at least 2048 bits for clients and 4096 bits for the site-to-site gateway certificates, as the script's own hint suggests. Second, the gateway address must be exactly the identity the peers will check (it becomes the SAN of the gateway certificate, DNS:gx.domain.local above); if it is wrong, authentication fails, and in some setups the name also has to resolve to the gateway's IP.

That is it: you have created your first CA.

Certificates

After you have created a CA, switch to its directory.

cd companies/domain.local/ca1k # an example

Here you manage the certificates with one-line commands using the script manageCerts; run it without arguments for further instructions. We start with a certificate for the IPsec gateway.

./manageCerts "recreate" "rene@domain.local" "gwcert" "main"

zip: is not installed
mailutils: is not installed
The script found missing dependencies. Install them first.

Output

We have to install a few dependencies first

sudo apt install zip mailutils

Now we can create the "main" certificate for the IPsec gateway:

./manageCerts "recreate" "rene@domain.local" "gwcert" "main"

-> Cacert detected: ca1k

Couldn't find a main certificate!
But will be created in this round...

------------------------
CERT: gwcert
------------------------

-> Use Certificate: 'gwcert.domain.local'
Country: AT
State: Puxtehude
Location: Stadt
Company: Testfirma
Organisation Unit: TF - Servers (IPSEC gateway)
Common Name CN: gx.domain.local
E-Mail cert owner: rene@domain.local

Create new request...
Generating a 1024 bit RSA private key
........................++++++
.++++++
writing new private key to '/opt/RT-Blog-CA/companies/domain.local/ca1k/newkey.pem'
-----

Sign new key...
Using configuration from /opt/RT-Blog-CA/companies/domain.local/ca1k/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ca:63:4d:e3:6b:b8:42:77
        Validity
            Not Before: Jul 4 08:43:12 2018 GMT
            Not After : Aug 3 08:43:12 2018 GMT
        Subject:
            countryName = AT
            stateOrProvinceName = Puxtehude
            localityName = Stadt
            organizationName = Testfirma
            organizationalUnitName = TF - Servers (IPSEC gateway)
            commonName = gx.domain.local
         X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                ..
            X509v3 Subject Key Identifier:
                83:A0:A6:55:A4:EC:C8:A8:63:0E:D9:15:C0:60:8F:A8:EF:96:98:AB
            X509v3 Authority Key Identifier:
                keyid:A7:17:D9:B6:4C:83:8B:EC:83:FF:22:5C:4F:E6:EA:8C:DC:BD:B0:7F

            X509v3 Subject Alternative Name:
                DNS:gx.domain.local
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Aug 3 08:43:12 2018 GMT (30 days)

Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Move keys and certs to folder...

Generate crl...
show subject of cert...
Zip Password: Fia1eiquOotha0Ix

Request successful

Output

For a client, use the same command but leave out the "main" argument at the end. Check the SAN of the resulting certificate: in the output below, the client certificate received DNS:gx.domain.local (the gateway's identity) plus the TLS Web Server Authentication EKU, exactly like the gateway certificate. strongSwan accepts a peer's claimed identity if it appears in the subject or a SAN of the certificate the peer presents, so a client certificate carrying the gateway's name could be used to pose as the gateway towards other clients. Client certificates should carry the client's own identity (its CN or e-mail address) instead; check the SAN settings in the openssl.cnf of the CA directory before handing certificates out.

./manageCerts "recreate" "client@domain.local" "client"

-> Cacert detected: ca1k

------------------------
CERT: client
------------------------

-> Use Certificate: 'client.domain.local'
Country: AT
State: Puxtehude
Location: Stadt
Company: Testfirma
Organisation Unit: TF - Clients (Client 1)
Common Name CN: client1.domain.local
E-Mail cert owner: client@rothirsch.tech

Create new request...
Generating a 1024 bit RSA private key
...........++++++
....................................................++++++
writing new private key to '/opt/RT-Blog-CA/companies/domain.local/ca1k/newkey.pem'
-----

Sign new key...
Using configuration from /opt/RT-Blog-CA/companies/domain.local/ca1k/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ca:63:4d:e3:6b:b8:42:78
        Validity
            Not Before: Jul 4 09:15:31 2018 GMT
            Not After : Aug 3 09:15:31 2018 GMT
        Subject:
            countryName = AT
            stateOrProvinceName = Puxtehude
            localityName = Stadt
            organizationName = Testfirma
            organizationalUnitName = TF - Clients (Client 1)
            commonName = client1.domain.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                ..
            X509v3 Subject Key Identifier:
                82:88:34:DD:CA:38:0E:CD:69:F4:05:EC:31:F2:94:C2:A7:D1:4E:F7
            X509v3 Authority Key Identifier:
                keyid:A7:17:D9:B6:4C:83:8B:EC:83:FF:22:5C:4F:E6:EA:8C:DC:BD:B0:7F

            X509v3 Subject Alternative Name:
                DNS:gx.domain.local
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Aug 3 09:15:31 2018 GMT (30 days)

Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Move keys and certs to folder...

Generate crl...
show subject of cert...
p12 convertion...
Zip Password: bohChee9eePook8v
Sending mail to user...

Request successful

Output
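The following is an added example, not code from this page or from the RT-Blog-CA project. It reproduces with plain openssl commands what createCA and manageCerts do in the two sections above (CA key and certificate, a gateway certificate with its DNS SAN, a client certificate, a CRL after a revocation, and a chain check), so every step can be inspected. It also issues a deliberately wrong client certificate that carries the gateway's SAN, like the client certificate in the output above, and flags it. The 2048-bit key size, the temporary directory and the clientAuth EKU for clients are assumptions made here; the names are the tutorial's.

```shell
set -eu

# Added example (not the page's or RT-Blog-CA's code): a minimal openssl CA
# mirroring createCA / manageCerts. Assumptions: writable temp dir, 2048-bit
# keys, tutorial names (domain.local, gx.domain.local, client1.domain.local).
PKI="${PKI:-$(mktemp -d)}"
GW_ID="gx.domain.local"          # the gateway's identity, i.e. its certificate SAN

pki_init() {                     # CA database, serial, CRL number, CA key + self-signed cert
  mkdir -p "$PKI/newcerts" "$PKI/certs"
  : > "$PKI/index.txt"
  echo 01 > "$PKI/serial"
  echo 01 > "$PKI/crlnumber"
  cat > "$PKI/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $PKI/index.txt
new_certs_dir    = $PKI/newcerts
serial           = $PKI/serial
crlnumber        = $PKI/crlnumber
certificate      = $PKI/cacert.pem
private_key      = $PKI/cakey.pem
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = any_pol
[ any_pol ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -config "$PKI/openssl.cnf" -extensions v3_ca \
    -subj "/C=AT/O=Testfirma/OU=TF - Servers (CA demo)/CN=ca.domain.local" \
    -keyout "$PKI/cakey.pem" -out "$PKI/cacert.pem" 2>/dev/null
}

issue_cert() {                   # issue_cert <name> <subject> <subjectAltName> <extendedKeyUsage>
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\n' > "$PKI/certs/$1.ext"
  printf 'extendedKeyUsage = %s\nsubjectAltName = %s\n' "$4" "$3" >> "$PKI/certs/$1.ext"
  printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' >> "$PKI/certs/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI/openssl.cnf" \
    -subj "$2" -keyout "$PKI/certs/$1.key" -out "$PKI/certs/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$PKI/openssl.cnf" -extfile "$PKI/certs/$1.ext" \
    -in "$PKI/certs/$1.csr" -out "$PKI/certs/$1.pem" 2>/dev/null
}

gen_crl() { openssl ca -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null; }

revoke_cert() {                  # revoke <name> and publish a fresh CRL
  openssl ca -config "$PKI/openssl.cnf" -revoke "$PKI/certs/$1.pem" 2>/dev/null
  gen_crl
}

verify_cert() {                  # 0 if <name> chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$PKI/cacert.pem" -CRLfile "$PKI/crl.pem" \
    "$PKI/certs/$1.pem" >/dev/null 2>&1
}

san_of() {                       # print the subjectAltName value(s) of <name>
  openssl x509 -in "$PKI/certs/$1.pem" -noout -text \
    | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

claims_gateway_id() {            # 0 if <name> could pass an identity check for the gateway
  san_of "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$GW_ID"
}

pki_init
gen_crl                          # an empty CRL, so verify_cert works before any revocation
issue_cert gw     "/C=AT/O=Testfirma/OU=TF - Servers (IPSEC gateway)/CN=$GW_ID" "DNS:$GW_ID" serverAuth
issue_cert client "/C=AT/O=Testfirma/OU=TF - Clients (Client 1)/CN=client1.domain.local" \
                  "email:client@domain.local" clientAuth
# Same mistake as in the manageCerts output above: a client certificate carrying the gateway's SAN.
issue_cert badclient "/C=AT/O=Testfirma/OU=TF - Clients (Client 2)/CN=client2.domain.local" \
                     "DNS:$GW_ID" serverAuth

for n in gw client badclient; do
  if claims_gateway_id "$n"; then flag=yes; else flag=no; fi
  printf '%-10s SAN=%-28s can-pose-as-gateway=%s\n' "$n" "$(san_of "$n")" "$flag"
done
revoke_cert client
verify_cert gw     && echo "gw: valid"
verify_cert client || echo "client: rejected (revoked)"
```

Run it as a normal user; it writes only into the temporary directory. In the real CA the claims_gateway_id check is the one worth running over every certificate you hand out: a certificate that can satisfy an identity check for gx.domain.local must exist only on the gateway.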

Strongswan