OpenVPN on OpenBSD

Installation (NOT COMPLETE)

1) Installation through http://www.openbsdsupport.org/openvpn-on-openbsd.html 2) Use of our ansible playbook found on devops reepo (plays/openbsd-openvpn.yml)

Important files and directories (inside /etc/openvpn)

• server_tun0.conf => The configuration file of the OpenVPN server
• ETS_VPN_add_client.sh => Script used to create a certificate and .ovpn file for the given client (takes client name as parameter)
• ccd => Directory which holds client specific configuration to be pushed to clients (currently holds the IP address of the client). Each file is named after the client name
• client_confs => Holds all clients’ .ovpn files (as generated by ETS_VPN_add_client.sh)
• easy-rsa-pki/private => Holds clients’ private keys
• easy-rsa-pki/issued => Holds clients’ certificates
• private => Holds OpenVPN server, CA and TLS-AUTH private keys
• certs => Holds OpenVPN server and CA certificates

Administering

• Creating a client:
  • /etc/openvpn/ETS_VPN_add_client.sh
  • Create a file inside /etc/openvpn/ccd/
• Managing OpenVPN server and connections at runtime: telnet 127.0.0.1 11195
• Log locations
  • /var/log/openvpn/openvpn.log (OpenVPN server logs)
  • /var/log/openvpn/openvpn-status.log (lists current connections)
• OpenVPN server start-up location: /etc/hostname.em0
• OpenVPN server “chroot”: /var/openvpn/chrootjail
• OpenVPN server by user _openvpn

Things to keep in mind when setting up a standalone VPN server for echoCTF

• On VPN server: Use different network for VPN than the offense network setup on the GW
• On VPN server: In order to access the offense network, add one more route on the server_tun0.conf file (e.g. push “route 10.10.0.0 255.255.0.0”)
• On echoCTF GW: Allow the VPN network to access the offence network (/etc/red-pf.conf)
• On echoCTF GW: Add route towards the VPN network (through the offense vether)

Server Configuration example

########## SERVER CONF ##########
# SERVER CERT CONF
ca /etc/openvpn/certs/echoCTF-OVPN-CA.crt
cert /etc/openvpn/certs/echoCTF-OVPN-Server.crt
key /etc/openvpn/private/echoCTF-OVPN-Server.key
dh /etc/openvpn/dh.pem

# SERVER GENERAL CONF
local 172.16.10.64
writepid /var/run/openvpn.pid
ifconfig-pool-persist /var/openvpn/ipp.txt
tls-auth /etc/openvpn/private/vpn-ta.key 0 # This file is secret
replay-persist /etc/openvpn/replay-persist-file
max-clients 500
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
proto udp4  #or use udp if works better
port 1194
management 127.0.0.1 11195 /etc/openvpn/private/mgmt.pwd
daemon openvpn
chroot /var/openvpn/chrootjail
crl-verify /etc/openvpn/crl.pem
float
persist-key
persist-tun
user _openvpn
group _openvpn

#Additional authorization options - needs to be configured - read further before enabling this
;auth-user-pass-verify /var/openvpn/custom-simple-auth via-env
;script-security 3
keepalive 10 120
comp-lzo
verb 3

# Allow multiple client with the same certificate
duplicate-cn
# Enable running of scripts upon client connect/disconnect
script-security 2

########## END SERVER CONF ##########

########## TUN & CLIENT CONF ##########
dev tun0
server 10.11.0.0 255.255.0.0

push "route 10.0.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 10.10.255.254 255.255.255.255"

client-config-dir /etc/openvpn/ccd

# Script to run upon client connect and disconnect
#up "/etc/openvpn/etsctf_client_up.sh"
#client-disconnect "/etc/openvpn/etsctf_client_down.sh"

########## END TUN&CLIENT CONF ######