DaemonForums > OpenBSD > OpenBSD Security
Posted 6th July 2009 by jggimi

I *think* so, but it's only a guess. As I understand, each tun(4) interface is a separate communications connection between the network protocol stack in the kernel and a userland program. Two programs ... two tun devices.
Posted 8th July 2009 by plexter

Hi again,

So I was trying to set up OpenVPN last night (using a certificate), and I'm sure more configuration must be required before I run the commands outlined in the 'HOWTO':

http://openvpn.net/index.php/open-so...howto.html#pki


Code:
. ./vars
ksh: ./vars[29]: /root/ovpn/whichopensslcnf: not found
If I open the vars file I can see the line referencing the 'whichopensslcnf' file. If I change it to openssl.cnf, which does exist, I get the following errors.

Code:
. ./vars
/root/ovpn/openssl.cnf[10]: HOME: not found
/root/ovpn/openssl.cnf[11]: RANDFILE: not found
/root/ovpn/openssl.cnf[12]: openssl_conf: not found
/root/ovpn/openssl.cnf[17]: oid_section: not found
/root/ovpn/openssl.cnf[18]: engines: not found
/root/ovpn/openssl.cnf[37]: default_ca: not found
/root/ovpn/openssl.cnf[42]: dir: not found
/root/ovpn/openssl.cnf[43]: certs: not found
/root/ovpn/openssl.cnf[44]: crl_dir: not found
/root/ovpn/openssl.cnf[45]: database: not found
/root/ovpn/openssl.cnf[46]: new_certs_dir: not found
/root/ovpn/openssl.cnf[48]: certificate: not found
/root/ovpn/openssl.cnf[49]: serial: not found
/root/ovpn/openssl.cnf[50]: crl: not found
/root/ovpn/openssl.cnf[51]: private_key: not found
/root/ovpn/openssl.cnf[52]: RANDFILE: not found
/root/ovpn/openssl.cnf[54]: x509_extensions: not found
/root/ovpn/openssl.cnf[60]: default_days: not found
/root/ovpn/openssl.cnf[61]: 30: not found
/root/ovpn/openssl.cnf[62]: default_md: not found
/root/ovpn/openssl.cnf[63]: preserve: not found
...
...
Goes on...
I'm also concerned about whether there are any "pass phrases" or something that I need to change so they are "unique" from the defaults. I've edited the last 5 lines for country, etc.

Any idea what I'm missing?

Thanks!
Posted 8th July 2009 by jggimi

Have you looked at this, yet?

http://blog.innerewut.de/2005/07/04/...2-0-on-openbsd
Posted 8th July 2009 by plexter

I had, actually. The commands seem pretty much the same as those provided by OpenVPN's guide.

I do notice he issues init-config on his OpenBSD, which does not exist, nor appear in the "UNIX" install instructions on OpenVPN's site.

From their site:
Code:
Generate the master Certificate Authority (CA) certificate & key

In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients.

For PKI management, we will use a set of scripts bundled with OpenVPN.

If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory of the OpenVPN distribution. If you installed OpenVPN from an RPM file, the easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (it's best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa directory will be in the top level directory of the expanded source tree.

If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):

    init-config

Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

Next, initialize the PKI. On Linux/BSD/Unix:

    . ./vars
    ./clean-all
    ./build-ca

On Windows:

    vars
    clean-all
    build-ca
Any idea?

Thanks!
Posted 9th July 2009 by s2scott

Did you source OpenVPN from packages, or are you going from source?

Code:
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/i386/
# pkg_add -iv openvpn-2.1rc15
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Posted 9th July 2009 by plexter

Hi all,

So I've managed to get the PKI and server installed and up and running. My issue above was that I was not properly pointing to where I had moved the RSA files. I had not realized this needed to be done. (Did it even say that in the guide?)

Anyway, everything seems to be "working", with the exception that I cannot fully connect. I'm connecting from Windows and I get prompted for my password (I enabled a certificate password) and all that. Only now it just sits there saying "connecting...". I'm using OpenVPN with the OpenVPN GUI.

A snippet of my logs on the Windows machine:
Code:
Thu Jul 09 13:59:38 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 09 13:59:38 2009 TLS Error: TLS handshake failed
Thu Jul 09 13:59:38 2009 TCP/UDP: Closing socket
Thu Jul 09 13:59:38 2009 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 09 13:59:38 2009 Restart pause, 2 second(s)
Thu Jul 09 13:59:40 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Jul 09 13:59:40 2009 Re-using SSL/TLS context
Thu Jul 09 13:59:40 2009 LZO compression initialized
Thu Jul 09 13:59:40 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jul 09 13:59:40 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jul 09 13:59:40 2009 Local Options hash (VER=V4): '81620525'
Thu Jul 09 13:59:40 2009 Expected Remote Options hash (VER=V4): '296pdylj'
Thu Jul 09 13:59:40 2009 UDPv4 link local: [undef]
Thu Jul 09 13:59:40 2009 UDPv4 link remote: "correct_ip":1194
I imagine it's to do with TLS, but I don't recall even enabling this. Any ideas?

Thanks!
Posted 10th July 2009 by s2scott

Please include your session config file, but I suspect it has to do with the following two directives...

Code:
tls-server
tls-auth /etc/ovpn/keys/tls-auth.key 0
tls-server, as a variant of server mode, allows for MANY TLS clients. TLS mode is not needed -- depending on your many-to-one or not userland -- but for the want of two correct params it is recommended.

/S
Posted 14th July 2009 by plexter

Hi again,

Thanks for all your help. Sorry for the delay in response.

I've since been able to get connected to my VPN. I think the issue was that I was not starting OpenVPN properly.

I have a few 'new' issues however.

1. OpenVPN does not seem to start when I reboot my system.

rc.local
Code:
openvpn --daemon --config /etc/openvpn/server.conf
2. Once connected I do not seem to be able to go anywhere except for the net block used for my VPN. I gather this has to do with routes; however, if I SSH into the VPN server, I can ping internal network resources fine.

3. On a side note, I use pppoe, but it does not reconnect should it get disconnected, unless the system is rebooted. Any way to resolve this?

rc.local
Code:
/usr/sbin/ppp -ddial pppoe

Thanks for your help!
Posted 17th July 2009 by plexter

Any ideas?
Posted 17th July 2009 by jggimi

Quote:
Originally Posted by plexter
OpenVPN does not seem to start when I reboot my system....
Change rc.local to use the explicit path to the executable in /usr/local/sbin. That directory might not be in init(8)'s $PATH when rc.local gets executed.
Quote:
Once connected I do not seem to be able to go any where except for the net block used for my VPN. I gather this has to do with routes however if I SSH into the VPN server, I can ping internal network resources fine.
Since you have not shared your server and client configurations, your guess is as good as any other. Compare the output of "route -n show -inet" both as a VPN and non-VPN user. If you are using a virtual IP address pool for VPN users, take note of the routing to that subnet.
Quote:
...I use pppoe but it does not reconnect should it get disconnected unless the system is rebooted. Anyway to resolve?
Maybe, maybe not. But no one will be able to assist unless you post your configuration and the error messages you receive when you attempt to restart.
Posted 23rd July 2009 by plexter

Hi jggimi,

Thanks for your help!

"/usr/local/sbin" seems to have worked!

As far as my routes go, that seems to be working again now. I've redone some other portions of my network, so the problem was probably elsewhere. :P

For PPPoE I do not receive any error messages. My problem is if the line should disconnect without user interaction; I would like it to automatically try and reconnect.

Configuration below:
Code:
default:
 set log Phase Chat IPCP CCP tun command
 set redial 15 0
 set reconnect 15 10000
 set server /var/run/ppp.sock "" 0177

pppoe:
  set device "!/usr/sbin/pppoe -i rxl0"
  disable acfcomp protocomp
  deny acfcomp
  set mtu max 1492
  set mru max 1492
  set speed sync
  disable lqr
  set cd 5
  set dial
  set login
  set timeout 0
  set authname ************
  set authkey ************
  add! default HISADDR
  enable dns
  enable mssfixup
Also, is it possible to set what the default gateway will be for pppoe?

Thanks for your help!
Posted 23rd July 2009 by jggimi

Quote:
Originally Posted by plexter
...I use pppoe but it does not reconnect should it get disconnected unless the system is rebooted....
Quote:
Originally Posted by plexter
...I do not receive any error messages. My problem is if the line should disconnect without user interaction. I would like it to automatically try and reconnect....
  1. I'm confused by your problem description. Exactly what happens when your connection fails? It's not clear what your symptoms are, or, what you've tried. Please post specific symptoms and any diagnostic information you've gathered. Here are some completely-made-up possibilities, showing the level of problem detail I'm requesting:

    "pppoe exits. Attempts to start it again cause an immediate exit. No pppoe or ppp processes appear in ps(1) lists. Destroying tun0 and restarting cause the tun to reappear, but then pppoe/ppp exit immediately again."


    "ppp goes into a loop -- kill -9 fails to stop it. top(1) shows it consuming all available cpu."

  2. Did you set up a ppp log per the ppp(8) man page? If so, what are the contents of that log?
  3. Have you looked through /var/log/daemon and /var/log/messages for messages that may not have appeared on the console? If so, what are the applicable contents?
Quote:
...Also is it possible to set what the default gateway will be for pppoe?
According to pppoe(8), route configuration information is in ppp(8). And it's true, there is plenty of discussion of routing settings within that man page. In particular, look at the "add default HISADDR" discussion.
Posted 23rd July 2009 by BSDfan666

Anyone else notice the interface rxl0 in his configuration file? That doesn't look right.
Posted 23rd July 2009 by jggimi

That might be a copy/paste error. Since there is no rxl(4), an invalid interface should cause pppoe to fail to connect 100% of the time, not just after a line-drop.
Posted 27th July 2009 by plexter

Okay let me start over.

My issue has nothing to do with an error message or crashing per se.

I'm talking about having PPPoE reconnect automatically when there is no connection already made.

Example: I reset my interfaces with /etc/netsh or pull the ethernet cable out temporarily and put it back, something that would result in losing the physical connection. I find that PPPoE does not regain its connection. "Redial the connection once the -path- is restored."

If, on say a router, I were to pull the ethernet cable and put it back after a short while, the connection to the internet would be restored (assuming there was nothing preventing the connection). I would like the same scenario to occur on OpenBSD.

Also I have noticed PF fails when I reboot my system. I believe this is because TUN is not up yet. Would there be a way to work around this? Or do I have to put all my ext_if with ($ext_if)?

Regarding specifying the route.
I've tried many combinations of the below:

Code:
set ifaddr myip gateway 255.255.255.255 0.0.0.0
I always seem to be left with no connection (PPP does run fine, though). I do seem to get the correct IP without the line, and the internet does work when omitting the line. However, the gateway tends to be somewhat randomly assigned. I was told by my ISP that I should be connecting to a particular one (since the IP is static), and I would like to try it, since my connection seems rather poor since switching from my hardware appliance to OpenBSD.

Hope that helps!
Thanks!
Posted 27th July 2009 by jggimi

Quote:
Originally Posted by plexter
... I'm talking about having PPPoE reconnect automatically when there is no connection already made.
I don't understand that sentence. If there is no pre-existing connection, then there's nothing to reconnect on failure.
Quote:
Example: I reset my interfaces /etc/netsh or pull the ethernet cable out temporarily and put it back, something that would result in losing the physical connection. I find that PPPoE does not regain its connection. "redial the connection once the -path- is restored"
1. There is no "/etc/netsh" file in this OS.
2. When you are pulling cables, you are changing the physical infrastructure. The pppoe protocol is point-to-point over Ethernet. When you physically disturb the underlying Ethernet layer, more is going on than simply a drop of the PPP connection.
Quote:
If, on say a router, I were to pull the ethernet cable and put it back after a short while the connection to the internet would be restored. (assuming there was nothing preventing the connection) -I would like the same scenario to occur on OpenBSD.
Then set up a cron(8) script that runs every few minutes, checks line status, discovers an outage caused by your yanking cables, and attempts a restart.
Quote:
Also I have noticed PF fails when I reboot my system. I believe this is because TUN is not up yet. Would there be a way to work around this? Or do I have to put all my ext_if with ($ext_if)?
Parentheses are used for dynamic IP addresses, not dynamically created pseudo NICs. To have the OS create a tun(4) interface at boot time, you can use something similar to:
# echo up > /etc/hostname.tun0
Quote:
Regarding specifying the route.
I've tried many combination's of the below...
That isn't helpful to our diagnosis. Try several steps:
  • Connect without specifying a default route in your ppp.conf. Examine the output of $ route -n show -inet. If you need a default route at that point, try adding it with the route(8) command. Examine the route table before/after.
  • Connect with specifying a default route in your ppp.conf. Examine the output of $ route -n show -inet.
  • Lather, rinse, repeat.
If you need further assistance after that, post your routing table before you begin issuing routing commands, and after, and the commands you executed, too.
Quote:
...However the gateway tends to be somewhat randomly assigned. I was told by my ISP that I should be connecting to a particular one (since the IP is static) and I would like to try it since my connection seems rather poor since switching from my hardware appliance to OpenBSD.
You have described a gateway at the other end of your PPP connection that changes. That gateway address MUST be your default route. Each time that remote address changes .... so must your default route.
Posted 27th July 2009 by plexter

Quote:
I don't understand that sentence. If there is no pre-existing connection, then there's nothing to reconnect on failure.
I'll try again. Basically I would like OpenBSD to always try and make a connection. If the system is started = make pppoe connection; if the line breaks/disconnects/restarts = reconnect right away and continue to try until it is successful. In the end OpenBSD/ppp should ALWAYS try and make sure it HAS a connection.

Quote:
There is no "/etc/netsh" file in this OS.
Sorry I meant netstart

Quote:
Then set up a cron(8) script that runs every few minutes, checks line status, discovers an outage caused by your yanking cables, and attempts a restart.
Would you have an example? I have not determined how to check if the pppoe connection is active. I can tell if it has an IP address but that is all.

Quote:
Parentheses are used for dynamic IP addresses, not dynamically created pseudo NICs. To have the OS create a tun(4) interface at boot time, you can use something similar to:

# echo up > /etc/hostname.tun0
Thanks I will try that.

Quote:
Connect without specifying a default route in your ppp.conf. Examine the output of $ route -n show -inet. If you need a default route at that point, try adding it with the route(8) command. Examine the route table before/after.
Quote:
I do seem to get the correct IP without the line and the internet does work when omitting the line.
As said if I don't hard code anything the internet does work and I am assigned the correct IP. The default route is assigned the "dynamic" gateway.

Quote:
You have described a gateway at the other end of your PPP connection that changes. That gateway address MUST be your default route. Each time that remote address changes .... so must your default route.
Correct -which does happen. However I do not get assigned the static gateway that was assigned to me. Hence I would like to hard code it to see if my performance increases. As of yet I seem to get no connection whenever the "proper" gateway is set.

I'm limited at this time in making any changes, since I risk losing the connection. If you feel I should still try the changes listed earlier, I can do so later.


Thanks for your help!
Posted 27th July 2009 by jggimi

Quote:
Originally Posted by plexter
Would you have an example? I have not determined how to check if the pppoe connection is active. I can tell if it has an IP address but that is all.
I don't use pppoe or ppp, so I don't know what your symptoms of "down" are. If pppoe and ppp cease operation, then your script can use pgrep(1) to determine whether one or the other is running. If the daemons continue to run, your script could use your routing table (assuming the link drops), or ping(1), to determine whether the network is operational.

My recommendation is to stop yanking on cables.

You can write a script myriad ways. Here are three examples, depending on what fails when you pull a cable.

Testing with pgrep:

Code:
#!/bin/sh
# ppp still running means there is nothing to do; exit (not return, since this is
# the top level of a script, not a function) and only fall through when it is gone
pgrep ppp > /dev/null && exit 0
[your restarting script begins here...]

Testing with routing. No default route = link down:

Code:
#!/bin/sh
# a default route present means the link is up, so leave things alone
route -n show -inet | grep default > /dev/null && exit 0
[your restarting script begins here...]

Testing with ping:

Code:
#!/bin/sh
# a reply from an outside address means the link is up; restart only when it fails
ping -c 1 [an external IP] > /dev/null && exit 0
[your restarting script begins here... I'd use the most recent default gateway for the ping test, above, obtained from a route command]
Quote:
As of yet I seem to get no connection whenever the "proper" gateway is set.
I think you may misunderstand routing. The routing table requires directly addressable IP addresses. If the "proper" gateway is not on an addressable subnet or at the far end of the ppp connection, you break your routing table when you use it.
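A cron-driven watchdog that combines the pgrep and routing-table tests from the post above, as an added example that is not jggimi's script or part of this thread. It assumes a ppp.conf label "pppoe", a restart via ppp -ddial, and that the "is there a default route" decision is made by parsing the text of route -n show -inet, so the logic can be exercised offline on constructed tables.

```shell
#!/bin/sh
# Constructed example (not from the thread): a cron-driven watchdog for
# userland ppp/pppoe on OpenBSD. Assumptions: ppp.conf label "pppoe", restart
# via ppp -ddial, and two cheap "link up" tests: is ppp running, and is there
# a default route?

PPP_LABEL=pppoe
LOGTAG=ppp-watchdog

# ppp_running: succeed when a ppp process exists
ppp_running() {
    pgrep -x ppp >/dev/null 2>&1
}

# has_default_route TABLE: succeed when TABLE, the text of "route -n show
# -inet", lists a default route. Parsing text instead of calling route(8)
# keeps the check testable offline.
has_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { found = 1 } END { exit !found }'
}

# link_state TABLE PPP_UP: print "up", "no-ppp" or "no-route"
link_state() {
    table=$1
    ppp_up=$2   # 1 when ppp is running
    if [ "$ppp_up" != 1 ]; then
        echo no-ppp
    elif ! has_default_route "$table"; then
        echo no-route
    else
        echo up
    fi
}

# restart_link REASON: log, kill any wedged ppp, then redial the profile
restart_link() {
    logger -t "$LOGTAG" "link $1; restarting ppp -ddial $PPP_LABEL"
    pkill -x ppp 2>/dev/null
    sleep 2
    /usr/sbin/ppp -ddial "$PPP_LABEL"
}

# Live mode, for a crontab(5) entry such as:
#   */5 * * * * /usr/local/sbin/ppp-watchdog.sh live
if [ "${1:-}" = live ]; then
    if ppp_running; then up=1; else up=0; fi
    state=$(link_state "$(route -n show -inet 2>/dev/null)" "$up")
    [ "$state" = up ] || restart_link "$state"
    exit 0
fi

# Constructed sample tables for an offline run (not real captures)
TABLE_UP='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            203.0.113.1        UGS        0       12     -     8 tun0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
192.168.1/24       link#1             UC         1        0     -     4 rl0'

TABLE_DOWN='Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
192.168.1/24       link#1             UC         1        0     -     4 rl0'

echo "ppp up, default route present: $(link_state "$TABLE_UP" 1)"    # up
echo "ppp up, no default route:      $(link_state "$TABLE_DOWN" 1)"  # no-route
echo "ppp not running:               $(link_state "$TABLE_UP" 0)"    # no-ppp
```

Run without arguments it only exercises the decision logic on the constructed tables; the "live" argument is what the crontab line passes so that route(8), pgrep(1) and ppp(8) are actually consulted.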
Posted 27th July 2009 by BSDfan666

OpenBSD has a kernel pppoe(4) and userland pppoe(8), you are currently using the userland implementation.

Both man pages are detailed, and contain example configurations.

The kernel client might be better at maintaining and re-establishing a link if the connection fails, if either by a remote error.. or cable yanking.. if not, you could use the ifstated(4) daemon to monitor the pppoe(4) interface. [0]

One other option may be the "enable lqr / accept lqr" option(s) for userland pppoe, according to the description.. "Enable and accept link quality requests, which can be used to detect whether the link has gone down."

I hope this helps, but please.. for the sake of the kittens... don't yank cables.
Posted 27th July 2009 by jggimi

ifstated is a *great* idea, BSDfan. However, its use will depend on the type of errors plexter creates when he mucks up his network.