===Introduction===

OpenVPN can be configured so that users are authenticated with the identification (authentication) certificate on their Estonian ID card. In the case presented here, every holder of an Estonian ID card counts as a user of the system; revocation lists and the like are not checked, so the solution is probably not directly usable as is.
====OpenVPN server on Debian====

On the server side, a configuration file such as the following is suitable:
<pre>
port 1194
proto udp
dev tun0
ca /etc/openvpn/SK-CA.pem
cert /etc/openvpn/vpn.loomaaed.tartu.ee-cert.pem
key /etc/openvpn/vpn.loomaaed.tartu.ee-key.pem

dh /etc/openvpn/dh2048.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
</pre>
Here the SK-CA.pem file is four certificates concatenated together; they can be copied from the website of the Sertifitseerimiskeskus (SK), www.sk.ee:

<pre>
# cat KLASS3-SK.PEM.pem ESTEID-SK-2007.PEM.pem JUUR-SK.PEM.pem > /etc/openvpn/SK-CA.pem
</pre>

vpn.loomaaed.tartu.ee-cert.pem and vpn.loomaaed.tartu.ee-key.pem correspond to the so-called server certificate issued by SK.

SK has issued the KLASS3-SK and ESTEID-SK-2007 certificates under its root certificate JUUR-SK; the certificates on users' ID cards are issued under ESTEID-SK-2007, and the so-called server certificates are issued under KLASS3-SK.
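As an added example (not from the original page), the gap noted in the introduction can be narrowed with a tls-verify hook on the server: a script that pins the user-certificate chain described above and admits only the PIN1 authentication certificate of persons on an allow-list. The script path, the allow-list and the exact chain strings are assumptions, and the DN format assumed is the slash-separated one shown in the logs on this page.

```python
#!/usr/bin/env python3
"""OpenVPN --tls-verify hook: admit only the ID card's authentication certificate,
and only for persons on an allow-list (example code, not from the page).

Assumed server config line:   tls-verify /etc/openvpn/verify-esteid.py
OpenVPN runs it as            verify-esteid.py <depth> <subject-DN>
and accepts the peer only if every depth exits with status 0.
The DN format assumed is the slash-separated one in the logs on this page.
"""
import sys

# Constructed allow-list of personal codes (the serialNumber field of the card DN).
ALLOWED_PERSONAL_CODES = {"37003212713"}

# Chain the page describes for user cards: JUUR-SK (root) -> ESTEID-SK 2007 -> card.
# Pinning it keeps KLASS3-SK (which issues server certificates) from vouching for users.
EXPECTED_CHAIN = {
    1: "/C=EE/O=AS_Sertifitseerimiskeskus/OU=ESTEID/CN=ESTEID-SK_2007",
    2: "/emailAddress=pki@sk.ee/C=EE/O=AS_Sertifitseerimiskeskus/CN=Juur-SK",
}

def parse_dn(dn: str) -> dict:
    """Turn '/C=EE/O=ESTEID/OU=authentication/...' into a dict of attribute -> value."""
    fields = {}
    for part in dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key:
            fields[key] = value
    return fields

def verify(depth: int, subject: str) -> bool:
    """Accept or reject one certificate of the peer's chain, as --tls-verify asks."""
    if depth in EXPECTED_CHAIN:
        return subject == EXPECTED_CHAIN[depth]
    if depth != 0:
        return False
    dn = parse_dn(subject)
    # The card's second certificate (OU=digital signature, PIN2) is for signing,
    # not for logging in: only the PIN1 authentication certificate passes.
    if dn.get("O") != "ESTEID" or dn.get("OU") != "authentication":
        return False
    return dn.get("serialNumber") in ALLOWED_PERSONAL_CODES

if __name__ == "__main__":
    ok = (len(sys.argv) == 3 and sys.argv[1].isdigit()
          and verify(int(sys.argv[1]), sys.argv[2]))
    sys.exit(0 if ok else 1)
```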
====OpenVPN client on Debian====

For the OpenVPN client to be able to authenticate itself as a VPN user with the ID card, the client computer must have the preparations needed for using the Estonian ID card in place, e.g. as described in the article http://kuutorvaja.eenet.ee/wiki/Eesti_ID-kaardi_kasutamine_Debianiga

To check that the preparations succeeded, one can run e.g.:
<pre>
# openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
DN: /C=EE/O=ESTEID/OU=authentication/CN=OOLBERG,IMRE,37003212713/SN=OOLBERG/GN=IMRE/serialNumber=37003212713
Serial: 48843168
Serialized id: AS\x20Sertifitseerimiskeskus/PKCS\x20\x2315\x20SCard/A0055728/ID\x2Dkaart\x20\x28PIN1\x2C\x20Isikutuvastus\x29/01

Certificate
DN: /C=EE/O=ESTEID/OU=digital signature/CN=OOLBERG,IMRE,37003212713/SN=OOLBERG/GN=IMRE/serialNumber=37003212713
Serial: 48843169
Serialized id: AS\x20Sertifitseerimiskeskus/PKCS\x20\x2315\x20SCard/A0055728/ID\x2Dkaart\x20\x28PIN2\x2C\x20Allkirjastamine\x29/02
</pre>
On the client side, a configuration file such as the following is suitable; note that the \ characters are escaped:
<pre>
client
dev tun
proto udp
remote 192.168.10.199
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/SK-CA.pem

pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id "AS\\x20Sertifitseerimiskeskus/PKCS\\x20\\x2315\\x20SCard/A0055728/ID\\x2Dkaart\\x20\\x28PIN1\\x2C\\x20Isikutuvastus\\x29/01"

comp-lzo
verb 3
</pre>
====Usage====

When the Estonian ID card is used, the server side produces a log like the following; among other things, one can see that 1024-bit keys are used:
<pre>
# openvpn --config openvpn.conf
Sun Apr 26 09:03:34 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Sun Apr 26 09:03:34 2009 Diffie-Hellman initialized with 2048 bit key
Sun Apr 26 09:03:34 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sun Apr 26 09:03:34 2009 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 26 09:03:34 2009 ROUTE default_gateway=192.168.10.254
Sun Apr 26 09:03:34 2009 TUN/TAP device tun0 opened
Sun Apr 26 09:03:34 2009 TUN/TAP TX queue length set to 100
Sun Apr 26 09:03:34 2009 /sbin/ifconfig tun0 172.16.1.1 pointopoint 172.16.1.2 mtu 1500
Sun Apr 26 09:03:34 2009 /sbin/route add -net 172.16.1.0 netmask 255.255.255.0 gw 172.16.1.2
Sun Apr 26 09:03:34 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 26 09:03:34 2009 GID set to nogroup
Sun Apr 26 09:03:34 2009 UID set to nobody
Sun Apr 26 09:03:34 2009 Socket Buffers: R=[124928->131072] S=[124928->131072]
Sun Apr 26 09:03:34 2009 UDPv4 link local (bound): [undef]:1194
Sun Apr 26 09:03:34 2009 UDPv4 link remote: [undef]
Sun Apr 26 09:03:34 2009 MULTI: multi_init called, r=256 v=256
Sun Apr 26 09:03:34 2009 IFCONFIG POOL: base=172.16.1.4 size=62
Sun Apr 26 09:03:34 2009 IFCONFIG POOL LIST
Sun Apr 26 09:03:34 2009 Initialization Sequence Completed

Sun Apr 26 09:09:02 2009 MULTI: multi_create_instance called
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 Re-using SSL/TLS context
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 LZO compression initialized
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 Local Options hash (VER=V4): '530fdded'
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 Expected Remote Options hash (VER=V4): '41690919'
Sun Apr 26 09:09:02 2009 192.168.10.101:44287 TLS: Initial packet from 192.168.10.101:44287, sid=c50c829f 8e240ecc
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 VERIFY OK: depth=2, /emailAddress=pki@sk.ee/C=EE/O=AS_Sertifitseerimiskeskus/CN=Juur-SK
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 VERIFY OK: depth=1, /C=EE/O=AS_Sertifitseerimiskeskus/OU=ESTEID/CN=ESTEID-SK_2007
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 VERIFY OK: depth=0, /C=EE/O=ESTEID/OU=authentication/CN=OOLBERG_IMRE_37003212713/SN=OOLBERG /GN=IMRE/serialNumber=37003212713
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 26 09:09:13 2009 192.168.10.101:44287 [OOLBERG_IMRE_37003212713] Peer Connection Initiated with 192.168.10.101:44287
Sun Apr 26 09:09:13 2009 OOLBERG_IMRE_37003212713/192.168.10.101:44287 MULTI: Learn: 172.16.1.6 -> OOLBERG_IMRE_37003212713/192.168.10.101:44287
Sun Apr 26 09:09:13 2009 OOLBERG_IMRE_37003212713/192.168.10.101:44287 MULTI: primary virtual IP for OOLBERG_IMRE_37003212713/192.168.10.101:44287: 172.16.1.6
Sun Apr 26 09:09:14 2009 OOLBERG_IMRE_37003212713/192.168.10.101:44287 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr 26 09:09:14 2009 OOLBERG_IMRE_37003212713/192.168.10.101:44287 SENT CONTROL [OOLBERG_IMRE_37003212713]: 'PUSH_REPLY,route 172.16.1.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.1.6 172.16.1.5' (status=1)
</pre>
and the client side one like this; some error messages related to using the ID card have been removed:
<pre>
# openvpn --config openvpn.conf
Sun Apr 26 12:07:12 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Sun Apr 26 12:07:12 2009 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Sun Apr 26 12:07:17 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 26 12:07:17 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
[opensc-pkcs11] pkcs11-global.c:176:C_Initialize: C_Initialize(): Cryptoki already initialized
Sun Apr 26 12:07:18 2009 LZO compression initialized
Sun Apr 26 12:07:18 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 26 12:07:18 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 26 12:07:18 2009 Local Options hash (VER=V4): '41690919'
Sun Apr 26 12:07:18 2009 Expected Remote Options hash (VER=V4): '530fdded'
Sun Apr 26 12:07:18 2009 Socket Buffers: R=[111616->131072] S=[111616->131072]
Sun Apr 26 12:07:18 2009 UDPv4 link local: [undef]
Sun Apr 26 12:07:18 2009 UDPv4 link remote: 192.168.10.199:1194
Sun Apr 26 12:07:18 2009 TLS: Initial packet from 192.168.10.199:1194, sid=eef2a782 22a5670e
Sun Apr 26 12:07:18 2009 VERIFY OK: depth=2, /emailAddress=pki@sk.ee/C=EE/O=AS_Sertifitseerimiskeskus/CN=Juur-SK
Sun Apr 26 12:07:18 2009 VERIFY OK: depth=1, /emailAddress=pki@sk.ee/C=EE/O=AS_Sertifitseerimiskeskus/OU=Sertifitseerimisteenused/serialNumber=1/CN=KLASS3-SK
Sun Apr 26 12:07:18 2009 VERIFY OK: depth=0, /CN=vpn.loomaaed.tartu.ee/O=Tartu Loomaaed/L=Tartu/ST=Tartu/C=EE

Enter ID-kaart (PIN1, Isikutuvastus) token Password:

Sun Apr 26 12:07:29 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 26 12:07:29 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 26 12:07:29 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 26 12:07:29 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 26 12:07:29 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 26 12:07:29 2009 [www.ria.ee] Peer Connection Initiated with 192.168.10.199:1194
Sun Apr 26 12:07:30 2009 SENT CONTROL [vpn.loomaaed.tartu.ee]: 'PUSH_REQUEST' (status=1)
Sun Apr 26 12:07:30 2009 PUSH: Received control message: 'PUSH_REPLY,route 172.16.1.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.1.6 172.16.1.5'
Sun Apr 26 12:07:30 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sun Apr 26 12:07:30 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sun Apr 26 12:07:30 2009 OPTIONS IMPORT: route options modified
Sun Apr 26 12:07:30 2009 ROUTE default_gateway=192.168.10.254
Sun Apr 26 12:07:30 2009 TUN/TAP device tun1 opened
Sun Apr 26 12:07:30 2009 TUN/TAP TX queue length set to 100
Sun Apr 26 12:07:30 2009 /sbin/ifconfig tun1 172.16.1.6 pointopoint 172.16.1.5 mtu 1500
[opensc-pkcs11] pkcs11-global.c:176:C_Initialize: C_Initialize(): Cryptoki already initialized
Sun Apr 26 12:07:30 2009 /sbin/route add -net 172.16.1.1 netmask 255.255.255.255 gw 172.16.1.5
[opensc-pkcs11] pkcs11-global.c:176:C_Initialize: C_Initialize(): Cryptoki already initialized
Sun Apr 26 12:07:30 2009 Initialization Sequence Completed
</pre>
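As an added example (not from the original page), a small checker that reads OpenVPN log lines like the ones above and reports the weak settings they reveal: the unverified server identity warning, the 1024-bit RSA peer key, the 64-bit-block BF-CBC data cipher and the TLSv1 control channel. The sample lines are copied from the logs above; the thresholds and cipher list are the checker's own assumptions.

```python
import re

# Constructed sample: lines copied from the server and client logs shown above.
SAMPLE_LOG = """\
Sun Apr 26 12:07:17 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 26 12:07:29 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 26 12:07:29 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 26 12:07:29 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 26 12:07:29 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""

MIN_RSA_BITS = 2048
# 64-bit block ciphers; OpenVPN later deprecated BF-CBC because of birthday (Sweet32) attacks.
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
OLD_TLS = {"SSLv3", "TLSv1"}

RE_CONTROL = re.compile(r"Control Channel: (\S+), cipher [^,]+, (\d+) bit RSA")
RE_DATA_CIPHER = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")


def audit(log_text: str) -> list:
    """Return one finding per distinct weakness in the log, in order of first sighting."""
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for line in log_text.splitlines():
        if "No server certificate verification method" in line:
            add("server identity not pinned: any certificate chaining to the same CA is "
                "accepted; name the server (tls-remote in OpenVPN 2.1, verify-x509-name later)")
        m = RE_CONTROL.search(line)
        if m:
            tls_version, bits = m.group(1), int(m.group(2))
            if tls_version in OLD_TLS:
                add(f"control channel negotiated {tls_version}; require a newer TLS version")
            if bits < MIN_RSA_BITS:
                add(f"peer RSA key is {bits} bits, below {MIN_RSA_BITS}")
        m = RE_DATA_CIPHER.search(line)
        if m and m.group(1) in WEAK_DATA_CIPHERS:
            add(f"data channel cipher {m.group(1)} has a 64-bit block; use an AES-GCM cipher")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("-", finding)
```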