diff --git a/nextbox/backup-restore.rst b/nextbox/backup-restore.rst index 359de6fdec..46e7bb3419 100644 --- a/nextbox/backup-restore.rst +++ b/nextbox/backup-restore.rst @@ -13,7 +13,7 @@ To enable backup and restore onto a storage device please follow these steps: (currently *ext* and *xfs* are supported). 2. Attach the storage device to your NextBox to any of the USB ports and *remember to use an external - power supply* (:ref:`more information`) + power supply* `more information `_ 3. Once attached you will see the storage(s) inside "Storage Management" below "Available Storages" @@ -65,6 +65,5 @@ the upgrade process for Nextcloud. is not identical to the current one. -.. _Nextcloud WebDAV documentation: https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html diff --git a/nextbox/faq/generic.rst b/nextbox/faq/generic.rst index 92e16eca43..c56ee5b4c9 100644 --- a/nextbox/faq/generic.rst +++ b/nextbox/faq/generic.rst @@ -38,7 +38,6 @@ Generic FAQ and passwords are on a high level, either with long-random passwords or a 2-Factor-Authentification supported login method with e.g., a Nitrokey FIDO2.** -.. _faq-nextbox-generic-ssh: **Q:** What do all the ssh-related "warnings" mean? Once you set up your ssh-access, you make yourself technically responsible for diff --git a/nextbox/faq/hardware.rst b/nextbox/faq/hardware.rst index 2adb820765..dd2988ce91 100644 --- a/nextbox/faq/hardware.rst +++ b/nextbox/faq/hardware.rst @@ -2,8 +2,7 @@ Hardware FAQ ============ -.. _usb-power-supply: -.. _faq-nextbox-hardware-usb-power-supply: + **Q:** Why must I not connect external hard-drives without an external power-supply to my NextBox? The Raspberry Pi 4 Model B can only supply 1.2A of power through USB (see @@ -62,13 +61,8 @@ Hardware FAQ No, the Raspberry PI 4B has the RAM component soldered onto the mainboard, thus it cannot be replaced/extended. -.. _USB Documentation: https://www.raspberrypi.org/documentation/hardware/raspberrypi/usb/README.md +.. _USB Documentation: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#universal-serial-bus-usb .. _NextBox' GitHub: https://github.com/Nitrokey/nextbox-board -.. _nextbox.local: http://nextbox.local .. _External storage support: https://docs.nextcloud.com/server/20/admin_manual/configuration_files/external_storage_configuration_gui.html -.. _RPi Power Supply: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _typical bare-board power consumption: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _Putty Documentation: https://www.ssh.com/academy/ssh/putty/public-key-authentication -.. _Nextcloud WebDAV documentation: https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html - +.. _RPi Power Supply: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#power-supply diff --git a/nextbox/faq/nextcloud.rst b/nextbox/faq/nextcloud.rst index 643c75466d..552837eb45 100644 --- a/nextbox/faq/nextcloud.rst +++ b/nextbox/faq/nextcloud.rst @@ -41,20 +41,12 @@ Nextcloud FAQ **Q:** Why is my Nextcloud not loading properly, instead I get a white page and a `.htaccess` error? This usually is an indication that the OS has unmounted/detached the internal hard-drive due to an low-power-incident. Please make sure you read and - understood :ref:`USB power`. In most + understood `USB power `_. In most cases doing a power-cycle (unplug the USB-C connector, wait 5secs and plug it in again) should resolve this. **Make sure no additional USB devices are connected during this procedure.** -.. _USB Documentation: https://www.raspberrypi.org/documentation/hardware/raspberrypi/usb/README.md -.. _NextBox' GitHub: https://github.com/Nitrokey/nextbox-board -.. _nextbox.local: http://nextbox.local -.. _External storage support: https://docs.nextcloud.com/server/20/admin_manual/configuration_files/external_storage_configuration_gui.html -.. _RPi Power Supply: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _typical bare-board power consumption: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _Putty Documentation: https://www.ssh.com/academy/ssh/putty/public-key-authentication -.. _Nextcloud WebDAV documentation: https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html diff --git a/nextbox/faq/remote-access.rst b/nextbox/faq/remote-access.rst index f5144733a5..cbc0c11d4b 100644 --- a/nextbox/faq/remote-access.rst +++ b/nextbox/faq/remote-access.rst @@ -61,13 +61,6 @@ Remote Access FAQ -.. _USB Documentation: https://www.raspberrypi.org/documentation/hardware/raspberrypi/usb/README.md -.. _NextBox' GitHub: https://github.com/Nitrokey/nextbox-board -.. _nextbox.local: http://nextbox.local -.. _External storage support: https://docs.nextcloud.com/server/20/admin_manual/configuration_files/external_storage_configuration_gui.html -.. _RPi Power Supply: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _typical bare-board power consumption: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _Putty Documentation: https://www.ssh.com/academy/ssh/putty/public-key-authentication .. _Nextcloud WebDAV documentation: https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html diff --git a/nextbox/faq/software.rst b/nextbox/faq/software.rst index f57644a1e0..7019cb4b36 100644 --- a/nextbox/faq/software.rst +++ b/nextbox/faq/software.rst @@ -30,13 +30,6 @@ Software FAQ .. _Launchpad NextBox: https://launchpad.net/~nitrokey/+archive/ubuntu/nextbox/+packages -.. _USB Documentation: https://www.raspberrypi.org/documentation/hardware/raspberrypi/usb/README.md -.. _NextBox' GitHub: https://github.com/Nitrokey/nextbox-board -.. _nextbox.local: http://nextbox.local -.. _External storage support: https://docs.nextcloud.com/server/20/admin_manual/configuration_files/external_storage_configuration_gui.html -.. _RPi Power Supply: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md -.. _typical bare-board power consumption: https://www.raspberrypi.org/documentation/hardware/raspberrypi/power/README.md .. _Putty Documentation: https://www.ssh.com/academy/ssh/putty/public-key-authentication -.. _Nextcloud WebDAV documentation: https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html diff --git a/nextbox/hardware-overview.rst b/nextbox/hardware-overview.rst index dc613c51e9..8d2369f949 100644 --- a/nextbox/hardware-overview.rst +++ b/nextbox/hardware-overview.rst @@ -49,9 +49,9 @@ the different connectors and interfaces is given. 4. The **RJ45 - 1GbE Ethernet** connector connects your NextBox with your home network and shall stay connected at all times. -5. **Free USB 3 - Type A Slot**, please see :ref:`Hardware FAQ` +5. **Free USB 3 - Type A Slot**, please see `Hardware FAQ`_ 6. **Reserved USB 3 - Type A Slot**, used for the internal hard-disk. *Never remove this connector!* -7. **2x Free USB 2 - Type A Slots**, please see :ref:`Hardware FAQ` +7. **2x Free USB 2 - Type A Slots**, please see `Hardware FAQ`_ .. hint:: Using a hard-drive with an external power supply you can use any of the available USB slots. Keep in mind that the data transfer bandwidth for @@ -75,3 +75,5 @@ the different connectors and interfaces is given. + +.. _Hardware FAQ: faq/hardware.html#why-must-i-not-connect-external-hard-drives-without-an-external-power-supply-to-my-nextbox \ No newline at end of file diff --git a/nextbox/remote/walkthrough.rst b/nextbox/remote/walkthrough.rst index 55faeee745..952513dd8d 100644 --- a/nextbox/remote/walkthrough.rst +++ b/nextbox/remote/walkthrough.rst @@ -180,4 +180,3 @@ If you encounter problems, please read the other articles inside the .. _TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security .. _HTTPS: https://en.wikipedia.org/wiki/HTTPS .. _CA: https://en.wikipedia.org/wiki/Certificate_authority -.. _Let's Encrypt: https://en.wikipedia.org/wiki/Let%27s_Encrypt diff --git a/nitropc/qubes/gpu-install.rst b/nitropc/qubes/gpu-install.rst index 5784c9bd9b..ef908a29c5 100644 --- a/nitropc/qubes/gpu-install.rst +++ b/nitropc/qubes/gpu-install.rst @@ -29,18 +29,18 @@ Create a Windows Qube 2. Install the Qubes Windows Tools, in dom0 : ``sudo qubes-dom0-update qubes-windows-tools-4.1.69`` when asked press ``y`` and enter. -.. note:: - Please see the `security implication `__ of installing QWT. + .. note:: + Please see the `security implication `__ of installing QWT. 3. Make the install script executable, in dom0 : ``sudo chmod +x /install.sh`` 4. Launch the install script, in dom0 : ``/install.sh`` -If you see this message : ``[+] Installation complete!`` then you can continue. + If you see this message : ``[+] Installation complete!`` then you can continue. -At this point the script created a new Qube called windows-mgmt now we will dowload the ISO to create the Windows Qube. + At this point the script created a new Qube called windows-mgmt now we will dowload the ISO to create the Windows Qube. -To do so we need to copy the ``~/qvm-create-windows-qube/windows/isos/mido.sh`` script from the windows-mgmt Qube inside a disposable Qube with internet connectivity. + To do so we need to copy the ``~/qvm-create-windows-qube/windows/isos/mido.sh`` script from the windows-mgmt Qube inside a disposable Qube with internet connectivity. 5. Start a new DVM (disposable) Qube and give it at least 10 GB of private storage. @@ -48,23 +48,23 @@ To do so we need to copy the ``~/qvm-create-windows-qube/windows/isos/mido.sh`` 7. Once the script is copied launch it, in dispXXX : ``./QubesIncoming/windows-mgmt/mido.sh win10x64`` -.. note:: - In this guide we install Windows 10 but other Windows versions are available you can list them by using ``./QubesIncoming/windows-mgmt/mido.sh`` + .. note:: + In this guide we install Windows 10 but other Windows versions are available you can list them by using ``./QubesIncoming/windows-mgmt/mido.sh`` 8. If you get a success message then you will need to copy the dowloaded ISO from the DVM to the windows-mgmt Qube, in dispXXXX : ``qvm-copy QubesIncoming/windows-mgmt/win10x64.iso`` and choose the windows-mgmt Qube. -Once copied you can close your DVM Qube. + Once copied you can close your DVM Qube. 9. In the windows-mgmt Qube : ``mv QubesIncoming/dispXXXX/win10x64.iso qvm-create-windows-qube/windows/isos/`` (replace 'dispXXXX' with the name of the disposable Qube you created). 10. Then in dom0 : ``qvm-create-windows-qube -n sys-firewall -oy -i win10x64.iso -a win10x64-pro.xml work-win10`` -.. note:: - You can pre-install any package from `this site `__. - E.g: ``qvm-create-windows-qube -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64.iso -a win10x64-pro.xml work-win10`` + .. note:: + You can pre-install any package from `this site `__. + E.g: ``qvm-create-windows-qube -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64.iso -a win10x64-pro.xml work-win10`` -If the script stops or if it get stuck retry until you see this message: ``[+] Completed successfully!`` + If the script stops or if it get stuck retry until you see this message: ``[+] Completed successfully!`` 11. Now you will need to attach your GPU to the Windows Qube, to do so go to the Qube Manager and the Windows 10 Qube options (make sure that the Qube is shut down), under the Devices tab select your graphic card and pass it to the right then click on the ``Configure strict reset for PCI devices`` then select your card and click ``OK`` @@ -99,46 +99,46 @@ Debian 7. ``sudo apt install nvidia-driver dbus-x11`` -Now you will need to create 3 differents files: + Now you will need to create 3 differents files: -screen.conf:: + screen.conf:: - Section "Device" - Identifier "GPU" + Section "Device" + Identifier "GPU" - # name of the driver to use. Can be "amdgpu", "nvidia", or something else - Driver "nvidia" + # name of the driver to use. Can be "amdgpu", "nvidia", or something else + Driver "nvidia" - # The BusID value will change after each qube reboot. - BusID "PCI:0:8:0" - EndSection + # The BusID value will change after each qube reboot. + BusID "PCI:0:8:0" + EndSection - Section "Screen" - Identifier "GPU screen" - Device "GPU" - EndSection + Section "Screen" + Identifier "GPU screen" + Device "GPU" + EndSection -xorgX1.sh:: + xorgX1.sh:: - #!/bin/bash + #!/bin/bash - binary=${1:?binary required} + binary=${1:?binary required} - # Find the correct BusID of the AMD GPU, then set it in the Xorg configuration file - pci=$(lspci | grep "VGA" | grep -E "NVIDIA|AMD/ATI" | cut -d " " -f 1 | cut -d ":" -f 2 | cut -d "." -f 1 | cut -d "0" -f 2) - sed -i 's/"PCI:[^"]*"/"PCI:0:'$pci':0"/g' /home/user/screen.conf + # Find the correct BusID of the AMD GPU, then set it in the Xorg configuration file + pci=$(lspci | grep "VGA" | grep -E "NVIDIA|AMD/ATI" | cut -d " " -f 1 | cut -d ":" -f 2 | cut -d "." -f 1 | cut -d "0" -f 2) + sed -i 's/"PCI:[^"]*"/"PCI:0:'$pci':0"/g' /home/user/screen.conf - # Start the Xorg server for the X screen number 1. - # The X screen n°0 is already used for QubesOS integration - sudo startx "$binary" -- :1 -config /home/user/screen.conf + # Start the Xorg server for the X screen number 1. + # The X screen n°0 is already used for QubesOS integration + sudo startx "$binary" -- :1 -config /home/user/screen.conf -xfce.sh:: + xfce.sh:: - #!/bin/bash - sleep 5 && sudo setxkbmap -display :1 fr & - /bin/sudo -u user PULSE_SERVER=unix:/run/user/1000/pulse/native bash -c 'sudo xhost + local:;/usr/bin/startxfce4' + #!/bin/bash + sleep 5 && sudo setxkbmap -display :1 fr & + /bin/sudo -u user PULSE_SERVER=unix:/run/user/1000/pulse/native bash -c 'sudo xhost + local:;/usr/bin/startxfce4' 8. ``sudo chmod +x xorgX1.sh xfce.sh`` diff --git a/pro/gpa.rst b/pro/gpa.rst index 922ef64a9f..dfea076432 100644 --- a/pro/gpa.rst +++ b/pro/gpa.rst @@ -7,49 +7,49 @@ This document describes how to use Gnu Privacy Assistant (GPA) to set up the Nit 2. Start GPA and select the Card Manager; either by pressing the icon at the top or by choosing Card Manager in the Windows menu. -.. figure:: /pro/images/gpa/1.png - :alt: img1 + .. figure:: /pro/images/gpa/1.png + :alt: img1 3. The window of the Card Manager will appear. Enter your salutation, name and optional other information. While doing so you might be asked to enter the admin PIN. -.. figure:: /pro/images/gpa/2.png - :alt: img2 + .. figure:: /pro/images/gpa/2.png + :alt: img2 4. Confirm this window and enter the admin PIN in the next window. -.. figure:: /pro/images/gpa/3.png - :alt: img3 + .. figure:: /pro/images/gpa/3.png + :alt: img3 5. In the Card Manager window you might need to scroll down until you see the buttons to change the PINs. The term PIN is used interchangeable with "password". Press the first button "Change PIN" in order to change the user password. Read and confirm the following information window. -.. figure:: /pro/images/gpa/4.png - :alt: img4 + .. figure:: /pro/images/gpa/4.png + :alt: img4 6. Choose and enter your own PIN with a minimum length of six characters. This PIN is required for the daily usage of the Nitrokey. -.. figure:: /pro/images/gpa/5.png - :alt: img5 + .. figure:: /pro/images/gpa/5.png + :alt: img5 7. Go back to the Card Manager window in step three. This time you choose the third button Change PIN in order to change the admin PIN. The admin PIN is required to change the information on the Nitrokey and to change the cryptographic keys. Proceed as described in steps four and five. 8. After changing both the user and the admin PIN, you are back in the Card Manager window. Select "Generate key" in the "Card" menu. -.. figure:: /pro/images/gpa/6.png - :alt: img6 + .. figure:: /pro/images/gpa/6.png + :alt: img6 9. Enter your name and e-mail address. You should keep "backup" enabled in order to create a backup file of your cryptographic keys. Optionally you might select an expiration date for your cryptographic keys. -.. figure:: /pro/images/gpa/7.png - :alt: img7 + .. figure:: /pro/images/gpa/7.png + :alt: img7 10. Wait until the keys are generated successfully. -.. figure:: /pro/images/gpa/8.png - :alt: img8 + .. figure:: /pro/images/gpa/8.png + :alt: img8 11. Enter a strong passphrase for your backup keys. We strongly recommend to store the backup file on a separate storage(e.g. CD-ROM) and on a safe location. -.. figure:: /pro/images/gpa/9.png - :alt: img9 + .. figure:: /pro/images/gpa/9.png + :alt: img9 Congratulations, your Nitrokey is now ready to use. Please see the `applications `__ section for further information of its usage. diff --git a/pro/linux/disk-encryption-luks.rst b/pro/linux/disk-encryption-luks.rst index 4f21b6c3b5..30ef297953 100644 --- a/pro/linux/disk-encryption-luks.rst +++ b/pro/linux/disk-encryption-luks.rst @@ -48,59 +48,58 @@ Instructions 1. Install dependencies -.. code-block:: bash + .. code-block:: bash - $ sudo apt install scdaemon opensc gnupg2 + $ sudo apt install scdaemon opensc gnupg2 2. Create smartcard-luks directory -.. code-block:: bash + .. code-block:: bash - $ mkdir smartcard-luks && cd smartcard-luks + $ mkdir smartcard-luks && cd smartcard-luks 3. Download the smartcard-luks-script -.. code-block:: bash + .. code-block:: bash - $ wget https://raw.githubusercontent.com/daringer/smartcard-key-luks/main/smartcard-key-luks - $ sudo chmod +x smartcard-key-luks + $ wget https://raw.githubusercontent.com/daringer/smartcard-key-luks/main/smartcard-key-luks + $ sudo chmod +x smartcard-key-luks 4. Export the public key -To export your public key from GnuPG’s keyring: + To export your public key from GnuPG’s keyring: -.. code-block:: bash + .. code-block:: bash - $ gpg2 --armor --export KeyID > pubkey.asc + $ gpg2 --armor --export KeyID > pubkey.asc -If you already have uploaded a public key to a keyserver (or have it stored -somewhere else), you should retrieve it in the way you are most comfortable -with, and proceed to step 5. + If you already have uploaded a public key to a keyserver (or have it stored + somewhere else), you should retrieve it in the way you are most comfortable + with, and proceed to step 5. 5. Determine and verify the correct LUKS device name for your root-partition: -.. code-block:: bash + .. code-block:: bash - $ cat /etc/crypttab - # if there is only one entry, you want the 1st column of this entry + $ cat /etc/crypttab + # if there is only one entry, you want the 1st column of this entry -.. hint:: - Usually this should be something like `nvme0n1p3_crypt` (for NitroPC) or - `sda3_crypt` (for NitroPads). You can and should crosscheck that the UUID - referred inside `/etc/crypttab` is the designated partition by checking the - symbolic link inside `/dev/disks/by-uuid/`. + .. hint:: + Usually this should be something like `nvme0n1p3_crypt` (for NitroPC) or + `sda3_crypt` (for NitroPads). You can and should crosscheck that the UUID + referred inside `/etc/crypttab` is the designated partition by checking the + symbolic link inside `/dev/disks/by-uuid/`. 6. Execute the script with the luks device name (e.g., `nvme0n1p3_crypt`) and `pubkey.asc` as arguments. -.. code-block:: bash - + .. code-block:: bash - $ sudo ./smartcard-key-luks nvme0n1p3_crypt pubkey.asc + $ sudo ./smartcard-key-luks nvme0n1p3_crypt pubkey.asc Once, you run the script with the OpenPGP public key as argument, it automatically sets up a new LUKS secret, encrypts it against that public key, diff --git a/pro/linux/hard-disk-encryption.rst b/pro/linux/hard-disk-encryption.rst index f9f5aa740a..cab92c4900 100644 --- a/pro/linux/hard-disk-encryption.rst +++ b/pro/linux/hard-disk-encryption.rst @@ -69,46 +69,46 @@ Initialization 1. Create a key file with random data: -.. code-block:: bash + .. code-block:: bash - $ dd bs=64 count=1 if=/dev/urandom of=keyfile + $ dd bs=64 count=1 if=/dev/urandom of=keyfile 2. Encrypt the key file and use the User-ID of your Nitrokey -.. code-block:: bash + .. code-block:: bash - $ gpg --encrypt keyfile + $ gpg --encrypt keyfile 3. Remove the key file in clear text: -.. code-block:: bash + .. code-block:: bash - $ rm keyfile # you may want to use 'wipe' or 'shred' to securely delete the keyfile + $ rm keyfile # you may want to use 'wipe' or 'shred' to securely delete the keyfile 4. Create mount point: -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/.cryptdir ~/cryptdir + $ mkdir ~/.cryptdir ~/cryptdir 5. Create the actual encryption folder -.. code-block:: bash + .. code-block:: bash - $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir - # There may appears an error message about missing permission of fusermount - # This message can be ignored + $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir + # There may appears an error message about missing permission of fusermount + # This message can be ignored 6. Unmount the new file system: -.. code-block:: bash + .. code-block:: bash - $ fusermount -u ~/cryptdir + $ fusermount -u ~/cryptdir Usage ''''' @@ -116,16 +116,16 @@ Usage 1. Mount encrypted file system and enter PIN of Nitrokey: -.. code-block:: bash + .. code-block:: bash - $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir + $ gpg -d keyfile.gpg | encfs -S ~/.cryptdir ~/cryptdir 2. After usage, unmount the file system: -.. code-block:: bash + .. code-block:: bash - $ fusermount -u ~/cryptdir + $ fusermount -u ~/cryptdir Storage Encryption on GNU+Linux with ECryptFS --------------------------------------------- @@ -137,39 +137,39 @@ See `these `__ instructions: 1. Import the certificate and key to the Nitrokey -.. code-block:: bash + .. code-block:: bash - # Warning: This will delete existing keys on your Nitrokey! - $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin + # Warning: This will delete existing keys on your Nitrokey! + $ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key user@example.com.p12 --format pkcs12 --auth-id 3 --verify-pin 2. Create the file ~/.ecryptfsrc.pkcs11: -.. code-block:: bash + .. code-block:: bash - $ editor ~/.ecryptfsrc.pkcs11 + $ editor ~/.ecryptfsrc.pkcs11 3. Enter this content: -.. code-block:: bash + .. code-block:: bash - $ pkcs11-log-level=5 pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true - $ openvpn --show-pkcs11-ids path to opensc-pkcs11 module - Certificate - DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com - Serial: 066E04 - Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03 + $ pkcs11-log-level=5 pkcs11-provider1,name=name,library=/usr/lib/opensc-pkcs11.so,cert-private=true + $ openvpn --show-pkcs11-ids path to opensc-pkcs11 module + Certificate + DN: /description=Iv4IQpLO02Mnix9i/CN=user@example.com/emailAddress=user@example.com + Serial: 066E04 + Serialized id: ZeitControl/PKCS\x2315\x20emulated/000500000c7f/OpenPGP\x20card\x20\x28User\x20PIN\x29/03 4. Copy the serialized id for later usage: -.. code-block:: bash + .. code-block:: bash - $ ecryptfs-manager - # This will show list option. Choose option "Add public key to keyring" - # Choose pkcs11-helper - # Enter the serialized ID of step 3 to PKCS#11 ID. + $ ecryptfs-manager + # This will show list option. Choose option "Add public key to keyring" + # Choose pkcs11-helper + # Enter the serialized ID of step 3 to PKCS#11 ID. Alternatively, try `ESOSI `__ or follow these steps using OpenSC and OpenVPN. diff --git a/pro/linux/openvpn-easyrsa.rst b/pro/linux/openvpn-easyrsa.rst index 8629026ffd..c43491fc62 100644 --- a/pro/linux/openvpn-easyrsa.rst +++ b/pro/linux/openvpn-easyrsa.rst @@ -61,80 +61,80 @@ Server side 1. Install OpenVPN ^^^^^^^^^^^^^^^^^^ -1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file + 1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file -.. code-block:: bash + .. code-block:: bash - $ editor /etc/sysctl.conf + $ editor /etc/sysctl.conf -2. Uncomment or edit accordingly the following line + 2. Uncomment or edit accordingly the following line -.. code-block:: bash + .. code-block:: bash - net.ipv4.ip_forward=1 + net.ipv4.ip_forward=1 -3. Close after saving it, and enter this command + 3. Close after saving it, and enter this command -.. code-block:: bash + .. code-block:: bash - $ sysctl -p + $ sysctl -p -Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: + Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: -4. Change to root and download the GPG key that signed the package + 4. Change to root and download the GPG key that signed the package -.. code-block:: bash + .. code-block:: bash - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - + $ sudo -s + # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - -5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file + 5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file -.. code-block:: bash + .. code-block:: bash - # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list - # exit + # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list + # exit -We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version -2.4.8 `__ to login. + We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version + 2.4.8 `__ to login. -6. Next we download OpenVPN + 6. Next we download OpenVPN -.. code-block:: bash + .. code-block:: bash - $ sudo apt install openvpn + $ sudo apt install openvpn -If you want to check the version, it possible by calling ``--version`` -and print the following: + If you want to check the version, it possible by calling ``--version`` + and print the following: -.. code-block:: bash + :: - $ sudo openvpn --version - OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 - library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 - Originally developed by James Yonan - Copyright (C) 2002-2018 OpenVPN Inc - Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no + $ sudo openvpn --version + OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 + library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 + Originally developed by James Yonan + Copyright (C) 2002-2018 OpenVPN Inc + Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no 2. Install Easy-RSA ^^^^^^^^^^^^^^^^^^^ To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: -1. Download the latest release + 1. Download the latest release -.. code-block:: bash + .. code-block:: bash - $ cd ~ - wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz + $ cd ~ + wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz -2. Extract the tarball + 2. Extract the tarball -.. code-block:: bash + .. code-block:: bash - $ cd ~ - $ tar xvf EasyRSA-3.0.7.tgz - $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder + $ cd ~ + $ tar xvf EasyRSA-3.0.7.tgz + $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder 3. Create a PKI for OpenVPN server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -143,240 +143,239 @@ Before you can create your OpenVPN server’s private key and certificate, you n To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. -1. Create a ``vars`` file + 1. Create a ``vars`` file -.. code-block:: bash + .. code-block:: bash - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars + $ touch ~/easyrsa/vars + $ cd easyrsa/ + $ editor vars -2. Once the file is opened, paste in the following two lines + 2. Once the file is opened, paste in the following two lines -.. code-block:: bash + .. code-block:: bash - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" + set_var EASYRSA_ALGO "ec" + set_var EASYRSA_DIGEST "sha512" -These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. + These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. -In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. + In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. -3. Initialize the PKI + 3. Initialize the PKI -Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: + Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: -.. code-block:: bash + .. code-block:: bash - $ ./easyrsa init-pki + $ ./easyrsa init-pki -After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. + After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. 4. Create ``server.req`` and ``server.key`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. + Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. -In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. + In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. -.. tip:: + .. tip:: - Configuration notes from OpenVPN: + Configuration notes from OpenVPN: - 1. The server, and each client, must have their own cert and key - file. The server and all clients will use the same CA file. - 2. Server certificate should have the following: + 1. The server, and each client, must have their own cert and key + file. The server and all clients will use the same CA file. + 2. Server certificate should have the following: - - ``keyUsage: digitalSignature, keyEncipherment`` + - ``keyUsage: digitalSignature, keyEncipherment`` - - ``extendedKeyUsage: serverAuth`` + - ``extendedKeyUsage: serverAuth`` -1. Create the signing request for the server + 1. Create the signing request for the server -Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: + Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: -.. code-block:: bash + .. code-block:: bash - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass + $ cd easyrsa/ + $ ./easyrsa gen-req server nopass -This will create a private key for the server and a certificate request file called ``server.req``. + This will create a private key for the server and a certificate request file called ``server.req``. -Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. + Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. -2. Copy the key to the OpenVPN server directory + 2. Copy the key to the OpenVPN server directory -.. code-block:: bash + .. code-block:: bash - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ + $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ -After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. + After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. -.. tip:: + .. tip:: - File extensions for certificate signing requests + File extensions for certificate signing requests - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. + The file extension that is adopted by the CA and HSM tutorial + indicates the creation of a ``.csr`` file, however Easy-RSA creates + certificate signing requests with a ``.req`` extension. - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. + We will use interchangeably both extensions, while making sure that + we transfer the right files to the Certificate Authority, and + generate a final certificate with a ``.crt`` extension. -In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. + In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. 5. Sign and retrieve ``server.crt`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The following instructions require the transfer of the ``server.req`` -(or ``server.csr``) file to the CA system. + The following instructions require the transfer of the ``server.req`` + (or ``server.csr``) file to the CA system. -The transfer itself is not security sensitive, though it is wise to verify if the received file matches the sender’s copy, if the transport is untrusted. + The transfer itself is not security sensitive, though it is wise to verify if the received file matches the sender’s copy, if the transport is untrusted. -In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. + In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. -5.1. Sign the ``server.req`` file -''''''''''''''''''''''''''''''''' + 1. Sign the ``server.req`` file -On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. + On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. -First we start by plugging the HSM Nitrokey, and enter this instruction for listing the keys available. + First we start by plugging the HSM Nitrokey, and enter this instruction for listing the keys available. -1. Query the list of available devices + 1. Query the list of available devices -.. code-block:: bash + .. code-block:: bash - $ p11tool --list-all + $ p11tool --list-all - **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. + **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. -- The key’s URI should be in this format: + .. note:: + The key’s URI should be in this format: -.. code-block:: bash + .. code-block:: bash - pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private -2. Create ``openvpn/`` directory under ``certificate-authority/`` + 2. Create ``openvpn/`` directory under ``certificate-authority/`` -.. code-block:: bash + .. code-block:: bash - $ mkdir/opt/certificate-authority/ - $ cd /opt/certificate-authority/ + $ mkdir/opt/certificate-authority/ + $ cd /opt/certificate-authority/ -3. Sign the ``server.req`` + 3. Sign the ``server.req`` -.. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt -5.2. Retrieve the ``server.crt`` file to the server machine -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + 2. Retrieve the ``server.crt`` file to the server machine -1. Transfer the signed certificates to the server + 1. Transfer the signed certificates to the server -From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: + From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: -.. code-block:: bash + .. code-block:: bash - $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp + $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp -2. Place the certificates on the server’s directory + 2. Place the certificates on the server’s directory -.. code-block:: bash + .. code-block:: bash - $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server + $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server -.. warning:: + .. warning:: - CA Certificate and ``chain.crt`` + CA Certificate and ``chain.crt`` - In the above, the CA returns the signed sever certificate, and - includes the CA certificate ``CA.crt`` which is the ``chain.crt`` - file. This can be done over an insecure channel, though the client is - encouraged to confirm if the received ``chain.crt`` is valid, if the - transport is untrusted. + In the above, the CA returns the signed sever certificate, and + includes the CA certificate ``CA.crt`` which is the ``chain.crt`` + file. This can be done over an insecure channel, though the client is + encouraged to confirm if the received ``chain.crt`` is valid, if the + transport is untrusted. - It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on - the target machine, however we will use ``chain.crt`` in the next - instructions. + It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on + the target machine, however we will use ``chain.crt`` in the next + instructions. 6. Configure the OpenVPN server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: + A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: -.. code-block:: bash + :: - OpenVPN server + OpenVPN server - - The root certificate file (CA.crt or chain.crt in our setup) - - Server certificate - - Server key - - Diffie Hellman Parameters (optional) + - The root certificate file (CA.crt or chain.crt in our setup) + - Server certificate + - Server key + - Diffie Hellman Parameters (optional) -On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: + On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: -.. code-block:: bash + .. code-block:: bash - # OpenVPN Server Certificate - CA, server key and certificate - ca chain.crt - cert server.crt - key server.key + # OpenVPN Server Certificate - CA, server key and certificate + ca chain.crt + cert server.crt + key server.key -Here is the configuration file we can use for testing these instructions: + Here is the configuration file we can use for testing these instructions: -.. code-block:: bash + .. code-block:: bash - port 1194 - proto udp - dev tun - ca ca.crt - cert server.crt - key server.key # This file should be kept secret - dh dh.pem - server 10.8.0.0 255.255.255.0 - push "redirect-gateway def1 bypass-dhcp" - push "dhcp-option DNS 208.67.222.222" - push "dhcp-option DNS 208.67.220.220" - keepalive 10 120 - tls-auth ta.key 0 # This file is secret - cipher AES-256-CBC - user nobody - group nogroup - persist-key - persist-tun - status /var/log/openvpn/openvpn-status.log - log /var/log/openvpn/openvpn.log - log-append /var/log/openvpn/openvpn.log - verb 3 - explicit-exit-notify 1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - -To test if the configuration functions properly, we can use this command: + port 1194 + proto udp + dev tun + ca ca.crt + cert server.crt + key server.key # This file should be kept secret + dh dh.pem + server 10.8.0.0 255.255.255.0 + push "redirect-gateway def1 bypass-dhcp" + push "dhcp-option DNS 208.67.222.222" + push "dhcp-option DNS 208.67.220.220" + keepalive 10 120 + tls-auth ta.key 0 # This file is secret + cipher AES-256-CBC + user nobody + group nogroup + persist-key + persist-tun + status /var/log/openvpn/openvpn-status.log + log /var/log/openvpn/openvpn.log + log-append /var/log/openvpn/openvpn.log + verb 3 + explicit-exit-notify 1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version -.. code-block:: bash + To test if the configuration functions properly, we can use this command: + + .. code-block:: bash - $ sudo openvpn --server --config server.conf + $ sudo openvpn --server --config server.conf 7. Start the OpenVPN service on the server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enable the OpenVPN service by adding it to systemctl, and start it using these commands: + Enable the OpenVPN service by adding it to systemctl, and start it using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl -f enable openvpn@server - $ sudo systemctl start openvpn@server + $ sudo systemctl -f enable openvpn@server + $ sudo systemctl start openvpn@server -To Double check if the OpenVPN service is active use this command: + To Double check if the OpenVPN service is active use this command: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl status openvpn@server + $ sudo systemctl status openvpn@server -The OpenVPN should be running at this point. + The OpenVPN should be running at this point. -------------- @@ -386,298 +385,298 @@ Client side configuration 1. Install OpenVPN and Easy-RSA ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -1. Install the software + 1. Install the software -We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 + We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 -.. code-block:: bash + .. code-block:: bash - $ sudo dnf install openvpn easy-rsa + $ sudo dnf install openvpn easy-rsa -2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` + 2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/easyrsa + $ mkdir ~/easyrsa -3. And link it to the Easy RSA package we just installed + 3. And link it to the Easy RSA package we just installed -.. code-block:: bash + .. code-block:: bash - $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ + $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ 2. Create a PKI for the OpenVPN client ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. + In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. 3. Create a ``client.req`` and ``client.key`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` -file and the ``client.key`` file. The latter must be kept secret on the client machine. + In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` + file and the ``client.key`` file. The latter must be kept secret on the client machine. 4. Sign ``client.req`` and issue the ``client.crt`` file ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. + To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. -Once transferred, on the CA machine we sign the certificate signing request file with this command + Once transferred, on the CA machine we sign the certificate signing request file with this command -.. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt 5. Import ``client.crt`` on the Nitrokey from the CA machine ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: + After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: -.. code-block:: bash + .. code-block:: bash - $ pkcs15-init --store-certificate client.crt --id 3 + $ pkcs15-init --store-certificate client.crt --id 3 -You can see if the key is effectively stored on the Nitrokey using this command: + You can see if the key is effectively stored on the Nitrokey using this command: -.. code-block:: bash + .. code-block:: bash - $ pkcs15-tool -c + $ pkcs15-tool -c -Or alternatively + Or alternatively -.. code-block:: bash + .. code-block:: bash - $ pkcs11-tool --list-objects + $ pkcs11-tool --list-objects -Fore more commands you can refer to the `OpenSC wiki `__. + Fore more commands you can refer to the `OpenSC wiki `__. 6. Retrieve the ``chain.crt`` file from the CA machine ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. + While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. 7. Configure the client to interact with the Nitrokey ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: + Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: -.. code-block:: bash + :: - OpenVPN client - - The root certificate file (`chain.crt`) - - Client certificate - - Client key + OpenVPN client + - The root certificate file (`chain.crt`) + - Client certificate + - Client key -For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: + For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: -.. code-block:: bash + .. code-block:: bash - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - -1. Determine the correct object - -Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version -.. code-block:: bash + 1. Determine the correct object - $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so + Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: - The following objects are available for use. - Each object shown below may be used as parameter to + .. code-block:: bash - --pkcs11-id option please remember to use single quote mark. + $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so - Certificate - DN: CN=client - Serial: E53DA75C5B8F1518F520BCEF0128C09F - Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 + The following objects are available for use. + Each object shown below may be used as parameter to -Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. + --pkcs11-id option please remember to use single quote mark. -.. code-block:: bash + Certificate + DN: CN=client + Serial: E53DA75C5B8F1518F520BCEF0128C09F + Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. -2. Add retrieved Serialized ID to the configuration file + .. code-block:: bash -Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' -.. code-block:: bash + 2. Add retrieved Serialized ID to the configuration file - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: -For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. + .. code-block:: bash -.. note:: + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - Click to view the code + For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. - .. code-block:: bash + .. note:: - # nitrokey config - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN + Click to view the code -Optional step - + .. code-block:: bash -If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: + # nitrokey config + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN -.. note:: + Optional step + - Click to view the code + If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: - .. code-block:: bash + .. note:: - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 + Click to view the code -3. Configure the OpenVPN client + .. code-block:: bash -The final configuration file ``client.conf`` should look like this one: + # non_nitrokey login + + # cert client.crt + # key client.key + # tls-auth ta.key 1 -.. code-block:: bash + 3. Configure the OpenVPN client - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR - - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 - -4. Known issues - -There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. + The final configuration file ``client.conf`` should look like this one: + + .. code-block:: bash + + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version + + # nitrokey login + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN + + # OR + + # non_nitrokey login + + # cert client.crt + # key client.key + # tls-auth ta.key 1 + + 4. Known issues + + There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. 8. Start the OpenVPN client ^^^^^^^^^^^^^^^^^^^^^^^^^^^ -1. Start the OpenVPN service on the client + 1. Start the OpenVPN service on the client -Enable the OpenVPN service, and start it using these commands: + Enable the OpenVPN service, and start it using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl -f enable openvpn-server@server.service - $ sudo systemctl start openvpn-server@server.service + $ sudo systemctl -f enable openvpn-server@server.service + $ sudo systemctl start openvpn-server@server.service -To double check if the OpenVPN service is active use this command: + To double check if the OpenVPN service is active use this command: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl status openvpn-server@server.service + $ sudo systemctl status openvpn-server@server.service -2. Enter your User PIN + 2. Enter your User PIN -When executing OpenVPN client, Nitrokey’s PIN needs to be entered: + When executing OpenVPN client, Nitrokey’s PIN needs to be entered: -.. code-block:: bash + :: - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ****** + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ****** -.. warning:: - - Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ + .. warning:: + + Unfortunately OpenVPN doesn’t seem to be able to establish a handshake and stops at an error as reported `here `__, `here `__ and `here `__ -.. code-block:: bash - - This is what the error output looks like: - - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ******`` - Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` - Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` - Fri Sep 11 17:42:12 2020 UDP link local: (not bound) - Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 - Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay - Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA - Fri Sep 11 17:42:12 2020 VERIFY KU OK - Fri Sep 11 17:42:12 2020 Validating certificate extended key usage - Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication - Fri Sep 11 17:42:12 2020 VERIFY EKU OK - Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server - Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib - Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error - Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error - Fri Sep 11 17:42:12 2020 TLS Error: TLS handshake failed - Fri Sep 11 17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting - Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) - -In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: + :: + + This is what the error output looks like: -.. code-block:: bash + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ******`` + Fri Sep 11 17:42:12 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.157.180.240:1194`` + Fri Sep 11 17:42:12 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]`` + Fri Sep 11 17:42:12 2020 UDP link local: (not bound) + Fri Sep 11 17:42:12 2020 UDP link remote: [AF_INET]18.157.180.240:1194 + Fri Sep 11 17:42:12 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay + Fri Sep 11 17:42:12 2020 TLS: Initial packet from [AF_INET]18.157.180.240:1194, sid=d79690cf 9e38ce89 + Fri Sep 11 17:42:12 2020 VERIFY OK: depth=1, CN=server_CA + Fri Sep 11 17:42:12 2020 VERIFY KU OK + Fri Sep 11 17:42:12 2020 Validating certificate extended key usage + Fri Sep 11 17:42:12 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication + Fri Sep 11 17:42:12 2020 VERIFY EKU OK + Fri Sep 11 17:42:12 2020 VERIFY OK: depth=0, CN=server + Fri Sep 11 17:42:12 2020 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib + Fri Sep 11 17:42:12 2020 TLS_ERROR: BIO read tls_read_plaintext error + Fri Sep 11 17:42:12 2020 TLS Error: TLS object -> incoming plaintext read error + Fri Sep 11 17:42:12 2020 TLS Error: TLS handshake failed + Fri Sep 11 17:42:12 2020 SIGUSR1[soft,tls-error] received, process restarting + Fri Sep 11 17:42:12 2020 Restart pause, 5 second(s) + + In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: + + :: - $ telnet 8888 password 'User PIN (OpenPGP card) token' + $ telnet 8888 password 'User PIN (OpenPGP card) token' -Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. + Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. -Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. + Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. diff --git a/pro/windows/openvpn-easyrsa.rst b/pro/windows/openvpn-easyrsa.rst index cd7df30537..5131a6e41c 100644 --- a/pro/windows/openvpn-easyrsa.rst +++ b/pro/windows/openvpn-easyrsa.rst @@ -61,322 +61,320 @@ Server side 1. Install OpenVPN ^^^^^^^^^^^^^^^^^^ -1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file + 1. First we need to enable IP Forwarding by editing ``/etc/sysctl.conf`` file -.. code-block:: bash + .. code-block:: bash - $ editor /etc/sysctl.conf + $ editor /etc/sysctl.conf -2. Uncomment or edit accordingly the following line + 2. Uncomment or edit accordingly the following line -.. code-block:: bash + .. code-block:: bash - net.ipv4.ip_forward=1 + net.ipv4.ip_forward=1 -3. Close after saving it, and enter this command + 3. Close after saving it, and enter this command -.. code-block:: bash + .. code-block:: bash - $ sysctl -p + $ sysctl -p -Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: + Once IP forwarding is done, we will need to download the latest release of OpenvPN for our Debian 10 server, according to `these instructions `__: -4. Change to root and download the GPG key that signed the package + 4. Change to root and download the GPG key that signed the package -.. code-block:: bash + .. code-block:: bash - $ sudo -s - # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add - + $ sudo -s + # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - -5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file + 5. Add the URL of the adequate OpenVPN packages to the ``sources.list`` file -.. code-block:: bash + .. code-block:: bash - # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list - # exit + # echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list + # exit -We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version -2.4.8 `__ to login. + We downloaded OpenVPN 2.5 as “password prompt” requires at least OpenVPN `version + 2.4.8 `__ to login. -6. Next we download OpenVPN + 6. Next we download OpenVPN -.. code-block:: bash + .. code-block:: bash - $ sudo apt install openvpn + $ sudo apt install openvpn -If you want to check the version, it possible by calling ``--version`` -and print the following: + If you want to check the version, it possible by calling ``--version`` + and print the following: -.. code-block:: bash + :: - $ sudo openvpn --version - OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 - library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 - Originally developed by James Yonan - Copyright (C) 2002-2018 OpenVPN Inc - Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no + $ sudo openvpn --version + OpenVPN 2.5_beta3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 1 2020 + library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 + Originally developed by James Yonan + Copyright (C) 2002-2018 OpenVPN Inc + Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no \ enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes \ enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no \ enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no \ enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no \ enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes \ with_mem_check=no with_sysroot=no 2. Install Easy-RSA ^^^^^^^^^^^^^^^^^^^ -To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: + To build the PKI, we will download the latest version of Easy-RSA on the server and client machines. To get the latest release, go to the `Releases page on the official EasyRSA GitHub project `__, copy the download link for the file ending in ``.tgz``, and then paste it into the following command: -1. Download the latest release + 1. Download the latest release -.. code-block:: bash + .. code-block:: bash - $ cd ~ - wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz + $ cd ~ + $ wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz -2. Extract the tarball + 2. Extract the tarball -.. code-block:: bash + .. code-block:: bash - $ cd ~ - $ tar xvf EasyRSA-3.0.7.tgz - $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder + $ cd ~ + $ tar xvf EasyRSA-3.0.7.tgz + $ mv EasyRSA-3.0.7/ easyrsa/ # rename folder 3. Create a PKI for OpenVPN server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. + Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests, instead of making them directly on your CA server. -To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. + To build a PKI directory on your OpenVPN server, you’ll need to populate a file called ``vars`` with some default values. -1. Create a ``vars`` file + 1. Create a ``vars`` file -.. code-block:: bash + .. code-block:: bash - $ touch ~/easyrsa/vars - $ cd easyrsa/ - $ editor vars + $ touch ~/easyrsa/vars + $ cd easyrsa/ + $ editor vars -2. Once the file is opened, paste in the following two lines + 2. Once the file is opened, paste in the following two lines -.. code-block:: bash + .. code-block:: bash - set_var EASYRSA_ALGO "ec" - set_var EASYRSA_DIGEST "sha512" + set_var EASYRSA_ALGO "ec" + set_var EASYRSA_DIGEST "sha512" -These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. + These are the only two lines that you need in this ``vars`` file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use Elliptic Curve Cryptography (ECC) to generate keys, and secure signatures for your clients and OpenVPN server. -In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. + In regards to the choice of the cryptographic algorithms, I follow the model in `this tutorial `__, and you can customize these according to your specific needs. -3. Initialize the PKI + 3. Initialize the PKI -Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: + Once you have populated the ``vars`` file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option: -.. code-block:: bash + .. code-block:: bash - $ ./easyrsa init-pki + $ ./easyrsa init-pki -After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. + After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key. 4. Create ``server.req`` and ``server.key`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. + Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a key pair composed of a private key (to keep secret), and a Certificate Signing Request (``.csr``) on your OpenVPN server. -In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. + In general terms, on systems where we generate a key and request, these files are left unencrypted by using the ``nopass`` argument, since servers usually need to start up without any password input. This generates an *unencrypted key*, so mind *protect its access and file permissions* carefully. -.. tip:: + .. tip:: - Configuration notes from OpenVPN: + Configuration notes from OpenVPN: - 1. The server, and each client, must have their own cert and key - file. The server and all clients will use the same CA file. - 2. Server certificate should have the following: + 1. The server, and each client, must have their own cert and key + file. The server and all clients will use the same CA file. + 2. Server certificate should have the following: - - ``keyUsage: digitalSignature, keyEncipherment`` + - ``keyUsage: digitalSignature, keyEncipherment`` - - ``extendedKeyUsage: serverAuth`` + - ``extendedKeyUsage: serverAuth`` -1. Create the signing request for the server + 1. Create the signing request for the server -Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: + Navigate to the ``~/easyrsa`` directory on your OpenVPN Server as your non-root user, and enter the following commands: -.. code-block:: bash + .. code-block:: bash - $ cd easyrsa/ - $ ./easyrsa gen-req server nopass + $ cd easyrsa/ + $ ./easyrsa gen-req server nopass -This will create a private key for the server and a certificate request file called ``server.req``. + This will create a private key for the server and a certificate request file called ``server.req``. -Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. + Once you have a signed certificate, you’ll transfer it back to the OpenVPN server. -2. Copy the key to the OpenVPN server directory + 2. Copy the key to the OpenVPN server directory -.. code-block:: bash + .. code-block:: bash - $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ + $ sudo cp /home/admin/EasyRSA/pki/private/server.key /etc/openvpn/server/ -After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. + After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. -.. tip:: + .. tip:: - File extensions for certificate signing requests + File extensions for certificate signing requests - The file extension that is adopted by the CA and HSM tutorial - indicates the creation of a ``.csr`` file, however Easy-RSA creates - certificate signing requests with a ``.req`` extension. + The file extension that is adopted by the CA and HSM tutorial + indicates the creation of a ``.csr`` file, however Easy-RSA creates + certificate signing requests with a ``.req`` extension. - We will use interchangeably both extensions, while making sure that - we transfer the right files to the Certificate Authority, and - generate a final certificate with a ``.crt`` extension. + We will use interchangeably both extensions, while making sure that + we transfer the right files to the Certificate Authority, and + generate a final certificate with a ``.crt`` extension. -In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. + In the next section of this guide, we will sign a ``.req`` file with our CA on deployed on the HSM 2 device. For this purpose, I will use a dedicated machine to sign the requests. 5. Sign and retrieve ``server.crt`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The following instructions require the transfer of the ``server.req`` -(or ``server.csr``) file to the CA system. + The following instructions require the transfer of the ``server.req`` + (or ``server.csr``) file to the CA system. -The transfer itself is not security sensitive, though it is wise to verify if the received file matches the sender’s copy, if the transport is untrusted. + The transfer itself is not security sensitive, though it is wise to verify if the received file matches the sender’s copy, if the transport is untrusted. -In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. + In order to go through these steps, I will extensively rely on `these instructions `_, to sign the certificate signing requests, once we generated them with Easy-RSA. -5.1. Sign the ``server.req`` file -''''''''''''''''''''''''''''''''' + 1. Sign the ``server.req`` file -On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. + On the local machine dedicated to access the HSM, we will use the tools provided by Opensc 0.20 in order to sign the ``.req`` file, and send it back to the OpenVPN server. We assume we have transferred the file from the server machine to the CA machine. -First we start by plugging the HSM Nitrokey, and enter this instruction for listing the keys available. + First we start by plugging the HSM Nitrokey, and enter this instruction for listing the keys available. -1. Query the list of available devices + 1. Query the list of available devices -.. code-block:: bash + :: - $ p11tool --list-all + $ p11tool --list-all - **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. + **(Required step)** If this is the first time you sign a certificate with the CA, you might want to retrieve the URI of the CA’s private key from the HSM, and include it in the config file. -- The key’s URI should be in this format: + - The key’s URI should be in this format: -.. code-block:: bash + :: - pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private + pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%E0%16%1C%C8%B6%F5%D6%6A%C6%83%5E%CD%EC%B6%23%FC%05%06%A6%75;object=root;type=private -2. Create ``openvpn/`` directory under ``certificate-authority/`` + 2. Create ``openvpn/`` directory under ``certificate-authority/`` -.. code-block:: bash + .. code-block:: bash - $ mkdir/opt/certificate-authority/ - $ cd /opt/certificate-authority/ + $ mkdir/opt/certificate-authority/ + $ cd /opt/certificate-authority/ -3. Sign the ``server.req`` + 3. Sign the ``server.req`` -.. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in server.req -out /home/user/pki/issued/server.crt -5.2. Retrieve the ``server.crt`` file to the server machine -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + 2. Retrieve the ``server.crt`` file to the server machine -1. Transfer the signed certificates to the server + 1. Transfer the signed certificates to the server -From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: + From the CA machine, copy the files ``server.crt`` and ``chain.crt`` to the OpenVPN server. In this example we will use the ``scp`` command as following: -.. code-block:: bash + .. code-block:: bash - $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp + $ scp openvpn/{server.crt,chain.crt} admin@your_openvpnserver_ip:/tmp -2. Place the certificates on the server’s directory + 2. Place the certificates on the server’s directory -.. code-block:: bash + .. code-block:: bash - $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server + $ mv /tmp/{server.crt,chain.crt} /etc/openvpn/server -.. warning:: + .. warning:: - CA Certificate and ``chain.crt`` + CA Certificate and ``chain.crt`` - In the above, the CA returns the signed sever certificate, and - includes the CA certificate ``CA.crt`` which is the ``chain.crt`` - file. This can be done over an insecure channel, though the client is - encouraged to confirm if the received ``chain.crt`` is valid, if the - transport is untrusted. + In the above, the CA returns the signed sever certificate, and + includes the CA certificate ``CA.crt`` which is the ``chain.crt`` + file. This can be done over an insecure channel, though the client is + encouraged to confirm if the received ``chain.crt`` is valid, if the + transport is untrusted. - It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on - the target machine, however we will use ``chain.crt`` in the next - instructions. + It is possible to rename the file ``chain.crt`` file to ``CA.crt`` on + the target machine, however we will use ``chain.crt`` in the next + instructions. 6. Configure the OpenVPN server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: + A connection that uses TLS requires multiple `certificates and keys for authentication `__. Now that we issued and signed those, we can place them in the right directories. The breakdown of the certificates and keys that must be located at the root directory are the following: -.. code-block:: bash + :: - OpenVPN server + OpenVPN server - - The root certificate file (CA.crt or chain.crt in our setup) - - Server certificate - - Server key - - Diffie Hellman Parameters (optional) + - The root certificate file (CA.crt or chain.crt in our setup) + - Server certificate + - Server key + - Diffie Hellman Parameters (optional) -On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: + On your OpenVPN server, now you can create the configuration file ``server.conf`` with your favorite text editor. The file can be configured according to your needs, while we make sure to change the server certificate and key sections according the names you chose for the your the files we signed: -.. code-block:: bash + .. code-block:: bash - # OpenVPN Server Certificate - CA, server key and certificate - ca chain.crt - cert server.crt - key server.key + # OpenVPN Server Certificate - CA, server key and certificate + ca chain.crt + cert server.crt + key server.key -Here is the configuration file we can use for testing these instructions: + Here is the configuration file we can use for testing these instructions: -.. code-block:: bash + .. code-block:: bash - port 1194 - proto udp - dev tun - ca ca.crt - cert server.crt - key server.key # This file should be kept secret - dh dh.pem - server 10.8.0.0 255.255.255.0 - push "redirect-gateway def1 bypass-dhcp" - push "dhcp-option DNS 208.67.222.222" - push "dhcp-option DNS 208.67.220.220" - keepalive 10 120 - tls-auth ta.key 0 # This file is secret - cipher AES-256-CBC - user nobody - group nogroup - persist-key - persist-tun - status /var/log/openvpn/openvpn-status.log - log /var/log/openvpn/openvpn.log - log-append /var/log/openvpn/openvpn.log - verb 3 - explicit-exit-notify 1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - -To test if the configuration functions properly, we can use this command: + port 1194 + proto udp + dev tun + ca ca.crt + cert server.crt + key server.key # This file should be kept secret + dh dh.pem + server 10.8.0.0 255.255.255.0 + push "redirect-gateway def1 bypass-dhcp" + push "dhcp-option DNS 208.67.222.222" + push "dhcp-option DNS 208.67.220.220" + keepalive 10 120 + tls-auth ta.key 0 # This file is secret + cipher AES-256-CBC + user nobody + group nogroup + persist-key + persist-tun + status /var/log/openvpn/openvpn-status.log + log /var/log/openvpn/openvpn.log + log-append /var/log/openvpn/openvpn.log + verb 3 + explicit-exit-notify 1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version -.. code-block:: bash + To test if the configuration functions properly, we can use this command: - $ sudo openvpn --server --config server.conf + .. code-block:: bash + + $ sudo openvpn --server --config server.conf 7. Start the OpenVPN service on the server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enable the OpenVPN service by adding it to systemctl, and start it using these commands: + Enable the OpenVPN service by adding it to systemctl, and start it using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl -f enable openvpn@server - $ sudo systemctl start openvpn@server + $ sudo systemctl -f enable openvpn@server + $ sudo systemctl start openvpn@server -To Double check if the OpenVPN service is active use this command: + To Double check if the OpenVPN service is active use this command: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl status openvpn@server + $ sudo systemctl status openvpn@server -The OpenVPN should be running at this point. + The OpenVPN should be running at this point. -------------- @@ -386,291 +384,291 @@ Client side configuration 1. Install OpenVPN and Easy-RSA ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -1. Install the software + 1. Install the software -We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 + We can use directly ``dnf install`` to install OpenVPN 2.4.9 and Easy-RSA 3.0.7 -.. code-block:: bash + .. code-block:: bash - $ sudo dnf install openvpn easy-rsa + $ sudo dnf install openvpn easy-rsa -2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` + 2. Then we create as non-root a directory for Easy RSA called ``Easy-RSA`` -.. code-block:: bash + .. code-block:: bash - $ mkdir ~/easyrsa + $ mkdir ~/easyrsa -3. And link it to the Easy RSA package we just installed + 3. And link it to the Easy RSA package we just installed -.. code-block:: bash + .. code-block:: bash - $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ + $ ln -s /usr/share/easy-rsa/3/* ~/easyrsa/ 2. Create a PKI for the OpenVPN client ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. + In the same manner we created a PKI on the OpenVPN server, we will create a PKI using Easy-RSA on the client side. 3. Create a ``client.req`` and ``client.key`` ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` -file and the ``client.key`` file. The latter must be kept secret on the client machine. + In the same manner we issued the key pair on the sever, we generate a key pair for the client which will be composed of the ``client.req`` + file and the ``client.key`` file. The latter must be kept secret on the client machine. 4. Sign ``client.req`` and issue the ``client.crt`` file ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. + To transfer the ``client.req`` file to the CA machine, we will use the same method as we did for the ``server.req`` file. -Once transferred, on the CA machine we sign the certificate signing request file with this command + Once transferred, on the CA machine we sign the certificate signing request file with this command -.. code-block:: bash + .. code-block:: bash - $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt + $ openssl ca -config sign_server_csrs.ini -engine pkcs11 -keyform engine -days 375 -notext -md sha512 -create_serial -in client.req -out /home/user/pki/issued/client.crt 5. Import ``client.crt`` on the Nitrokey from the CA machine ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: + After creating the ``client.crt`` file, we plug the Nitrokey Pro 2 device in the CA machine, and import the ``.crt`` to the Pro 2 device using this command: -.. code-block:: bash + .. code-block:: bash - $ pkcs15-init --store-certificate client.crt --id 3 + $ pkcs15-init --store-certificate client.crt --id 3 -You can see if the key is effectively stored on the Nitrokey using this command: + You can see if the key is effectively stored on the Nitrokey using this command: -.. code-block:: bash + .. code-block:: bash - $ pkcs15-tool -c + $ pkcs15-tool -c -Or alternatively + Or alternatively -.. code-block:: bash + .. code-block:: bash - $ pkcs11-tool --list-objects + $ pkcs11-tool --list-objects -Fore more commands you can refer to the `OpenSC wiki `__. + Fore more commands you can refer to the `OpenSC wiki `__. 6. Retrieve the ``chain.crt`` file from the CA machine ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. + While we keep the ``client.crt``\ stored on the nitrokey Pro 2 device, we must retrieve the ``chain.crt`` file on the client machine, and store it in the adequate directory. We may use ``scp`` as in the method explained in the server section of this guide. 7. Configure the client to interact with the Nitrokey ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: + Now back on the client machine, we will plug the Nitrokey Pro and use it to establish the VPN connection with the server. In general terms, a connection that uses TLS requires multiple certificates and keys for authentication: -.. code-block:: bash + :: - OpenVPN client - - The root certificate file (`chain.crt`) - - Client certificate - - Client key + OpenVPN client + - The root certificate file (`chain.crt`) + - Client certificate + - Client key -For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: + For this guide we can the following ``client.conf`` file, and add the required options to it accordingly: -.. code-block:: bash + .. code-block:: bash - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - -1. Determine the correct object - -Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version -.. code-block:: bash + 1. Determine the correct object - $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so + Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command: - The following objects are available for use. - Each object shown below may be used as parameter to + .. code-block:: bash - --pkcs11-id option please remember to use single quote mark. + $ openvpn --show-pkcs11-ids /usr/lib64/pkcs11/opensc-pkcs11.so - Certificate - DN: CN=client - Serial: E53DA75C5B8F1518F520BCEF0128C09F - Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 + The following objects are available for use. + Each object shown below may be used as parameter to -Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. + --pkcs11-id option please remember to use single quote mark. -.. code-block:: bash + Certificate + DN: CN=client + Serial: E53DA75C5B8F1518F520BCEF0128C09F + Serialized id: pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03 - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + Each certificate/private key pair have unique ``Serialized id`` string. The serialized id string of the requested certificate should be specified, in the configuration file. We can do this by adding the ``pkcs11-id`` option using single quote marks. -2. Add retrieved Serialized ID to the configuration file + .. code-block:: bash -Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' -.. code-block:: bash + 2. Add retrieved Serialized ID to the configuration file - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + Using your favorite text editor, open the server.conf file, and add the following lines, while taking care to insert your own ``Serialized id``: -For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. + .. code-block:: bash -.. note:: + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - Click to view the code + For additional `settings related to OpenVPN `__ authentication, you may also add few lines to handle key maganagement, although it is optional. - .. code-block:: bash + .. note:: - # nitrokey config - - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN + Click to view the code -Optional step - + .. code-block:: bash -If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: + # nitrokey config + + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN -.. note:: + Optional step + - Click to view the code + If you need to test the configuration, with and without the token on the Nitrokey, you may add lines to the same ``client.conf`` and comment/uncomment the relevant lines according to your needs: - .. code-block:: bash + .. note:: - # non_nitrokey login - - # cert client.crt - # key client.key - # tls-auth ta.key 1 + Click to view the code -3. Configure the OpenVPN client + .. code-block:: bash -The final configuration file ``client.conf`` should look like this one: + # non_nitrokey login + + # cert client.crt + # key client.key + # tls-auth ta.key 1 -.. code-block:: bash + 3. Configure the OpenVPN client - client - dev tun - proto udp - remote 1194 - resolv-retry infinite - nobind - user nobody - group nobody - persist-key - persist-tun - ca ca.crt - remote-cert-tls server - cipher AES-256-CBC - verb 3 - redirect-gateway def1 - tls-version-min 1.2 # Lower boundary for TLS version - tls-version-max 1.2 # Higher boundary for TLS version - - # nitrokey login + The final configuration file ``client.conf`` should look like this one: - pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so - pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' - # pkcs11-pin-cache 300 - # daemon - # auth-retry nointeract - # management-hold - # management-signal - # management 127.0.0.1 8888 - # management-query-passwords - pkcs11-cert-private 1 # Prompt for PIN - - # OR + .. code-block:: bash - # non_nitrokey login + client + dev tun + proto udp + remote 1194 + resolv-retry infinite + nobind + user nobody + group nobody + persist-key + persist-tun + ca ca.crt + remote-cert-tls server + cipher AES-256-CBC + verb 3 + redirect-gateway def1 + tls-version-min 1.2 # Lower boundary for TLS version + tls-version-max 1.2 # Higher boundary for TLS version + + # nitrokey login - # cert client.crt - # key client.key - # tls-auth ta.key 1 + pkcs11-providers /usr/lib64/pkcs11/opensc-pkcs11.so + pkcs11-id 'pkcs11:model=pkcs11:model=PKCS%NNNN%20emulated;token=User%20PIN%20%28OpenPGP%20card%29;manufacturer=ZeitControl;serial=000NNNNNN;id=%03' + # pkcs11-pin-cache 300 + # daemon + # auth-retry nointeract + # management-hold + # management-signal + # management 127.0.0.1 8888 + # management-query-passwords + pkcs11-cert-private 1 # Prompt for PIN + + # OR -4. Configure OpenVPN + # non_nitrokey login -In order to establish a handshake, you must configure OpenSSL included in OpenVPN. + # cert client.crt + # key client.key + # tls-auth ta.key 1 -Create the directory ``ssl`` in ``C:\Program Files\OpenVPN`` and create file ``openssl.cnf`` with the following content : + 4. Configure OpenVPN - openssl_conf = default_conf - - [ default_conf ] - ssl_conf = ssl_sect + In order to establish a handshake, you must configure OpenSSL included in OpenVPN. - [ ssl_sect ] - system_default = ssl_default_sect + Create the directory ``ssl`` in ``C:\Program Files\OpenVPN`` and create file ``openssl.cnf`` with the following content : - [ ssl_default_sect ] - SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256 - MaxProtocol = TLSv1.2 - MinProtocol = TLSv1.2 + openssl_conf = default_conf + + [ default_conf ] + ssl_conf = ssl_sect + [ ssl_sect ] + system_default = ssl_default_sect -With this modification, you will not have error as reported `here `__, `here `__ and `here `__ + [ ssl_default_sect ] + SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512:RSA+SHA384:ECDSA+SHA384:RSA+SHA256:ECDSA+SHA256 + MaxProtocol = TLSv1.2 + MinProtocol = TLSv1.2 + With this modification, you will not have error as reported `here `__, `here `__ and `here `__ -5. Known issues -There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. + + 5. Known issues + + There are some known issues related to OpenVPN login with OpenSC. Please consult these issues `here `__. 8. Start the OpenVPN client ^^^^^^^^^^^^^^^^^^^^^^^^^^^ -1. Start the OpenVPN service on the client + 1. Start the OpenVPN service on the client -Enable the OpenVPN service, and start it using these commands: + Enable the OpenVPN service, and start it using these commands: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl -f enable openvpn-server@server.service - $ sudo systemctl start openvpn-server@server.service + $ sudo systemctl -f enable openvpn-server@server.service + $ sudo systemctl start openvpn-server@server.service -To double check if the OpenVPN service is active use this command: + To double check if the OpenVPN service is active use this command: -.. code-block:: bash + .. code-block:: bash - $ sudo systemctl status openvpn-server@server.service + $ sudo systemctl status openvpn-server@server.service -2. Enter your User PIN + 2. Enter your User PIN -When executing OpenVPN client, Nitrokey’s PIN needs to be entered: + When executing OpenVPN client, Nitrokey’s PIN needs to be entered: -.. code-block:: bash + :: - $ sudo openvpn --client --config client.conf - Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 - Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 - Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' - Enter User PIN (OpenPGP card) token Password: ****** + $ sudo openvpn --client --config client.conf + Fri Sep 11 17:42:01 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020 + Fri Sep 11 17:42:01 2020 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 + Fri Sep 11 17:42:01 2020 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/opensc-pkcs11.so' + Enter User PIN (OpenPGP card) token Password: ****** -In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: + In some reported cases it does not prompt for a PIN on the terminal. One workaround would be to use to use this command to login with the PIN: -.. code-block:: bash + :: - $ telnet 8888 password 'User PIN (OpenPGP card) token' + $ telnet 8888 password 'User PIN (OpenPGP card) token' -Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. + Alternatively, you could `recompile OpenVPN `__ client with systemd support disabled, and it will prompt you for the PIN as expected. -Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. + Another option, would be to login to your OpenVPN instance with the Viscosity client which provides a better user experience especially for entering the PIN. diff --git a/pro/windows/openvpn-viscosity.rst b/pro/windows/openvpn-viscosity.rst index 2eba770d17..62bddd0fb8 100644 --- a/pro/windows/openvpn-viscosity.rst +++ b/pro/windows/openvpn-viscosity.rst @@ -39,15 +39,15 @@ Usage 1. Start Viscosity and create a new connection “openVPN” (you can name it as you wish) -.. figure:: ./images/openvpn-viscosity/viscosity-1.jpg - :alt: img1 - :scale: 75 + .. figure:: ./images/openvpn-viscosity/viscosity-1.jpg + :alt: img1 + :scale: 75 2. Right click on the connection and click edit -.. figure:: ./images/openvpn-viscosity/viscosity-2.jpg - :alt: img2 - :scale: 75 + .. figure:: ./images/openvpn-viscosity/viscosity-2.jpg + :alt: img2 + :scale: 75 3. Add your server’s IP address and configure the port according to your configuration. @@ -57,36 +57,36 @@ Usage 5. Select the CA file for your connection -Optional: Select the ``ta.key`` in the ``TLS-Auth`` section + Optional: Select the ``ta.key`` in the ``TLS-Auth`` section -.. figure:: ./images/openvpn-viscosity/viscosity-3.jpg - :alt: img3 - :scale: 75 + .. figure:: ./images/openvpn-viscosity/viscosity-3.jpg + :alt: img3 + :scale: 75 6. Click the Add button next to the Providers field and select the ``PKCS#11`` module for your Nitrokey. Multiple providers can be specified, and for instance we will use ``OpenSC``. -On macOS, the most common location for modules to be found is in the -/usr/lib directory. Please refer to the documentation included with your driver software for the location to use. OpenSC’s module can be found at ``/Library/OpenSC/lib/opensc-pkcs11.so`` + On macOS, the most common location for modules to be found is in the + /usr/lib directory. Please refer to the documentation included with your driver software for the location to use. OpenSC’s module can be found at ``/Library/OpenSC/lib/opensc-pkcs11.so`` -On Windows, the most common location for libraries is either in ``C:\Program Files`` or ``C:\Windows\System32``. OpenSC libraries are generally located at ``C:\Program Files\OpenSC Project\OpenSC\pkcs11``. There may be more than one library available here, you can try each one or simply add both. + On Windows, the most common location for libraries is either in ``C:\Program Files`` or ``C:\Windows\System32``. OpenSC libraries are generally located at ``C:\Program Files\OpenSC Project\OpenSC\pkcs11``. There may be more than one library available here, you can try each one or simply add both. 7. Choose a retrieval method from the Retrieval drop down menu -.. figure:: ./images/openvpn-viscosity/viscosity-4.jpg - :alt: img4 + .. figure:: ./images/openvpn-viscosity/viscosity-4.jpg + :alt: img4 -- If only one Nitrokey will ever be used on this computer, select - ``Use certificate name below``. If the Nitrokey is currently - connected to the computer, click the ``Detect`` button for Viscosity - to automatically fill in the Name field. Otherwise this field can be - completed manually. + - If only one Nitrokey will ever be used on this computer, select + ``Use certificate name below``. If the Nitrokey is currently + connected to the computer, click the ``Detect`` button for Viscosity + to automatically fill in the Name field. Otherwise this field can be + completed manually. -- If in doubt, or if more than one Nitrokey may be used (i.e. multiple - users), then select ``Prompt for certificate name``. + - If in doubt, or if more than one Nitrokey may be used (i.e. multiple + users), then select ``Prompt for certificate name``. -If ``Prompt for certificate name`` was selected, Viscosity will automatically detect the required key on the Nitrokey, using the specified PKCS#11 module/s. Select from any of the found devices, or enter the name of the ``serialized id`` to use manually. Again, the user should be prompted for a password/PIN if required. + If ``Prompt for certificate name`` was selected, Viscosity will automatically detect the required key on the Nitrokey, using the specified PKCS#11 module/s. Select from any of the found devices, or enter the name of the ``serialized id`` to use manually. Again, the user should be prompted for a password/PIN if required. 8. Click the Save button and connect from your the main interface diff --git a/software/nk-app2/keepassxc.rst b/software/nk-app2/keepassxc.rst index acff562d7d..8ea9fe7735 100644 --- a/software/nk-app2/keepassxc.rst +++ b/software/nk-app2/keepassxc.rst @@ -1,6 +1,5 @@ KeePassXC ========= -.. _keepassxc: These instructions describe how to protect and encrypt a `KeePassXC `__ password database with Nitrokey 3. @@ -18,23 +17,23 @@ First Step: Generate a HMAC Secret With the Nitrokey App 2 4. Click on ``ADD`` to create a new credential 5. Select ``HMAC`` from the algorithm drop-down menu -.. note:: + .. note:: - - The credential is automatically named in ``HmacSlot2``. - - No extra attributes can be saved for the HMAC credential. - - The HMAC secret must be *exactly 20 bytes* long and in *Base32* format. That is exactly 32 characters. - - It is possible to save exactly one HMAC secret on a Nitrokey 3. + - The credential is automatically named in ``HmacSlot2``. + - No extra attributes can be saved for the HMAC credential. + - The HMAC secret must be *exactly 20 bytes* long and in *Base32* format. That is exactly 32 characters. + - It is possible to save exactly one HMAC secret on a Nitrokey 3. 6. To generate a secret, there is a button in the field on the right-hand. It is also possible to enter your own secret, as long as it is compliant. -.. warning:: + .. warning:: - The database can no longer be unlocked if the Nitrokey 3 is lost or unavailable! Thus, you may want to set up a second Nitrokey 3 with the same HMAC secret as a backup device. + The database can no longer be unlocked if the Nitrokey 3 is lost or unavailable! Thus, you may want to set up a second Nitrokey 3 with the same HMAC secret as a backup device. - .. important:: + .. important:: - The secret can **only** be seen before saving. If the KeePassXC database is to be used with another Nitrokey 3, the HMAC secret must be copied which is **only** possible **before saving** the credential. + The secret can **only** be seen before saving. If the KeePassXC database is to be used with another Nitrokey 3, the HMAC secret must be copied which is **only** possible **before saving** the credential. 7. Click on ``SAVE`` to save the credential diff --git a/software/nk-app2/pin.rst b/software/nk-app2/pin.rst index afbe63b66c..2c6580249d 100644 --- a/software/nk-app2/pin.rst +++ b/software/nk-app2/pin.rst @@ -1,6 +1,5 @@ PIN Settings for FIDO2 and OTP in the Nitrokey App 2 ==================================================== -.. _pinsettings: These instructions describe how to set or change the PINs for FIDO2 and OTP in the `Nitrokey App 2 `__.