VPN


A VPN is a system that establishes a private network across a public network, such as the Internet.

Use in Dev Server

OSE launched a single staging/dev server in Hetzner Cloud in 2019. For security reasons it's imperative that this server is locked down and sitting *behind* a VPN.

Important Files & Directories

For more information about our VPN configuration, please see the following files & directories on the osedev1 server:

  1. /usr/share/easy-rsa/3/pki/
  2. /etc/openvpn/

How to connect to the VPN

Execute openvpn with sudo, passing it your client config file.

cd openvpn
sudo openvpn client.conf

You will be prompted for two credentials:

  1. Enter Auth Password: - This is your 2FA 6-digit token that changes every 30 seconds. Get it from your 2FA FLOSS TOTP app-of-choice.
  2. Enter Private Key Password: - This is the passphrase you used to symmetrically encrypt your OpenVPN client RSA private key when you were first set up with access to the OSE VPN. Check your personal password database.

From there, see more notes on access of server here.

Developers: How to request access to the dev VPN

This section is intended for the OSE Developer that requires access to the developer VPN and would like to make a request for access to the OSE sysadmin.

Install Prerequisites

In order to connect to our VPN, you should install the following prerequisite software on your laptop/workstation.

sudo apt-get install openvpn openresolv openssl

If you run into dependency issues, try apt-get install -f.

Generate CSR

Now generate an RSA private key and certificate signing request. This will prompt you for a passphrase. Choose something long, unique, and memorable (ideally generate a ~30 character random passphrase and store it in an offline password DB such as keepass).

You will have to type this passphrase every time you connect to the VPN in the future.

cd $HOME
mkdir openvpn
cd openvpn
openssl req -new -newkey rsa:4096 -keyout `whoami`.key -out `whoami`.csr

Note: The information supplied above is about you.

  • Enter the country, province, and city where you usually reside.
  • The "Organization Name" is probably "Open Source Ecology" unless you're a contractor for another organization.
  • Use "Organizational Unit Name" to describe the work you do for OSE, such as "Ops", "Hardware", "Marketing", etc.
  • Type your first and last name for "Common Name".
  • Type your email address for OSE correspondence for "Email Address".

All of these fields are, in fact, optional except "Common Name" and "Email Address".

Finally, send an email to the OSE Sysadmin requesting a meeting for you to get set up and trained with VPN access to the OSE VPN. Be sure to include a thorough explanation of why you need access to the VPN or your request may be denied.

Sysadmin: How to grant access to the dev VPN

This section is intended for the OSE sysadmin and will describe the process of granting access to the developer VPN for OSE developers.

First, make sure that the user requesting access to the dev VPN has a valid reason to need this access. Iff the request is valid, then proceed:

On the OSE Development server, create an OS-level user for the developer requesting VPN access, and add their ssh public key to their authorized_keys file.

user@ose:~$ ssh osedev1
Last login: Tue Dec  3 12:40:51 2019 from 182.74.197.50
[maltfield@osedev1 ~]$ sudo su -
Last login: Mon Dec  2 15:21:42 CET 2019 on pts/17
[root@osedev1 ~]# adduser marcin
[root@osedev1 ~]# gpasswd -a marcin sshaccess
[root@osedev1 ~]# mkdir /home/marcin/.ssh/
[root@osedev1 ~]# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDMiIUel3xYyxuiXAj82PzoJDwRczrEpDgUoRI4W9ceL5FqVcY38Go9q3SF2Nx0FEj+IdCUXc08lyy6ZPUbPcKvscFxWeue4aMM62ikzNxmhGBdjqgT3q3wpJgyjTXmt9AJcglcAm9mcQffSUi3RD9KDlCyc/T923eZdaLAkW/BMhjuOZqY90tjGqs/r/kxN0gf4vI24NMFL/41ct7OMKVnNNsjIpQtceX9fCOCumAx53OdtJEcp46TvzevZk2987Zn0VsONznvVCJ0kmm8B0RJxwIfmiLM73f+reo0pv+sSc2rU7SrpzLfPWLFcM7pkJQc3HtLnktl5form3flp+EkI7fr7348r8A7W+QIifjXk66ohJReDni9H/S4JSX2L1lf8LfJKSHtAqrFRWSPp22MKre5hiH0IybED6XZfz59HT0cgMK2iNcPRj/J+hEbBM0f4zZu62PUad7rr1JI4Vv078/ROaD47fykicxYhauI4R71J1YucSj/vekXf17x3xlO+u8ucSeUhdpMuIAa3Yk16bXsrwo4nIdcApC6rwfNiQDK8Ecx6+M6pV6z+dII4OMHvEYWw92wWJZfIyk7emvAoataqp3DfI0DQagPNBo2ieEZYLvNYny+X9hf6faZ6trsGnR4GfN83PEt3ZfmoEoyTVB2POiBdM8a1GNTlEasQ== marcin@Precision-M6500" >> /home/marcin/.ssh/authorized_keys
[root@osedev1 ~]# chown -R marcin:marcin /home/marcin/.ssh
[root@osedev1 ~]# chmod -R 0600 /home/marcin/.ssh
[root@osedev1 ~]# chmod 0700 /home/marcin/.ssh
[root@osedev1 ~]# 

Now have the user scp their CSR (generated using the instructions above) to their home directory on the OSE Development server.

marcin@Precision-M6500:~$ scp -P 32415 $HOME/openvpn/`whoami`.csr marcin@195.201.233.113:

As root on the OSE Development Server, cd into the easy-rsa directory, and import the OSE Developer's CSR.

[root@osedev1 ~]# cd /usr/share/easy-rsa/3
[root@osedev1 3]# ./easyrsa import-req /home/marcin/marcin.csr marcin

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: marcin
You may now use this name to perform signing operations on this request.

[root@osedev1 3]#

Before signing their cert, make sure that they entered a valid commonName and emailAddress field. It is extremely important for auditing and future maintenance that all authorized keys signed by our OpenVPN CA are associated with a specific individual.

If either the commonName or emailAddress field is missing or incorrect, do not proceed. Instead, tell the user to generate a new CSR with valid entries for commonName and emailAddress.

[root@osedev1 3]# ./easyrsa  show-req marcin

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Showing req details for 'marcin'.
This file is stored at:
/usr/share/easy-rsa/3/pki/reqs/marcin.req

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject:
            countryName               = US
            stateOrProvinceName       = Missouri
            organizationName          = Open Source Ecology
            commonName                = Marcin Jakubowski
            emailAddress              = marcin@opensourceecology.org
        Attributes:
            a0:00
[root@osedev1 3]# 
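One way to script the check above before signing, as an added example that is not part of OSE's procedure. It also compares the CSR's SHA-256 with a digest the developer reports over a separate channel, which is the checksum comparison the sign-req prompt asks for. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: checks to run on a developer's CSR before `easyrsa sign-req`.

# check_req_subject: read `easyrsa show-req` text on stdin; succeed only if
# commonName is non-empty and emailAddress looks like user@domain.tld.
check_req_subject() {
    awk -F' *= *' '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        $1 ~ /^[ \t]*commonName$/   { cn = $2 }
        $1 ~ /^[ \t]*emailAddress$/ { email = $2 }
        END { exit !(cn ~ /[^ \t]/ && email ~ /^[^@ \t]+@[^@ \t]+\.[^@ \t]+$/) }'
}

# check_req_checksum CSR EXPECTED: succeed only if the SHA-256 of the uploaded
# CSR equals the digest the developer reported over a separate channel.
check_req_checksum() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# presign_gate SHOWREQ_TEXT CSR EXPECTED: both checks must pass.
presign_gate() {
    check_req_subject < "$1" && check_req_checksum "$2" "$3"
}

# --- constructed sample input (subject lines copied from the output above) ---
tmp=$(mktemp -d)
cat > "$tmp/showreq.txt" <<'EOF'
        Subject:
            countryName               = US
            organizationName          = Open Source Ecology
            commonName                = Marcin Jakubowski
            emailAddress              = marcin@opensourceecology.org
EOF
printf 'constructed stand-in for the CSR bytes\n' > "$tmp/marcin.csr"
# On their own machine the developer runs: sha256sum ~/openvpn/marcin.csr
reported=$(sha256sum "$tmp/marcin.csr" | cut -d' ' -f1)

if presign_gate "$tmp/showreq.txt" "$tmp/marcin.csr" "$reported"; then
    echo "OK to sign"
else
    echo "do not sign"
fi
rm -rf "$tmp"
```

On the server the first argument would be the saved output of ./easyrsa show-req for the imported name, and the second the CSR in the developer's home directory.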

After verifying the validity of the commonName and emailAddress above, sign the OSE Developer's CSR.

Note that you'll need to enter the CA passphrase, which is stored in the OSE shared Keepass DB under title "openvpn CA".

[root@osedev1 3]# ./easyrsa sign-req client marcin

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    countryName               = US
    stateOrProvinceName       = Missouri
    organizationName          = Open Source Ecology
    commonName                = Marcin Jakubowski
    emailAddress              = marcin@opensourceecology.org


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /usr/share/easy-rsa/3/pki/safessl-easyrsa.cnf
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Missouri'
organizationName      :ASN.1 12:'Open Source Ecology'
commonName            :ASN.1 12:'Marcin Jakubowski'
emailAddress          :IA5STRING:'marcin@opensourceecology.org'
Certificate is to be certified until Nov 17 14:20:36 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /usr/share/easy-rsa/3/pki/issued/marcin.crt

[root@osedev1 3]# 

Now prepare an openvpn directory to be downloaded by the OSE Developer in their home directory.

[root@osedev1 3]# mkdir /home/marcin/openvpn
[root@osedev1 3]# cp pki/issued/marcin.crt /home/marcin/openvpn/
[root@osedev1 3]# cp pki/private/ta.key /home/marcin/openvpn/
[root@osedev1 3]# cp pki/ca.crt /home/marcin/openvpn/
[root@osedev1 3]# cd /home/marcin/openvpn/
[root@osedev1 openvpn]# mv ../*.csr .
[root@osedev1 openvpn]# ls
ca.crt  marcin.crt  ta.key  marcin.csr
[root@osedev1 openvpn]# 

Create a file named 'username.txt' with the username that matches the OS username on the OSE Development server for the OSE Developer. This will be passed to the google-authenticator PAM module to authenticate the user via 2FA.

[root@osedev1 openvpn]# echo "marcin" > username.txt
[root@osedev1 openvpn]# ls
ca.crt  marcin.crt  ta.key  marcin.csr  username.txt

Create the OpenVPN client config file. Be sure to replace the name 'marcin' with the username of the OSE Dev to whom you're granting access.

cat << EOF > client.conf
client
dev tun
proto udp
remote 195.201.233.113 1194
resolv-retry infinite
nobind
verb 3

# Try to preserve some state across restarts.
persist-key
persist-tun

# security/hardening
ca ca.crt
cert marcin.crt
key marcin.key
tls-auth ta.key 1
cipher AES-256-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

# dns for staging
remote-cert-tls server
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# 2fa
auth-user-pass username.txt
auth-nocache
reneg-sec 0
EOF
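One way to catch a missed rename before the bundle is handed over, as an added example that is not OSE's own tooling. check_bundle, conf_value and make_sample_bundle are hypothetical helper names, and the sample bundles (including the second user "alice") are constructed.

```shell
#!/bin/sh
# Added example: consistency check for a per-developer client bundle.

# conf_value FILE DIRECTIVE: print the first argument of DIRECTIVE in FILE.
conf_value() { awk -v d="$2" '$1 == d { print $2; exit }' "$1" 2>/dev/null; }

# check_bundle DIR USER: return 0 only if DIR is a consistent bundle for USER.
check_bundle() {
    dir=$1; user=$2; rc=0; conf="$dir/client.conf"
    [ "$(conf_value "$conf" cert)" = "$user.crt" ] || { echo "cert is not $user.crt" >&2; rc=1; }
    [ "$(conf_value "$conf" key)" = "$user.key" ] || { echo "key is not $user.key" >&2; rc=1; }
    [ "$(cat "$dir/username.txt" 2>/dev/null)" = "$user" ] || { echo "username.txt is not $user" >&2; rc=1; }
    # Files the server must supply; the config's ca and tls-auth lines name them.
    for f in "$(conf_value "$conf" ca)" "$(conf_value "$conf" tls-auth)" "$user.crt"; do
        [ -n "$f" ] && [ -f "$dir/$f" ] || { echo "missing file: $f" >&2; rc=1; }
    done
    # The private key is created on the developer's machine and is never uploaded.
    [ ! -e "$dir/$user.key" ] || { echo "$user.key must not be on the server" >&2; rc=1; }
    return "$rc"
}

# make_sample_bundle DIR USER: constructed bundle using the page's directives.
make_sample_bundle() {
    mkdir -p "$1"
    : > "$1/ca.crt"; : > "$1/ta.key"; : > "$1/$2.crt"
    echo "$2" > "$1/username.txt"
    cat > "$1/client.conf" <<EOF
client
ca ca.crt
cert $2.crt
key $2.key
tls-auth ta.key 1
auth-user-pass username.txt
EOF
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/marcin" marcin
check_bundle "$tmp/marcin" marcin && echo "marcin bundle: ok"
# Copy-paste mistake: a bundle for a second (hypothetical) user "alice" that
# reuses marcin's client.conf unchanged.
make_sample_bundle "$tmp/alice" alice
cp "$tmp/marcin/client.conf" "$tmp/alice/client.conf"
check_bundle "$tmp/alice" alice || echo "alice bundle: rejected"
rm -rf "$tmp"
```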

Set the permissions and create a tarball for the OSE Developer to scp down to their workstation.

[root@osedev1 openvpn]# pwd
/home/marcin/openvpn
[root@osedev1 openvpn]# cd ..
[root@osedev1 marcin]# chown -R marcin:marcin openvpn
[root@osedev1 marcin]# chmod -R 0600 openvpn
[root@osedev1 marcin]# chmod 0400 openvpn/ca.crt
[root@osedev1 marcin]# chmod 0400 openvpn/ta.key
[root@osedev1 marcin]# chmod 0700 openvpn
[root@osedev1 marcin]# 
[root@osedev1 marcin]# tar -czf openvpn.tar.gz openvpn/*
[root@osedev1 marcin]# ls 
openvpn  openvpn.tar.gz
[root@osedev1 marcin]# chown marcin:marcin openvpn.tar.gz
[root@osedev1 marcin]# chmod 0600 openvpn.tar.gz

Have the OSE Developer download and extract this tarball into their home directory so its files are added to their existing 'openvpn' directory, where their encrypted private key file (marcin.key) is already stored.

marcin@Precision-M6500:~$ scp -P 32415 marcin@195.201.233.113:openvpn.tar.gz .
openvpn.tar.gz                                                                               100% 6864    32.1KB/s   00:00    
marcin@Precision-M6500:~$ ls openvpn
marcin.csr  marcin.key
marcin@Precision-M6500:~$ tar -xzvf openvpn.tar.gz 
openvpn/ca.crt
openvpn/client.conf
openvpn/marcin.crt
openvpn/ta.key
openvpn/marcin.csr
openvpn/username.txt
marcin@Precision-M6500:~$ ls openvpn
ca.crt  client.conf  marcin.crt  ta.key  marcin.csr  marcin.key  username.txt
marcin@Precision-M6500:~$ chown -R `whoami`:`whoami` openvpn
marcin@Precision-M6500:~$

Finally, have the user ssh into the dev server, generate a 2FA TOTP secret key, and scan it into their 2FA FLOSS app-of-choice.

marcin@Precision-M6500:~$ ssh -p 32415 marcin@195.201.233.113
[marcin@osedev1 ~]$ google-authenticator --time-based --disallow-reuse --issuer "vpn.opensourceecology.org" --label "`whoami`@osedev1" --emergency-codes=1 --window-size=8 --rate-limit=2 --rate-time=30

Now the OSE Developer should be able to Connect to the VPN.

Make sure that the OSE Developer immediately makes a secure backup of:

  1. Their openvpn dir
  2. Their openvpn certificate decryption password
  3. Their 2FA app's secret keys

Looking Forward

Ideally, OSE would have a single rack of colocated hardware at a datacenter near FeF. As campuses pop up, we could provision new racks at new datacenters that peer with each other over time, if needed.

The reality is that we have a dedicated server in Falkenstein, Germany[1]; a cloud instance at a different DC in Falkenstein; a physical office in Missouri, USA that will likely have servers in the future[2]; and developers (some with their own servers) all over the world -- which begs the question: how do you architect a VPN with this hodge-podge of geographically dispersed servers & clients?

Certainly a hub-and-spoke [3] openvpn model is possible, but that introduces a single-point-of-failure.

A better option would be a decentralized mesh-style VPN solution, such as ZeroTier.

See Also

Links

  • https://wiki.hetzner.de/index.php/Benennung_Rechenzentren/en
  • https://wiki.opensourceecology.org/wiki/OSE_Internet#Internet_Upgrades_2019
  • http://www.internet-computer-security.com/VPN-Guide/VPN-Topologies.html