Feature #1763
VPN
| Status: | CLOSED | Start date: | 08/28/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 09/16/2013 |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-vpn | | |
| Target version: | v6.4-beta2 | | |
| Resolution: | | NEEDINFO: | No |
Description
Support VPNs.
Possible types:
- OpenVPN
- IPSEC
- PPTP
Related issues
Associated revisions
First import. Refs #1763
Add scripts and web UI for certificate management. Refs #1763
Move certificate management to nethserver-vpn package. Refs #1763
English translation: fix typo. Refs #1763
pki-vpn-gencert: check if certificate already exists, change mode and owner to private key file. Refs #1763
pki-vpn-revoke: check if certificate is already revoked. Refs #1763
web ui: validate certificate CN using username validator. Refs #1763
Huge refactor: create unified Account tab under VPN module. Refs #1763
web ui: add download action, signal nethserver-vpn-* events. Refs #1763
Allow empty fields in create Account UI. Refs #1763
Network address and mask are optional. Fixed also the AccountType and User fields validators.
web ui: update translations. Refs #1763
Added VPN group. Refs #1763
History
#1 Updated by Filippo Carletti over 8 years ago
I'd drop PPTP, it's insecure and often filtered by carriers.
Probably, IPsec is the protocol of choice. See: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7
#2 Updated by Giacomo Sanchietti over 8 years ago
- Target version changed from ~FUTURE to v6.4-beta2
#3 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#4 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#6 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
- certificate management with web UI
- web ui plugin to enable/disable VPN access for system users
See nethserver-vpn for more information.
#7 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-vpn-1.0.0-1.ns6.noarch.rpm
- try to enable/disable VPN access for an existing (or new) user and check that the value of the VPNClientAccess prop changes accordingly
- create a certificate and check all files are created inside the /var/lib/nethserver/certs/ directory: <index>.pem, <name>.crt, <name>.key, <name>.csr
- revoke a certificate and check it is no longer valid in the /var/lib/nethserver/certs/certindex file
- If the user tries to create a certificate with an already existing name, there are two scenarios:
  - if the previous certificate is expired, the system will create a new one without error (the old one will not be visible inside the table view)
  - if the previous certificate is still valid, the system will silently fail: no new certificate is created
- Revoked certificates will not be deleted
- The certificate name is not validated (which rules can we apply?)
#8 Updated by Davide Principi almost 8 years ago
- Assignee set to Davide Principi
- Estimated time set to 4.00
#9 Updated by Davide Principi almost 8 years ago
- Assignee deleted (Davide Principi)
- NEEDINFO changed from No to Yes
Test 1 PASS
Try to enable/disable VPN access for an existing (or new) user and check that the value of the VPNClientAccess prop changes accordingly
Created new user01 with defaults:
```
# db accounts show user01
user01=user
    City=
    Company=
    Department=
    FirstName=Primo
    LastName=Utente
    PhoneNumber=
    Street=
    Uid=5000
    __state=active
```
Enabled "VPN access":
```
# db accounts show user01
user01=user
    City=
    Company=
    Department=
    FirstName=Primo
    LastName=Utente
    PhoneNumber=
    Shell=/usr/libexec/openssh/sftp-server
    Street=
    Uid=5000
    VPNClientAccess=yes
    __state=active
```
Disabled "VPN access":
```
# db accounts show user01
user01=user
    City=
    Company=
    Department=
    FirstName=Primo
    LastName=Utente
    PhoneNumber=
    Shell=/usr/libexec/openssh/sftp-server
    Street=
    Uid=5000
    VPNClientAccess=no
    __state=active
```
Test 2 NEEDINFO, FAILED
Create a certificate and check all files are created inside /var/lib/nethserver/certs/ directory: <index>.pem, <name>.crt, <name>.key, <name>.csr
Files are there, BUT..:
```
ll /var/lib/nethserver/certs/cert??.*
-rw-r--r--. 1 root root    0 Aug 30 10:38 /var/lib/nethserver/certs/cert01.crt
-rw-r--r--. 1 root root 1070 Aug 30 10:38 /var/lib/nethserver/certs/cert01.csr
-rw-r--r--. 1 root root 1704 Aug 30 10:38 /var/lib/nethserver/certs/cert01.key
```
... but they are world-readable. Is that correct?
Moreover, I'd prefer to divide the files into two sets/dirs:
- CA-related files (e.g. /var/lib/nethserver/vpn/)
- certificates (e.g. /var/lib/nethserver/vpn/certs/)
Also the script exits with code 1. In /var/log/messages:
```
Aug 30 11:04:47 davidep2 httpd-admin: [ERROR] NethServer\Module\VPN\Certificates\Create: /usr/bin/sudo /usr/libexec/nethserver/pki-vpn-gencert davide01 command failed
```
Launching it on the command line:
```
# /usr/bin/sudo /usr/libexec/nethserver/pki-vpn-gencert davide02
[...]
# echo $?
1
```
Test 3 FAIL
Revoke a certificate and check it is no longer valid in /var/lib/nethserver/certs/certindex file
Seems OK, but sometimes the revocation fails.
```
# /usr/libexec/nethserver/pki-vpn-revoke cert07
Using configuration from /var/lib/nethserver/certs/ca.cnf
unable to load certificate
140340791342920:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
Using configuration from /var/lib/nethserver/certs/ca.cnf
# echo $?
1
```
It happens that a *.crt file has zero length. I don't know why it is empty or how to reproduce it.
```
# ll /var/lib/nethserver/certs/cert07.*
-rw-r--r--. 1 root root    0 Aug 30 11:04 /var/lib/nethserver/certs/cert07.crt
-rw-r--r--. 1 root root 1070 Aug 30 11:04 /var/lib/nethserver/certs/cert07.csr
-rw-r--r--. 1 root root 1704 Aug 30 11:04 /var/lib/nethserver/certs/cert07.key
```
About NOTES:
> The certificate name is not validated (which rules can we apply?)
I've tried to create a certificate with name "../db/prova":
```
# ll /var/lib/nethserver/db
total 24
-rw-r-----. 1 root admin  410 Aug 30 10:29 accounts
-rw-r-----. 1 root admin 2235 Aug 30 10:23 configuration
-rw-r-----. 1 root admin  409 Aug 29 09:00 networks
-rw-r--r--. 1 root root  1387 Aug 30 10:54 prova.crt
-rw-r--r--. 1 root root  1078 Aug 30 10:54 prova.csr
-rw-r--r--. 1 root root  1704 Aug 30 10:54 prova.key
```
A name validator is mandatory!
#10 Updated by Davide Principi almost 8 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
#11 Updated by Giacomo Sanchietti almost 8 years ago
- Assignee set to Giacomo Sanchietti
> ... but they are world-readable. Is that correct?
Only crt files should be world readable. All the rest will be readable only by the root user and the admin group.
> Also the script exits with code 1. In /var/log/messages: [...]
The script fails if the user tries to generate a certificate with the name of a valid and already existing certificate.
> Revoke a certificate and check it is no longer valid in /var/lib/nethserver/certs/certindex file
> Seems OK, but sometimes the revocation fails. [...]
I'll try to reproduce it.
> A name validator is mandatory!
I agree. We can use the username validator.
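An added example, not code from the nethserver-vpn package, of the two defensive checks the thread converges on: a certificate-name validator modelled on a username validator, which rejects the "../db/prova" input from #9 before any file is written, and a pre-flight check on the .crt file before revocation, since the revoke failure in #9 came from a zero-length .crt. The exact rules of NethServer's username validator are not on this page; the character set and the 32-character limit below are assumptions.

```shell
#!/bin/sh
# Added example (not nethserver-vpn code): defensive checks for the
# pki-vpn-* scripts discussed in this issue.
CERTS_DIR=/var/lib/nethserver/certs

# Name validator modelled on a "username validator" (assumption: NethServer's
# exact rules are not on the page). A portable account name is 1..32 chars,
# starts with a letter or underscore and uses only [a-z0-9_.-]. Because '/'
# is never accepted, a name can never point outside CERTS_DIR, so an input
# such as "../db/prova" is rejected before the script touches the filesystem.
validate_cert_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        *[!a-z0-9_.-]*) return 1 ;;   # illegal char: '/', space, uppercase, ...
        [!a-z_]*)       return 1 ;;   # must not start with a digit, '.' or '-'
    esac
    return 0
}

# Path of the certificate a validated name maps to; fails on invalid names.
cert_path() {
    validate_cert_name "$1" || return 1
    printf '%s/%s.crt\n' "$CERTS_DIR" "$1"
}

# Pre-flight check before "openssl ca -revoke": the failure in this thread
# came from a zero-length .crt, which openssl only reports as "no start line".
# Checking the file first gives an explicit error and a clean exit code.
cert_is_usable() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "error: $f is missing or empty" >&2
        return 1
    fi
    if ! grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----$' "$f"; then
        echo "error: $f is not a PEM certificate" >&2
        return 1
    fi
    return 0
}

# Demo with names that appear in this issue plus constructed bad inputs.
for n in davide01 cert07 '../db/prova' 'Davide 01' ''; do
    if validate_cert_name "$n"; then echo "accept: '$n'"; else echo "reject: '$n'"; fi
done
```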
#12 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
- web ui: validate certificate CN using username validator
- pki-vpn-revoke: check if certificate is already revoked
- pki-vpn-gencert: check if certificate already exists, change mode and owner to private key file (mode 0640, root:admin). Also fix wrong exit code.
#13 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#14 Updated by Giacomo Sanchietti almost 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- NEEDINFO changed from Yes to No
New package in nethserver-testing: nethserver-vpn-1.0.0-3.0git91b39fa4.ns6.noarch.rpm
Re-check test 2 and 3.
#15 Updated by Davide Principi almost 8 years ago
- Assignee set to Davide Principi
#16 Updated by Davide Principi almost 8 years ago
- Due date set to 09/16/2013
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- Start date set to 08/28/2013
- % Done changed from 70 to 90
VERIFIED
#17 Updated by Davide Principi almost 8 years ago
- Status changed from VERIFIED to ON_QA
- % Done changed from 90 to 70
Verify modifications since nethserver-vpn|0ce2c20a
#18 Updated by Davide Principi almost 8 years ago
In nethserver-testing:
nethserver-vpn-1.0.0-25.0git7a115920.ns6.noarch
nethserver-ipsec-0.0.5-1.ns6.noarch
#19 Updated by Davide Principi almost 8 years ago
- Assignee set to Davide Principi
#20 Updated by Davide Principi almost 8 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
nethserver-vpn-1.0.0-27.0git3d3df062.ns6.noarch
nethserver-openvpn-0.0.1-37.0git7154fc0c.ns6.noarch
#21 Updated by Davide Principi almost 8 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-vpn-1.1.0-1.ns6.noarch.rpm