Feature #1763

VPN

Added by Giacomo Sanchietti over 8 years ago. Updated almost 8 years ago.

Status: CLOSED
Start date: 08/28/2013
Priority: Normal
Due date: 09/16/2013
Assignee: -
% Done: 100%
Category: nethserver-vpn
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

Description

Support VPNs.

Possible types:
  • OpenVPN
  • IPSEC
  • PPTP

Related issues

Related to NethServer 6 - Feature #1956: VPN: support for OpenVPN roadwarrior CLOSED
Related to NethServer 6 - Feature #1957: VPN: support IPsec/L2TP CLOSED 09/17/2013 09/20/2013
Related to NethServer 6 - Feature #1958: VPN: add support for OpenVPN net2net CLOSED
Related to NethServer 6 - Feature #1766: SSL CA manager CLOSED

Associated revisions

Revision cdb78f4f
Added by Giacomo Sanchietti almost 8 years ago

First import. Refs #1763

Revision 84b5ef09
Added by Giacomo Sanchietti almost 8 years ago

Add scripts and web UI for certificate management. Refs #1763

Revision 6aeb3b75
Added by Giacomo Sanchietti almost 8 years ago

Move certificate management to nethserver-vpn package. Refs #1763

Revision 5138cf56
Added by Giacomo Sanchietti almost 8 years ago

English translation: fix typo. Refs #1763

Revision d113155a
Added by Giacomo Sanchietti almost 8 years ago

pki-vpn-gencert: check if certificate already exists, change mode and owner to private key file. Refs #1763

Revision 426c541d
Added by Giacomo Sanchietti almost 8 years ago

pki-vpn-revoke: check if certificate is already revoked. Refs #1763

Revision 91b39fa4
Added by Giacomo Sanchietti almost 8 years ago

web ui: validate certificate CN using username validator. Refs #1763

Revision 0ce2c20a
Added by Giacomo Sanchietti almost 8 years ago

Huge refactor: create unified Account tab under VPN module. Refs #1763

Revision 85f4399e
Added by Giacomo Sanchietti almost 8 years ago

pki-vpn-gencert: create pkcs12 file. Refs #1763 #1957

Revision 4d9524fb
Added by Giacomo Sanchietti almost 8 years ago

web ui: add download action, signal nethserver-vpn-* events. Refs #1763

Revision 97ea329a
Added by Davide Principi almost 8 years ago

Allow empty fields in create Account UI. Refs #1763

Network address and mask are optional. Fixed also the AccountType and
User fields validators.

Revision 7a115920
Added by Davide Principi almost 8 years ago

Removed IPsec client configuration. Refs #1763 #1957

IPsec "client" configuration is still not supported: we accept L2TP
roadwarriors only.

Revision 3d3df062
Added by Giacomo Sanchietti almost 8 years ago

web ui: update translations. Refs #1763

Revision 88c47542
Added by Davide Principi almost 8 years ago

Added VPN group. Refs #1763

History

#1 Updated by Filippo Carletti over 8 years ago

I'd drop PPTP; it's insecure and often filtered by carriers.
Probably, IPsec is the protocol of choice. See: http://wiki.strongswan.org/projects/strongswan/wiki/Windows7

#2 Updated by Giacomo Sanchietti over 8 years ago

  • Target version changed from ~FUTURE to v6.4-beta2

#3 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#4 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#6 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60
Created a new package nethserver-vpn. The package contains:
  • certificate management with web UI
  • web ui plugin to enable/disable VPN access for system users

See nethserver-vpn for more information.

#7 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing repository:
  • nethserver-vpn-1.0.0-1.ns6.noarch.rpm
Test cases:
  1. try to enable/disable VPN access for an existing (or new) user and check the value of VPNClientAccess prop values changes accordingly
  2. create a certificate and check all files are created inside /var/lib/nethserver/certs/ directory: <index>.pem, <name>.crt, <name>.key, <name>.csr
  3. revoke a certificate and check it is no longer valid in /var/lib/nethserver/certs/certindex file
Notes:
  • If the user tries to create a certificate with an already existing name, there are two scenarios:
    • if the previous certificate is expired, the system will create a new one without error (the old one will not be visible inside the table view)
    • if the previous certificate is still valid, the system will silently fail: no new certificate is created
  • Revoked certificates will not be deleted
  • The certificate name is not validated (which rules can we apply?)

#8 Updated by Davide Principi almost 8 years ago

  • Assignee set to Davide Principi
  • Estimated time set to 4.00

#9 Updated by Davide Principi almost 8 years ago

  • Assignee deleted (Davide Principi)
  • NEEDINFO changed from No to Yes

Test 1 PASS

Try to enable/disable VPN access for an existing (or new) user and check the value of VPNClientAccess prop values changes accordingly

Created new user01 with defaults:

    # db accounts show user01
user01=user
    City=
    Company=
    Department=
    FirstName=Primo
    LastName=Utente
    PhoneNumber=
    Street=
    Uid=5000
    __state=active

Enabled "VPN access":

# db accounts show user01
user01=user
    City=
    Company=
    Department=
    FirstName=Primo
    LastName=Utente
    PhoneNumber=
    Shell=/usr/libexec/openssh/sftp-server
    Street=
    Uid=5000
    VPNClientAccess=yes
    __state=active

Disabled "VPN access":

# db accounts show user01
user01=user
    City=
    Company=
    Department=
    FirstName=Primo
    LastName=Utente
    PhoneNumber=
    Shell=/usr/libexec/openssh/sftp-server
    Street=
    Uid=5000
    VPNClientAccess=no
    __state=active

Test 2 NEEDINFO, FAILED

Create a certificate and check all files are created inside /var/lib/nethserver/certs/ directory: <index>.pem, <name>.crt, <name>.key, <name>.csr

Files are there, BUT..:

     ll /var/lib/nethserver/certs/cert??.*
-rw-r--r--. 1 root root    0 Aug 30 10:38 /var/lib/nethserver/certs/cert01.crt
-rw-r--r--. 1 root root 1070 Aug 30 10:38 /var/lib/nethserver/certs/cert01.csr
-rw-r--r--. 1 root root 1704 Aug 30 10:38 /var/lib/nethserver/certs/cert01.key

... But are world-readable. Is that correct?

Moreover, I'd prefer to divide the files into two sets/dirs:
  • CA-related files (e.g. /var/lib/nethserver/vpn/)
  • certificates (e.g. /var/lib/nethserver/vpn/certs/)

Also the script exits with code 1. In /var/log/messages:

Aug 30 11:04:47 davidep2 httpd-admin: [ERROR] NethServer\Module\VPN\Certificates\Create: /usr/bin/sudo /usr/libexec/nethserver/pki-vpn-gencert davide01 command failed

Launching it on the command line:

    # /usr/bin/sudo /usr/libexec/nethserver/pki-vpn-gencert davide02
[...]
    # echo $?
1

Test 3 FAIL

Revoke a certificate and check it is no longer valid in /var/lib/nethserver/certs/certindex file

Seems OK, but sometimes the revocation fails.

    # /usr/libexec/nethserver/pki-vpn-revoke cert07
Using configuration from /var/lib/nethserver/certs/ca.cnf
unable to load certificate
140340791342920:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
Using configuration from /var/lib/nethserver/certs/ca.cnf
    # echo $?
1

It happens that a *.crt file has zero length. I don't know why it is empty or how to reproduce it.

    # ll /var/lib/nethserver/certs/cert07.*
-rw-r--r--. 1 root root    0 Aug 30 11:04 /var/lib/nethserver/certs/cert07.crt
-rw-r--r--. 1 root root 1070 Aug 30 11:04 /var/lib/nethserver/certs/cert07.csr
-rw-r--r--. 1 root root 1704 Aug 30 11:04 /var/lib/nethserver/certs/cert07.key

About NOTES:

The certificate name is not validated (which rules can we apply?)

I've tried to create a certificate with name "../db/prova":

    # ll /var/lib/nethserver/db
total 24
-rw-r-----. 1 root admin  410 Aug 30 10:29 accounts
-rw-r-----. 1 root admin 2235 Aug 30 10:23 configuration
-rw-r-----. 1 root admin  409 Aug 29 09:00 networks
-rw-r--r--. 1 root root  1387 Aug 30 10:54 prova.crt
-rw-r--r--. 1 root root  1078 Aug 30 10:54 prova.csr
-rw-r--r--. 1 root root  1704 Aug 30 10:54 prova.key

A name validator is mandatory!

#10 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

#11 Updated by Giacomo Sanchietti almost 8 years ago

  • Assignee set to Giacomo Sanchietti

... But are world-readable. Is that correct?

Only crt files should be world readable. All the rest will be readable only from root user and admin group.

Also the script exits with code 1. In /var/log/messages:[...]

The script fails if the user tries to generate a certificate with the name of a valid and already existing certificate.

Revoke a certificate and check it is no longer valid in /var/lib/nethserver/certs/certindex file

Seems OK, but sometimes the revocation fails.[...]

I'll try to reproduce it.

A name validator is mandatory!

I agree. We can use username validator.

#12 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30
Updates:
  • web ui: validate certificate CN using username validator
  • pki-vpn-revoke: check if certificate is already revoked
  • pki-vpn-gencert: check if certificate already exists, change mode and owner to private key file (mode 0640, root:admin). Also fix wrong exit code.

#13 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#14 Updated by Giacomo Sanchietti almost 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
  • NEEDINFO changed from Yes to No

New package in nethserver-testing: nethserver-vpn-1.0.0-3.0git91b39fa4.ns6.noarch.rpm

Re-check test 2 and 3.

#15 Updated by Davide Principi almost 8 years ago

  • Assignee set to Davide Principi

#16 Updated by Davide Principi almost 8 years ago

  • Due date set to 09/16/2013
  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • Start date set to 08/28/2013
  • % Done changed from 70 to 90

VERIFIED

#17 Updated by Davide Principi almost 8 years ago

  • Status changed from VERIFIED to ON_QA
  • % Done changed from 90 to 70

Verify modifications since nethserver-vpn|0ce2c20a

#18 Updated by Davide Principi almost 8 years ago

In nethserver-testing:
nethserver-vpn-1.0.0-25.0git7a115920.ns6.noarch
nethserver-ipsec-0.0.5-1.ns6.noarch

#19 Updated by Davide Principi almost 8 years ago

  • Assignee set to Davide Principi

#20 Updated by Davide Principi almost 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

nethserver-vpn-1.0.0-27.0git3d3df062.ns6.noarch
nethserver-openvpn-0.0.1-37.0git7154fc0c.ns6.noarch

#21 Updated by Davide Principi almost 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-vpn-1.1.0-1.ns6.noarch.rpm
