Pages

Tuesday, 24 September 2019

invpn

Installing InVPN

================



InVPN requires you to have Qt installed, with OpenSSL support.



It also requires your kernel to have the tun module enabled and loaded. If

properly loaded, a /dev/net/tun device should exist. If not, try to

modprobe tun, and if still unsuccessful, recompile your kernel.



Once everything is ready you can compile InVPN by running the following

commands:



$ tar xjf invpn-x.y.z.tar.bz2

$ cd invpn-x.y.z

$ qmake

$ make

...

$ make install

...



This will install the /usr/sbin/invpn file.



Now that you have invpn installed, you will need to generate a configuration

file and some SSL keys.







Configuring InVPN - the SSL keys

================================



InVPN uses the SSL protocol to communicate between nodes, however rather than

trusting all CA on the world, we trust only one CA, which is the one created by

the maintainer of the network (probably you). This CA will allow you to sign

requests from nodes wishing to join the network, so its private key should be

kept secure.

There is a ton of documentation online on how to create a SSL CA, and we also

provide an example on the source tarball (in "conf", remember to edit

"tibanne.cnf" to put your own details, and you'll get keys for two clients).



Anyway if you are still in the InVPN source root, here are some helpful

commands.







* Step 1: Generate a CA (needed only once)

------------------------------------------



CA stands for Certificate Authority. By providing your CA certificate to each

node as a CA, those nodes will know they can trust any other node whose

certificate has been signed by the same CA. Note that you can actually give

more than one CA as authoritative to InVPN instances, meaning those nodes will

actually accept both authorities. You can also make more complex configurations

with chains (have one master CA, intermediate CA, and final certificates) but

we won't be covering this here.



This step is done with only two commands. First, generate a private key and a

signature request:



$ openssl req -config conf/tibanne.cnf -newkey rsa:4096 -nodes -keyout invpn_ca.key -out invpn_ca.req

(fill details so it matches you. What you write there has no technical

reprecussion)



Then self-sign to generate the CA certificate (we make it valid for 6000 days

here, up to you to choose another value):



$ openssl x509 -req -signkey invpn_ca.key -extfile conf/tibanne.cnf -set_serial 0 -extensions v3_ca -days 6000 -in invpn_ca.req -out invpn_ca.crt



Now you have three files:



* invpn_ca.req: Useless, you can remove it now

* invpn_ca.crt: That's the certificate of your CA. You will need to copy it to

your nodes. You can publish it, if you want too.

* invpn_ca.key: This is your CA's private key. Keep it in the most secure place

as anyone having a copy of this file could join your VPN and/or

cause a lot of damage.





* Step 2: Generate a node certificate (for each node)

-----------------------------------------------------



Now that you have your CA, each of your node will need a ceritificate issued by

your own CA.

The recommanded way is of course to never copy the node private key outside of

the node. SSL makes this easy thanks to certificate signing requests. Let's see

how this goes step by step.



First, run this on the node:



$ openssl req -config conf/tibanne.cnf -newkey rsa:4096 -nodes -keyout invpn.key -out invpn.req

You can put the details you want, except for "Common Name (eg, YOUR name)

[CA]", which should be the mac address for this node. Example:

Common Name (eg, YOUR name) [CA]: 02:50:56:00:00:01



Now that you have a private key and a certificate signature request on your

node, copy the certificate signature request to your CA host (best if not an

online system in terms of security and use something like an USB key), then:



$ openssl x509 -req -CA invpn_ca.crt -CAkey invpn_ca.key -extfile conf/tibanne.cnf -CAcreateserial -extensions v3_notca -days 365 -in invpn.req -out invpn.crt



You can now return invpn.crt (and invpn_ca.crt) to the node, and your node

will be ready for use!





Configuring InVPN - the config file

===================================



Now that your node is ready to be recognized by other nodes thanks to its new

certificate, you need some configuration.



First, let's make sure we have at least those 3 files:



* invpn.crt: The certificate for the client (gen. by the CA, Step 2.2)

* invpn.key: The private key for the client (gen. by the client, Step 2.1)

* invpn_ca.crt: The CA (Step 1)



The configuration file itself is actually easy. Assuming you put all of this in

the /etc/invpn/ directory (that you need to create yourself), you can then

create a configuration file that would look like this:



[ssl]

key=/etc/invpn/invpn.key

cert=/etc/invpn/invpn.crt

ca=/etc/invpn/invpn_ca.crt

[network]

port=47741

cache=/etc/invpn/invpn.cache



The [ssl] part should only contain key, cert and ca. The ca file can contain

more than one certificate concatenated (if many CA).



The [network] part supports the following options:



* port: the port to listen to. Once set you shouldn't change it on a node

* cache: The cache file where known nodes are recorded

* init: An initial node to connect to when the cache is empty. It should be the

address of a node you know you're going to keep for a long time. The

value is written in the format macaddr@ip:port, so it would look like:

02:50:56:00:00:01@192.168.0.1:47441

* no_incoming: Prevent other hosts from connecting to this host (ie. if behind

a NAT, setting this option will avoid a lot of useless traffic)

* no_relay: Set this for low traffic nodes that you want to take part in the

network anyway. Also good for non permanent nodes. This implies

no_incoming too so no incoming connection will be received either.

The main idea behind this option is to use it on a laptop you use

to connect to the network from times to times. from https://github.com/MagicalTux/invpn/blob/master/INSTALL

https://github.com/MagicalTux/invpn

No comments:

Post a Comment