wiki:secure_network, revision of 2018/05/04 16:31 by bdu (edit summary: "fixed links"). The content of that revision is reproduced below; it is absent from the current revision.
====== VPN clients ======
The Wirnet iBTS firmware comes with strongSwan and OpenVPN clients pre-installed. Their credentials, however, must be stored in the specific way described on this page.

The instructions on this page apply to the latest firmware release only. For older firmware releases, check the instructions [[wiki:secure_network_legacy|for older firmware releases]].

<note warning>
The pre-installed OpenVPN and strongSwan clients have been modified to work with the secure storage only. You cannot use them without this feature.
</note>

===== Overview =====

The steps to make the VPN work are the following:

  - Set up a PKI (Public Key Infrastructure) to be able to produce secrets.
  - Generate the secrets for the gateways that will connect, in PKCS#12 format.
  - Write the main VPN configuration file (it must match the server configuration).
  - Write the ProvenCore-specific configuration file.
  - Encrypt the ProvenCore-specific configuration file.
  - Encrypt the P12 file.
  - Initialize the TrustZone.
  - Upload the encrypted ProvenCore-specific configuration file to the TrustZone.
  - Upload the encrypted P12 file to the TrustZone.
  - Start the VPN client using the main VPN configuration file.

<note tip>Every ''pnr_uploader'' command returns a status. A status other than ''0'' means failure: stop and make sure you followed all the previous steps before you continue.</note>
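The first two steps of the overview (set up a PKI, then produce one gateway's secret as a PKCS#12 bundle) can be exercised with plain openssl. The script below is an added example written for this page; it is not Kerlink's or Prove&Run's code and it makes no assumption about which PKI tool the linked PKI page uses. The CA name ''vpn-ca'', the gateway name ''gw-0001'', the passphrase and the scratch paths are made up for the demo. Besides building the bundle, it performs the checks worth doing before the bundle is handed to the encryption and upload steps: the P12 must open with the correct export passphrase and must be refused with a wrong one, its certificate must chain to the CA, and the subject must be the intended gateway.

```shell
#!/bin/sh
# Added example (not from the Wirnet iBTS wiki): throwaway PKI with openssl,
# one gateway credential exported as a passphrase-protected PKCS#12 bundle,
# and a sanity check of that bundle. All names and paths here are invented.
set -eu

WORK="$(mktemp -d)"          # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Step 1: minimal PKI, a single self-signed CA that signs gateway certificates.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=vpn-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: issue a certificate for gateway $1 and bundle key + cert + CA into
# a PKCS#12 file protected by export passphrase $2. Prints the bundle path.
make_gateway_p12() {
    name="$1"; pass="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/$name.crt" 2>/dev/null
    openssl pkcs12 -export \
        -inkey "$WORK/$name.key" -in "$WORK/$name.crt" -certfile "$WORK/ca.crt" \
        -name "$name" -passout "pass:$pass" -out "$WORK/$name.p12"
    rm -f "$WORK/$name.key"   # the cleartext key now lives only inside the P12
    echo "$WORK/$name.p12"
}

# Pre-upload check of bundle $1 with passphrase $2 for gateway $3.
# Returns 0 only if: a wrong passphrase is refused, the correct one opens the
# bundle, the client certificate verifies against the CA, and CN matches.
verify_p12() {
    p12="$1"; pass="$2"; expected_cn="$3"
    if openssl pkcs12 -in "$p12" -passin "pass:not-the-passphrase" \
            -nokeys -noout 2>/dev/null; then
        echo "bundle opened with a wrong passphrase" >&2
        return 1
    fi
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        > "$WORK/extracted.crt" || return 1
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/extracted.crt" >/dev/null 2>&1 || return 1
    # openssl prints "subject=CN = x" (1.1+) or "subject= /CN=x" (older); match both
    openssl x509 -in "$WORK/extracted.crt" -noout -subject | grep -q "CN *= *$expected_cn"
}

# Usage: build the PKI, produce one gateway bundle, check it.
make_ca
BUNDLE="$(make_gateway_p12 gw-0001 'demo-export-passphrase')"
verify_p12 "$BUNDLE" 'demo-export-passphrase' gw-0001 && echo "bundle OK: $BUNDLE"
```

The passphrase used for ''-passout'' is the one the client-side tooling will later need to open the bundle; it is distinct from whatever key the ProvenCore encryption step applies on top, so keep the two clearly separated in your own procedure.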

===== General information =====

The Wirnet iBTS embeds the TrustZone security feature of ARM processors.
TrustZone is used to run a trusted boot chain and a trusted OS, which together form a Trusted Execution Environment (TEE).

The Wirnet iBTS trusted OS is ProvenCore, from Prove&Run.

The firmware comes with two VPN clients: strongSwan (IPsec) and OpenVPN. These clients are modified so that they read their secrets (passwords, keys, certificates, etc.) from that hardware-backed secure storage. The sensitive data is therefore encrypted and stored in memory that can be read neither from userland nor from the kernel. The only way the data can be read back is through the embedded VPN clients, which are compiled against a dedicated library provided by //ProvenCore//.

<note warning>
Make sure the server version matches the client version.

For example, if the embedded client is OpenVPN 2.3.14, make sure the server runs a compatible version (ideally the same one).

You can check the client version with:
<code bash>openvpn --version</code>

Or:
<code bash>ipsec --version</code>
</note>

Starting with KerOS firmware version 3.1.7, all secrets management for OpenVPN/strongSwan is handled by //ProvenCore//.

<note info>
The //TrustZone// in the Wirnet iBTS is composed of five blocks, each with a dedicated purpose:

  * Block 0: ''ipsec.secrets'' config file
  * Block 2: OpenVPN config file
  * Block 10: Client certificate (OpenVPN)
  * Block 20: Client certificate (IPsec)
</note>

===== Step by step guide =====

The following pages walk through setting up a whole VPN infrastructure:

  - [[wiki:vpn_pki|VPN - PKI management]]: VPN server setup
  - [[wiki:vpn_server|VPN server configuration]]: VPN server configuration
  - [[wiki:vpn_client|Setting up the VPN client]]: VPN client configuration
  - [[wiki:vpn_start|Running the application / using a secret]]: VPN client startup