wiki:secure_network_legacy [2018/08/14 16:22] ghi removed
- | ====== VPN clients ====== | ||
- | Here are the instructions for the VPN configuration for older firmware versions. | ||
- | |||
- | ===== Firmware v2.0.4 ===== | ||
- | |||
- | <note important>Only the OpenVPN feature is available; IPsec is not available on this firmware.</note> ||
- | |||
- | The OpenVPN binary on the gateway is slightly modified to work with //ProvenCore//: all security-sensitive material (the client certificate archive and its password) is kept and used in the secure world, managed by ProvenCore, rather than in the normal-world Linux filesystem. ||
- | |||
- | Do not use the ''auth-user-pass'' option in your ''openvpn.conf'': the password information is managed by //ProvenCore// in the trusted execution environment, not read from a file by the normal-world OpenVPN process. ||
- | |||
- | ==== Prerequisites ==== | ||
- | |||
- | - On the server side: an OpenVPN server (version 2.3.11, or whatever OpenVPN version is on the board) properly configured with a server certificate. ||
- | - On the client side: an OpenVPN client configuration file matching the server configuration, a client certificate issued by the CA the server trusts (with its private key, packed as a PKCS#12 archive), and the password of that archive written in a file named ''password''. ||
- | |||
- | <note info> | ||
- | * Traces are displayed in the serial terminal (available with a debug probe) but not in an SSH terminal. ||
- | * Certificate installation traces are displayed only once, the first time after a reboot. ||
- | </note> | ||
- | |||
- | ==== TrustZone mounting ==== | ||
- | |||
- | <code bash> | ||
- | cd /user/ | ||
- | mkdir trustzone/ | ||
- | mount -t tzfs tzfs trustzone/ | ||
- | mkdir -p trustzone/etc/openvpn/ | ||
- | </code> | ||
- | |||
- | ==== File copy from host to target ==== | ||
- | |||
- | <code bash> | ||
- | scp client-openvpn.conf root@192.168.0.x:/user/ | ||
- | scp password root@192.168.0.x:/user/ | ||
- | scp OpenVpnClientCert.p12 root@192.168.0.x:/user/ | ||
- | </code> | ||
- | |||
- | Be sure to replace ''192.168.0.x'' with the IP address of the Wirnet™ iBTS. ||
- | |||
- | ==== Copy OpenVPN config ==== ||
- | |||
- | <code bash> | ||
- | cp /user/client-openvpn.conf /etc/openvpn/ | ||
- | </code> | ||
- | |||
- | ==== Copy sensitive information to the TrustZone ==== | ||
- | |||
- | Copy the client certificate, its private key and the CA chain to the TrustZone as a single PKCS#12 (P12) archive. ||
- | |||
- | <note info> | ||
- | Command results are displayed in the debug probe (serial) terminal only, not displayed in a SSH terminal. | ||
- | </note> | ||
- | |||
- | Reboot the Wirnet™ iBTS to initialize the TrustZone logger. | ||
- | |||
- | <code bash> ||
- | cp OpenVpnClientCert.p12 trustzone/etc/openvpn/ ||
- | </code> ||
- | |||
- | Sample output (debug probe only): ||
- | <code> ||
- | Loaded 11 ELFs from archive... ||
- | Parsed init/build/init with header at 0x40124800 ||
- | Parsed init/build/hello with header at 0x4012ba00 ||
- | Parsed uart/build/uart with header at 0x40132c00 ||
- | Parsed fs/build/fs with header at 0x4013a000 ||
- | Parsed mmc/build/mmc with header at 0x4014b800 ||
- | Parsed mmc/build/mmc-test with header at 0x40155600 ||
- | Parsed ree/build/ree with header at 0x4015cc00 ||
- | Parsed syield/build/syield with header at 0x40164400 ||
- | Parsed help/build/help with header at 0x4016b600 ||
- | Parsed shell/build/shell with header at 0x40172a00 ||
- | Parsed openvpn/build/openvpn with header at 0x4017ae00 ||
- | |||
- | |||
- | -=-=-=- ProvenCore Kernel -=-=-=- ||
- | |||
- | Copyright (c) 2014-2016, Prove & Run and/or its affiliates. All rights reserved. ||
- | |||
- | Booted 1 core in supervisor mode. ||
- | |||
- | |||
- | [ 137.198532] tz: provencore returned 0xbf000000 ||
- | Starting OpenVPN driver ... (pid=0x90009,nr=9) ||
- | Starting MMC driver... (pid=0xb000b, nr=11) ||
- | Starting REE driver... (pid=0xa000a, nr=10) ||
- | Starting FS driver... (pid=0x80008, nr=8) ||
- | Starting Init process... (pid=0x40004, nr=4) ||
- | [info] [ree] ree shared buffer successfully mapped: addr=0x30000000, pages=256 ||
- | [info] [fs] map ree physbuf ||
- | [info] [ree] initialised ring buffer with 512 slots ||
- | [info] [fs] mount MMC on drive 0: (mmc:) ||
- | [info] [ree] successfully registered SGI ||
- | [ 137.622891] tzfs: push file /etc/openvpn/OpenVpnClientCert.p12 (4412 / 4412 bytes) ||
- | [info] [fs] check drive 0: ||
- | [info] [fs] successfully uploaded new version for /etc/openvpn/OpenVpnClientCert.p12 ||
- | [ 137.970990] tzfs: successfully uploaded file ||
- | </code> ||
- | |||
- | ==== Copy the password file ==== | ||
- | |||
- | <note info>This is the password of the P12 archive.</note> | ||
- | |||
- | The ''password'' file contains a single line: the path of the archive as seen from inside the TrustZone filesystem (''/etc/openvpn/...'', not the ''/user/trustzone/'' mount point), a space, and the P12 password: ||
- | |||
- | <code ini>/etc/openvpn/OpenVpnClientCert.p12 PASSWORD</code> | ||
- | |||
- | To install it, run: | ||
- | |||
- | <code bash> | ||
- | cp /user/password trustzone/etc/openvpn/ | ||
- | </code> | ||
- | |||
- | Sample output (debug probe only): | ||
- | <code> | ||
- | [ 146.172188] tzfs: push file /etc/openvpn/password (42 / 42 bytes) | ||
- | [info] [fs] successfully uploaded new version for /etc/openvpn/password | ||
- | [ 146.459796] tzfs: successfully uploaded file | ||
- | </code> | ||
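The prerequisites listed above and the ''password'' file format can be checked on the host before anything is copied to the gateway. The script below is an added example, not code from the original page or from the gateway vendor. It assumes the ''openssl'' command-line tool is installed on the host; it builds a throwaway CA, client certificate and PKCS#12 archive as constructed test data, then runs on them the same checks you would run on your real ''OpenVpnClientCert.p12'', ''password'' and ''client-openvpn.conf'': no ''auth-user-pass'', an explicit AES cipher, the right path in the password file, the password actually opening the archive, and the client certificate chaining to the CA. The function names are the example's own. Because the page does not show how the patched OpenVPN locates the archive, the constructed config carries no certificate directive, and the ''-keypbe''/''-certpbe''/''-macalg'' settings are an assumption so that an archive exported by a current OpenSSL stays readable by the OpenSSL 1.0.2 on the board.

```shell
#!/bin/sh
# Host-side pre-flight checks for the OpenVPN/ProvenCore client material.
# Added example (not from the original page); needs the openssl CLI.
set -u

# check_conf CONF: the P12 password lives in the TEE, so auth-user-pass must be absent.
check_conf() {
  if grep -Eq '^[[:space:]]*auth-user-pass' "$1"; then
    echo "FAIL: $1 uses auth-user-pass; remove it, ProvenCore supplies the secret" >&2
    return 1
  fi
  return 0
}

# check_cipher CONF: OpenVPN 2.3 silently defaults to BF-CBC (64-bit block cipher,
# visible in the sample log on this page); insist on an explicit AES data-channel cipher.
check_cipher() {
  c=$(awk '$1=="cipher"{print $2}' "$1" | tail -n 1)
  case "$c" in
    AES-*) return 0 ;;
    *) echo "FAIL: $1 uses cipher '${c:-BF-CBC (default)}'; set an AES cipher the server also accepts" >&2
       return 1 ;;
  esac
}

# check_password_file FILE P12NAME: one line "/etc/openvpn/<P12NAME> <password>".
# The path is as seen from the tzfs root, not through the /user/trustzone/ mount point.
check_password_file() {
  path=""; pw=""
  if ! read -r path pw < "$1" && [ -z "$path" ]; then   # tolerate a missing final newline
    echo "FAIL: cannot read $1" >&2; return 1
  fi
  if [ "$path" != "/etc/openvpn/$2" ]; then
    echo "FAIL: $1 names '$path', expected /etc/openvpn/$2" >&2; return 1
  fi
  if [ -z "$pw" ] || [ "$pw" != "${pw%% *}" ]; then
    echo "FAIL: password field in $1 is empty or contains spaces" >&2; return 1
  fi
  return 0
}

# check_p12 P12 PASSFILE CAFILE: the password in PASSFILE opens the archive (a wrong one
# surfaces on the board as "PKCS12_parse mac verify failure") and the client certificate
# inside chains to CAFILE, the CA the OpenVPN server verifies clients against.
check_p12() {
  pw=$(awk 'NR==1{print $2}' "$2")
  certs=$(mktemp)
  if ! openssl pkcs12 -in "$1" -passin "pass:$pw" -nokeys -clcerts -out "$certs" >/dev/null 2>&1; then
    rm -f "$certs"; echo "FAIL: the password in $2 does not open $1" >&2; return 1
  fi
  if ! openssl verify -CAfile "$3" "$certs" >/dev/null 2>&1; then
    rm -f "$certs"; echo "FAIL: client certificate in $1 does not chain to $3" >&2; return 1
  fi
  rm -f "$certs"
  return 0
}

# make_demo_material DIR: constructed test data only (throwaway CA, client cert, P12,
# password file, minimal config). Never use these keys on a real gateway.
make_demo_material() {
  d=$1
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 30 \
    -subj /CN=DemoRootCA -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=DemoClient -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/client.crt" >/dev/null 2>&1
  # Assumption: SHA1/3DES PBE and a SHA1 MAC keep the archive readable by the
  # OpenSSL 1.0.2 on the board; newer openssl defaults to PBES2/AES parameters.
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" -certfile "$d/ca.crt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout pass:demo-p12-secret -out "$d/OpenVpnClientCert.p12"
  printf '/etc/openvpn/OpenVpnClientCert.p12 demo-p12-secret\n' > "$d/password"
  # No certificate directive: the page does not show how the patched binary finds the P12.
  printf 'client\ndev tun\nproto udp\nremote vpn.example.net 1194\ncipher AES-256-CBC\nauth SHA256\n' \
    > "$d/client-openvpn.conf"
}

# preflight DIR: run every check on the files in DIR, as you would on the real material.
preflight() {
  check_conf "$1/client-openvpn.conf" &&
  check_cipher "$1/client-openvpn.conf" &&
  check_password_file "$1/password" OpenVpnClientCert.p12 &&
  check_p12 "$1/OpenVpnClientCert.p12" "$1/password" "$1/ca.crt"
}

demo_dir=$(mktemp -d)
make_demo_material "$demo_dir"
preflight "$demo_dir" && echo "OK: material in $demo_dir would be safe to scp to the gateway"
rm -rf "$demo_dir"
```

To use it on real material, skip ''make_demo_material'' and call ''preflight'' on a directory holding your own ''client-openvpn.conf'', ''password'', ''OpenVpnClientCert.p12'' and the CA certificate. A failing ''check_p12'' on the host is the same condition that shows up only on the debug probe once the archive is on the board, so it is cheaper to catch here.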
- | |||
- | ==== Configure the firewall ==== | ||
- | |||
- | OpenVPN uses UDP port 1194 by default, so the only rule to add is the one that lets that outbound traffic through (adjust the port and protocol if the ''remote''/''proto'' lines of your client configuration differ): ||
- | |||
- | <code bash> ||
- | iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT ||
- | </code> ||
- | |||
- | This rule is enough because ''iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'' is already present in the default firewall configuration, so the server's replies are accepted on the INPUT chain. ||
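The rule above hard-codes the default 1194/udp. The following is an added example, not code from the original page: it reads the endpoint(s) from the client configuration's standard ''remote'', ''port''/''rport'' and ''proto'' directives and prints one OUTPUT rule per server, pinned to the server address with ''-d'' so that the hole is limited to that peer. The function names and the sample configuration are the example's own; the sample uses the server address and port from the log on this page.

```shell
#!/bin/sh
# Derive the outbound firewall rule(s) for the OpenVPN client from its config file.
# Added example, not from the original page.

# vpn_endpoints CONF: print one "HOST PORT PROTO" line per "remote" directive.
# A port/proto given on the remote line wins over the global "port"/"rport"/"proto"
# lines; with neither, OpenVPN uses 1194/udp, the default assumed on this page.
vpn_endpoints() {
  awk '
    $1=="proto"               { gproto=$2 }
    $1=="port" || $1=="rport" { gport=$2 }
    $1=="remote"              { n++; h[n]=$2; p[n]=$3; pr[n]=$4 }
    END {
      if (n==0) { print "no remote directive in config" > "/dev/stderr"; exit 1 }
      for (i=1; i<=n; i++) {
        port  = (p[i]  != "") ? p[i]  : (gport  != "" ? gport  : 1194)
        proto = (pr[i] != "") ? pr[i] : (gproto != "" ? gproto : "udp")
        sub(/^tcp.*/, "tcp", proto); sub(/^udp.*/, "udp", proto)  # tcp-client, udp4, ... -> tcp/udp
        print h[i], port, proto
      }
    }' "$1"
}

# vpn_fw_rules CONF: one iptables OUTPUT rule per endpoint. Pinning -d to the server
# address limits the hole to that peer instead of any host reachable on that port;
# use the server IP rather than a hostname, since iptables resolves names only once,
# when the rule is inserted.
vpn_fw_rules() {
  eps=$(vpn_endpoints "$1") || return 1
  printf '%s\n' "$eps" | while read -r host port proto; do
    echo "iptables -t filter -A OUTPUT -d $host -p $proto --dport $port -j ACCEPT"
  done
}

# Constructed sample config matching the sample log on this page (server 164.132.103.11, udp 1194).
sample_conf=$(mktemp)
printf 'client\ndev tun\nproto udp\nremote 164.132.103.11 1194\n' > "$sample_conf"
vpn_fw_rules "$sample_conf"
rm -f "$sample_conf"
```

Run it against the real ''/etc/openvpn/client-openvpn.conf'' on the board and apply the printed rule(s); the existing ''ESTABLISHED,RELATED'' INPUT rule still covers the return traffic.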
- | |||
- | ==== Start OpenVPN client ==== | ||
- | |||
- | <code bash> | ||
- | openvpn /etc/openvpn/client-openvpn.conf | ||
- | </code> | ||
- | |||
- | Sample output as captured on the debug probe. The ProvenCore traces (the ''ERR_put_error'' and ''SSL state'' lines) interleave with the normal OpenVPN log, which is why a few lines run together; over SSH only the OpenVPN lines are shown. Note that the data channel negotiates ''BF-CBC'' with SHA1, the OpenVPN 2.3 default: Blowfish is a 64-bit block cipher and is deprecated, so set an AES ''cipher'' on both client and server if the server supports it. ||
- | <code> | ||
- | [ 887.477787] tz: miscdev open pid:920 | ||
- | Thu Aug 4 07:37:00 2016 OpenVPN ERR_put_error SSL routine2.3.11 arm-poky-linux-gnueabi [SSL] [LZO] [EPOLL] [MH] [IPv6] built on Jul 27 2016 | ||
- | Thu Aug 4 07:37:00 2016 library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09 | ||
- | s SSL3_CTX_CTRL called a function you should not call s3_lib.c 2466 | ||
- | ERR_put_error asn1 encoding routines ASN1_get_object too long asn1/asn1_lib.c 143 | ||
- | ERR_put_error PKCS12 routines PKCS12_parse mac verify failure pkcs12/p12_kiss.c 115 | ||
- | ERR_put_error x509 certificate routines X509_check_private_key key values mismatch x509/x509_cmp.c 355 | ||
- | ERR_put_error x509 certificate routines X509_check_private_key key values mismatch x509/x509_cmp.c 355 | ||
- | Thu Aug 4 07:37:01 2016 Socket BSSL state (connect): uffers: R=[163840->163840] S=[163840->163840] | ||
- | Thu Aug 4 07:37:01 2016 UDPv4 link local: [undef] | ||
- | Thu Aug 4 07:37:01 2016 UDPv4 link remote: [AF_INET]164.132.103.11:1194 | ||
- | before/connect initialization | ||
- | SSL state (connect): unknown state | ||
- | Thu Aug 4 07:37:01 2016 TLS: Initial packet from [AF_INET]164.132.103.11:1194, sid=12c41a89 7837c19f | ||
- | SSL state (connect): SSLv3 read server hello A | ||
- | VERIFY OK: depth=2, CN=KerlinkRootCA | ||
- | VERIFY OK: depth=1, CN=OpenVPNCA | ||
- | VERIFY OK: depth=0, CN=OpenVpnServerCert | ||
- | SSL state (connect): SSLv3 read server certificate A | ||
- | SSL state (connect): SSLv3 read server key exchange A | ||
- | SSL state (connect): SSLv3 read server certificate request A | ||
- | SSL state (connect): SSLv3 read server done A | ||
- | SSL state (connect): SSLv3 write client certificate A | ||
- | SSL state (connect): SSLv3 write client key exchange A | ||
- | SSL state (connect): SSLv3 write certificate verify A | ||
- | SSL state (connect): SSLv3 write change cipher spec A | ||
- | SSL state (connect): SSLv3 write finished A | ||
- | SSL state (connect): SSLv3 flush data | ||
- | SSL state (connect): SSLv3 read finished A | ||
- | Thu Aug 4 07:37:05 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key | ||
- | Thu Aug 4 07:37:05 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication | ||
- | Thu Aug 4 07:37:05 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key | ||
- | Thu Aug 4 07:37:05 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication | ||
- | Thu Aug 4 07:37:05 2016 [] Peer Connection Initiated with [AF_INET]164.132.103.11:1194 | ||
- | Thu Aug 4 07:37:08 2016 SENT CONTROL [UNDEF]: 'PUSH_REQUEST' (status=1) | ||
- | Thu Aug 4 07:37:08 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 | ||
- | 10.8.0.5' | ||
- | Thu Aug 4 07:37:08 2016 OPTIONS IMPORT: timers and/or timeouts modified | ||
- | Thu Aug 4 07:37:08 2016 OPTIONS IMPORT: --ifconfig/up options modified | ||
- | Thu Aug 4 07:37:08 2016 OPTIONS IMPORT: route options modified | ||
- | Thu Aug 4 07:37:08 2016 TUN/TAP device tun0 opened | ||
- | Thu Aug 4 07:37:08 2016 TUN/TAP TX queue length set to 100 | ||
- | Thu Aug 4 07:37:08 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 | ||
- | Thu Aug 4 07:37:08 2016 /sbin/ip link set dev tun0 up mtu 1500 | ||
- | Thu Aug 4 07:37:08 2016 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5 | ||
- | Thu Aug 4 07:37:08 2016 /sbin/ip route add 164.132.103.11/32 via 192.168.4.4 | ||
- | Thu Aug 4 07:37:08 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5 | ||
- | Thu Aug 4 07:37:08 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5 | ||
- | Thu Aug 4 07:37:08 2016 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5 | ||
- | Thu Aug 4 07:37:08 2016 Initialization Sequence Completed | ||
- | </code> | ||
- | |||
- | ===== Firmware v1.x ===== | ||
- | |||
- | The feature is not available. |