This is an old revision of the document!


VPN clients

Here are the VPN configuration instructions for older firmware versions.

Firmware v2.0.4

Only the OpenVPN feature is available; IPsec is not available.

The OpenVPN binary on the gateway is slightly modified to work with ProvenCore: all the security information (the P12 archive and its password) is managed in the secure world.

In your openvpn.conf file you must not use the auth-user-pass option, because the password is managed by ProvenCore in the trusted execution environment.

Prerequisites

  1. On server side: an OpenVPN server (version 2.3.11, or matching the OpenVPN version on the board) properly configured with a server certificate.
  2. On client side: an OpenVPN client configuration file matching the server configuration, a client certificate matching the server certificate (as a P12 archive), and the password of that archive written in a file named password.

  • Traces are displayed in the serial terminal (available with a debug probe) but not in an SSH terminal.
  • Certificate installation traces are displayed once, only the first time after a reboot.

TrustZone mounting

cd /user/
mkdir trustzone/
mount -t tzfs tzfs trustzone/
mkdir -p trustzone/etc/openvpn/

File copy from host to target

scp client-openvpn.conf    root@192.168.0.x:/user/
scp password               root@192.168.0.x:/user/
scp OpenVpnClientCert.p12  root@192.168.0.x:/user/

Be sure to replace 192.168.0.x with the IP address of the Wirnet™ iBTS.

Copy OpenVPN config

cp /user/client-openvpn.conf /etc/openvpn/

Copy sensitive information to the TrustZone

Copy the certificate and all the CA information to the TrustZone in P12 archive format.

Command results are displayed in the debug probe (serial) terminal only; nothing is shown in an SSH terminal.

Reboot the Wirnet™ iBTS to initialize the TrustZone logger.

# cp OpenVpnClientCert.p12 trustzone/etc/openvpn/
Loaded 11 ELFs from archive...
Parsed init/build/init with header at 0x40124800
Parsed init/build/hello with header at 0x4012ba00
Parsed uart/build/uart with header at 0x40132c00
Parsed fs/build/fs with header at 0x4013a000
Parsed mmc/build/mmc with header at 0x4014b800
Parsed mmc/build/mmc-test with header at 0x40155600
Parsed ree/build/ree with header at 0x4015cc00
Parsed syield/build/syield with header at 0x40164400
Parsed help/build/help with header at 0x4016b600
Parsed shell/build/shell with header at 0x40172a00
Parsed openvpn/build/openvpn with header at 0x4017ae00


  -=-=-=- ProvenCore Kernel -=-=-=-

Copyright (c) 2014-2016, Prove & Run and/or its affiliates. All rights reserved.

Booted 1 core in supervisor mode.


[  137.198532] tz: provencore returned 0xbf000000
Starting OpenVPN driver ... (pid=0x90009,nr=9)
Starting MMC driver... (pid=0xb000b, nr=11)
Starting REE driver... (pid=0xa000a, nr=10)
Starting FS driver... (pid=0x80008, nr=8)
Starting Init process... (pid=0x40004, nr=4)
[info] [ree] ree shared buffer successfully mapped: addr=0x30000000, pages=256
[info] [fs] map ree physbuf
[info] [ree] initialised ring buffer with 512 slots
[info] [fs] mount MMC on drive 0: (mmc:)
[info] [ree] successfully registered SGI
[  137.622891] tzfs: push file /etc/openvpn/OpenVpnClientCert.p12 (4412 / 4412 bytes)
[info] [fs] check drive 0:
[info] [fs] successfully uploaded new version for /etc/openvpn/OpenVpnClientCert.p12
[  137.970990] tzfs: successfully uploaded file

Copy the password file

This is the password of the P12 archive.

The password file is in the form:

/etc/openvpn/OpenVpnClientCert.p12 PASSWORD

To install it, run:

cp /user/password trustzone/etc/openvpn/

Sample output (debug probe only):

[  146.172188] tzfs: push file /etc/openvpn/password (42 / 42 bytes)
[info] [fs] successfully uploaded new version for /etc/openvpn/password
[  146.459796] tzfs: successfully uploaded file
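Before copying the three files to /user/ in the steps above, a host-side pre-flight check catches the usual mistakes: an auth-user-pass line left in the config, a password file whose path is not the TrustZone path /etc/openvpn/<name>.p12, or a P12 archive that does not open with that password. This is an added example, not Kerlink's own tooling; it assumes the page's file names and an openssl binary on the host.

```shell
#!/bin/sh
# Host-side pre-flight check for the files copied to /user/ on the gateway.
# Added example, not Kerlink's tooling; assumes the page's file names
# (client-openvpn.conf, password, OpenVpnClientCert.p12) and openssl on the host.

# check_conf CONF: auth-user-pass must not appear, ProvenCore holds the password.
check_conf() {
    if grep -Eq '^[[:space:]]*auth-user-pass' "$1"; then
        return 1
    fi
    return 0
}

# check_password_file PWFILE P12NAME: exactly one line of two fields, and the
# path must be the one the TrustZone sees, /etc/openvpn/<P12NAME>.
check_password_file() {
    pwfile=$1
    expected="/etc/openvpn/$2"
    [ "$(grep -c '' "$pwfile")" -eq 1 ] || return 1
    set -f                             # no glob expansion of password characters
    set -- $(head -n 1 "$pwfile")      # word splitting is intended here
    set +f
    [ $# -eq 2 ] || return 1           # a password containing spaces cannot be expressed
    [ "$1" = "$expected" ] || return 1
    return 0
}

# password_from_file PWFILE: print the second field of the single line.
password_from_file() {
    awk 'NR == 1 { print $2 }' "$1"
}

# check_p12 P12 PASSWORD: verify the archive MAC with the password; a wrong
# password is what OpenSSL reports as "PKCS12_parse mac verify failure".
check_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# preflight CONF PWFILE P12: run the checks in order and report the first failure.
preflight() {
    name=$(basename "$3")
    check_conf "$1" || { echo "remove auth-user-pass from $1"; return 1; }
    check_password_file "$2" "$name" ||
        { echo "$2 must be one line: /etc/openvpn/$name <password>"; return 1; }
    check_p12 "$3" "$(password_from_file "$2")" ||
        { echo "$3 does not open with the password in $2"; return 1; }
    echo "ok: files are ready to scp to /user/ on the gateway"
}
```

Run it as `preflight client-openvpn.conf password OpenVpnClientCert.p12` from the directory holding the three files.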

Configure the firewall

Add the following iptables rule; by default, only UDP port 1194 needs to be open:

iptables -t filter -A OUTPUT -p udp --dport 1194 -j ACCEPT

This rule is enough because the rule iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT is already present in the default firewall configuration.

Start OpenVPN client

openvpn /etc/openvpn/client-openvpn.conf

Sample output (the TrustZone traces are not displayed over SSH, only on the debug probe):

[  887.477787] tz: miscdev open pid:920
Thu Aug  4 07:37:00 2016 OpenVPN ERR_put_error SSL routine2.3.11 arm-poky-linux-gnueabi [SSL] [LZO] [EPOLL] [MH] [IPv6] built on Jul 27 2016
Thu Aug  4 07:37:00 2016 library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
s SSL3_CTX_CTRL called a function you should not call s3_lib.c 2466
ERR_put_error asn1 encoding routines ASN1_get_object too long asn1/asn1_lib.c 143
ERR_put_error PKCS12 routines PKCS12_parse mac verify failure pkcs12/p12_kiss.c 115
ERR_put_error x509 certificate routines X509_check_private_key key values mismatch x509/x509_cmp.c 355
ERR_put_error x509 certificate routines X509_check_private_key key values mismatch x509/x509_cmp.c 355
Thu Aug  4 07:37:01 2016 Socket BSSL state (connect): uffers: R=[163840->163840] S=[163840->163840]
Thu Aug  4 07:37:01 2016 UDPv4 link local: [undef]
Thu Aug  4 07:37:01 2016 UDPv4 link remote: [AF_INET]164.132.103.11:1194
before/connect initialization
SSL state (connect): unknown state
Thu Aug  4 07:37:01 2016 TLS: Initial packet from [AF_INET]164.132.103.11:1194, sid=12c41a89 7837c19f
SSL state (connect): SSLv3 read server hello A
VERIFY OK: depth=2, CN=KerlinkRootCA
VERIFY OK: depth=1, CN=OpenVPNCA
VERIFY OK: depth=0, CN=OpenVpnServerCert
SSL state (connect): SSLv3 read server certificate A
SSL state (connect): SSLv3 read server key exchange A
SSL state (connect): SSLv3 read server certificate request A
SSL state (connect): SSLv3 read server done A
SSL state (connect): SSLv3 write client certificate A
SSL state (connect): SSLv3 write client key exchange A
SSL state (connect): SSLv3 write certificate verify A
SSL state (connect): SSLv3 write change cipher spec A
SSL state (connect): SSLv3 write finished A
SSL state (connect): SSLv3 flush data
SSL state (connect): SSLv3 read finished A
Thu Aug  4 07:37:05 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug  4 07:37:05 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug  4 07:37:05 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug  4 07:37:05 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug  4 07:37:05 2016 [] Peer Connection Initiated with [AF_INET]164.132.103.11:1194
Thu Aug  4 07:37:08 2016 SENT CONTROL [UNDEF]: 'PUSH_REQUEST' (status=1)
Thu Aug  4 07:37:08 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 
10.8.0.5'
Thu Aug  4 07:37:08 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug  4 07:37:08 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug  4 07:37:08 2016 OPTIONS IMPORT: route options modified
Thu Aug  4 07:37:08 2016 TUN/TAP device tun0 opened
Thu Aug  4 07:37:08 2016 TUN/TAP TX queue length set to 100
Thu Aug  4 07:37:08 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug  4 07:37:08 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug  4 07:37:08 2016 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Aug  4 07:37:08 2016 /sbin/ip route add 164.132.103.11/32 via 192.168.4.4
Thu Aug  4 07:37:08 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Thu Aug  4 07:37:08 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Thu Aug  4 07:37:08 2016 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Aug  4 07:37:08 2016 Initialization Sequence Completed

Firmware v1.x

The feature is not available.

wiki/secure_network_legacy.1534256547.txt.gz · Last modified: 2019/01/17 10:01 (external edit)