ipsec with certificates playthrough
Create a new Ubuntu instance somewhere in the cloud, with this cloud-config:
#cloud-config
# First-boot provisioning for the VPN host: install strongSwan (the IKEv2/IPsec
# daemon whose `ipsec` command and /etc/ipsec.* files are used below) and run a
# package upgrade.
packages:
- strongswan
package_upgrade: true
Create the root CA certificate locally (the CA private key is written to privkey.pem, which the signing steps below rely on):
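# Create the self-signed root CA locally.  -keyout privkey.pem is OpenSSL's default
# anyway, but the signing steps later reference that file by name, so spell it out.
# No -nodes, so OpenSSL prompts for a passphrase to encrypt the CA key.  The umask
# keeps the key owner-readable only, and -sha256 pins the signature digest instead
# of relying on the installed OpenSSL's default.
(umask 077 && openssl req -x509 -sha256 -newkey rsa:4096 -days 90 -subj "/CN=ginko-rootca.zip.sexy" -keyout privkey.pem -out root.crt)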
Create openssl.cnf locally (the extension profile applied when signing certificates):
# Write the extension profile used when signing end-entity (non-CA) certificates.
# "subjectAltName=email:move" relocates a subject emailAddress into the SAN.
printf '%s\n' \
  '[ usr_cert ]' \
  'basicConstraints=CA:FALSE' \
  'nsComment = "OpenSSL Generated Certificate"' \
  'subjectKeyIdentifier=hash' \
  'authorityKeyIdentifier=keyid,issuer' \
  'subjectAltName=email:move' \
  > openssl.cnf
Create the server key and certificate request on the server:
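# Generate the server's private key and CSR on the server itself, so the key never
# leaves the host.  The umask keeps server.pem owner-readable only regardless of
# the installed OpenSSL's own defaults; the CSR is public and needs no protection.
(umask 077 && openssl genrsa -out server.pem 2048)
openssl req -new -sha256 -subj "/CN=ginko.do.zip.sexy" -key server.pem -out server.req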
Copy server.req to the local machine and sign it with the root CA:
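# Sign the server CSR with the root CA.  The extension file is openssl.cnf with a
# DNS subjectAltName appended for this certificate; a later duplicate key in an
# OpenSSL config section overrides the earlier one, so this replaces the
# "email:move" SAN from usr_cert.  Clients (notably Apple's) look for the server
# name in the SAN, not just the CN.  -sha256 pins the signature digest.
openssl x509 -req -sha256 -CAcreateserial -days 90 \
  -in server.req -CAkey privkey.pem -CA root.crt -out server.crt \
  -extensions usr_cert \
  -extfile <(cat openssl.cnf; printf '%s\n' "subjectAltName=DNS:ginko.do.zip.sexy")
# Confirm the SAN actually came out as DNS:ginko.do.zip.sexy before deploying.
openssl x509 -in server.crt -noout -text | grep -A1 'Subject Alternative Name'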
Copy server.crt and root.crt to the server. Put the files in place:
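# Install the server certificate, its private key and the CA certificate where
# strongSwan looks for them.
mv server.crt /etc/ipsec.d/certs/server.crt
mv server.pem /etc/ipsec.d/private/server.pem
mv root.crt /etc/ipsec.d/cacerts/root.crt
# mv keeps whatever mode the key had when it was copied over; make it explicit.
chmod 600 /etc/ipsec.d/private/server.pem
# Tell strongSwan which private key backs server.crt.  ipsec.secrets must not be
# world-readable; it can also hold PSKs and key passphrases.
printf '%s\n' ": RSA server.pem" > /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets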
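# Minimal IKEv2 configuration: both sides authenticate with certificates
# (leftauth/rightauth=pubkey), the server presents server.crt and only accepts
# clients whose certificate chains to the CA named in rightca.  Clients receive an
# address from 10.0.98.0/24 and leftsubnet=0.0.0.0/0 offers them the whole
# Internet through the tunnel.  The quoted delimiter keeps the heredoc literal.
# NOTE(review): this overwrites any existing /etc/ipsec.conf.
cat > /etc/ipsec.conf <<'EOF'
ca root
cacert=root.crt
auto=add
conn vpn
auto=add
keyexchange=ikev2
leftauth=pubkey
leftcert=server.crt
leftid="@ginko.do.zip.sexy"
leftsendcert=always
leftsubnet=0.0.0.0/0
rightauth=pubkey
rightca="CN=ginko-rootca.zip.sexy"
rightdns=8.8.8.8
rightsourceip=10.0.98.0/24
EOF
# Restart strongSwan so it loads the new configuration and certificates.
ipsec restart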
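# ufw integration: masquerade the VPN pool out of eth0 and let IPsec-decapsulated
# traffic be forwarded.  The rule fragments are staged in a private temp dir
# rather than fixed /tmp names (which another local user could pre-create), and
# each splice into /etc/ufw/before.rules is guarded so re-running this does not
# insert the rules twice.
rules_tmp=$(mktemp -d) || exit 1
cat > "$rules_tmp/nat.rules" <<'EOF'
# NAT rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.98.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
cat > "$rules_tmp/filter.rules" <<'EOF'
# Pass encapsulated packets
-A ufw-before-forward -s 10.0.98.0/24 -m policy --pol ipsec --dir in -j ACCEPT
-A ufw-before-forward -d 10.0.98.0/24 -m policy --pol ipsec --dir out -j ACCEPT
EOF
# The *nat table goes right after the first line of before.rules; the forward
# rules go after ufw's "# End required lines" marker.
grep -qF -- '-s 10.0.98.0/24 -o eth0 -j MASQUERADE' /etc/ufw/before.rules \
  || sed -i "1 r $rules_tmp/nat.rules" /etc/ufw/before.rules
grep -qF -- '--pol ipsec --dir in' /etc/ufw/before.rules \
  || sed -i "/^# End required lines$/r $rules_tmp/filter.rules" /etc/ufw/before.rules
rm -rf -- "${rules_tmp:?}"
# Enable IPv4 forwarding by uncommenting the setting in ufw's sysctl.conf.
sed -i 's|^#\(net/ipv4/ip_forward=1\)|\1|' /etc/ufw/sysctl.conf
# IKE (udp/500), IKE and ESP over NAT-T (udp/4500) and the ESP protocol itself.
ufw allow proto udp to any port 500
ufw allow proto udp to any port 4500
# The conn above does not configure AH, so this rule is likely unnecessary; kept
# to match the original setup.
ufw allow proto ah to any
ufw allow proto esp to any
# Allow ssh BEFORE enabling the firewall so this session is not cut off.
ufw allow ssh
ufw enable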
Create a user (client) certificate on the local machine:
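# Create a user (client) certificate locally.  The private key is encrypted with a
# throwaway random passphrase that only has to survive until the PKCS#12 bundle is
# exported; the bundle is what the client imports.  openssl rand replaces a
# byte-by-byte dd from /dev/random (which can block and gave only 80 bits).
PASS=$(openssl rand -base64 16)
export PASS   # read by the -passout/-passin env:PASS arguments below
# The umask keeps the encrypted key owner-readable only.
(umask 077 && openssl req -newkey rsa:2048 -new -subj "/CN=ipad@ginko.do.zip.sexy/emailAddress=ipad@ginko.do.zip.sexy" -keyout user.pem -out user.req -passout env:PASS)
# Sign with the root CA; "email:move" in openssl.cnf is meant to carry the subject's
# emailAddress into subjectAltName.  -sha256 pins the signature digest.
openssl x509 -req -sha256 -CAcreateserial -days 90 -in user.req -CAkey privkey.pem -CA root.crt -out user.crt -extensions usr_cert -extfile openssl.cnf
# Bundle key, user cert and root CA for import; the export password is prompted for.
(umask 077 && openssl pkcs12 -export -certfile root.crt -out user.p12 -inkey user.pem -in user.crt -passin env:PASS)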
MacOS/iOS note: Apple is REAL finicky about what it does. Make sure you install both the root CA and the user cert, or it'll barf and it *won't even fucking log anywhere to tell you why*. All that shit about Subject Alternative Names above is ALSO because Apple hates you.