-
Notifications
You must be signed in to change notification settings - Fork 9
/
log-makeca.txt
executable file
·188 lines (150 loc) · 9.37 KB
/
log-makeca.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
Build a prescriptive strongSwan CA for iOS, Windows, and Linux devices
** You will be asked a series of configuration questions
You will be prompted before any changes are made to your system
** The CA requires a domain name
If you have a registered domain name to use for the VPN, use that
If not, you can use a name of your choice
NOTE: This must be a DNS name, not an IP address
Domain Name to use [noname.com]:
** Configuring strongSwan for host FQDN p83.noname.com
** 'vpnaddr' is the DNS name or IP address that VPN clients use when connecting to the VPN Server
Use your externally available DNS name if you have one, otherwise use your Internet IP address
vpnaddr for your VPN [p83.noname.com]:
** 'vpndev' is the network device that will be connected to the Internet
If your system has:
One network device: Use that device
> 1 network device: Use the device that is or will be connected to the Internet
either directly or indirectly through a router
Network device that will be connected to the Internet [eth0]:
** 'landev' is the network device that is connected to the local LAN
If your system has:
One network device: Use that device
> 1 network device: Use the device that is not 'eth0'
Network device that will be connected to the local LAN [eth0]:
** VPN Server IP configuration
** 'myipaddr' Local LAN IP Address
If your system has:
One network device: Use the IP Address of that device
> 1 network device: Use the IP Address of 'eth0'
VPN Server Local LAN IP Address [192.168.92.224]:
** 'mysubnet' is the Local LAN Subnet
If you have multiple network adapters this is the subnet of the adapter
connected to the LAN network (eth0) rather than
the adapter connected to the Internet (eth0)
VPN Server Local LAN Subnet [192.168.92.0/24]:
** The Subnet for VPN Clients is a virtual subnet used between
the VPN Server and Clients. It must not be used on your network
and requires iptables configuration, which will be created
by this script (although you'll need to enable it)
Subnet for VPN Clients [10.1.10.0/24]:
** The DNS Server should be a DNS Server on your network
This can be your router (if so configured) or another DNS Server
DNS Server for connected VPN Clients [192.168.92.1]:
** 'cnsuffix' is a naming string only used in user certs
(e.g., username-device-p83@cnsuffix)
It is used by iOS for additional Cert validation
and will be visible for strongSwan connections in the system log
cnsuffix for your CA [myvpn.net]:
** 'webdir' is the directory in the file system where certs will be shared via your web server
webdir for your system [/var/www/html/vpn]: % Directory /var/www/html/vpn does not exist. Be sure to create it before using pistrong --mail
** 'weburl' is the URL that will be used in emails to users with their certs
weburl for your system [http://p83.noname.com/vpn]:
** Configure the SAN Key (remoteid) and VPN Cert name for iOS, Windows, and Linux users
The VPN Cert name prefix is important because it helps you retain your sanity
The remoteid identifies the connection to strongSwan, and is assigned to users when they are added
The defaults are acceptable, but you may change them if you wish
VPN Cert name prefix for iOS VPN Cert [ios]: VPN SAN key for iOS users [ios.noname.com]: VPN Cert name prefix for Windows VPN Cert [windows]: VPN SAN key for Windows users [windows.noname.com]: VPN Cert name prefix for Linux VPN Cert [linux]: VPN SAN key for Linux users [linux.noname.com]:
** The default secondary VPN SAN Key is 'p83.noname.com'
You can add additional SAN Keys if desired
Additional Secondary VPN SAN Key(s) []:
** This script will now create:
Connection Config: /etc/swanctl/conf.d/pistrong-CAServerConnection.conf
CA Cert: strongSwanCACert.pem
VPN Cert for iOS: ios-strongSwanVPNCert.pem with VPN SAN key 'ios.noname.com'
VPN Cert for Windows: windows-strongSwanVPNCert.pem with VPN SAN key 'windows.noname.com'
VPN Cert for Linux: linux-strongSwanVPNCert.pem with VPN SAN key 'linux.noname.com'
For VPN Server LAN IP 192.168.92.224 subnet 192.168.92.0/24 with VPN Client DNS servers 192.168.92.1
The VPN will use virtual subnet 10.1.10.0/24 for VPN Clients
Each VPN cert will have 'p83.noname.com' as secondary VPN SAN key(s)
The default VPN Server Address is 'p83.noname.com'
This can be changed on a per-user basis on the 'sudo pistrong add' command for a single user
using the --vpnaddr new-vpn-address switch
(You might want to do this, for example, if you're using an IP address to connect externally
but also want to test connecting to the VPN server from your internal network)
See https://github.com/gitbls/pistrong/blob/master/README.md
for additional VPN Server IP Address considerations
See 'sudo pistrong config --list' for a list of all the pistrong configuration parameters
and make any changes necessary for your configuration
** If you'd like to change anything, answer N to the next question and restart the script
Do you want to continue [y/N]? Creating strongSwan CA for host p83.noname.com in /etc/swanctl
Creating CA Key (/etc/swanctl/private/strongSwanCAKey.pem)
Create self-signed CA Cert (/etc/swanctl/x509ca/strongSwanCACert.pem)
subject: "C=US, O=p83-strongSwan, CN=strongSwan p83 Root CA"
issuer: "C=US, O=p83-strongSwan, CN=strongSwan p83 Root CA"
validity: not before Jun 24 11:10:07 2021, ok
not after Jun 22 11:10:07 2031, ok (expires in 3650 days)
serial: 46:23:4e:e5:50:77:7f:9f
flags: CA CRLSign self-signed
subjkeyId: 3f:f7:c1:bf:b2:17:de:b9:27:48:d9:6b:0f:c2:0f:7e:4e:9e:b4:8f
pubkey: RSA 4096 bits
keyid: 32:f1:ab:7d:d8:f0:f7:d1:4d:61:9e:36:01:20:fc:f9:54:d0:3d:80
subjkey: 3f:f7:c1:bf:b2:17:de:b9:27:48:d9:6b:0f:c2:0f:7e:4e:9e:b4:8f
Create VPN Host Key (/etc/swanctl/private/ios-strongSwanVPNKey.pem)
Create VPN Host Cert (/etc/swanctl/x509/ios-strongSwanVPNCert.pem)
with VPN SAN key(s) ios.noname.com,p83.noname.com
subject: "C=US, O=p83-strongSwan, CN=p83.noname.com"
issuer: "C=US, O=p83-strongSwan, CN=strongSwan p83 Root CA"
validity: not before Jun 24 11:10:16 2021, ok
not after Jun 22 11:10:16 2031, ok (expires in 3650 days)
serial: 37:e5:17:6a:ac:c2:7f:50
altNames: ios.noname.com, p83.noname.com
flags: serverAuth ikeIntermediate
authkeyId: 3f:f7:c1:bf:b2:17:de:b9:27:48:d9:6b:0f:c2:0f:7e:4e:9e:b4:8f
subjkeyId: ab:5f:20:c6:97:34:bf:36:e3:b1:9e:c6:4e:dc:9e:7d:f7:c6:cd:fa
pubkey: RSA 4096 bits
keyid: 67:c4:72:0c:0b:b6:3b:a4:9a:a2:8e:15:fe:d1:38:09:d7:3c:28:85
subjkey: ab:5f:20:c6:97:34:bf:36:e3:b1:9e:c6:4e:dc:9e:7d:f7:c6:cd:fa
Create VPN Host Key (/etc/swanctl/private/windows-strongSwanVPNKey.pem)
Create VPN Host Cert (/etc/swanctl/x509/windows-strongSwanVPNCert.pem)
with VPN SAN key(s) windows.noname.com,p83.noname.com
subject: "C=US, O=p83-strongSwan, CN=p83.noname.com"
issuer: "C=US, O=p83-strongSwan, CN=strongSwan p83 Root CA"
validity: not before Jun 24 11:10:24 2021, ok
not after Jun 22 11:10:24 2031, ok (expires in 3650 days)
serial: 02:3f:68:e1:42:63:b9:6a
altNames: windows.noname.com, p83.noname.com
flags: serverAuth ikeIntermediate
authkeyId: 3f:f7:c1:bf:b2:17:de:b9:27:48:d9:6b:0f:c2:0f:7e:4e:9e:b4:8f
subjkeyId: af:e7:79:1d:70:72:23:5f:e9:6f:ba:59:cf:e6:91:2b:ca:b9:1d:bc
pubkey: RSA 4096 bits
keyid: 06:78:6e:7e:16:fe:1c:61:a1:a9:57:f4:ae:68:39:d9:0b:f6:75:de
subjkey: af:e7:79:1d:70:72:23:5f:e9:6f:ba:59:cf:e6:91:2b:ca:b9:1d:bc
Create VPN Host Key (/etc/swanctl/private/linux-strongSwanVPNKey.pem)
Create VPN Host Cert (/etc/swanctl/x509/linux-strongSwanVPNCert.pem)
with VPN SAN key(s) linux.noname.com,p83.noname.com
subject: "C=US, O=p83-strongSwan, CN=p83.noname.com"
issuer: "C=US, O=p83-strongSwan, CN=strongSwan p83 Root CA"
validity: not before Jun 24 11:10:27 2021, ok
not after Jun 22 11:10:27 2031, ok (expires in 3649 days)
serial: 1f:60:97:ba:33:04:e7:95
altNames: linux.noname.com, p83.noname.com
flags: serverAuth ikeIntermediate
authkeyId: 3f:f7:c1:bf:b2:17:de:b9:27:48:d9:6b:0f:c2:0f:7e:4e:9e:b4:8f
subjkeyId: ab:13:a3:24:a7:d6:85:34:9d:82:4c:fd:ef:78:a5:9d:45:98:c9:6c
pubkey: RSA 4096 bits
keyid: d9:ea:67:21:f3:cb:b7:a8:d5:1a:cc:dd:3a:57:45:fc:52:90:88:53
subjkey: ab:13:a3:24:a7:d6:85:34:9d:82:4c:fd:ef:78:a5:9d:45:98:c9:6c
When adding iOS users apply --remoteid ios.noname.com
When adding Windows users apply --remoteid windows.noname.com
When adding Linux users apply --remoteid linux.noname.com --linux
Your strongSwan CA is configured
Creating /etc/swanctl/pistrong/CA-iptables with firewall rules
** I have created the service pistrong-iptables-load, but it is not enabled
** If you have another way to load iptables, you must add the code from /etc/swanctl/pistrong/CA-iptables to it
** Otherwise you must 'sudo systemctl enable --now pistrong-iptables-load'
Creating /etc/swanctl/conf.d/pistrong-CAServerConnection.conf with the new VPN Server definitions
** Next steps:
* Ensure that the firewall rules in /etc/swanctl/pistrong/CA-iptables are correct
* Review https://github.com/gitbls/pistrong/blob/master/README.md#firewall-considerations
* Establish port forwarding on your router to IP 192.168.92.224 for UDP ports 500 and 4500
* Set up a mail server and web server if you want to email cert information to users