Creating a VPN on the LAN using a Dell SonicWall NetExtender client

From RVM Wiki

The goal is to install the NetExtender command-line client as a daemon on a gateway, in order to share the SSL VPN on the LAN.

In this example the connection parameters are:

  • server=vpn.example.com:4443
  • username=UN
  • password=UN-1234
  • domain=mydomain

Client installation

  • Install the dependencies:
sudo apt-get install ppp 
  • Download the 32-bit client directly from the customer's VPN site, or the 64-bit version by connecting with a browser from a 64-bit Linux machine to:
cd /tmp
wget https://sslvpn.demo.sonicwall.com/NetExtender.Linux.8.1.789.x86_64.tgz
  • Unpack it:
cd /tmp
tar xvzf NetExtender.Linux.8.1.789.x86_64.tgz
  • Install it:
cd netExtenderClient
sudo ./install

Manual connection

  • Start a manual connection as root (do not use sudo: it would save the profile in the unprivileged user's home directory):
sudo -i
/usr/sbin/netExtender -u UN -p UN-1234 -d mydomain vpn.example.com:4433
  • It will ask to confirm the certificate, then log in:
NetExtender for Linux - Version 8.1.789
Dell SonicWALL
Copyright (c) 2016 Dell

Connecting to vpn.example.com:4433...
There is a problem with the site's security certificate. 
Warning: self signed certificate
Do you want to proceed? (Y:Yes, N:No, V:View Certificate)y

Connected.
Logging in...
Login successful.
Version header not found
SSL Connection is ready
Using SSL Encryption Cipher 'ECDHE-RSA-AES256-GCM-SHA384'
Using new PPP frame encoding mechanism
Using PPP async mode (chosen by server) 
Connecting tunnel...
Client IP Address: 1.2.3.4
You now have access to the following 6 remote networks:
    1.2.3.4/255.255.255.0
    192.168.14.0/255.255.255.0
    192.168.11.0/255.255.255.0
    192.168.12.0/255.255.255.0
    192.168.1.0/255.255.255.0
    192.168.10.0/255.255.255.0
NetExtender connected successfully. Type "Ctrl-c" to disconnect...
  • Check which specific DNS servers the VPN sets; they will be needed later to configure the DNS server on the server:
cat /etc/resolv.conf
  • Interrupt with CTRL-C
  • Fetch the certificate:
openssl s_client -servername vpn.example.com  -connect vpn.example.com:4433 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/vpn.example.com.crt
  • Add it to the certificate chain:
cat /tmp/vpn.example.com.crt >> /root/.netExtenderCerts/PUB_CERT/ca-bundle.crt
  • Retry the connection: it must no longer ask to confirm the certificate:
/usr/sbin/netExtender -u UN -p UN-1234 -d mydomain vpn.example.com:4433
NetExtender for Linux - Version 8.1.789
Dell SonicWALL
Copyright (c) 2016 Dell

Connecting to vpn.example.com:4433...
Connected.
Logging in...
Login successful.
Version header not found
SSL Connection is ready
Using SSL Encryption Cipher 'ECDHE-RSA-AES256-GCM-SHA384'
Using new PPP frame encoding mechanism
Using PPP async mode (chosen by server) 
Connecting tunnel...
Client IP Address: 1.2.3.4
You now have access to the following 6 remote networks:
    1.2.3.4/255.255.255.0
    192.168.14.0/255.255.255.0
    192.168.11.0/255.255.255.0
    192.168.12.0/255.255.255.0
    192.168.1.0/255.255.255.0
    192.168.10.0/255.255.255.0
NetExtender connected successfully. Type "Ctrl-c" to disconnect...
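The step above appends whatever certificate port 4433 returned to ca-bundle.crt, so from then on netExtender trusts it without further prompts. The helper below is an added example, not code from the wiki page or from SonicWall: it computes the SHA-256 fingerprint of the fetched certificate (the SHA-256 of its DER encoding, so only sed, base64 and sha256sum are needed) and appends it to the bundle only when the fingerprint matches a value obtained out of band, for instance from the firewall administrator. The file names, the EXPECTED_FP variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pin the SonicWall gateway certificate by SHA-256 fingerprint
# before adding it to NetExtender's CA bundle. Paths and variable names are
# assumptions; EXPECTED_FP must come from an out-of-band source.

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the PEM
# certificate in file $1 (one certificate expected). The fingerprint is
# the SHA-256 of the DER bytes, i.e. of the base64-decoded PEM body.
cert_fingerprint() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" \
        | sed '/-----/d' \
        | base64 -d \
        | sha256sum \
        | cut -d' ' -f1
}

# Normalise a fingerprint as printed by
# "openssl x509 -noout -fingerprint -sha256" (e.g. "SHA256 Fingerprint=AB:CD:...")
# to the bare lowercase form that cert_fingerprint prints.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# Append certificate $1 to bundle $3 only if its fingerprint matches $2.
# Returns 0 when appended, 1 on mismatch (the bundle is left untouched).
pin_and_append() {
    cert=$1; expected=$(normalize_fp "$2"); bundle=$3
    actual=$(cert_fingerprint "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got $actual, expected $expected" >&2
        return 1
    fi
    cat "$cert" >> "$bundle"
    return 0
}

# Usage on the gateway (the fetch needs the network, so it is left as a comment):
#   openssl s_client -servername vpn.example.com -connect vpn.example.com:4433 </dev/null 2>/dev/null \
#       | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/vpn.example.com.crt
#   EXPECTED_FP='AB:CD:...'   # assumed: fingerprint obtained from the firewall administrator
#   pin_and_append /tmp/vpn.example.com.crt "$EXPECTED_FP" /root/.netExtenderCerts/PUB_CERT/ca-bundle.crt
```

If the fingerprint does not match, the function refuses to touch the bundle and netExtender keeps prompting on the next manual connection, which is the behaviour you want when the endpoint is not the one you expected.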

Creating the init.d script

  • Create the script:
sudoedit /etc/init.d/netextender
#! /bin/sh

### BEGIN INIT INFO
# Provides:          netextender
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: NetExtender VPN Daemon
### END INIT INFO

# /etc/init.d/netextender: start and stop the NetExtender daemon

set -e

# netExtender keeps its certificate store under $HOME (/root/.netExtenderCerts)
export HOME="/root"

test -x /usr/sbin/netExtender || exit 0

umask 022

. /lib/lsb/init-functions

# Credentials come from /etc/default/netextender (mode 600).
# Note: -p places the password in the daemon's argument list, which local
# users can read with ps.
if test -f /etc/default/netextender; then
    . /etc/default/netextender
    NETEXT_OPTS="--dns-only-local -u ${NETEXT_USERNAME} -p ${NETEXT_PASSWORD} -d ${NETEXT_DOMAIN} ${NETEXT_SERVER}"
else
    log_action_msg "Default file not present. Aborting" || true
    exit 0
fi

# Extra netExtender options may be passed as the second argument
if [ -n "$2" ]; then
    NETEXT_OPTS="$NETEXT_OPTS $2"
fi

# Are we running from init?
run_by_init() {
    ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ]
}

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"

case "$1" in
  start)
    log_daemon_msg "Starting NetExtender daemon" "netextender" || true
    if start-stop-daemon --start --background --exec /usr/sbin/netExtender -- ${NETEXT_OPTS}; then
        log_end_msg 0 || true
    else
        log_end_msg 1 || true
    fi
    ;;
  stop)
    log_daemon_msg "Stopping NetExtender daemon" "netextender" || true
    # --stop matches the running process by executable path; no options are needed
    if start-stop-daemon --stop --retry 30 --exec /usr/sbin/netExtender; then
        log_end_msg 0 || true
    else
        log_end_msg 1 || true
    fi
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    status_of_proc /usr/sbin/netExtender netextender && exit 0 || exit $?
    ;;
  *)
    log_action_msg "Usage: /etc/init.d/netextender {start|stop|restart|status}" || true
    exit 1
esac

exit 0
  • Make it executable:
sudo chmod +x /etc/init.d/netextender
  • Create the configuration file:
sudoedit /etc/default/netextender
NETEXT_USERNAME="UN"
NETEXT_PASSWORD="UN12345"
NETEXT_DOMAIN="mydomain"
NETEXT_SERVER="vpn.example.com:4443"
  • Fix the permissions:
sudo chmod 600 /etc/default/netextender
  • If systemctl is used, enable the script:
sudo systemctl enable netextender
  • Test it:
sudo /etc/init.d/netextender start
  • Check that the VPN works
  • Stop it:
sudo /etc/init.d/netextender stop
  • Check that the VPN does NOT work
  • Enable automatic start if sysv is used (the script name comes before "defaults"):
sudo update-rc.d netextender defaults

Enabling DNS stubbing

If the DNS on the gateway should forward queries for the VPN domains to the VPN-specific DNS servers, configure the VPN DNS servers as stubs.

See: Forwarding queries for a particular domain to a particular DNS server

Enabling NAT

  • Most likely NAT will have to be enabled towards the networks configured on the VPN (the loop assumes IPTABLES points to the iptables binary, as in a typical firewall script; IPv4 forwarding must also be enabled on the gateway, net.ipv4.ip_forward=1):
   IPTABLES=${IPTABLES:-/sbin/iptables}
   NETEXT_NETS="192.168.1.0/24 192.168.10.0/24"
   for SUBNET in $NETEXT_NETS
   do
        $IPTABLES -t nat -A POSTROUTING \
           -d $SUBNET -o ppp0 \
           -j MASQUERADE
   done
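A complete version of the NAT step, added here as an example (it is not code from the wiki page or from SonicWall). It also does what the fragment above leaves implicit: it enables IPv4 forwarding, only forwards traffic that comes from the gateway's own LAN subnet, and checks each rule with iptables -C before adding it, so it can be re-run (for instance from the init script's start action) without stacking duplicate rules. vpn_nets_from_log derives NETEXT_NETS from the "remote networks" list that netExtender prints when it connects (see the output in the manual connection section), converting dotted netmasks to prefix lengths; it assumes that output was saved to a file. LAN_NET, LAN_IF, the log path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: forwarding and NAT for sharing the NetExtender tunnel on
# the LAN. Interface names, LAN_NET and the log path are assumptions.

IPTABLES=${IPTABLES:-/sbin/iptables}
NETEXT_IF=${NETEXT_IF:-ppp0}            # tunnel interface created by netExtender
LAN_IF=${LAN_IF:-eth0}                  # assumed: the gateway's LAN interface
LAN_NET=${LAN_NET:-192.168.100.0/24}    # constructed: the gateway's LAN subnet
NETEXT_NETS=${NETEXT_NETS:-"192.168.1.0/24 192.168.10.0/24"}

# Read a saved netExtender log ($1) and print, one per line in CIDR form,
# the routes listed after "remote networks:", e.g.
# "192.168.14.0/255.255.255.0" -> "192.168.14.0/24".
vpn_nets_from_log() {
    awk '
        /^[ \t]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]*$/ {
            gsub(/[ \t]/, "")             # strip surrounding whitespace
            split($0, p, "[/.]")          # p[1..4] = network, p[5..8] = netmask octets
            bits = 0
            for (i = 5; i <= 8; i++) {    # prefix length = number of 1 bits in the mask
                n = p[i] + 0
                while (n > 0) { bits += n % 2; n = int(n / 2) }
            }
            printf "%s.%s.%s.%s/%d\n", p[1], p[2], p[3], p[4], bits
        }
    ' "$1"
}

# Add a rule only if it is not already present. $1 is the table, the
# remaining arguments are the chain and rule specification.
ensure_rule() {
    table=$1; shift
    if $IPTABLES -t "$table" -C "$@" 2>/dev/null; then
        return 0                          # already there, nothing to do
    fi
    $IPTABLES -t "$table" -A "$@"
}

# Without forwarding the gateway would only use the tunnel for itself.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# For every VPN network: allow LAN -> VPN, allow replies back, and
# masquerade so the VPN side sees only the tunnel's client IP.
apply_nat_rules() {
    for SUBNET in $NETEXT_NETS; do
        ensure_rule filter FORWARD -i "$LAN_IF" -o "$NETEXT_IF" -s "$LAN_NET" -d "$SUBNET" -j ACCEPT
        ensure_rule filter FORWARD -i "$NETEXT_IF" -o "$LAN_IF" -s "$SUBNET" -d "$LAN_NET" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        ensure_rule nat POSTROUTING -s "$LAN_NET" -d "$SUBNET" -o "$NETEXT_IF" -j MASQUERADE
    done
}

# Typical use on the gateway, as root, once the tunnel is up (the log path is assumed):
#   NETEXT_NETS=$(vpn_nets_from_log /var/log/netextender.log | paste -sd ' ' -)
#   enable_forwarding && apply_nat_rules
```

Restricting the FORWARD rules to LAN_NET matters because the gateway is now a path into the customer's networks: only hosts on the LAN that is meant to share the VPN should be able to use it, and the conntrack rule lets replies back without opening the tunnel side to new connections.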

References