Yubico Forum
https://forum.yubico.com/

[HOW TO] Building a YubiX VM with OpenVPN
https://forum.yubico.com/viewtopic.php?f=31&t=1424

Author:  jerichod505 [ Thu Jul 10, 2014 4:06 pm ]
Post subject:  [HOW TO] Building a YubiX VM with OpenVPN

Requirements: Ubuntu Server 12.04, YubiX software stack, OpenVPN, VMWare (or VirtualBox), Yubikey
Description: This how-to walks you through the process of setting up a YubiX VM with an OpenVPN access server.
Attached File: yubix_vm_howto_v2c.pdf

Folks:

One of the struggles I had in getting started with YubiX was not having one document that walked me through the installation, setup, and testing of the YubiKey and the YubiX software. This how-to attempts to address that issue by providing detailed steps to set up, configure, and test a virtual machine that provides the following functions:
    A YubiKey authorization infrastructure (yubiauth)
    A YubiKey local key store (yubiksm)
    A YubiKey One Time Password (OTP) validation server (yubval) - optionally you can use the YubiKey Cloud Validation
    A freeRADIUS infrastructure
    An OpenVPN Access Server

This how-to walks you through the steps necessary to build this VM, including building the base operating system, installing the YubiX and OpenVPN software, and then configuring and testing it all. You have the choice of using the YubiKey cloud OTP validation service, or configuring the VM to perform the validation locally.

Hopefully this will be useful to folks. Comments, suggestions and updates are welcome. Contact me through the forum, or you can email me at my forum handle at gmail dot com.

-j505

Attachments:
yubix_vm_howto_v2c.pdf [934.5 KiB]

Author:  Tom [ Mon Jul 14, 2014 8:35 am ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

Thanks for this guide.

Author:  rcota [ Thu Aug 28, 2014 11:39 pm ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

This helps tremendously and is very thorough; however, I have a VPN client already, so I'm not sure what I can and can't rule out of your tut.
But you've pointed me in a better direction than any YubiX tutorials, so I have to say thank you for putting this together.
Do any Yubix tutorials even exist?

Author:  jerichod505 [ Tue Sep 02, 2014 6:42 pm ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

rcota:
re: existing VPN client - i am trying to understand your question a bit better so i can give you a useful answer. when you say you have a vpn client already, do you mean the client AND the server? like for instance are you using a juniper VPN server, which delivers a java client? to my way of thinking the VPN client and server are pretty much a matched pair. as long as the VPN server can be configured to use RADIUS, and the VPN client will pass a long enough password (the static password + the yubikey OTP), then everything should be able to work ok. sections 4.3 and 6 will be different for the specific VPN server.

i have used the YubiX VM with an external hardware VPN server, so if that is of interest to folks i can write up an addendum to the document.

as for yubikey's documentation - well, i can't say - except i found it lacking as well, so i wrote my own :}

jerichod505.
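
The credential layout described in the post above (static password followed by the YubiKey OTP in a single password field), as an added example that is not part of the original post or the how-to PDF. It assumes the default 44-character OTP with a 12-character public ID; the function names and the sample values are hypothetical and constructed for illustration.

```python
MODHEX = set("cbdefghijklnrtuv")   # the 16 characters a YubiKey OTP may contain
OTP_LEN = 44                       # assumption: default 12-char public ID + 32-char token
PUBLIC_ID_LEN = 12

# Constructed sample OTP (not from a real key): public ID + 32 modhex characters.
SAMPLE_OTP = "ccccccbcgujh" + "cbdefghijklnrtuv" * 2


class CredentialError(ValueError):
    """The password field cannot hold 'static password + OTP'."""


def client_can_carry(static_len, client_max_len):
    """True if a client limited to client_max_len characters can send both parts."""
    return static_len + OTP_LEN <= client_max_len


def split_credential(field):
    """Split 'static password + OTP' into (static, otp, public_id).

    Raises CredentialError when the field is too short or its last OTP_LEN
    characters are not modhex, as typically happens when a client truncates it.
    """
    if len(field) < OTP_LEN:
        raise CredentialError("field shorter than one OTP; was it truncated?")
    # The OTP is always the tail; lower-case it in case Caps Lock was on.
    static, otp = field[:-OTP_LEN], field[-OTP_LEN:].lower()
    if not set(otp) <= MODHEX:
        raise CredentialError("trailing %d characters are not modhex" % OTP_LEN)
    return static, otp, otp[:PUBLIC_ID_LEN]


if __name__ == "__main__":
    # Constructed static password, for demonstration only.
    print(split_credential("Correct-Horse7" + SAMPLE_OTP))
    print(client_can_carry(len("Correct-Horse7"), 32))  # a 32-character limit is too small
```
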

Author:  FlorinAndrei [ Wed Sep 03, 2014 2:56 am ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

This is very useful, thank you.

I've a question. Page 15 states:

Quote:
To make the encrypted version, run the gpg utility with the options shown below. Note that '16405BDA' is the ID of the ksm key we made a few steps prior.


Where do you get that from? Is it from "gpg --list-keys"? If so, is it from the line that begins with "pub", or the one that begins with "sub"?

Author:  rcota [ Wed Sep 03, 2014 3:26 pm ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

it's going to be the pub. and even easier, it's just above that: the "gpg: key 4AFCB3D9 marked as ultimately trusted public and secret key created and signed." for example

Author:  FlorinAndrei [ Wed Sep 03, 2014 6:48 pm ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

What is the rationale for using GPG as an intermediate step?

I went into the DB and did a "SELECT * FROM ykksm.yubikeys" and the information there was more or less the same as what's in the keyXXXX.txt file. So, presumably, one could do an "INSERT INTO ykksm.yubikeys VALUES ..." directly from the .txt file.

Is GPG meant to be just a separate, secure data store for the key stuff? (kind of like a secure backup)

Author:  rcota [ Wed Sep 03, 2014 8:42 pm ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

i believe it is the method for encrypting the data. it's the step that adds encryption to the file.
There's got to be a tool or GUI method to do this for several hundred yubi keys, for now I'm just looking on a successful 1!

Author:  jerichod505 [ Sat Sep 27, 2014 12:57 am ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

folks: after upgrading to the latest version of python-yubiauth on this VM i found that apache would not start.

I received an 'Invalid command '<IfVersion' ' error when apache tried to start.

please see the link below for a discussion on how I fixed this:
viewtopic.php?f=31&t=1455#p5597

let me know if anybody else has this same issue - i need to update the howto to reflect turning the mod_version on in apache if that is the case.

--j505.

Author:  sajeeveka [ Thu Apr 02, 2015 6:41 pm ]
Post subject:  Re: [HOW TO] Building a YubiX VM with OpenVPN

I am not able to download this doc.

All times are UTC + 1 hour