Configuring a SSL/TLS VPN with OpenVPN

openvpn is a vpn solution that implements connections for the layer 2 or 3, using the SSL/TLS protocol stack. Configuring a vpn SSL/TLS is a good idea and enhance the security of our communications due to the data cipher using the pki infraestructure (pair public/private key) and the verification and authentication of the data. Some advantages of the use openvpn are:

  • Not necessary a static ip address for the server.

  • The virtual interfaces used by the vpn may be filtered by iptables.

  • Easy configuration.

  • No problems with NAT, the server and the client may be in a LAN with a router using NAT.

  • A single port used for the connectivity with the server, by default use 1194/udp.

Basically we can configure openvpn of two ways:

  • tun (layer 3): simulate a point to point connection using IP protocol.

  • tap (layer 2): simulate a virtual ethernet adapter. This method may encapsulate other protocols different than IP.

The method used in this post is tun, and the addressing configured here is:

- VPN client: LAN: 192.168.0.0/24 –> NAT (public IP address)

- VPN server: (public ip address) –> LAN 172.20.0.0/16

- VPN network: 10.0.0.0/24

The objective is create a vpn from the client to the vpn server using his public ip address to connect for the LAN 172.20.0.0/16, for this we’ll encapsulate the packages using the virtual network created by the vpn 10.0.0.0/24.

OpenVPNFlows

OpenVPN server
- Install openvpn:

# apt-get install openvpn
- Copying openvpn easy rsa scripts to the openvpn default config directory:

# cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
- Update the variables used by the scripts to create the certificates with our own information:

# vi /etc/openvpn/easy-rsa/vars
 
export KEY_COUNTRY="ES"
export KEY_PROVINCE="BCN"
export KEY_CITY="Barcelona"
export KEY_ORG="opentodo.net"
export KEY_EMAIL="ivan@opentodo.net"
 
- Create a new CA to sign the new certificates for the vpn:


# cd /etc/openvpn/easy-rsa/
# chmod +x vars
# source ./vars
# ./clean-all
# ./build-ca
 
- Generate a certificate and private key for the server:

# ./build-key-server opentodo-vpn
- Generate a certificate and private key for the vpn client:

# ./build-key vpn-client
- Generate diffie hellman parameters:

# ./build-dh
 
- Copying the keys generated for the openvpn server to the directory /etc/openvpn/:

# cp ca.key ca.crt dh1024.pem opentodo-vpn.crt opentodo-vpn.key /etc/openvpn/

- Configuring the vpn server config file:

# cd /usr/share/doc/openvpn/examples/sample-config-files/
# gunzip server.conf.gz
# cp server.conf /etc/openvpn/


# vi /etc/openvpn/server.conf
 
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
dev tun
ca ca.crt
cert opentodo-vpn.crt
key opentodo-vpn.key
dh dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
push "route 172.20.0.0 255.255.0.0"
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
 
Basically with this configuration we create the vpn with the virtual network 10.0.0.0/24 and route to the local network 172.20.0.0/16 for the clients, setting up the parameter push route. The ip address provided to the clients are saved in the file /etc/openvpn/ipp.txt.
- Enabling routing:

# vi /etc/sysctl.conf
 
net.ipv4.ip_forward=1
 
# sysctl -p
 
- Starting openvpn daemon:

# /etc/init.d/openvpn start
 
OpenVPN client
- Install openvpn:

# apt-get install openvpn
- Copying the key and certificates for the client:

# scp root@vpn-server:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
# scp root@vpn-server:/etc/openvpn/easy-rsa/keys/vpn-client.crt /etc/openvpn/
# scp root@vpn-server:/etc/openvpn/easy-rsa/keys/vpn-client.key /etc/openvpn/
 
- Edit the configuration for the client with the name of the certificates, key and the ip address of the server:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# vi /etc/openvpn/client.conf
 
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn-server 1194
 
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert vpn-client.crt
key vpn-client.key
 
- Starting openvpn daemon:

# /etc/init.d/openvpn start
 
- Checking if the LAN of the remote vpn is accessible by the client:
vpn-client
Sources
http://openvpn.net/index.php/open-source/documentation/howto.html#install
http://openvpn.net/index.php/open-source/documentation.html

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm

Connect to a different port with SQL Server Management Studio

Hình ảnh
Microsoft's SQL Server Management Studio will connect by default to port 1433 and there's nowhere in the connect dialog to specify a different port from the default. To connect using a different port specify the servername, a comma, and then the port number as shown in this post. Connect using a different port using a comma The connection dialog in the SQL Server Management Studio client is shown in the screenshot below. Normally you would just type the server name into field but to specify a different port use a comma then the port number. The example screenshot above shows " 192.168.50.166\SQLSERVER2012 " as the instance name and "port" where the port would be. 192.168.50.166\SQLSERVER2012,1343 Then specify the login credentials, click the connect button, and assuming everything is correct it should then connect to the SQL Server. Setup specific port for SQL Server: Link: http://msdn.microsoft.com/en-us/library/ms177440.aspx
Đọc thêm