OpenVPN
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04
VPN services are implemented with a number of different protocols, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPSec, and SSL. In this recipe, we will set up a free VPN server, OpenVPN. OpenVPN is an open source SSL VPN solution and provides a wide range of configurations. OpenVPN can be configured to use either TCP or UDP. In this recipe, we will set up OpenVPN with its default UDP port 1194.
/usr/share/easy-rsa
ubuntu@ubuntu:/usr/share/easy-rsa$ ll
total 128
drwxr-xr-x 2 root root 4096 Dec 25 12:45 ./
drwxr-xr-x 311 root root 12288 Dec 25 12:45 ../
-rwxr-xr-x 1 root root 119 Nov 8 2013 build-ca*
-rwxr-xr-x 1 root root 352 Nov 8 2013 build-dh*
-rwxr-xr-x 1 root root 188 Nov 8 2013 build-inter*
-rwxr-xr-x 1 root root 163 Nov 8 2013 build-key*
-rwxr-xr-x 1 root root 157 Nov 8 2013 build-key-pass*
-rwxr-xr-x 1 root root 249 Nov 8 2013 build-key-pkcs12*
-rwxr-xr-x 1 root root 268 Nov 8 2013 build-key-server*
-rwxr-xr-x 1 root root 213 Nov 8 2013 build-req*
-rwxr-xr-x 1 root root 158 Nov 8 2013 build-req-pass*
-rwxr-xr-x 1 root root 449 Nov 8 2013 clean-all*
-rwxr-xr-x 1 root root 1471 Nov 8 2013 inherit-inter*
-rwxr-xr-x 1 root root 302 Nov 8 2013 list-crl*
-rw-r--r-- 1 root root 7859 Jan 7 2014 openssl-0.9.6.cnf
-rw-r--r-- 1 root root 8416 Jan 7 2014 openssl-0.9.8.cnf
-rw-r--r-- 1 root root 8313 Jan 7 2014 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Jan 7 2014 pkitool*
-rwxr-xr-x 1 root root 1035 Jan 7 2014 revoke-full*
-rwxr-xr-x 1 root root 178 Nov 8 2013 sign-req*
-rw-r--r-- 1 root root 2077 Nov 8 2013 vars
-rwxr-xr-x 1 root root 740 Nov 8 2013 whichopensslcnf*
How to do it…
- Install OpenVPN with the following commands:
$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa
- Now, set up your own certification authority and generate certificate and keys for the OpenVPN server.
- Next, we need to edit OpenVPN files that are owned by the root user, and the build-ca script needs root access while writing new keys. Temporarily change to the root account using sudo su:
$ sudo su
- Copy the Easy-RSA directory to /etc/openvpn:
# cp -r /usr/share/easy-rsa /etc/openvpn/
- Now edit /etc/openvpn/easy-rsa/vars and change the variables to match your environment:
export KEY_COUNTRY="US"
export KEY_PROVINCE="ca"
export KEY_CITY="your city"
export KEY_ORG="your Company"
export KEY_EMAIL="you@company.com"
export KEY_CN="MyVPN"
export KEY_NAME="MyVPN"
export KEY_OU="MyVPN"
export KEY_ALTNAMES="something"
- Generate a master certificate with the following commands:
# cd /etc/openvpn/easy-rsa
# source vars
# ./clean-all
# ./build-ca
- Next, generate a certificate and private key for the server. Replace the server name with the name of your server:
# ./build-key-server servername
- Press the Enter key when prompted for the password and company name.
- When asked to sign the certificate, enter y and then press the Enter key.
- Build Diffie-Hellman parameters for the OpenVPN server:
# ./build-dh
- Copy the generated certificates and keys to /etc/openvpn (no spaces inside the braces, otherwise the shell will not expand them):
# cp /etc/openvpn/easy-rsa/keys/{servername.crt,servername.key,ca.crt,dh2048.pem} /etc/openvpn
This is equivalent to copying the four files one at a time:
# cp /etc/openvpn/easy-rsa/keys/servername.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/servername.key /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn
- Next, generate a certificate for the client with the following commands:
# cd /etc/openvpn/easy-rsa
# source vars
# ./build-key clientname
- Copy the generated key, certificate, and server certificate to the client system. Use a secure transfer mechanism such as SCP:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/clientname.crt
/etc/openvpn/easy-rsa/keys/clientname.key
- Now, configure the OpenVPN server. Use the sample configuration files provided by OpenVPN:
$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
- Open server.conf in your favorite editor:
# nano /etc/openvpn/server.conf
- Make sure that the certificate and key path are properly set:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/servername.crt
key /etc/openvpn/easy-rsa/keys/servername.key # This file should be kept secret
- Enable clients to redirect their web traffic through a VPN server. Uncomment the following line:
push "redirect-gateway def1 bypass-dhcp"
- To protect against DNS leaks, push DNS settings to VPN clients by uncommenting the following lines:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
- The preceding lines point to OpenDNS servers. You can set them to any DNS server of your choice.
- Lastly, set OpenVPN to run with an unprivileged user and group by uncommenting the following lines:
user nobody
group nogroup
- Optionally, you can enable compression on the VPN link. Search and uncomment the following line:
comp-lzo
- Save the changes and exit the editor.
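Before restarting the daemon it is worth checking that every hardening step above actually took effect, since a line left commented out with ; is silently ignored. The following checker is an added example, not part of the original recipe; it parses the server.conf directive format (one directive per line, # and ; comments, quoted push arguments) over a constructed sample and reports which of the recipe's settings are still missing.

```python
import shlex

# Constructed sample server.conf: every step of the recipe applied except
# that the 'group nogroup' line is still commented out with ';'.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/servername.crt
key /etc/openvpn/easy-rsa/keys/servername.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
;group nogroup
comp-lzo
"""


def parse_conf(text):
    """Return [(directive, [args])] for active lines; '#' and ';' start comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop trailing '# ...' comments
        if not line or line.startswith(';'):  # blank or ';'-commented line
            continue
        parts = shlex.split(line)             # keeps push "..." as one argument
        directives.append((parts[0], parts[1:]))
    return directives


def lint_server_conf(text):
    """Return findings for recipe steps that are missing; [] means all present."""
    conf = parse_conf(text)
    present = {name for name, _ in conf}
    pushes = [' '.join(args) for name, args in conf if name == 'push']
    findings = []
    for required in ('ca', 'cert', 'key', 'dh'):
        if required not in present:
            findings.append('missing %s directive' % required)
    if not any(p.startswith('redirect-gateway') for p in pushes):
        findings.append('no redirect-gateway push: client traffic stays outside the VPN')
    if not any(p.startswith('dhcp-option DNS') for p in pushes):
        findings.append('no DNS pushed to clients: DNS leak risk')
    if 'user' not in present or 'group' not in present:
        findings.append('daemon keeps root privileges: set user nobody / group nogroup')
    return findings
```

Run it against the real file with lint_server_conf(open('/etc/openvpn/server.conf').read()); an empty list means the configuration matches the recipe.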
- Next, edit /etc/sysctl.conf to enable IP forwarding. Find the following line and uncomment it by removing the hash, #, in front of it:
#net.ipv4.ip_forward=1
- Update the sysctl settings with the following command:
# sysctl -p
- Now start the server. You should see output similar to the following:
# service openvpn start
 * Starting virtual private network daemon(s)
 * Autostarting VPN 'server'
- When it starts successfully, OpenVPN creates a new network interface named tun0. This can be checked with the ifconfig command:
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
- If the server does not start normally, you can check the logs at /var/log/syslog. It should list all the steps completed by the OpenVPN service.
OpenVPN is an open source VPN solution. It is a traffic-tunneling protocol that works in client-server mode. You might already know that a VPN is widely used to create a private and secure network connection between two endpoints. It is generally used to access your servers or office systems from your home. The other popular use of VPN servers is to protect your privacy by routing your traffic through a VPN server. OpenVPN needs two primary components, namely a server and a client. The preceding recipe installs the server component. When the OpenVPN service is started on the OpenVPN host, it creates a new virtual network interface, a tun device named tun0. On the client side, OpenVPN provides tools that configure the client with a similar setup by creating a tap device on the client's system.
Once the client is configured with the server hostname or IP address, the server certificate, and the client keys, it initiates a virtual network connection from a tap device on the client to the tun device on the server. The provided keys and certificate are used to verify the server's authenticity, and then to authenticate the client itself. Once the session is established, all network traffic on the client system is routed, or tunneled, via the tap network interface. Any external service accessed by the OpenVPN client sees the requests as if they originated from the OpenVPN server and not from the client. Additionally, the traffic between the server and client is encrypted to provide additional security.
In this recipe we have installed and configured OpenVPN server. To use the VPN service from your local system you will need a VPN client tool.
- Install the OpenVPN client with a command similar to the one we used to install the server:
$ sudo apt-get update
$ sudo apt-get install openvpn
- Copy the sample client.conf configuration file:
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
- Copy the certificates and keys generated for this client:
$ scp user@yourvpnserver:/etc/openvpn/easy-rsa/keys/client1.key /etc/openvpn
- You can use other tools such as SFTP or WinSCP on the Windows systems.
- Now edit client.conf, enable client mode, and specify the server name or address:
client
remote your.vpnserver.com 1194
remote 192.168.40.130 1194
ca /home/ubuntu2/ca.crt
cert /home/ubuntu2/ubuntu2.crt
key /home/ubuntu2/ubuntu2.key
- Make sure that you have set the correct path for the keys copied from the server.
- Now save the configuration file and start the OpenVPN service:
$ service openvpn start
- This should create the tun0 network interface:
$ ifconfig tun0
- Check the new routes created by the VPN:
$ netstat -rn
The output on the client should look similar to the following:
ubuntu2@ubuntu2:~$ ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ubuntu2@ubuntu2:~$ ip route
default via 192.168.40.2 dev eth0 proto static
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.40.0/24 dev eth0 proto kernel scope link src 192.168.40.129 metric 1
- You can test your VPN connection with any What's My IP service. You can also take a DNS leak test with online DNS leak tests.
For Windows and Mac OS systems, OpenVPN provides respective client tools. You need an OpenVPN profile with the .ovpn extension. A template can be found with the OpenVPN client you are using, or on the server under the OpenVPN examples. The following is the complete path:
/usr/share/doc/openvpn/examples/sample-config-files/client.conf
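An offline way to do the "What's My IP" check is to read the client's routing table and resolve which interface a public address would leave through. The following is an added example, not part of the original recipe: it performs a longest-prefix match over ip route output. The first table is the one shown above (default route still via eth0, so Internet traffic bypasses the tunnel); the second is a constructed table showing the 0.0.0.0/1 and 128.0.0.0/1 routes that the server's push "redirect-gateway def1" installs on the client, plus the host route to the VPN server (192.168.40.130 in this recipe) via the original gateway. Route metrics are ignored.

```python
import ipaddress

# Constructed: client table before the redirect-gateway push takes effect
ROUTES_BEFORE = """\
default via 192.168.40.2 dev eth0 proto static
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.40.0/24 dev eth0 proto kernel scope link src 192.168.40.129 metric 1
"""

# Constructed: same client after 'redirect-gateway def1 bypass-dhcp' is applied
ROUTES_AFTER = ROUTES_BEFORE + """\
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.40.130 via 192.168.40.2 dev eth0
"""


def parse_routes(text):
    """Return [(network, device)] from 'ip route' output lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or 'dev' not in fields:
            continue
        # 'default' is shorthand for 0.0.0.0/0; a bare host address means /32
        dest = '0.0.0.0/0' if fields[0] == 'default' else fields[0]
        dev = fields[fields.index('dev') + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match: the device the kernel would use for destination."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches)[1]   # highest prefix length wins (metrics ignored)


def vpn_protects(route_text, destination='198.51.100.10'):
    """True if a public destination (TEST-NET-2 by default) leaves via tun0."""
    return egress_device(parse_routes(route_text), destination) == 'tun0'
```

On a live client, feed it the real table with vpn_protects(subprocess.check_output(['ip', 'route'], text=True)).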