OpenVPN

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04


VPN services are implemented with a number of different protocols, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPsec, and SSL. In this recipe, we will set up a free VPN server, OpenVPN. OpenVPN is an open source SSL VPN solution and provides a wide range of configuration options. OpenVPN can be configured to use either TCP or UDP as its transport. In this recipe, we will set up OpenVPN with its default UDP port 1194.


The Easy-RSA scripts are installed under /usr/share/easy-rsa:

ubuntu@ubuntu:/usr/share/easy-rsa$ ll
total 128
drwxr-xr-x   2 root root  4096 Dec 25 12:45 ./
drwxr-xr-x 311 root root 12288 Dec 25 12:45 ../
-rwxr-xr-x   1 root root   119 Nov  8  2013 build-ca*
-rwxr-xr-x   1 root root   352 Nov  8  2013 build-dh*
-rwxr-xr-x   1 root root   188 Nov  8  2013 build-inter*
-rwxr-xr-x   1 root root   163 Nov  8  2013 build-key*
-rwxr-xr-x   1 root root   157 Nov  8  2013 build-key-pass*
-rwxr-xr-x   1 root root   249 Nov  8  2013 build-key-pkcs12*
-rwxr-xr-x   1 root root   268 Nov  8  2013 build-key-server*
-rwxr-xr-x   1 root root   213 Nov  8  2013 build-req*
-rwxr-xr-x   1 root root   158 Nov  8  2013 build-req-pass*
-rwxr-xr-x   1 root root   449 Nov  8  2013 clean-all*
-rwxr-xr-x   1 root root  1471 Nov  8  2013 inherit-inter*
-rwxr-xr-x   1 root root   302 Nov  8  2013 list-crl*
-rw-r--r--   1 root root  7859 Jan  7  2014 openssl-0.9.6.cnf
-rw-r--r--   1 root root  8416 Jan  7  2014 openssl-0.9.8.cnf
-rw-r--r--   1 root root  8313 Jan  7  2014 openssl-1.0.0.cnf
-rwxr-xr-x   1 root root 13246 Jan  7  2014 pkitool*
-rwxr-xr-x   1 root root  1035 Jan  7  2014 revoke-full*
-rwxr-xr-x   1 root root   178 Nov  8  2013 sign-req*
-rw-r--r--   1 root root  2077 Nov  8  2013 vars
-rwxr-xr-x   1 root root   740 Nov  8  2013 whichopensslcnf*



How to do it…

  1. Install OpenVPN with the following command:
    $ sudo apt-get update
    $ sudo apt-get install openvpn easy-rsa
    
  2. Now, set up your own certificate authority and generate the certificate and keys for the OpenVPN server.
  3. The OpenVPN files we need to edit are owned by root, and the build-ca script needs root access to write new keys. Temporarily switch to the root account using sudo su:
    $ sudo su
    
    Copy the Easy-RSA directory to /etc/openvpn:
    # cp -r /usr/share/easy-rsa /etc/openvpn/
    
  4. Now edit /etc/openvpn/easy-rsa/vars and change the variables to match your environment:
      export KEY_COUNTRY="US"
      export KEY_PROVINCE="ca"
      export KEY_CITY="your city"
      export KEY_ORG="your Company"
      export KEY_EMAIL="you@company.com"
      export KEY_CN="MyVPN"
      export KEY_NAME="MyVPN"
      export KEY_OU="MyVPN"
    
  5. In the same file, also set the alternative name variable:
      export KEY_ALTNAMES="something"
    
  6. Generate the master (CA) certificate with the following commands:
    # cd /etc/openvpn/easy-rsa
    # source vars
    # ./clean-all
    # ./build-ca
    
  7. Next, generate a certificate and private key for the server. Replace servername with the name of your server:
    # ./build-key-server servername
    
  8. Press the Enter key when prompted for the password and company name.
  9. When asked whether to sign the certificate, enter y and then press the Enter key.
  10. Build Diffie-Hellman parameters for the OpenVPN server:
    # ./build-dh
    
Copy all the generated keys and certificates to /etc/openvpn (brace expansion takes no spaces between the names):
# cp /etc/openvpn/easy-rsa/keys/{servername.crt,servername.key,ca.crt,dh2048.pem} /etc/openvpn

Or, file by file:
# cp /etc/openvpn/easy-rsa/keys/servername.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/servername.key /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn
  1. Next, generate a certificate for the client with the following commands:
    # cd /etc/openvpn/easy-rsa
    # source vars
    # ./build-key clientname
    
  2. Copy the generated client key and certificate, together with the CA certificate, to the client system. Use a secure transfer mechanism such as SCP:
    /etc/openvpn/ca.crt
    /etc/openvpn/easy-rsa/keys/clientname.crt
    /etc/openvpn/easy-rsa/keys/clientname.key
    
  3. Now, configure the OpenVPN server. Use the sample configuration files provided by OpenVPN:
    # gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
    
  4. Open server.conf in your favorite editor:
    # nano /etc/openvpn/server.conf
    
  5. Make sure that the certificate and key paths are properly set:
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/servername.crt
    key /etc/openvpn/easy-rsa/keys/servername.key  # This file should be kept secret

  1. To route the clients' traffic through the VPN server, uncomment the following line:
    push "redirect-gateway def1 bypass-dhcp"
    
  2. To protect against DNS leaks, push DNS settings to the VPN clients by uncommenting the following lines:
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    
  3. The preceding lines point to OpenDNS servers. You can set them to any DNS server of your choice.
  4. Lastly, set OpenVPN to run as an unprivileged user and group by uncommenting the following lines:
    user nobody
    group nogroup
    
  5. Optionally, you can enable compression on the VPN link. Search and uncomment the following line:
    comp-lzo
    
  6. Save the changes and exit the editor.
  7. Next, edit /etc/sysctl.conf to enable IP forwarding. Find and uncomment the following line by removing the hash, #, in front of it:
    #net.ipv4.ip_forward=1
    
  8. Update sysctl settings with the following command:
    # sysctl -p
    
  9. Now start the server. You should see an output similar to the following:
    # service openvpn start
     * Starting virtual private network daemon(s)
     *   Autostarting VPN 'server'
    
  10. When it starts successfully, OpenVPN creates a new network interface named tun0. This can be checked with the ifconfig command:
    # ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
    
  11. If the server does not start normally, you can check the logs at /var/log/syslog. It should list all the steps completed by the OpenVPN service.

root@ubuntu:/etc/openvpn/easy-rsa/keys# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
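
The following POSIX shell check is an added example, not part of the original recipe: it verifies that a server.conf really contains, uncommented, the directives the steps above enable (ca, cert, key, dh, the redirect-gateway and DNS pushes, user nobody and group nogroup) and that the private key the config points at is not readable by other users. The config path is an assumption; run it as check_server_conf /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example, not from the original recipe: lint an OpenVPN server.conf
# for the directives the steps above tell you to uncomment, and make sure
# the private key it points at is not readable by other users.
# Usage: check_server_conf /etc/openvpn/server.conf

# Extended regexes, one per line, that an active (uncommented) line must match.
REQUIRED_DIRECTIVES='
^ca[[:space:]]
^cert[[:space:]]
^key[[:space:]]
^dh[[:space:]]
^push[[:space:]]+"redirect-gateway
^push[[:space:]]+"dhcp-option[[:space:]]+DNS
^user[[:space:]]+nobody
^group[[:space:]]+nogroup
'

# Print every problem found and return 0 only when there are none.
check_server_conf() {
    conf="$1"
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comments (# or ;) and leading blanks so only active directives remain.
    active=$(sed -e 's/[[:space:]]*[#;].*$//' -e 's/^[[:space:]]*//' "$conf")
    set -f   # the patterns contain [ ] and must not be glob-expanded
    for pat in $REQUIRED_DIRECTIVES; do
        if ! printf '%s\n' "$active" | grep -Eq "$pat"; then
            echo "missing or commented out: $pat"
            problems=$((problems + 1))
        fi
    done
    set +f
    # The key directive's argument, resolved relative to the config file's directory.
    key_file=$(printf '%s\n' "$active" | awk '$1 == "key" { print $2; exit }')
    case "$key_file" in
        /*) ;;
        ?*) key_file="$(dirname "$conf")/$key_file" ;;
    esac
    if [ -n "$key_file" ] && [ -e "$key_file" ] \
       && [ "$(ls -ld "$key_file" | cut -c8-10)" != "---" ]; then
        echo "private key $key_file is readable by other users (chmod 600 it)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Run it once before and once after editing server.conf; the sample config ships with the push, user and group lines commented out, so the first run should list exactly those.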

How it works…

OpenVPN is an open source VPN solution. It is a traffic-tunneling protocol that works in client-server mode. VPNs are widely used to create a private and secure network connection between two endpoints, typically to reach your servers or office systems from home. The other popular use of VPN servers is to protect your privacy by routing your traffic through the VPN server. OpenVPN has two primary components, a server and a client. The preceding recipe installs the server component. When the OpenVPN service is started on the OpenVPN host, it creates a new virtual network interface, a tun device named tun0. On the client side, OpenVPN provides tools that configure the client with a similar setup by creating a tap device on the client's system.
Once the client is configured with the server hostname or IP address, the CA certificate (ca.crt), and the client key and certificate, the client initiates a virtual network connection from the tap device on the client to the tun device on the server. The provided keys and certificates are used by the client to verify the server's authenticity and then to authenticate itself to the server. Once the session is established, all network traffic on the client system is routed, or tunneled, via the tap network interface. Any external service accessed by the OpenVPN client sees the requests as if they originated from the OpenVPN server and not from the client. Additionally, the traffic between the server and client is encrypted to provide additional security.

There's more…

In this recipe we have installed and configured an OpenVPN server. To use the VPN service from your local system you will need a VPN client tool.
The following are the steps to install and configure the VPN client on Ubuntu systems:
  1. Install the OpenVPN client with a command similar to the one we used to install the server:
    $ sudo apt-get update
    $ sudo apt-get install openvpn
    
  2. Copy the sample client.conf configuration file:
    $ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
    
  3. Copy the certificates and keys generated for this client:
    $ sudo scp user@yourvpnserver:/etc/openvpn/easy-rsa/keys/client1.key /etc/openvpn
    
  4. On Windows systems you can use other tools such as SFTP or WinSCP.
  5. Now edit client.conf, enable client mode, and specify the server name or address:
    client
    remote your.vpnserver.com 1194
    remote 192.168.40.130 1194
     
    ca /home/ubuntu2/ca.crt
    cert /home/ubuntu2/ubuntu2.crt
    key /home/ubuntu2/ubuntu2.key
  6. Make sure that you have set the correct path for keys copied from the server.
  7. Now save the configuration file and start the OpenVPN service on the client:
    $ sudo service openvpn start
    
  8. This should create the tun0 network interface:
    $ ifconfig tun0
    
  9. Check the new routes created by the VPN:
    $ netstat -rn

    ubuntu2@ubuntu2:~$ ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    ubuntu2@ubuntu2:~$ ip route
    default via 192.168.40.2 dev eth0 proto static
    10.8.0.1 via 10.8.0.5 dev tun0
    10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
    192.168.40.0/24 dev eth0 proto kernel scope link src 192.168.40.129 metric 1

  1. You can test your VPN connection with any What's My IP service. You can also take a DNS leak test with online DNS leak tests.
    For Windows and Mac OS systems, OpenVPN provides its own client tools. You need an OpenVPN profile with the .ovpn extension. A template can be found with the OpenVPN client you are using or on the server under the OpenVPN examples. The following is the complete path:
    /usr/share/doc/openvpn/examples/sample-config-files/client.conf
    
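The ip route capture above still shows default via 192.168.40.2 dev eth0; with redirect-gateway def1 OpenVPN does not replace the default route but adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which together take precedence over it. The following POSIX shell functions are an added example, not part of the original recipe: one checks ip route output for both halves, the other checks resolv.conf against the DNS servers the server pushes, so you can confirm a What's My IP result and test for DNS leaks locally. The file paths and sample route output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original recipe: check on the client that
# traffic and DNS really go through the tunnel.
# With "redirect-gateway def1" OpenVPN keeps the original default route and
# adds two more specific ones, 0.0.0.0/1 and 128.0.0.0/1, via the tun device;
# if either is missing, part or all of the traffic bypasses the VPN.
# Usage: tunnel_routes_ok "$(ip route)"
#        dns_ok /etc/resolv.conf 208.67.222.222 208.67.220.220

# Return 0 when both /1 halves are routed through a tun interface; otherwise
# name the missing half.
tunnel_routes_ok() {
    routes="$1"
    found=0
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if printf '%s\n' "$routes" | grep -Eq "^$half .*dev tun[0-9]+"; then
            found=$((found + 1))
        else
            echo "no route for $half via tun: this half of the address space bypasses the VPN"
        fi
    done
    [ "$found" -eq 2 ]
}

# Return 0 when every nameserver in resolv.conf is one of the expected (pushed)
# servers; otherwise list the strays, which are a DNS-leak indicator.
dns_ok() {
    resolv="$1"
    shift
    strays=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv"); do
        expected=0
        for want in "$@"; do
            [ "$ns" = "$want" ] && expected=1
        done
        if [ "$expected" -eq 0 ]; then
            echo "unexpected nameserver $ns (not pushed by the VPN server)"
            strays=$((strays + 1))
        fi
    done
    [ "$strays" -eq 0 ]
}
```

Note that the Linux client only applies pushed DNS servers when client.conf runs the resolver hook shipped with the Ubuntu package (script-security 2, up /etc/openvpn/update-resolv-conf, down /etc/openvpn/update-resolv-conf); without it, dns_ok will keep reporting the local resolver as a stray.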

NOTE

Note that OpenVPN provides a web-based admin interface to manage VPN clients. This is a commercial offering that provides an easy-to-use admin interface to manage OpenVPN settings and client certificates.

