Setting up a VPN server On a CentOS 7 server

Setting up a VPN server

——-《Mastering CentOS 7 Linux Server》

OpenVPN is an opensource software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.As a requirement for this section, we are in need for a CentOS 7 server with the capacity to install some packages and make some changes to the network configuration files (internet and root access). At a later stage, we may need to create some authentication certificates. We will cover how to do that too.First, we will start with the installation of the required packages. And before we do that, OpenVPN isn’t available in the default CentOS standard repository, so we need to add the EPEL repository that contains the popular additionalpackages:

$  sudo  yum  install epel-release

After this command is done, we can start OpenVPN. We also need to install an RSA generator to generate the SSL key pairs that we will use to secure the VPN connection:

$ sudo yum install openvpn easy-rsa

By the end of the execution of the command, the OpenVPN and the easy-rsa are successfully installed on the system.

Now we move to the configuration part of the OpenVPN. Since OpenVPN has an example of a configuration file in its documentation directory, we are going to use the server.conf file as our initial configuration and build on that. To do so, we need to copy it to the /etc directory:

$   sudo    cp   /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf  /etc/openvpn/

Then we can edit it to suit our needs:

$  sudo  nano  /etc/openvpn/server.conf

After opening the file, we need to remove some commented lines and make some little changes as follows (using nano to look for the lines to change, we should use Ctrl + w, then type the word we are looking for).First, we need to set the RSA encryption length to be 2048 bytes, so we need to make sure that the option line that indicates the filename is going to be used like this.

dh  dh2048.pem

Note

Some articles suggest that a DH key with 1024 bytes is vulnerable, so we recommend using a DH key with 2048 bytes or more for better security. The vulnerability is called Logjam and for more details, you can read more about it at: http://sourceforge.net/p/openvpn/mailman/message/34132515/

Then we need to uncomment the line push  redirect-gateway  def1  bypass-dhcp””,which tells the client to redirect all traffic to OpenVPN.

Next we need to set a DNS server to the client, since it will not be able to use the one provided by the ISP. Again, I will go with the Google DNS 8.8.8.8 and 8.8.4.4:

push “dhcp-option DNS 8.8.8.8 push “dhcp-option DNS 8.8.4.4

Finally, to lead a smooth run for the OpenVPN, we need to run it through no privileges first. To do so we need to run it through a user and group called nobody:

user  nobody group nobody

Then save the file and exit.

By now, the configuration part of the OpenVPN service is done. We’ll move on to the certificate and key generation part, where we need to create some script using Easy RSA. We start by creating a directory of Easy RSA in the configuration folder of the OpenVPN:

$  sudo  mkdir  -p  /etc/openvpn/easy-rsa/keys

Then we need to populate the folder with the predefined scripts of Easy RSA that generate keys and certificates:

$  sudo  cp  -rf  /usr/share/easy-rsa/2.0/*  /etc/openvpn/easy-rsa/

To perform an easy VPN setup, we will start by typing our information once and for all in the vars file:

$  sudo  nano  /etc/openvpn/easy-rsa/vars

We are basically changing the lines that start with export  KEY_ to update their values to match the ones of the organization desired, and at some point we may need to uncomment them:

export KEY_COUNTRY=”UK” export  KEY_PROVINCE=”GL” export  KEY_CITY=”London” export    KEY_ORG=”City-Center”

export KEY_EMAIL=”user@packt.co.uk export KEY_OU=”PacktPublishing”

# X509 Subject Field export  KEY_NAME=”server”

export KEY_CN=”openvpn.packt.co.uk”

Then save the file and exit.

The field KEY_NAME represents the name of the files .key and .crt.

The field KEY_CN is where we should put the domain or the sub-domain that leads to our VPN server.

To make sure that no issues arise during our use of the OpenSSL configuration file due to a version update, we will remove the version from the filename:

$   sudo   cp   /etc/openvpn/easy-rsa/openssl-1.0.0.cnf   /etc/openvpn/easy- rsa/openssl.cnf

Now we move to the creation of certificate and keys creation. We need to be in the

/etc/openvpn/easy-ras folder to run the scripts:

$   cd   /etc/openvpn/easy-rsa

Then we start the source in the variables:

$ sudo source ./vars

After that we clean any old generated keys and certificates:

$  sudo  ./cleanall

Then we build the certification authority, which has its information already defined as default options:

$  sudo  ./buildca

Now we create the keys and certificates for our VPN server. We skip the challenge password phase by pressing Enter. Then we make sure to validate by typing Y for the last step:

$   sudo   ./build-key-server   server

When running this command, we should see the following message if it is running correctly:

Check that the request matches the signature Signature ok

The  Subject’s  Distinguished  Name  is  as  follows

countryName                         :PRINTABLE:’UK’

stateOrProvinceName        :PRINTABLE:’GL’

localityName                          :PRINTABLE:’London’

organizationName                :PRINTABLE:’City-Center’

organizationalUnitName:PRINTABLE:’PacktPublishing

commonName                       :PRINTABLE:’server’

name                                         :PRINTABLE:’server’

emailAddress                         :IA5STRING:’user@packt.co.uk’

Also, we need to generate the Diffie-Hellman (dh) key exchange. This may take a while longer, as compared to the other commands:

$  sudo  ./build-dh

After finishing this step, we will have all our keys and certificates ready. We need to copy them so they can be used by our OpenVPN service:

$   cd   /etc/openvpn/easy-rsa/keys

$  sudo  cp  dh2048.pem  ca.crt  server.crt  server.key  /etc/openvpn

All the clients of this VPN server need certificates to get authenticated. So we need to

share those keys and certificates with the desired clients. It is best to generate separate keys for each client that needs to connect.

For this example, we will only generate keys for one client:

$   cd   /etc/openvpn/easy-rsa

$  sudo  ./build-key  client

With this step, we can say that we are done with the certificates.

Now for the routing step. We will do the routing configuration using iptables directly without the need of using firewalld.

If we want to only use the iptables configuration, we will first make sure that its services are installed:

$  sudo  yum  install  iptablesservices

Then disable the firewalld service:

$  sudo  systemctl  mask  firewalld

$  sudo  systemctl  enable  iptables

$  sudo  systemctl  stop  firewalld

$  sudo  systemctl  start  iptables

$  sudo  iptables  –flush

Then we add the rule to iptables that does the forwarding of the routing to the OpenVPN subnet:

$ sudo iptables t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE

$   sudo   iptables-save   >   /etc/sysconfig/iptables

Then we need to enable IP forwarding in sysctl by editing the file sysctl.conf:

$  sudo  nano  /etc/sysctl.conf Then add the following line: net.ipv4.ip_forward    =    1

Finally, restart the network service so this configuration can take effect:

$ sudo systemctl restart network.service

We can now start the OpenVPN service, but before we do this, we need to add it to

systemctl:

$ sudo systemctl f enable openvpn@server.service

Then we can start the service:

$ sudo systemctl start openvpn@server.service

If we want to check whether the service is running, we can use the command systemctl:

$  sudo  systemctl  status  openvpn@server.service

We should see this message with the activity status active (running):

openvpn@server.service OpenVPN Robust And Highly Flexible Tunneling Application  On  server

Loaded:  loaded  (/usr/lib/systemd/system/openvpn@.service;  enabled) Active:  active  (running)  since  Thu  2015-07-30  15:54:52  CET;  25s  ago

After this check, we can say that our VPN server configuration is done. We can now go to the client configuration regardless of the operating system. We need to copy the certificates and the keys from the server. We need to copy these three files:

/etc/openvpn/easy-rsa/keys/ca.crt

/etc/openvpn/easy-rsa/keys/client.crt

/etc/openvpn/easy-rsa/keys/client.key

There are a variety of tools to copy these files from the server to any client. The easiest one is scp, the shell copy command between two Unix machines. For Windows machines we can use folder sharing tools such as Samba, or we can use another tool equivalent to SCP called WinSCP.

From the client machine, we start by copying the desired files:

$   scp   user@openvpn.packt.co.uk:/etc/openvpn/easy-rsa/keys/ca.crt     /home/user/

$  scp    user@openvpn.packt.co.uk:/etc/openvpn/easy-rsa/keys/client.crt    /home/user/

$  scp    user@openvpn.packt.co.uk:/etc/openvpn/easy-rsa/keys/client.key   /home/user/

After the copying is done we should create a file, client.ovpn, which is a configuration file for the OpenVPN client that helps set up the client to get connected to the VPN network provided by the server. The file should contain the following:

client

dev tun

proto udp

remote server.packt.co.uk 1194

resolv-retry    infinite

nobind

persist-key

persist-tun

comp-lzo

verb 3

ca  /home/user/ca.crt

cert   /home/user/client.crt

key /home/user/client.key

We need to make sure that the first line contains the name of the client typed in the keys and certificate. After this, remote should be the public IP address of the server or its domain address. In the end, the correct location of the three client files should be copied from the server.

The file client.ovpn could be used with multiple VPN clients (OpenVPN client for Linux, Tunnelblick for MAC OS X, OpenVPN Community Edition Binaries for Windows) to get them configured to connect to the VPN.

On a CentOS 7 server we will use the OpenVPN client. To use this configuration, we use the command openvpn –config:

$  sudo  openvpn  –config  ~/path/to/client.ovpn

By getting the client connected to the VPN server, we can confirm that our VPN service is working well.

发表评论

电子邮件地址不会被公开。 必填项已用*标注