Setting up a VPN server
From: Mastering CentOS 7 Linux Server
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
As a requirement for this section, we need a CentOS 7 server on which we can install packages and change the network configuration files (internet and root access). At a later stage we will also need to create some authentication certificates; we will cover how to do that too.
First, we install the required packages. OpenVPN is not available in the default CentOS repositories, so before anything else we add the EPEL repository, which contains many popular additional packages:
$ sudo yum install epel-release
After this command is done, we can install OpenVPN. We also need easy-rsa, the set of scripts that generates the RSA key pairs and certificates we will use to secure the VPN connection:
$ sudo yum install openvpn easy-rsa
When the command finishes, OpenVPN and easy-rsa are installed on the system.
Now we move to the configuration of OpenVPN. Since OpenVPN ships an example configuration file in its documentation directory, we use that server.conf file as our initial configuration and build on it. To do so, we copy it to the /etc/openvpn directory:
$ sudo cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
Then we can edit it to suit our needs:
$ sudo nano /etc/openvpn/server.conf
After opening the file, we need to uncomment some lines and make a few small changes (in nano, press Ctrl + W and type the word we are looking for to find the line to change). First, we make sure the Diffie-Hellman (DH) parameters used for the key exchange are 2048 bits long, so the dh option line must name the dh2048.pem file that we generate later in this section.
A 1024-bit DH key is vulnerable to the attack known as Logjam, so we recommend DH parameters of 2048 bits or more for better security. For more details, see: http://sourceforge.net/p/openvpn/mailman/message/34132515/
Then we uncomment the line push "redirect-gateway def1 bypass-dhcp", which tells the client to send all of its traffic through the OpenVPN tunnel.
Next we need to push a DNS server to the client, since it will not be able to use the one provided by its ISP through the tunnel. Again, I will go with the Google DNS servers 8.8.8.8 and 8.8.4.4:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Finally, so that OpenVPN runs with as few privileges as possible, we make it drop root after start-up and run as the user and group called nobody, by uncommenting these two lines:
user nobody
group nobody
Then save the file and exit.
By now, the configuration of the OpenVPN service is done. We move on to the certificate and key generation, for which we use the Easy RSA scripts. We start by creating an Easy RSA directory inside the OpenVPN configuration folder:
$ sudo mkdir -p /etc/openvpn/easy-rsa/keys
Then we need to populate the folder with the predefined scripts of Easy RSA that generate keys and certificates:
$ sudo cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
To perform an easy VPN setup, we will start by typing our information once and for all in the vars file:
$ sudo nano /etc/openvpn/easy-rsa/vars
We basically change the lines that start with export KEY_ so that their values match those of our organization; some of them may need to be uncommented:
export KEY_COUNTRY="UK"
export KEY_PROVINCE="GL"
export KEY_CITY="London"
export KEY_ORG="City-Center"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_OU="PacktPublishing"
# X509 Subject Field
export KEY_NAME="server"
Then save the file and exit.
The KEY_NAME field gives the name used for the .key and .crt files.
The KEY_CN field is where we put the domain or subdomain that resolves to our VPN server.
To make sure that no issues arise when Easy RSA looks up its OpenSSL configuration file after an OpenSSL version update, we copy it to a name without the version:
$ sudo cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Now we move to the creation of the certificates and keys. The Easy RSA scripts read their settings from the variables in the vars file, which must be sourced into the shell that runs them. Because source is a shell builtin (it cannot be run through sudo) and sudo resets the environment before running a command, the simplest approach is to open a root shell and run the scripts from the /etc/openvpn/easy-rsa folder in that same shell, without a sudo prefix:
$ sudo -i
$ cd /etc/openvpn/easy-rsa
$ source ./vars
After that we clean any old generated keys and certificates:
$ ./clean-all
Then we build the certificate authority (CA), which takes its information from the default values we just defined:
$ ./build-ca
Now we create the key and certificate for our VPN server. We skip the challenge password by pressing Enter, then confirm the signing by typing y at the last step:
$ ./build-key-server server
When running this command, we should see the following message if everything went correctly:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
Also, we need to generate the Diffie-Hellman (DH) parameters used for the key exchange. This may take a while longer than the other commands:
$ ./build-dh
After finishing this step, we will have all our keys and certificates ready. We need to copy them so they can be used by our OpenVPN service:
$ cd /etc/openvpn/easy-rsa/keys
$ sudo cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
All the clients of this VPN server need certificates to be authenticated, so we need to share keys and certificates with the desired clients. It is best to generate a separate key for each client that needs to connect.
For this example, we only generate keys for one client:
$ cd /etc/openvpn/easy-rsa
$ ./build-key client
With this step, we can say that we are done with the certificates.
Now for the routing step. We configure the routing with iptables directly, without firewalld.
To use iptables alone, we first make sure that the iptables service package is installed:
$ sudo yum install iptables-services
Then we mask and stop firewalld, enable and start the iptables service, and flush any existing rules:
$ sudo systemctl mask firewalld
$ sudo systemctl enable iptables
$ sudo systemctl stop firewalld
$ sudo systemctl start iptables
$ sudo iptables --flush
Then we add the NAT rule that masquerades traffic from the OpenVPN subnet out of the external interface, and save the rules so that they are restored at boot. The subnet (10.0.1.0/24 here) must match the one given by the server directive in server.conf, and eth0 must be the interface that carries the server's default route. Note that the redirection in the second command must run as root too, hence the sh -c:
$ sudo iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
$ sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
Then we need to enable IP forwarding in sysctl by editing the file sysctl.conf:
$ sudo nano /etc/sysctl.conf
and adding the following line:
net.ipv4.ip_forward = 1
Finally, restart the network service so this configuration can take effect:
$ sudo systemctl restart network.service
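As an added check that is not part of the book's procedure, the following script verifies that the settings from the configuration and routing steps above are actually in place: the dh2048.pem parameter file, the redirect-gateway and DNS pushes, the nobody user and group, IP forwarding, and the MASQUERADE rule for 10.0.1.0/24. It only greps the files given on the command line, so it can be pointed at the live /etc files or at copies of them.

```sh
#!/bin/sh
# Added sanity check, not from the book: confirm that the server-side settings
# this section asks for are actually in place. Every input is a file path, so
# the function can be pointed at /etc/openvpn/server.conf, /etc/sysctl.conf and
# /etc/sysconfig/iptables, or at copies of them for testing.

# require FILE REGEX LABEL: succeed if an uncommented line of FILE matches REGEX.
# Lines commented out with '#' or ';' (as in the sample server.conf) do not count.
require() {
    if grep -Eq "^[[:space:]]*$2" "$1"; then
        echo "ok:   $3"
        return 0
    fi
    echo "FAIL: $3 (not found in $1)"
    return 1
}

# check_openvpn_server SERVER_CONF SYSCTL_CONF IPTABLES_RULES
# Exit status is the number of failed checks, so 0 means everything is in place.
check_openvpn_server() {
    fails=0
    # 2048-bit Diffie-Hellman parameters, not the 1024-bit ones affected by Logjam.
    require "$1" 'dh[[:space:]]+dh2048\.pem' 'dh dh2048.pem' || fails=$((fails + 1))
    # Send all client traffic through the tunnel.
    require "$1" 'push[[:space:]]+"redirect-gateway def1 bypass-dhcp"' \
        'push "redirect-gateway def1 bypass-dhcp"' || fails=$((fails + 1))
    # At least one DNS server pushed to clients, or names stop resolving.
    require "$1" 'push[[:space:]]+"dhcp-option DNS [0-9.]+"' \
        'push "dhcp-option DNS ..."' || fails=$((fails + 1))
    # Drop root privileges once the tunnel is up.
    require "$1" 'user[[:space:]]+nobody' 'user nobody' || fails=$((fails + 1))
    require "$1" 'group[[:space:]]+nobody' 'group nobody' || fails=$((fails + 1))
    # Kernel forwarding plus the NAT rule for the 10.0.1.0/24 tunnel subnet.
    require "$2" 'net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' \
        'net.ipv4.ip_forward = 1' || fails=$((fails + 1))
    require "$3" '-A POSTROUTING -s 10\.0\.1\.0/24 .*-j MASQUERADE' \
        'MASQUERADE rule for 10.0.1.0/24' || fails=$((fails + 1))
    return "$fails"
}

# When run with the three paths, check the live files, e.g.
#   sudo sh check-openvpn.sh /etc/openvpn/server.conf /etc/sysctl.conf /etc/sysconfig/iptables
if [ $# -eq 3 ]; then
    check_openvpn_server "$@"
fi
```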
We can now start the OpenVPN service, but before we do this, we need to add it to
$ sudo systemctl -f enable openvpn@server.service
Then we can start the service:
$ sudo systemctl start openvpn@server.service
If we want to check whether the service is running, we can use the command systemctl:
$ sudo systemctl status openvpn@server.service
We should see output like this, with the activity status active (running):
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
   Active: active (running) since Thu 2015-07-30 15:54:52 CET; 25s ago
After this check, our VPN server configuration is done. We can now move on to the client configuration, which is the same whatever the client operating system. We first need to copy three files from the server: ca.crt, client.crt and client.key.
There are a variety of tools to copy these files from the server to a client. The easiest one is scp, the secure copy command over SSH between two Unix machines. For Windows machines we can use folder sharing tools such as Samba, or the SCP equivalent for Windows called WinSCP.
From the client machine, we copy the desired files (user@server stands for an account on the VPN server; note that the keys directory is readable only by root, so that account must be able to read these files, or the files must first be copied to a location it can read):
$ scp user@server:/etc/openvpn/easy-rsa/keys/ca.crt /home/user/
$ scp user@server:/etc/openvpn/easy-rsa/keys/client.crt /home/user/
$ scp user@server:/etc/openvpn/easy-rsa/keys/client.key /home/user/
After the copying is done, we create a file client.ovpn, the configuration file for the OpenVPN client that sets the client up to connect to the VPN network provided by the server. The file should contain the following:
remote server.packt.co.uk 1194
We need to make sure that the client name used for the certificate and key files is the one we typed when generating them (client in our example). The remote line must hold the public IP address or domain name of the server. Finally, the paths given for the three client files copied from the server must be correct.
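As an added example that is not the book's own file, the script below assembles a complete client.ovpn around the remote line above, embedding the three files copied from the server inline so that a single file can be handed to the client. It assumes the sample server.conf defaults this section builds on (UDP, port 1194, dev tun) and adds remote-cert-tls server, an option the text does not mention.

```sh
#!/bin/sh
# Added example, not from the book: assemble a single client.ovpn that embeds
# ca.crt, client.crt and client.key (the three files copied from the server),
# so nothing but this one file has to be carried to the client. Assumes the
# sample server.conf defaults the section builds on: UDP, port 1194, dev tun.

# make_client_ovpn REMOTE PORT CA_FILE CERT_FILE KEY_FILE  -> profile on stdout
make_client_ovpn() {
    remote=$1; port=$2; ca=$3; cert=$4; key=$5
    for f in "$ca" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "make_client_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    # Inline <ca>/<cert>/<key> blocks replace the ca/cert/key path directives.
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued with build-key-server
# (server extensions), so another client's certificate cannot pose as the server.
remote-cert-tls server
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Example: sh make-client-ovpn.sh server.packt.co.uk 1194 ca.crt client.crt client.key > client.ovpn
if [ $# -eq 5 ]; then
    make_client_ovpn "$@"
fi
```

The output embeds the client's private key, so write it somewhere only that user can read (for example chmod 600 client.ovpn).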
The file client.ovpn can be used with the various VPN clients (the OpenVPN client for Linux, Tunnelblick for Mac OS X, the OpenVPN Community Edition binaries for Windows) to configure them to connect to the VPN.
On a CentOS 7 client machine we use the OpenVPN client. To use this configuration, we run openvpn with the --config option:
$ sudo openvpn --config ~/path/to/client.ovpn
Once the client connects to the VPN server, we have confirmed that our VPN service is working.