VPN

    Install OpenVPN in a Centos 7 Virtual Machine   

OpenVPN Lab continued from Page 1

Install the EPEL Repositories

========================

To install OpenVPN you will need the EPEL repositories

13. Using yum, install the EPEL release package

    yum install epel-release

Disable firewalld and use iptables

===========================

14. Centos 7 ships with firewalld, a dynamic firewall daemon, enabled by default. Firewalld has newer features (zones, runtime versus permanent rules) that you would want in a firewall, but if you are more familiar with the iptables firewall service you can disable firewalld and use iptables instead. The following commands assume root access through su. Be aware that between stopping firewalld here and finishing the iptables rules in step 39 the VM runs with no host firewall at all, so do this only on a lab network.

   systemctl stop firewalld

   systemctl disable firewalld

   yum install iptables-services   //the iptables binary is already present; this package adds the systemd service and /etc/sysconfig/iptables, type y to install.

   systemctl enable iptables

   systemctl start iptables

   systemctl status iptables

   systemctl stop iptables

   Stop iptables for now; it will be configured to allow OpenVPN traffic later in the lab (step 39) and then started again.

Install and Configure the OpenVPN Server

===================================

15. Install OpenVPN server

   yum install openvpn

16. Copy the sample OpenVPN server configuration file to the /etc/openvpn folder. The path below includes the version of the installed openvpn package (2.3.6 at the time of writing); if yum installed a newer version, adjust the directory name to match what ls shows.

   cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/

   ls

   cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn

17. Edit the OpenVPN server.conf file 

   cd /etc/openvpn

   nano server.conf

             edit -> uncomment the following lines and change the DNS server addresses (the sample file lists OpenDNS resolvers; 8.8.8.8 and 8.8.4.4 are Google's public DNS, use whichever resolvers you want your clients to trust)

                   push "redirect-gateway def1 bypass-dhcp"

                   push "dhcp-option DNS 8.8.8.8"

                   push "dhcp-option DNS 8.8.4.4"

                   user nobody

                   group nobody

   The redirect-gateway line sends all of the client's traffic, not only LAN traffic, through the tunnel, so the server needs IP forwarding (step 29) and a forwarding/NAT rule in its firewall (step 39) before clients can reach the internet. user nobody and group nobody make the openvpn process drop root after it has read its keys and opened the tun device; keep persist-key and persist-tun, which the sample file already enables, so the unprivileged process can survive a restart without re-reading the key as root.

Install Easy-RSA to create the certificate authority, server certificates, and keys

================================================================

18. Install easy-rsa, the set of scripts used to create the certificate authority and to issue certificates and keys

   yum install easy-rsa

   mkdir -p /etc/openvpn/easy-rsa/keys

   cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

19. Change the variables file in the easy-rsa folder

   nano /etc/openvpn/easy-rsa/vars

         edit -> change the following lines (the values below are just my example settings; they become the default answers to the prompts when you build the certificates)

           export KEY_COUNTRY="US"

           export KEY_PROVINCE="OR"

           export KEY_CITY="Portland"

           export KEY_ORG="danscourses"

           export KEY_EMAIL="webadmin@danscentos-s2.danscourses.com"

           export KEY_OU="danscourses"

20. Build the certificate authority (CA) and the server certificate and key. Accept the default values at the prompts; they come from the vars file you just edited. build-key-server will also ask you to sign the certificate and to commit it, answer y to both. build-dh generates the Diffie-Hellman parameters and can take several minutes.

   cd /etc/openvpn/easy-rsa

   source ./vars

   ./clean-all

   ./build-ca

   ./build-key-server $( hostname )

   ./build-dh

21. Copy the CA certificate, the server certificate and key, and the Diffie-Hellman parameters to the openvpn folder. Leave ca.key where it is: it is only needed to sign new certificates, and anyone who obtains it can issue credentials your server will accept, so keep it readable only by root (or move it off the VPN server entirely).

   cd /etc/openvpn/easy-rsa/keys

   cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn
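Before starting the server it is worth checking that the files you just built actually fit together. The script below is an added example for this lab, not code from the original page: check_openvpn_pki verifies that the server certificate chains to ca.crt, that the key matches the certificate, that the certificate carries the serverAuth extended key usage that build-key-server adds (which is what a client's remote-cert-tls server directive checks), and that the key file is readable by its owner only. make_demo_pki builds a throwaway CA and server certificate with plain openssl so the check can be exercised without easy-rsa; it is a constructed stand-in for the easy-rsa output, not something to use on a real server. The script assumes openssl on PATH and GNU stat, both present on Centos 7.

```shell
#!/bin/sh
# Added example for this lab, not code from the original page: sanity-check an
# easy-rsa output set before it is copied into /etc/openvpn.
#
# check_openvpn_pki DIR NAME verifies that DIR/NAME.crt chains to DIR/ca.crt,
# that DIR/NAME.key is the matching private key, that the certificate carries
# the serverAuth extended key usage build-key-server adds (the attribute a
# client checks with "remote-cert-tls server"), and that the private key is
# not readable by other users. Prints a reason and returns 1 on any failure.
# Assumes openssl on PATH and GNU stat (Centos 7 has both).
check_openvpn_pki() {
    dir=$1
    name=$2
    crt="$dir/$name.crt"
    key="$dir/$name.key"

    for f in "$dir/ca.crt" "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing: $f"; return 1; }
    done

    # 1. The certificate must verify against ca.crt, the CA the clients trust.
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "$crt does not verify against ca.crt"; return 1; }

    # 2. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "$key does not match $crt"; return 1; }

    # 3. A server certificate must carry the serverAuth EKU. A client cert made
    #    with build-key lacks it, and a client using remote-cert-tls server
    #    would (correctly) refuse to connect to a server presenting one.
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "$crt lacks the serverAuth extended key usage"; return 1; }

    # 4. The key file must be readable by its owner only (mode 600 or 400).
    mode=$(stat -c %a "$key")
    case "$mode" in
        600|400) ;;
        *) echo "$key has mode $mode; fix with chmod 600 $key"; return 1 ;;
    esac

    echo "ok: $crt and $key"
    return 0
}

# make_demo_pki DIR NAME writes a throwaway CA plus a server certificate and
# key into DIR using plain openssl, as a constructed stand-in for the files
# build-ca and build-key-server leave in /etc/openvpn/easy-rsa/keys. The
# extensions mirror easy-rsa's server section. Lab use only.
make_demo_pki() {
    dir=$1
    name=$2
    mkdir -p "$dir"
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -extensions ca_ext -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/demo.cnf" \
        -extensions server_ext -out "$dir/$name.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key" "$dir/$name.key"
}

# On the lab server, after step 20:
#   check_openvpn_pki /etc/openvpn/easy-rsa/keys "$(hostname)"
```

Run the check against the easy-rsa keys folder with your hostname as the name; if it complains about the key mode, chmod 600 the key before copying it, since the copy in /etc/openvpn keeps the permissions of the source file.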

Start the OpenVPN Server

===================== 

22. Restore the SELinux security context on the files you copied into /etc/openvpn, so that SELinux lets the OpenVPN service read them, and create the symbolic link systemd uses to start the openvpn@server instance at boot (this is the same link systemctl enable would create, which is why step 24 passes -f)

   restorecon -Rv /etc/openvpn

   ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service

23. Edit the OpenVPN server.conf file and change the names of the server certificate and server key, to match the certificates and keys that you created. Save the file and exit.   

   cd /etc/openvpn

   nano server.conf

        in server.conf change the following lines:

              cert server.crt

              key server.key    # This file should be kept secret

        replace the word "server" with your server's hostname which should be the name of your server certificate and key files:

              cert danscentos-s2.crt

              key danscentos-s2.key    # This file should be kept secret

24. Start the OpenVPN server. If status reports the service as failed, read the log with journalctl -u openvpn@server.service; the usual causes are a wrong cert or key file name in server.conf or an SELinux denial on the copied files.

   systemctl -f enable openvpn@server.service

   systemctl start openvpn@server.service

   systemctl status openvpn@server.service

 

Video Tutorial

 

OpenVPN Lab continued from Page 2

Build the client keys using easy-rsa

=============================

You can build a separate client certificate and key for each client you wish to allow to connect to your server. Give each client its own Common Name (myclient below): sharing one certificate between machines does not work, because by default a new connection with the same Common Name disconnects the existing one, and a shared key cannot later be revoked for one user without cutting off the rest.

25. Navigate to the easy-rsa directory and build your client keys. As with the server certificate, answer y when asked to sign and to commit.

   cd /etc/openvpn/easy-rsa

   source ./vars

   ./build-key myclient

Copy the client keys to the client's computer

=====================================

26. Change directories to the keys folder and verify your client keys. You should see files named myclient.crt and myclient.key

   cd /etc/openvpn/easy-rsa/keys

   ls

27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer using a flash drive, email, or an SSH/SCP client like Filezilla. To copy the files with Filezilla you may first need to copy them to a folder like Documents that does not require root access and change the permissions on myclient.key so that Filezilla, running as the student user, can read it. Keep in mind that myclient.key is the client's private key: chmod 644 makes it readable by every account on the server, and sending it by email exposes it to every mail server on the path. Treat the copy in Documents as temporary, delete it once the transfer is done, and set the key back to owner-only (chmod 600) on the client. The client computer used to connect to the OpenVPN server can be a computer running Windows, Linux, or OSX.

   cp ca.crt myclient.crt myclient.key /home/student/Documents

   cd /home/student/Documents

   ls -l   

   chmod 644 myclient.key   

Now from a remote computer you can use a program like Filezilla to copy the files from the server.

 

Create the client OpenVPN configuration file used to connect to the server

=============================================================

28. Using a text editor like nano in Linux or notepad in Windows create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the Centos 7 server.

   nano myclient.ovpn

add the following lines:

client

dev tun

proto udp

remote <centos server ip address> 1194

resolv-retry infinite

nobind

persist-key

persist-tun

comp-lzo

verb 3

ca ca.crt

cert myclient.crt

key myclient.key

auth-user-pass

   The auth-user-pass line makes the client prompt for a username and password; the server only checks them once the PAM plugin from step 31 is in place. Consider also adding the line remote-cert-tls server: it makes the client refuse a peer whose certificate was not issued as a server certificate, so a stolen client certificate signed by the same CA cannot be used to impersonate the server. The certificate built with build-key-server in step 20 carries the server extended key usage this check requires.

 

On the server, enable Centos 7 to forward packets through its network interfaces

==================================================================

29. Use sysctl to enable IP packet forwarding, which the kernel needs before it will route packets between tun0 and the server's LAN interface. Add the following line to the sysctl.conf file and load it

   nano /etc/sysctl.conf

         edit -> net.ipv4.ip_forward = 1

   sysctl -p

 

Enable the OpenVPN pam authentication module to add user authentication

==============================================================

30. Using the OpenVPN auth-pam plugin, the OpenVPN server can authenticate users against the Linux system accounts, so a client then needs both a valid certificate and a valid username and password. The plugin forks a privileged helper before OpenVPN drops to user nobody, so it can still read /etc/shadow through pam_unix. To set this up you will need to create a PAM service file:

   touch /etc/pam.d/openvpn

   nano /etc/pam.d/openvpn

       then add the following two lines:

             auth    required    pam_unix.so    shadow    nodelay

             account required    pam_unix.so

31. Add the following line to the end of the OpenVPN server.conf file

   nano /etc/openvpn/server.conf

             plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn     

On the server, add and uncomment two lines in the OpenVPN server.conf file

=============================================================== 

32. In server.conf add a line to push a route for the server's inside LAN network (192.168.10.0/24 in this lab; change it to match yours) and uncomment a line to allow client to client communication between tunneled users. Pushing the route only tells clients to send 192.168.10.0/24 into the tunnel; for the replies to come back, the LAN hosts (or their default gateway) need a route for 10.8.0.0/24 pointing at the VPN server, or the server must NAT client traffic towards the LAN in iptables (step 39).

   cd /etc/openvpn

   nano server.conf

       add/uncomment the following two lines:

            push "route 192.168.10.0 255.255.255.0"

            client-to-client                                         

       Ctrl+x, type y and press enter to save.

33. Now restart the OpenVPN server

   systemctl stop openvpn@server.service

   systemctl start openvpn@server.service

   systemctl status openvpn@server.service

Connect to the OpenVPN Server from a client computer

===============================================

34. With root access use the following command to connect to the server from a Linux host. In the example command below the myclient.ovpn file is in the current directory; if it is in a different directory you will need to provide the path (the ca, cert and key paths inside the file are also resolved relative to the directory you run from). You may need to install the openvpn package if it is not already installed on your Linux client; easy-rsa is not needed on the client.

   openvpn myclient.ovpn   

 OpenVPN now runs in the foreground in that terminal window; press Ctrl+c to close the connection, or open a new terminal window to continue working. You can also close OpenVPN and the tunnel connection using the pkill program.

   pkill openvpn

35. In a new terminal window examine your tunnel interface using ifconfig (or ip addr, if net-tools is not installed). You should see a tun0 interface with an address from the 10.8.0.0/24 range.

   ifconfig

36. Test that you can ping the server's tunnel address at 10.8.0.1, and then a host on the inside LAN network such as 192.168.10.1. The second ping only succeeds once IP forwarding (step 29) and the pushed route (step 32) are in place and the LAN side has a return path to 10.8.0.0/24.

   ping 10.8.0.1

   ping 192.168.10.1

37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the OpenVPN client program from http://openvpn.net. You will find the Windows client installer at the website under community downloads. After installing the OpenVPN client for Windows, copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Program Files (x86)\OpenVPN\config\ folder, or, if you installed the 64-bit version of the OpenVPN client, to C:\Program Files\OpenVPN\config\.

38. Now start the Windows OpenVPN client. It launches into the system tray. Right-click the OpenVPN icon in the system tray, choose the config file and select Connect. If the tunnel comes up but the pushed routes are not added, run OpenVPN GUI as administrator: adding routes on Windows requires elevated rights.

   Start > Programs > OpenVPN GUI

   Right click the OpenVPN icon in the system tray, and select Connect.

 

Configure the iptables firewall to allow OpenVPN connections

===================================================

Earlier in the lab, I shut down the iptables firewall with the intention of turning it back on after configuring it to allow OpenVPN connections.

39. to be posted soon...
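The rule set below is an added example and not the lab author's step 39. It shows the minimum an iptables configuration for this server needs: accept the OpenVPN listener (UDP 1194 from server.conf), forward traffic arriving on tun0 from the client pool 10.8.0.0/24 out of the LAN interface, and MASQUERADE it so LAN hosts can reply without a route for the VPN pool. Because step 17 pushes redirect-gateway, the same forwarding rule also carries the clients' internet traffic. The name of the server's LAN interface (eth0 here) is an assumption; pass the real one as the first argument. Everything is emitted in iptables-restore format, which is what /etc/sysconfig/iptables, the file the iptables-services unit loads, contains.

```shell
#!/bin/sh
# Added example, not the lab author's step 39: an iptables rule set that admits
# OpenVPN clients, forwards their traffic out of the server and NATs it so LAN
# hosts can answer without a route for the VPN pool. Values taken from earlier
# steps: UDP 1194, tunnel interface tun0, client pool 10.8.0.0/24, and
# redirect-gateway pushed to clients (so client internet traffic also crosses
# the server). Assumption: the server's LAN interface is eth0; pass the real
# name as $1.

# openvpn_iptables_rules [LAN_IF] [VPN_NET] prints the rules in iptables-restore
# format, the same format as /etc/sysconfig/iptables. Review the output before
# loading it. Lines starting with # are ignored by iptables-restore.
openvpn_iptables_rules() {
    lan_if=${1:-eth0}
    vpn_net=${2:-10.8.0.0/24}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the server opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH for administration; restrict with -s <admin network> if you can
-A INPUT -p tcp --dport 22 -j ACCEPT
# the OpenVPN listener (proto udp, port 1194 in server.conf)
-A INPUT -p udp --dport 1194 -j ACCEPT
# let clients ping the server's tunnel address 10.8.0.1 (step 36)
-A INPUT -i tun0 -p icmp -j ACCEPT
# forward client traffic out of the LAN interface and allow the replies back;
# this covers the inside LAN and, because redirect-gateway is pushed, the
# internet. client-to-client traffic is switched inside OpenVPN and never
# reaches FORWARD, so it needs no rule here.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o $lan_if -s $vpn_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide the client pool behind the server's LAN address so LAN hosts need no
# route for $vpn_net; drop this rule if you add that route on the LAN gateway.
-A POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE
COMMIT
EOF
}

# openvpn_iptables_install [LAN_IF]: run as root on the server. Saves the rules
# where the iptables service expects them, loads them, and starts the service
# that was left stopped in step 14.
openvpn_iptables_install() {
    openvpn_iptables_rules "$@" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
    systemctl start iptables
}
```

Two consequences worth knowing: with MASQUERADE in place, LAN hosts and their logs see every VPN client as the server's LAN address, so if you need per-client visibility on the LAN, add a static route for 10.8.0.0/24 via the server on the LAN gateway and remove the nat rule instead. And if you ever drop client-to-client from server.conf, traffic between clients goes through the kernel as tun0 to tun0 forwarding, which the FORWARD DROP policy above will block until you add a rule for it.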

 

Video Tutorial