Install OpenVPN in a CentOS 7 Virtual Machine
OpenVPN Lab continued from Page 1
Install the EPEL Repositories
========================
The openvpn and easy-rsa packages are not in the CentOS 7 base repositories, so you first need the EPEL (Extra Packages for Enterprise Linux) repository.
13. Install the EPEL repository package using yum
yum install epel-release
Disable firewalld and use iptables
===========================
14. CentOS 7 ships with the firewalld dynamic firewall daemon enabled by default. Firewalld has newer features you may well want (zones, and runtime changes without reloading the whole ruleset), but if you are more familiar with the classic iptables service you can disable firewalld and use iptables instead. The following commands assume root access through su.
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services   # the iptables binary itself should already be installed; answer y if yum asks to install this package
systemctl enable iptables
systemctl start iptables
systemctl status iptables
systemctl stop iptables
Stop iptables for now; it is configured to allow OpenVPN traffic and turned back on at the end of the lab. Until then the VM has no host firewall at all (firewalld is disabled too), so keep it on a lab network and do not expose it to the Internet in this state.
Install and Configure the OpenVPN Server
===================================
15. Install OpenVPN server
yum install openvpn
16. Copy the sample OpenVPN server configuration file to the /etc/openvpn folder. The version number in the path (2.3.6 here) is the version of the installed package; if the directory is not found, check the installed version with rpm -q openvpn and adjust the path.
cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/
ls
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn
17. Edit the OpenVPN server.conf file
cd /etc/openvpn
nano server.conf
edit -> uncomment the following lines. The redirect-gateway push sends all of the client's traffic through the tunnel, so the client also needs DNS servers it can reach through the VPN; change the DNS addresses to suit your setup (8.8.8.8 and 8.8.4.4 are Google's public resolvers). The user and group lines make the server drop root privileges once the tunnel is up, so a bug in OpenVPN does not hand an attacker root.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
Install Easy-RSA to create the certificate authority, server certificate, and keys
================================================================
18. Install easy-rsa, the script collection that manages the CA, certificates, and keys, and copy its scripts into a working directory under /etc/openvpn
yum install easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
19. Change the variables file in the easy-rsa folder
nano /etc/openvpn/easy-rsa/vars
edit -> change the following lines to describe your own organization (the values below are the author's example settings; they become the subject fields of every certificate you generate)
export KEY_COUNTRY="US"
export KEY_PROVINCE="OR"
export KEY_CITY="Portland"
export KEY_ORG="danscourses"
export KEY_EMAIL="webadmin@danscentos-s2.danscourses.com"
export KEY_OU="danscourses"
20. Build the certificate authority, the server certificate and key, and the Diffie-Hellman parameters. Accept the default values at each prompt; for the server certificate the default Common Name is the hostname you pass to build-key-server. Note that ./clean-all deletes everything in the keys folder, so only run it on a fresh setup, and that ./build-dh takes a few minutes. The CA private key (keys/ca.key) signs every certificate the server will trust: keep it readable by root only and never copy it to a client.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server $( hostname )
./build-dh
21. Copy the CA certificate, the server certificate and key, and the DH parameters to the openvpn folder (substitute your own hostname for danscentos-s2). Do not copy ca.key; the running server does not need it.
cd /etc/openvpn/easy-rsa/keys
cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn
Start the OpenVPN Server
=====================
22. Restore the SELinux security context on /etc/openvpn (the files you copied in may carry a label that stops the openvpn service from reading them) and create the symbolic link that makes systemd start the openvpn@server instance at boot. The link is the same one systemctl enable would create; because it already exists, step 24 uses enable with -f.
restorecon -Rv /etc/openvpn
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
23. Edit the OpenVPN server.conf file and change the names of the server certificate and server key to match the files you copied in step 21. Save the file and exit.
cd /etc/openvpn
nano server.conf
in server.conf change the following lines:
cert server.crt
key server.key # This file should be kept secret
replace the word "server" with your server's hostname which should be the name of your server certificate and key files:
cert danscentos-s2.crt
key danscentos-s2.key # This file should be kept secret
24. Start the OpenVPN server
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
Video Tutorial
OpenVPN Lab continued from Page 2
Build the client keys using easy-rsa
=============================
You can build a separate client certificate and key for each client you wish to allow to connect to your server. Give each client a unique Common Name (the name you pass to build-key is offered as the default): OpenVPN identifies connected clients by Common Name and, unless duplicate-cn is set in server.conf, a second connection with the same name replaces the first. A per-client certificate can also be revoked individually later without affecting the other clients.
25. Navigate to the easy-rsa directory and build your client keys.
cd /etc/openvpn/easy-rsa
source ./vars
./build-key myclient
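Before copying anything into /etc/openvpn or onto a client it is worth checking what easy-rsa actually produced, for the server certificate from step 20 as much as for the client certificate from step 25. The script below is an added example for this page, not part of the lab or of easy-rsa; it assumes the OpenSSL command-line tool is installed and that the files are named as the lab names them. It checks that a certificate chains to ca.crt, that the private key belongs to it, and, for the server role, that the certificate carries the serverAuth extended key usage that easy-rsa's build-key-server adds (the extension a client's remote-cert-tls server option relies on).

```shell
#!/bin/sh
# Added example, not part of the original lab: sanity-check what easy-rsa
# produced before copying it into /etc/openvpn or onto a client.
# Assumption: the openssl command-line tool is installed.

set -eu

# check_cert CA_FILE CERT_FILE KEY_FILE [server|client]
# Returns 0 when CERT_FILE chains to CA_FILE, KEY_FILE is its private key and,
# for the server role, the serverAuth extended key usage is present.
# Prints the certificate's Common Name.
check_cert() {
    ca=$1; crt=$2; key=$3; role=${4:-client}

    # 1. Chain: the certificate must verify against ca.crt.  easy-rsa 2.0
    #    writes a text dump above the PEM block in .crt files; openssl skips it.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$crt: does not verify against $ca" >&2; return 1; }

    # 2. Key pairing: the RSA modulus in the certificate must equal the key's,
    #    otherwise OpenVPN refuses to start (server) or to connect (client).
    crt_mod=$(openssl x509 -noout -modulus -in "$crt")
    key_mod=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] \
        || { echo "$key: does not match $crt" >&2; return 1; }

    # 3. Role: a server certificate must carry extendedKeyUsage = serverAuth.
    #    A plain client certificate used on the server would still "work" but
    #    clients using "remote-cert-tls server" would (rightly) reject it.
    if [ "$role" = server ]; then
        openssl x509 -noout -text -in "$crt" | grep -q 'TLS Web Server Authentication' \
            || { echo "$crt: missing serverAuth extended key usage" >&2; return 1; }
    fi

    # Print the CN; handles both "subject= /C=US/.../CN=x/..." (OpenSSL 1.0)
    # and "subject=C = US, ..., CN = x, ..." (OpenSSL 1.1 and later) layouts.
    openssl x509 -noout -subject -in "$crt" | sed 's|.*CN *= *||; s|[,/].*||'
}

# Usage on the server, as root, after steps 20 and 25:
#   cd /etc/openvpn/easy-rsa/keys
#   check_cert ca.crt danscentos-s2.crt danscentos-s2.key server
#   check_cert ca.crt myclient.crt myclient.key
```

The function exits non-zero with a one-line reason on stderr, so it can gate a copy step (for example `check_cert ... && cp ...`).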
Copy the client keys to the client's computer
=====================================
26. Change directories to the keys folder and verify that the client certificate and key were created. You should see files named myclient.crt and myclient.key
cd /etc/openvpn/easy-rsa/keys
ls
27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer, for example with an SSH/SCP client such as Filezilla (a flash drive works too). myclient.key is the client's private key: whoever holds it, together with a valid user password, can connect as that client, so avoid sending it by e-mail and delete any staging copies once it is on the client. To copy the files using Filezilla you may first need to copy them to a folder such as Documents that does not require root access and relax the permissions on myclient.key so that the unprivileged user you log in as can read it. The client computer used to connect to the OpenVPN server can be running Windows, Linux, or OSX.
cp ca.crt myclient.crt myclient.key /home/student/Documents
cd /home/student/Documents
ls -l
chmod 644 myclient.key
Now from a remote computer you can use a program like Filezilla to copy the files from the server. Once they are on the client, tighten the permissions on the key again (chmod 600 myclient.key on Linux or OSX) and remove the staging copy from Documents on the server.
Create the client OpenVPN configuration file used to connect to the server
=============================================================
28. Using a text editor like nano in Linux or Notepad in Windows, create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the CentOS 7 server. The comp-lzo setting must match the server (the sample server.conf enables it), and auth-user-pass makes the client prompt for a username and password, which the server checks against the PAM module configured in step 30.
nano myclient.ovpn
add the following lines:
client
dev tun
proto udp
remote <centos server ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key
auth-user-pass
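Moving three separate credential files around (step 27) and keeping the paths in the .ovpn file straight is error-prone. OpenVPN 2.1 and later accept the CA certificate, client certificate and key inline, inside `<ca>`, `<cert>` and `<key>` blocks, so the whole profile can be one file. The script below is an added example for this page, not part of the lab or of OpenVPN; it assumes the easy-rsa file names the lab uses and that the keys directory is passed as an argument. It writes the same options as step 28 plus one hardening line, `remote-cert-tls server`, which makes the client refuse any peer whose certificate lacks the server extensions that easy-rsa's build-key-server sets, so another client certificate from the same CA cannot impersonate the server.

```shell
#!/bin/sh
# Added example, not part of the original lab: build one self-contained client
# profile with ca.crt, NAME.crt and NAME.key embedded as inline blocks.
# Assumptions: files are named as easy-rsa names them and live in KEYS_DIR.

set -eu

# pem_block FILE TYPE_REGEX  -> prints only the matching PEM block from FILE.
# easy-rsa 2.0 writes a human-readable dump above the PEM in .crt files; that
# text is harmless in a separate file but must not end up inside <cert>.
pem_block() {
    sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1"
}

# make_ovpn SERVER_IP CLIENT_NAME KEYS_DIR  -> prints the profile on stdout
make_ovpn() {
    server_ip=$1; client=$2; keys_dir=$3

    for f in "$keys_dir/ca.crt" "$keys_dir/$client.crt" "$keys_dir/$client.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # Same options as step 28 of the lab, plus "remote-cert-tls server" (see
    # the lead-in) and the inline blocks replacing the ca/cert/key file lines.
    # The key regex accepts both "PRIVATE KEY" (PKCS#8) and "RSA PRIVATE KEY".
    cat <<EOF
client
dev tun
proto udp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
auth-user-pass
<ca>
$(pem_block "$keys_dir/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$keys_dir/$client.crt" CERTIFICATE)
</cert>
<key>
$(pem_block "$keys_dir/$client.key" '.*PRIVATE KEY')
</key>
EOF
}

# Usage on the server, as root (203.0.113.10 is a placeholder address); then
# move only myclient.ovpn to the client over scp/sftp and give it mode 600:
#   make_ovpn 203.0.113.10 myclient /etc/openvpn/easy-rsa/keys > myclient.ovpn
```

The resulting file still contains the client's private key, so it deserves the same care as myclient.key: transfer it over SSH, not e-mail, and on the client keep it readable only by the account that runs OpenVPN.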
On the server, enable CentOS 7 to forward packets through its network interfaces
==================================================================
29. Enable IP forwarding so the kernel will route packets between the tun0 tunnel interface and the server's other interfaces; without it the redirect-gateway and route pushes get clients nowhere. Add the following line to the sysctl.conf file, then load it.
nano /etc/sysctl.conf
edit -> net.ipv4.ip_forward = 1
sysctl -p
Enable the OpenVPN pam authentication module to add user authentication
==============================================================
30. With the OpenVPN auth-pam plugin the server can authenticate connecting users against the Linux system accounts, in addition to checking the client certificate (this is what auth-user-pass in the client config is for: the client prompts for a username and password). pam_unix.so needs to read /etc/shadow, which user nobody cannot; the plugin handles this by forking a privileged helper process before OpenVPN drops privileges, so the user and group settings from step 17 can stay. To do this you will need to create a PAM service file:
touch /etc/pam.d/openvpn
nano /etc/pam.d/openvpn
then add the following two lines:
auth required pam_unix.so shadow nodelay
account required pam_unix.so
31. Add the following line to the end of the OpenVPN server.conf file. The last word, openvpn, is the PAM service name and must match the name of the file created in /etc/pam.d in step 30.
nano /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
On the server, add and uncomment two lines in the OpenVPN server.conf file
===============================================================
32. In server.conf add a line to push a route to the server's inside LAN network, so clients can reach 192.168.10.0/24 through the tunnel, and uncomment the line that allows client-to-client communication between tunneled users. Leave client-to-client commented out if VPN users should only reach the server and the LAN, not each other.
cd /etc/openvpn
nano server.conf
add/uncomment the following two lines:
push "route 192.168.10.0 255.255.255.0"
client-to-client
Ctrl+x, type y and press enter to save.
33. Now restart the OpenVPN server
systemctl stop openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
Connect to the OpenVPN Server from a client computer
===============================================
34. With root access use the following command to connect to the server from a Linux host. You may need to install the openvpn package if it is not already installed on your Linux client (easy-rsa is not needed on the client). Notice that in the example command below the myclient.ovpn file is in the current directory; if it is in a different directory you will need to provide the path, and the ca, cert and key paths inside the file are resolved relative to the directory you run openvpn from.
openvpn myclient.ovpn
OpenVPN is now running in that terminal window, to close the OpenVPN connection press Ctrl+c, or to continue working you will need to open a new terminal window. You can also close OpenVPN and the tunnel connection using the pkill program.
pkill openvpn
35. In a new terminal window examine your tunnel interface using ifconfig. You should see a tun0 interface with an IP address in the 10.8.0.0/24 range assigned by the server.
ifconfig
36. Test whether you can ping the server's tunnel interface at 10.8.0.1, as well as communicate with the inside LAN network at 192.168.10.1 over the route pushed in step 32
ping 10.8.0.1
ping 192.168.10.1
37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the OpenVPN client program from http://openvpn.net; the Windows installer is on the website under Community Downloads. After installing the OpenVPN client for Windows, copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Program Files (x86)\OpenVPN\config\ folder, or, if you installed the 64-bit version of the OpenVPN client, to C:\Program Files\OpenVPN\config\.
38. Now start the Windows OpenVPN GUI. It launches into the system tray. Right click the OpenVPN icon in the system tray, choose the config file and select Connect.
Start > Programs > OpenVPN GUI
Right click the OpenVPN icon in the system tray, and select Connect.
Configure the iptables firewall to allow OpenVPN connections
===================================================
Earlier in the lab, I shut down the iptables firewall with the intention of turning it back on after configuring it to allow OpenVPN connections.
39. to be posted soon...
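The lab's own rules for this step are not on the page. As an added example, not the author's forthcoming step 39 and not part of OpenVPN, the script below emits a ruleset in the format iptables-restore reads, which is what the iptables service on CentOS 7 loads from /etc/sysconfig/iptables. It assumes the server's outward-facing interface name, the VPN subnet and port from the sample server.conf (10.8.0.0/24, UDP 1194), and that SSH stays reachable for administration; adjust all three to your VM. The NAT rule is needed because step 17 pushes redirect-gateway, so client traffic leaves through the server's address; the FORWARD rules need the ip_forward setting from step 29.

```shell
#!/bin/sh
# Added example, not part of the original lab: generate an iptables ruleset
# (iptables-restore format, as used in /etc/sysconfig/iptables) for the
# OpenVPN server built in this lab.  Interface name, VPN subnet, port and the
# open SSH port are assumptions for this example.

set -eu

# openvpn_rules WAN_IF VPN_NET PORT  -> prints the ruleset on stdout
openvpn_rules() {
    wan_if=$1; vpn_net=$2; port=$3

    # iptables-restore ignores lines starting with '#', so comments are kept
    # in the generated file (but never at the end of a rule line).
    cat <<EOF
# OpenVPN server ruleset (generated example, not the lab's own file)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clients get "redirect-gateway" pushed to them, so everything they send leaves
# through $wan_if and must be source-NATed to the server's own address.
-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Administration: the lab copies client files off the server over SSH/SCP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# The OpenVPN listener itself ("proto udp" / "port $port" in server.conf)
-A INPUT -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Connected clients talking to the server's tunnel address (ping 10.8.0.1)
-A INPUT -i tun0 -j ACCEPT
# Routed traffic from the tunnel to the LAN or Internet, plus replies.
# client-to-client traffic is switched inside the OpenVPN process and never
# passes through FORWARD, so no rule is needed for it here.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
COMMIT
EOF
}

# Usage on the server, as root (eth0 is an assumed interface name):
#   openvpn_rules eth0 10.8.0.0/24 1194 > /etc/sysconfig/iptables
#   systemctl start iptables && iptables -L -v -n
```

Everything not listed is dropped by the INPUT and FORWARD policies, so if you administer the VM over something other than SSH on port 22, add that service before starting iptables or you will lock yourself out of the console-less VM. The FORWARD rule is deliberately permissive for a lab; in production restrict it to the LAN and outward interfaces you intend clients to reach.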