Linux:Powerful Server Administration

Securing remote access with OpenVPN

A VPN enables two or more systems to communicate privately and securely over a public network such as the Internet. The network traffic is still routed through the Internet, but it is encrypted. You can use a VPN to set up a secure connection between two datacenters or to access office resources from the comfort of your home. VPN services are also used to protect online activity, access location-restricted content, and bypass restrictions imposed by an ISP.

VPN services are implemented with a number of different protocols, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPsec, and SSL. In this recipe, we will set up a free VPN server, OpenVPN. OpenVPN is an open source SSL VPN solution and provides a wide range of configuration options. It can be configured to use either TCP or UDP. In this recipe, we will set up OpenVPN with its default UDP port, 1194.

Getting ready…

You will need one server and one client system and root or equivalent access to both systems.

How to do it…

  1. Install OpenVPN with the following command:
    $ sudo apt-get update
    $ sudo apt-get install openvpn easy-rsa
    
  2. Now, set up your own certificate authority (CA) and generate the certificate and keys for the OpenVPN server.
  3. The OpenVPN files we need to edit are owned by the root user, and the build-ca script needs root access to write new keys. Temporarily change to the root account using sudo su:
    $ sudo su
    

    Copy the Easy-RSA directory to /etc/openvpn:

    # cp -r /usr/share/easy-rsa /etc/openvpn/
    
  4. Now edit /etc/openvpn/easy-rsa/vars and change the variables to match your environment:
     export KEY_COUNTRY="US"
     export KEY_PROVINCE="ca"
     export KEY_CITY="your city"
     export KEY_ORG="your Company"
     export KEY_EMAIL="you@company.com"
     export KEY_CN="MyVPN"
     export KEY_NAME="MyVPN"
     export KEY_OU="MyVPN"
    
  5. Generate the master CA certificate with the following commands:
    # cd /etc/openvpn/easy-rsa
    # source vars
    # ./clean-all
    # ./build-ca
    
  6. Next, generate a certificate and private key for the server. Replace the server name with the name of your server:
    # ./build-key-server servername
    
  7. Press the Enter key when prompted for the password and company name.
  8. When asked to sign the certificate, enter y and then press the Enter key.
  9. Build Diffie-Hellman parameters for the OpenVPN server:
    # ./build-dh
    
  10. Copy all the generated keys and certificates to /etc/openvpn (the brace expansion must not contain spaces):
    # cp /etc/openvpn/easy-rsa/keys/{servername.crt,servername.key,ca.crt,dh2048.pem} /etc/openvpn
    
  11. Next, generate a certificate for the client with the following commands:
    # cd /etc/openvpn/easy-rsa
    # source vars
    # ./build-key clientname
    
  12. Copy the generated key, certificate, and server certificate to the client system. Use a secure transfer mechanism such as SCP:
    /etc/openvpn/ca.crt
    /etc/openvpn/easy-rsa/keys/clientname.crt
    /etc/openvpn/easy-rsa/keys/clientname.key
    
  13. Now, configure the OpenVPN server. Use the sample configuration file provided by OpenVPN (this writes to /etc/openvpn, so it still needs the root shell from step 3):
    # gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
    
  14. Open server.conf in your favorite editor:
    # nano /etc/openvpn/server.conf
    
  15. Make sure that the certificate and key paths are properly set (relative paths are resolved against /etc/openvpn):
    ca ca.crt
    cert servername.crt
    key servername.key
    dh dh2048.pem
    
  16. To make clients route all their Internet traffic through the VPN server, uncomment the following line:
    push "redirect-gateway def1 bypass-dhcp"
    
  17. To protect against DNS leaks, push DNS settings to VPN clients by uncommenting the following lines:
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    
  18. The preceding lines point to OpenDNS servers. You can set them to any DNS server of your choice.
  19. Lastly, make OpenVPN drop to an unprivileged user and group after start-up by uncommenting the following lines:
    user nobody
    group nogroup
    
  20. Optionally, you can enable compression on the VPN link. Search and uncomment the following line:
    comp-lzo
    
  21. Save the changes and exit the editor.
  22. Next, edit /etc/sysctl.conf to enable IP forwarding. Find the following line and uncomment it by removing the hash, #, in front of it:
    #net.ipv4.ip_forward=1
    
  23. Update sysctl settings with the following command:
    # sysctl -p
    
  24. Now start the server. You should see an output similar to the following:
    # service openvpn start
     * Starting virtual private network daemon(s)
     * Autostarting VPN 'server'
    
  25. When it starts successfully, OpenVPN creates a new network interface named tun0. This can be checked with the ifconfig command:
    # ifconfig tun0
    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
    
  26. If the server does not start normally, check the logs in /var/log/syslog. They list all the steps completed by the OpenVPN service and the point at which it failed.
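As an added example (not code from the book), the following POSIX shell script lints a server.conf of the kind produced in steps 13 to 21: it verifies that the ca, cert, key and dh directives point at files that exist next to the config, that the privilege drop from step 19 is active (a line commented out with ; or # does not count), and that the redirect-gateway and DNS pushes from steps 16 and 17 are in place. The function name check_server_conf, the scratch directory and both sample configs are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): lint an OpenVPN server.conf built by the
# recipe above. File names and the sample configs below are constructed for the demo.

# check_server_conf CONF_FILE
# Prints one line per problem found; the return value is the number of problems
# (0 means the configuration passed every check).
check_server_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    problems=0

    # OpenVPN resolves relative file directives against the directory holding
    # the config file (/etc/openvpn in the recipe), so each one must exist there.
    for directive in ca cert key dh; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing '$directive' directive"
            problems=$((problems + 1))
        elif [ ! -f "$dir/$path" ]; then
            echo "'$directive $path' refers to a file that does not exist"
            problems=$((problems + 1))
        fi
    done

    # Privilege drop (step 19): a commented-out line (';' or '#') does not count.
    grep -Eq '^[[:space:]]*user[[:space:]]+nobody' "$conf" ||
        { echo "daemon does not drop to 'user nobody'"; problems=$((problems + 1)); }
    grep -Eq '^[[:space:]]*group[[:space:]]+(nogroup|nobody)' "$conf" ||
        { echo "daemon does not drop to 'group nogroup'"; problems=$((problems + 1)); }

    # DNS-leak protection (steps 16 and 17) needs both the gateway redirect
    # and at least one pushed resolver.
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf" ||
        { echo "redirect-gateway is not pushed to clients"; problems=$((problems + 1)); }
    grep -Eq '^[[:space:]]*push[[:space:]]+"dhcp-option DNS ' "$conf" ||
        { echo "no DNS server is pushed to clients"; problems=$((problems + 1)); }

    return "$problems"
}

# --- constructed demo: two configs in a scratch directory ---
demo_dir=$(mktemp -d)
touch "$demo_dir/ca.crt" "$demo_dir/servername.crt" "$demo_dir/servername.key" "$demo_dir/dh2048.pem"

# Hardened config, as the recipe ends up with.
cat > "$demo_dir/good.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert servername.crt
key servername.key
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nogroup
EOF

# Same config with a misspelt dh file name and the privilege drop still commented out.
cat > "$demo_dir/bad.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert servername.crt
key servername.key
dh dh2048.pen
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
;user nobody
;group nogroup
EOF

for f in "$demo_dir/good.conf" "$demo_dir/bad.conf"; do
    echo "== $f"
    if check_server_conf "$f"; then echo "OK"; fi
done
```

Run check_server_conf against /etc/openvpn/server.conf before starting the service; a misspelt dh file name like the one in the second sample otherwise only shows up in /var/log/syslog after the daemon fails to start (step 26). Kernel-side settings such as net.ipv4.ip_forward from step 22 live outside the config file and are not covered by this check.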

How it works…

OpenVPN is an open source VPN solution. It is a traffic-tunneling protocol that works in client-server mode. You might already know that a VPN is widely used to create a private and secure network connection between two endpoints. It is generally used to access your servers or office systems from your home. The other popular use of VPN servers is to protect your privacy by routing your traffic through the VPN server. OpenVPN needs two primary components, namely a server and a client. The preceding recipe installs the server component. When the OpenVPN service is started on the OpenVPN host, it creates a new virtual network interface, a tun device named tun0. On the client side, the OpenVPN client tools set up a similar configuration by creating a tap device on the client's system.

Once the client is configured with the server hostname or IP address, the CA certificate, and the client certificate and key, it initiates a virtual network connection from the tap device on the client to the tun device on the server. The CA certificate is used to verify the server's authenticity, and the client's own certificate and key are used to authenticate the client to the server. As the session is established, all network traffic on the client system is routed, or tunneled, via the tap network interface. Any external service accessed by the OpenVPN client sees the requests as if they originated from the OpenVPN server and not from the client. Additionally, the traffic between the server and the client is encrypted, which provides additional security.

There's more…

In this recipe, we have installed and configured an OpenVPN server. To use the VPN service from your local system, you will need a VPN client tool.

The following are the steps to install and configure the VPN client on Ubuntu systems:

  1. Install the OpenVPN client with a command similar to the one we used to install the server:
    $ sudo apt-get update
    $ sudo apt-get install openvpn
    
  2. Copy the sample client.conf configuration file:
    $ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
    
  3. Copy the CA certificate and the certificate and key generated for this client (the three files listed in step 12 of the server recipe):
    $ scp user@yourvpnserver:/etc/openvpn/ca.crt /etc/openvpn
    $ scp user@yourvpnserver:/etc/openvpn/easy-rsa/keys/client1.{crt,key} /etc/openvpn
    
  4. You can use other tools such as SFTP, or WinSCP on Windows systems.
  5. Now edit client.conf, enable client mode, and specify the server name or address:
    client
    remote your.vpnserver.com 1194
    
  6. Make sure that you have set the correct paths for the certificates and key copied from the server.
  7. Now save the configuration file and start the OpenVPN service on the client:
    $ sudo service openvpn start
    
  8. This should create the tun0 network interface:
    $ ifconfig tun0
    
  9. Check the new routes created by VPN:
    $ netstat -rn
    
  10. You can test your VPN connection with any "What's My IP" service and check for DNS leaks with an online DNS leak test.

    For Windows and Mac OS systems, OpenVPN provides native client tools. These need an OpenVPN profile with the .ovpn extension. A template can be found with the OpenVPN client you are using or on the server under the OpenVPN examples. The following is the complete path:

    /usr/share/doc/openvpn/examples/sample-config-files/client.conf
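The following added example (not part of the book) generates the single-file .ovpn profile mentioned above for Windows and Mac OS clients. It embeds the CA certificate, client certificate and client key inline using OpenVPN's <ca>, <cert> and <key> blocks, mirrors the directives of the sample client.conf, and adds remote-cert-tls server so the client refuses a peer presenting an ordinary client certificate instead of one built with build-key-server. The function name make_ovpn, the host name and the placeholder PEM files are assumptions made here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): assemble a single-file .ovpn client profile
# from the CA certificate, client certificate and client key produced by the
# recipe. Host name and the placeholder PEM files below are constructed.

# make_ovpn SERVER_HOST CA_FILE CERT_FILE KEY_FILE
# Writes the profile to stdout. The three PEM files are embedded inline, using
# OpenVPN's <ca>/<cert>/<key> blocks, so the Windows or macOS client only has to
# import one file. Returns 1 if any input file is unreadable.
make_ovpn() {
    host="$1"; ca="$2"; cert="$3"; key="$4"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    # The directives mirror the sample client.conf from the recipe;
    # remote-cert-tls server additionally makes the client reject a server
    # that presents a client-type certificate.
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# --- constructed demo with placeholder PEM material (not real keys) ---
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT' '-----END CERTIFICATE-----' > "$demo_dir/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$demo_dir/client1.key"

# The profile contains the private key, so create it with owner-only permissions.
umask 077
make_ovpn your.vpnserver.com "$demo_dir/ca.crt" "$demo_dir/client1.crt" "$demo_dir/client1.key" > "$demo_dir/client1.ovpn"
cat "$demo_dir/client1.ovpn"
```

Because the generated file carries the client's private key, treat it like the key itself: transfer it over SCP or SFTP as in step 3 and delete it from any shared location once it has been imported.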
    

Note

OpenVPN also provides a web-based admin interface to manage VPN clients. This is a commercial offering with an easy-to-use admin interface for managing OpenVPN settings and client certificates.