
Guide: Client-to-Site VPN with OpenVPN on CentOS

Description:

A user (the VPN client) outside the network dials a VPN connection to the OpenVPN server, authenticating with a certificate: a key plus a password that protects the key (not to be confused with the key's own password). When the VPN connection succeeds:
- A virtual tunnel with subnet 10.8.0.0/24 is created, and the VPN client reaches the company network through this tunnel (secure).
- The server assigns the VPN client a static IP address in subnet 10.8.0.0/24 so it can talk to the local computers inside the network.

Step 0: Preparation
Set up the machines and assign IPs according to the diagram.

Make sure: the local computer can reach the OpenVPN server, and the VPN client can reach the OpenVPN server (to dial the VPN).
Software:
- OpenVPN GUI: installed on the VPN client, used to dial the VPN to the server.
- The lzo package: installed on the server, used to compress data on the link.
- The openvpn package: installed on the server, which makes it the OpenVPN server.
These packages can be downloaded from the project home page, or I have put them here: http://www.mediafire.com/?ir9fdp8nybzcy8n

Step 1: Install the VPN server
- Copy the lzo-1.08 and openvpn-2.0.9 install packages into root's home directory (/root)

- cd /root
- Extract and install lzo-1.08:
  tar xvzf lzo-1.08.tar.gz
  cd lzo-1.08
  ./configure (checks whether the required libraries are present)
  make (compiles)
  make install (installs)
- Extract and install openvpn:
  cd ..
  tar -xzvf openvpn-2.0.9.tar.gz
  cd openvpn-2.0.9
  ./configure
  make
  make install
- Create the /etc/openvpn directory:
  mkdir /etc/openvpn

Step 2: Create the CA, the server certificate and the keys

- Copy the easy-rsa directory from the extracted source into /etc/openvpn:
  cp -r /root/openvpn-2.0.9/easy-rsa/ /etc/openvpn/

- Create the CA certificate for the server:
  cd /etc/openvpn/easy-rsa/2.0/
  mv * ../ (moves every file in 2.0/ up into easy-rsa/)

  cd .. (go to the easy-rsa/ directory)
  mkdir keys (creates /etc/openvpn/easy-rsa/keys to hold the keys and certificates)
  vi vars (edit the default parameters; you can also skip this step and keep the defaults)

  export KEY_COUNTRY="VN"
  export KEY_PROVINCE="TP HCM"
  export KEY_CITY="HCM"
  export KEY_ORG="Nhat Nghe"
  export KEY_EMAIL=openvpn@nhatnghe.com
- Configure the CA:
  . ./vars (there is exactly one space between the two dots; this loads the environment variables set in the previous step)
  When you run this command, the system requires that the keys directory contain no files at all; it prints a message telling you to run ./clean-all to empty /etc/openvpn/easy-rsa/keys if anything is in it.
  ./clean-all

- Create the CA: generate the CA's private key, stored in the file 'ca.key':
  ./build-ca
  Enter the parameters when prompted. Note: the common name is the unique identifier, so remember what you put there.

ls the keys directory and you will see the files that were created.

These keys are all encoded; you can cat them to see what is inside, just for fun.

- Create the certificate and private key for the server (request a certificate from the CA for the server): in the previous step we created our own CA, which plays the same role as the organisations that sell certificates (Verizon, ...). In this step we create the private key for a server that wants to authenticate with a certificate (banks, ...); here our server is OpenVPN.
  ./build-key-server openvpnserver

ls keys/ to see that a few more files were created.

- Create the Diffie-Hellman (DH) parameters:
  ./build-dh
  Generating the DH parameters can be quick or slow.
- Create the client certificate and private key for each client (for two-way authentication). Here I create keys for two users, kuti and kuteo:
  ./build-key kuti (common name: kuti)

Do the same for kuteo:
  ./build-key kuteo (common name: kuteo)
After this step we have finished creating all the certificates and keys needed for authentication. ls keys/ to see the result of this step.

We now have quite a few files in this keys/ directory; they are distributed to the server and the clients as shown in the table below:

Step 3: Enable forwarding (used for LAN routing):
  vi /etc/sysctl.conf
  7: net.ipv4.ip_forward = 1
  sysctl -p (makes the setting take effect)
  echo 1 > /proc/sys/net/ipv4/ip_forward

Step 4: Configure the VPN server
- Copy the sample server.conf from the install source into /etc/openvpn/:
  cp /root/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
- Edit the configuration file:
  cd /etc/openvpn/
  vi server.conf
  25: local 192.168.1.200 (selects the interface that users dial the VPN to; this option can be omitted)
  32: port 1723 (the default is 1194, but that port is often blocked by firewalls, so we use 1723 to match the VPN port of Windows Server)
  36: proto udp (UDP protocol)
  53: dev tun (use a tunnel; for bridging choose dev tap0, and the other settings then differ from the tunnel ones)
  78: ca /etc/openvpn/easy-rsa/keys/ca.crt (path to the ca.crt file)
  79: cert /etc/openvpn/easy-rsa/keys/openvpnserver.crt
  80: key /etc/openvpn/easy-rsa/keys/openvpnserver.key
  87: dh /etc/openvpn/easy-rsa/keys/dh1024.pem
  96: server 10.8.0.0 255.255.255.0 (the IP range handed out to VPN clients; by default the VPN server takes the first address, 10.8.0.1)
  103: ;ifconfig-pool-persist ipp.txt (lets a VPN client get its previous IP back after losing the connection to the server; since we use static IPs this option stays unused)
  124: push "route 172.16.0.0 255.255.255.0" (pushes the route for network 172.16.0.0 to the client, what Windows Server calls LAN routing, so the VPN client can see the company's internal network)
  125: ;push "route 192.168.1.200 255.255.255.0" (in our lab the VPN client connects from the 192.168.1.0 network itself, so this route line is not needed, and would not work if present; only add routes for the internal networks that outside clients cannot reach)
  138: client-config-dir ccd (used to assign static IPs to VPN clients)
  196: client-to-client (lets VPN clients see each other; by default a client sees only the server)
Quite simple. There are also other parameters we do not use, such as:
  181: ;push "redirect-gateway" (sends all of the VPN client's traffic, http, dns, ftp, through the tunnel. This differs from push route, where only traffic into the internal network goes through the tunnel; using it requires a NAT server and a DNS server inside the internal network)
  187, 188: push "dhcp-option DNS 10.8.0.1" (or WINS) pushes the DNS or WINS configuration to the VPN client.
You can think of push as pressing configuration from the server onto the VPN client: once the VPN comes up, the server adds these settings on the client.
- Configure the static IP file for each user: after configuring the server, we configure the files in the ccd/ directory, one per VPN user.
  + Create the ccd directory (/etc/openvpn/ccd):
    mkdir /etc/openvpn/ccd
  + Create the profile for user kuti:
    vi /etc/openvpn/ccd/kuti
    1: ifconfig-push 10.8.0.2 10.8.0.1

With the configuration above, user kuti receives IP 10.8.0.2. The IP pair declared in this directive must come from the table below; each user gets one corresponding IP pair.
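The rule behind those pairs, as an added example (my own script, not part of the original guide): with dev tun, OpenVPN 2.0 gives each static client a /30 block, so the client address is 10.8.0.(4n+2) and its server-side endpoint is 10.8.0.(4n+1), which is why a /24 holds only 64 such clients. The function names and the VPN_NET parameter are assumptions; write_ccd produces the same files as the manual vi steps.

```shell
#!/bin/sh
# Added example, not from the original guide: generate /etc/openvpn/ccd/<user>
# profiles following the /30 pairing OpenVPN 2.0 uses for "dev tun" clients.
# Pair n (0-based): client = NET.(4n+2), server endpoint = NET.(4n+1), so
# NET.0/24 holds at most 64 static clients. VPN_NET is an assumed parameter.
VPN_NET=${VPN_NET:-10.8.0}

# ccd_pair N: print "client server" for the N-th pair, fail if N is not 0..63.
ccd_pair() {
    n=$1
    case "$n" in ''|*[!0-9]*)
        echo "ccd_pair: index must be a non-negative integer" >&2; return 1 ;;
    esac
    if [ "$n" -gt 63 ]; then
        echo "ccd_pair: only 64 /30 pairs fit in $VPN_NET.0/24, use another subnet" >&2
        return 1
    fi
    echo "$VPN_NET.$((4 * n + 2)) $VPN_NET.$((4 * n + 1))"
}

# ccd_pair_valid CLIENT SERVER: succeed only when the two addresses form a pair
# from the table (same subnet, client = 4n+2, server = client - 1).
ccd_pair_valid() {
    [ "${1%.*}" = "$VPN_NET" ] && [ "${2%.*}" = "$VPN_NET" ] || return 1
    c=${1##*.}; s=${2##*.}
    for x in "$c" "$s"; do case "$x" in ''|*[!0-9]*) return 1 ;; esac; done
    [ $((c % 4)) -eq 2 ] && [ "$s" -eq $((c - 1)) ]
}

# write_ccd DIR USER...: write "ifconfig-push client server" for each user,
# assigning pairs in the order the users are listed (kuti -> pair 0, ...).
write_ccd() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    i=0
    for u in "$@"; do
        pair=$(ccd_pair "$i") || return 1
        printf 'ifconfig-push %s\n' "$pair" > "$dir/$u"
        i=$((i + 1))
    done
}
```

Running `write_ccd /etc/openvpn/ccd kuti kuteo` as root produces the two profiles used in this lab.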

For the reason behind that table, see here: http://openvpn.net/index.php/openso...to.html#policy
  + Create the profile for user kuteo:
    vi /etc/openvpn/ccd/kuteo
    1: ifconfig-push 10.8.0.6 10.8.0.5
With the configuration above, user kuteo receives IP 10.8.0.6. You can see the limitation of assigning IPs from this table: within subnet 10.8.0.0/24 we can configure static IPs for only 64 users (the 64 IP pairs above). If the company has more than 64 VPN users, we create another subnet, for example 10.9.0.0, and add a route for that network in the server.conf above.

Step 5: Start the VPN server, dial the VPN and test with users kuti and kuteo.
- Start the OpenVPN server:
  cd /etc/openvpn
  openvpn server.conf
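Before running that start command, an added pre-flight check (my own script, not from the guide or the OpenVPN project) that parses server.conf as Step 4 built it: OpenVPN takes the argument of push as a single quoted string and aborts with an Options error on an unquoted one, and it also refuses to start when a ca/cert/key/dh file or the client-config-dir path is missing. The function name is an assumption and the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: a pre-flight check for the
# server.conf edited in Step 4. It needs no openvpn binary; it parses the file,
# prints the number of problems found (0 means clean) and returns non-zero
# when there are any. Relative paths are resolved against the current
# directory, which matches running "openvpn server.conf" from /etc/openvpn.
check_server_conf() {
    conf=$1; problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[! ]*}"}                   # drop leading spaces
        case "$line" in ''|'#'*|';'*) continue ;; esac  # blank or commented out
        set -- $line                                    # $1 = directive, $2.. = args
        case "$1" in
            push)
                # OpenVPN wants exactly one argument, so the pushed option must
                # be quoted: push "route 172.16.0.0 255.255.255.0"
                case "$line" in
                    'push "'*'"') ;;
                    *) echo "unquoted push: $line" >&2
                       problems=$((problems + 1)) ;;
                esac ;;
            ca|cert|key|dh)
                [ -f "$2" ] || { echo "$1 file not found: $2" >&2
                                 problems=$((problems + 1)); } ;;
            client-config-dir)
                [ -d "$2" ] || { echo "ccd directory not found: $2" >&2
                                 problems=$((problems + 1)); } ;;
        esac
    done < "$conf"
    echo "$problems"
    [ "$problems" -eq 0 ]
}
```

Run it as `check_server_conf /etc/openvpn/server.conf` from /etc/openvpn; each problem is described on stderr and the count on stdout.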

- Install and configure OpenVPN GUI on the client:
  + Run openvpn-2.0.9-gui-1.0.3-install.exe and install with the defaults.
  + Copy the required key and certificate files ca.crt, kuti.crt and kuti.key into C:\Program Files\OpenVPN\config
  + Copy client.ovpn from C:\Program Files\OpenVPN\sample-config into C:\Program Files\OpenVPN\config

  + Edit client.ovpn:
    client
    dev tun (tunnel)
    proto udp (UDP protocol)
    remote 192.168.1.200 1723 (IP:port of the OpenVPN server)
    nobind
    persist-key
    persist-tun
    ca ca.crt (the CA certificate)
    cert kuti.crt (user kuti's certificate)
    key kuti.key (user kuti's private key)
    comp-lzo
    verb 3
- Dial the VPN: right-click the new network adapter icon that appears after installing OpenVPN GUI and choose Connect.

You can see that the VPN connects successfully, receives IP 10.8.0.2, and the required routes are added.
- Set a password protecting the key: right-click the OpenVPN icon and choose Change Password.

From now on, whenever you dial the VPN, the system will also ask for this password.

- Test:
  + Check the routing table: Start --> Run --> cmd --> route print

  OK, you can see the server added routes for client kuti to the two networks 172.16.0.0/24 and 192.168.1.0/24, and that both go through the gateway 10.8.0.1 (the VPN server's tunnel IP) with metric 1.
  + Check connectivity to the internal network with ping.

  + Dial the VPN as user kuteo: follow the same steps as for user kuti.

  User kuteo receives IP 10.8.0.6, as configured in /etc/openvpn/ccd/kuteo above.
  + Ping VPN client 1 (kuti: 10.8.0.2) and the local computer (172.16.0.2).

That completes this lab. I hope everyone gets it working; if you hit an error or do not quite understand a step:
- See the full guide and explanations at: http://openvpn.net/howto.html
- Post about it and I will try to answer (if I can).
There is one more small (extra) part of this lab that I will add later. The post is quite long, so I will stop here; take your time reading it.
