Scribd Logo
Upload

Welcome to Scribd!

  • Linux VPN

    Uploaded by

    Alvaro Silva Santisteban
    16 views6 pages
    5

    Original Title

    LINUX VPN

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    5

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    16 views6 pages

    Linux VPN

    Uploaded by

    Alvaro Silva Santisteban
    5

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    PREREQUISITES

    We will need the following to be able to successfully setup an OpenVPN


    server:
    - A CentOS 7.2 x64 VPS server
    - Root Access to the server
    - An SSH client (You can download Putty or Bitvise depends on your
    operating system and liking)

    When you have all this ingredients we can now start setting up our OpenVPN
    Server. Please follow the guide carefully, remember, you can always copy
    and paste the commands below for ease of installation and configuration.

    INSTALLING OPENVPN SERVER

    First, Update your CentOS distribution:


    yum update

    Then we will install the EPEL Repo. The EPEL Repo is an open source and
    community based repository of the Fedora Team which provides 100%
    quality add-on software packages.
    yum install epel-release

    We will now install OpenVPN and Easy-RSA package. The Easy-RSA package is
    provided so we can have an easier way of generating certificates.
    yum install openvpn easy-rsa

    GENERATE KEYS & CERTIFICATES

    We will need to create a folder so we can store the keys and certificates that
    we will generate later.
    mkdir -p /etc/openvpn/easy-rsa/keys

    Next, we will copy the certificate generation scripts from their default
    location to our OpenVPN folder.
    cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    We will go to the easy-rsa directory and source the variables.
    cd /etc/openvpn/easy-rsasource ./vars
    Then we will clean all the existing keys & certificates (if any) and generate the
    new certificate authority.
    ./clean-all
    When building the certificate authority we will be asked for different
    information such as the country, organization and department. You can fill in
    your information or to leave it as it is you can just press enter.
    ./build-ca

    The next thing we will generate are the keys and certificates for the
    OpenVPN server. You will be again asked the same questions as the above
    command which you can fill in or ignore by just pressing the enter key. From
    the below command, we will create the keys and certificates with the
    filename of server. After entering your information, you will be asked to Sign
    the Certificate, press "y" to approve.
    ./build-key-server server
    We will also need to create a Diffie-Hellman file. Creation of this file will
    depends on the length of the key. For this default we will use 2048 bit key
    but you can always change it by editing the vars file in the easy-rsa folder.
    Key generation may take a minute or two.
    ./build-dh
    Since this guide is all about OpenVPN authentication using client certificate
    we will also need to generate a certificate for our client. Without this
    certificate, our client will not be able to login to the OpenVPN server. Always
    remember to keep this client certificate safe with you at all times, you should
    never distribute your own certificate to others. If you want others to use
    your OpenVPN server you should create a client certificate for them by
    following the below command. For this guide we will create a certificate for
    "John".
    ./build-key john
    john.key will be the filename of the client key & certificate.
    For the above commands we will have the following keys and certificates in
    the folder /etc/openvpn/easy-rsa/keys

    server.key

    server.crt

    john.key

    john.crt

    ca.crt

    ca.key

    dh2048.pem

    You will need to download john.key, john.crt and ca.crt for use by the
    OpenVPN client.

    CONFIGURING OPENVPN

    We will now configure the OpenVPN server. First, create a configuration file
    named server.conf
    nano /etc/openvpn/server.conf

    Then we will fill up the file using the below basic configuration details. For
    more information on the configuration please see man openvpn.

    port 443

    proto tcp

    dev tun

    server 10.11.0.0 255.255.255.0

    ca /etc/openvpn/easy-rsa/keys/ca.crt

    cert /etc/openvpn/easy-rsa/keys/server.crt

    key /etc/openvpn/easy-rsa/keys/server.key

    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    persist-key

    persist-tun

    keepalive 10 60

    reneg-sec 0

    comp-lzo

    tun-mtu 1468

    tun-mtu-extra 32

    mssfix 1400

    push "persist-key"

    push "persist-tun"

    push "redirect-gateway def1"

    push "dhcp-option DNS 8.8.8.8"

    push "dhcp-option DNS 8.8.4.4"

    status /etc/openvpn/443.log

    verb 3

    Save the file and exit.

    Next we need to run and enable OpenVPN on startup.


    systemctl start openvpn@server.service

    systemctl -f enable openvpn@server.service

    ROUTING & FORWARDING RULES

    We will need to enter some iptable rules to enable internet on the client
    machine. Just change $serverip to your server's IP address.
    iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -j SNAT --to

    $serveripiptables-save
    Nest, edit systctl.conf to enable packet forwarding. Open the file
    /etc/sysctl.conf and add the line.
    net.ipv4.ip_forward=1
    then enable it by
    sysctl -p

    Now that our OpenVPN Server is finished we will now try connecting clients
    to the server.

    CONFIGURING CLIENT

    Remember the above instructions when I told you to copy:

    john.key

    john.crt

    ca.crt

    We will need this files to successfully connect to our openvpn server. Put
    these 3 files with the .ovpn file we will create below in the same folder. Copy
    the below configuration and save it as client.ovpn. Note the $serverip is the
    ip address of your openvpn server.

    client

    remote $serverip 443

    proto tcp

    resolv-retry infinite

    route-delay 2

    pull

    comp-lzo yes

    dev tun

    nobind

    ca ca.crt
    cert john.crt

    key john.key

    CONNECTING FROM WINDOWS


    Download the windows installer from openvpn, install it, run as admin then
    copy the 4 files (client.ovpn, ca.crt, john.crt & john.key) to the /Program
    Files/OpenVPN/config folder.
    In the system tray right click on the OpenVPN icon and click Connect.

    CONNECTING FROM LINUX


    Install OpenVPN from your distributions official repository then run
    OpenVPN by executing:
    sudo openvpn --config ~/path/to/client.ovpn

    CONNECTING FROM MAC


    For MAC, there is an application you can download called Tunnelblick. You
    should install it and run, make sure that the 4 files required are in the same
    folder. While in tunnelblick look for your .ovpn file and click on it to install.
    To connect, just select the configuration name and click "Connect" .
    ___
    There you go! Now we have a working OpenVPN installation on CentOS 7.2
    using certificate authentication.
    Don't forget to put your comments if you succeeded using this guide.

    You might also like