OpenVPN
OpenVPN is a virtual private network (VPN) system that implements techniques to create secure
point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It
implements both client and server applications.

OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or
username/password. When used in a multi-client/server configuration, it allows the server to issue an
authentication certificate for every client, using signatures and a certificate authority.
Dev tun, Dev tap
TAP operates at the Ethernet level (layer 2) and acts like a switch, whereas TUN operates at the network
level (layer 3) and routes packets over the VPN. TAP is bridging; TUN is routing.

TAP Benefits
● behaves like a real network adapter (except it is a virtual network adapter)
● can transport any network protocol (IPv4, IPv6, Netalk, IPX, etc.)
● works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
● can be used in bridges

TUN Benefits
● lower traffic overhead: transports only traffic which is destined for the VPN client
● transports only layer 3 IP packets

TAP Drawbacks
● causes much more broadcast overhead on the VPN tunnel
● adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
● scales poorly

TUN Drawbacks
● broadcast traffic is not normally transported
● can only transport IPv4 (OpenVPN 2.3 adds IPv6)
● cannot be used in bridges
Lab ITNSA
● Configure LDAP in MAIL to provide users available for VPN Authentication.
○ Configure using domain dc=itnsa,dc=id.
○ Create user ‘vpn’ with password ‘Skills39’ for VPN testing.
● Configure openvpn in MON1 to provide remote access VPN to remote clients.
○ Allow any client to connect using username and password authentication via LDAP.
○ Distribute client configuration file to connect in /etc/openvpn/client.ovpn
○ Configure remote clients to use the following IP range:
■ Start: 10.22.22.10
■ End: 10.22.22.50
■ Subnet: 255.255.255.0
■ Gateway: 10.22.22.1
● You can use NF to test the VPN client connection, but please don’t keep the connection running
OpenVPN Server on MON1
1. Install OpenVPN
○ # apt install openvpn
2. Create SSL certificates for the OpenVPN server and client
○ Move the files vpn.itnsa.id.crt, vpn.itnsa.id.key, ca.crt and dh.pem to /etc/openvpn
3. Configure OpenVPN Server
○ # cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
○ # vim /etc/openvpn/server.conf

local 10.99.99.21
port 1194
proto udp
dev tap
ca ca.crt
cert vpn.itnsa.id.crt
key vpn.itnsa.id.key
dh dh.pem
mode server
tls-server
topology subnet
ifconfig 10.22.22.1 255.255.255.0
ifconfig-pool 10.22.22.10 10.22.22.50
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
○ Start OpenVPN Server
■ # systemctl start openvpn@server
○ Verify the OpenVPN server status
■ # systemctl status openvpn
■ # ps -ef |grep openvpn
■ # tail -f /var/log/openvpn/openvpn.log
■ # ip addr
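Before starting the server it is worth checking that the addressing in server.conf is consistent: the ifconfig-pool range must lie inside the subnet given to ifconfig, must not include the gateway address itself, and the ca/cert/key/dh files must actually exist (the Debian openvpn@.service unit runs with /etc/openvpn as its working directory, so relative names are resolved there). The script below is an added example, not part of the original lab material; it parses the directives used in the server.conf shown above and reports each problem it finds. The function names and the awk-based directive lookup are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the addressing and file references in an
# OpenVPN server.conf before starting the service.
# Usage: check_server_conf /etc/openvpn/server.conf

# Print the arguments of the first non-comment occurrence of a directive.
directive() {
    awk -v k="$2" '$1 == k { for (i = 2; i <= NF; i++) printf "%s ", $i; print ""; exit }' "$1"
}

# Dotted-quad IPv4 address -> integer, so subnet membership is plain arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

check_server_conf() {
    conf=$1; dir=$(dirname "$conf"); rc=0

    set -- $(directive "$conf" ifconfig);      gw=$1; mask=$2
    set -- $(directive "$conf" ifconfig-pool); start=$1; end=$2
    [ -n "$gw" ] && [ -n "$mask" ]   || { echo "FAIL: ifconfig <gateway> <netmask> missing"; return 1; }
    [ -n "$start" ] && [ -n "$end" ] || { echo "FAIL: ifconfig-pool <start> <end> missing"; return 1; }

    g=$(ip2int "$gw"); m=$(ip2int "$mask"); s=$(ip2int "$start"); e=$(ip2int "$end")
    [ "$s" -le "$e" ] || { echo "FAIL: pool start $start is after end $end"; rc=1; }
    if [ $((s & m)) -ne $((g & m)) ] || [ $((e & m)) -ne $((g & m)) ]; then
        echo "FAIL: pool $start-$end is not inside $gw/$mask"; rc=1
    fi
    if [ "$g" -ge "$s" ] && [ "$g" -le "$e" ]; then
        echo "FAIL: gateway $gw lies inside the client pool"; rc=1
    fi

    # ca/cert/key/dh: relative names are resolved against the config's own
    # directory, matching the working directory of openvpn@.service.
    for k in ca cert key dh; do
        set -- $(directive "$conf" "$k"); f=$1
        [ -n "$f" ] || { echo "FAIL: $k directive missing"; rc=1; continue; }
        case $f in /*) ;; *) f=$dir/$f ;; esac
        [ -r "$f" ] || { echo "FAIL: $k file not readable: $f"; rc=1; }
    done
    return $rc
}
```

Run it as `check_server_conf /etc/openvpn/server.conf` after step 3; a zero exit status means the pool, gateway and certificate paths agree with each other, and any non-zero result prints the directive that needs fixing.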
Create OpenVPN client file on MON1
1. Certificate files for the client
○ Move the files nf.itnsa.id.crt, nf.itnsa.id.key and ca.crt to /etc/openvpn/client
○ # cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/
○ # vim /etc/openvpn/client/client.conf

client
dev tap
proto udp
remote 10.99.99.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
route 0.0.0.0 0.0.0.0 10.22.22.1
verb 3
■ Create the file client.ovpn
○ # cd /etc/openvpn/client
○ # cat client.conf > client.ovpn && echo "<cert>" >> client.ovpn && cat nf.crt >> client.ovpn && \
    echo "</cert>" >> client.ovpn && echo "<key>" >> client.ovpn && cat nf.key >> client.ovpn && \
    echo "</key>" >> client.ovpn && echo "<ca>" >> client.ovpn && cat ca.crt >> client.ovpn && \
    echo "</ca>" >> client.ovpn
■ Copy / SCP file client.ovpn to NF
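The chain of echo/cat commands above builds client.ovpn by hand. The shell functions below are an added example (not part of the original lab material) that do the same assembly more safely: they check that every input file is readable, strip any file-based ca/cert/key directives from client.conf so they cannot conflict with the inline blocks, guarantee that each PEM block ends with a newline so the closing tag lands on its own line, and restrict the result to mode 600 because it now contains the client's private key. File names follow the page; the function names and argument order are this example's own.

```shell
#!/bin/sh
# Added example: assemble an inline client.ovpn from client.conf plus CA,
# certificate and key files. Usage:
#   build_ovpn client.conf ca.crt nf.crt nf.key client.ovpn

# Emit one inline block, e.g. <ca> ... </ca>. awk '1' reprints the file and
# guarantees a trailing newline, so the closing tag always starts a new line.
emit_block() {
    printf '<%s>\n' "$1"
    awk '1' "$2"
    printf '</%s>\n' "$1"
}

build_ovpn() {
    conf=$1 ca=$2 crt=$3 key=$4 out=$5
    for f in "$conf" "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Drop file-based ca/cert/key lines: the inline blocks replace them, and
    # OpenVPN would otherwise look for files that are never shipped to the client.
    grep -Ev '^[[:space:]]*(ca|cert|key)([[:space:]]|$)' "$conf" > "$out" || :
    {
        emit_block ca   "$ca"
        emit_block cert "$crt"
        emit_block key  "$key"
    } >> "$out"
    # The profile now carries a private key: owner-only access.
    chmod 600 "$out"
}

# Count how many of the three inline blocks a profile contains (0-3), a quick
# sanity check before copying the file to the client.
count_inline_blocks() {
    n=0
    for tag in ca cert key; do
        if grep -q "^<$tag>\$" "$1" && grep -q "^</$tag>\$" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Typical use on MON1 is `build_ovpn client.conf ca.crt nf.crt nf.key client.ovpn` followed by `count_inline_blocks client.ovpn`, which should print 3 before the file is copied to NF.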
OpenVPN Client on NF using NetworkManager
1. Install OpenVPN
○ # apt install openvpn
2. Install NetworkManager to use the .ovpn file
○ # apt install network-manager network-manager-openvpn
3. Configure NetworkManager
○ # vim /etc/NetworkManager/NetworkManager.conf

[ifupdown]
managed=true

○ # systemctl restart NetworkManager


4. Import client.ovpn using NetworkManager
○ # nmcli connection import type openvpn file /home/support/client.ovpn
5. Verify import file
○ # nmcli connection show
○ # nmcli device status
6. BAD NEWS
○ The NetworkManager OpenVPN plugin needs a default gateway, so we add one just to test the
connection
■ # ip route add default via 10.199.99.252 dev enp0s3
7. OpenVPN Connect to Server
○ # nmcli connection up client
8. Verify
○ # journalctl -f
○ # nmcli connection show
○ # nmcli device status
○ # ip addr
○ # ip route
OpenVPN Client on NF using Systemd
1. No default gateway is needed; just run these commands:
○ # cp /home/support/client.ovpn /etc/openvpn/client.conf
○ # systemctl start openvpn@client
OpenVPN Server on MON1 using LDAP Auth
1. Install openvpn ldap auth
○ # apt install openvpn-auth-ldap
2. Configure OpenVPN Auth LDAP Plugin
○ # cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/

<LDAP>
URL ldap://ldap.itnsa.id
BindDN cn=admin,dc=itnsa,dc=id
Password admin
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>

<Authorization>
BaseDN "ou=People,dc=itnsa,dc=id"
SearchFilter "(uid=%u)"
RequireGroup false
</Authorization>
3. Enable the auth-ldap plugin in server.conf
○ # echo "plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf" >> /etc/openvpn/server.conf
○ # systemctl restart openvpn@server
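The auth-ldap.conf above stores the LDAP bind password in clear text and, with URL ldap:// and TLSEnable no, sends both that BindDN password and each user's VPN password over the network unencrypted when the plugin authenticates a client. The check below is an added example (not part of the original lab material) that flags that combination, verifies the configuration file is readable only by its owner, and confirms the plugin line appended to server.conf points at an existing module and at this configuration file. Directive names are those of the openvpn-auth-ldap configuration shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: review the openvpn-auth-ldap setup before restarting the server.
# Usage: check_ldap_auth /etc/openvpn/auth-ldap.conf /etc/openvpn/server.conf

# First value of a directive in auth-ldap.conf (the <LDAP>/<Authorization>
# section tags never match because they start with '<').
ldap_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

check_ldap_auth() {
    ldapconf=$1 serverconf=$2 rc=0

    url=$(ldap_value "$ldapconf" URL)
    tls=$(ldap_value "$ldapconf" TLSEnable)
    case $url in
        ldaps://*) ;;   # LDAP over TLS from the first byte
        ldap://*)
            # Without StartTLS both the BindDN password and every user's VPN
            # password travel in clear text between MON1 and the LDAP server.
            [ "$tls" = yes ] || { echo "WARN: $url with TLSEnable ${tls:-unset}: binds are unencrypted"; rc=1; }
            ;;
        *) echo "WARN: unrecognised URL '$url'"; rc=1 ;;
    esac

    # The file contains the BindDN password: group/other must have no access.
    mode=$(ls -ld "$ldapconf" | cut -c1-10)
    [ "${mode#????}" = "------" ] || { echo "WARN: $ldapconf is $mode; expected owner-only (chmod 600)"; rc=1; }

    # server.conf must load the plugin with this config, i.e. a line such as
    #   plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
    set -- $(awk '$1 == "plugin" { print $2, $3; exit }' "$serverconf")
    [ -n "$1" ] || { echo "FAIL: no plugin line in $serverconf"; return 1; }
    [ -r "$1" ] || { echo "FAIL: plugin module not found: $1"; rc=1; }
    [ "$2" = "$ldapconf" ] || { echo "WARN: plugin line uses '$2', not $ldapconf"; rc=1; }
    return $rc
}
```

Against the lab configuration as written, `check_ldap_auth /etc/openvpn/auth-ldap.conf /etc/openvpn/server.conf` reports the unencrypted bind; switching the URL to ldaps:// or setting TLSEnable yes (with a CA the LDAP server's certificate chains to) clears that warning.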
OpenVPN client on NF Auth LDAP using NetworkManager
1. Edit the client nmconnection file
○ # vim /etc/NetworkManager/system-connections/client.nmconnection

user-name=vpn
password-flags=0

[vpn-secrets]
password=Skills39

2. Don't forget to add the default route


3. Connect to Server
○ # nmcli connection up client
OpenVPN client on NF Auth LDAP using Systemd
1. Create the auth login file
○ # vim /etc/openvpn/login.txt
vpn
Skills39

2. Edit client.conf


○ # vim /etc/openvpn/client.conf
○ Add this line before <cert>

auth-user-pass /etc/openvpn/login.txt

3. Connect to Server
○ # systemctl start openvpn@client