DMZ Without the Risk - Part 1: Setting Up OpenVPN

Discussion in 'Linux Networking' started by Eric Hansen, Oct 23, 2013.

  1. Eric Hansen (Moderator, Staff Writer)
    A friend of mine recently showed me a fun little project he was working on involving an unused VPS and PPTP. What he did is set up his VPS in Dallas as a VPN server and act as a proxy to serve requests from his home in Maryland. As you might suspect, there’s a bit of latency between requests while doing this, but if you want to have some fun this is the way to go!

    While we set up OpenVPN before in an LXC container, I'm not going to concern myself with that this time (though the same can be used here). Instead, what we are going to do is start from scratch and have some fun with it. Since I have a small VPS I’ll use that as well.

    Installing OpenVPN

    I’m typing this guide up as if you’re using Ubuntu/Debian since that is the distro I run on all of my Linux servers.

    First thing we need to do is install OpenVPN itself:

    Code:
    root@cs01:~# apt-get install openvpn

    Set Up OpenVPN

    Now we’ll make creating certificates so much easier:

    Code:
    root@cs01:~# cd /etc/openvpn/
    root@cs01:/etc/openvpn# mkdir easy-rsa
    root@cs01:/etc/openvpn# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa/
    root@cs01:/etc/openvpn# cd easy-rsa/

    What we need to do here is edit the vars file, which holds a lot of useful exports for our environment, but what we are focused on are the following:

    Code:
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="SanFrancisco"
    export KEY_ORG="Fort-Funston"
    export KEY_EMAIL="me@myhost.mydomain"

    Edit those to fit your needs, then save and exit. Now we need to import them into our environment.

    Code:
    root@cs01:/etc/openvpn/easy-rsa# source vars

    Now, I ran into an issue in that openssl.cnf was not found. To find out where the easy-rsa scripts will look for it, do this:

    Code:
    echo $KEY_CONFIG

    You should see something like this:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# echo $KEY_CONFIG
    /etc/openvpn/easy-rsa/openssl.cnf

    If that file doesn’t exist, then find out what version of OpenSSL you’re using:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# openssl version
    OpenSSL 1.0.1 14 Mar 2012

    Then copy or symlink the openssl.cnf for that OpenSSL version in /etc/openvpn/easy-rsa/ to wherever it’s looking for openssl.cnf; for me I did this:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# cp openssl-1.0.0.cnf openssl.cnf

    Let’s make sure everything is fresh:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# ./clean-all

    Finally, we’ll build the server-wide certificate (CA) file:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# ./build-ca
    Generating a 1024 bit RSA private key
    ............................................................................................++++++
    ..............++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [SanFrancisco]:
    Organization Name (eg, company) [Fort-Funston]:
    Organizational Unit Name (eg, section) [changeme]:
    Common Name (eg, your name or your server's hostname) [changeme]:
    Name [changeme]:
    Email Address [mail@host.domain]:

    Now we need to build the key for the server itself.

    Code:
    root@cs01:/etc/openvpn/easy-rsa# ./build-key-server thehive

    Replace “thehive” with whatever hostname your machine has (I was just being cute here). The process is similar to building the CA file. If you want, you can set a password for the certificate (recommended, but you’ll have to enter it every time you start OpenVPN). There is something else different here, however.

    You’ll see this:

    Code:
    Sign the certificate? [y/n]:

    This is basically saying “do you want to validate this certificate with the CA file?” You’ll want to sign it.

    Next, you’ll see this:


    Code:
    1 out of 1 certificate requests certified, commit? [y/n]

    This is basically the “are you sure you’re sure you want to make this happen?” Again, do it. Lastly, you’ll see this lovely output:

    Code:
    Write out database with 1 new entries
    Data Base Updated

    All of the keys we’ve created so far exist in /etc/openvpn/easy-rsa/keys. You can keep them there or move them (most people recommend /etc/openvpn/). I just keep them due to laziness. Just make sure you set the correct permissions (chmod 0400 *.key *.csr).

    The server will also need a Diffie-Hellman key file. By default it generates a 1024-bit file, which is fine for our purposes:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time

    You can find this as the “dh1024.pem” file in the aforementioned keys directory.

    Configuring OpenVPN Server

    Luckily for us OpenVPN already comes with a sample configuration file, so we’ll use that as a base:

    Code:
    root@cs01:/etc/openvpn/easy-rsa# cd ..
    root@cs01:/etc/openvpn# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    root@cs01:/etc/openvpn# gzip -d server.conf.gz

    The parts that we need to edit are the paths to the key files we made. They are relative to the directory where the config file is found (in this case /etc/openvpn), so keep that in mind if you need to make any changes to the path of the key files.

    Code:
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/thehive.crt
    key easy-rsa/keys/thehive.key
    dh easy-rsa/keys/dh1024.pem

    Start OpenVPN now:

    Code:
    root@cs01:/etc/openvpn# service openvpn start
    * Starting virtual private network daemon(s)...
      *  Autostarting VPN 'server'

    If you don’t see anything acknowledging that it started, check netstat (or ss if you have that instead):

    Code:
    root@cs01:/etc/openvpn# netstat -ntlup
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address  Foreign Address  State  PID/Program name
    tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN  232/sshd 
    tcp6  0  0 :::22  :::*  LISTEN  232/sshd 
    udp  0  0 0.0.0.0:1194  0.0.0.0:*  660/openvpn

    Next thing you want to check for is a tun interface (tun0 for me):

    Code:
    root@cs01:/etc/openvpn# ifconfig | grep '^tun'
    tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

    Code:
    root@cs01:/etc/openvpn# ifconfig tun0
    tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
    inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    If yours looks like this, then you should be fine. If you are doing this on a VPS you might have to enable the TUN/TAP interface. This is out of the scope of this guide but is easy to do in SolusVM.

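A pre-flight check for the server.conf layout Eric describes above, added here as an example; it is not code from the original post. It resolves the ca/cert/key/dh directives relative to the config's own directory (as the post says, /etc/openvpn), confirms each file exists, flags a private key that is not 0400/0600, and, when openssl is on PATH, reports a key or DH group under 2048 bits and a certificate whose modulus does not match the key (a classic reason the daemon refuses to start after an easy-rsa rebuild). The hostname thehive and the paths are the post's; the function names, the constructed placeholder tree and the 2048-bit threshold are my assumptions. The 1024-bit sizes in the post's output come from easy-rsa 2.0's `export KEY_SIZE=1024` in vars; raising it to 2048 before `./clean-all` and `./build-ca` is the fix on anything you still run today.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for an
# OpenVPN server.conf laid out as in the post (config in /etc/openvpn, PKI under
# easy-rsa/keys/). Assumptions: relative paths resolve from the config's own
# directory; GNU `stat -c %a` (BSD `stat -f %Lp` as fallback); `openssl` on PATH
# for the optional size and cert/key checks (skipped, not failed, when absent).

# Resolve a config-relative path; absolute paths pass through untouched.
resolve_path() {
    # $1 = config file, $2 = path as written in the config
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Size in bits of an RSA private key or DH parameter file, or "unknown".
pem_bits() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$( { openssl rsa -in "$1" -noout -text -passin pass: 2>/dev/null \
             || openssl dhparam -in "$1" -noout -text 2>/dev/null; } \
           | sed -n 's/^.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    echo "${out:-unknown}"
}

# 0 if the certificate's RSA modulus equals the key's, 1 on mismatch,
# 2 when undeterminable (no openssl, unreadable or passphrase-protected files).
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null || true)
    k=$(openssl rsa -in "$2" -noout -modulus -passin pass: 2>/dev/null || true)
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Walk the ca/cert/key/dh directives of a server.conf, print every problem found
# and return non-zero if there was one. Keys or DH groups under 2048 bits count.
check_openvpn_config() {
    conf=$1; problems=0; cert_path=; key_path=
    for directive in ca cert key dh; do
        rel=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$rel" ]; then
            echo "MISSING DIRECTIVE: $directive"; problems=$((problems + 1)); continue
        fi
        path=$(resolve_path "$conf" "$rel")
        if [ ! -f "$path" ]; then
            echo "MISSING FILE: $directive -> $path"; problems=$((problems + 1)); continue
        fi
        case "$directive" in
            cert) cert_path=$path ;;
            key)  key_path=$path
                  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
                  case "$mode" in
                      400|600) ;;
                      *) echo "WEAK PERMS: $path is mode $mode (chmod 0400 it)"
                         problems=$((problems + 1)) ;;
                  esac ;;
        esac
        if [ "$directive" = key ] || [ "$directive" = dh ]; then
            bits=$(pem_bits "$path")
            if [ "$bits" != unknown ] && [ "$bits" -lt 2048 ]; then
                echo "WEAK SIZE: $path is $bits bits (rebuild with KEY_SIZE=2048)"
                problems=$((problems + 1))
            fi
        fi
    done
    if [ -n "$cert_path" ] && [ -n "$key_path" ]; then
        rc=0; cert_matches_key "$cert_path" "$key_path" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "MISMATCH: $cert_path was not issued for $key_path"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo tree mirroring the post's layout. The PKI files are empty
# placeholders, not real keys; the key is left at the default 0644 on purpose.
make_demo_tree() {
    mkdir -p "$1/easy-rsa/keys"
    for f in ca.crt thehive.crt thehive.key dh1024.pem; do : > "$1/easy-rsa/keys/$f"; done
    chmod 0644 "$1/easy-rsa/keys/thehive.key"
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
        'ca easy-rsa/keys/ca.crt' 'cert easy-rsa/keys/thehive.crt' \
        'key easy-rsa/keys/thehive.key' 'dh easy-rsa/keys/dh1024.pem' > "$1/server.conf"
}

# `sh check_openvpn.sh --demo`: first run reports the 0644 key, second run is clean.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_tree "$d"
    check_openvpn_config "$d/server.conf" || echo "-> fix the findings above"
    chmod 0400 "$d/easy-rsa/keys/thehive.key"
    check_openvpn_config "$d/server.conf" && echo "-> $d/server.conf looks sane"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the findings against the constructed tree, or source the file and call `check_openvpn_config /etc/openvpn/server.conf` on the real box before `service openvpn start`. The size check reads the bit length out of the files themselves rather than trusting whatever vars said when they were built, so it also catches a dh1024.pem left behind by an earlier `./build-dh` after KEY_SIZE was raised.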
  2. DevynCJohnson (Staff Member, Staff Writer)
    Debian-based systems are also the most popular. Even for non-Debian users, the directions are the same. Instead of

    Code:
    root@cs01:~# apt-get install openvpn

    it would be

    Code:
    root@cs01:~# yum install openvpn

    for RedHat-based systems.

    Some of the directories may be different, but overall, these directions work for nearly any Linux distro. Maybe even some Unix systems.
  3. Eric Hansen (Moderator, Staff Writer)
    Thanks :) For the most part they are, but at the same time I don't have an RPM-based system readily available to test-drive things on, so I like to CMA when doing things where things could differ.
