DMZ Without the Risk - Part 2: Setting Up the Client

Discussion in 'Linux Networking' started by Eric Hansen, Oct 23, 2013.

  1. Eric Hansen

    In the last part of this series we set up an OpenVPN server from scratch in a VPS. Now we are going to set up the client. Again this will be done on Debian/Ubuntu.

    Installing OpenVPN is the same:

    Code:
    root@SKYNet:~# apt-get install openvpn

    Now on the server we need to generate a certificate for this client as well (when the prompt comes up set the Common Name to the hostname if it's not already):

    Code:
    root@cs01:/etc/openvpn# cd easy-rsa/
    root@cs01:/etc/openvpn/easy-rsa# ./build-key SKYNet

    This will create a SKYNet.csr/crt key pair in the keys/ directory. Now, what we need to ensure is transferred is the CA file and the SKYNet files:

    (Server)
    Code:
    root@cs01:/etc/openvpn/easy-rsa# tar -cf /home/ehansen/keys.tar.gz keys/{ca.crt,SKYNet.crt,SKYNet.key}
    root@cs01:/etc/openvpn/easy-rsa# chown ehansen:ehansen /home/ehansen/keys.tar.gz
    (Client)
    Code:
    root@SKYNet:/etc/openvpn# scp ehansen@cs01.example.com:keys.tar.gz .
    ehansen@cs01.example.com's password:
    keys.tar.gz  100%  10KB  10.0KB/s  00:00

    We need a client config, so we'll work with this one:

    Code:
    root@SKYNet:/etc/openvpn# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .

    We will also need to extract our keys so we can use them:

    Code:
    root@SKYNet:/etc/openvpn# tar -xf keys.tar.gz
    root@SKYNet:/etc/openvpn# ls
    client.conf  keys  keys.tar.gz  update-resolv-conf

    There are a few lines in the client.conf we need to edit as well:

    Code:
    remote cs01.example.com 1194

    Change "cs01.example.com" to point to the OpenVPN server (can either be IP or hostname).

    Code:
    ca keys/ca.crt
    cert keys/SKYNet.crt
    key keys/SKYNet.key

    Same as what we had to do for the server, just we're using the client cert and key this time.

    Now we need to start the client:

    Code:
    root@SKYNet:/etc/openvpn# service openvpn restart
    * Stopping virtual private network daemon(s)...
      *  Stopping VPN 'client'  [ OK ]
    * Starting virtual private network daemon(s)...
      *  Autostarting VPN 'client'

    Not done just yet though. Again we need to make sure it's running:

    Code:
    root@SKYNet:/etc/openvpn# ifconfig tun0
    tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    A tun adapter won't be created if OpenVPN isn't started or running. Make note of the inet addr (10.8.0.6 in my case). We'll need that in the next part.

    Now for the final test, see if you can ping the server itself (10.8.0.1):

    Code:
    root@SKYNet:/etc/openvpn# ping -c 1 10.8.0.1
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=41.7 ms
    --- 10.8.0.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 41.733/41.733/41.733/0.000 ms

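A sanity check for the client configured above, added here as an example and not part of Eric's post or of OpenVPN itself: it parses client.conf, confirms that the remote/ca/cert/key directives the post edits are present and point at files that exist, flags a SKYNet.key readable by group or other, and warns when `remote-cert-tls server` is not set (without it, any client certificate signed by the same CA would be accepted as the server; this assumes the server certificate was issued with build-key-server, which sets the server extensions). Relative paths are assumed to resolve against the directory holding client.conf (/etc/openvpn in the post), and `write_fixture` builds a constructed dummy tree with fake PEM files purely to exercise the check.

```python
import os
import tempfile
from pathlib import Path

# Directives the post edits in client.conf; each must be present and uncommented.
REQUIRED = ("remote", "ca", "cert", "key")

def parse_conf(text):
    """Map each uncommented OpenVPN directive to a list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):  # both '#' and ';' introduce comments
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def audit_client_conf(conf_path):
    """Return a list of findings; an empty list means the client config passes."""
    conf_path = Path(conf_path)
    base = conf_path.parent  # assumption: relative paths resolve against /etc/openvpn
    conf = parse_conf(conf_path.read_text())
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in conf]
    for d in ("ca", "cert", "key"):
        for args in conf.get(d, []):
            path = base / args[0]
            if not path.is_file():
                findings.append(f"{d} file not found: {path}")
            elif d == "key" and path.stat().st_mode & 0o077:
                findings.append(f"private key readable by group/other: {path}")
    # Without this, any client cert signed by the same CA could be presented as the server.
    if "remote-cert-tls" not in conf:
        findings.append("remote-cert-tls server not set")
    return findings

def write_fixture(directory=None, key_mode=0o600, harden=True):
    """Constructed stand-in for /etc/openvpn after the post's steps (dummy PEM files)."""
    d = Path(directory or tempfile.mkdtemp())
    (d / "keys").mkdir(exist_ok=True)
    for name in ("ca.crt", "SKYNet.crt", "SKYNet.key"):
        (d / "keys" / name).write_text("-----CONSTRUCTED DUMMY, NOT A REAL KEY-----\n")
    os.chmod(d / "keys" / "SKYNet.key", key_mode)
    lines = ["client", "dev tun", "remote cs01.example.com 1194",
             "ca keys/ca.crt", "cert keys/SKYNet.crt", "key keys/SKYNet.key"]
    if harden:
        lines.append("remote-cert-tls server")
    (d / "client.conf").write_text("\n".join(lines) + "\n")
    return d / "client.conf"
```

On a real client run `audit_client_conf("/etc/openvpn/client.conf")`; `write_fixture()` exists only to build the dummy tree the check is demonstrated on.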
  2. DevynCJohnson

    On November 15, this article had 1431 views and part 3 had 4196. Who reads part 3 of a series and skips part 2? o_O
