DMZ Without the Risk - Part 2: Setting Up the Client

Eric Hansen

In the last part of this series we set up an OpenVPN server from scratch on a VPS. Now we are going to set up the client. Again, this will be done on Debian/Ubuntu.

Installing OpenVPN is the same:

Code:
root@SKYNet:~# apt-get install openvpn
Now, on the server, we need to generate a certificate for this client as well (when the prompt comes up, set the Common Name to the client's hostname if it isn't already; each client needs a distinct Common Name, since that is how the server tells them apart):

Code:
root@cs01:/etc/openvpn# cd easy-rsa/
root@cs01:/etc/openvpn/easy-rsa# ./build-key SKYNet
This creates SKYNet.key (the private key), SKYNet.csr (the signing request) and SKYNet.crt (the signed certificate) in the keys/ directory. What has to reach the client is the CA certificate plus the SKYNet certificate and private key. Because build-key generated the private key on the server, it now has to be copied across; if you would rather the key never leave the client, generate the key and CSR on the client instead and send only the CSR to the server for signing. Either way, keep the bundle readable only by its owner, since it contains a private key:

(Server)
Code:
root@cs01:/etc/openvpn/easy-rsa# tar -czf /home/ehansen/keys.tar.gz keys/{ca.crt,SKYNet.crt,SKYNet.key}
root@cs01:/etc/openvpn/easy-rsa# chown ehansen:ehansen /home/ehansen/keys.tar.gz
root@cs01:/etc/openvpn/easy-rsa# chmod 600 /home/ehansen/keys.tar.gz
(Client)
Code:
root@SKYNet:/etc/openvpn# scp [email protected]:keys.tar.gz .
[email protected]'s password:
keys.tar.gz  100%  10KB  10.0KB/s  00:00
We need a client config, so we’ll work with this one:

Code:
root@SKYNet:/etc/openvpn# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
We will also need to extract our keys so we can use them:

Code:
root@SKYNet:/etc/openvpn# tar -xf keys.tar.gz
root@SKYNet:/etc/openvpn# ls
client.conf  keys  keys.tar.gz  update-resolv-conf
There are a few lines in client.conf we need to edit as well:

Code:
remote cs01.example.com 1194
Change “cs01.example.com” to point to the OpenVPN server (can either be IP or hostname).

Code:
ca keys/ca.crt
cert keys/SKYNet.crt
key keys/SKYNet.key
Same as what we had to do for the server, except this time we point at the client certificate and key. The paths are relative to /etc/openvpn because the Debian init script runs the daemon from there. One line worth adding here (it is commented out or absent in the sample config) is `remote-cert-tls server`: without it the client accepts any certificate signed by our CA as the server, so a compromised client certificate could be used to impersonate the server to other clients. It requires the server certificate to have been created with build-key-server rather than build-key.
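Before starting the daemon it is worth checking that the edits above actually landed and that nothing is left in a risky state. The shell function below is an added example written for this article, not code from the original post or from the OpenVPN project. It reads a client.conf, confirms that `remote` is no longer the sample placeholder, confirms that the ca/cert/key files exist (relative paths resolved against the config directory, as the init script does with /etc/openvpn), warns if the private key is group- or world-readable, and warns if `remote-cert-tls server` is missing. The `make_fixture` helper builds a constructed config with placeholder files (not real keys) so the checker can be run offline; the keys/ layout and SKYNet names are taken from the article.

```shell
#!/bin/sh
# Sanity checks for an OpenVPN client.conf before starting the daemon.
# Usage: check_client_conf /etc/openvpn/client.conf [/etc/openvpn]
# Prints one line per finding; returns 0 when nothing blocking was found.
check_client_conf() {
    conf=$1
    base=${2:-$(dirname "$conf")}   # relative ca/cert/key paths resolve here
    rc=0

    # 1. 'remote' must point at the real server, not the sample placeholder.
    #    Commented lines (";remote" / "#remote") are skipped by the $1 match.
    remote=$(awk '$1=="remote"{print $2; exit}' "$conf")
    case "$remote" in
        ""|my-server-1|my-server-2)
            echo "ERROR: remote is unset or still the sample placeholder ('$remote')"
            rc=1 ;;
    esac

    # 2. ca/cert/key must be present and point at readable files.
    for kind in ca cert key; do
        f=$(awk -v k="$kind" '$1==k{print $2; exit}' "$conf")
        if [ -z "$f" ]; then
            echo "ERROR: no '$kind' directive in $conf"; rc=1; continue
        fi
        case "$f" in /*) p=$f ;; *) p=$base/$f ;; esac
        if [ ! -r "$p" ]; then
            echo "ERROR: $kind file $p missing or unreadable"; rc=1; continue
        fi
        # 3. The private key must not be group- or world-readable.
        if [ "$kind" = key ]; then
            mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
            case "$mode" in
                *00) ;;   # 600, 400, 700: owner only
                *) echo "WARN: $p has mode $mode; run chmod 600 on it" ;;
            esac
        fi
    done

    # 4. Without this the client accepts any cert signed by the CA as the
    #    server, so one leaked client cert can impersonate the server.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server)' "$conf"; then
        echo "WARN: add 'remote-cert-tls server' (needs a server cert built with build-key-server)"
    fi
    return $rc
}

# Constructed fixture (hypothetical, dummy files, not real keys) in a temp
# dir so the checker can be exercised offline. $1 is the remote host to use.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/keys"
    for f in ca.crt SKYNet.crt SKYNet.key; do
        printf 'placeholder, not a real key\n' > "$dir/keys/$f"
    done
    chmod 600 "$dir/keys/SKYNet.key"
    printf '%s\n' 'client' "remote $1 1194" 'ca keys/ca.crt' \
        'cert keys/SKYNet.crt' 'key keys/SKYNet.key' 'remote-cert-tls server' \
        > "$dir/client.conf"
    echo "$dir"
}

# With arguments: check the given config. Without: run against the fixture.
if [ $# -ge 1 ]; then
    check_client_conf "$@"
else
    fx=$(make_fixture cs01.example.com)
    check_client_conf "$fx/client.conf" "$fx" && echo "fixture OK"
fi
```

On the real box run it as `sh check.sh /etc/openvpn/client.conf` from any directory; the second argument is only needed if the config lives somewhere other than the directory the daemon is started from.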

Now we need to start the client. The init script starts one instance per .conf file in /etc/openvpn, which is why it reports ours as VPN 'client':

Code:
root@SKYNet:/etc/openvpn# service openvpn restart
* Stopping virtual private network daemon(s)...
  *  Stopping VPN 'client'  [ OK ]
* Starting virtual private network daemon(s)...
  *  Autostarting VPN 'client'
Not done just yet though. Again we need to make sure it's running:

Code:
root@SKYNet:/etc/openvpn# ifconfig tun0
tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
A tun adapter won't exist if OpenVPN isn't running or never completed the TLS handshake; in that case look for the openvpn messages in the syslog (e.g. /var/log/syslog). Make note of the inet addr (10.8.0.6 in my case). We'll need that in the next part.

Now for the final test, see if you can ping the server itself (10.8.0.1):
Code:
root@SKYNet:/etc/openvpn# ping -c 1 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=41.7 ms
--- 10.8.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 41.733/41.733/41.733/0.000 ms
On November 15, this article had 1431 views and part 3 had 4196. Who reads part 3 of a series and skips part 2? o_O