LFCS – Tunneling

Jarret B

Tunneling is setting up a connection between two systems where the systems encrypt all data sent between them.

There are two types of tunneling that we will cover for the LFCS exam. The two types are:
  1. SSH
  2. openVPN
I will cover setting this up for both CentOS and Ubuntu. There will be a few packages we’ll need to add for either Server1 or Server2.

SSH Tunnel

SSH Tunneling allows you to forward a port to another port on another system. For instance, if you have an application or service on another system, you can access that program from a local port. Let’s say you have a web server that you want to access through an encrypted connection. The port on the web server is Port 80. We can set the local Port to 8080 and forward that to the web server on port 80.

So, to do this, you need to add some packages to your servers. We’ll use Server1 as our ‘client’ while Server2 is our web server.

For CentOS systems, perform the following commands in a terminal:

Server1 and Server2:

Code:
sudo yum install w3m openssh-clients -y

Server2:

Code:
sudo yum install httpd openssh-server -y

For Ubuntu, do these commands:

Server1 and Server2:

Code:
sudo apt install w3m openssh-client -y

Server2:

Code:
sudo apt install apache2 openssh-server -y

NOTE: Some packages may already be present.

This should install everything you need. You can check to see that the web service is running:

Code:
(CentOS) sudo systemctl status httpd

(Ubuntu) sudo systemctl status apache2

The service should be running and enabled.

To test the web services, you can run ‘w3m localhost’ from a Terminal on Server2. You should see a test page appear for the web server.

To set up the SSH Tunnel, we’ll run the following command from a terminal prompt:

Code:
ssh -f -L 8080:localhost:80 root@server2 -N

The following explains the parameters being used:

  • -f – used to put SSH in the background so we can run other programs through the SSH Tunnel
  • -L – binds a Port for a host to a port on the connected system
  • -N - do not execute a remote command
With the SSH process in the background, connections to local Port 8080 are captured and carried through the tunnel to the remote system, where they are delivered to localhost Port 80 on the remote server. We connect to the remote server as the user ‘root’, though you can use your regular user account instead. The system we connect to is ‘server2’, denoted by ‘@server2’; you can use its IP Address instead for better results. Since we only want to open a tunnel and keep it open, we do not need to execute any remote commands.

Once you run the command, you should be back at a command prompt.

NOTE: If an error occurs, try to replace the hostname (server2) with the IP Address of Server2. Use the command ‘ip a’ to find the IP Address.

From Server1, which should not have a web server on it, use the next command to connect to the web server through the SSH Tunnel:

Code:
w3m http://localhost:8080

The test page should appear from Server2. Press ‘Q’ to quit w3m and then ‘y’ to approve you quitting the program.

To end the SSH Tunnel, you need to find the Process ID of the SSH Tunnel. Run the command to get the Process ID:

Code:
ps -ef | grep "ssh -f"

The first number of the first result should be what you need. Use the command ‘sudo kill <pid>’. Make sure you get the Process ID (pid) correct.

Just keep in mind that you can set up the connection and leave it as long as needed. The connection is only useful for connecting to one system.

Be sure to change the ports you need for a specific application. If the local port is 1024 or below, then you need to run the ssh command with elevated privileges.
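The start, check and stop steps above, wrapped in shell functions as an added example (not from the original article). It assumes ssh(1) and ss(8) are installed and uses the article's ‘root@server2’ as REMOTE; the PID lookup matches on the command column of ‘ps -ef’ so the grep process itself, or an unrelated ssh session, is never the one killed.

```shell
#!/bin/sh
# Added example (not from the original article): wrap the tunnel from the
# article in start/check/stop functions so the right process is killed.
# Assumptions: ssh(1) and ss(8) are installed; REMOTE is the user@host used
# in the article (a regular account and the IP address are preferred).

LOCAL_PORT=8080
REMOTE_PORT=80
REMOTE=root@server2

# Print the PID of the background tunnel for a given local port.
# Reads `ps -ef` output on stdin; column 8 is the command name, so the
# grep process itself (or an unrelated ssh session) is never matched.
tunnel_pid_from_ps() {
  awk -v p="$1" '$8 == "ssh" && $0 ~ ("-L " p ":") { print $2; exit }'
}

# Same command as the article: background (-f), forward (-L), no remote command (-N).
start_tunnel() {
  ssh -f -L "$LOCAL_PORT:localhost:$REMOTE_PORT" "$REMOTE" -N
}

# -L binds to the loopback address by default; confirm the port is only reachable locally.
tunnel_listening() {
  ss -ltn | grep -q "127\.0\.0\.1:$LOCAL_PORT[[:space:]]"
}

# Look up the PID of our tunnel only and end it; returns 1 if none is running.
stop_tunnel() {
  pid=$(ps -ef | tunnel_pid_from_ps "$LOCAL_PORT")
  [ -n "$pid" ] || return 1
  kill "$pid"
}
```

Source the file and call ‘start_tunnel’, ‘tunnel_listening’ and ‘stop_tunnel’ in that order; ‘w3m http://localhost:8080’ works between the first two as in the article.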

openVPN

This part of the article will be quite involved.

With openVPN, all outgoing ports and requests will go through the openVPN Server. It is not like SSH where one tunnel is for one port. This does them all.

In this setup, we will use Server2 as the openVPN Server and Server1 as a client.

If you are using VirtualBox, make sure both systems have the ‘NATNetwork’ adapter. And only Server2 has a ‘Bridged’ adapter. This will allow the data from Server1 to go to Server2 on the NATNetwork and through the openVPN service to the Bridged adapter and out to the Internet.

So, let’s get to work.

Setup openVPN Server (Server2)

If you are using this article for openVPN and you have done no other LFCS article, then you need to install the EPEL Release Repository with the command ‘yum install epel-release’.

NOTE: These instructions are for CentOS and not Ubuntu.

We can install the openVPN packages with the command ‘sudo yum install openvpn -y’. You may also need to get the ‘wget’ package with ‘sudo yum install wget -y’.

We’ll need a Certificate Authority to create keys for connecting systems to the openVPN Server. Make sure you perform ‘sudo su’ to get Root privileges. Then make sure you are in the Home folder with ‘cd ~’. The command to download easy-rsa is ‘wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.8.tar.gz’. You can go to the page at https://github.com/OpenVPN/easy-rsa to see the newest version listed on the right side. When I wrote this, there was version 3.1.1 available, but I stuck with version 3.0.8 since I know it works the way I’m used to it working. I did not want to open a new can of worms.

Once you download the file, extract it with the command ‘tar -xvf v3.0.8.tar.gz’. Once you extract the files, we need to create a new folder and move the extracted files into it. Perform the command ‘mkdir /etc/openvpn/easy-rsa’. Now copy the files with ‘cp -r /root/easy-rsa-3.0.8/* /etc/openvpn/easy-rsa’. The ‘-r’ is required to copy a directory tree, and copying the contents rather than the folder itself gives the ‘/etc/openvpn/easy-rsa/easyrsa3’ path used below. If you want, you can move (mv) them instead of copying (cp) the files.

Now that everything is installed, it is time to configure openVPN.

Configure openVPN (server2)

To configure the openVPN server, go back to the Home Folder (‘cd ~’ or ‘cd’). We need to get a copy of the sample configuration file named ‘server.conf’. Use the command ‘cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn’. Make a note of the folder name with the version number. If it doesn’t work, start typing the folder's name and then press TAB to auto-complete it.

Now, we need to edit the file to make changes specific to our server. Use ‘vi /etc/openvpn/server.conf’. Uncomment the lines:

  • topology subnet
  • push "redirect-gateway def1 bypass-dhcp"
  • push "dhcp-option DNS 208.67.222.222"
  • push "dhcp-option DNS 208.67.220.220"
  • user nobody
  • group nobody
For the two lines containing a DNS IP Address, you can change these out to Google’s addresses of 8.8.8.8 and 8.8.4.4.

The next line needs to be commented out by adding a semicolon in front of it:
  • tls-auth ta.key 0 # This file is secret
After commenting out that line, add the following line below it:

  • tls-crypt myvpn.tlsauth
Save the file and exit the editor. We need to create the file we specified, ‘myvpn.tlsauth’, with the command ‘openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth’.
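The server.conf edits listed above, done with awk instead of vi and followed by a check that they all took, as an added example (not from the original article). It assumes the stock OpenVPN 2.4 sample server.conf, where a leading ‘;’ disables a directive and the tls-auth line begins ‘tls-auth ta.key 0’; the key file name ‘myvpn.tlsauth’ is the one the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): apply the server.conf edits
# described above with awk instead of vi, then verify the result.
# Assumes the stock OpenVPN 2.4 sample server.conf, where a leading ";"
# disables a directive and the tls-auth line reads "tls-auth ta.key 0 ...".

# Read the sample server.conf on stdin, write the edited configuration on stdout.
configure_server_conf() {
  awk '
    /^;topology subnet$/                                  { sub(/^;/, "") }
    /^;push "redirect-gateway def1 bypass-dhcp"$/         { sub(/^;/, "") }
    /^;push "dhcp-option DNS 208\.67\.22[02]\.22[02]"$/   { sub(/^;/, "") }
    /^;user nobody$/                                      { sub(/^;/, "") }
    /^;group nobody$/                                     { sub(/^;/, "") }
    # Comment out tls-auth and put the tls-crypt line directly below it.
    /^tls-auth ta\.key 0/ { print ";" $0; print "tls-crypt myvpn.tlsauth"; next }
    { print }'
}

# Read a server.conf on stdin; exit 0 only if every directive the article
# enables is active, tls-crypt names the key we generate, and no tls-auth
# line is still live (OpenVPN refuses a config with both set).
check_server_conf() {
  awk '
    /^topology subnet$/                            { seen["topology"] = 1 }
    /^push "redirect-gateway def1 bypass-dhcp"$/   { seen["gateway"] = 1 }
    /^push "dhcp-option DNS /                      { dns++ }
    /^user nobody$/                                { seen["user"] = 1 }
    /^group nobody$/                               { seen["group"] = 1 }
    /^tls-crypt myvpn\.tlsauth$/                   { seen["tlscrypt"] = 1 }
    /^tls-auth /                                   { bad = 1 }
    END {
      ok = seen["topology"] && seen["gateway"] && dns >= 1 &&
           seen["user"] && seen["group"] && seen["tlscrypt"] && !bad
      exit !ok
    }'
}
```

Run it as ‘configure_server_conf < /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf > /etc/openvpn/server.conf’ and then ‘check_server_conf < /etc/openvpn/server.conf’ before starting the service.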

We now need a file that sets the variables used when generating keys. The file doesn’t exist, so we need to take an example file and modify it for our use. To copy the sample file, move into the folder with the command ‘cd /etc/openvpn/easy-rsa/easyrsa3’. If you list the files with the command ‘ls’, you should see a file named ‘vars.example’. We need to copy this to a file named ‘vars’ by issuing ‘cp vars.example vars’. You should now see a file named ‘vars’ when you perform a list (ls) command.

Open the ‘vars’ file in an editor and find the following lines, changing them to match your location:

Code:
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"

Remove the pound sign from each line and then change the information in the quotes as you need. Go to the end of the file and add the following two lines:

Code:
export KEY_NAME="server"
export KEY_CN=openvpn.<domain>.com

Modify ‘<domain>’ to match your domain name you set up in the /etc/hosts’ file.

Once you have made these changes, save the file and exit your editor.

The next step is to initialize the PKI directory, which removes any existing keys. Do not run the command if you already have keys you use.

Code:
./easyrsa init-pki

Now that the keys are all cleared, we can build a new Certificate Authority (CA) with the command:

Code:
./easyrsa build-ca

It will prompt you for a passphrase for the CA key. If you do not want to be prompted for it each time you sign a certificate, add the parameter ‘nopass’ to the command.

We need to create a key for the server and name it. The command is:

Code:
./easyrsa build-server-full <server-name> nopass

Again, we use the parameter ‘nopass’ so we aren’t prompted for a password. The ‘<server-name>’ is replaced with the name you choose for the server certificate. The name doesn’t need to match the hostname. The sample server.conf references ‘server.crt’ and ‘server.key’, and the copy commands later in this article use those names, so name it ‘server’.

We need to create a Diffie-Hellman parameters file, which allows two systems to negotiate a shared secret key over an unsecured connection. Before the encrypted tunnel is set up, the two systems need to agree on a secret key for encryption and decryption. The command to do this is ‘./easyrsa gen-dh’.

Now, as a final step, every client needs to have a certificate and key. To generate these, create one for each user and name it the same as their username. You could create one and copy it among them, but a separate certificate for each client is best. To create one, use the command ‘./easyrsa build-client-full <client-name> nopass’. Just change the ‘<client-name>’ to your desired name for each client; the client setup below assumes the name ‘client’.

Now that the certificate and keys are generated, we need to place them in a centralized location, ‘/etc/openvpn’. Switch to the folder ‘/etc/openvpn/easy-rsa/easyrsa3/pki’ and perform:

Code:
cp ca.crt dh.pem /etc/openvpn
cd private
cp ca.key server.key /etc/openvpn
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn

One last file needs to be managed. We need to copy a file and rename it at the same time. Perform the following command to manipulate the last file ‘cp /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem’.

The server is nearly there. We need to start up the firewall service if it is not started. Issue the command ‘systemctl start firewalld’. You’ll need to add the service to the firewall service to allow it to pass information through the firewall, ‘firewall-cmd --add-service openvpn’.

Now we only need to enable the openVPN service with the command ‘systemctl -f enable openvpn@server’. The name after the ‘@’ symbol is the name of the configuration file in ‘/etc/openvpn’ without the ‘.conf’ extension; since we copied ‘server.conf’ there, the name is ‘server’.

Now that the service is enabled to start at system startup, start it right now with ‘systemctl start openvpn@server’. Use the same name again.

You should see no errors and you should be back at a command prompt. You can check the status to verify it is running with ‘systemctl status openvpn@server’. Make sure you use the proper configuration name.

The server should now be running. You can also verify the VPN is working by running ‘ip a’ and the last entry should be ‘tun0’ for ‘tunnel 0’.

Client Side Setup

For the client side, another CentOS 7 system, we’ll need to copy four files from the openVPN server. To do this, we use the SSH protocol to copy the files with the command ‘scp’. Perform the following commands; the last four copy the files (they assume the client certificate was named ‘client’):

Code:
sudo su
cd /root
mkdir certs
cd certs
scp root@server2:/etc/openvpn/ca.crt .
scp root@server2:/etc/openvpn/easy-rsa/easyrsa3/pki/private/client.key .
scp root@server2:/etc/openvpn/easy-rsa/easyrsa3/pki/issued/client.crt .
scp root@server2:/etc/openvpn/myvpn.tlsauth .

We need to copy a sample file named ‘client.conf’ into the ‘/root/certs’ folder. Change to the ‘/root/certs’ folder and issue the command ‘cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf .’. Open the file in an editor and erase all but the following, or simply cut and paste it:

Code:
client
dev tun
proto udp
remote server2 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /root/certs/ca.crt
cert /root/certs/client.crt
key /root/certs/client.key
tls-crypt /root/certs/myvpn.tlsauth
verb 3

Notice we put a path to the ‘crt’, ‘key’ and ‘tlsauth’ files we had copied to the client. Some of these lines were commented in the original file. Make sure they all copy correctly. Like I said, it may be best to copy and paste.

To start openVPN on the client, issue ‘openvpn --config client.conf’. From a second terminal, issue the command ‘ip a’ and confirm that the ‘tun0’ connection is shown.

NOTE: This terminal is now locked to the openVPN service and should not be closed unless you want the tunnel closed.

The connection is made and you should be able to ping the server through the tunnel by using the IP Addresses that are set aside for use by the tunnel, in this case 10.8.0.1 for the ‘gateway’ at Server2.

From Server2, you should be able to open a web browser and contact the Internet.

Conclusion

Using openVPN to connect two servers can be performed over the Internet to produce an encrypted connection. Anyone observing the network between the two systems cannot see the contents of what is exchanged.

For sensitive information that needs to be accessed over a public network, this is a good choice to keep things secure.

Be sure to understand the steps for the LFCS exam.