01/09/13

Getting started with OpenVPN (server) – Low End Box

LowEndBox
Hosting Websites on Bare Minimum VPS/Dedicated Servers

Getting started with OpenVPN (server)
tutorials

August 31, 2013 @ 1:22 pm, by Maarten Kossen

There are various ways to set up a Virtual Private Network (VPN). With the various protocols available to
use for VPN and all the software out there, it’s often a spider’s web when you just want to set up a VPN.
Well, rest assured: it’s not that hard!
A VPN can be useful for various things, but it’s often used for one of these:
Secure connection to an internal office network not accessible from the outside
Secure connection to the internet on public wifi (although from the VPN server on it’s back to
“default” security)
Hiding your real IP/masking your location (for example: using Netflix outside the USA)
I’m going to show you how to set up OpenVPN using a ‘tap’ device. For this, you need a KVM or Xen
VPS, or an OpenVZ VPS which supports TAP. If you use an OpenVZ VPS, be sure to enable TAP first
from the control panel (it requires a reboot). Other than that, there are no real system requirements. This guide
works on both CentOS and Ubuntu.
I’ve chosen OpenVPN because it’s a well-established open source solution with good client software
support. Alternatives I considered were PPTP, which has some security issues, and IPSec/L2TP,
which has a more complicated setup and software that has some “quirks”.

Installing software
First of all, let’s install the software.

Ubuntu
sudo apt-get install openvpn

CentOS
sudo yum install openvpn

lowendbox.com/blog/getting-started-with-openvpn-server/

Enable IPv4 forwarding
IPv4 forwarding needs to be enabled, otherwise packets can’t go from the internet, via the VPS, to you. To
enable this, open up /etc/sysctl.conf and find a line that looks like:
net.ipv4.ip_forward=1
The value for this option should be '1'. Sometimes it’s commented out (Ubuntu) and sometimes it’s a '0'
(CentOS). Make sure it looks like the line above, save the file and run:
sudo sysctl -p
which reloads these settings. Alternatively, reboot.
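Added example (not from the original post): a POSIX sh checker and fixer for that line, covering the commented-out (Ubuntu) and 0 (CentOS) cases described above. The function names ip_forward_state and ensure_ip_forward are chosen here, and the file path is passed in so you can try it on a copy before touching /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the original post: inspect and repair the
# net.ipv4.ip_forward setting in a sysctl.conf-style file.

# ip_forward_state FILE
# Prints one of: enabled, disabled, commented, missing
ip_forward_state() {
    file="$1"
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$file"; then
        echo enabled          # an active "= 1" line exists
    elif grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$file"; then
        echo disabled         # active line, but some other value (CentOS default: 0)
    elif grep -Eq '^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$file"; then
        echo commented        # present but commented out (Ubuntu default)
    else
        echo missing          # not in the file at all
    fi
}

# ensure_ip_forward FILE
# Rewrites FILE so it contains an active "net.ipv4.ip_forward=1" line:
# existing active or commented lines are replaced in place, otherwise the
# setting is appended. Returns 0 when the file ends up in the enabled state.
ensure_ip_forward() {
    file="$1"
    tmp="$file.tmp.$$"
    if [ "$(ip_forward_state "$file")" = missing ]; then
        printf 'net.ipv4.ip_forward=1\n' >> "$file"
    else
        # Replace any matching line (commented or not), keep everything else.
        sed -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*$/net.ipv4.ip_forward=1/' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    fi
    [ "$(ip_forward_state "$file")" = enabled ]
}
```

After changing the real file, `sudo sysctl -p` applies it and `cat /proc/sys/net/ipv4/ip_forward` shows the value the kernel is actually using.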

Generating keys
Now that the software is installed, let’s start by generating the keys used for encryption and authentication.
First, create a directory that’s going to hold the keys and the scripts to generate them:
sudo mkdir /etc/openvpn/easy-rsa
Next, download the key generation software:
wget https://github.com/OpenVPN/easy-rsa/archive/v2.2.0.tar.gz -O easy-rsa.tar.gz
Ubuntu already has these scripts included, but CentOS doesn’t. For the sake of simplicity, downloading them
from OpenVPN’s GitHub is the best option.
Now, let’s extract the files to the proper directory:
sudo tar xvzf easy-rsa.tar.gz -C /etc/openvpn/easy-rsa --strip-components=3 easy-rsa-2.2.0/easy-rsa/2.0/
And go to that directory:
cd /etc/openvpn/easy-rsa/
OpenVPN uses TLS certificates for connection security and authentication. We’re going to generate the
keys and certificates required for this:
Root (CA) key/certificate (ca.key/ca.crt)
TLS-auth HMAC key (ta.key)
Server key/certificate (server.key/server.crt)
Client key/certificate (client.key/client.crt)
The data being used for these keys (country, organisation, etc.) can be modified. It doesn’t make a real
difference if you change these or not, but it does help recognizing the certificate. You could, optionally,
require a certain certificate subject (not covered by this tutorial) for added security.
Open up /etc/openvpn/easy-rsa/vars and look for the following lines:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
You should change all of these to reflect your situation. You can remove the duplicate KEY_EMAIL export, as
the second one overwrites the first one anyway. You can safely ignore the PKCS11 variables listed below the
above ones in the file.
To be sure we have proper permissions, let’s change the group of the easy-rsa directory to sudo:
sudo chown -R root:sudo .
And set group write permissions, so members of the sudo group can write to it:
sudo chmod g+w .
With these permissions set, we can generate certificates.
First, source the vars file you’ve just edited so that all the variables are available in the environment:
source ./vars
Next, clean all the keys (note that this wipes the keys directory, so don’t run it again later when you add clients):
./clean-all
Generate the Diffie-Hellman parameters for the server side of the TLS handshake:
./build-dh
Generate the root key and certificate:
./pkitool --initca
And finally, generate the server private key and certificate:
./pkitool --server server
Now that all the keys are generated, let’s build a TLS-auth key and put all keys into place. Go to the ‘keys’
directory inside the ‘easy-rsa’ directory where you currently are:
cd keys/
And generate the TLS-auth key:
openvpn --genkey --secret ta.key
Finally, copy all these keys to the openvpn directory:
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
And we’re done with the server-side keys! The final keys to generate now are the client-side keys. Open
/etc/openvpn/easy-rsa/vars again and edit the variables to reflect your client. Otherwise you get an
error when generating the certificate because it’s not unique.
Initialize the new environment variables:
source ./vars
And generate the client-side keys:
./pkitool client
That’s it! Keys are ready.
Finally, set the proper ownership to the ‘keys’ directory, as it’s currently owned by your user:
sudo chown root:sudo keys
Now, let’s configure OpenVPN!

Configuring OpenVPN
OpenVPN has a lot of configuration options. I’m going to cover a basic configuration which uses a tap
interface.
The server configuration file is /etc/openvpn/server.conf. The default configuration file has a lot of comments
in it, so it’s a good starting point to discover more about the configuration of OpenVPN. I’m going to give
you the configuration that I’ve tested:
local 192.0.2.15 # Server IP address through which you connect, replace this with yours
port 1194 # Port the server runs on (default)
proto udp # Protocol to use (default)
dev tap
ca ca.crt # Root certificate
cert server.crt # Server certificate
key server.key # Server key file
dh dh1024.pem # DH file
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # File that keeps track of IP leases
push "redirect-gateway def1 bypass-dhcp" # Push some options to the client
duplicate-cn
keepalive 10 120 # When should we disconnect a client?
tls-auth ta.key 0
comp-lzo # Enable compression
user nobody # Run as user nobody
group nogroup # Run as group nogroup
persist-key # Avoid trying to access unavailable resources after a restart
persist-tun # Avoid trying to access unavailable resources after a restart
status openvpn-status.log # Status log for active connections
log-append openvpn.log # Append to the OpenVPN log rather than starting a new one every time you restart
verb 3 # Log verbosity level
mute 20 # Limit the number of repeating messages
script-security 2 # Set the security level for the usage of external programs and scripts
link-mtu 1648
As you can see, I’ve added some inline comments. It would be good to read these. I’ll highlight the lines I
would like to discuss in more detail; those are the most important options for you to know about.
dev tap
This line indicates we use a TAP tunnel, which is an ethernet tunnel rather than a routed IP tunnel. A TAP
tunnel carries complete ethernet frames, so it passes all traffic (including non-IP traffic) rather than only
routed IP packets. It’s the more “complete” tunnel when compared to TUN.
server 10.8.0.0 255.255.255.0
Set the internal IP range for the server and the clients. The server will get the IP 10.8.0.1 and the client IP
addresses will start at 10.8.0.2. Change this to your liking or when it conflicts with other ranges on any of
your clients.
duplicate-cn
This line allows multiple simultaneous connections with the same client certificate. Leave it out to disable this
option. If you edit the vars file for every client certificate you generate, this option can safely be disabled;
every client then has its own certificate, which also means a single client can be revoked on its own.
tls-auth ta.key 0
Name of the TLS-auth key file and the “side” of the TLS connection. Since the server is 0, the client should be 1.
This should be configured in your OpenVPN client software.
link-mtu 1648
This is the MTU for the VPN connection. The MTU (Maximum Transmission Unit) is the maximum size in
bytes of the largest piece of data that the link can transport. I’ve used this value because it worked for me.
This will also need to be configured in your client. If your VPN doesn’t work, check the logs for MTU errors.
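As an added example (not code from the original post), here is a small POSIX sh audit of a server.conf for the options discussed above: tls-auth and its side, the user/group privilege drop, duplicate-cn and the script-security level. The names audit_server_conf, conf_field and has_option are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of an OpenVPN
# server.conf. Prints one OK/WARN line per check and returns the number of
# warnings, so it can gate a deploy script ("audit_server_conf server.conf || exit 1").

# conf_field FILE OPTION N
# Prints the N-th argument of OPTION in FILE (comments and blank lines are
# ignored, first occurrence wins). Prints nothing if OPTION is absent.
conf_field() {
    sed -e 's/[[:space:]]*[#;].*$//' "$1" | awk -v opt="$2" -v n="$3" '
        $1 == opt { print $(n + 1); exit }'
}

# has_option FILE OPTION: true if OPTION appears uncommented in FILE.
has_option() {
    sed -e 's/[[:space:]]*[#;].*$//' "$1" | awk -v opt="$2" '
        $1 == opt { found = 1 } END { exit !found }'
}

# audit_server_conf FILE
audit_server_conf() {
    f="$1"
    warnings=0

    # tls-auth: the server must be side 0 (clients use 1). Without it, anyone
    # who can reach the port can start a TLS handshake with the server.
    side=$(conf_field "$f" tls-auth 2)
    if [ -z "$(conf_field "$f" tls-auth 1)" ]; then
        echo "WARN: tls-auth missing; add 'tls-auth ta.key 0' and give clients side 1"
        warnings=$((warnings + 1))
    elif [ "$side" != 0 ]; then
        echo "WARN: tls-auth side is '$side'; the server side should be 0"
        warnings=$((warnings + 1))
    else
        echo "OK: tls-auth enabled (server side 0)"
    fi

    # Privilege drop after startup (the post uses user nobody / group nogroup).
    if has_option "$f" user && has_option "$f" group; then
        echo "OK: drops privileges to $(conf_field "$f" user 1):$(conf_field "$f" group 1)"
    else
        echo "WARN: no 'user'/'group' lines; OpenVPN keeps root privileges while running"
        warnings=$((warnings + 1))
    fi

    # duplicate-cn lets several clients share one certificate, so they cannot
    # be told apart and revoking that certificate cuts off all of them.
    if has_option "$f" duplicate-cn; then
        echo "WARN: duplicate-cn set; one certificate can be used by many clients at once"
        warnings=$((warnings + 1))
    else
        echo "OK: duplicate-cn not set (one connection per client certificate)"
    fi

    # script-security 3 additionally passes passwords to scripts via the environment.
    level=$(conf_field "$f" script-security 1)
    if [ -n "$level" ] && [ "$level" -gt 2 ]; then
        echo "WARN: script-security $level passes passwords to external scripts"
        warnings=$((warnings + 1))
    else
        echo "OK: script-security ${level:-default}"
    fi

    return "$warnings"
}
```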
Once the configuration file is in place, restart OpenVPN:
sudo /etc/init.d/openvpn restart
And you should be good! The final step is adding three firewall rules to allow traffic to pass through your server:
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
You should replace ‘eth0’ with the device name of your ethernet device. On most OpenVZ VPS this is
venet0.
What these lines do is the following (in order):
1. Masquerade (NAT) traffic leaving via eth0 behind the server’s own address
2. Allow packets to be forwarded from eth0 to tap0 only when they belong to a connection already opened from the VPN side (RELATED,ESTABLISHED)
3. Allow packets to be forwarded from tap0 to eth0 regardless of the connection state
Now, with the server up and running and your firewall configured, you need to configure your client. I will
cover some clients in next week’s tutorial (it was too much to combine it all in here), but here’s something to
get you started on your own. To connect with a client, you need to:
1. Have the client.crt, client.key, ca.crt and ta.key on your client
2. Enable LZO compression
3. Enable TAP
4. Set the link MTU to 1648
5. Set the TLS “side” to 1
If you’ve done that on your client, you should be able to connect!
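As an added example that is not part of the original post, here is a client.conf that implements the five items above for a command-line OpenVPN client. The server address 192.0.2.15 and port 1194 are taken from the server configuration in this post; remote-cert-tls is an addition not mentioned in the post.

```conf
client
dev tap                  # item 3: TAP, matching "dev tap" on the server
proto udp
remote 192.0.2.15 1194   # the server's "local" address and "port"
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                # item 1: the four files copied from the server's keys directory
cert client.crt
key client.key
tls-auth ta.key 1        # item 5: the other "side" of the server's "tls-auth ta.key 0"
remote-cert-tls server   # added: refuse a server whose certificate was not issued with "pkitool --server"
comp-lzo                 # item 2: LZO compression, matching "comp-lzo" on the server
link-mtu 1648            # item 4: same link MTU as the server
verb 3
```

Put the four key files next to this config on the client and start it with `sudo openvpn --config client.conf`; MTU mismatches show up in its log output, as noted above.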

Final notes
As you may have noticed, setting up OpenVPN isn’t hard but it isn’t very easy either. There are a lot of steps
to take, a lot of options available and a lot that can go wrong. I’ve tried to keep this guide concise and limited
for the sake of clarity. If there is a clear demand for more explanation on certain subjects, please let me
know. I’ll add more explanation/write a more detailed guide on a certain subject in that case.
Up next week: Getting started with OpenVPN (client)

3 Comments
1.
André:
I wrote this “guide” as a reference to myself: http://blog.bugflux.org/2012/08/android-networkprivacy-and-firewall.html
I guess the steps are rather similar, I wish you had written this long ago! =)
August 31, 2013 @ 1:55 pm | Reply
2.
usman:
Good effort. Nice updated tutorial on installing openvpn. I also did an attempt to write a detailed
openvpn installation guide but I think it is a bit dated now. Referencing it here just to let the readers also
have a graphical view of the commands that they are supposed to run. http://tipupdate.com/how-toinstall-openvpn-on-centos-vps/
August 31, 2013 @ 3:54 pm | Reply
3.