configuration of VPN


  • 7/29/2019 configuration of VPN

    1/23

    1. Introduction

    This article describes the configuration of a Virtual Private Network connection using the
    OpenVPN application. First, you will be introduced to some basic theory behind Virtual Private
    Networks. Then the article guides you with step-by-step instructions on how to set up an OpenVPN
    virtual private network using Symmetric Key Encryption and Public Key Encryption. This article is
    meant for everybody who possesses a basic knowledge of Linux administration and networking.

    2. Why VPN

    If you work in the IT industry, it is very common that you do not use only the single computer
    sitting on your desk, but also other systems connected to the same local area network. As long
    as you are sitting in your office chair this is not a problem. The situation becomes complicated
    once you are in a hurry and need to take some of your work home. You can take your company
    laptop with you, but to fully utilize company resources you would also need to be connected to
    the company's local area network.

    The solution to this problem depends on what resources are needed to complete your job. If you
    need some shared files available on the company's network, you may simply copy these files to
    your laptop's hard drive or to a USB stick. If you need to work on the system installed on your
    company's PC, you can also use virtualization tools such as VirtualBox or VMware. Soon enough
    you will realize that this approach is not as convenient as you would like it to be, and that you
    spend more time copying files and synchronizing virtual systems than concentrating on your
    work. The ideal solution should allow employees to access the company's local resources from
    an external network. This can be done by forwarding ports of the local services through the
    firewall, but exposing local ports to the Internet is not the safest approach: the more ports are
    exposed from your local network to an external network such as the Internet, the more
    vulnerable your local systems become. The better approach in this situation is to use a single
    port for all services, coupled with encryption and user authentication. This can be achieved, for
    example, by using a Virtual Private Network (VPN).

    3. How does a VPN work

    VPNs are often operated as client-server applications; good examples are the Microsoft PPTP
    implementation on Windows and OpenVPN on the Linux platform. The VPN server runs directly
    on the firewall, where it creates a virtual network interface and an additional virtual network
    subnet. The VPN server waits for connections on the external network interface of the firewall,
    where it authenticates the VPN client application. After successful authentication the VPN client
    is given an IP address from the virtual subnet. An encrypted tunnel is then created between the
    VPN client and the VPN server, which is used for the safe transfer of packets between two distant
    networks via the Internet. The services which a VPN client can connect to can furthermore be
    defined by firewall rules; this way the firewall ensures that a VPN client can connect only to the
    services it is allowed to. If the previous few sentences looked a little difficult to understand, do
    not despair! Everything will become clearer once we see how an encrypted tunnel works in an
    example.

    4. VPN Encrypted Tunnel Fundamentals

    VPN tunnels are generally considered something mysterious, and everybody who mentions them
    is "cool" :-) However, there is nothing to be afraid of; in fact the principle of a Virtual Private
    Network is very simple. Data in IP networks is exchanged in packets. Information about the
    destination and source of a packet can be found in the packet's header, and the actual user data is
    carried as the payload. Let's imagine that an ssh client wants to talk to an ssh server over the
    Virtual Private Network. Packets leaving the host's network interface on the local network are
    sent with destination port number 22. When such a packet reaches the VPN tunnel it is
    encapsulated into a VPN packet, where the original packet is now treated as the payload. If the
    VPN server listens on port 443, the VPN packet will carry destination port 443.

    When looking at the previous figure it is apparent that this kind of network data transfer over the
    VPN wastes some of the transfer rate, because the original packet has less payload space
    available just so that it fits into the VPN tunnel packet. This can be considered a drawback of a
    VPN.

    5. The theory behind Virtual Private Network

    Let's imagine a small company network consisting of just a single subnet, in which all clients
    are connected to the Internet via the company's gateway, which is also used as a firewall. How
    the connection is made is not important; it is enough to mention that the external gateway
    network interface uses an external IP address. This scenario is visualized in the following figure:

    In case an employee wants to connect to some of the company's services from the outside world,
    his or her attempt would be rejected by the firewall, not just because the attempt is coming from a
    completely different subnet but also because the ports of the particular services are not open.
    Once the VPN server starts functioning on the gateway, it automatically creates a virtual network
    interface with subnet 192.168.2.0/24, which then starts accepting connections from the external
    network. Once the employee passes the VPN server's authentication, the VPN server assigns an IP
    address from 192.168.2.0/24. To hosts on 192.168.1.0/24, the systems on the 192.168.2.0/24
    network appear to be located on a separate local subnet, but in fact the communication is done
    through an encrypted VPN tunnel over the Internet.

    5.1. VPN fundamentals

    The following image tries to explain the fundamental principles of VPN server-client
    communication. The gif animation changes every 14 seconds. The aim of this animation is to
    explain the logic behind VPN communication in the simplest form possible. Please note that there
    are many other factors behind the scenes which have been omitted for the sake of simplicity.

    1/14: VPN Client establishes a connection with the VPN Server via the external network interface.
    2/14: VPN Server assigns an IP address to the VPN client from the local virtual subnet 192.168.2.0/24.
    3/14: VPN Client prepares a packet for host 192.168.1.3 located within the private subnet 192.168.1.0/24.
    4/14: VPN Client encrypts and hides the original packet inside the outer public packet.
    5/14: The packet is dispatched by the VPN client via the public network to the VPN Server.
    6/14: The network packet acquired from the public network is decrypted and decapsulated by the VPN server. This way the VPN server obtains a packet for the private network.
    7/14: VPN Server handles the newly acquired packet as if it was sent locally on the 192.168.1.0/24 subnet.
    8/14: The packet is delivered to the host with destination IP address 192.168.1.3.
    9/14: The host with IP address 192.168.1.3 creates a network packet with destination IP 192.168.2.2.
    10/14: VPN Server receives the reply packet.
    11/14: According to the VPN Server's routing table, this packet belongs to the Virtual Private Network.
    12/14: VPN Server encrypts and hides the original packet inside the outer public packet.
    13/14: The packet is dispatched by the VPN server via the public network to the VPN client.
    14/14: The network packet acquired from the public network is decrypted and decapsulated by the VPN Client. This way the VPN client obtains a packet from the private network.

    6. Static key vs. Certificates

    One of the best characteristics of a VPN solution is encryption, which improves the confidentiality
    of client-server communication. Once the connection between the VPN Server and VPN Client is
    encrypted, an interceptor cannot read the messages. Encryption is done on both sides of the VPN
    transmission, thus creating the so-called VPN tunnel via a public network such as the Internet.
    Encryption can be divided into two main groups:

    6.1. Symmetric Key Encryption

    This type of communication requires one symmetric key which is used on both sides to encrypt
    the messages, thereby preventing an interceptor from reading them. To do this, the symmetric key
    needs to be generated and exchanged between both sides. This means that both sides use the
    same key to encrypt as well as to decrypt sent and received messages.

    6.2. Public Key Encryption

    With public key encryption, each side has a public key and a private key, so there are four keys in
    total. The sender encrypts a message with the receiver's public key and the receiver decrypts the
    message with its own private key. Since only the receiver has access to its own private key, only
    the receiver can decrypt the message. OpenVPN supports both of the above-mentioned types of
    encryption: symmetric encryption in OpenVPN terms is called static key mode and public key
    encryption is called certificate mode. Before we put both types of encryption to the test by showing
    a real configuration and testing examples, let's have a look at the following list, which contains
    deliberately unsorted strengths and weaknesses of each solution:

    Symmetric Key Encryption:

    - symmetric encryption
    - simple configuration
    - no Certificate Authority ( CA ) is required
    - server can serve only a single client at the same time
    - key must be stored in a text file on both systems, which increases the risk that it will fall into the wrong hands
    - difficult key exchange

    Public Key Encryption:

    - asymmetric encryption
    - more complicated configuration
    - Certificate Authority ( CA ) is required
    - server can serve many clients simultaneously

    7. Examples of VPN connection

    Now that we have grasped the necessary theory about Virtual Private Networks, we can move on
    and explore all mandatory steps for creating a VPN connection with Symmetric Key Encryption
    and with Public Key Encryption. As a starting point, in both cases there will be two computers
    with a fresh Debian Linux installation. How the connection between those two PCs is created is
    not important: it can be done via a cross-over cable, two bridged virtual machines or over the
    Internet. What is important is that both PCs can ping each other and that the VPN Server has port
    1194/UDP open for connections from the VPN Client. In the following text we will refer to these
    systems as the VPN-Server ( IP Address: 10.1.1.3 ) and the VPN-Client ( IP Address: 10.1.1.4 ).

    The VPN tunnel will be created as a point-to-point link 192.168.0.1 - 192.168.0.2. However, for
    the VPN tunnel created with Public Key Encryption ( OpenVPN certificate mode ) the client's IP
    address will differ and will be assigned from the 192.168.0.0/16 subnet IP address pool. In our
    case the client will obtain the IP address 192.168.0.6.

    8. Installation of OpenVPN

    The OpenVPN application consists of only one binary file, whose name is the same as the
    application name itself: openvpn. This binary is used to start an OpenVPN server as well as an
    OpenVPN client, and therefore it is important to install the same OpenVPN packages on both
    sides. To be more precise, the difference between an OpenVPN Server and an OpenVPN Client
    lies only in how the configuration is carried out on each side. It is recommended to install the
    OpenVPN packages from the official repository of the Linux distribution you intend to use for
    this purpose. If, for some reason, OpenVPN packages are not included in the official repository
    of your Linux distribution, feel free to install from source code. Both installations are briefly
    covered in the following paragraphs. Repeat the following installation steps on the vpn-server
    as well as on the vpn-client.

    8.1. Installation from official repository

    Installation from the official Debian repository is as simple as running an apt-get command:

    linuxconfig.org:~# apt-get install openvpn
    Reading package lists... Done
    Building dependency tree... Done
    The following extra packages will be installed:
      liblzo2-2
    Suggested packages:
      openssl
    The following NEW packages will be installed:
      liblzo2-2 openvpn
    0 upgraded, 2 newly installed, 0 to remove and 19 not upgraded.
    Need to get 397kB of archives.
    After unpacking 1114kB of additional disk space will be used.
    Do you want to continue [Y/n]?

    Apt-get automatically fetches the required prerequisites, in this case the liblzo2-2 package.

    8.2. Installation from a source code

    Installation of OpenVPN from source code involves downloading the source code from the
    OpenVPN home page and compiling it with the following sequence of commands:

    linuxconfig.org:~$ wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
    linuxconfig.org:~$ tar xfz openvpn-2.0.9.tar.gz
    linuxconfig.org:~$ cd openvpn-2.0.9
    linuxconfig.org:~$ ./configure --prefix=/usr/local
    linuxconfig.org:~$ make
    linuxconfig.org:~# make install

    What happens here is that the openvpn binary is created by compiling the source code and
    installed into the /usr/local/sbin directory.

    8.3. Enabling a Virtual Network Interface

    OpenVPN works with the TUN/TAP virtual network interfaces. TUN and TAP are virtual network
    kernel drivers, and TUN ( TUNnel ) must be enabled in the kernel, or at least as a module, for the
    virtual private network to be able to function. The TUN/TAP kernel driver can be found in the
    network interfaces section of the kernel configuration under the name "Universal TUN/TAP device
    driver support". To confirm that the TUN module is supported by your system, check the config
    file created during kernel compilation. As already mentioned, Debian Linux was used for this
    article, and in Debian the TUN driver is supported by default in the form of a kernel module.
    This can be confirmed by the following command:

    grep CONFIG_TUN= /boot/config-

    The eth0 interface directly represents a hardware device, which can be, for example, a PCI
    network card. On the other hand, TUN/TAP devices represent a virtual network interface. Packets
    traveling via a TUN/TAP interface are sent to the application before they reach the eth0 network
    interface. This allows an application such as OpenVPN to encrypt or decrypt packets before they
    reach the physical network.

    9. VPN Connection and Symmetric Key Encryption

    9.1. Setting up VPN Server

    Almost all configuration settings can be passed to the OpenVPN application via the command
    line. Another option is to create a configuration file which is read during OpenVPN initialization.
    Creating a configuration file is a clean way to maintain the settings of a Virtual Private Network
    connection, since the number of connections can grow, where the only limit is the robustness of
    your system. However, for the sake of simplicity and transparency, in the following example we
    will use command line parameters to configure the OpenVPN server.

    linux_VPN_Server:~# /sbin/ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:70:5A:F7
              inet addr:10.1.1.3  Bcast:10.255.255.255  Mask:255.0.0.0
              inet6 addr: fe80::20c:29ff:fe70:5af7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:110 errors:0 dropped:0 overruns:0 frame:0
              TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:11724 (11.4 KiB)  TX bytes:13204 (12.8 KiB)
              Interrupt:169 Base address:0x2000

    9.1.1. Generate Static Symmetric Key

    Before we can start an OpenVPN tunnel, a symmetric key needs to be generated and exchanged
    between the server and the client. To generate a Symmetric Key run the following command:

    linux_VPN_Server:~# openvpn --genkey --secret staticVPN.key

    linux_VPN_Server:~# cat staticVPN.key
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    [hexadecimal key material omitted]
    -----END OpenVPN Static key V1-----

    9.1.2. Start OpenVPN Server

    At this stage the Static Symmetric Key can be used to start an OpenVPN server, which creates
    one side of the Virtual Private Network tunnel, ready for connections:

    linux_VPN_Server:~# openvpn --dev tun --ifconfig 192.168.0.1 192.168.0.2 --secret staticVPN.key
    Wed Jan 28 03:48:09 2009 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
    Wed Jan 28 03:48:09 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Wed Jan 28 03:48:09 2009 TUN/TAP device tun0 opened
    Wed Jan 28 03:48:09 2009 ifconfig tun0 192.168.0.1 pointopoint 192.168.0.2 mtu 1500
    Wed Jan 28 03:48:09 2009 UDPv4 link local (bound): [undef]:1194
    Wed Jan 28 03:48:09 2009 UDPv4 link remote: [undef]

    The parameter "--dev tun" instructs the OpenVPN application to use a TUN virtual network
    interface. The following parameter "--ifconfig 192.168.0.1 192.168.0.2" specifies the IP addresses
    for both sides of the virtual tunnel: OpenVPN sets the virtual network interface tun0 to the IP
    address 192.168.0.1 and expects a connection from an OpenVPN client on the IP address
    192.168.0.2. The last parameter "--secret staticVPN.key" specifies the file with the Static
    Symmetric Key created in the previous step. Let's confirm the correctness of the previous
    statements with the ifconfig command:

    linux_VPN_Server:~# ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.0.1  P-t-P:192.168.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    9.2. Setting up VPN Client

    The procedure for setting up an OpenVPN client is very similar to the one used to set up the
    OpenVPN server. At this point we assume an established connection via the 10.0.0.0 network,
    that the client has the OpenVPN application installed and ready to use, and that the Symmetric
    key generated previously has been copied over to the client by means of a USB key or SCP. If
    this is the case, nothing stops us from starting the OpenVPN client:

    linux_VPN_Client:~# ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:00:C1:42
              inet addr:10.1.1.4  Bcast:10.255.255.255  Mask:255.0.0.0
              inet6 addr: fe80::20c:29ff:fe00:c142/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:456 errors:0 dropped:0 overruns:0 frame:0
              TX packets:293 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:434285 (424.1 KiB)  TX bytes:28413 (27.7 KiB)
              Interrupt:169 Base address:0x2000

    9.2.1. Start Client

    The following command and parameters can be used to start an OpenVPN client with the static
    symmetric key:

    linux_VPN_Client:~# openvpn --remote 10.1.1.3 --dev tun --ifconfig 192.168.0.2 192.168.0.1 \
                        --secret staticVPN.key
    Wed Jan 28 03:51:02 2009 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
    Wed Jan 28 03:51:02 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Wed Jan 28 03:51:02 2009 TUN/TAP device tun0 opened
    Wed Jan 28 03:51:02 2009 ifconfig tun0 192.168.0.2 pointopoint 192.168.0.1 mtu 1500
    Wed Jan 28 03:51:02 2009 UDPv4 link local (bound): [undef]:1194
    Wed Jan 28 03:51:02 2009 UDPv4 link remote: 10.1.1.3:1194

    The parameter "--remote 10.1.1.3" specifies the real IP address of the OpenVPN server which is
    waiting for a connection; the OpenVPN client will therefore connect to the socket
    10.1.1.3:1194/UDP. The rest of the parameters have exactly the same meaning as in the case of
    the OpenVPN server. The only difference is the order of the IP addresses passed to the
    "--ifconfig" parameter. This way the OpenVPN application sets the local tun0 virtual network
    interface to 192.168.0.2 and expects the OpenVPN Server to be set to 192.168.0.1. Again,
    confirm the correctness of these settings with the ifconfig command:

    linux_VPN_Client:~# ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.0.2  P-t-P:192.168.0.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    9.3. Testing A VPN Connection

    The OpenVPN server and client now use the tun0 virtual network interface to maintain an
    encrypted virtual tunnel connection. The OpenVPN server's tun0 interface is set to 192.168.0.1
    and the OpenVPN client's tun0 interface is set to 192.168.0.2.

    linux_VPN_Server:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:70:5A:F7
              inet addr:10.1.1.3  Bcast:10.255.255.255  Mask:255.0.0.0
              inet6 addr: fe80::20c:29ff:fe70:5af7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1264 errors:0 dropped:0 overruns:0 frame:0
              TX packets:835 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:507743 (495.8 KiB)  TX bytes:105283 (102.8 KiB)
              Interrupt:169 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.0.1  P-t-P:192.168.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    linux_VPN_Client:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:00:C1:42
              inet addr:10.1.1.4  Bcast:10.255.255.255  Mask:255.0.0.0
              inet6 addr: fe80::20c:29ff:fe00:c142/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1953 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1376 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:569341 (555.9 KiB)  TX bytes:372027 (363.3 KiB)
              Interrupt:169 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.0.2  P-t-P:192.168.0.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    If everything went smoothly and there is no firewall between the two endpoints which may
    interfere with the VPN tunnel, it should be easy to confirm the VPN connection with the ping
    command.

    linux_VPN_Server:~# ping -c 5 192.168.0.2
    PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
    64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=3.24 ms
    64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=4.30 ms
    64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=1.76 ms
    64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=1.83 ms
    64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=2.52 ms

    --- 192.168.0.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4012ms
    rtt min/avg/max/mdev = 1.766/2.733/4.305/0.952 ms

    If at the same time we start the tcpdump program on the OpenVPN client's virtual tun0 network
    interface, we see the ICMP packets transmitted by the ping program, including the reply packets.

    linux_VPN_Client:~# tcpdump -i tun0
    03:54:11.648040 IP 192.168.0.1 > 192.168.0.2: ICMP echo request, id 32520, seq 1, length 64

    However, on the OpenVPN client's real eth0 network interface the tcpdump program produces the
    following output:

    linux_VPN_Client:~# tcpdump -i eth0
    03:54:11.803616 IP 10.1.1.3.openvpn > 10.1.1.3.openvpn: UDP, length 124

    This output from the tcpdump program can be used as proof of what we learned previously: the
    packets from the virtual tun0 network interface are encapsulated into public network packets and
    are sent to the recipient encrypted via the single 1194/UDP port.
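The single-port observation above can be turned into a routine check. The following script is an added example, not code from the original article: it scans a tcpdump capture taken on the physical eth0 interface of one endpoint and flags every packet that should have travelled inside the tunnel, either because a tunnel-subnet address appears in the clear or because the two endpoints are talking to each other outside the UDP/1194 tunnel. The endpoint addresses, function names and sample capture lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a tcpdump capture taken on the
# physical eth0 interface of one VPN endpoint. With the static-key tunnel above, traffic
# between the two endpoints must appear on eth0 only as UDP on the openvpn port, and the
# tunnel subnet 192.168.0.0/24 must never show up there in the clear. Endpoint addresses,
# function names and the sample capture lines are constructed for this example.

VPN_SERVER="10.1.1.3"
VPN_CLIENT="10.1.1.4"
TUNNEL_NET="192.168.0."    # prefix of the point-to-point tunnel addresses
VPN_PORT="openvpn"         # tcpdump prints UDP/1194 with this service name

# leaked_lines FILE: print each capture line that bypasses the tunnel and return
# their count as the exit status (0 = nothing bypassed the tunnel).
leaked_lines() {
    awk -v srv="$VPN_SERVER" -v cli="$VPN_CLIENT" -v net="$TUNNEL_NET" -v port="$VPN_PORT" '
        BEGIN { n = 0 }
        # "addr" is "host" (ICMP) or "host.port" (TCP/UDP); match the host part only
        function is_host(addr, ip) { return addr == ip || index(addr, ip ".") == 1 }
        function is_endpoint(addr) { return is_host(addr, srv) || is_host(addr, cli) }
        # tcpdump IP lines look like: TIME IP SRC > DST: PROTO ...
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst); proto = $6; sub(/,$/, "", proto)
            # tunnel-subnet addresses on the physical interface mean cleartext leakage
            if (index(src, net) == 1 || index(dst, net) == 1) {
                print "LEAK (tunnel subnet in clear): " $0; n++; next
            }
            # endpoint-to-endpoint traffic that is not the UDP tunnel itself
            if (is_endpoint(src) && is_endpoint(dst) &&
                !(proto == "UDP" && src ~ ("\\." port "$") && dst ~ ("\\." port "$"))) {
                print "OUTSIDE TUNNEL: " $0; n++
            }
        }
        END { exit n }' "$1"
}

# write_sample_capture FILE: constructed eth0 capture. The first two lines are what a healthy
# tunnel looks like on eth0; the last two are constructed so that the check has something to flag.
write_sample_capture() {
    cat > "$1" <<'EOF'
03:54:11.803616 IP 10.1.1.3.openvpn > 10.1.1.4.openvpn: UDP, length 124
03:54:11.805102 IP 10.1.1.4.openvpn > 10.1.1.3.openvpn: UDP, length 124
03:54:12.648040 IP 192.168.0.1 > 192.168.0.2: ICMP echo request, id 32520, seq 1, length 64
03:54:13.100000 IP 10.1.1.4.52144 > 10.1.1.3.ssh: Flags [S], seq 1, win 5840, length 0
EOF
}

# Stand-alone run: audit the constructed capture and report the count.
tmp=$(mktemp)
write_sample_capture "$tmp"
count=0
leaked_lines "$tmp" || count=$?
echo "lines bypassing the tunnel: $count"
rm -f "$tmp"
```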

    9.4. Using OpenVPN configuration files

    The previous VPN tunnel example used a number of arguments and parameters passed on the
    command line to create the VPN connection. Although almost every OpenVPN configuration
    directive can be passed to the openvpn command on the command line, this can sometimes
    become very tiresome. Therefore, we complete this section by showing how to create a VPN
    connection using a Static Symmetric Key and OpenVPN configuration files. Here is a solution
    which uses configuration files to achieve the same goal as shown previously.

    OpenVPN Server config file: create a vpn-server.conf file with the following content:

    # OpenVPN configuration file for VPN SERVER
    dev tun
    ifconfig 192.168.0.1 192.168.0.2
    secret /root/staticVPN.key
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    user openvpn
    group openvpn
    daemon

    OpenVPN Client config file: create a vpn-client.conf file with the following content:

    # OpenVPN configuration file for VPN CLIENT
    dev tun
    remote 10.1.1.3
    ifconfig 192.168.0.2 192.168.0.1
    secret /root/staticVPN.key
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    user openvpn
    group openvpn
    daemon

    Explanation of the OpenVPN configuration directives:

    dev - use a TUN virtual network device
    remote - specifies the IP address or name of the VPN Server
    ifconfig - specifies the local and remote endpoint
    secret - the path to the pre-shared static key file
    comp-lzo - enable fast LZO data compression
    keepalive - keep the connection alive by sending a regular ping packet; in our case the ping packet is sent every 10 seconds and the reply must come within 60 seconds, otherwise the other side is assumed to be down
    ping-timer-rem - should be used only on the VPN server side when started without an explicit remote IP address; this way the timeout starts only after a VPN client has connected
    persist-tun - do not re-create the TUN virtual network interface after an automatic restart
    persist-key - no need to read the pre-shared static key file again after an automatic restart
    user - run the openvpn tunnel as user openvpn
    group - run the openvpn tunnel as group openvpn
    daemon - once the initialization functions are completed, run in the background as a daemon

    It is time to put those two OpenVPN configuration files into action. As stated in both config
    files, we need to create an openvpn user and group first. OpenVPN can run as root; however,
    running the VPN tunnel as the non-privileged user "openvpn" is a smart move, and it greatly
    enhances the security of your hosts. To create the openvpn group the addgroup command can be
    used:

    NOTE: the openvpn user and group need to be created on both sides of the VPN tunnel (VPN
    Server and VPN Clients ).

    # addgroup openvpn

    Now that the "openvpn" group is ready, we can create the "openvpn" user.

    # useradd --shell=/bin/false -g openvpn openvpn

    At this point we are ready to use both configuration files to create the OpenVPN tunnel:

    Start OpenVPN Server:

    linux_VPN_Server:~# openvpn --config /root/vpn-server.conf
    linux_VPN_Server:~# ps aux | grep openvpn
    openvpn   2310  0.2  0.6  4060  988 ?        Ss   01:00   0:00 openvpn --config vpn-server.conf
    root      2313  0.0  0.1  1512  224 pts/1    R+   01:00   0:00 grep openvpn

    Start OpenVPN Client:

    linux_VPN_Client:~# openvpn --config /root/vpn-client.conf
    linux_VPN_Client:~# ps aux | grep openvpn
    openvpn   2317  0.8  0.7  4060 1188 ?        Ss   01:16   0:00 openvpn --config vpn-client.conf
    root      2319  0.0  0.4  2852  704 pts/0    S+   01:16   0:00 grep openvpn

    Test VPN Connection:

    linux_VPN_Client:~# ping 192.168.0.1
    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
    64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.50 ms
    64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=4.32 ms

    --- 192.168.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1005ms
    rtt min/avg/max/mdev = 4.327/6.416/8.506/2.091 ms
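The configuration-file setup above can be audited before the tunnel is started. The following script is an added example, not code from the original article or from the OpenVPN project: it checks a static-key config for the points this section makes (the pre-shared key is a plain text file, so it must not be readable by other users; the tunnel should drop to the unprivileged openvpn user and group; and once privileges are dropped openvpn can no longer re-read the key or re-open tun0, so user/group need persist-key and persist-tun to survive an automatic restart). Function names, file names and the sample configs are assumptions constructed for this example, and the mode check relies on GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight audit of an OpenVPN static-key
# configuration file such as vpn-server.conf / vpn-client.conf above.
# Checks made:
#   - 'secret' names an existing key file whose mode is 600 (or 400): the static key is the
#     whole secret of the tunnel, and a group/world-readable key hands it to every local user
#   - 'user' and 'group' are present so the tunnel drops root privileges after start-up
#   - with user/group, 'persist-key' and 'persist-tun' are present: after the privilege drop
#     openvpn can neither re-read the key nor re-open tun0 on an automatic restart
# File names, the sample configs and the placeholder key are constructed for this example;
# stat -c is GNU coreutils (assumption).

# conf_value FILE DIRECTIVE: print the argument(s) of the first matching directive.
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_openvpn_conf FILE: print one finding per line; exit status = number of findings.
audit_openvpn_conf() {
    conf="$1"; findings=0
    key=$(conf_value "$conf" secret)
    vpn_user=$(conf_value "$conf" user)
    vpn_group=$(conf_value "$conf" group)

    if [ -z "$key" ]; then
        echo "no 'secret' directive: static-key mode needs the pre-shared key"
        findings=$((findings + 1))
    elif [ ! -f "$key" ]; then
        echo "key file $key does not exist: openvpn will fail to start"
        findings=$((findings + 1))
    else
        mode=$(stat -c '%a' "$key")
        case "$mode" in
            600|400) ;;
            *) echo "key file $key has mode $mode, expected 600"; findings=$((findings + 1)) ;;
        esac
    fi

    [ -n "$vpn_user" ]  || { echo "no 'user' directive: tunnel keeps running as root"; findings=$((findings + 1)); }
    [ -n "$vpn_group" ] || { echo "no 'group' directive: tunnel keeps root's group"; findings=$((findings + 1)); }

    if [ -n "$vpn_user" ] || [ -n "$vpn_group" ]; then
        for directive in persist-key persist-tun; do
            grep -Eq "^$directive"'( |$)' "$conf" ||
                { echo "'$directive' missing: an automatic restart after the privilege drop would fail"; findings=$((findings + 1)); }
        done
    fi
    return "$findings"
}

# write_sample_confs DIR: two constructed configs. "weak" is the article's server config
# without privilege dropping and with a world-readable key; "good" is the full version.
write_sample_confs() {
    dir="$1"
    printf 'placeholder-static-key-material\n' > "$dir/staticVPN.key"   # constructed, not a real key
    chmod 644 "$dir/staticVPN.key"
    cat > "$dir/weak.conf" <<EOF
# OpenVPN configuration file for VPN SERVER
dev tun
ifconfig 192.168.0.1 192.168.0.2
secret $dir/staticVPN.key
comp-lzo
keepalive 10 60
EOF
    cat > "$dir/good.conf" <<EOF
dev tun
ifconfig 192.168.0.1 192.168.0.2
secret $dir/staticVPN.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon
EOF
}

# Stand-alone run over the constructed configs.
tmpdir=$(mktemp -d)
write_sample_confs "$tmpdir"
for name in weak good; do
    echo "== $name.conf =="
    audit_openvpn_conf "$tmpdir/$name.conf" && echo "no findings" || echo "findings: $?"
done
rm -rf "$tmpdir"
```

Run it against /root/vpn-server.conf on each endpoint; a non-zero exit status means at least one of the points above needs fixing before the tunnel is started.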

    10. VPN Connection with Public Key Encryption

    If you have followed this article from the beginning up to this point, you already know some
    basics of how a Virtual Private Network works, and you have established a VPN connection
    using Symmetric Key Encryption. Prior to establishing a VPN connection using Symmetric Key
    Encryption, both VPN endpoints need to exchange the symmetric key first, and the key needs to
    be exchanged securely over some private medium. In case a company has a large number of
    employees and each employee needs to exchange a symmetric key with anyone they wish to
    establish a VPN connection with, this task can become very tedious, not to mention that a key can
    be disclosed to the public somewhere along the way, in which case the whole process would need
    to start again. This is where the Public key infrastructure (PKI) comes in.

    10.1. Public key infrastructure

    To avoid the chaos of public key exchange in a mesh-like model, we could delegate one employee as a Certification Authority ( CA ) who will be responsible for keeping a record of all public keys. The role of the CA is to collect the public keys of all employees and sign them with the CA's private key, that is, to issue a certificate. If anyone wants to confirm a document's signature created by another employee, they would first use the CA's public key to confirm the sender's public key ( certificate ). Once the sender's public key is confirmed, it can be used to confirm the signature of the actual document. Since every peer sends its own CA-signed certificate, all that remains to be done is to distribute the CA's public key to every employee.

    10.2. What needs to be done

    To reduce the complexity, let's briefly describe the steps needed to create a VPN connection using OpenVPN and Public Key Encryption. First we need to establish a Certification Authority. For this we will be using our VPN-Server with IP 10.1.1.3. Note that you can establish the CA on any other system; keeping the CA on the same system as our VPN-Server is just a matter of convenience. This step produces the CA's self-signed public key ( certificate ) as well as the matching private key. In the next step, we generate a Certificate Signing Request (CSR) for the server and for the client; the outcome is a CSR and a private key for each peer ( server & client ). Note that both operations are done separately on the server and on the client, so the client's private key never has to be transferred over an unsecured connection. Next we transfer the client's CSR to the server, where we sign both the server's and the client's requests using the CA's private key. This produces two signed certificates, one for the server and one for the client. Finally, we transfer the client's signed certificate to the client along with the CA's public key.

    Before we start, make sure that you have the openssl package installed on both systems ( vpn-client and vpn-server ):

    apt-get install openssl

    and that the "openvpn" user and "openvpn" group exist on both endpoints ( vpn-client and vpn-server ) of your future VPN connection:

    # addgroup openvpn
    # useradd --shell=/bin/false -g openvpn openvpn

    10.3. Establishment of Certification Authority

    The following command generates the CA's self-signed certificate and private key, which is all we need in order to be able to sign CSRs.

    linux_VPN_Server:~# openssl req -new -x509 -extensions v3_ca -keyout ca-private-key.pem -out ca-certificate.pem -days 365
    linux_VPN_Server:~#

    You will need to supply some details and, more importantly, a pass-phrase which you will use whenever you sign CSRs. The output will look something like this:

    linux_VPN_Server:~# openssl req -new -x509 -extensions v3_ca -keyout ca-private-key.pem \
    -out ca-certificate.pem -days 365
    Generating a 1024 bit RSA private key
    ...............++++++
    ...++++++
    writing new private key to 'ca-private-key.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:SK
    State or Province Name (full name) [Some-State]:Slovakia
    Locality Name (eg, city) []:Bratislava
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxconfig.org
    Organizational Unit Name (eg, section) []: Certificate Authority ( CA )
    Common Name (eg, YOUR name) []:Certificate Authority ( CA )
    Email Address []:
    linux_VPN_Server:~#

    If everything went well, you have now established your own CA, ready to sign CSRs. You can find two new files in the directory from which you issued the openssl command:

    linux_VPN_Server:~# ls
    ca-certificate.pem ca-private-key.pem
    linux_VPN_Server:~#

    10.4. Generate a Certificate Signing Request

    Our CA is ready, so at this point we need to create a Certificate Signing Request for our vpn-server and vpn-client. You will be asked to enter some details about your company. It is important that "Common Name" reflects the IP address or fully qualified domain name (FQDN) of the system the certificate is intended for.

    linux_VPN_Server:~# openssl req -new -nodes -out vpn-server-CSR.pem
    Generating a 1024 bit RSA private key
    ..........................++++++
    ............................................++++++
    writing new private key to 'privkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:SK
    State or Province Name (full name) [Some-State]:Slovakia
    Locality Name (eg, city) []:Bratislava
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxconfig.org
    Organizational Unit Name (eg, section) []:VPN-SERVER
    Common Name (eg, YOUR name) []:10.1.1.3
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    linux_VPN_Server:~#

    After creating a Certificate Signing Request you should have acquired two new files:

    vpn-server-CSR.pem - vpn-server Certificate Signing Request
    privkey.pem - vpn-server private key

    linux_VPN_Server:~# ls
    ca-certificate.pem ca-private-key.pem privkey.pem vpn-server-CSR.pem
    linux_VPN_Server:~#

    Now generate the client's request on the vpn-client system:

    linux_VPN_Client:~# openssl req -new -nodes -out vpn-client-CSR.pem
    Generating a 1024 bit RSA private key
    ............++++++
    .....++++++
    writing new private key to 'privkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:SK
    State or Province Name (full name) [Some-State]:Slovakia
    Locality Name (eg, city) []:Bratislava
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxconfig.org
    Organizational Unit Name (eg, section) []:VPN-CLIENT
    Common Name (eg, YOUR name) []:10.1.1.4
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    linux_VPN_Client:~#

    After creating a Certificate Signing Request you should have acquired two new files:

    vpn-client-CSR.pem - vpn-client Certificate Signing Request
    privkey.pem - vpn-client private key

    linux_VPN_Client:~# ls
    privkey.pem vpn-client-CSR.pem
    linux_VPN_Client:~#

    Since our signing Certificate Authority resides on our vpn-server, we copy the client's signing request there to be signed:

    linux_VPN_Client:~# scp vpn-client-CSR.pem [email protected]:~/
    [email protected]'s password:
    vpn-client-CSR.pem 100% 672 0.7KB/s 00:00
    linux_VPN_Client:~#

    10.5. Signing Certificate Signing Requests

    Both Certificate Signing Requests are now waiting to be signed:

    vpn-server-CSR.pem
    vpn-client-CSR.pem

    For that we can create an openssl config file like the one below and use it in conjunction with the openssl command. Use your favorite text editor and create a file called CA-openssl.config with the content shown below:

    linux_VPN_Server:~# cat CA-openssl.config
    [ ca ]
    default_ca = ca_default

    [ ca_default ]
    dir = .
    new_certs_dir = .
    private_key = ca-private-key.pem
    certificate = ca-certificate.pem
    database = index.txt
    default_md = md5
    serial = serial
    default_days = 365
    x509_extensions = usr_cert
    policy = generic_policy

    [ generic_policy ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ usr_cert ]
    authorityKeyIdentifier = keyid
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature
    extendedKeyUsage = serverAuth
    linux_VPN_Server:~#

    The Certificate Authority needs to keep track of all signed certificates ( index.txt ) and of the serial numbers assigned to each of them ( serial ). Therefore, we need to create these two files:

    touch index.txt; echo 01 > serial;

    All is ready to sign CSR. Let's first sign vpn-server's CSR:

    linux_VPN_Server:~# openssl ca -config CA-openssl.config -infiles \
    vpn-server-CSR.pem
    Using configuration from CA-openssl.config
    Enter pass phrase for ca-private-key.pem:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'SK'
    stateOrProvinceName :PRINTABLE:'Slovakia'
    localityName :PRINTABLE:'Bratislava'
    organizationName :PRINTABLE:'linuxconfig.org'
    organizationalUnitName:PRINTABLE:'VPN-SERVER'
    commonName :PRINTABLE:'10.1.1.3'
    Certificate is to be certified until Feb 25 21:34:25 2010 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries

    The server certificate is ready. Now we need to amend CA-openssl.config in order to sign the VPN client's public key. Change the line:

    extendedKeyUsage = serverAuth

    TO:

    extendedKeyUsage = clientAuth

    The following command will also do the trick:

    sed 's/serverAuth/clientAuth/' CA-openssl.config > temp; mv temp CA-openssl.config

    Now, we are ready to sign vpn-client's CSR:

    linux_VPN_Server:~# openssl ca -config CA-openssl.config -infiles \
    vpn-client-CSR.pem
    Using configuration from CA-openssl.config
    Enter pass phrase for ca-private-key.pem:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'SK'
    stateOrProvinceName :PRINTABLE:'Slovakia'
    localityName :PRINTABLE:'Bratislava'
    organizationName :PRINTABLE:'linuxconfig.org'
    organizationalUnitName:PRINTABLE:'VPN-CLIENT'
    commonName :PRINTABLE:'10.1.1.4'
    Certificate is to be certified until Feb 25 21:37:53 2010 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries

    Signed certificates are ready to use:

    01.pem - vpn-server certificate
    02.pem - vpn-client certificate

    linux_VPN_Server:~# ls
    01.pem ca-certificate.pem ca-private-key.pem index.txt.attr index.txt.old serial vpn-client-CSR.pem
    02.pem CA-openssl.config index.txt index.txt.attr.old privkey.pem serial.old vpn-server-CSR.pem
    linux_VPN_Server:~#

    You can see both certificates with following commands:

    openssl x509 -in 01.pem -noout -text
    openssl x509 -in 02.pem -noout -text

    At this stage we need to copy the vpn-client's certificate to the vpn-client system (10.1.1.4) and change its name to something like vpn-client-certificate.pem. Along with the vpn-client certificate we also need to copy the CA's certificate:

    linux_VPN_Server:~# scp 02.pem [email protected]:~/
    [email protected]'s password:
    02.pem 100% 3173 3.1KB/s 00:00
    linux_VPN_Server:~# scp ca-certificate.pem [email protected]:~/
    [email protected]'s password:
    ca-certificate.pem 100% 1367 1.3KB/s 00:00
    linux_VPN_Server:~#

    Change the name of the vpn-server's certificate to something like vpn-server-certificate.pem:

    linux_VPN_Server:~# mv 01.pem vpn-server-certificate.pem
    linux_VPN_Server:~#

    List of files in the vpn-server working directory:

    linux_VPN_Server:~# ls
    02.pem ca-private-key.pem index.txt.attr.old privkey.pem vpn-client-CSR.pem
    ca-certificate.pem index.txt index.txt.old serial vpn-server-certificate.pem
    CA-openssl.config index.txt.attr openvpn-server.conf serial.old vpn-server-CSR.pem
    linux_VPN_Server:~#
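    The whole CA procedure of sections 10.3 to 10.5 as one added, non-interactive script (example code, not from the original article), ending with the verification a practitioner should run before certificates are copied to the endpoints: each certificate must chain to the CA and carry the extended key usage of its role. Assumed: openssl is installed, the subjects and pass phrase are constructed placeholders, and the digest is sha256 rather than the article's md5, since MD5-signed certificates are rejected by current OpenSSL and OpenVPN builds.

```shell
#!/bin/sh
# Added example (not code from the original article): the CA, CSR and signing steps
# of sections 10.3 to 10.5 run non-interactively, plus the checks worth running before
# any certificate is copied to an endpoint. Assumptions: openssl is installed; subjects
# and the pass phrase are constructed placeholders; sha256 replaces the article's md5.
set -e
CA_PASS='constructed-placeholder-passphrase'
# build_pki DIR: creates the CA, both CSRs and both signed certificates inside DIR.
build_pki() (
  mkdir -p "$1" && cd "$1"
  # 10.3: self-signed CA certificate plus pass-phrase protected private key
  openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 -days 365 \
    -keyout ca-private-key.pem -out ca-certificate.pem -passout "pass:$CA_PASS" \
    -subj '/C=SK/O=example-org/OU=CA/CN=Certificate Authority' 2>/dev/null
  # 10.4: CSRs; as the article requires, CN carries the endpoint's address
  openssl req -new -nodes -newkey rsa:2048 -keyout vpn-server-key.pem \
    -out vpn-server-CSR.pem -subj '/C=SK/O=example-org/OU=VPN-SERVER/CN=10.1.1.3' 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout vpn-client-key.pem \
    -out vpn-client-CSR.pem -subj '/C=SK/O=example-org/OU=VPN-CLIENT/CN=10.1.1.4' 2>/dev/null
  # 10.5: the article's CA-openssl.config, digest changed to sha256
  cat > CA-openssl.config <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = .
new_certs_dir = .
private_key = ca-private-key.pem
certificate = ca-certificate.pem
database = index.txt
default_md = sha256
serial = serial
default_days = 365
x509_extensions = usr_cert
policy = generic_policy
[ generic_policy ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
authorityKeyIdentifier = keyid
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF
  touch index.txt; echo 01 > serial
  openssl ca -batch -config CA-openssl.config -passin "pass:$CA_PASS" \
    -out vpn-server-certificate.pem -infiles vpn-server-CSR.pem 2>/dev/null
  sed 's/serverAuth/clientAuth/' CA-openssl.config > temp && mv temp CA-openssl.config
  openssl ca -batch -config CA-openssl.config -passin "pass:$CA_PASS" \
    -out vpn-client-certificate.pem -infiles vpn-client-CSR.pem 2>/dev/null
)
# check_pki DIR: succeeds only if both certificates chain to the CA and each carries
# the extended key usage of its role (a client certificate must not pass as a server).
check_pki() (
  cd "$1"
  openssl verify -CAfile ca-certificate.pem -purpose sslserver vpn-server-certificate.pem >/dev/null 2>&1 &&
  openssl verify -CAfile ca-certificate.pem -purpose sslclient vpn-client-certificate.pem >/dev/null 2>&1 &&
  ! openssl verify -CAfile ca-certificate.pem -purpose sslserver vpn-client-certificate.pem >/dev/null 2>&1
)
```

    The last check in check_pki is the one that catches a forgotten sed step: a client certificate signed while the config still said serverAuth would verify fine as a server certificate.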

    10.6. Diffie-Hellman Key Agreement Protocol

    The Diffie-Hellman Key Agreement protocol (http://www.rsa.com/rsalabs/node.asp?id=2248) allows two users to agree on a secret key over an insecure medium without any prior shared secret. We need the Diffie-Hellman parameter file only on the server side of our VPN. It can be created with the following command:

    linux_VPN_Server:~# openssl dhparam -out dh.pem 1024

    Note that 1024-bit Diffie-Hellman parameters are considered weak by today's standards; 2048 bits is the usual minimum for new deployments.

    10.7. Creating configuration files

    The OpenVPN configuration files will look similar to those we created in the previous sections, where we built a virtual private network using Symmetric Key Encryption. Create files named openvpn-server.conf and openvpn-client.conf with the following content:

    OpenVPN Server config file. Create an openvpn-server.conf file with the following content:

    # OpenVPN server configuration file example
    local 10.1.1.3
    dev tun
    server 192.168.0.0 255.255.0.0
    ca ca-certificate.pem
    cert vpn-server-certificate.pem
    key privkey.pem
    dh dh.pem
    push "redirect-gateway"
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    user openvpn
    group openvpn
    daemon

    Explanation of OpenVPN configuration directives

    dev - use a TUN virtual network device
    server - assign IP addresses to the clients from a given subnet
    ca - path to the Certificate Authority's certificate
    cert - path to the vpn-server's signed certificate
    key - path to the vpn-server's private key
    dh - path to the Diffie-Hellman Key Agreement file
    remote - specifies the IP address or name of a VPN Server
    ifconfig - specifies the local and remote endpoint
    secret - path to the pre-shared static key file
    comp-lzo - enable fast LZO data compression
    push - push a config option to the clients. Available options are: --route, --route-gateway, --route-delay, --redirect-gateway, --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --persist-key, --persist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
    keepalive - keep the connection alive by sending a regular ping packet. In this case the ping packet is sent every 10 seconds and a reply packet must come within 60 seconds, otherwise assume that the other endpoint is down.

    OpenVPN Client config file. Create an openvpn-client.conf file with the following content:

    # OpenVPN client configuration file example
    client
    dev tun
    remote 10.1.1.3
    tls-remote 10.1.1.3
    ca ca-certificate.pem
    cert vpn-client-certificate.pem
    key privkey.pem
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    user openvpn
    group openvpn
    daemon

    ping-timer-rem - should be used only on the VPN server side, where OpenVPN is started without an explicit remote IP address; this way the timeout starts only after a VPN client connects.
    persist-tun - do not re-create the TUN virtual network interface after an automatic restart
    persist-key - no need to read the key file again after an automatic restart
    user - run the openvpn tunnel as user openvpn
    group - run the openvpn tunnel as group openvpn
    daemon - once the initialization functions are completed, run in the background as a daemon

    tls-remote makes the client check that the server certificate's Common Name is 10.1.1.3, which is why the CN had to be the server's address; note that tls-remote is deprecated in OpenVPN 2.3 and removed in 2.4, where verify-x509-name replaces it.

    10.8. Start OpenVPN server

    linux_VPN_Server:~# openvpn --config openvpn-server.conf
    linux_VPN_Server:~# ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.0.1  P-t-P:192.168.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    10.9. Start OpenVPN client

    linux_VPN_Client:~# openvpn --config openvpn-client.conf
    linux_VPN_Client:~# ifconfig tun0
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.0.6  P-t-P:192.168.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    linux_VPN_Client:~#

    10.10. Test VPN Connection

    linux_VPN_Client:~# ping 192.168.0.1
    PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
    64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.805 ms
    64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=1.51 ms

    --- 192.168.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.805/1.159/1.513/0.354 ms
    linux_VPN_Client:~#