212.5. OpenVPN
Weight: 2
Description: Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
Key Knowledge Areas:
    OpenVPN
Terms and Utilities:
    /etc/openvpn/
    openvpn
In this lightweight lesson we talk about OpenVPN, but before that let's talk about VPNs themselves.

What is VPN all about?

Imagine that you are working for a company and have been asked to provide secure access to the company LAN for a remote user or a remote branch office. The problem is that the traffic has to cross the internet, which is routed by third parties and cannot be trusted. The solution is a VPN.
A Virtual Private Network (VPN) is a technology used to provide privacy and integrity for network connections that cross an untrusted network.
    It's Virtual...because it behaves as if we had a direct, dedicated link to the computer or network we connect to, even though the packets actually travel over the public internet.
    It's Private...because all our traffic is encrypted and authenticated, so an observer on the path can neither read nor silently modify what is really transferred.
    It's a Network...because the tunnel carries ordinary IP traffic between its two ends, so hosts and whole networks on either side can talk to each other as if they were directly connected.
Typically the tunnel is protected with SSL/TLS, which uses certificates so that the connection is not only encrypted but also established only between parties that can prove their identity.
There are two common types of VPN connections:
    Point to Point (remote access): the most commonly used form. A single remote user connects to the VPN server over their existing internet connection and gets access to the internal network. This is useful for both business and home users. (This is a topology, not to be confused with the PPTP protocol, which is a separate and now insecure tunnelling protocol.)
    Site to Site: mostly used in corporate environments. Since many companies have offices located both nationally and internationally, a site-to-site VPN is used to connect the network of the main office to the networks of the other offices, so that a gateway at each site tunnels traffic for the other sites' LANs. This is also known as an intranet-based VPN.

OpenVPN

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections.
OpenVPN can use a variety of methods, such as pre-shared static keys, certificates, or usernames/passwords, to let clients authenticate to the server. OpenVPN uses the OpenSSL library for its SSL/TLS handshake and its ciphers, and implements many security and control features such as challenge-response authentication, single sign-on capability, load balancing and failover, and running multiple daemons on one host.
By default OpenVPN listens on UDP port 1194, but it can also run over TCP, and running it on TCP port 443 lets it pass through many firewalls that only allow outbound HTTPS.
Let's get started by installing OpenVPN and establishing a VPN connection between two computers.
We use a CentOS machine (192.168.10.147) as the server and an Ubuntu machine (192.168.10.129) as the client. To keep things simple we will use a pre-shared static key instead of generating certificates. First, check whether the package is available from the default CentOS repositories:
    [root@server ~]# yum search openvpn
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: mirrors.maine.edu
     * extras: mirror.clarkson.edu
     * updates: mirror.math.princeton.edu
    Warning: No matches found for: openvpn
    No matches found
It is not in the base repositories, so to install OpenVPN we have to add the EPEL repository first:
    [root@server ~]# yum install epel-release.noarch -y

    [root@server ~]# yum repolist
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: mirror.linux.duke.edu
     * epel: fedora-epel.mirrors.tds.net
     * extras: repos.forethought.net
     * updates: centos.mirror.ndchost.com
    repo id                     repo name                                        status
    base/7/x86_64               CentOS-7 - Base                                   9,911
    docker-ce-stable/x86_64     Docker CE Stable - x86_64                            16
    epel/x86_64                 Extra Packages for Enterprise Linux 7 - x86_64   12,640
    extras/7/x86_64             CentOS-7 - Extras                                   363
    updates/7/x86_64            CentOS-7 - Updates                                1,004
    repolist: 23,934
and then install OpenVPN (the search now finds it in EPEL):
    [root@server ~]# yum search openvpn
    Loaded plugins: fastestmirror, langpacks
    epel/x86_64/metalink                                    |  19 kB  00:00:00
    epel                                                    | 3.2 kB  00:00:00
    (1/3): epel/x86_64/group_gz                             |  88 kB  00:00:02
    (2/3): epel/x86_64/updateinfo                           | 933 kB  00:00:08
    (3/3): epel/x86_64/primary                              | 3.6 MB  00:00:23
    Loading mirror speeds from cached hostfile
     * base: mirrors.maine.edu
     * epel: mirror.clarkson.edu
     * extras: mirror.clarkson.edu
     * updates: mirror.math.princeton.edu
    epel                                                                12642/12642
    =========================================================== N/S matched: openvpn ===========================================================
    NetworkManager-openvpn.x86_64 : NetworkManager VPN plugin for OpenVPN
    NetworkManager-openvpn-gnome.x86_64 : NetworkManager VPN plugin for OpenVPN - GNOME files
    kde-plasma-networkmanagement-openvpn.x86_64 : OpenVPN support for kde-plasma-networkmanagement-extras
    openvpn-auth-ldap.x86_64 : OpenVPN plugin for LDAP authentication
    openvpn-devel.x86_64 : Development headers and examples for OpenVPN plug-ins
    openvpn.x86_64 : A full-featured SSL VPN solution
    stonevpn.noarch : Easy OpenVPN certificate and configuration management

      Name and summary matches only, use "search all" for everything.

    [root@server ~]# yum install openvpn.x86_64 -y
OK, let's generate the shared static key. openvpn --genkey --secret writes a random 2048-bit key to the given file:
    [root@server ~]# openvpn --genkey --secret openvpn.key
    [root@server ~]# ls
    anaconda-ks.cfg  initial-setup-ks.cfg  openvpn.key
    [root@server ~]# cat openvpn.key
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    6149f8d2af7902514d2b8644adfcffbe
    38ddc9d9e098b789a5d0d86b08087354
    5d1da124e366467caca99b441a0a1b23
    1f84f6f62f7cc8e42e032015c4810c9a
    7d6ff4e5d45269c8d33162697993d51f
    b0a2401a67df25d6b509fff1daa1e22d
    f541b06cda4fe022aaa55e7d11d538c4
    36a1328174a37bd664a98d746da180e2
    eefed62516266f54819d6ce2d43595fb
    9f1b05fc0aee8b51248fb070f31c90a7
    a610caaa67e56420ca51067d346d0b5b
    b418e8f054438eb9c0ec3e35b171a0b5
    b0abeeca0090b3204e5d7722ace098b6
    334ba1c2d612b67a51cfbe65d2d38ca5
    3442bfa9e9affb53382897213a801362
    26c466dd85e53c5a37215a90be421e04
    -----END OpenVPN Static key V1-----
Transfer the shared key to the client machine with any method you like, as long as it is protected in transit (scp is fine; verify the host key fingerprint before answering "yes", otherwise a man-in-the-middle could capture the key). Treat this file like a password: anyone who obtains it can decrypt and inject tunnel traffic, so keep it mode 0600 on both machines and never reuse a key that has been published, such as the one above:
    [root@server ~]# scp openvpn.key 192.168.10.129:/root/
    The authenticity of host '192.168.10.129 (192.168.10.129)' can't be established.
    ECDSA key fingerprint is SHA256:GV/PpX9YGvMZTAbuz6w3zBDreokesZHhVSM1zrXmHLw.
    ECDSA key fingerprint is MD5:80:73:95:56:eb:94:6e:f6:45:df:1e:c4:bb:62:f7:9c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.10.129' (ECDSA) to the list of known hosts.
    root@192.168.10.129's password:
    openvpn.key
and check that it arrived on the Ubuntu client:
    root@client:~# ls
    openvpn.key
OK, let's go back to our CentOS server and write the OpenVPN server configuration file:
    [root@server ~]# vi server.conf
    [root@server ~]# cat server.conf
    dev tun
    ifconfig 10.10.10.1 10.10.10.2
    secret openvpn.key
dev tun creates a routed (layer 3) tunnel interface, ifconfig sets our own tunnel address followed by the peer's, and secret points at the static key. Now let's start the OpenVPN server so it can receive connections:
    [root@server ~]# openvpn --config server.conf
    Sat Aug 11 04:28:59 2018 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    Sat Aug 11 04:28:59 2018 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
    Sat Aug 11 04:28:59 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
    Sat Aug 11 04:28:59 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Sat Aug 11 04:28:59 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Sat Aug 11 04:28:59 2018 TUN/TAP device tun0 opened
    Sat Aug 11 04:28:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Sat Aug 11 04:28:59 2018 /sbin/ip link set dev tun0 up mtu 1500
    Sat Aug 11 04:28:59 2018 /sbin/ip addr add dev tun0 local 10.10.10.1 peer 10.10.10.2
    Sat Aug 11 04:28:59 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Sat Aug 11 04:28:59 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
    Sat Aug 11 04:28:59 2018 UDPv4 link remote: [AF_UNSPEC]
Note the two INSECURE warnings: with no cipher directive, OpenVPN 2.4 in static-key mode falls back to the legacy default BF-CBC, a 64-bit block cipher that is vulnerable to the SWEET32 birthday attack on long-lived tunnels. The log itself names the fix, a cipher line with a 128-bit block cipher such as AES-256-CBC, which has to be set identically on both ends because static-key mode does no cipher negotiation. Now it is time for the client configuration:
    root@client:~# apt install openvpn

    root@client:~# vim client.conf
    root@client:~# cat client.conf
    remote 192.168.10.147
    dev tun
    ifconfig 10.10.10.2 10.10.10.1
    secret openvpn.key
It mirrors the server file, with the two tunnel addresses swapped and a remote line pointing at the server. Now let's connect:
    root@client:~# openvpn --config client.conf
    Sat Aug 11 02:39:53 2018 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
    Sat Aug 11 02:39:53 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
    Sat Aug 11 02:39:53 2018 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
    Sat Aug 11 02:39:53 2018 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
    Sat Aug 11 02:39:53 2018 TUN/TAP device tun0 opened
    Sat Aug 11 02:39:53 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Aug 11 02:39:53 2018 /sbin/ip link set dev tun0 up mtu 1500
    Sat Aug 11 02:39:53 2018 /sbin/ip addr add dev tun0 local 10.10.10.2 peer 10.10.10.1
    Sat Aug 11 02:39:53 2018 UDPv4 link local (bound): [undef]
    Sat Aug 11 02:39:53 2018 UDPv4 link remote: [AF_INET]192.168.10.147:1194
    ^CSat Aug 11 02:43:07 2018 event_wait : Interrupted system call (code=4)
    Sat Aug 11 02:43:07 2018 /sbin/ip addr del dev tun0 local 10.10.10.2 peer 10.10.10.1
    Sat Aug 11 02:43:07 2018 SIGINT[hard,] received, process exiting
    root@client:~# openvpn --config client.conf
    Sat Aug 11 02:43:09 2018 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
    Sat Aug 11 02:43:09 2018 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
    Sat Aug 11 02:43:09 2018 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
    Sat Aug 11 02:43:09 2018 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
    Sat Aug 11 02:43:09 2018 TUN/TAP device tun0 opened
    Sat Aug 11 02:43:09 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Aug 11 02:43:09 2018 /sbin/ip link set dev tun0 up mtu 1500
    Sat Aug 11 02:43:09 2018 /sbin/ip addr add dev tun0 local 10.10.10.2 peer 10.10.10.1
    Sat Aug 11 02:43:09 2018 UDPv4 link local (bound): [undef]
    Sat Aug 11 02:43:09 2018 UDPv4 link remote: [AF_INET]192.168.10.147:1194
    Sat Aug 11 02:43:19 2018 Peer Connection Initiated with [AF_INET]192.168.10.147:1194
    Sat Aug 11 02:43:20 2018 Initialization Sequence Completed
As you can see, our virtual private network connection has been established and the two machines can ping each other on the tunnel addresses we assigned. If the ping fails, make sure that UDP port 1194 is open on the server's firewall (firewalld on CentOS, ufw on Ubuntu) and that traffic on the virtual TUN interface used by OpenVPN is not blocked on either the client or the server:
    ### CentOS server
    [root@server ~]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.10.147  netmask 255.255.255.0  broadcast 192.168.10.255
            inet6 fe80::20c:29ff:fe2d:76a6  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:2d:76:a6  txqueuelen 1000  (Ethernet)
            RX packets 17624  bytes 17631188 (16.8 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 4459  bytes 320008 (312.5 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 486  bytes 40650 (39.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 486  bytes 40650 (39.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.10.10.1  netmask 255.255.255.255  destination 10.10.10.2
            inet6 fe80::60a8:4a69:efdf:2e03  prefixlen 64  scopeid 0x20<link>
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 7  bytes 444 (444.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 64  bytes 5268 (5.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
            ether 52:54:00:68:0d:c9  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    virbr0-nic: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether 52:54:00:68:0d:c9  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    [root@server ~]# ping 10.10.10.2
    PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
    64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.808 ms
    64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=0.890 ms
    ^C
    --- 10.10.10.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1003ms
    rtt min/avg/max/mdev = 0.808/0.849/0.890/0.041 ms
    ### Client
    root@client:~# ping 10.10.10.2
    PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
    64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.090 ms
    ^C
    --- 10.10.10.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
    root@client:~# ifconfig
    ens33     Link encap:Ethernet  HWaddr 00:0c:29:03:64:0d
              inet addr:192.168.10.128  Bcast:192.168.10.255  Mask:255.255.255.0
              inet6 addr: fe80::6b27:5482:7f91:fe70/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:441392 errors:0 dropped:0 overruns:0 frame:0
              TX packets:168340 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:434873292 (434.8 MB)  TX bytes:11126119 (11.1 MB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:25627 errors:0 dropped:0 overruns:0 frame:0
              TX packets:25627 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1725455 (1.7 MB)  TX bytes:1725455 (1.7 MB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.10.10.2  P-t-P:10.10.10.1  Mask:255.255.255.255
              inet6 addr: fe80::dbb5:654:4d57:f049/64 Scope:Link
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:636 (636.0 B)

    root@client:~# ping 10.10.10.1
    PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
    64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=1.55 ms
    64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=2.17 ms
    64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=2.05 ms
    ^C
    --- 10.10.10.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2004ms
    rtt min/avg/max/mdev = 1.557/1.928/2.177/0.269 ms
That was the simplest example we could demonstrate for establishing a point-to-point VPN connection between two computers using a shared key. Static-key mode is easy to set up, but it has real limitations: only one client can connect to such a server instance, there is no perfect forward secrecy (whoever obtains the key can decrypt every session ever captured with it), and the key has to be moved to every peer out of band. As we said, we can instead use certificates to run OpenVPN in SSL/TLS mode, which gives per-session keys, mutual authentication and many clients per server, and so protects against snooping at a much higher level. For that we have to install the easy-rsa package and do some extra steps (covered in the LPIC-3 303 course).
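The warnings in the server log and the key-handling caveats above suggest a slightly more careful version of the same static-key setup. The following script is an added example written for this page; it is not part of the original lesson or of the OpenVPN project. It writes a hardened server.conf/client.conf pair for the tunnel used above (same addresses, plus cipher AES-256-CBC and auth SHA256 on both ends, keepalive, and privilege dropping) and lints a config for the weak defaults that triggered the SWEET32 warning and for a key file readable by other users. The function names write_p2p_configs, lint_config and check_key_perms are our own; the demo at the bottom uses an empty stand-in key file instead of a real one so that it runs anywhere.

```shell
#!/bin/sh
# Added example for this page (not from the lesson or the OpenVPN project).
# Writes a hardened static-key point-to-point config pair and lints a config
# for the weak defaults behind the SWEET32 warning seen in the server log.
# write_p2p_configs, lint_config and check_key_perms are names chosen here.

# write_p2p_configs OUTDIR SERVER_IP SERVER_TUN_IP CLIENT_TUN_IP [KEYFILE]
# Produces OUTDIR/server.conf and OUTDIR/client.conf for the tunnel above.
write_p2p_configs() {
    outdir=$1 server_ip=$2 server_tun=$3 client_tun=$4 keyfile=${5:-openvpn.key}
    mkdir -p "$outdir"
    # Settings that must be identical on both ends of a static-key tunnel:
    # static-key mode has no cipher negotiation, so the lesson's three-line
    # config silently fell back to the 64-bit block default (BF-CBC).
    common="dev tun
proto udp
secret $keyfile
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3"
    cat > "$outdir/server.conf" <<EOF
# Static-key point-to-point server (CentOS side)
$common
port 1194
ifconfig $server_tun $client_tun
# Drop root after the TUN device and key are set up (persist-* keep them usable).
user nobody
group nobody
EOF
    cat > "$outdir/client.conf" <<EOF
# Static-key point-to-point client (Ubuntu side; its unprivileged group is nogroup)
$common
remote $server_ip 1194
nobind
ifconfig $client_tun $server_tun
user nobody
group nogroup
EOF
}

# check_key_perms KEYFILE
# The static key is a long-lived shared secret: it must exist and be readable
# by its owner only (mode 0600 or 0400). Prints a finding and returns 1 otherwise.
check_key_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: key file not found"
        return 1
    fi
    # Columns 5-10 of 'ls -l' are the group and other permission bits.
    if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: readable by group/others ($(ls -l "$f" | cut -c1-10)); fix with: chmod 600 $f"
        return 1
    fi
    return 0
}

# lint_config FILE
# Prints one finding per line and returns the number of findings (0 = clean).
lint_config() {
    conf=$1 n=0
    cipher=$(awk '$1 == "cipher" { print $2 }' "$conf")
    case "$cipher" in
        "") echo "$conf: no 'cipher' line, OpenVPN 2.3/2.4 default is BF-CBC (64-bit block, SWEET32)"; n=$((n + 1)) ;;
        BF-*|DES-*|CAST5-*|RC2-*|IDEA-*) echo "$conf: 64-bit block cipher $cipher, use AES-256-CBC"; n=$((n + 1)) ;;
    esac
    auth=$(awk '$1 == "auth" { print $2 }' "$conf")
    case "$auth" in
        ""|SHA1|MD5|none) echo "$conf: weak or default HMAC '${auth:-SHA1}', use auth SHA256"; n=$((n + 1)) ;;
    esac
    key=$(awk '$1 == "secret" { print $2 }' "$conf")
    if [ -n "$key" ]; then
        # Relative 'secret' paths are resolved from the config file's directory.
        case "$key" in /*) ;; *) key="$(dirname "$conf")/$key" ;; esac
        check_key_perms "$key" || n=$((n + 1))
    fi
    return "$n"
}

# Demo in a scratch directory with an empty stand-in key (real target: /etc/openvpn/).
demo=$(mktemp -d)
write_p2p_configs "$demo" 192.168.10.147 10.10.10.1 10.10.10.2
touch "$demo/openvpn.key" && chmod 600 "$demo/openvpn.key"
for c in server client; do
    lint_config "$demo/$c.conf" && echo "$c.conf: clean"
done
```

On the real server, generate the key with openvpn --genkey --secret openvpn.key, chmod 600 it, run write_p2p_configs to write the two files, copy client.conf and the key to the client, and start each side with openvpn --config as in the transcript above; the SWEET32 warning disappears because both ends now agree on AES-256-CBC. Running the lint against the lesson's original three-line server.conf reports the missing cipher and auth lines, which is exactly what the server log complained about. To run the server as a service on CentOS 7 instead of in the foreground, put the files in /etc/openvpn/ and use the package's systemd template units (see README.systemd in the package documentation directory).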

/etc/openvpn/

All OpenVPN configuration files belong under the /etc/openvpn directory, but by default no configuration files are found there. So we should either create new ones from scratch (which is error-prone) or, more easily, copy the sample configuration files from /usr/share/doc/openvpn-<version> into /etc/openvpn and modify them. The static-home.conf and static-office.conf samples correspond to the static-key setup we just built, and README.systemd explains how to start a configuration placed in /etc/openvpn as a systemd service.
    [root@server ~]# tree /usr/share/doc/openvpn-2.4.6/
    /usr/share/doc/openvpn-2.4.6/
    ├── AUTHORS
    ├── ChangeLog
    ├── Changes.rst
    ├── contrib
    │   ├── OCSP_check
    │   │   └── OCSP_check.sh
    │   ├── openvpn-fwmarkroute-1.00
    │   │   ├── fwmarkroute.down
    │   │   ├── fwmarkroute.up
    │   │   └── README
    │   ├── pull-resolv-conf
    │   │   ├── client.down
    │   │   └── client.up
    │   └── README
    ├── COPYING
    ├── COPYRIGHT.GPL
    ├── management-notes.txt
    ├── README
    ├── README.auth-pam
    ├── README.down-root
    ├── README.systemd
    └── sample
        ├── sample-config-files
        │   ├── client.conf
        │   ├── firewall.sh
        │   ├── home.up
        │   ├── loopback-client
        │   ├── loopback-server
        │   ├── office.up
        │   ├── openvpn-shutdown.sh
        │   ├── openvpn-startup.sh
        │   ├── README
        │   ├── roadwarrior-client.conf
        │   ├── roadwarrior-server.conf
        │   ├── server.conf
        │   ├── static-home.conf
        │   ├── static-office.conf
        │   ├── tls-home.conf
        │   ├── tls-office.conf
        │   ├── xinetd-client-config
        │   └── xinetd-server-config
        ├── sample-scripts
        │   ├── auth-pam.pl
        │   ├── bridge-start
        │   ├── bridge-stop
        │   ├── ucn.pl
        │   └── verify-cn
        └── sample-windows
            └── sample.ovpn

    8 directories, 41 files
Keep this information in mind for the LPIC-3 course.
That's all folks!

Congratulations, we have finished LPIC-2 202! Don't forget to give a star and donate :-)
