
Laying virtual networks

A lot of water has flowed under the bridge since the Internet (or rather, ARPAnet) was a small American network. Today the network is a big, unsafe place, and protecting your data is one of the priorities. In this little opus I will tell you how to be a bit less afraid.


1. Suppose ...


We have two wonderful workplaces, one in the office at work and the other at home. And we have a task: how to conveniently take files from work to home and from home to work. Carry them on a CD? Inconvenient. Carry them on a flash drive? It is a pain to copy them every time. And what if you don't know in advance which files you will need today? Carry everything at once? Not an option. Especially now, in the 21st century, when the Internet is faster than ever and there are unlimited plans in almost every city (well, if not yet, then in the foreseeable future there certainly will be). So what to do? Join the computers into a local network and quietly copy files, connect to the remote desktop and even play games (well, you never know, someone may want to).

2. What ...


With the help of the free program OpenVPN we will join our two computers (and possibly more) into a single virtual network. All transmitted data will be securely encrypted using Blowfish with a key of up to 448 bits (breaking it with the current power of computers is simply unrealistic).
OpenVPN is best installed together with the GUI. You can download all of this from the official OpenVPN GUI site.

3. How to ...


So, we have two computers. One of them has an external IP address (most likely the home one, because in offices people usually sit behind firewalls), and the other is hidden behind NAT. Clearly it will be difficult to connect to the computer hidden behind NAT, especially if you want to download files from it. Therefore we choose the home computer as the OpenVPN server, and our office PC will be the client. So let's get started.

4. Installation


Installing OpenVPN is simple and requires no special knowledge: Next, Next, Next, Finish. The configuration is much more interesting.

5. Technical description of the task


Preparation is complete. Now it is time to describe technically how all this will work.
We have:
Home computer A with external address $HOMEIP;
Office computer B, which sits behind a firewall and has no external address.
We need:
Office computer B should connect to computer A over TCP on port 12345. The virtual network will use 10.0.1.0/24, where 10.0.1.1 is the home computer and 10.0.1.2 is the office one. Authentication is by certificates, without any passwords.

6. Server


OpenVPN is installed by default in C:\Program Files\OpenVPN. Start the console (cmd.exe), go to the directory C:\Program Files\OpenVPN\easy-rsa and run init-config.bat there.

C:\Program Files\OpenVPN\easy-rsa>init-config.bat

C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
        1 file(s) copied.

C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
        1 file(s) copied.

Now open the vars.bat configuration file and bring it to the following form:
@echo off
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl.cnf
set KEY_DIR=keys
set KEY_SIZE=2048
set KEY_COUNTRY=RU
set KEY_PROVINCE=MSK
set KEY_CITY=Moskow
set KEY_ORG=Kremlin
set KEY_EMAIL=none@net.com

Here:
KEY_DIR - directory where the keys will be stored;
KEY_SIZE - length of the RSA key used for signing;
KEY_COUNTRY - country code;
KEY_PROVINCE - region code (province, oblast, etc.);
KEY_CITY - city;
KEY_ORG - organization;
KEY_EMAIL - e-mail address.
Now, to generate the necessary keys and certificates, run the following commands one after another:
vars.bat
clean-all.bat
build-ca.bat
build-dh.bat
build-key-server.bat homepc

As a result, the console will have something like this:
C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
        1 file(s) copied.
        1 file(s) copied.

C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...+++
....................+++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [MSK]:
Locality Name (eg, city) [Moskow]:
Organization Name (eg, company) [Kremlin]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [none@net.com]:

C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+........++*

C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat homepc
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...........................................................+++
.......................+++
writing new private key to 'keys\homepc.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [MSK]:
Locality Name (eg, city) [Moskow]:
Organization Name (eg, company) [Kremlin]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:homepc
Email Address [none@net.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :PRINTABLE:'MSK'
localityName :PRINTABLE:'Moskow'
organizationName :PRINTABLE:'Kremlin'
commonName :PRINTABLE:'homepc'
emailAddress :IA5STRING:'none@net.com'
Certificate is to be certified until Aug 11 12:51:16 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Key generation for the server is complete. Copy the files ca.crt, homepc.key, homepc.crt and dh2048.pem from the OpenVPN\easy-rsa\keys directory to the OpenVPN\config directory. Then create the OpenVPN server config OpenVPN\config\server.ovpn (if you have Vista, first create the config somewhere else, for example on the desktop, and then copy it into the config directory). Put the following into it:
############################
# OpenVPN operating mode: server
mode server
# this end is the TLS server
tls-server
# transport protocol: udp or tcp-server
proto tcp-server
# device type: TUN is a routed (IP) tunnel, TAP is a bridged (Ethernet) one
dev tap
# port to listen on
port 12345
# CA certificate
ca ca.crt
# server certificate
cert homepc.crt
# server private key
key homepc.key
# Diffie-Hellman parameters
dh dh2048.pem
# virtual address and netmask of this end
ifconfig 10.0.1.1 255.255.255.0
# log verbosity, 3 is enough
verb 3
# key size in bits, 256
keysize 256
# cipher, Blowfish
cipher BF-CBC
# LZO compression
comp-lzo

Save it, then right-click it and choose to start it with OpenVPN (or "Open with OpenVPN" if the config has the .txt extension). The server will start and be ready to accept connections.

7. Client


For the client we will generate a single file containing the keys and certificates it needs. To do this, in the server console (for example, right after generating the server keys) run vars.bat and then build-key-pkcs12.bat officepc. We get something like this:
C:\Program Files\OpenVPN\easy-rsa>build-key-pkcs12.bat officepc
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
................................................................................
.......+++
...+++
writing new private key to 'keys\officepc.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) [MSK]:
Locality Name (eg, city) [Moskow]:
Organization Name (eg, company) [Kremlin]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:officepc
Email Address [none@net.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'RU'
stateOrProvinceName :PRINTABLE:'MSK'
localityName :PRINTABLE:'Moskow'
organizationName :PRINTABLE:'Kremlin'
commonName :PRINTABLE:'officepc'
emailAddress :IA5STRING:'none@net.com'
Certificate is to be certified until Aug 11 13:17:22 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

C:\Program Files\OpenVPN\easy-rsa>

Note! You do not have to enter a password at the last stage of generation. Personally, I just pressed Enter.
Now copy the officepc.p12 file from the OpenVPN\easy-rsa\keys directory to the OpenVPN\config directory LOCATED ON THE CLIENT'S MACHINE. Then create a config on the client's machine, for example client.ovpn, with the following contents:
# device type, must match the server
dev tap
# this end is the TLS client
tls-client
# server address and port
remote $HOMEIP 12345
# transport protocol, paired with tcp-server on the server
proto tcp-client
# virtual address and netmask of this end
ifconfig 10.0.1.2 255.255.255.0
# LZO compression
comp-lzo
# log verbosity
verb 3
# PKCS#12 bundle with the CA certificate, client certificate and client key
pkcs12 officepc.p12
# key size in bits, must match the server
keysize 256
# cipher, must match the server
cipher BF-CBC

That's it. Setup is finished. Run the configuration file on the client (open with OpenVPN). Our virtual network is ready.
PS If I have left something out or some points are unclear, I will add to and expand the post. You're welcome :)
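Before the two configs from sections 6 and 7 are used, it is worth checking them against each other: a mismatched proto, port, cipher or keysize gives a tunnel that never comes up, a file referenced by the wrong name gives a startup error, and a private key copied to the wrong machine gives a much quieter problem. The script below is an added example, not part of the original post and not an OpenVPN tool; it parses copies of the article's server and client configs (203.0.113.10 stands in for $HOMEIP), checks that the two sides agree, that every key/cert file a config names is present in that machine's OpenVPN\config directory (the directory listings are constructed, with ca.key deliberately placed on the client to show the check firing), and flags settings a reviewer would raise: the 64-bit block of BF-CBC, the absence of tls-auth, and the absence of remote-cert-tls on the client.

```python
"""Pair-consistency and hardening lint for an OpenVPN server/client config pair.

Added example; not from the original post, not OpenVPN's own tooling. The two
.ovpn texts copy the article's configs, the directory listings are constructed.
"""
from ipaddress import IPv4Interface

SERVER_OVPN = """
mode server
tls-server
proto tcp-server
dev tap
port 12345
ca ca.crt
cert homepc.crt
key homepc.key
dh dh2048.pem
ifconfig 10.0.1.1 255.255.255.0
verb 3
keysize 256
cipher BF-CBC
comp-lzo
"""

CLIENT_OVPN = """
dev tap
tls-client
remote 203.0.113.10 12345
proto tcp-client
ifconfig 10.0.1.2 255.255.255.0
comp-lzo
verb 3
pkcs12 officepc.p12
keysize 256
cipher BF-CBC
"""

# Constructed listings of each machine's OpenVPN\config directory.
SERVER_DIR = {"server.ovpn", "ca.crt", "homepc.crt", "homepc.key", "dh2048.pem"}
CLIENT_DIR = {"client.ovpn", "officepc.p12", "ca.key"}  # ca.key copied here by mistake

FILE_OPTIONS = ("ca", "cert", "key", "dh", "pkcs12", "tls-auth")  # options naming a file
MUST_MATCH = ("dev", "cipher", "keysize")                          # identical on both ends
PEER_PROTO = {"tcp-server": "tcp-client", "udp": "udp"}            # server proto -> client proto


def parse_ovpn(text):
    """Map each option name to the list of argument lists it was given with.

    Repeated options are kept so duplicates (e.g. comp-lzo twice) can be reported.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment or blank line
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def first(opts, name):
    """Arguments of the first occurrence of an option, or None if absent."""
    return opts[name][0] if name in opts else None


def lint_pair(server_text, client_text, server_dir, client_dir):
    """Return a list of findings; an empty list means the pair is consistent and hardened."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []

    for side, opts, listing in (("server", s, server_dir), ("client", c, client_dir)):
        for name, occurrences in opts.items():
            if len(occurrences) > 1:
                out.append(f"{side}: option {name!r} repeated {len(occurrences)} times")
        for name in FILE_OPTIONS:
            for args in opts.get(name, []):
                if args and args[0] not in listing:
                    out.append(f"{side}: {name} names {args[0]!r}, which is not in the config dir")
        if "ca.key" in listing:
            out.append(f"{side}: ca.key is in the config dir; the CA private key is needed only "
                       "where certificates are signed and should stay in easy-rsa\\keys")

    sproto = (first(s, "proto") or [""])[0]
    cproto = (first(c, "proto") or [""])[0]
    if PEER_PROTO.get(sproto) != cproto:
        out.append(f"proto mismatch: server {sproto!r} needs client "
                   f"{PEER_PROTO.get(sproto)!r}, got {cproto!r}")

    port = (first(s, "port") or [""])[0]
    remote = first(c, "remote") or []
    if len(remote) < 2 or remote[1] != port:
        out.append(f"port mismatch: server listens on {port!r}, client remote is {remote}")

    for name in MUST_MATCH:
        if first(s, name) != first(c, name):
            out.append(f"{name} differs: server {first(s, name)} vs client {first(c, name)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("comp-lzo is enabled on one side only")

    sif, cif = first(s, "ifconfig"), first(c, "ifconfig")
    if sif and cif:  # "10.0.1.1 255.255.255.0" -> IPv4Interface("10.0.1.1/255.255.255.0")
        sa, ca = IPv4Interface("/".join(sif)), IPv4Interface("/".join(cif))
        if sa.network != ca.network:
            out.append(f"ifconfig: {sa} and {ca} are not on the same subnet")
        elif sa.ip == ca.ip:
            out.append(f"ifconfig: both ends use {sa.ip}")

    cipher = (first(s, "cipher") or [""])[0]
    if cipher.upper().startswith("BF-"):
        out.append("cipher BF-CBC: Blowfish has a 64-bit block, so a long-lived tunnel carrying "
                   "gigabytes reaches the birthday bound; current OpenVPN releases no longer "
                   "enable it by default, prefer an AES cipher")
    if "tls-auth" not in s or "tls-auth" not in c:
        out.append("no tls-auth: the TLS handshake is reachable by anyone who can hit the port; "
                   "add a shared HMAC key on both sides")
    if "remote-cert-tls" not in c:
        out.append("client lacks 'remote-cert-tls server': any certificate the CA signed, "
                   "including another client's, would be accepted as the server")
    return out


if __name__ == "__main__":
    for finding in lint_pair(SERVER_OVPN, CLIENT_OVPN, SERVER_DIR, CLIENT_DIR):
        print("-", finding)
```

Run it as a script to print the findings for the article's pair; as written it reports the stray ca.key on the client plus the three hardening points, and no pairing errors. Point `SERVER_OVPN`/`CLIENT_OVPN` and the two directory sets at real files and `os.listdir()` output to lint your own pair.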

Source: https://habr.com/ru/post/36845/

