⬆️ ⬇️

The book "Linux in action"

image Hello, habrozhiteli! In the book, David Clinton describes 12 real-world projects, including automating a backup and recovery system, setting up a personal Dropbox-style file cloud, and creating your own MediaWiki server. With interesting examples, you will learn about virtualization, disaster recovery, security, backup, deploying DevOps, and troubleshooting system problems. Each chapter ends with a review of practical recommendations, a glossary of new terms, and exercises.



Excerpt "10.1. Creating an OpenVPN Tunnel »



In this book, I have already talked a lot about encryption. SSH and SCP can protect data transmitted through remote connections (chapter 3), file encryption allows you to protect data when stored on the server (chapter 8), and TLS / SSL certificates can protect data during transmission between sites and client browsers (chapter 9). But sometimes your data requires protection in a wider range of connections. For example, it’s possible that some members of your team have to work on the road, connecting to the network via Wi-Fi through public access points. You should definitely not assume that all such access points are safe, but your people really need a way to connect to company resources - in which case a VPN will help.



A properly designed VPN tunnel provides a direct connection between remote clients and the server in such a way as to hide data when it is transmitted over an insecure network. So what? You have already seen many tools that can do this with encryption. The real value of a VPN is that by opening the tunnel, you can connect remote networks as if they were all together local. In a sense, you are using a bypass.

')

Using such an extended network, administrators can do their work on their servers from anywhere. But, more importantly, a company with resources distributed across several branches can make them all visible and accessible to all groups that need them, wherever they are (Fig. 10.1).



The tunnel itself does not guarantee security. But one of the encryption standards can be included in the network structure, which significantly increases the level of security. Tunnels created using the OpenVPN open source package use the same TLS / SSL encryption that you already read about. OpenVPN is not the only option available for tunneling, but one of the most famous. It is believed to be slightly faster and safer than an alternative layer 2 tunneling protocol that uses IPsec encryption.



Do you want everyone in your team to communicate safely with each other while on the road or working in different buildings? To do this, you must create an OpenVPN server to allow application sharing and access to the server’s local network environment. For this to work, it is enough to start two virtual machines or two containers: one for acting as a server / host, and the other for the client. Creating a VPN is not an easy process, so it’s probably worth spending a few minutes to get the big picture.



image


10.1.1. Configuring OpenVPN Server



Before you begin, I will give you useful advice. If you are going to do everything yourself (and I highly recommend it to you), you will probably find that you are working with several terminal windows open on the Desktop, each of which is connected to its machine. There is a risk that at some point you will enter the wrong command in the window. To avoid this, you can use the hostname command to change the machine name displayed on the command line to something that will clearly tell you where you are. As soon as you do this, you will need to exit the server and log in again for the new settings to take effect. Here's what it looks like:



image


Adhering to this approach and assigning the corresponding names to each of the machines you work with, you can easily track where you are.



After using hostname, you may encounter annoying Unable to Resolve Host OpenVPN-Server messages when you run the following commands. Updating the / etc / hosts file with the corresponding new host name should fix the problem.


Preparing Your Server for OpenVPN



Installing OpenVPN on your server requires two packages: openvpn and easy-rsa (to control the process of generating the encryption key). If necessary, CentOS users must first install the epel-release repository, as you did in chapter 2. To be able to check access to the server application, you can also install the Apache web server (apache2 for Ubuntu and httpd on CentOS).



While you are setting up the server, I advise you to activate a firewall that blocks all ports except 22 (SSH) and 1194 (the default OpenVPN port). This example illustrates how ufw will work on Ubuntu, but I'm sure you still remember the firewall CentOS program from chapter 9:



# ufw enable # ufw allow 22 # ufw allow 1194 


To allow internal routing between network interfaces on the server, you need to uncomment one line (net.ipv4.ip_forward = 1) in the /etc/sysctl.conf file. This will allow you to redirect remote clients as needed after they connect. To make the new parameter work, run sysctl -p:



 # nano /etc/sysctl.conf # sysctl -p 


Now the server environment is fully configured, but there is something else to be done before you are ready: you will have to complete the following steps (we will consider them in more detail below).



  1. Create a key set on the server for encrypting the public key infrastructure (PKI) using the scripts that come with the easy-rsa package. In essence, the OpenVPN server also acts as its own certification authority (CA).
  2. Prepare the appropriate keys for the client
  3. Configure the server.conf file for the server
  4. Configure your OpenVPN client
  5. Check your VPN


Encryption Key Generation



In order not to complicate your life, you can configure your key infrastructure on the same machine where the OpenVPN server is running. However, security recommendations typically suggest using a separate CA server for deployments in a production environment. The process of generating and allocating encryption key resources for use in OpenVPN is illustrated in Fig. 10.2.



image


When you installed OpenVPN, the directory / etc / openvpn / was automatically created, but there is nothing in it yet. The openvpn and easy-rsa packages come with sample template files that you can use as the basis for your configuration. To start the certification process, copy the easy-rsa template directory from / usr / share / to / etc / openvpn and change to the easy-rsa / directory:



 # cp -r /usr/share/easy-rsa/ /etc/openvpn $ cd /etc/openvpn/easy-rsa 


The easy-rsa directory will now contain quite a few scripts. In the table. 10.1 lists the tools that you will use to create keys.



image


These operations require root authority, so through sudo su you need to become root.


The first file you will work with is called vars and contains the environment variables that easy-rsa uses when generating keys. You need to edit the file to use your own values ​​instead of the default values ​​that already exist. This is what my file will look like (Listing 10.1).



Listing 10.1. The main fragments of the file / etc / openvpn / easy-rsa / vars



 export KEY_COUNTRY="CA" export KEY_PROVINCE="ON" export KEY_CITY="Toronto" export KEY_ORG="Bootstrap IT" export KEY_EMAIL="info@bootstrap-it.com" export KEY_OU="IT" 


Running the vars file will allow you to transfer its values ​​to the shell environment, from where they will be included in the contents of your new keys. Why doesn't the sudo command alone work? Because at the first stage, we edit the script named vars, and then apply it. Application and means that the vars file transfers its values ​​to the shell environment, from where they will be included in the contents of your new keys.



Be sure to re-run the file using the new shell to complete the unfinished process. When this is done, the script will prompt you to run another script, clean-all, to remove any content in the / etc / openvpn / easy-rsa / keys / directory:



image


Naturally, the next step is to run the clean-all script, followed by build-ca, which uses the pkitool script to create the root certificate. You will be asked to confirm the authentication settings provided by vars:



 # ./clean-all # ./build-ca Generating a 2048 bit RSA private key 


Next comes the build-key-server script. Since it uses the same pkitool script along with the new root certificate, you will see the same questions to confirm the creation of the key pair. The keys will be given names based on the arguments you pass, which, unless you start several VPNs on this computer, will usually be server, as in the example:



 # ./build-key-server server [...] Certificate is to be certified until Aug 15 23:52:34 2027 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 


OpenVPN uses the parameters generated by the Diffie-Hellman algorithm (using build-dh) to negotiate authentication for new connections. The file created here should not be secret, but must be generated using the build-dh script for the RSA keys that are currently active. If you create new RSA keys in the future, you will also need to update the file based on the Diffie-Hellman algorithm:



 # ./build-dh 


Your server-side keys will now be in the / etc / openvpn / easy-rsa / keys / directory, but OpenVPN does not know this. By default, OpenVPN will look for keys in / etc / openvpn /, so copy them:



 # cp /etc/openvpn/easy-rsa/keys/server* /etc/openvpn # cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn # cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn 


Preparing client encryption keys



As you have already seen, TLS encryption uses pairs of corresponding keys: one is installed on the server, and the other on the remote client. This means that you will need client keys. Our old friend pkitool is exactly what you need for this. In this example, running the program in the directory / etc / openvpn / easy-rsa /, we pass the client argument to it to generate files called client.crt and client.key:



 # ./pkitool client 


The two client files, along with the original ca.crt file, which is still in the keys / directory, should now be transferred safely to your client. Due to their affiliation and access rights, this may not be so easy. The easiest approach is to manually copy the contents of the source file (and nothing but this content) to the terminal running on the desktop of your PC (select the text, right-click on it and select Copy from the menu). Then paste this into a new file with the same name that you create in the second terminal connected to your client.



But anyone can cut and paste. Instead, think as an administrator, because you will not always have access to the GUI, where a cut / paste operation is possible. Copy the files to your user's home directory (so that the remote scp operation can access them), and then use chown to change the owner of the files from root to a regular non-root user so that the remote scp action can be performed. Make sure that all of your files are currently installed and accessible. You will move them to the client a bit later:



 # cp /etc/openvpn/easy-rsa/keys/client.key /home/ubuntu/ # cp /etc/openvpn/easy-rsa/keys/ca.crt /home/ubuntu/ # cp /etc/openvpn/easy-rsa/keys/client.crt /home/ubuntu/ # chown ubuntu:ubuntu /home/ubuntu/client.key # chown ubuntu:ubuntu /home/ubuntu/client.crt # chown ubuntu:ubuntu /home/ubuntu/ca.crt 


With a complete set of encryption keys ready for action, you need to tell the server how you want to create a VPN. This is done using the server.conf file.



Reduce the number of keystrokes



Too much to print? An extension with brackets will help reduce these six commands to two. I am sure that you can study these two examples and understand what is happening. More importantly, you can understand how to apply these principles to operations involving dozens or even hundreds of elements:



 # cp /etc/openvpn/easy-rsa/keys/{ca.crt,client.{key,crt}} /home/ubuntu/ # chown ubuntu:ubuntu /home/ubuntu/{ca.crt,client.{key,crt}} 




Setting up the server.conf file



How can you know what the server.conf file should look like? Remember the easy-rsa directory template that you copied from / usr / share /? When installing OpenVPN, a compressed configuration template file remained, which you can copy to / etc / openvpn /. I will build on the fact that the template has been archived and introduce you to a useful tool: zcat.



You already know about displaying the text content of a file using the cat command, but what if the file is compressed using gzip? You can always unzip the file, and then cat will gladly display it, but this is one or two steps more than necessary. Instead, as you probably already guessed, you can enter the zcat command to load the unpacked text into memory in one step. In the following example, instead of printing text on the screen, you redirect it to a new file called server.conf:



 # zcat \ /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \ > /etc/openvpn/server.conf $ cd /etc/openvpn 


We leave aside the extensive and useful documentation that came with the file and see how it might look when you finish editing. Note that the semicolon (;) tells OpenVPN not to read or execute the next line (Listing 10.2).



image


Let's go through some of these settings.





In addition, the client-to-client value is also often added to the configuration file so that several clients can see each other in addition to the OpenVPN server. If you are satisfied with your configuration, then you can start the OpenVPN server:



 # systemctl start openvpn 


Due to the changing nature of the relationship between OpenVPN and systemd, the following syntax may sometimes be required to start a service: systemctl start openvpn @ server.


Running ip addr to display the list of network interfaces of your server should now display a link to a new interface named tun0. OpenVPN will create it to serve incoming clients:



 $ ip addr [...] 4: tun0: mtu 1500 qdisc [...] link/none inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0 valid_lft forever preferred_lft forever 


You may need to restart the server before everything starts working completely. The next stop is the client computer.



10.1.2. OpenVPN Client Configuration



Traditionally, tunnels are built with at least two exits (otherwise we would call them caves). A properly configured OpenVPN on the server directs traffic to and from the tunnel on the one hand. But you also need some kind of client-side software, that is, on the other end of the tunnel.



In this section, I am going to focus on manually configuring a Linux computer of one type or another to work as an OpenVPN client. But this is not the only way in which such an opportunity is available. OpenVPN supports client applications that can be installed and used on desktop computers and laptops with Windows or macOS, as well as on smartphones and tablets based on Android and iOS. See openvpn.net for details.



The OpenVPN package will need to be installed on the client computer, as it was installed on the server, although there is no need for easy-rsa, since the keys you use already exist. You need to copy the client.conf template file to the / etc / openvpn / directory that you just created. This time the file will not be archived, so the regular cp command will do this task perfectly:



 # apt install openvpn # cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf \ /etc/openvpn/ 


Most of the settings in your client.conf file will be pretty straightforward: they should match the values ​​on the server. As you can see from the following sample file, the unique parameter is remote 192.168.1.23 1194, which tells the client the IP address of the server. Again, make sure this is the address of your server. You must also force the client computer to authenticate the server certificate to prevent a possible man-in-the-middle attack. One way to do this is to add the line remote-cert-tls server (Listing 10.3).



image


Now you can go to the / etc / openvpn / directory and extract the certification keys from the server. Replace the server IP address or domain name in the example with your values:



image


Nothing exciting is likely to happen until you run OpenVPN on the client. Since you need to pass a couple of arguments, you will do it from the command line. The --tls-client argument tells OpenVPN that you will act as a client and connect using TLS encryption, and --config points to your configuration file:



 # openvpn --tls-client --config /etc/openvpn/client.conf 


Carefully read the output of the command to make sure that you are connected correctly. If for the first time something goes wrong, it may be due to a mismatch between the settings between the server and client configuration files or a network connection / firewall problem. Here are some troubleshooting tips.





about the author



David Clinton is a system administrator, teacher and writer. He administered, wrote about it and created training materials for many important technical disciplines, including Linux systems, cloud computing (in particular AWS) and container technologies such as Docker. He wrote the book Learn Amazon Web Services in a Month of Lunches (Manning, 2017). Many of his video tutorials can be found on Pluralsight.com, and links to his other books (on Linux administration and server virtualization) are available at bootstrap-it.com .



»More details on the book can be found on the publisher’s website

» Contents

» Excerpt



25% off coupon for hawkers - Linux

Upon payment of the paper version of the book, an electronic book is sent by e-mail.

Source: https://habr.com/ru/post/461879/



All Articles