
How do I setup VPN server in Linux

As we are all aware of network security and the risks of sharing files over the internet, a VPN is a good option for accessing our files over the public network while still using all the resources hosted in the office network. Here I'm using the community edition of the "openvpn" application, which has no limit on the number of users. Installation is fairly easy and well documented on their site.

Before installing the VPN server, I would like to say that you must have a good understanding of networking, routing concepts, IPTABLES and SSL certificate generation, so you need to spend some time reading tutorials first.

Here we go,

In OpenVPN there are two tunneling mechanisms used for the VPN:
1. IP routing (recommended)
2. Ethernet bridging

I found that Ethernet bridging is not the right choice if you are installing the VPN on a remote server where only ssh access is allowed: creating the bridge can make the server vanish from the network during installation and require physical access to repair. An IP routing install is fairly easy and doesn't affect other services running on the server.

My post uses the IP routing mechanism to install the VPN.

1. Download the OpenVPN source files from the site. Furthermore, if you are building your own binary, you need the following packages to be installed first:
* openssl-devel
* lzo-devel
* pam-devel

# wget http://swupdate.openvpn.net/community/releases/openvpn-2.1.4.tar.gz
# tar -zxvf openvpn-2.1.4.tar.gz
# yum install bridge*
# yum install gcc
# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz
# tar -zxvf lzo-2.04.tar.gz
# cd lzo-2.04
# sh configure && make && make install
# cd ..
# yum install openssl*
# cd openvpn-2.1.4
# sh configure && make && make install
# mkdir /etc/openvpn
# cp -r easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/

The folder "easy-rsa" contains all the scripts required for the initial SSL setup, and the output is stored in the "keys" folder under the same directory.

Let me explain some of the scripts (/etc/openvpn/easy-rsa/2.0/) we are working with:

a. vars: This file stores the SSL information/environment variables required for all SSL cert generation, like Country, Province, City, Organization name, email address etc. You need to source this file before executing the other scripts.
b. clean-all: This script wipes out all the information/config about the VPN server (the whole keys directory).
c. build-ca: This creates the Certificate Authority that signs all the SSL certs issued for this VPN server.
d. build-key-server: This creates the VPN server certificate and private key files (note that the private key must be kept in a secure place).
e. build-dh: Generates the Diffie-Hellman parameters.
f. build-key: Used for creating client certificates.

1. Preparing environment variables

# cd /etc/openvpn/easy-rsa/2.0/
# chmod -R 755 /etc/openvpn/easy-rsa/2.0/
# vi vars

Change the parameters to your values and save it.
Eg.
export KEY_COUNTRY="IN"
export KEY_PROVINCE="Kerala"
export KEY_CITY="Trivandrum"
export KEY_ORG="Company Name"
export KEY_EMAIL="liju@serveridol.com"

[root@rc-047 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/key

2. Create your CA

# ./build-ca

Generating a 1024 bit RSA private key
..........................++++++
......................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [Kerala]:
Locality Name (eg, city) [Trivandrum]:
Organization Name (eg, company) [MyCompany]:
Organizational Unit Name (eg, section) []: IT
Common Name (eg, your name or your server's hostname) []:vpnhost.serveridol.com
Email Address [liju@serveridol.com]:

$ ls -l keys
total 6

-rw-r--r--  1 liju  liju  1151 Nov 27 19:01 ca.crt
-rw-------  1 liju  liju   887 Nov 27 19:01 ca.key
-rw-r--r--  1 liju  liju   113 Nov 27 19:00 index.txt
-rw-r--r--  1 liju  liju     3 Nov 27 19:00 serial

3. Create the OpenVPN server certificate

# ./build-key-server vpnhost.serveridol.com

This will guide you through a series of questions; answer them accordingly. The final steps look like this.

Certificate is to be certified until Mar 22 19:19:09 2011 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Create the Diffie-Hellman parameters for your server

[root@rc-090 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
[root@rc-090 2.0]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time …………………….+…………………..+……………………………………………………………………………………………………………+………………….+………..+………+……………………………………………………………………………………………………..+………+…++*++*++*

[root@rc-47 2.0]# ls -la /etc/openvpn/easy-rsa/2.0/keys/dh*
-rw-r--r-- 1 root root 245 Mar 24 17:32 /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
[root@rc-047 2.0]#

5. Create a client certificate

We need to generate an SSL certificate for each client to authenticate. During certificate generation it will ask you to enter a "pass phrase" to lock the key file; you can either set it or leave it blank.

# ./build-key sale-team1

This command prompts for the details required for issuing the SSL certificate; complete them in order. You will get output like this. Note the common name you give, because we need exactly the same name for identifying each client's SSL certificate and for custom policy settings (the client-config-dir file name must match it). The Subject's Distinguished Name is as follows:

countryName           PRINTABLE:'IN'
stateOrProvinceName   PRINTABLE:'Kerala'
localityName          PRINTABLE:'Trivandrum'
organizationName      PRINTABLE:'MyCompany'
commonName            PRINTABLE:'sales1'
emailAddress          :IA5STRING:'sales@serveridol.com'
Certificate is to be certified until Nov 25 19:49:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Next we need to configure the server to load our new SSL generated.

6. Generating tls-auth keys
You can generate a tls-auth file with this command:
[root@rc-047 openvpn]# openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key

7. Revoking a client certificate
We need to revoke one sample client certificate to enable SSL revocation checking in the server configuration file. The command revoke-full creates/updates an entry in the "/etc/openvpn/easy-rsa/2.0/keys/crl.pem" file.
[root@rc-047 2.0]# cd /etc/openvpn/easy-rsa/2.0/
[root@rc-047 2.0]# source vars
[root@rc-047 2.0]# sh revoke-full sale-team1

Verify that the certificate is revoked.

You can verify the VPN connectivity status by opening the log file "/var/log/openvpn.log". While you try to connect to the VPN using the revoked certificate, this log will record the rejected connection. [Screenshot of the log entry in the original post.]

8. Preparing the server configuration file (/etc/openvpn/server.conf)

Here are my network settings:

1. Private LAN: 192.168.0.0/24
2. VPN network: 192.168.10.0/24
3. VPN server IP: 192.168.0.47
4. DNS server: 192.168.0.1 (LAN)

My server configuration file has the following entries:

port 1194
proto udp
dev tun
crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/vpnhost.serveridol.com.crt
key /etc/openvpn/easy-rsa/2.0/keys/vpnhost.serveridol.com.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
server 192.168.10.0  255.255.255.0
keepalive 10 120
client-to-client
comp-lzo
user nobody
group nobody
persist-key
persist-tun
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
status openvpn-status.log
verb 4
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
log /var/log/openvpn.log
log-append /var/log/openvpn.log

Explanations

a. port: VPN port
b. proto: protocol type, TCP or UDP
c. dev: type of tunnel; "tun" is IP routing, which we use here
d. crl-verify: certificate revocation list file, used to reject revoked client certs (optional)
e. ca, cert and key: SSL certificate files for running the VPN server
f. dh: Diffie-Hellman parameters file, used for the key exchange
g. ifconfig-pool-persist: this file keeps a record of the IP leases handed out by the server, so a client gets the same address again across restarts
h. client-config-dir: This is our custom per-client configuration directory. We can assign a static IP to a client. Suppose I have issued an SSL certificate with the common name "sales1" and want to assign a static IP to this user: create a file named "sales1" under the folder "/etc/openvpn/ccd" with the following contents. There are some issues in a Windows environment with certain IP ranges in the per-client "ip settings" config file, explained below.

[root@rc-047 2.0]# cat /etc/openvpn/ccd/sales1
ifconfig-push 192.168.10.21  192.168.10.22

The syntax is "ifconfig-push <VPN client desktop IP> <VPN client desktop gateway>". Because the Windows TAP driver treats each client address as a /30 point-to-point subnet, use only the following IP combinations (last octet of the client IP, last octet of the gateway IP) to build the client config files in the "ccd" folder:

[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
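As an added example (not part of the original post), a small POSIX sh helper that writes ccd files for the server above while enforcing the pairing rule from the table: the client octet must be of the form 4k+1 and the gateway octet the one after it. The VPN prefix 192.168.10 is taken from the post; CCD_DIR and the function names are my own.

```shell
#!/bin/sh
# Constructed helper for generating client-config-dir entries.
# Assumes the VPN network 192.168.10.0/24 from the post; CCD_DIR may be overridden.
VPN_PREFIX="192.168.10"
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# A usable pair is [4k+1, 4k+2]: the client gets 4k+1 and the point-to-point
# "gateway" end of its /30 is 4k+2. Octet 253 is the last valid client octet.
tap30_pair_ok() {
    client=$1; gw=$2
    case "$client" in ''|*[!0-9]*) return 1;; esac
    [ "$client" -ge 1 ] && [ "$client" -le 253 ] || return 1
    [ $(( (client - 1) % 4 )) -eq 0 ] && [ "$gw" -eq $((client + 1)) ]
}

# Print the gateway octet for a client octet, or fail if the octet is not 4k+1.
tap30_gateway_for() {
    client=$1
    tap30_pair_ok "$client" $((client + 1)) || return 1
    echo $((client + 1))
}

# Print the full ifconfig-push line for a client octet (same validation).
ccd_line() {
    gw=$(tap30_gateway_for "$1") || return 1
    printf 'ifconfig-push %s.%s %s.%s\n' "$VPN_PREFIX" "$1" "$VPN_PREFIX" "$gw"
}

# Write CCD_DIR/<common name>; the file name must equal the certificate's CN.
make_ccd() {
    cn=$1; client=$2
    line=$(ccd_line "$client") || {
        echo "octet $client is not a valid /30 client address (need 4k+1)" >&2
        return 1
    }
    mkdir -p "$CCD_DIR" && printf '%s\n' "$line" > "$CCD_DIR/$cn"
}

# Usage, mirroring the "sales1" entry from the post:
#   make_ccd sales1 21    # writes "ifconfig-push 192.168.10.21 192.168.10.22"
#   make_ccd sales2 22    # rejected: 22 is the gateway end of a /30, not a client
```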

i. server: This is the VPN server network. We do not need to assign any static IP to the VPN "tun0" adapter; by default the VPN server uses the first IP of the range, here 192.168.10.1.

j. client-to-client: This option lets clients see each other on the VPN network and share files between them.
k. tls-auth: Adds an HMAC signature to every TLS handshake packet using the shared ta.key, so packets without the correct key are dropped before any TLS processing; this protects the server against DoS floods and brute-force attempts on the TLS layer.

l. status: VPN access log of currently connected clients
m. log / log-append: VPN server log
o. push "route 192.168.0.0 255.255.255.0": pushes a route for the office network to VPN clients once they are connected
p. push "dhcp-option DNS 192.168.0.1": their primary DNS will be this private IP in the VPN host network
q. push "redirect-gateway def1": This option is really important. It forces clients to send all their traffic through our VPN tunnel; otherwise only traffic for the VPN network is encrypted.

It's time to start the VPN server.

9. Start VPN server
[root@rc-047 2.0]# openvpn --cd /etc/openvpn --daemon --config server.conf

How do I verify it is running?
[root@rc-047 openvpn]# netstat -nlp | grep "openvpn"
udp 0 0 0.0.0.0:1194 0.0.0.0:* 5930/openvpn
[root@rc-047 openvpn]#
The udp port 1194 is listening!

Stopping VPN server
[root@rc-047 openvpn]# killall -TERM openvpn

10. Allowing VPN clients to access the office network
Once clients are connected to the VPN server, they can access only the resources available on the VPN host itself. Now I want all the clients to be able to access our office LAN (192.168.0.0/24), so I need to enable routing from the VPN client network to the office network.

Here iptables will help you.

a. Edit the file "/etc/sysctl.conf" and enable IP forwarding in the kernel by setting "net.ipv4.ip_forward" to 1 (run sysctl -p to apply it without a reboot).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

b. Add the following rule to your existing iptables.

# iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
# service iptables save
# chkconfig iptables on

192.168.10.0/24: VPN network
eth0: the interface connected to the office private network

Part II: Preparing the client certificate

[root@rc-047 openvpn]# cd /etc/openvpn/easy-rsa/2.0/
[root@rc-047 openvpn]# source vars
[root@rc-047 openvpn]# ./build-key sumith
Just answer the questions you are asked and ensure that the common name is the same as the file name ("sumith" here). Both names need to be the same for the custom access setup (client-config-dir).

Now you have completed the client SSL setup. It's time to build the client-side config file. Just create a file "sumith-vpn.ovpn" (here) with the following content and save it.

client
dev tun
proto udp
remote <vpn server ip > 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
pull
ns-cert-type server
tls-auth ta.key 1
ca ca.crt
cert sumith.crt
key sumith.key
comp-lzo
verb 4
route-method exe
route-delay 2

Please note that ca, cert, key, tls-auth and remote are the values you need to set. We need to provide a total of 5 files (ca.crt, client .key, client .crt, ta.key and the .ovpn file) to the client.
# cd /etc/openvpn
# mkdir -p client-ssl/sumith
# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/client-ssl/sumith/
# cp /etc/openvpn/easy-rsa/2.0/keys/sumith.key /etc/openvpn/client-ssl/sumith/
# cp /etc/openvpn/easy-rsa/2.0/keys/sumith.crt /etc/openvpn/client-ssl/sumith/
# cp /etc/openvpn/easy-rsa/2.0/keys/ta.key /etc/openvpn/client-ssl/sumith/

Download the OpenVPN client for Windows and go to the folder holding the client certificates you copied from the server. Right-click the file sumith.ovpn and select "Starts vpn server using this config file". Once you are connected, you will see the connection screen.

Try to access your office servers or use the ping command to verify connectivity.

Happy VPNing !! 🙂

7 comments to How do I setup VPN server in Linux

  • Thanks a lot, I'll do it and I'll feed back to you ASAP.
    I'm using CentOS 5.5

    regards and respect

  • romel

    Sample Setup
    Modem Provided by ISP (Public IP) : 120.20.21.42
    Linksys RV04 VPN Router
    Device IP Address : 192.168.254.254 255.255.255.0
    DHCP Range : 192.168.254.100-192.168.254.149
    Centos 5.5 with squid proxy
    eth0 IP: 192.168.254.101 (acquired from RV042 VPN router)
    eth1 IP : 52.212.3.2 255.255.255.0 (LAN IP)
    Currently my network is working and all my clients can also access the internet through squid, but my problem is setting up the VPN so I could access my files on the network with IPs 52.212.3.*/24
    Question:
    1. How Can I Connect to my LAN IP as part of the network once I am connected to RV042 VPN Router?
    2. Can I use openvpn as my client for this setup? If yes. How?
    I read your tutorial on How do I setup VPN server in Linux but I want to be specific on my configuration and also to use my linksys RV042 VPN router as VPN Server instead of Openvpn.
    Thank you very much sir in advance.

    • Hello,

      The best option is to set up a Linux router on another network and use it as the gateway for your LAN users.

      i.e. the RV042 will work as firewall and router for the same network. The Linux router should be placed on another network, as we can't route the same network.

  • Mary Joy Tomas

    Please, can anyone help me with how to set up the Linksys RV042 using squid proxy..

  • Mary Joy Tomas

    @lijum:

    hi, thanks for the response.. i really appreciate it..
    but still this isn't enough.. can you give me a more accurate procedure.. it's not actually me who's going to do it.. i'm just being asked to look for it here on the net.. coz we're having trouble with our net connections just recently.
