{"id":333,"date":"2019-04-12T20:57:22","date_gmt":"2019-04-12T20:57:22","guid":{"rendered":"https:\/\/bootstrap-it.com\/blog\/?p=333"},"modified":"2019-04-12T20:57:22","modified_gmt":"2019-04-12T20:57:22","slug":"securing-your-network-connections-using-openvpn","status":"publish","type":"post","link":"https:\/\/bootstrap-it.com\/blog\/?p=333","title":{"rendered":"Securing your network connections using OpenVPN"},"content":{"rendered":"
<\/a><\/a><\/a><\/a><\/a><\/div>\n

This article, which also appears on my Medium account<\/a>, is excerpted from chapter 10 of my Manning book, <\/em>Linux in Action<\/em><\/a>. Besides the book, you can also work through\u00a0<\/em>Linux in Motion<\/em><\/a>\u200a\u2014\u200aa hybrid course made up of more than two hours of video and around 40% of the text of Linux in Action.<\/em><\/p>\n\n\n\n

They tell us we live in a hyper-mobile world. Not that I\u2019d know: I rarely leave my home office. But of course I only get to enjoy the comforts of my home office because all the server resources I could possibly need are available remotely.<\/p>\n\n\n\n

Apparently I\u2019m not alone. Almost everyone whose work touches IT will access their professional tools from remote locations from time to time. And given that the public networks through which you access those remote locations are by their nature insecure, you\u2019re going to want to carefully control those connections.<\/p>\n\n\n\n

Website encryption is about making sure that the data consumed by your remote clients is reliably transferred and invisible to anyone who might be lurking on the connecting network. VPNs, by sharp contrast, focus on making sure that the data consumed by your remote clients is reliably transferred and invisible to anyone who might be lurking on the connecting network. Do you see the difference? Neither do I.<\/p>\n\n\n\n

In fact, there are all kinds of technologies devoted to securing network communication, and the principle of _defence in depth_ teaches us that you should never rely on just one. So here\u2019s where you\u2019ll learn about _adding new_ layers of protection for your remote activities. Specifically, using encryption to build a virtual private network (VPN) tunnel to permit secure and invisible remote connections.<\/p>\n\n\n\n

Building an OpenVPN tunnel<\/h4>\n\n\n\n

My Linux in Action book<\/a> talks a lot about encryption. SSH and SCP can protect data transferred through remote connections (chapter 3), file encryption can protect data at rest (chapter 8), and TLS\/SSL certificates can protect data in transit between websites and client browsers (chapter 9). But sometimes your requirements demand protection across a broader range of connections, because sometimes you\u2019ve got different kinds of work to do.<\/p>\n\n\n\n

F\u2019rinstance? Some members of your team need to work from the road using public WiFi hotspots. It\u2019s definitely not smart to assume that random WiFi access points are secure, but your people do need a way to connect with company resources. VPNs to the rescue.<\/p>\n\n\n\n

A properly designed VPN tunnel provides a direct connection between remote clients and a server in a way that hides data as it\u2019s transferred across an insecure network. But so what? You\u2019ve already seen lots of tools that can do that using encryption. The real value of a VPN is that once you\u2019ve opened a tunnel, it\u2019s possible to connect remote networks as though they\u2019re all together locally. In a way, you\u2019re circumventing that dodgy coffee shop hot spot.<\/p>\n\n\n\n

Using such an extended network, admins can get their work done on their servers no matter where they might happen to be. But more importantly, as you can see in the figure, a company with resources spread through multiple branch offices can make them all both visible and accessible to all the teams who need them\u2026wherever they are.<\/p>\n\n\n\n

\"\"\/
Tunnel connecting remote private connections through a public network<\/figcaption><\/figure>\n\n\n\n

The mere existence of a tunnel alone doesn\u2019t guarantee security. But one of a number of encryption standards can be incorporated into the design, making things a great deal better. Tunnels built with the open source OpenVPN package use the same TLS\/SSL encryption you\u2019ve already seen in use elsewhere. OpenVPN is not the only available choice for tunnelling, but it is among the best known, and it\u2019s widely assumed to be a bit faster and likely more secure than the alternative Layer 2 Tunnel Protocol using IPsec encryption.<\/p>\n\n\n\n

So that your team can safely connect with each other from out on the road or between multiple campuses, you\u2019re going to build an OpenVPN server to permit sharing both applications and access to the server\u2019s local network environment. To make it work, it should be sufficient to fire up two VMs or containers. One to play the role of a server\/host and the other of the client.<\/p>\n\n\n\n

Building a VPN involves quite a few steps, so taking a few moments to think about the big picture of how this is going to work will probably be worthwhile.<\/p>\n\n\n\n

Configuring an OpenVPN server<\/h4>\n\n\n\n

Before getting started, here\u2019s a helpful tip. If you\u2019re going to follow along with this process on your own\u200a\u2014\u200aand I strongly recommend that you do\u200a\u2014\u200ayou\u2019ll probably find yourself working with multiple terminal windows open on your desktop, each logged into a different machine. Take it from me: at some point you\u2019re going to enter a command into the wrong window and totally mess up your environment.<\/p>\n\n\n\n

You can use the hostname command to change the machine name displayed on the command line to something that will visually remind you where you are. Once that\u2019s done, you\u2019ll need to exit the server and log back in again for the new setting to take effect.<\/p>\n\n\n\n

ubuntu@ubuntu:~# hostname OpenVPN-Server
ubuntu@ubuntu:~$ exit 
<Host Workstation>$ ssh ubuntu@10.0.3.134
ubuntu@OpenVPN-Server:~# <\/pre>\n\n\n\n
Following that approach to assign appropriate names to each of the machines you\u2019re working with should help you keep track of where you are.<\/p>\n\n\n\n
Prepare your server for OpenVPN<\/h4>\n\n\n\n
Installing OpenVPN on your server requires two packages: openvpn and, to manage the encryption key-generation process, easy-rsa. CentOS users should, if necessary, first install the epel-release repository the way you did back in chapter 2. To give you an easy way to test access to a server application, you could also install the Apache webserver (apache2 for Ubuntu and httpd on CentOS).<\/p>\n\n\n\n
While you\u2019re setting up your server, you might as well do it right and activate a firewall that blocks all ports besides 22 (SSH) and 1194 (the default OpenVPN port). This example illustrates the way that will work on Ubuntu\u2019s ufw, but I\u2019m sure you still remember CentOS\u2019 firewalld from chapter 9.<\/p>\n\n\n\n
# ufw enable
# ufw allow 22
# ufw allow 1194<\/pre>\n\n\n\n
To permit internal routing between network interfaces on the server you\u2019ll need to uncomment a single line (net.ipv4.ip_forward=1) in the \/etc\/sysctl.conf file. This will allow remote clients to be redirected as needed once they\u2019re connected. To load the new setting, run sysctl -p.<\/p>\n\n\n\n
# nano \/etc\/sysctl.conf
# sysctl -p<\/pre>\n\n\n\n
The server environment is now all set up, but there\u2019s still a way to go before you\u2019re ready to flip the switch.<\/p>\n\n\n\n
Generate encryption keys<\/h4>\n\n\n\n
When you installed OpenVPN, a \/etc\/openvpn\/ directory was automatically created, but there isn\u2019t a whole lot in it just yet. However, both the openvpn and easy-rsa packages come with sample template files that you can use as a base for you configuration. To jump start the certification process, copy the easy-rsa template directory from \/usr\/share\/ to \/etc\/openvpn\/ and then change to the new easy-rsa\/ directory.<\/p>\n\n\n\n
# cp -r \/usr\/share\/easy-rsa\/ \/etc\/openvpn
$ cd \/etc\/openvpn\/easy-rsa<\/pre>\n\n\n\n
The first file you\u2019ll work with is called simply vars, and contains environment variables that easy-rsa will use when it generates its keys. You will want to edit the file to substitute your own values for the sample defaults that are already there. Here\u2019s what my file would look like:<\/p>\n\n\n\n
Key excerpts from the \/etc\/openvpn\/easy-rsa\/vars file:<\/p>\n\n\n\n
export KEY_COUNTRY=\u201dCA\u201d
export KEY_PROVINCE=\u201dON\u201d
export KEY_CITY=\u201dToronto\u201d
export KEY_ORG=\u201dBootstrap IT\u201d
export KEY_EMAIL=\u201dinfo@bootstrap-it.com<\/a>\u201d
export KEY_OU=\u201dIT\u201d<\/pre>\n\n\n\n
Running the vars file will pass its values to the shell environment from where they\u2019ll be incorporated into the contents of your new keys. When that\u2019s done, the script will encourage you to run the clean-all script to delete any existing contents in the \/etc\/openvpn\/easy-rsa\/keys\/ directory.<\/p>\n\n\n\n
$ cd \/etc\/openvpn\/easy-rsa\/
# . .\/vars 
NOTE: If you run .\/clean-all, I will be doing a rm -rf on \/etc\/openvpn\/easy-rsa\/keys<\/pre>\n\n\n\n
Naturally, your next step will be to run that clean-all script\u2026followed by build-ca that will use the pkitool script to create your root certificate. You\u2019ll be asked to confirm the identification settings provided by vars.<\/p>\n\n\n\n
# .\/clean-all
# .\/build-ca
Generating a 2048 bit RSA private key<\/pre>\n\n\n\n
Next, the build-key-server script, since it uses the same pkitool script along with the new root certificate, will ask you the same confirmation questions to generate a key pair. The keys will be given names based on the argument you pass\u200a\u2014\u200awhich, unless you\u2019re running multiple VPNs on this machine, would normally be server, as in this example.<\/p>\n\n\n\n
# .\/build-key-server server
[\u2026]
Certificate is to be certified until Aug 15 23:52:34 2027 GMT (3650 days)
Sign the certificate? [y\/n]:y
1 out of 1 certificate requests certified, commit? [y\/n]y
Write out database with 1 new entries
Data Base Updated<\/pre>\n\n\n\n
OpenVPN will use parameters generated using the Diffie-Hellman algorithm (by running build-dh) to negotiate authentication for new connections. The file that will be created here does not need to remain secret, but must have been generated using the build-dh script against the RSA keys that are currently active. If you create new RSA keys at some time in the future, you\u2019ll also need to update the Diffie-Hellman file.<\/p>\n\n\n\n
# build-dh<\/pre>\n\n\n\n
Your server-side keys will now have been written to the \/etc\/openvpn\/easy-rsa\/keys\/ directory, but OpenVPN doesn\u2019t know that. By default OpenVPN will lookfor them in \/etc\/openvpn\/, so copy them over.<\/p>\n\n\n\n
# cp \/etc\/openvpn\/easy-rsa\/keys\/server* \/etc\/openvpn
# cp \/etc\/openvpn\/easy-rsa\/keys\/dh2048.pem \/etc\/openvpn
# cp \/etc\/openvpn\/easy-rsa\/keys\/ca.crt \/etc\/openvpn<\/pre>\n\n\n\n
Prepare client encryption keys<\/h4>\n\n\n\n
As you\u2019ve already seen, TLS encryption uses matching key pairs, one installed on the server and the other on a remote client. That means you\u2019re going to need client keys, and our old friend pkitool is just the thing to cook some up. This example, run while still in the \/etc\/openvpn\/easy-rsa\/ directory, passes client as an argument to generate files called client.crt and client.key.<\/p>\n\n\n\n
# .\/pkitool client<\/pre>\n\n\n\n
The two client files, along with the original ca.crt file that\u2019s still in the keys\/ directory, will now have to be securely transferred to your client. Because of their ownership and permissions, this might be a bit complicated. The simplest approach is to manually copy the contents of the source file (and nothing but those contents) in a terminal running on your PC\u2019s desktop (by highlighting the text, right-clicking over it, and selecting copy from the menu) and then pasting it into a new file of the same name you create in a second terminal logged into your client.<\/p>\n\n\n\n
But anyone can cut and paste. Instead, think like an admin\u200a\u2014\u200aespecially since you won\u2019t always have access to a GUI where cutting and pasting is possible. Instead, copy the files to your user\u2019s home directory (so a remote scp operation can access them) and then use chown to change the ownership of the files from root to your regular, non-root user so that remote scp action can work. Make sure your files are all settled and comfy for now\u2026you\u2019ll move them over to the client a bit later.<\/p>\n\n\n\n
# cp \/etc\/openvpn\/easy-rsa\/keys\/client.key \/home\/ubuntu\/
# cp \/etc\/openvpn\/easy-rsa\/keys\/ca.crt \/home\/ubuntu\/
# cp \/etc\/openvpn\/easy-rsa\/keys\/client.crt \/home\/ubuntu\/
# chown ubuntu:ubuntu \/home\/ubuntu\/client.key
# chown ubuntu:ubuntu \/home\/ubuntu\/client.crt
# chown ubuntu:ubuntu \/home\/ubuntu\/ca.crt<\/pre>\n\n\n\n
With a full set of encryption keys ready for action, you\u2019ll need to tell your server how you want to build your VPN. That\u2019s done using the server.conf file.<\/p>\n\n\n\n
Configure server.conf file<\/h4>\n\n\n\n
How are you supposed to know what the server.conf file should look like? Well, remember the easy-rsa directory template you copied over from \/usr\/share\/? Well there are more goodies where that came from. The OpenVPN installation left a compressed template configuration file which you can copy over to \/etc\/openvpn\/.<\/p>\n\n\n\n
I\u2019ll use the fact that the template is compressed to introduce you to a useful tool: zcat. You\u2019re already know about printing a file\u2019s text contents to the screen with cat, but what if the file is compressed using gzip? Of course, you could always decompress the file and cat will then be happy to print it, but that\u2019s one or two steps too many. Instead, as you\u2019ve probably already guessed, you can use zcat to load the decompressed text into memory all in one step. In our case, rather than print it to the screen, you\u2019ll redirect the text to a new file called server.conf.<\/p>\n\n\n\n
# zcat \\
 \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz
 > \/etc\/openvpn\/server.conf
$ cd \/etc\/openvpn<\/pre>\n\n\n\n
Leaving out the extensive and helpful documentation that comes with the file, here\u2019s how it might look once you\u2019re done editing. Note that a semicolon (;) tells OpenVPN _not_ to read and execute the line that follows.<\/p>\n\n\n\n
The active settings from a \/etc\/openvpn\/server.conf file:<\/p>\n\n\n\n

port 1194
# TCP or UDP server?
proto tcp
;proto udp
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push \u201croute 10.0.3.0 255.255.255.0\u201d
keepalive 10 120
comp-lzo
port-share localhost 80 
user nobody 
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log 
;log-append openvpn.log
verb 3 <\/pre>\n\n\n\n
Let\u2019s work through some of those one at a time.<\/p>\n\n\n\n