VPN with VM CentOS

  • VPN Concept

  • VPN (Virtual Private Network): Technology that carries private traffic over a public network inside an encrypted, authenticated tunnel

  • Purpose: Let remote users reach the internal network as if they were on it, while the traffic stays confidential and both endpoints are authenticated

Certificate Flow Diagram

Provisioned out of band, before any connection (the CA certificate and the TLS authentication key are never sent over the VPN itself):

   CA Certificate, Client Certificate + Key, TLS Authentication Key  --->  Client (inside the .ovpn file)
   CA Certificate, Server Certificate + Key, Diffie-Hellman Parameters, TLS Authentication Key  --->  Server (/etc/openvpn/server/)

During the connection (TLS handshake on the control channel):

1. Client
   |
   |  Client -> Server: handshake start; every control packet is HMAC-signed with the TLS Authentication Key
   |
2. Server
   |
   |  Server -> Client: Server Certificate, key-exchange parameters
   |
3. Client
   |
   |  Client -> Server: Client Certificate
   |
4. Server
   |
   |  Server <-> Client: Data Transmission (Encrypted Tunnel)

VPN Connection Process

  1. Client -> Server: Connection request. Every control-channel packet carries an HMAC computed with the pre-shared TLS authentication key (ta.key); the server silently drops packets whose HMAC does not verify, so unauthenticated hosts never reach the TLS code at all.

  2. Server -> Client: Server certificate and key-exchange parameters. The dh.pem file on the server supplies the group used when a DHE cipher suite is negotiated; the client never needs this file.

  3. Client: Verifies the server certificate against the CA certificate it was provisioned with. With remote-cert-tls server it also checks that the certificate was issued as a server certificate, so another client's certificate cannot be used to impersonate the server.

  4. Server: Verifies the client certificate against the same CA certificate.

  5. Server <-> Client: Data-channel keys are derived from the handshake and encrypted data transmission begins through the VPN tunnel.

VPN Tunnel Internal IP Address Allocation

When a VPN connection is established, virtual network interfaces (TUN/TAP) are created on both the client and the server, and these interfaces are assigned IP addresses. These IP addresses are only valid within the VPN.

Role of VPN Tunnel Internal IP Address Allocation

  1. Virtual Network Interface:

    • Client and server communicate through virtual network interfaces.

    • Interfaces are created using dev tun or dev tap settings.

  2. IP Address Allocation:

    • Client and server are assigned IP addresses on the virtual network interfaces.

    • These IP addresses are only valid within the VPN and are not used in the external network.

  3. VPN Internal Communication:

    • Client and server use the assigned virtual IP addresses to communicate through the encrypted tunnel.

    • The VPN server defines the IP pool with the server directive in server.conf and allocates addresses from it to clients.

IP Address Allocation Example

Server Configuration File (server.conf)

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0  # IP pool configuration
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0  # HMAC key for control-channel packets; direction 0 on the server
cipher AES-256-CBC  # fallback only; two 2.4 peers negotiate AES-256-GCM via NCP
auth SHA512
user nobody
group nobody  # CentOS/RHEL has no 'nogroup'; the unprivileged group is 'nobody'
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3

Client Configuration File (client.conf)

client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
user nobody   # drops privileges on Linux clients; ignored with a warning on Windows
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key   # same ta.key as the server; without it the server drops the handshake
remote-cert-tls server   # reject a peer that presents a client certificate as the server
cipher AES-256-CBC
auth SHA512
key-direction 1   # the server uses direction 0
verb 3

  1. Server Configuration (server 10.8.0.0 255.255.255.0):

    • Defines the pool 10.8.0.0/24 for the tunnel. With topology subnet the server takes 10.8.0.1 itself and hands out the remaining addresses to clients.

    • ifconfig-pool-persist records each client's common name and address, so a reconnecting client gets the same IP back.

  2. Client Connection:

    • When the client connects, the server assigns it an address from 10.8.0.0/24 and pushes it to the client's tun interface.

    • For example, the first client may be assigned 10.8.0.2 and the second 10.8.0.3.

  3. VPN Internal Communication:

    • The client addresses packets to the server's tunnel IP (10.8.0.1) or to hosts the server routes to; these packets are encrypted and carried inside UDP datagrams between the real addresses of the two hosts.

    • Only the encrypted outer packets are visible on the public network; the virtual addresses exist solely inside the tunnel.

Diagram Explanation

Client (10.8.0.2) <---- VPN Tunnel (Encrypted) ----> Server (10.8.0.1)
  1. Client: Is assigned 10.8.0.2 from the server's pool when the tunnel comes up.

  2. Server: Uses 10.8.0.1, the first address of the subnet, on its own tun interface.

  3. Communication: Client and server exchange data using these addresses; everything between them is encrypted inside the tunnel.

Thus, the internal IP addresses in the VPN tunnel are used to facilitate secure communication between the client and the server, forming a virtual network separate from the actual network.
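
The address and session state described above is what the server writes to the file named by the status directive in server.conf (/var/log/openvpn/openvpn-status.log in the configuration shown earlier). The script below is an added example, not part of the original page or of OpenVPN itself: it parses a status file in OpenVPN's default status-version 1 layout to list which common name holds which tunnel IP, and flags any certificate that is connected from more than one real address at once, the situation that duplicate-cn permits. The status file contents are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example: summarise who holds which tunnel IP from OpenVPN's status
# file (the file named by the `status` directive in server.conf) and flag
# certificates in use from more than one place at once, which is what
# `duplicate-cn` permits. The status file below is constructed sample data
# in OpenVPN's default status-version 1 layout, not a real capture.
set -eu

STATUS_FILE=$(mktemp)
trap 'rm -f "$STATUS_FILE"' EXIT
cat > "$STATUS_FILE" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jun  5 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51234,12345,67890,Wed Jun  5 09:55:00 2024
client1,198.51.100.7:40001,2345,6789,Wed Jun  5 09:58:30 2024
client2,192.0.2.22:61000,345,789,Wed Jun  5 09:59:10 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,client1,203.0.113.10:51234,Wed Jun  5 09:59:50 2024
10.8.0.3,client1,198.51.100.7:40001,Wed Jun  5 09:59:52 2024
10.8.0.4,client2,192.0.2.22:61000,Wed Jun  5 09:59:55 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# Print one line per session: common name, tunnel IP, real address.
# Only the ROUTING TABLE section is read; its header row is skipped by name.
vpn_sessions() {
    awk -F, '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 != "Virtual Address" && NF >= 4 { print $2, $1, $3 }
    ' "$1"
}

# Print "cn count" for every common name with more than one live session.
# With one certificate per client and no duplicate-cn this prints nothing.
vpn_shared_certs() {
    vpn_sessions "$1" | awk '
        { n[$1]++ }
        END { for (cn in n) if (n[cn] > 1) print cn, n[cn] }
    '
}

echo "== sessions (cn, tunnel IP, real address) =="
vpn_sessions "$STATUS_FILE"
echo "== certificates used concurrently =="
vpn_shared_certs "$STATUS_FILE"
```

On a live server point STATUS_FILE at the real status file; a non-empty result from vpn_shared_certs is a cue either to revoke the shared certificate or to drop duplicate-cn so the second session is refused.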

Summary of Certificates Used and Their Roles

  • CA (Certificate Authority): Signs the server and client certificates; each side trusts only certificates that chain to this CA

  • Server Certificate: Proves the server's identity to clients; issued with the server extended key usage, which remote-cert-tls server checks

  • Client Certificate: Proves the client's identity to the server; one per user or device, so a lost one can be revoked on its own

  • Diffie-Hellman Parameters (dh.pem): Not a key but the group (prime and generator) used for Diffie-Hellman key agreement during the handshake; kept only on the server

  • TLS Authentication Key (ta.key): Pre-shared HMAC key that signs every control-channel packet; packets without a valid HMAC are dropped before any TLS processing, which blocks port scans and unauthenticated DoS against UDP 1194


Practice

Install OpenVPN and easy-rsa

  • OpenVPN: Open-source VPN software that encrypts network traffic through a secure tunnel

  • easy-rsa: Certificate management tool used with OpenVPN to easily create and manage PKI-based certificates

      yum install -y epel-release
      yum install -y openvpn easy-rsa
    

Set Up easy-rsa Working Directory

  • easy-rsa ships as scripts under /usr/share/easy-rsa; work from a private copy so the PKI, including the CA private key, is created under your home directory rather than in a system path

  • Create the easy-rsa directory and link the scripts into it:

      mkdir ~/easy-rsa
      ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/   # the EPEL package installs under a versioned subdirectory; check with ls /usr/share/easy-rsa
      chmod 700 ~/easy-rsa                          # the CA private key will live here; never 777
    

Initialize PKI and Create CA

  • PKI (Public Key Infrastructure): System for managing and safeguarding public key encryption and certificates

  • CA (Certificate Authority): Trusted entity that issues certificates to verify identities

      cd ~/easy-rsa
      ./easyrsa init-pki
      ./easyrsa build-ca nopass   # nopass leaves the CA key unencrypted; fine for a lab, use a passphrase for a CA you keep
    

Generate Server Key and Certificate

  • Server Key and Certificate: Used to verify the server's identity and establish secure communication with the client

  • Generate key and request certificate:

      ./easyrsa gen-req server nopass
      ./easyrsa sign-req server server
    
  • Copy files (the private key must go too, since server.conf points at it; keep it readable by root only):

      mkdir -p /etc/openvpn/server
      cp pki/issued/server.crt /etc/openvpn/server/
      cp pki/private/server.key /etc/openvpn/server/
      cp pki/ca.crt /etc/openvpn/server/
      chmod 600 /etc/openvpn/server/server.key
    

Generate and Copy Diffie-Hellman Key Exchange File

  • Diffie-Hellman Parameters: dh.pem holds a large prime and generator, not a key; the server uses them for ephemeral key agreement during the TLS handshake. Generating them takes several minutes.

      ./easyrsa gen-dh
      cp pki/dh.pem /etc/openvpn/server/
    

Generate TLS Authentication Key File

  • TLS Authentication Key File (ta.key): A pre-shared key used to HMAC every control-channel packet, so the server can discard packets from unauthenticated sources before doing any TLS work

      openvpn --genkey --secret ta.key
      cp ta.key /etc/openvpn/server/
    

Generate Client Certificate

  • Client Certificate: Verifies the client's identity and ensures secure communication with the server

  • Create the directory and restrict it to the owner (it will hold client private keys):

      mkdir -p ~/client-configs/keys
      chmod -R 700 ~/client-configs
    
  • Generate client certificate and copy files:

      cd ~/easy-rsa
      ./easyrsa gen-req client1 nopass
      ./easyrsa sign-req client client1
      cp pki/private/client1.key ~/client-configs/keys/
      cp pki/issued/client1.crt ~/client-configs/keys/
      cp ta.key ~/client-configs/keys/
      cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
    

Modify Server Configuration File

  • Server Configuration File: Defines how the OpenVPN server operates

  • Copy the sample configuration and edit it (the version in the doc path must match the installed package; check with rpm -q openvpn):

      cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
      vi /etc/openvpn/server.conf
    
  • Key modifications

      port 1194                                    # Port for OpenVPN to listen on
      proto udp                                    # Use UDP protocol
      dev tun                                      # Use tunnel device
      ca /etc/openvpn/server/ca.crt                # Path to CA certificate
      cert /etc/openvpn/server/server.crt          # Path to server certificate
      key /etc/openvpn/server/server.key           # Path to server key
      dh /etc/openvpn/server/dh.pem                # Path to Diffie-Hellman parameters
      topology subnet                              # Set network topology
      tls-auth /etc/openvpn/server/ta.key 0        # Path to TLS authentication key
      cipher AES-256-CBC                           # Encryption algorithm
      auth SHA512                                  # Authentication algorithm
      push "redirect-gateway def1 bypass-dhcp"     # Route all traffic through VPN
      push "dhcp-option DNS 8.8.8.8"               # Set DNS server
      push "dhcp-option DNS 8.8.4.4"               # Set DNS server
      duplicate-cn                                 # Let several clients connect with one certificate; lab convenience only, since a leaked certificate can then neither be noticed nor revoked per user
    
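The two server configurations on this page (the server.conf under IP Address Allocation Example and the key-modification list above) carry a few settings worth checking before the server goes live: duplicate-cn, group nogroup (a group that does not exist on CentOS, so the service fails to start), and no tls-version-min. The script below is an added example, not code from this page or from OpenVPN: it writes a constructed copy of that configuration beside a hardened variant and greps each for weak or missing directives. The directive names are standard OpenVPN 2.4 ones; both config files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: audit OpenVPN server.conf directives that matter on a CentOS
# deployment, comparing a config written the way this page's list suggests
# against a hardened variant. Both files are constructed for this demo;
# the directives themselves are standard OpenVPN 2.4 ones.
set -eu

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
auth SHA512
user nobody
group nogroup
duplicate-cn
EOF

cat > "$HARD_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/server/ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
auth SHA512
user nobody
group nobody
;duplicate-cn   commented out: one certificate per client
EOF

# True if the directive appears uncommented at the start of a line
# (OpenVPN comments start with '#' or ';', so those lines never match).
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one finding per line; prints nothing for a clean config.
audit_server_conf() {
    conf=$1
    if has_directive "$conf" 'duplicate-cn'; then
        echo "duplicate-cn: one leaked client certificate can be used concurrently; remove it and issue one cert per client"
    fi
    if ! has_directive "$conf" 'tls-auth' && ! has_directive "$conf" 'tls-crypt'; then
        echo "no tls-auth/tls-crypt: the control channel accepts handshake packets from anyone who can reach the port"
    fi
    if ! has_directive "$conf" 'tls-version-min'; then
        echo "no tls-version-min: add 'tls-version-min 1.2' so older TLS versions cannot be negotiated"
    fi
    if ! has_directive "$conf" 'user' || ! has_directive "$conf" 'group'; then
        echo "no user/group: the daemon keeps running as root after start-up"
    fi
    if grep -Eq '^[[:space:]]*group[[:space:]]+nogroup' "$conf"; then
        echo "group nogroup: that group does not exist on CentOS/RHEL (use 'group nobody'); the service will fail to start"
    fi
}

# Number of findings, usable as a pass/fail count.
audit_count() {
    audit_server_conf "$1" | awk 'END { print NR }'
}

echo "== findings for weak config =="
audit_server_conf "$WEAK_CONF"
echo "== findings for hardened config =="
audit_server_conf "$HARD_CONF"
```

Run audit_server_conf against /etc/openvpn/server.conf after editing; the checks deliberately ignore commented lines, so the sample config's ";duplicate-cn" style comments do not produce false positives.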

Configure IP Forwarding and Firewall

  • IP Forwarding: Enables network packets to be forwarded to another network interface

  • Firewall Configuration: firewalld must let the OpenVPN port in, accept traffic arriving on the tunnel interface and masquerade it out; without these rules clients either cannot connect or cannot reach anything behind the server

      vi /etc/sysctl.conf
      net.ipv4.ip_forward=1     # add this line
      sysctl -p                 # applies immediately; no network restart needed
    
      systemctl start firewalld
      systemctl status firewalld
      firewall-cmd --permanent --add-service=openvpn                 # open UDP 1194
      firewall-cmd --permanent --zone=trusted --add-interface=tun0   # accept traffic from the tunnel
      firewall-cmd --permanent --add-masquerade                      # NAT tunnel traffic out of the server's real interface
      firewall-cmd --reload
    

Create Client Configuration File

  • Client Configuration File: Contains the necessary configuration for the client to connect to the VPN server

  • Create directory and copy configuration file:

      mkdir -p ~/client-configs/files/
      cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf ~/client-configs/base.conf
      vi ~/client-configs/base.conf
    
      client
      dev tun
      proto udp
      remote YOUR_SERVER_IP 1194                    # VPN server IP address
      user nobody                                   # Linux clients only; ignored on Windows
      group nobody                                  # use 'nogroup' on Debian-based clients
      remote-cert-tls server                        # keep this line from the sample; it rejects client certs posing as the server
      auth SHA512                                   # Authentication algorithm
      key-direction 1                               # Set key direction
      #ca ca.crt                                    # comment out the file-path lines from the sample:
      #cert client.crt                              # make_config.sh inlines these four items
      #key client.key                               # into the .ovpn file
      #tls-auth ta.key 1
    
    • Meaning of key-direction Value

      • key-direction 0: Server side (matches tls-auth ... 0 in server.conf)

      • key-direction 1: Client side; the two ends must use opposite directions, since each direction uses a different half of ta.key for its HMAC

Create Client Configuration Script

  • Client Configuration Script: Automatically generates client configuration files

  • Write the script:

      vi ~/client-configs/make_config.sh
    
  • Script content (aborts if a name is missing or a key file is absent, and creates the .ovpn readable by the owner only, since it embeds the private key):

      #!/bin/bash
      set -euo pipefail

      KEY_DIR=/root/client-configs/keys
      OUTPUT_DIR=/root/client-configs/files
      BASE_CONFIG=/root/client-configs/base.conf

      CLIENT_NAME="${1:?usage: $0 <client-name>}"
      OUTPUT_FILE="${OUTPUT_DIR}/${CLIENT_NAME}.ovpn"

      # The .ovpn will contain the client's private key: create it owner-readable only
      umask 077

      for f in "${KEY_DIR}/ca.crt" "${KEY_DIR}/${CLIENT_NAME}.crt" "${KEY_DIR}/${CLIENT_NAME}.key" "${KEY_DIR}/ta.key"; do
          [ -r "$f" ] || { echo "missing $f" >&2; exit 1; }
      done

      cat "${BASE_CONFIG}" > "${OUTPUT_FILE}"

      echo '<ca>' >> "${OUTPUT_FILE}"
      cat "${KEY_DIR}/ca.crt" >> "${OUTPUT_FILE}"
      echo '</ca>' >> "${OUTPUT_FILE}"
      echo '<cert>' >> "${OUTPUT_FILE}"
      cat "${KEY_DIR}/${CLIENT_NAME}.crt" >> "${OUTPUT_FILE}"
      echo '</cert>' >> "${OUTPUT_FILE}"
      echo '<key>' >> "${OUTPUT_FILE}"
      cat "${KEY_DIR}/${CLIENT_NAME}.key" >> "${OUTPUT_FILE}"
      echo '</key>' >> "${OUTPUT_FILE}"
      echo '<tls-auth>' >> "${OUTPUT_FILE}"
      cat "${KEY_DIR}/ta.key" >> "${OUTPUT_FILE}"
      echo '</tls-auth>' >> "${OUTPUT_FILE}"

      echo "wrote ${OUTPUT_FILE}"
    
  • Grant execute permission and run the script:

      chmod 700 ~/client-configs/make_config.sh   # owner-only; 777 would let any local user edit a script that root runs
      cd ~/client-configs
      ./make_config.sh client1
    
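Before shipping a generated .ovpn it is worth checking that the inlining actually worked: a leftover ca/cert/key/tls-auth file-path line from the sample config, a missing <tls-auth> block or key-direction, or a dropped remote-cert-tls server all give a profile that either fails to connect or weakens the mutual authentication described earlier. The checker below is an added example, not part of the page's script or of OpenVPN: it builds two constructed profiles with placeholder PEM bodies, one correct and one copied from the sample client.conf without the file-path lines commented out, and reports what is wrong with each.

```shell
#!/bin/sh
# Added example: sanity-check a generated .ovpn profile before handing it to
# a user. Both profiles below are constructed, with placeholder PEM bodies;
# the block names and directives are the standard OpenVPN ones.
set -eu

GOOD=$(mktemp)
BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT

# Profile as make_config.sh should produce it from a correctly edited base.conf.
cat > "$GOOD" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.5 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# Same idea, but the sample's file-path lines were left in, the tls-auth
# block and key-direction are missing, and remote-cert-tls was dropped.
cat > "$BAD" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.5 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
auth SHA512
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
EOF

# Print one finding per line; nothing for a profile that passes.
check_ovpn() {
    f=$1
    for blk in ca cert key tls-auth; do
        if ! grep -q "^<$blk>" "$f" || ! grep -q "^</$blk>" "$f"; then
            echo "missing inline <$blk> block"
        fi
    done
    for dir in ca cert key tls-auth; do
        if grep -Eq "^[[:space:]]*$dir[[:space:]]+[^[:space:]]" "$f"; then
            echo "file-path directive '$dir' still present; comment it out when the block is inlined"
        fi
    done
    if grep -q '^<tls-auth>' "$f" && ! grep -Eq '^[[:space:]]*key-direction[[:space:]]+1' "$f"; then
        echo "inline tls-auth without 'key-direction 1': the HMAC direction will not match the server's 0"
    fi
    if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$f"; then
        echo "missing 'remote-cert-tls server': any certificate from the CA, including another client's, could pose as the server"
    fi
}

check_count() {
    check_ovpn "$1" | awk 'END { print NR }'
}

echo "== good profile =="; check_ovpn "$GOOD"
echo "== bad profile =="; check_ovpn "$BAD"
```

Point check_ovpn at ~/client-configs/files/client1.ovpn after running make_config.sh; an empty result means the profile is structurally complete, though it does not prove the embedded certificates are the right ones.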

Start OpenVPN

  • Start the service and enable it at boot; openvpn@server reads /etc/openvpn/server.conf, so check /var/log/openvpn/openvpn.log if it fails to start:

      systemctl start openvpn@server.service
      systemctl enable openvpn@server.service
      systemctl status openvpn@server.service
    

Connect from Windows Client

  • Copy client1.ovpn to the Windows client's OpenVPN configuration folder. ta.key is already embedded in the .ovpn, so it is not needed as a separate file:

      C:\Program Files\OpenVPN\config

  • The .ovpn contains the client's private key: move it over a channel you trust (scp or an encrypted archive), not plain e-mail, and delete the server-side copy under ~/client-configs/files once it has been delivered
    

VPN Setup Complete

  • Successfully set up a VPN using OpenVPN on Linux

  • Securely connect to the internal network from a Windows client