VPN with VM CentOS
VPN Concept
VPN (Virtual Private Network): Technology for secure data transmission over a public network
Purpose: Allow remote users to securely connect to the internal network, enhancing security through data encryption
Certificate Flow Diagram
1. Client
|
| <--- CA Certificate, Server Certificate, Diffie-Hellman Parameters, TLS Authentication Key
|
2. Server
|
| <--- Client Certificate
|
3. Client
|
| <--- Data Transmission (Encrypted Tunnel)
|
4. Server
VPN Connection Process
Client -> Server: Authentication request
Server -> Client: CA Certificate, Server Certificate, Diffie-Hellman Parameters, TLS Authentication Key
Client: Verifies the server certificate using the CA certificate.
Server: Verifies the client certificate.
Server <-> Client: Secure data transmission begins through the VPN tunnel.
VPN Tunnel Internal IP Address Allocation
When a VPN connection is established, virtual network interfaces (TUN/TAP) are created on both the client and the server, and these interfaces are assigned IP addresses. These IP addresses are only valid within the VPN.
Role of VPN Tunnel Internal IP Address Allocation
Virtual Network Interface:
Client and server communicate through virtual network interfaces.
Interfaces are created with the dev tun or dev tap setting.
IP Address Allocation:
Client and server are assigned IP addresses on the virtual network interfaces.
These IP addresses are only valid within the VPN and are not used in the external network.
VPN Internal Communication:
Client and server use the assigned virtual IP addresses to communicate through the encrypted tunnel.
The VPN server defines an IP pool in the server.conf file to allocate IP addresses to clients.
IP Address Allocation Example
Server Configuration File (server.conf)
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0 # IP pool configuration
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
auth SHA512
user nobody
group nobody # CentOS has no "nogroup" group; OpenVPN refuses to start with a group it cannot resolve
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
Client Configuration File (client.conf)
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
user nobody
group nobody # ignored by OpenVPN on Windows; on a Linux client this must name an existing group
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
verb 3
Server Configuration (server 10.8.0.0 255.255.255.0): Allocates IP addresses from the 10.8.0.0 network range to clients. Clients receive IP addresses within this range.
Client Connection:
When the client connects to the server, it is assigned an IP address from the 10.8.0.0/24 network range. For example, the first client may be assigned 10.8.0.2, and the second client 10.8.0.3.
VPN Internal Communication:
The client uses the assigned IP address to communicate with the server through the VPN tunnel.
All data is encrypted and transmitted using these virtual IP addresses.
Diagram Explanation
Client (10.8.0.2) <---- VPN Tunnel (Encrypted) ----> Server (10.8.0.1)
Client: Receives IP address 10.8.0.2 through the VPN tunnel.
Server: Receives IP address 10.8.0.1 through the VPN tunnel.
Communication: Client and server securely exchange data using the assigned IP addresses.
Thus, the internal IP addresses in the VPN tunnel are used to facilitate secure communication between the client and the server, forming a virtual network separate from the actual network.
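The following POSIX shell functions are an added example, not part of the original page: they reproduce the address arithmetic that OpenVPN performs for a server directive under topology subnet (server takes the first host address, clients are drawn from the second host address up to two below the broadcast address), and they map a tunnel address seen in a log back to the client certificate's common name using the ifconfig-pool-persist file. The 10.8.0.0/24 values are the page's own; the ipp.txt contents are constructed here in the "CN,IP" line format that OpenVPN 2.4 writes.

```shell
#!/bin/sh
# Added example: what "server NETWORK NETMASK" with "topology subnet" hands out,
# and how to attribute a tunnel address from a log line to a client certificate CN.

# Dotted quad -> 32-bit integer (10.8.0.0 -> 168296448).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_pool NETWORK NETMASK -> "SERVER_IP POOL_FIRST POOL_LAST"
# With topology subnet the "server" helper expands to
#   ifconfig      <network+1> <netmask>        (the server's own tunnel address)
#   ifconfig-pool <network+2> <broadcast-2>    (addresses handed to clients)
subnet_pool() {
    sp_net=$(ip_to_int "$1")
    sp_mask=$(ip_to_int "$2")
    sp_base=$(( sp_net & sp_mask ))
    sp_bcast=$(( sp_base | (~sp_mask & 4294967295) ))
    echo "$(int_to_ip $((sp_base + 1))) $(int_to_ip $((sp_base + 2))) $(int_to_ip $((sp_bcast - 2)))"
}

# client_for_ip IPP_FILE TUNNEL_IP -> common name holding that address (exit 1 if none).
# ifconfig-pool-persist (ipp.txt) stores one "CN,IP" line per client, which makes it the
# quickest way to tie a 10.8.0.x address in server or firewall logs to a certificate.
client_for_ip() {
    awk -F, -v ip="$2" '$2 == ip { print $1; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Constructed ipp.txt holding the two allocations the text describes.
IPP_FILE=$(mktemp)
cat > "$IPP_FILE" <<'EOF'
client1,10.8.0.2
client2,10.8.0.3
EOF

# Stand-alone demonstration with the page's own network:
subnet_pool 10.8.0.0 255.255.255.0   # 10.8.0.1 10.8.0.2 10.8.0.253
client_for_ip "$IPP_FILE" 10.8.0.3   # client2
```

The pool bounds come out general for any netmask, but the lookup only covers addresses that have been persisted; a client that connected before ifconfig-pool-persist was enabled must be attributed from the status log instead.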
Summary of Certificates Used and Their Roles
CA (Certificate Authority): Issues certificates and verifies identities
Server Certificate: Verifies the server's identity and ensures secure communication with the client
Client Certificate: Verifies the client's identity and ensures secure communication with the server
Diffie-Hellman Key: Securely exchanges keys to create a shared secret
TLS Authentication Key: Ensures data integrity and security through TLS
Practice
Install OpenVPN and easy-rsa
OpenVPN: Open-source VPN software that encrypts network traffic through a secure tunnel
easy-rsa: Certificate management tool used with OpenVPN to easily create and manage PKI-based certificates
yum install -y epel*
yum install -y openvpn easy-rsa
Create Server Certificate
Server Certificate: Ensures secure communication between the client and the server
Create easy-rsa directory and link:
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 ~/easy-rsa   # this directory will hold the CA private key: owner-only access, never 777 (world-writable)
Initialize PKI and Create CA
PKI (Public Key Infrastructure): System for managing and safeguarding public key encryption and certificates
CA (Certificate Authority): Trusted entity that issues certificates to verify identities
cd ~/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
Generate Server Key and Certificate
Server Key and Certificate: Used to verify the server's identity and establish secure communication with the client
Generate key and request certificate:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Copy files
cp pki/issued/server.crt /etc/openvpn/server/
cp pki/private/server.key /etc/openvpn/server/   # referenced by "key /etc/openvpn/server/server.key" in server.conf
cp pki/ca.crt /etc/openvpn/server/
Generate and Copy Diffie-Hellman Key Exchange File
Diffie-Hellman Key Exchange: Cryptographic method for securely exchanging keys
./easyrsa gen-dh
cp pki/dh.pem /etc/openvpn/server/
Generate TLS Authentication Key File
TLS Authentication Key File: Ensures data integrity and security through Transport Layer Security (TLS)
openvpn --genkey --secret ta.key
cp ta.key /etc/openvpn/server/
Generate Client Certificate
Client Certificate: Verifies the client's identity and ensures secure communication with the server
Create directory and change permissions:
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs   # client private keys live here: owner-only access, never 777
Generate client certificate and copy files:
cd ~/easy-rsa
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
cp pki/private/client1.key ~/client-configs/keys/
cp pki/issued/client1.crt ~/client-configs/keys/
cp ta.key ~/client-configs/keys/
cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
Modify Server Configuration File
Server Configuration File: Defines how the OpenVPN server operates
Copy and modify configuration file:
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
vi /etc/openvpn/server.conf
Key modifications
port 1194                                  # Port for OpenVPN to listen on
proto udp                                  # Use UDP protocol
dev tun                                    # Use tunnel device
ca /etc/openvpn/server/ca.crt              # Path to CA certificate
cert /etc/openvpn/server/server.crt        # Path to server certificate
key /etc/openvpn/server/server.key         # Path to server key
dh /etc/openvpn/server/dh.pem              # Path to Diffie-Hellman parameters
topology subnet                            # Set network topology
tls-auth /etc/openvpn/server/ta.key 0      # Path to TLS authentication key (server side uses key direction 0)
cipher AES-256-CBC                         # Encryption algorithm
auth SHA512                                # HMAC authentication algorithm
push "redirect-gateway def1 bypass-dhcp"   # Route all client traffic through the VPN
push "dhcp-option DNS 8.8.8.8"             # Set DNS server
push "dhcp-option DNS 8.8.4.4"             # Set DNS server
duplicate-cn                               # Allow several clients to connect with the same certificate common name
Configure IP Forwarding and Firewall
IP Forwarding: Enables network packets to be forwarded to another network interface
Firewall Configuration: Ensures network security by configuring the firewall
vi /etc/sysctl.conf
net.ipv4.ip_forward=1                          # add this line so the server forwards client traffic
sysctl -p
systemctl restart network
systemctl start firewalld
systemctl status firewalld
firewall-cmd --permanent --add-port=1194/udp   # firewalld blocks 1194/udp by default; clients could not connect without this
firewall-cmd --permanent --add-masquerade      # NAT for forwarded client traffic, required once redirect-gateway is pushed
firewall-cmd --reload
Create Client Configuration File
Client Configuration File: Contains the necessary configuration for the client to connect to the VPN server
Create directory and copy configuration file:
mkdir -p ~/client-configs/files/
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf ~/client-configs/base.conf
vi ~/client-configs/base.conf
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194   # VPN server IP address
user nobody                  # Set user permissions (ignored by OpenVPN on Windows)
group nobody                 # Set group permissions (must name an existing group on a Linux client)
auth SHA512                  # Authentication algorithm, must match the server
key-direction 1              # Set key direction (client side of tls-auth)
Meaning of key-direction Value
key-direction 0: Server-side key configuration
key-direction 1: Client-side key configuration
Create Client Configuration Script
Client Configuration Script: Automatically generates client configuration files
Write the script:
vi ~/client-configs/make_config.sh
Script content:
#!/bin/bash
# Builds one .ovpn profile that embeds the CA certificate, client certificate,
# client key and TLS authentication key inline, so a single file goes to the client.
set -eu
KEY_DIR=/root/client-configs/keys
OUTPUT_DIR=/root/client-configs/files
BASE_CONFIG=/root/client-configs/base.conf
CLIENT_NAME="${1:?usage: $0 CLIENT_NAME}"
OUTPUT_FILE="${OUTPUT_DIR}/${CLIENT_NAME}.ovpn"
umask 077   # the profile contains the client's private key: create it readable by the owner only
cat "${BASE_CONFIG}" > "${OUTPUT_FILE}"
echo '<ca>' >> "${OUTPUT_FILE}"
cat "${KEY_DIR}/ca.crt" >> "${OUTPUT_FILE}"
echo '</ca>' >> "${OUTPUT_FILE}"
echo '<cert>' >> "${OUTPUT_FILE}"
cat "${KEY_DIR}/${CLIENT_NAME}.crt" >> "${OUTPUT_FILE}"
echo '</cert>' >> "${OUTPUT_FILE}"
echo '<key>' >> "${OUTPUT_FILE}"
cat "${KEY_DIR}/${CLIENT_NAME}.key" >> "${OUTPUT_FILE}"
echo '</key>' >> "${OUTPUT_FILE}"
echo '<tls-auth>' >> "${OUTPUT_FILE}"
cat "${KEY_DIR}/ta.key" >> "${OUTPUT_FILE}"
echo '</tls-auth>' >> "${OUTPUT_FILE}"
Grant execute permission and run the script:
chmod 700 ~/client-configs/make_config.sh   # executable by its owner; world access is not needed
cd ~/client-configs
./make_config.sh client1
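Before a generated profile is handed to a user it is worth checking that the script produced what the client expects. The following POSIX shell checker is an added example and not part of the original page or of OpenVPN: it verifies that each inline block the script embeds (<ca>, <cert>, <key>, <tls-auth>) is present, closed and carries PEM BEGIN/END markers, that key-direction 1 is set to match the server's tls-auth ... 0, and that the file, which contains a private key, is not readable by group or others. The sample profiles it checks are constructed inline with placeholder PEM bodies, not real keys.

```shell
#!/bin/sh
# Added example: sanity-check a .ovpn profile produced by make_config.sh.

# block_ok FILE TAG -> 0 if <TAG>...</TAG> exists, is closed, and wraps a PEM BEGIN/END pair.
block_ok() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { closed = inside; inside = 0; next }
        inside && /^-----BEGIN / { begin = 1 }
        inside && /^-----END /   { end = 1 }
        END { exit (closed && begin && end) ? 0 : 1 }' "$1"
}

# check_profile FILE -> prints each problem found; returns 0 only when the profile is clean.
check_profile() {
    cp_file=$1
    cp_rc=0
    for cp_tag in ca cert key tls-auth; do
        block_ok "$cp_file" "$cp_tag" || { echo "missing or malformed <$cp_tag> block"; cp_rc=1; }
    done
    # The server is configured with "tls-auth ta.key 0", so the client must declare direction 1.
    grep -qE '^[[:space:]]*key-direction[[:space:]]+1([[:space:]]|$)' "$cp_file" \
        || { echo "key-direction 1 not set"; cp_rc=1; }
    # The profile embeds a private key: the mode must deny group and other access.
    case $(ls -ld "$cp_file" | cut -c5-10) in
        ------) ;;
        *) echo "file is readable by group or others"; cp_rc=1 ;;
    esac
    return $cp_rc
}

# Constructed profile with placeholder PEM bodies (mktemp creates it mode 0600).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# Same profile with key-direction dropped and the static key's END marker cut off: must be rejected.
BAD=$(mktemp)
grep -v 'key-direction' "$GOOD" | sed '/^-----END OpenVPN Static key V1-----$/d' > "$BAD"

# Stand-alone demonstration:
check_profile "$GOOD" && echo "profile OK"
check_profile "$BAD" || echo "profile rejected"
```

Run it against ~/client-configs/files/client1.ovpn after make_config.sh; a truncated ta.key or a base.conf that lost its key-direction line shows up here instead of as a failed handshake on the Windows client.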
Start OpenVPN
systemctl start openvpn@server.service
systemctl status openvpn@server.service
Connect from Windows Client
Copy .ovpn and ta.key files to the Windows client's OpenVPN configuration folder:
C:\Program Files\OpenVPN\config
VPN Setup Complete
Successfully set up a VPN using OpenVPN on Linux
Securely connect to the internal network from a Windows client