LinuxQuestions.org

Linux - Networking: [HOW-TO]: Build a VPN on a server with multiple NICs (and other goodies). (http://www.linuxquestions.org/questions/linux-networking-3/%5Bhow-to%5D-build-a-vpn-on-a-server-with-multiple-nics-and-other-goodies-4175429130/)

Joaquim Almeida 09-26-2012 10:10 AM

[HOW-TO]: Build a VPN on a server with multiple NICs (and other goodies).
 
READ BEFORE CONTINUE
__________________________________________________


This topic will assume that you have a Red Hat based distribution, at least 2 working NICs, you are root, you have forwarding enabled (net.ipv4.ip_forward=1), and basic knowledge of Linux. If you do not recognize a command, first google it or read its man page; don't run it without knowing what it does.

This topic will help you (in a very basic manner) with:
  • openvpn (in tun mode)
  • iptables
This topic isn't meant to be straightforward; you can adapt it to your needs, even to other distributions.

__________________________________________________


Hi,

This is a continuation of this post.

The information was applied on a server running CentOS release 5.8 (Final) with kernel Linux version 2.6.18-308.1.1.el5 (you can check your version by running these commands):
  • cat /etc/redhat-release
  • cat /proc/version
__________________________________________________

1. Synopsis:


Objective: Connect from Internet to Server and be able to reach anything within Subnet A and B (as if you were the PC inside Subnet B).

First, a schematic:
Code:

                        +---------------------+      +----------------------------------+
                        |      Subnet A      |      |            Subnet B              |
                        |---------------------|      |----------------------------------|
                        |                    |      |                                  |
                        |              +------|------|------+                          |
                        |              |      |Server|      |                          |
                        |              |------|------|------|                          |
                        |              |      |      |      |                          |
                        |              |  +--------------+  |                          |
                        |              |  |  |      |  |  |                          |
                        |              |  v  |      |  v  |                          |
                        | +--------+  |------|------|------|  +--------+  +----+    |
            Internet  | | Router |  | eth1 | ethN | eth0 |  | Switch |  | PC |    |
                        | +--------+  +------|------|------+  +--------+  +----+    |
                ^      |    ^  ^        ^  |      |  ^          ^  ^        ^        |
                |      +----|--|---------|---+      +--|----------|--|--------|--------+
                |            |  |        |            |          |  |        |
                |            |  |        |            |          |  |        |
                +------------+  +---------+            +----------+  +--------+

Router/Modem:
  • IP: 1.2.3.4
  • Mask: 255.255.255.0
  • Gateway: N/A
eth0 in Subnet B:
  • IP: 10.6.0.100
  • Mask: 255.255.0.0
  • Gateway: Special
eth1 in Subnet A:
  • IP: 1.2.3.100
  • Mask: 255.255.255.0
  • Gateway: Special
PC:
  • IP: 10.6.0.201
  • Mask: 255.255.0.0
  • Gateway: 10.6.0.100
Special: with this topology, you should have something like the route table below:
Code:

Issue the command:
route

It displays:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.0         *               255.255.255.0   U     0      0        0 eth1
10.6.0.0        *               255.255.0.0     U     0      0        0 eth0
default         1.2.3.4         0.0.0.0         UG    0      0        0 eth1

__________________________________________________

2. Install and configure VPN Server:

In order to connect to the server from the Internet we need to install a VPN server, like OpenVPN. Having good security and being open source makes it one of the best.

So, for the installation we run the following commands (as in ServerWorld). Note: bridge-utils is only needed if you intend to create a bridge rather than routing. Ignore it if you prefer:
Code:

Install from EPEL
yum --enablerepo=epel -y install openvpn bridge-utils

If you don't have this repository then follow these instructions.

Afterwards, we need to configure our VPN server:
Code:

Copy some files (press Tab after pasting so that your installed OpenVPN version is filled in)
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/

Edit some lines in /etc/openvpn/server.conf. You can even erase your server.conf and copy & paste the config below
vi /etc/openvpn/server.conf

server.conf
Code:

#It is recommended to change the default port, as a minor security protection.
port 41532
#Make it use UDP protocol as it becomes faster and less traceable.
proto udp
#Make it use routing mode.
dev tun
#Use certificates to authenticate
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
#Use Diffie-Hellman key exchange
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#Define your virtual router server IP (make it whatever IP you want, it doesn't need to be in Subnet A or B).
#In fact, I recommend it to be in a different subnet...
server 10.10.10.0 255.255.255.0
#Send to the VPN client the routing parameters it will need to forward packets through the VPN to a specific IP/subnet.
#You can also push other directives like persist-key so that the client activates that option
#even if it doesn't have it in its client config
push "route 10.6.0.0 255.255.0.0"
#VPN ping-pong
keepalive 10 120
#Compression
comp-lzo
#Don't terminate connection if a renegotiation occurs.
persist-key
persist-tun
#Keep a log file
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
#Type of verbosity
verb 3

Now, create the CA Certificate & Key:
Code:

Copy some files
cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa

Change directory and create folder
cd /etc/openvpn/easy-rsa
mkdir keys

Edit vars and change the following lines:
vi vars

export KEY_COUNTRY="your country"
export KEY_PROVINCE="your province"
export KEY_CITY="your city"
export KEY_ORG="your organization"
export KEY_EMAIL="your e-mail"
Note: These keys are going to be the default values from now on

Exit vi and issue the next command
source ./vars

It will say
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Issue the next 2 commands and proceed as stated, answering the prompts as shown below.
./clean-all
./build-ca

Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [your country]: »Press Enter«
State or Province Name (full name) [your province]: »Press Enter«
Locality Name (eg, city) [your city]: »Press Enter«
Organization Name (eg, company) [your organization]: »Press Enter«
Organizational Unit Name (eg, section) []: »Press Enter«
Common Name (eg, your name or your server's hostname) [your organization CA]: your domain name, like vpn.linuxquestions.org
Name []: server-ca
Email Address [your mail]: »Press Enter«

Create the Certificate & Key for Server:
Code:

Issue the command and proceed as stated, answering the prompts as shown below.
./build-key-server server

Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value, if you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [your country]: »Press Enter«
State or Province Name (full name) [your province]: »Press Enter«
Locality Name (eg, city) [your city]: »Press Enter«
Organization Name (eg, company) [your organization]: »Press Enter«
Organizational Unit Name (eg, section) []: »Press Enter«
Common Name (eg, your name or your server's hostname) [server]: your domain name, like vpn.linuxquestions.org
Name []: server
Email Address [your mail]: »Press Enter«
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: »Press Enter«
An optional company name []: »Press Enter«
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName          :PRINTABLE:'your country'
stateOrProvinceName  :PRINTABLE:'your province'
localityName        :PRINTABLE:'your city'
organizationName    :PRINTABLE:'your organization'
commonName          :PRINTABLE:'your domain name'
name                :PRINTABLE:'server'
emailAddress        :IA5STRING:'your mail'
Certificate is to be certified until May 17 20:20:18 2021 GMT (3650 days)
Sign the certificate? [y/n]: »Press y«
1 out of 1 certificate requests certified, commit? [y/n] »Press y«
Write out database with 1 new entries
Data Base Updated

Now, build the Diffie Hellman parameter:
Code:

Issue the next command
./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

And, to end this process, build the Certificate & Key for Client:
Code:

Issue the command and answer the prompts as shown below.
./build-key-pass client

Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase: Insert a password
Verifying - Enter PEM pass phrase: Repeat the password
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [your country]: »Press Enter«
State or Province Name (full name) [your province]: »Press Enter«
Locality Name (eg, city) [your city]: »Press Enter«
Organization Name (eg, company) [your organization]: »Press Enter«
Organizational Unit Name (eg, section) []: »Press Enter«
Common Name (eg, your name or your server's hostname) [client]:your domain name, like vpn.linuxquestions.org
Name []: client
Email Address [your mail]: »Press Enter«
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: »Press Enter«
An optional company name []: »Press Enter«
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName        :PRINTABLE:'your country'
stateOrProvinceName :PRINTABLE:'your province'
localityName        :PRINTABLE:'your city'
organizationName    :PRINTABLE:'your organization'
commonName          :PRINTABLE:'your domain name'
name                :PRINTABLE:'client'
emailAddress        :IA5STRING:'your mail'
Certificate is to be certified until May 17 20:33:28 2021 GMT (3650 days)
Sign the certificate? [y/n]: »Press y«
1 out of 1 certificate requests certified, commit? [y/n] »Press y«
Write out database with 1 new entries
Data Base Updated

Copy the next files located in /etc/openvpn/easy-rsa/keys/ to your client PC (for now, desktop will be fine):
  • ca.crt
  • client.crt
  • client.key
If you want to add more clients, repeat the Certificate & Key for Client process and copy the files mentioned above.

Warning: Don't overwrite the files on the client PC unless you intend to, because repeating the above procedure overwrites all client certs/keys in /etc/openvpn/easy-rsa/keys/. That means the server accepts 2 keys but you only have 1 of them...

__________________________________________________

3. iptables:


Warning: Working with iptables may cause your network (and even your system) to malfunction. It is recommended to make a backup of your current configuration!
Issue the command: cp /etc/sysconfig/iptables /etc/sysconfig/iptables.BAK

Next, we need to change iptables in order to allow OpenVPN to work properly. I've been using a specific configuration which concentrates all chains into one (see an example here). If you have a "normal" configuration, you'll need to add the rules to the INPUT and FORWARD chains (for more information see the OpenVPN man page, Firewall section).

I manage my iptables with vi, but I'll put both versions here for those who issue commands through the console instead.
Careful with the state statement: if you do not use it, you should remove it from the config below.

Console version:
Code:

iptables -A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m udp -p udp --dport 41532 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Vi version:
Code:

Issue the command:
vi /etc/sysconfig/iptables

Adapt the interface names and the port to your config:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Both INPUT and FORWARD traffic goes through the same chain
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Subnet B -> Subnet A (only matches forwarded packets: there is no output interface on INPUT)
-A RH-Firewall-1-INPUT -i eth0 -o eth1 -j ACCEPT
# Everything arriving through the VPN tunnel
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT

# openvpn (port and protocol must match server.conf)
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m udp -p udp --dport 41532 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# For better security use the line below instead of the one above
#-A RH-Firewall-1-INPUT -j DROP
COMMIT

*nat
# Hide Subnet B and VPN clients behind the server's own address on the way out
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

Now, restart iptables, and check if all is good to proceed:
Code:

Issue the command:
service iptables restart

We're good to launch OpenVPN:
Code:

Issue these 2 commands:
service openvpn restart
chkconfig openvpn on

__________________________________________________

4. Install and configure VPN Client:


I'm a big fan of portable applications so I'll use OpenVPN Portable client version for Windows below. If you prefer the normal one, download from Official OpenVPN download section.
They are pretty much the same, only with the portable difference (which is enough for me).

Paste the files you copied before to your desktop, into "..\OpenVPNPortable\data\config\".

Next, create a file named whatever-you-like.ovpn and paste the code below:
Code:

#What you are
client
#What type of VPN
dev tun
#What protocol
proto udp
#Here, you can test from inside Subnet A,
#or from the Internet (if you already have port forwarded to Server in Router).
#In this example I'm inside Subnet A

#What "remote [space] IP [space] PORT" to connect
remote 1.2.3.4 41532
#How many tries to resolve
resolv-retry infinite
#Don't bind port to the client
nobind
#Don't terminate connection if a renegotiation occurs.
persist-key
persist-tun
#Use certificates and keys for authentication
ca ca.crt
cert client.crt
key client.key
#Use compression
comp-lzo
#Verbosity level
verb 3

All done. Now let's run OpenVPN with administrator permissions (as it needs to install a virtual NIC in order to proceed). Afterwards just connect, type in your certificate/key password and you're in (you can see some screenshots on the ServerWorld website, client section).

Try pinging your "server IP", "PC IP", "router IP", whatever...

__________________________________________________

5. Why routing (tun) and not bridging (tap)?


I'll just point out the major disadvantage of using bridging with a quotation taken from a good book about this theme, OpenVPN 2 Cookbook (ISBN 978-1-849510-10-3):
Quote:

However, there are also disadvantages to using bridging, especially in terms of performance: the performance of a bridged 100 Mbps Ethernet adapter is about half the performance of a non-bridged adapter.
This, in enterprise circumstances, is not acceptable (at least with this topology).

And by following this tutorial, you'll be able to do the same as if you were bridged, since you're connecting directly to a server with forwarding enabled. It's just as if you were the PC in the schematic...

Hope it helps, glad to.
Joaquim Almeida
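An added consistency check for the files from sections 2 and 3 (example code written for this page; it is not from Joaquim's post nor from the OpenVPN or iptables projects). The most common way this setup fails is that server.conf and /etc/sysconfig/iptables drift apart: the port or protocol is changed in one place only, the tun accept or MASQUERADE rule is lost, or the VPN subnet collides with Subnet A or B. The script parses both files (the sample texts below are constructed from the values used in the post) and reports those mismatches, plus the final REJECT/DROP rule of the shared chain and the size of the DH parameters. The helper names and the LAN_SUBNETS list are assumptions of this example, not part of the original.

```python
"""Cross-check an OpenVPN server.conf against an iptables-save style rule file.
Example code added to the thread, not part of the original post."""
import ipaddress
import re

# Constructed sample input: the server.conf directives used in the post
SERVER_CONF = """\
port 41532
proto udp
dev tun
server 10.10.10.0 255.255.255.0
push "route 10.6.0.0 255.255.0.0"
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
"""

# Constructed sample input: the /etc/sysconfig/iptables rules from the post (trimmed)
IPTABLES_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -m state --state NEW -m udp -p udp --dport 41532 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
"""

# Subnet A and Subnet B as drawn in the schematic (assumed list, adapt to your site)
LAN_SUBNETS = ["1.2.3.0/24", "10.6.0.0/16"]


def parse_server_conf(text):
    """Map directive -> value; 'push' collects every pushed option in a list."""
    conf = {"push": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "push":
            conf["push"].append(value.strip().strip('"'))
        else:
            conf[key] = value.strip()
    return conf


def parse_iptables(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save style text."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # "*filter", "*nat"
            table = line[1:]
            tables[table] = {}
        elif line.startswith("-A ") and table is not None:
            chain = line.split()[1]
            tables[table].setdefault(chain, []).append(line)
    return tables


def net_from_directive(value):
    """Turn 'a.b.c.d w.x.y.z' (address + dotted mask) into an ip_network."""
    addr, mask = value.split()[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check(server_conf_text, iptables_text, lan_subnets):
    """Return a list of findings; an empty list means the two files line up."""
    findings = []
    conf = parse_server_conf(server_conf_text)
    tables = parse_iptables(iptables_text)
    filt = [r for rules in tables.get("filter", {}).values() for r in rules]
    nat = [r for rules in tables.get("nat", {}).values() for r in rules]
    port = conf.get("port", "1194")              # OpenVPN defaults if the directive is absent
    proto = conf.get("proto", "udp")
    dev = conf.get("dev", "tun") + "0"           # first device of that type, as in the post

    if port == "1194":
        findings.append("port: still the OpenVPN default 1194")
    # The firewall must open exactly the port/protocol the server listens on
    accept = re.compile(rf"-p {proto}\b.*--dport {port}\b.*-j ACCEPT$")
    if not any(accept.search(r) for r in filt):
        findings.append(f"filter: no ACCEPT rule for {proto}/{port}")
    if not any(f"-i {dev} " in r and r.endswith("-j ACCEPT") for r in filt):
        findings.append(f"filter: no ACCEPT rule for traffic arriving on {dev}")
    if not any(f"-o {dev} " in r and r.endswith("-j MASQUERADE") for r in nat):
        findings.append(f"nat: no MASQUERADE for traffic leaving via {dev}")
    # Every user-defined chain in the filter table should end with REJECT or DROP
    for chain, rules in tables.get("filter", {}).items():
        if chain not in ("INPUT", "FORWARD", "OUTPUT") and not re.search(r"-j (REJECT|DROP)\b", rules[-1]):
            findings.append(f"filter: chain {chain} does not end in REJECT or DROP")

    # The VPN subnet must not collide with the LANs, and pushed routes must point into them
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    vpn_net = net_from_directive(conf["server"])
    for lan in lans:
        if vpn_net.overlaps(lan):
            findings.append(f"server: VPN subnet {vpn_net} overlaps LAN {lan}")
    for pushed in conf["push"]:
        words = pushed.split()
        if words[0] == "route":
            route = net_from_directive(" ".join(words[1:3]))
            if not any(route.subnet_of(lan) for lan in lans):
                findings.append(f"push: route {route} is not inside any LAN subnet")
    m = re.search(r"dh(\d+)\.pem$", conf.get("dh", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh: {m.group(1)}-bit parameters; regenerate with at least 2048 bits")
    return findings


if __name__ == "__main__":
    for finding in check(SERVER_CONF, IPTABLES_RULES, LAN_SUBNETS) or ["OK"]:
        print(finding)
```

Run it against the real files with `check(open("/etc/openvpn/server.conf").read(), open("/etc/sysconfig/iptables").read(), [...])` after every change to either file; with the post's values the only thing it reports is the 1024-bit DH parameter file, which you can regenerate with a larger size through the same build-dh step.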

Thor_2.0 09-27-2012 08:33 AM

If I may say: muito obrigado, I know :D, it's not English and according to the rules non-English is not allowed, but I wanted to send a note of thanks... I kept this thread on file to find it back quickly.

Thor

