Project 13 for CNIT 124: Setting Up an OpenVPN server on Linux (15 pts.)

What You Need

Purpose

A VPN makes an encrypted, authenticated point-to-point connection across an untrusted network, and the tunnel still works when one end is behind NAT, because that end initiates the connection outward.

OpenVPN can be installed on any common OS, as either server or client, but the steps vary, so these instructions cover Linux only.

Networking Setup

To see the benefit of a VPN, it's best if the Client Linux machine is behind NAT and the Server Linux machine isn't.

A simple way to achieve that is to use NAT networking on the Client machine, and Bridged networking on the Server machine.

Setting the Server Machine to Bridged Networking

Start a Linux machine. This will be the Server machine. Click VM, Settings and change the networking to "Bridged".

On your Linux Server, execute these commands:

dhclient

ifconfig
Make a note of your IP address. In the example used in these instructions, it was 192.168.3.10

Setting the Client Machine to NAT Networking

Start the other Linux machine. This will be the Client machine. Click VM, Settings and change the networking to "NAT".

On your Linux Client, execute these commands:

dhclient

ifconfig
Make a note of your IP address. In the example used in these instructions, it was 192.168.198.144

Ping Tests

On your Linux Client, ping the Linux Server.

You should see replies: the Client can reach the Server's bridged address through the NAT.

Press Ctrl+C to stop the pings.

On your Linux Server, ping the Linux Client.

You should see no replies: the Client's NAT address is private to the NAT network, so nothing outside it, including the Server, can reach the Client directly.

Press Ctrl+C to stop the pings.

Installing openvpn

On your Linux Server, execute this command:
sudo apt-get install openvpn -y

Configuring the Server for RSA Certificates

On your Linux Server, execute these commands: (Note: the "$USER" in the last command is an environment variable, and should be entered literally as shown)
sudo mkdir /etc/openvpn/easy-rsa/

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

sudo chown -R $USER /etc/openvpn/easy-rsa/
On your Linux Server, execute this command:
sudo nano /etc/openvpn/easy-rsa/vars
Scroll to the bottom of the file. Here the location defaults (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL) are set. You can adjust them if you want, but the defaults are OK for this project.

The same file sets KEY_SIZE=1024, which is where the dh1024.pem file name used later comes from. 1024-bit RSA and Diffie-Hellman are too small for anything beyond a lab exercise. If you raise KEY_SIZE to 2048, the build-dh step produces dh2048.pem instead, so copy that file in the later step and change the "dh dh1024.pem" line in server.conf to match.

Close the file with Ctrl+X (answer Y and press Enter if you changed anything).

Creating Server Certificates

On your Linux Server, execute these commands:
cd /etc/openvpn/easy-rsa

sudo ln -s openssl-1.0.0.cnf openssl.cnf

source vars

./clean-all

./build-ca
You are now prompted for Country Name and other such details. I just pressed Enter several times to accept the defaults.

On your Linux Server, execute this command:

./build-key-server myservername
You are now prompted for Country Name and other such details. I just pressed Enter several times to accept the defaults. The last two questions, "Sign the certificate? [y/n]:" and "1 out of 1 certificate requests certified, commit? [y/n]", require an answer of y

On your Linux Server, execute these commands:

./build-dh

cd keys

sudo cp myservername.crt myservername.key ca.crt dh1024.pem /etc/openvpn/

Creating Client Certificates

You need to create a certificate for each client machine. Give each client a different name: the name becomes the certificate's Common Name, which the server uses to tell clients apart, and by default two clients presenting the same Common Name cannot be connected at the same time.

On your Linux Server, execute these commands:

cd /etc/openvpn/easy-rsa/

source vars

./build-key client1
You are now prompted for Country Name and other such details. I just pressed Enter several times to accept the defaults. The last two questions, "Sign the certificate? [y/n]:" and "1 out of 1 certificate requests certified, commit? [y/n]", require an answer of y
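As an added example, not part of this lab: the script below reproduces with plain openssl commands what build-ca, build-key-server and build-key produce (a CA, a server certificate carrying the server extensions, and a client certificate) in a throw-away directory, and then runs the checks worth doing on the real /etc/openvpn/easy-rsa/keys directory before anything is copied into /etc/openvpn: each certificate chains to ca.crt, each private key matches its certificate, and only the server certificate is marked for server use. The directory layout, file names and extension lists are assumptions modelled on easy-rsa 2.0's openssl-1.0.0.cnf, not the lab's own files.

```shell
#!/bin/sh
# Added example (not part of the lab): a throw-away PKI built with plain openssl,
# shaped like the one easy-rsa 2.0's build-ca / build-key-server / build-key
# produce, plus the checks worth running on the real keys/ directory before any
# file is copied into /etc/openvpn. Directory and file names are assumptions.
set -eu

# Build a toy CA, one server cert and one client cert under directory $1.
build_toy_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA extensions: what build-ca's self-signed certificate carries.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = keyCertSign, cRLSign' > "$dir/ca_ext.cnf"
    # Server extensions, modelled on the [server] section of easy-rsa's
    # openssl-1.0.0.cnf; these are what "remote-cert-tls server" checks.
    printf '%s\n' 'basicConstraints = CA:FALSE' 'nsCertType = server' \
        'extendedKeyUsage = serverAuth' \
        'keyUsage = digitalSignature, keyEncipherment' > "$dir/server_ext.cnf"
    # Client extensions, modelled on the [usr_cert] section.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = clientAuth' \
        'keyUsage = digitalSignature' > "$dir/client_ext.cnf"

    # ./build-ca: key pair plus self-signed CA certificate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=toy-ca' \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt" 2>/dev/null

    # ./build-key-server myservername and ./build-key client1: key pair, CSR,
    # and a certificate signed by the CA with the matching extension set.
    for entry in myservername:server client1:client; do
        name=${entry%%:*}; kind=${entry##*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 3650 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/${kind}_ext.cnf" -out "$dir/$name.crt" 2>/dev/null
    done
}

# Does certificate $2 chain to $1/ca.crt?
chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Does private key $2 belong to certificate $1? (RSA modulus comparison)
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Is $1 marked as a server certificate (extendedKeyUsage serverAuth)?
# A client using "remote-cert-tls server" refuses servers whose cert lacks this.
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Run every check on keys directory $1 for server name $2 and client name $3.
# Prints one line per check; returns non-zero if any check failed.
check_keys_dir() {
    keys=$1; server=$2; client=$3; failed=0
    for name in "$server" "$client"; do
        if chains_to_ca "$keys" "$keys/$name.crt"; then echo "ok    $name.crt chains to ca.crt"
        else echo "FAIL  $name.crt does not chain to ca.crt"; failed=1; fi
        if key_matches_cert "$keys/$name.crt" "$keys/$name.key"; then echo "ok    $name.key matches $name.crt"
        else echo "FAIL  $name.key does not match $name.crt"; failed=1; fi
    done
    if is_server_cert "$keys/$server.crt"; then echo "ok    $server.crt has the server extensions"
    else echo "FAIL  $server.crt lacks serverAuth: remote-cert-tls server would reject it"; failed=1; fi
    if is_server_cert "$keys/$client.crt"; then echo "FAIL  $client.crt is marked as a server cert and could impersonate the server"; failed=1
    else echo "ok    $client.crt is not a server cert"; fi
    return $failed
}

# Stand-alone demo: "sh check_pki.sh demo" builds the toy PKI in a temp dir and checks it.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    build_toy_pki "$tmp"
    check_keys_dir "$tmp" myservername client1
    rm -rf "$tmp"
fi
```

Run "sh check_pki.sh demo" for the self-contained demonstration (generating three 2048-bit keys takes a few seconds). To check the lab's real files, source the script and run check_keys_dir /etc/openvpn/easy-rsa/keys myservername client1. The last two checks are the ones people skip: a client configured with "remote-cert-tls server" rejects a server whose certificate lacks the serverAuth extension, and a client certificate that carried it could pose as the server to every other client.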

Server Configuration

On your Linux Server, execute these commands:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

sudo gzip -d /etc/openvpn/server.conf.gz

sudo nano /etc/openvpn/server.conf
Scroll down to find the section with these lines:
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
In the second line, change "server.crt" to "myservername.crt"

In the third line, change "server.key" to "myservername.key" as shown below:

ca ca.crt
cert myservername.crt
key myservername.key  # This file should be kept secret

Save the file with Ctrl+X, Y, Enter.

Starting the Server

On your Linux Server, execute these commands:
sudo /etc/init.d/openvpn start

ifconfig tun0
You should see a tun0 interface with the address 10.8.0.1, the Server's end of the tunnel (from the default "server 10.8.0.0 255.255.255.0" line in server.conf).

Opening Firewall Ports

If you are using BackTrack in a virtual machine, there is probably no firewall running.

If you are using a firewall, open UDP port 1194 inbound on the server; that is the protocol and port set by the "proto udp" and "port 1194" lines in server.conf.

Preparing the Client Files for Download

On your Linux Server, execute these commands:
sudo apt-get install p7zip-full -y

sudo apt-get install apache2 -y
On your Linux Server, execute these commands:
mkdir /tmp/cert

cp /etc/openvpn/ca.crt /tmp/cert

cp /etc/openvpn/easy-rsa/keys/client1.crt /tmp/cert

cp /etc/openvpn/easy-rsa/keys/client1.key /tmp/cert
On your Linux Server, execute this command. When you are prompted to, enter a long passphrase of your choice, twice. 7z encrypts the file contents with AES-256, but the file names inside the archive stay visible unless you also pass -mhe=on, and anyone who can reach the web server can download the archive and guess passwords against it offline, so a short password is not enough.
7z a -p /tmp/client1.7z /tmp/cert 
On your Linux Server, execute this command:
sudo mv /tmp/client1.7z /var/www 
This serves the password-protected archive from your Web server so it can be downloaded with a browser or wget. Remember that client1.key is the client's private key: publishing it this way is acceptable for a lab, but delete the archive from /var/www as soon as the client has downloaded it. The cleaner approach is to generate the key on the client and send only the certificate request to the server for signing (easy-rsa's sign-req script does the signing), so the private key never leaves the client.

Downloading the Files on the Client

On your Linux Client, execute these commands, replacing the IP address in the third command with the IP address of your Linux Server:
sudo apt-get install p7zip-full -y

cd /tmp

wget http://192.168.3.10/client1.7z

7z e client1.7z
Enter the archive password when you are prompted to. "7z e" extracts the files directly into /tmp, without the cert directory.

Installing OpenVPN on the Client

On your Linux Client, execute these commands. /etc/openvpn is owned by root, so the copies need sudo:
sudo apt-get install openvpn -y

sudo cp /tmp/client1.key /etc/openvpn

sudo cp /tmp/client1.crt /etc/openvpn

sudo cp /tmp/ca.crt /etc/openvpn
When the copies are done, delete the extracted files and the archive from /tmp, which every user on the machine can read.

sudo nano /etc/openvpn/client.conf
Paste in this code, replacing the IP address in the fourth line with the IP address of your Linux Server. The "remote-cert-tls server" line makes the client accept only a server whose certificate carries the server extensions that build-key-server set on myservername.crt; without it, any certificate signed by your CA, including another client's, would be accepted as the server. ("pull" is not listed because "client" already implies it.)
client
dev tun
proto udp
remote 192.168.3.10 1194
resolv-retry infinite
nobind
user nobody
#group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
comp-lzo
Save the file with Ctrl+X, Y, Enter.
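As an added example, not part of this lab: instead of copying ca.crt, client1.crt and client1.key to the client separately and referencing them by relative path, the script below assembles one self-contained client profile with the three PEM blocks embedded, which OpenVPN 2.1 and later accept between <ca>, <cert> and <key> tags. The placeholder certificate and key files it writes for the demo are constructed stand-ins, not real key material; the server address, client name and directory names are assumptions taken from this project.

```shell
#!/bin/sh
# Added example (not part of the lab): build one self-contained client profile
# with ca.crt, client1.crt and client1.key embedded, instead of copying three
# files into /etc/openvpn. OpenVPN 2.1 and later accept <ca>, <cert> and <key>
# blocks in the config file. Names and paths are assumptions for the example.
set -eu

# Print only the PEM block of file $1. easy-rsa writes a human-readable text
# dump above the "-----BEGIN CERTIFICATE-----" line; it does not belong in a profile.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_profile SERVER_IP CLIENT_NAME CERT_DIR  -> profile text on stdout.
# Mirrors the lab's client.conf, with the files inlined.
make_profile() {
    server_ip=$1; name=$2; dir=$3
    cat <<EOF
client
dev tun
proto udp
remote $server_ip 1194
resolv-retry infinite
nobind
user nobody
persist-key
persist-tun
# Accept only a server whose certificate carries the server extensions that
# build-key-server sets; any other cert signed by our CA is rejected as a server.
remote-cert-tls server
comp-lzo
<ca>
$(pem_only "$dir/ca.crt")
</ca>
<cert>
$(pem_only "$dir/$name.crt")
</cert>
<key>
$(pem_only "$dir/$name.key")
</key>
EOF
}

# Constructed placeholder files standing in for ca.crt, client1.crt and
# client1.key (NOT real key material), with easy-rsa's text dump above the PEM,
# so the example runs without a real PKI.
write_sample_files() {
    dir=$1; mkdir -p "$dir"
    for f in ca.crt client1.crt; do
        printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
            '-----BEGIN CERTIFICATE-----' "MIIB...placeholder-for-$f..." \
            '-----END CERTIFICATE-----' > "$dir/$f"
    done
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...placeholder-key...' \
        '-----END RSA PRIVATE KEY-----' > "$dir/client1.key"
}

# Stand-alone demo: "sh make_profile.sh demo" prints a profile built from the placeholders.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_sample_files "$tmp"
    make_profile 192.168.3.10 client1 "$tmp"
    rm -rf "$tmp"
fi
```

On the real server, after the certificates exist, "make_profile 192.168.3.10 client1 /etc/openvpn/easy-rsa/keys > client1.ovpn" produces the one file to transfer (ca.crt is also in the keys directory); the client then needs only "sudo openvpn client1.ovpn", with no cd. The profile contains the private key, so it needs the same protection as client1.key.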

On your Linux Client, execute these commands. The cd is needed because the ca, cert and key paths in client.conf are relative, and openvpn must run as root to create the tun interface:

cd /etc/openvpn

sudo openvpn /etc/openvpn/client.conf 
You see several messages, ending with "Initialization Sequence Completed". Leave this window open; the client runs in the foreground.

On your Linux Client, open a new Terminal window, and execute this command:

ifconfig 
You now have a new adapter named "tun0" that connects the client and server machines, with an address in the 10.8.0.0/24 tunnel network. Note the address; you will ping it from the Server in the next step.

Ping Tests

On the Client machine, execute this command:
ping 10.8.0.1
You should see replies; 10.8.0.1 is the Server's end of the tunnel. Press Ctrl+C to stop the pings. On the Server machine, execute this command, using the tun0 address you saw on the Client (with the default "net30" topology the first client gets 10.8.0.6):
ping 10.8.0.6
You should see replies. Press Ctrl+C to stop the pings.

This is one benefit of VPNs: the two machines now have a direct route to each other through the tunnel, even though the Client is behind NAT and was unreachable from the Server before, because the Client opened the tunnel outward and the NAT keeps that UDP session alive.

Observing a Connected Client

On your Linux Server, execute this command:
sudo cat /etc/openvpn/openvpn-status.log
You should see a connection from "client1", the Common Name given to build-key. The status file is rewritten every 60 seconds by default, so a client that just connected can take up to a minute to appear.
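As an added example, not part of this lab: on a server with more than one client, reading the whole status file gets tedious, so the script below pulls the connected Common Names, their real (NAT-side) addresses and their tunnel addresses out of the file. The status file it writes is a constructed sample in the default (version 1) format, with client1 from this project and a second invented client; the real file is the /etc/openvpn/openvpn-status.log read above.

```shell
#!/bin/sh
# Added example (not part of the lab): read OpenVPN's status file and list the
# connected clients by Common Name, instead of eyeballing the whole file.
# The sample file below is constructed to match the default (version 1) status format.
set -eu

# Write a constructed sample status file to $1: two connected clients.
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Nov  1 14:30:00 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.3.1:54321,5123,4987,Thu Nov  1 14:25:00 2012
client2,192.168.3.77:41002,812,640,Thu Nov  1 14:29:10 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,192.168.3.1:54321,Thu Nov  1 14:29:50 2012
10.8.0.10,client2,192.168.3.77:41002,Thu Nov  1 14:29:55 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Print "common-name real-address" for every entry in the CLIENT LIST section
# of status file $1. The section ends where the ROUTING TABLE begins.
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/            { exit }
        in_list && NF >= 5          { print $1, $2 }
        /^Common Name,Real Address/ { in_list = 1 }
    ' "$1"
}

# Print "common-name tunnel-address" from the ROUTING TABLE section: which
# 10.8.0.x address each client was given (the one to ping from the server).
client_tunnel_addresses() {
    awk -F, '
        /^GLOBAL STATS/                { exit }
        in_table && NF >= 4            { print $2, $1 }
        /^Virtual Address,Common Name/ { in_table = 1 }
    ' "$1"
}

# Exit 0 if Common Name $2 appears in the CLIENT LIST of status file $1.
client_is_connected() {
    connected_clients "$1" | awk -v cn="$2" '$1 == cn { found = 1 } END { exit !found }'
}

# Stand-alone demo: "sh status.sh demo" runs the functions on the constructed sample.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_status "$f"
    echo "Connected clients:"; connected_clients "$f"
    echo "Tunnel addresses:";  client_tunnel_addresses "$f"
    client_is_connected "$f" client1 && echo "client1 is connected"
    rm -f "$f"
fi
```

On the real server, "connected_clients /etc/openvpn/openvpn-status.log" (with sudo if the file is not readable by your user) gives the same listing for the live file. A Common Name that appears in the CLIENT LIST twice means two machines are sharing one certificate, which is worth investigating.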

Saving the Screen Image

Make sure the "client1" line is visible.

Save a screen shot of this image with the filename

Proj 13 from Your Name

Turning In your Project

Email the image to cnit.124@gmail.com with a subject line of
Proj 13 from Your Name

Last modified 2:40 pm 11-1-12