Eric Hansen
Guest
A friend of mine recently showed me a fun little project he was working on involving an unused VPS and PPTP. What he did was set up his VPS in Dallas as a VPN server and use it as a proxy for requests from his home in Maryland. As you might suspect, there's a bit of latency on each request while doing this, but if you want to have some fun this is the way to go!
While we set up OpenVPN in an LXC container before, I'm not going to concern myself with that this time (though the same steps can be used here). Instead, we are going to start from scratch and have some fun with it. Since I have a small VPS, I'll use that as well.
Installing OpenVPN
I'm typing this guide up as if you're using Ubuntu/Debian, since that is the distro I run on all of my Linux servers.
The first thing we need to do is install OpenVPN itself:
Code:
root@cs01:~# apt-get install openvpn
Set Up OpenVPN
Now we'll make creating certificates much easier by copying the easy-rsa scripts into /etc/openvpn:
Code:
root@cs01:~# cd /etc/openvpn/
root@cs01:/etc/openvpn# mkdir easy-rsa
root@cs01:/etc/openvpn# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* easy-rsa/
root@cs01:/etc/openvpn# cd easy-rsa/
What we need to do here is edit the vars file, which holds a lot of useful exports for our environment. The ones we are focused on are the following:
Code:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
Edit those to fit your needs, then save and exit. Now we need to import them into our environment:
Code:
root@cs01:/etc/openvpn/easy-rsa# source vars
Now, I ran into an issue where openssl.cnf was not found. To find out where the easy-rsa scripts will look for it, do this:
Code:
echo $KEY_CONFIG
You should see something like this:
Code:
root@cs01:/etc/openvpn/easy-rsa# echo $KEY_CONFIG
/etc/openvpn/easy-rsa/openssl.cnf
If that file doesn't exist, find out what version of OpenSSL you're using:
Code:
root@cs01:/etc/openvpn/easy-rsa# openssl version
OpenSSL 1.0.1 14 Mar 2012
Then copy or symlink the openssl-*.cnf file in /etc/openvpn/easy-rsa/ that matches that version to wherever it's looking for openssl.cnf. For me, that was:
Code:
root@cs01:/etc/openvpn/easy-rsa# cp openssl-1.0.0.cnf openssl.cnf
Let's make sure everything is fresh:
Code:
root@cs01:/etc/openvpn/easy-rsa# ./clean-all
Finally, we'll build the certificate authority (CA) file that signs everything else:
Code:
root@cs01:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
............................................................................................++++++
..............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [[email protected]]:
Now we need to build the key for the server itself:
Code:
root@cs01:/etc/openvpn/easy-rsa# ./build-key-server thehive
Replace "thehive" with whatever hostname your machine has (I was just being cute here). The process is similar to building the CA file. If you want, you can set a password on the server key (recommended, but you'll have to enter it every time you start OpenVPN). There is something else different here, however.
You'll see this:
Code:
Sign the certificate? [y/n]:
This is basically asking "do you want to sign this certificate with the CA?" You'll want to answer y.
Next, you'll see this:
Code:
1 out of 1 certificate requests certified, commit? [y/n]
This is basically the "are you sure you're sure you want to make this happen?" prompt. Again, answer y. Lastly, you'll see this lovely output:
Code:
Write out database with 1 new entries
Data Base Updated
All of the keys we've created so far exist in /etc/openvpn/easy-rsa/keys. You can keep them there or move them (most people recommend /etc/openvpn/). I just keep them due to laziness. Just make sure you set the correct permissions (chmod 0400 *.key *.csr).
The server will also need a Diffie-Hellman (DH) parameter file. By default it generates a 1024-bit file, which is fine for our purposes:
Code:
root@cs01:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................+...................+...............................................................................................+.........+.......................................+...................................................................................................................................................................+........................................................+............................+.............................................+.............................................................................................+....................++*++*++*
You can find this as the "dh1024.pem" file in the aforementioned keys directory.
Configuring OpenVPN Server
Luckily for us, OpenVPN already comes with a sample configuration file, so we'll use that as a base:
Code:
root@cs01:/etc/openvpn/easy-rsa# cd ..
root@cs01:/etc/openvpn# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
root@cs01:/etc/openvpn# gzip -d server.conf.gz
The parts that we need to edit are the paths to the key files we made. They are relative to the directory where the config file is found (in this case /etc/openvpn), so keep that in mind if you move the key files:
Code:
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/thehive.crt
key easy-rsa/keys/thehive.key
dh easy-rsa/keys/dh1024.pem
Start OpenVPN now:
Code:
root@cs01:/etc/openvpn# service openvpn start
* Starting virtual private network daemon(s)...
* Autostarting VPN 'server'
If you don't see anything acknowledging that it started, check netstat (or ss if you have that instead):
Code:
root@cs01:/etc/openvpn# netstat -ntlup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 232/sshd
tcp6 0 0 :::22 :::* LISTEN 232/sshd
udp 0 0 0.0.0.0:1194 0.0.0.0:* 660/openvpn
The next thing you want to check for is a tun interface (tun0 for me):
Code:
root@cs01:/etc/openvpn# ifconfig | grep '^tun'
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
Code:
root@cs01:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
If yours looks like this, then you should be fine. If you are doing this on a VPS you might have to enable the TUN/TAP interface. This is out of the scope of this guide but is easy to do in SolusVM.
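The key-handling and config-path points above (keys kept under easy-rsa/keys, chmod 0400 on the private material, paths in server.conf resolved relative to /etc/openvpn) are easy to get wrong on a box you set up once and forget. Below is an added audit script; it is not code from the original post or from the OpenVPN project. It resolves the ca/cert/key/dh directives of a server.conf relative to the configuration directory, checks that each file exists, checks private-key permissions, and, when the openssl binary is available, flags RSA or DH material shorter than 2048 bits (the size current easy-rsa defaults to; on the 1024-bit keys built in the walkthrough it would report WEAK). The directory tree and server.conf fragment created by make_demo_pki are constructed for the demo and mirror the layout used in the post.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the server PKI that the
# walkthrough builds. The ca/cert/key/dh paths in server.conf are resolved
# relative to the configuration directory, the way OpenVPN resolves them, then
# each file is checked for existence, private keys for 0400/0600 permissions
# and, when the openssl binary is present, RSA and DH sizes below 2048 bits.
# The tree and server.conf created by make_demo_pki are constructed for the demo.

# Octal permission bits of a file: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Bit length of a ca/cert/key/dh PEM file, or nothing if openssl cannot parse it
# (a passphrase-protected key, or an empty placeholder file as in the demo).
pem_bits() {
    case $1 in
        ca|cert) openssl x509 -in "$2" -noout -text 2>/dev/null ;;
        key)     openssl rsa -in "$2" -noout -text -passin pass: 2>/dev/null ;;
        dh)      openssl dhparam -in "$2" -noout -text 2>/dev/null ;;
    esac | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# audit_openvpn_pki CONFDIR CONF: one finding per line, nothing when clean.
audit_openvpn_pki() {
    confdir=$1
    conf=$2
    # Only the four file directives; comment lines (# or ;) never match.
    awk '$1 ~ /^(ca|cert|key|dh)$/ { print $1, $2 }' "$conf" |
    while read -r directive path; do
        case $path in
            /*) file=$path ;;             # absolute path: use as written
            *)  file=$confdir/$path ;;    # relative path: resolve against CONFDIR
        esac
        if [ ! -f "$file" ]; then
            echo "MISSING $directive -> $file"
            continue
        fi
        if [ "$directive" = key ]; then
            mode=$(mode_of "$file")
            case $mode in
                400|600) ;;
                *) echo "PERMS $file is mode $mode (expected 0400 or 0600)" ;;
            esac
        fi
        if command -v openssl >/dev/null 2>&1; then
            bits=$(pem_bits "$directive" "$file")
            if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
                echo "WEAK $directive $file is $bits bits (below 2048)"
            fi
        fi
    done
}

# Number of findings, handy for scripting ("0" means the audit is clean).
count_findings() {
    audit_openvpn_pki "$1" "$2" | wc -l | tr -d ' '
}

# Constructed tree mirroring the post's layout (/etc/openvpn with keys under
# easy-rsa/keys). The key is deliberately left 0644 and dh1024.pem is missing.
make_demo_pki() {
    d=$(mktemp -d)
    mkdir -p "$d/easy-rsa/keys"
    : > "$d/easy-rsa/keys/ca.crt"
    : > "$d/easy-rsa/keys/thehive.crt"
    : > "$d/easy-rsa/keys/thehive.key"
    chmod 0644 "$d/easy-rsa/keys/thehive.key"
    cat > "$d/server.conf" <<'EOF'
# constructed server.conf fragment using the post's directives
port 1194
proto udp
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/thehive.crt
key easy-rsa/keys/thehive.key
dh easy-rsa/keys/dh1024.pem
EOF
    echo "$d"
}

# Usage: audit the demo tree (expect a PERMS and a MISSING finding).
demo=$(make_demo_pki)
audit_openvpn_pki "$demo" "$demo/server.conf"
```

Run it as `audit_openvpn_pki /etc/openvpn /etc/openvpn/server.conf` on a real box. Resolving relative paths against the config directory rather than the current working directory is the point of the `case` block: a config that works when you start OpenVPN from /etc/openvpn by hand but fails from the init script is almost always a path resolved against the wrong base.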
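The "did it start?" check above is worth automating, because the netstat listing tells you two things at once: whether openvpn actually owns the socket server.conf asked for, and what else the VPS is exposing to the world. The script below is an added example, not code from the original post or from OpenVPN. expected_listener reads the port/proto directives of a server.conf (falling back to OpenVPN's defaults of udp and 1194 when they are absent), listener_check confirms a process named openvpn holds that socket in saved `netstat -ntlup` output, and unexpected_listeners reports every socket bound to 0.0.0.0 or :: whose port is not on an allow list. The netstat text written by write_sample is constructed from the post's listing plus one made-up mysqld row so the allow-list check has something to find.

```shell
#!/bin/sh
# Added example (not code from the original post): check the "did it start?"
# step against what server.conf asks for, working from saved `netstat -ntlup`
# output. expected_listener reads the port/proto directives (OpenVPN defaults:
# udp 1194), listener_check confirms a process named openvpn owns that socket,
# and unexpected_listeners lists every other socket bound to all interfaces
# that is not on an allow list. The netstat text in write_sample is constructed
# from the post's listing plus one made-up mysqld row.

# expected_listener CONF -> "PROTO PORT". Variants such as udp6 or tcp-server
# are reduced to udp/tcp, which is how netstat's Proto column names them.
expected_listener() {
    awk 'BEGIN { proto = "udp"; port = "1194" }
         $1 == "proto" { proto = $2 }
         $1 == "port"  { port = $2 }
         END { sub(/-.*$/, "", proto); sub(/[46]$/, "", proto); print proto, port }' "$1"
}

# listener_check NETSTAT_FILE PROTO PORT -> "OK" or "MISSING".
# Local Address is field 4 (host:port, or :::port for IPv6); PID/Program is last.
listener_check() {
    awk -v proto="$2" -v port="$3" '
        $1 ~ ("^" proto "6?$") {
            n = split($4, addr, ":")
            split($NF, prog, "/")
            if (addr[n] == port && prog[2] == "openvpn") found = 1
        }
        END { print (found ? "OK" : "MISSING") }' "$1"
}

# unexpected_listeners NETSTAT_FILE "PORT PORT ...": prints "proto port program"
# for each listener bound to 0.0.0.0 or :: whose port is not in the allow list.
unexpected_listeners() {
    awk -v allowed=" $2 " '
        $1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            n = split($4, addr, ":")
            split($NF, prog, "/")
            if (index(allowed, " " addr[n] " ") == 0) print $1, addr[n], prog[2]
        }' "$1"
}

# Number of wildcard-bound listeners not on the allow list.
count_unexpected() {
    unexpected_listeners "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: the post's netstat listing plus a made-up mysqld row.
write_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 232/sshd
tcp6 0 0 :::22 :::* LISTEN 232/sshd
udp 0 0 0.0.0.0:1194 0.0.0.0:* 660/openvpn
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 710/mysqld
EOF
    echo "$f"
}

# Usage: the post's server.conf says udp/1194; 22 and 1194 are the listeners we expect.
sample=$(write_sample)
conf=$(mktemp)
printf 'port 1194\nproto udp\n' > "$conf"
want=$(expected_listener "$conf")
echo "openvpn on ${want% *}/${want#* }: $(listener_check "$sample" "${want% *}" "${want#* }")"
echo "wildcard listeners not on the allow list:"
unexpected_listeners "$sample" "22 1194"
```

On a live server, `netstat -ntlup > /tmp/listeners.txt` (or the equivalent `ss -lntup` output, which has a different column layout and would need its own awk) and pass that file in. A listener that is MISSING while the init script printed "Autostarting VPN 'server'" usually means the daemon exited right after start, so the next place to look is the OpenVPN log, not the firewall.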