Working with OpenVPN (and iptables)

Understanding Virtual Private Networks (VPsN) is essential for many advanced level certification tests. OpenVPN is a popular VPN solution that enjoys somewhat common use. This exercise focuses on configuring a basic VPN server and client.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Install and configure the OpenVPN server on `vpn-server`.

Install OpenVPN:

Run yum install -y openvpn.
Copy the server config: cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/
Edit the server config to contain the following topology configuration: topology subnet

Install the provided server certificates.

Run:

cp /home/cloud_user/certs/ca.crt /home/cloud_user/certs/server.crt /home/cloud_user/certs/server.key /etc/openvpn

Generate the required server keys.

Generate the dhparam key (this may take a few minutes):
```
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
```

Generate the key for tls-auth and copy it to client:

openvpn --genkey --secret /etc/openvpn/ta.key

scp /etc/openvpn/ta.key cloud_user:/home/cloud_user/ta.key

Make the necessary firewall and routing configurations for OpenVPN on `vpn-server`.

Run the following commands:

iptables -I INPUT -p udp --dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables-save > /etc/sysconfig/iptables

sysctl -w net.ipv4.ip_forward=1

Enable and start the OpenVPN server.

Run the following:

systemctl enable openvpn@server

systemctl start openvpn@server

Install and configure the OpenVPN client on `vpn-client`.

On vpn-client, perform the following steps:

Install OpenVPN:
```
yum install y openvpn
```

Copy the client.conf file from /usr/share/doc:

cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/client.conf /etc/openvpn/

Update the remote command hostname directive in /etc/openvpn/client.conf as follows:
```
remote vpn-server 1194
```

Install the provided client and ca-certificates on `vpn-client`.

Copy the provided certificates off of vpn-server and to the noted directories on vpn-client with the following commands.

Run on the host vpn-client:

cp /home/cloud_user/ca.crt /etc/openvpn/

cp /home/cloud_user/client.key /etc/openvpn/

cp /home/cloud_user/client.crt /etc/openvpn/

Install the `tls` key from `vpn-server` on `vpn-client`.

Assuming you copied the tls key over to /home/cloud_user/ta.key when you created it in the earlier tasks, run cp /home/cloud_user/ta.key /etc/openvpn/ta.key.

If not, you will need to retrieve the file from vpn-server:/etc/openvpn/ta.key.

Enable and start the OpenVPN client.

Run the following commands:

systemctl enable openvpn@client

systemctl start openvpn@client

Additional Resources

You have finally grown tired of driving to the office to do anything in the data center. To make things easier, you will be deploying a VPN server along with a client-server to verify basic functionality using the OpenVPN solution. To your delight, it looks like your coworker has already started such a project and provided you with a server and a client machine named vpn-server and vpn-client respectively. You will find that all of the necessary SSL certificates (including the required CA certificate) have already been generated and are available in /home/cloud_user/certs.

In order to complete the configuration you will need to take care of the following:

Configure vpn-server as a simple VPN server by installing the openvpn package through yum. You can use the server configuration file server.conf found in /user/share/doc/openvpn-*.

You may use the default subnet 10.8.0.0/24 in the sample openvpn configuration file, but you will need to configure the server to use a subnet topology (it does not by default). You will need to generate dh parameters for the server as indicated in the server.conf file. You must also generate a tls key to be shared by the server and the test client.

You will need to open the default firewall port for OpenVPN (udp 1194) and configure NAT for the 10.8.0.0/24 subnet over eth0 as well as IPv4 forwarding via the kernel parameter. Note that you will need to use iptables for firewall configuration. Be sure the new firewall rules persist reboot.

Be sure to enable and start the OpenVPN server service.

You must also configure a basic VPN client on vpn-client by installing OpenVPN using yum. Use ca.crt, client.crt, and client.key available on vpn-server:/home/cloud_user/certs for SSL configuration. You must also copy the tls key generated on the server so that the client will be able to communicate with the server securely. You will also need to ensure that you enable and start the VPN client service on vpn-client.

Presuming everything is configured correctly, both the client and server service should start without error.

Please note that cloud_user has a pre-shared ssh key from vpn-server to vpn-client for your convenience. Also, the EPEL repository has already been configured for use with both hosts.

Summary tasks list:

Install and configure the OpenVPN server on vpn-server.

Install the provided server certificates for vpn-server.
Generate the required server keys.
Make the necessary firewall and routing configurations for OpenVPN on vpn-server.
Enable and start the OpenVPN server.
Install and configure an OpenVPN client on vpn-client.
Install the provided client and ca-certificates on vpn-client.
Install the tls key from vpn-server on vpn-client.
Enable and start the OpenVPN client.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Working with OpenVPN (and iptables)

About this Hands-on Lab

Learning Objectives

Additional Resources

What are Hands-on Labs

Newsletter