In this exercise, we will install and configure a VPN using OpenVPN. We will use our Linux machine as the VPN server, and any Windows workstation as the client.
- Use PuTTY to SSH to your Linux system (although you can also complete this using the terminal within your VM). Once logged in, use the “su” command to switch to the root user.
- For this lab to work, you will need to refer back to a previous lab, and set SELinux to “permissive” mode, and allow UDP port 1194 in your firewall.
- Install OpenVPN and easy-rsa using the dnf command: dnf install openvpn easy-rsa
- Once installed, you will begin by using easy-rsa to create your encryption keys:
- Use the “cd” command, and go to /usr/share/easy-rsa/3.0/pki
- Use the command ./easyrsa init-pki to initialize the PKI commands
- Use the command ./easyrsa build-ca to create a CA keypair/cert
- Generate your keys for the client and server using the following commands:
  - ./easyrsa gen-req my_server nopass
  - ./easyrsa gen-req my_client nopass
- Import the requests using the following command: ./easyrsa import-req /reqs
- Run the following command: ./easyrsa sign client my_client
- Run the following command: ./easyrsa sign server my_server
- Generate the DH parameters for the TLS handshake: ./easyrsa gen-dh
- Once you have completed these steps, look in the pki directory, and find the server and client files (the file names may be slightly different):
- Server:
  - ca.crt
  - issued/my_server.crt
  - private/my_server.key
  - dh.pem
- Client:
  - ca.crt (same as the server's)
  - issued/my_client.crt
  - private/my_client.key
- Answer the following questions:
- The easy-rsa command is similar to what we did in an earlier exercise; compare this to the openssl tool. Which did you prefer? What was similar? Did they generate the same files?
- Copy the server files you found above into the /etc/openvpn/ directory.
- Copy the client files you found above to your own computer. You can use WinSCP to do this, which will allow you to use SSH to connect to the server and download the files. You may need to set the permissions on the files using the chmod command: chmod 777 filename
- What file is missing for the client? Why do you suppose we do not need that file?
- Explain each of the other three files.
- Use the ifconfig command, and note the IP address of your system
- Change to the /etc/openvpn directory, find the server.conf file, and open with vi or the text editor of your choice:
- Set the listening IP for openvpn
- Find the section of the config file that sets the paths to the three files you copied, and set them to the full paths of the files you copied to /etc/openvpn
- Find the section that contains the DH parameters, and provide the full path to the DH file you copied to /etc/openvpn
- Enable the openvpn service: systemctl enable openvpn@server
- Start the openvpn service: systemctl start openvpn@server
- Download the OpenVPN application to your Windows PC: https://openvpn.net/index.php/open-source/downloads.html
- Install and configure the OpenVPN client:
- After running the installer, find the OpenVPN directory in either “Program Files” or “Program Files (x86)”
- Locate the sample-config/client.ovpn file, and copy it to the config directory
- Copy the three “client” files you created on the server into the config directory
- Open the “client.ovpn” file, and edit the path to the client files, as well as the IP address for the remote server, then save the file.
- Open the OpenVPN GUI in Windows, and find the icon in your task tray (near the clock).
- Right-click the icon and select “Connect”
- Did this work? If not, explain what might be wrong.
- Explain how you can test if your VPN is working, and discuss any challenges you encountered while completing this assignment.
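If the client cannot connect, a common server-side cause is a server.conf whose ca/cert/key/dh directives point at files that were never copied to /etc/openvpn, or a private key the service cannot use safely. The following pre-flight check is an added example, not part of the lab or of OpenVPN itself; it assumes GNU stat (Linux) and resolves relative paths against the config file's directory.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf: confirms that every file named
# by the ca, cert, key and dh directives exists, and that the private key is
# readable only by its owner (mode x00). Returns 0 when all checks pass.
# Added example; the file layout it is run against is whatever you pass in.

check_ovpn_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    status=0
    for directive in ca cert key dh; do
        # First uncommented line whose first word is the directive; the
        # second word is the path. Lines starting with # or ; never match.
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "MISSING: no '$directive' directive in $conf"
            status=1
            continue
        fi
        # Assumption: a relative path is taken relative to the config's directory.
        case "$path" in
            /*) full="$path" ;;
            *)  full="$(dirname "$conf")/$path" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "MISSING: $directive -> $full does not exist"
            status=1
            continue
        fi
        if [ "$directive" = key ]; then
            # GNU stat: %a prints the octal mode without a leading zero, e.g. 600
            mode=$(stat -c '%a' "$full")
            case "$mode" in
                ?00) echo "OK: key $full (mode $mode)" ;;
                *)   echo "WEAK: key $full mode $mode is readable by group/others"
                     status=1 ;;
            esac
        else
            echo "OK: $directive -> $full"
        fi
    done
    return $status
}

# usage: sh check_ovpn.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_ovpn_conf "$1"
fi
```

Run it as root after editing server.conf and before starting the service; a non-zero exit status points at the directive that needs fixing.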