Linux Security: Working with OpenVPN (and iptables)
Install and Configure the OpenVPN server on ‘vpn-server’
Install OpenVPN:
- Run:
  yum install -y openvpn
- Copy the server config:
  cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/
- Edit the server config to contain the following topology configuration:
  topology subnet
Install the provided server certificates
Run:
cp /home/cloud_user/certs/ca.crt /home/cloud_user/certs/server.crt /home/cloud_user/certs/server.key /etc/openvpn
Generate the required Server Keys
- Generate the dhparam:
  openssl dhparam -out /etc/openvpn/dh2048.pem 2048
- Generate the key for tls-auth and copy it to the client:
  openvpn --genkey --secret /etc/openvpn/ta.key
  scp /etc/openvpn/ta.key cloud_user:/home/cloud_user/ta.key
Make the necessary firewall and routing configurations for OpenVPN on ‘vpn-server’
Run the following commands:
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sysctl -w net.ipv4.ip_forward=1
Enable and start the OpenVPN server
Run the following:
systemctl enable openvpn@server
systemctl start openvpn@server
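Before starting the service it is worth confirming that the server directory actually matches what the steps above set up: the directives are active (not commented out), every referenced file is present, and the private key material is not readable by other users. The check below is an added example, not part of the original lab; it assumes the /etc/openvpn layout used above (server.conf, ca.crt, server.crt, server.key, dh2048.pem, ta.key) and GNU stat for the permission check.

```shell
#!/bin/sh
# Added example (not from the lab): sanity-check an OpenVPN server directory
# before running "systemctl start openvpn@server".
# Assumes GNU coreutils stat (-c %a) and the file layout used in the lab.

# has_directive FILE DIRECTIVE VALUE
# Succeeds only if an uncommented line "DIRECTIVE VALUE" exists in FILE
# (lines starting with ';' or '#' are ignored by the anchored regex).
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# key_is_private FILE
# Succeeds if FILE exists and is readable/writable by its owner only (mode 600).
key_is_private() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# check_openvpn_dir DIR
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_openvpn_dir() {
    dir=$1
    conf=$dir/server.conf
    rc=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    # The lab's two config edits: subnet topology and the tls-auth HMAC key.
    has_directive "$conf" topology subnet || { echo "server.conf: 'topology subnet' not set"; rc=1; }
    has_directive "$conf" tls-auth ta.key || { echo "server.conf: 'tls-auth ta.key' not enabled"; rc=1; }
    # Everything server.conf references must exist in the directory.
    for f in ca.crt server.crt server.key dh2048.pem ta.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; rc=1; }
    done
    # Secrets (server private key, tls-auth key) must not be group/world readable.
    for k in server.key ta.key; do
        key_is_private "$dir/$k" || { echo "$dir/$k must be mode 600"; rc=1; }
    done
    return $rc
}

# Usage: sh check.sh /etc/openvpn
if [ $# -gt 0 ]; then
    check_openvpn_dir "$1"
fi
```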
Install and configure the OpenVPN client on ‘vpn-server’
In vpn-client, perform the following steps:
- Install OpenVPN:
  yum install -y openvpn
- Copy the client.conf file from /usr/share/doc:
  cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf /etc/openvpn/
- Update the remote command hostname directive in /etc/openvpn/client.conf as follows:
  remote vpn-server 1194
Install the provided client and ca-certificates on ‘vpn-client’
Copy the provided certificates from vpn-server into the noted directories on vpn-client with the following commands.
Run on the host vpn-client:
scp cloud_user@vpn-server:/home/cloud_user/ca.crt /etc/openvpn/ca.crt
scp cloud_user@vpn-server:/home/cloud_user/client.key /home/cloud_user/client.key
scp cloud_user@vpn-server:/home/cloud_user/client.crt /home/cloud_user/client.crt