Linux Security: Working with OpenVPN (and iptables)


Install and Configure the OpenVPN server on ‘vpn-server’

Install OpenVPN:

  1. Run yum install -y openvpn.
  2. Copy the server config: cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/
  3. Edit the server config to contain the following topology configuration: topology subnet

Install the provided server certificates

Run cp /home/cloud_user/certs/ca.crt /home/cloud_user/certs/server.crt /home/cloud_user/certs/server.key /etc/openvpn.

Generate the required Server Keys

  1. Generate the dhparam: openssl dhparam -out /etc/openvpn/dh2048.pem 2048
  2. Generate the key for tls-auth and copy it to the client: openvpn --genkey --secret /etc/openvpn/ta.key
     scp /etc/openvpn/ta.key cloud_user:/home/cloud_user/ta.key

Make the necessary firewall and routing configurations for OpenVPN on ‘vpn-server’

Run the following commands (VPN_SUBNET is the tunnel network set by the server directive in server.conf; the sample config's default is 10.8.0.0/24):

  • iptables -I INPUT -p udp --dport 1194 -j ACCEPT
  • iptables -t nat -A POSTROUTING -s VPN_SUBNET -o eth0 -j MASQUERADE
  • iptables-save > /etc/sysconfig/iptables
  • sysctl -w net.ipv4.ip_forward=1

Enable and start the OpenVPN server

Run the following:

  • systemctl enable openvpn@server
  • systemctl start openvpn@server
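The server-side steps above (the topology and dh lines in server.conf, the tls-auth key, the certificate and key files under /etc/openvpn, and the MASQUERADE rule that needs the tunnel subnet) are easy to get slightly wrong, and OpenVPN will often start anyway. The following POSIX shell script is an added example, not part of the original lab notes: it audits a server directory for those settings, checks that the private key material is mode 600, and derives the VPN subnet from the server directive so the NAT rule can be emitted with the -s argument filled in. It assumes GNU stat (as on the CentOS host the lab uses) and that eth0 is the outbound interface; the temporary directory and its server.conf are constructed for the demo and contain placeholder text rather than real keys.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit an OpenVPN server
# directory and derive the tunnel subnet for the POSTROUTING MASQUERADE rule.

# mask_to_prefix 255.255.255.0 -> 24 (dotted netmask to CIDR prefix length)
mask_to_prefix() {
  prefix=0
  for octet in $(echo "$1" | tr '.' ' '); do
    case "$octet" in
      255) prefix=$((prefix + 8)) ;;
      254) prefix=$((prefix + 7)) ;;
      252) prefix=$((prefix + 6)) ;;
      248) prefix=$((prefix + 5)) ;;
      240) prefix=$((prefix + 4)) ;;
      224) prefix=$((prefix + 3)) ;;
      192) prefix=$((prefix + 2)) ;;
      128) prefix=$((prefix + 1)) ;;
      0)   ;;
      *) echo "invalid netmask octet: $octet" >&2; return 1 ;;
    esac
  done
  echo "$prefix"
}

# vpn_subnet CONF -> e.g. 10.8.0.0/24, read from the 'server NETWORK NETMASK' directive
vpn_subnet() {
  set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
  [ -n "$2" ] || { echo "no 'server' directive found" >&2; return 1; }
  echo "$1/$(mask_to_prefix "$2")"
}

# nat_rule CONF IFACE -> the MASQUERADE rule from the walkthrough with -s filled in
nat_rule() {
  echo "iptables -t nat -A POSTROUTING -s $(vpn_subnet "$1") -o $2 -j MASQUERADE"
}

# audit_server_dir DIR -> prints the number of problems to stdout (0 = clean);
# individual findings go to stderr.
audit_server_dir() {
  dir="$1"; conf="$dir/server.conf"; problems=0
  # Directives this walkthrough adds or relies on.
  for directive in "topology subnet" "dh dh2048.pem" "tls-auth ta.key 0"; do
    if ! grep -qE "^[[:space:]]*$directive([[:space:]]|$)" "$conf"; then
      echo "MISSING: '$directive' not set in $conf" >&2
      problems=$((problems + 1))
    fi
  done
  # Private key material must be readable by root only (GNU stat assumed).
  for secret in server.key ta.key; do
    if [ ! -f "$dir/$secret" ]; then
      echo "MISSING: $dir/$secret" >&2
      problems=$((problems + 1))
    elif [ "$(stat -c %a "$dir/$secret")" != "600" ]; then
      echo "PERMS: $dir/$secret is mode $(stat -c %a "$dir/$secret"), expected 600" >&2
      problems=$((problems + 1))
    fi
  done
  echo "$problems"
}

# make_demo_dir -> path of a constructed server directory used only for this demo.
# The tls-auth line is deliberately left out and server.key is left world-readable
# so the audit has two findings to report.
make_demo_dir() {
  dir=$(mktemp -d)
  printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
    'ca ca.crt' 'cert server.crt' 'key server.key' \
    'dh dh2048.pem' 'topology subnet' \
    'server 10.8.0.0 255.255.255.0' > "$dir/server.conf"
  printf 'constructed placeholder, not a real key\n' > "$dir/server.key"
  printf 'constructed placeholder, not a real key\n' > "$dir/ta.key"
  chmod 644 "$dir/server.key"
  chmod 600 "$dir/ta.key"
  echo "$dir"
}

# Demo run against the constructed directory.
demo_dir=$(make_demo_dir)
echo "audit problems: $(audit_server_dir "$demo_dir")"
echo "VPN subnet from server.conf: $(vpn_subnet "$demo_dir/server.conf")"
echo "NAT rule to apply: $(nat_rule "$demo_dir/server.conf" eth0)"
rm -rf "$demo_dir"
```

On a real host, point audit_server_dir at /etc/openvpn after the steps above and expect 0; a non-zero count means a directive or a chmod was skipped. Remember that sysctl -w only sets ip_forward for the running kernel, so the setting also needs to go into a file under /etc/sysctl.d/ to survive a reboot.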

Install and configure the OpenVPN client on ‘vpn-client’

In vpn-client, perform the following steps:

  1. Install OpenVPN: yum install -y openvpn
  2. Copy the client.conf file from /usr/share/doc: cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf /etc/openvpn/
  3. Update the remote hostname directive in /etc/openvpn/client.conf as follows: remote vpn-server 1194

Install the provided client and ca-certificates on ‘vpn-client’

Copy the provided certificates from vpn-server to the noted directories on vpn-client with the following commands.

Run on the host vpn-client:

  • scp cloud_user@vpn-server:/home/cloud_user/ca.crt /etc/openvpn/ca.crt
  • scp cloud_user@vpn-server:/home/cloud_user/client.key /home/cloud_user/client.key
  • scp cloud_user@vpn-server:/home/cloud_user/client.crt /home/cloud_user/client.crt
