Linux Security: Working with OpenVPN (and iptables)

Install and Configure the OpenVPN server on ‘vpn-server’

Install OpenVPN:

  1. Run yum install -y openvpn.
  2. Copy the server config: cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/
  3. Edit the server config to contain the following topology configuration: topology subnet

Install the provided server certificates

Run cp /home/cloud_user/certs/ca.crt /home/cloud_user/certs/server.crt /home/cloud_user/certs/server.key /etc/openvpn.

Generate the required Server Keys

  1. Generate the dhparam: openssl dhparam -out /etc/openvpn/dh2048.pem 2048
  2. Generate the key for tls-auth and copy it to the client: openvpn --genkey --secret /etc/openvpn/ta.key
    scp /etc/openvpn/ta.key cloud_user:/home/cloud_user/ta.key

Make the necessary firewall and routing configurations for OpenVPN on ‘vpn-server’

Run the following commands:

  • iptables -I INPUT -p udp --dport 1194 -j ACCEPT
  • iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
  • iptables-save > /etc/sysconfig/iptables
  • sysctl -w net.ipv4.ip_forward=1

Enable and start the OpenVPN server

Run the following:

  • systemctl enable openvpn@server
  • systemctl start openvpn@server
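
Before starting the service it is worth checking that the steps above left /etc/openvpn in a usable state. The following is an added example, not part of the lab: a POSIX shell check that confirms server.conf sets topology subnet, that every ca/cert/key/dh/tls-auth file it references is readable, and that the key and tls-auth files are owner-only. The demo_check function and its placeholder files are constructed here for illustration; GNU stat is assumed.

```shell
# Added example (not part of the lab): pre-flight check of an OpenVPN server
# directory before `systemctl start openvpn@server`. Verifies the directives this
# lab sets (topology subnet, ca/cert/key, dh, tls-auth), that each referenced file
# is readable, and that secret files are not group/world readable. Assumes GNU stat
# and that relative paths resolve under the config dir (as the openvpn@ unit does).
check_openvpn_dir() {
    dir=$1 conf=$1/$2 rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 1; }
    grep -Eq '^topology[[:space:]]+subnet' "$conf" \
        || { echo "FAIL: 'topology subnet' not set in $conf" >&2; rc=1; }
    for d in ca cert key dh tls-auth; do
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then echo "FAIL: directive '$d' missing" >&2; rc=1; continue; fi
        case $f in /*) ;; *) f=$dir/$f ;; esac
        if [ ! -r "$f" ]; then echo "FAIL: $d file $f not readable" >&2; rc=1; continue; fi
        case $d in key|tls-auth)            # secret material: owner-only modes only
            mode=$(stat -c %a "$f")
            case $mode in 600|400) ;; *)
                echo "FAIL: $f is mode $mode; secrets should be 600" >&2; rc=1 ;;
            esac ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf passes"
    return $rc
}

# Constructed demo: placeholder (non-secret) files; prints "<rc with 600 key> <rc after chmod 644>".
demo_check() {
    tmp=$(mktemp -d) && d=$tmp/openvpn && mkdir -p "$d"
    for f in ca.crt server.crt server.key dh2048.pem ta.key; do
        echo "constructed placeholder" > "$d/$f"
    done
    cat > "$d/server.conf" <<'EOF'
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
topology subnet
EOF
    chmod 600 "$d/server.key" "$d/ta.key"
    if check_openvpn_dir "$d" server.conf; then good=0; else good=1; fi
    chmod 644 "$d/server.key"       # simulate a key copied with the default umask
    if check_openvpn_dir "$d" server.conf; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    echo "$good $bad"
}
```

Run `check_openvpn_dir /etc/openvpn server.conf` on the real host; `demo_check` shows the expected "0 1" on the constructed directory.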

Install and configure the OpenVPN client on ‘vpn-client’

In vpn-client, perform the following steps:

  1. Install OpenVPN: yum install -y openvpn
  2. Copy the client.conf file from /usr/share/doc: cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf /etc/openvpn/
  3. Update the remote hostname directive in /etc/openvpn/client.conf as follows: remote vpn-server 1194

Install the provided client and ca-certificates on ‘vpn-client’

Copy the provided certificates from vpn-server to the noted directories on vpn-client with the following commands.

Run on the host vpn-client:

  • scp cloud_user@vpn-server:/home/cloud_user/ca.crt /etc/openvpn/ca.crt
  • scp cloud_user@vpn-server:/home/cloud_user/client.key /home/cloud_user/client.key
  • scp cloud_user@vpn-server:/home/cloud_user/client.crt /home/cloud_user/client.crt