OpenVPN Lab continued from Page 2
Build the client keys using easy-rsa
You can build separate client keys for each client you wish to allow to connect to your server.
25. Navigate to the easy-rsa directory and build your client keys.
Copy the client keys to the client’s computer
26. Change directories to the keys folder and verify your client keys. You should see files named myclient.crt and myclient.key.
27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer using a flash drive, by emailing the files, or with an SSH/SCP client like Filezilla. To copy the files using Filezilla you may first need to copy them to a folder like Documents that does not require root access, and then change the file permissions on myclient.key so that group and public have read access. Once the copy is finished, tighten the permissions on myclient.key again on both machines, since it is the client's private key. The client computer used to connect to the OpenVPN server can be a computer running Windows, Linux, or OS X.
cp ca.crt myclient.crt myclient.key /home/student/Documents
chmod 644 myclient.key
Now from a remote computer you can use a program like Filezilla to copy the files from the server.
Create the client OpenVPN configuration file used to connect to the server
28. Using a text editor like nano in Linux or Notepad in Windows, create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the Centos 7 server.
Add the following lines:
remote <centos server ip address> 1194
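As an added example (not part of the original lab), a small Python helper that writes a complete myclient.ovpn for step 28 and checks an existing one for the directives the rest of this lab depends on: the three files from step 27, `auth-user-pass` for the PAM login added in steps 30 and 31, and `remote-cert-tls server`. The 203.0.113.10 address is a constructed placeholder; `dev tun`, `proto udp` and a server certificate built with easy-rsa's server role are assumptions.

```python
"""Build and sanity-check the myclient.ovpn file from step 28.

Added example, not part of the original lab. Directive names are standard
OpenVPN 2.x client options; the server address used below is constructed.
Assumes the server certificate was built with easy-rsa's server role, so
the client can insist on it with `remote-cert-tls server`.
"""
import ipaddress

PORT = 1194

# Lines a client for this lab must contain: the three files copied in step 27,
# `remote-cert-tls server` so a stolen client certificate cannot pose as the
# server, and `auth-user-pass`, which the auth-pam plugin from steps 30-31
# needs (without it the server rejects the client for missing credentials).
REQUIRED = {
    "client",
    "ca ca.crt",
    "cert myclient.crt",
    "key myclient.key",
    "remote-cert-tls server",
    "auth-user-pass",
}


def build_client_config(server_ip, port=PORT):
    """Return a complete myclient.ovpn body for the server at server_ip:port."""
    ipaddress.ip_address(server_ip)          # raises ValueError on a bad address
    lines = [
        "client", "dev tun", "proto udp",     # dev/proto are assumptions
        f"remote {server_ip} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "ca ca.crt", "cert myclient.crt", "key myclient.key",
        "remote-cert-tls server",             # only accept a server-role cert
        "auth-user-pass",                     # prompt for the Linux user login
        "verb 3",
    ]
    return "\n".join(lines) + "\n"


def check_client_config(text):
    """Return REQUIRED directives missing from an .ovpn body, plus a 'remote'
    entry if no line points at port 1194. An empty list means it is complete."""
    present = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        present.add(" ".join(line.split("#", 1)[0].split()))
    missing = sorted(REQUIRED - present)
    if not any(p.startswith("remote ") and p.endswith(f" {PORT}") for p in present):
        missing.append(f"remote <server ip> {PORT}")
    return missing


if __name__ == "__main__":
    cfg = build_client_config("203.0.113.10")  # constructed server address
    print(cfg)
    print("missing:", check_client_config(cfg))
```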
On the server, enable Centos 7 to forward packets through its network interfaces
29. Use sysctl to allow IP packet forwarding. Add the following line to the sysctl.conf file:
net.ipv4.ip_forward = 1
Enable the OpenVPN pam authentication module to add user authentication
30. With the OpenVPN auth-pam plugin, the OpenVPN server can authenticate clients against the Linux system user accounts. To do this you will need to create a PAM service file:
Then add the following two lines:
auth required pam_unix.so shadow nodelay
account required pam_unix.so
31. Add the following line to the end of the OpenVPN server.conf file:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
On the server, add and uncomment two lines in the OpenVPN server.conf file
32. In server.conf, add a line to push a route to the server's inside LAN network, and uncomment a line to allow client-to-client communication between tunneled users.
Add/uncomment the following two lines:
push "route 192.168.10.0 255.255.255.0"
Ctrl+x, type y and press enter to save.
33. Now restart the OpenVPN server.
systemctl stop openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
Connect to the OpenVPN Server from a client computer
34. With root access, use the following command to connect to the server from a Linux host. Notice that in the example command below the path to the myclient.ovpn file is the current directory; if the ovpn config file is in a different directory you will need to provide the path. You may need to install openvpn and easy-rsa if openvpn is not already installed on your Linux client.
OpenVPN is now running in that terminal window. To close the OpenVPN connection press Ctrl+c; to continue working while it stays connected, open a new terminal window. You can also close OpenVPN and the tunnel connection using the pkill program.
35. In a new terminal window, examine your tunnel interface using ifconfig. You should see a tun0 interface with an IP address in the 10.8.0.0 range.
36. Test whether you can ping the router's tunnel interface at 10.8.0.1, and whether you can reach the inside LAN network at 192.168.10.1.
37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the OpenVPN client program from http://openvpn.net. You will find the Windows client installer on the website under community downloads. After installing the OpenVPN client for Windows, copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Program Files (x86)\OpenVPN\config\ folder, or, if you installed the 64-bit version of the OpenVPN client, to C:\Program Files\OpenVPN\config\.
38. Now start the Windows OpenVPN client. It will launch into the System Tray. Right-click the OpenVPN icon in the System Tray, choose the config file, and select Connect.
Start > Programs > OpenVPN GUI
Right-click the OpenVPN icon in the system tray and select Connect.
Configure the iptables firewall to allow OpenVPN connections
Earlier in the lab, I shut down the iptables firewall with the intention of turning it back on after configuring it to allow OpenVPN connections.
39. To be posted soon…