Install OpenVPN in a Centos 7 Virtual

Machine -Page 1

Install OpenVPN Overview

OpenVPN is an incredible tool for creating securely encrypted, remote
network-to-network and client-to-network tunneled connections. You can think
of it like this, if you have an OpenVPN connection to a network, then you have
a secure connection to that network and all the resources on that network, like
printers, file servers, other host computers, etc.. To set it up, you need to
install an OpenVPN access server on one computer, and then on a separate
computer, install an OpenVPN client for connecting to the server remotely.
The goal of the lab is to install and configure an OpenVPN server, and then
from a second computer, open a tunnel to the server using an OpenVPN
client. To do this, you will first need to install Centos 7 (64bit) in a VMware
Player virtual machine. Since this is a test case scenario, during the Centos 7
installation, I recommend installing the Gnome Desktop instead of the default,
minimal install. When creating the virtual machine with VMware Player you
will need to add an additional virtual network interface (NIC) to your virtual
machine. After creating the virtual machine, edit the virtual machine settings,
add a second network adapter, then change it from Bridged mode to LAN
Segment mode. You will need to create/add a LAN Segment, name it
VLAN10, and then configure the network adapter to the LAN Segment
(VLAN10) setting. The virtual machine will have two network adapters, the
first in Bridged Mode, and the second in LAN Segment mode (VLAN10).

Install Centos in a VM
Start up your VMware Centos 7 virtual machine, run through the installation,
install the Gnome desktop environment, create a student account as well as a
root password. After the install, start Centos and login. At the desktop, go to
Applications and open a terminal window. In the terminal issue an ifconfig
command to verify the presence of the two network adapters, they will
probably show up as eno16777736 and eno33554960. If the second network
adapter did not appear after issuing the ifconfig command then shutdown
Centos, edit the virtual machine settings in VMware Player, remove and then
re-add the second network adapter, until the second network adapter
registers as present from within Centos.
  
The diagram below represents a network hosted from a single computer using
virtual machines. The single physical host computer is the laptop represented
by the laptop icon and the black rectangular outline. The virtual machines are
running inside the laptop using VMware Player, VMware Workstation, or
Virtualbox. Notice the Centos 7 Server has two Ethernet network adapters.
The bridged mode network adapter places the Centos 7 eth0 interface on the
network just like any other physical computer. Notice that by configuring eth0
with a DHCP client it will obtain an IP address just like the laptop. The eth1
network adapter is in LAN Segment mode which will allow it to communicate
with any other virtual machines that are similarly configured with an identical
LAN Segment network adapter. In this scenario, if the the Interior Client virtual
machine wishes to connect to the internet, it will need to go through the
Centos 7 Server, making the Centos 7 Server a transparent proxy or gateway
for any virtual machines on the LAN Segment. With 8Gb of RAM and a quad
core processor on the host computer it is possible to run two virtual machines
simultaneously.

Lab Steps

Change the server’s hostname

=========================
1. Get root super-user access using su. Everything in this exercise is done
with root access.

   su
2. Change localhost.localdomain to a server name of your choice (eg.
danscentos-s2)

   nano /etc/hostname

3. Add your new hostname to the file (eg. 127.0.0.1 danscentos-s2 localhost
localhost.localdomain …)

   nano /etc/hosts

Change the Network Interfaces to eth0 and eth1

=======================================
For some strange reason the network interfaces show up as: eno16777736
and eno33554960. Thanks to some great websites, I was able to find a fix.

4. In the following file search for the line “GRUB_CMDLINE_LINUX” and

append the following: net.ifnames=0 biosdevname=0
note: make sure to append the text within the ending quotation mark as
such: net.ifnames=0 biosdevname=0″

   nano /etc/default/grub

   grub2-mkconfig -o /boot/grub2/grub.cfg

   reboot

5. After rebooting, use su for root access. Enter the hostname command to
verify your new hostname. Do an ifconfig and you should see the following
network interfaces: eth0, eth1, and Lo. If not go back to step 4 an try again.

Configure the Network Interfaces

===========================
6. To configure the network interfaces we need the network-scripts directory

   cd /etc/sysconfig/network-scripts/

7. Rename the ifcfg-en016777736 file to ifcfg-eth0 then do an ls command to

verify

   mv /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-
scripts/ifcfg-eth0

8. Copy the ifcfg-eth0 file to ifcfg-eth1 so now you have a config file for each
network interface. Do an ls command to verify

   cp /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-eth1
9. Edit the ifcfg-eth1 file {loadposition adposition6}

    nano ifcfg-eth1

//change the contents of ifcfg-eth1 to the following, exit and save:

TYPE=”Ethernet”
DEVICE=”eth1″
BOOTPROTO=”static”
IPADDR=”192.168.10.1″
NETMASK=”255.255.255.0″
IPV4_FAILURE_FATAL=”no”
IPV6INIT=”yes”
IPV6_AUTOCONF=”yes”
IPV6_DEFROUTE=”yes”
IPV6_PEERDNS=”yes”
IPV6_PEERROUTES=”yes”
IPV6_FAILURE_FATAL=”no”
NAME=”eth1″
ONBOOT=”yes”

10. Edit the ifcfg-eth0 file

    nano ifcfg-eth0

//change the contents of ifcfg-eth0 to the following, exit and save:

TYPE=”Ethernet”
DEVICE=”eth0″
BOOTPROTO=”dhcp”
DEFROUTE=”yes”
PEERDNS=”yes”
PEERROUTES=”yes”
IPV4_FAILURE_FATAL=”no”
IPV6INIT=”yes”
IPV6_AUTOCONF=”yes”
IPV6_DEFROUTE=”yes”
IPV6_PEERDNS=”yes”
IPV6_PEERROUTES=”yes”
IPV6_FAILURE_FATAL=”no”
NAME=”eth0″
ONBOOT=”yes”

Remove the Network Manager

=========================
11. Since this is a server, I recommend removing the Network Manager and
relying on manual network configurations instead
    systemctl stop NetworkManager
systemctl disable NetworkManager
service network restart

12. Reboot, then login and verify network connectivity and internet access.
You should see that eth0 received an IP address through DHCP and that eth1
has the IP address 192.168.10.1. If not, then re-edit your ifcfg-eth0 and ifcfg-
eth1 configuration files.

    reboot
ifconfig
ping yahoo.com

Note: you can manually bring a network interfaces up or down with the
following commands
   ifconfig eth0 down
ifconfig eth0 up
   ifconfig eth1 down
ifconfig eth1 up

Install the EPEL Repositories

========================

To install OpenVPN you will need the EPEL repositories

13. Using yum install EPEL

yum install epel-release

Disable firewalld and use iptables

===========================

14. Centos 7 has the new firewalld dynamic firewall daemon installed by
default. Firewalld has many new updated and advanced features that you
would want in a firewall, however if you are more familiar with the iptables
firewall service you can disable firewalld and use iptables. The following
commands assume root access through su.

   systemctl stop firewalld

systemctl disable firewalld

   yum install iptables-services   //iptables should already be installed, if not then type
y to install.

systemctl enable iptables

systemctl start iptables
systemctl status iptables
systemctl stop iptables

Stop iptables with the intention of configuring it later in the lab.

Install and Configure the OpenVPN Server
===================================

15. Install OpenVPN server

yum install openvpn

16. Copy the sample OpenVPN server configuration file to the /etc/openvpn
folder

   cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/
ls
cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn

17. Edit the OpenVPN server.conf file

   cd /etc/openvpn
nano server.conf
edit -> uncomment the following lines and change the DNS server addresses
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
user nobody
group nobody
Install Easy-RSA to create certificate of authority, server certificates,
and keys
===========================================================
=====

18. Install easy-rsa to handle encryption, certificates, and keys

   yum install easy-rsa

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

19. Change the variables file in the easy-rsa folder

   nano /etc/openvpn/easy-rsa/vars

edit -> change the following lines (the following settings are just my example
settings)
export KEY_COUNTRY=”US”
export KEY_PROVINCE=”OR”
export KEY_CITY=”Portland”
export KEY_ORG=”danscourses”
export KEY_EMAIL=”webadmin@danscentos-s2.danscourses.com”
export KEY_OU=”danscourses”

20. Build your security your server security certificates and keys. You will
accept the default settings.

   cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server $( hostname )
./build-dh

21. Copy your server certificates and keys to the openvpn folder

   cd /etc/openvpn/easy-rsa/keys
cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn

Start the OpenVPN Server

=====================

22. Restore SE Linux security context and create symbolic link for systemd

   restorecon -Rv /etc/openvpn

ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-
user.target.wants/openvpn\@server.service

23. Edit the OpenVPN server.conf file and change the names of the server
certificate and server key, to match the certificates and keys that you created.
Save the file and exit.

   cd /etc/openvpn
nano server.conf

in server.conf change the following lines:

cert server.crt
key server.key    # This file should be kept secret 
replace the word “server” with your server’s hostname which should be the
name of your server certificate and key files:
cert danscentos-s2.crt
key danscentos-s2.key    # This file should be kept secret 
24. Start the OpenVPN server
   systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service

Build the client keys using easy-rsa 

=============================

You can build separate client keys for each client you wish to allow to connect
to your server.

25. Navigate to the easy-rsa directory and build your client keys.

   cd /etc/openvpn/easy-rsa
source ./vars
./build-key myclient

Copy the client keys to the client’s computer

=====================================

26. Change directories to the keys folder and verify your client keys. You
should see files named myclient.crt and myclient.key

   cd /etc/openvpn/easy-rsa/keys
ls

27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client
computer using a flash drive, emailing the files or using an SSH/SCP client
like Filezilla. To copy the files using Filezilla you will may first need to copy the
files to a folder like Documents that does not require root access and then
change the file permissions on myclient.key so that group and public have
read access. The client computer used to connect to the OpenVPN server can
be a computer running Windows, Linux, or OSX.

   cp ca.crt myclient.crt myclient.key /home/student/Documents

cd /home/student/Documents
ls -l
chmod 644 myclient.key   

Now from a remote computer you can use a program like Filezilla to copy the
files from the server.

Create the client OpenVPN configuration file used to connect to the

server
===========================================================
==

28. Using a text editor like nano in Linux or notepad in Windows create the
text file myclient.ovpn and place it in the same directory as the ca.crt,
myclient.crt, and myclient.key files that you copied from the Centos 7 server.

   nano myclient.ovpn

add the following lines.:

client
dev tun
proto udp
remote <centos server ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key
auth-user-pass

On the server, enable Centos 7 to forward packets through its network

interfaces 
===========================================================
=======

29. Use sysctl to allow IP packet forwarding. Add the following line to the
sysctl.conf file

   nano /etc/sysctl.conf
  edit -> net.ipv4.ip_forward = 1

   sysctl -p

 
Enable the OpenVPN pam authentication module to add user
authentication
===========================================================
===

30. Using the OpenVPN auth-pam module the OpenVPN server can
authenticate using the Linux system users. To do this you will need to create
a PAM service file:

   touch /etc/pam.d/openvpn
nano /etc/pam.d/openvpn

then add the following two lines: 

auth    required    pam_unix.so    shadow    nodelay
account required    pam_unix.so

31. Add the following line to the end of the OpenVPN server.conf file

   nano /etc/openvpn/server.conf

    plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

On the server, add and uncomment two lines in the OpenVPN

server.conf file
===========================================================
==== 

32. In server.conf add a line to push a route to the server’s inside LAN
network and uncomment a line to allow client to client communication
between tunneled users

   cd /etc/openvpn
nano server.conf

add/uncomment the following two lines:

push “route 192.168.10.0 255.255.255.0” 

            client-to-client                                      

Ctrl+x, type y and press enter to save.

33. Now restart the OpenVPN server

   systemctl stop openvpn@server.service

systemctl start openvpn@server.service
systemctl status openvpn@server.service
 

Connect the the OpenVPN Server from a client computer

===============================================

34. With root access use the following command to connect to the server from
a Linux host. Notice, in the example command below the path to the
myclient.ovpn file is the current directory. If the ovpn config file is in a different
directory you will need to provide the path. You may need to install openvpn
and easy-rsa if openvpn is not already installedon your linux client.

   openvpn myclient.ovpn   

OpenVPN is now running in that terminal window, to close the OpenVPN

connection press Ctrl+c, or to continue working you will need to open a new
terminal window. You can also close OpenVPN and the tunnel connection
using the pkill program.

   pkill openvpn

35. In a new terminal window examine your tunnel interface using ifconfig.
You should see a tun0 interface with a 10.8.0.0 range IP address.

   ifconfig

36. Test to see if you can ping the router’s tunnel interface at 10.8.0.1, as well
communicate to the inside LAN network at 192.168.10.1

   ping 10.8.0.1
ping 192.168.10.1

37. To connect to the OpenVPN server from a Windows client computer you
will need to download and install the openvpn client program from
http://openvpn.net. You will find the the windows client installer at the website
under community downloads. After installing the OpenVPN client for Windows
you will need to copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn
files to the C:\Programs and Files (x86)\OpenVPN\config\ folder, or if you
installed the 64bit version of the OpenVPN client the location will be
C:\Programs and Files\OpenVPN\config\.

38. Now start the Windows OpenVPN client. It will launch into the System
Tray. You will right click the OpenVPN icon in the System Tray, choose the
config file and select Connect.

Start > Programs > OpenVPN GUI

Right click the OpenVPN icon in the system stray, and select Connect.
 

Configure the iptables firewall to allow OpenVPN connections

===================================================

Earlier in the lab, I shutdown the iptables firewall with the intention of turning it
back, after configuring it to allow OpenVPN connections.