Tuesday, 19 May 2015

OpenVPN - Point-to-Point VPN using SSL/TLS mode in RHEL7

OpenVPN has 2 authentication modes:
1) Static Key Mode: uses a pre-shared key for authentication. A pre-shared key is generated and shared between both OpenVPN peers.

2) TLS/SSL mode: uses digital certificates for authentication and key exchange. An SSL session is established with both client and server authenticating each other with digital certificates.

In this tutorial, we will establish a point-to-point VPN tunnel using TLS/SSL mode, between two hosts:
Server: 192.168.3.2
Client:  192.168.3.1

The tunnel endpoints will be as follows:
Server: 10.8.0.2
Client:  10.8.0.1  

The VPN tunnel end-points represent a secure alternate path between the two hosts. For example, from client, you can 'telnet' to the server over the VPN by using the tunnel endpoint address of the server, as shown below:
telnet 10.8.0.2

Or, you can 'telnet' directly to the server, by using the server's ip address, as shown below:
telnet 192.168.3.2

NOTE: Ensure that the address you use for the tunnel endpoints is not part of any existing subnet on both the machines. 
 
In this tutorial, we use the sample keys and certificates from the dir '/usr/share/doc/openvpn-2.3.6/sample/sample-keys/'.

Server Configuration: (192.168.3.2)


1) Install EPEL Repository
[root@zserver1 ~]# yum install epel-release

2) Install packages
[root@zserver1 ~]# yum --disablerepo=\* --enablerepo=epel install openvpn

3) Files needed on the server. Sample files from the dir. '/usr/share/doc/openvpn-2.3.6/sample/sample-keys/'
a) CA's certificate (ca.crt)
b) Server's Certificate (server.crt)
c) Server's Private Key (server.key)
d) Diffie-Hellman Parameters (dh2048.pem)

4) Create the server config file '/etc/openvpn/server.conf'. Add the following entries.
dev tun 

ifconfig 10.8.0.2  10.8.0.1

tls-server
 

dh /usr/share/doc/openvpn-2.3.6/sample/sample-keys/dh2048.pem

ca /usr/share/doc/openvpn-2.3.6/sample/sample-keys/ca.crt
 

cert /usr/share/doc/openvpn-2.3.6/sample/sample-keys/server.crt
 

key /usr/share/doc/openvpn-2.3.6/sample/sample-keys/server.key


5) Start VPN Server
[root@zserver1 openvpn]#  systemctl start openvpn@server.service

6) Configure firewall. Open UDP port 1194 and enable virtual device 'tun0'.
[root@zserver1 openvpn]# firewall-cmd --zone=public --add-port=1194/udp --permanent
[root@zserver1 openvpn]#firewall-cmd --zone=public --add-interface=tun0 --permanent
[root@zserver1 openvpn]# firewall-cmd --reload


Client Configuration: (192.168.3.1)


1) Install EPEL Repository
[root@meru ~]# yum install epel-release

2) Install packages
[root@meru ~]# yum --disablerepo=\* --enablerepo=epel install openvpn

3) Files needed on the client. Sample files from the dir. '/usr/share/doc/openvpn-2.3.6/sample/sample-keys/'.
a) CA's certificate (ca.crt)
b) Client's Certificate (client.crt)
c) Client's Private Key (client.key)

4) Create the client config file '/etc/openvpn/client.conf'. Add the following entries.
remote 192.168.3.2  

dev tun

ifconfig 10.8.0.1  10.8.0.2

tls-client
 

ca /usr/share/doc/openvpn-2.3.6/sample/sample-keys/ca.crt
 

cert /usr/share/doc/openvpn-2.3.6/sample/sample-keys/client.crt
 

key /usr/share/doc/openvpn-2.3.6/sample/sample-keys/client.key


5) Connect to the VPN Server
[root@meru ~]#  openvpn --config /etc/openvpn/client.conf

6) Open another terminal window. And configure firewall. Enable virtual device 'tun0'.
[root@meru ~]# firewall-cmd --zone=public --add-interface=tun0 --permanent
[root@meru ~]# firewall-cmd --reload

7) To test the VPN, ping 10.8.0.2 from the client and 10.8.0.1 from the server
[root@meru ~]# ping 10.8.0.2

2 comments:

  1. FastestVPN offers Best VPN for Linux with an easy setup that lets you experience the internet with freedom, anonymity, security and privacy!

    ReplyDelete
  2. Nikmati Bonus Menarik Dari Bolavita Sekarang...
    -Nikmati Bous New member 10%
    -Nikmati Bonus Cashback Hingga 10%
    -Nikmati Juga Bonus jackpot Hingga Ratusan juta Rupiah Setiap harinya...

    Info Lengkap Hubungi:
    WA : 0812-2222-995
    Line : cs_bolavita
    Link : www.bolavita1.com

    TERIMA KASIH

    ReplyDelete