Lab 10 - Tunnels. Remote Network Security

Objectives

Today, we're going to learn how to configure two of the most widely used open-source VPN solutions: OpenVPN and WireGuard!

  • Set up OpenVPN and WireGuard servers on a Linux machine;
  • Configure clients to connect to each VPN;
  • Customize routing through the VPN.

Tasks

As we will need at least two Linux systems (one for the VPN server, another for the client – for OpenVPN, at least), you will need to work in pairs!

[20p] 0. Setup & EasyRSA certificate generation

1. Install the openvpn and wireguard-tools packages from the APT repository.

2. We'll use EasyRSA to generate a PKI with CA & leaf certificates for server + clients:

git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
cp vars.example vars
vim vars  # or nano, uncomment & edit COUNTRY, CITY, ORG etc.
./easyrsa init-pki
./easyrsa build-ca   # and enter a min. 4 char password + remember it!
# verify CA details:
./easyrsa show-ca

Generally, the CA is created by the VPN server provider, while each client generates its own certificate request and transfers it to the server to be signed. But for simplicity, we'll do everything on the same machine.

3. Now use the official instructions here to request & sign both a “Server” and a “Client” certificate (use whatever Common Names you want, but make them at least descriptive). Note: you must supply a password, though you can disable this by editing the vars file and uncommenting the EASYRSA_NO_PASS 1 line ;)

Make sure to set the proper client or server certificate type for sign-req's argument!

Also note the path of the generated certificates! You must transfer the CA certificate, the Client certificate and its private key to the client machine (VM) – you can do it now, or a bit later when told!

[40p] 1. OpenVPN Configuration

We will use the CA and certificates generated with EasyRSA in the previous task.

Now choose your role (and help your colleague!):

A. OpenVPN Server

Note: all of these steps must be done logged in as root!

1. First, copy the server private key + certificate and the CA certificate to the OpenVPN's server configuration directory:

root in /etc/openvpn/server …
➜ ls -l
total 16K
-rw------- 1 root root 1.2K 2024-12-08 19:56 ca.crt
-rw------- 1 root root 4.5K 2024-12-08 19:56 Server.crt
-rw------- 1 root root 1.7K 2024-12-08 19:56 Server.key

2. Copy the OpenVPN example server.conf:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/server.conf

Open the config with your favorite editor, then:

  • ensure that the ca, cert and key point to the ones copied from EasyRSA (note: Linux is CaSe SeNsItiVe!);
  • read the comments and generate ta.key;
  • read the comments and generate the Diffie-Hellman parameters file (dh2048.pem);

3. Start/restart the service:

systemctl restart openvpn-server@server.service

If it didn't complain, then congratulations! You're done with the server!

Use journalctl -u openvpn-server@server -n 100 -f to display the log flow of the OpenVPN server (also check it in case of any service startup error).

B. OpenVPN Client

1. Transfer the Server CA (ca.crt), Client.key and Client.crt from the Server (check easyrsa's pki/ directory).

Note: SSH is unusable without a public key, so you'll need to transfer the files using another service (e.g., a paste bin, Teams / Discord / Messenger, netcat client/server text messaging, etc.).

2. Copy the example client configuration from /usr/share/doc/openvpn/examples/sample-config-files/client.conf somewhere you want (e.g., in your home, or inside /etc/openvpn/client, it doesn't really matter).

3. Edit the config and enter the server's external IP address (the VLAN9 network IP address if on OpenStack) in the remote directive, then also check (and modify) the ca, cert and key directives so that they point to where you have these files (which you've transferred earlier, RIGHT?).

4. Try to run your client using openvpn <path-to-client.conf>. Inspect the error… Something about ta.key – yep, that's right, bring it from the server :(

5. Finally, connect to the VPN and (from another terminal, unless you spawned OpenVPN in daemon mode), ping it:

ping 10.8.0.1
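Before starting the client (step 4), the files referenced by client.conf and the two settings that matter most for security (tls-auth and remote-cert-tls) can be checked with a small script. This is an added example, not the lab's or OpenVPN's own code; it assumes the directive names used by the sample config files and a constructed client.conf in a temporary directory.

```shell
# Added example (not the lab's own code): sanity-check an OpenVPN client
# config before starting it, using the directives from the sample files.

# First value of a directive; '#' and ';' comment lines are ignored.
ovpn_get() {  # $1=config file  $2=directive
    sed -e 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Every file the config points at must exist. Relative paths are resolved
# against the config's directory here, as the lab keeps them side by side.
ovpn_check_files() {  # $1=config file
    dir=$(dirname "$1"); missing=0
    for d in ca cert key dh tls-auth; do
        f=$(ovpn_get "$1" "$d")
        case "$f" in ''|none) continue ;; /*) p=$f ;; *) p="$dir/$f" ;; esac
        if [ ! -f "$p" ]; then echo "missing $d file: $p"; missing=$((missing + 1)); fi
    done
    [ "$missing" -eq 0 ]
}

# Client side: insist on tls-auth (the ta.key that step 4 trips over) and on
# 'remote-cert-tls server', which makes the client reject a peer that shows a
# client-type certificate; this is why sign-req's certificate type matters.
ovpn_check_client() {  # $1=client config
    ok=0
    ovpn_check_files "$1" || ok=1
    [ -n "$(ovpn_get "$1" tls-auth)" ] || { echo "tls-auth not configured"; ok=1; }
    [ "$(ovpn_get "$1" remote-cert-tls)" = server ] || { echo "remote-cert-tls server missing"; ok=1; }
    return $ok
}

# Constructed fixture: a client.conf next to dummy ca/cert/key files but, as
# in step 4 above, without ta.key. Prints the config path.
ovpn_demo_config() {
    d=$(mktemp -d); touch "$d/ca.crt" "$d/Client.crt" "$d/Client.key"
    printf '%s\n' 'client' 'remote 203.0.113.10 1194' 'ca ca.crt' 'cert Client.crt' \
        'key Client.key' 'tls-auth ta.key 1' 'remote-cert-tls server' > "$d/client.conf"
    echo "$d/client.conf"
}

cfg=$(ovpn_demo_config)
ovpn_check_client "$cfg" || echo "fix the above, then: openvpn $cfg"
```

Run it against your real client.conf with `ovpn_check_client /path/to/client.conf`; the demo run prints the missing ta.key, exactly the error step 4 describes.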

[40p] 2. WireGuard

WireGuard is one of the newest open-source VPN technologies, increasingly popular for its low complexity, straightforward configuration, security and performance, owing to its use of modern cryptographic primitives (ChaCha20+Poly1305 for symmetric encryption, Curve25519 for ECDH, BLAKE2s for hashing).

Authentication is done by simply exchanging public keys. Let's go!

1. Each of you should generate a private/public key pair and share the public half with your colleague. This is best done using the wg CLI utility:

wg genkey | tee wg-priv.key | wg pubkey | tee wg-pub.key
# Q: what does `tee` do? (`man` it!)

Only the public key is displayed on the console (both are stored as files for backup!). Share it with your colleague!

2. Time to create our configuration file. Create a .conf file inside /etc/wireguard/ (your choice of naming, though wg-isc sounds quite okay).

Use the following code template and fill the variables (also remove/replace the <..> placeholders!):

[Interface]
PrivateKey = <paste-your-private-key>
ListenPort = 55820

[Peer]
PublicKey = <paste-your-colleague's-pub-key>
Endpoint = <colleague-VM-IP>:55820
AllowedIPs = <your-tunnel-subnet>/<mask>

Use a private space as the tunnel subnet address, e.g., 10.12.34.252/30.

3. We'll create the wireguard interfaces the iproute2 way (i.e., using the ip Linux utility):

ip link add wg-isc type wireguard
wg setconf wg-isc /etc/wireguard/wg-isc.conf  # or whatever you named your config
ip address add <your-address>/<mask> dev wg-isc

4. Connectivity test!

ping <colleague-private-tunnel-ip>
sudo wg  # show wireguard statistics

Note: there are even simpler ways of configuring WireGuard, like wg-quick (automates interface creation & IP address/route configuration using a similar .conf file) and wg-easy (a Web GUI for WireGuard) – but we wanted to demonstrate its purest form (:
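AllowedIPs is the setting in the template above that deserves the most attention: it is both a routing rule and an access-control list for the peer. The script below, an added example and not the lab's or WireGuard's own code, lints a config written from the template before wg setconf loads it; it assumes one [Interface] and one [Peer] section and uses constructed all-zero demo keys.

```shell
# Added example (not the lab's own code): lint a WireGuard .conf written
# from the template above before 'wg setconf' loads it.

# First value of a key (whitespace around '=' stripped); $1=file, $2=key.
wg_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }

# A Curve25519 key is 32 bytes, so its base64 form is 43 chars plus one '='.
wg_valid_key() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# True for RFC 1918 addresses, the "private space" the lab asks for.
wg_is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# AllowedIPs is WireGuard's cryptokey routing table: packets *to* these
# prefixes are sent to that peer, and packets *from* it are dropped unless
# their source lies inside them. 0.0.0.0/0 therefore means "route everything
# through this peer" (full tunnel), which is a deliberate choice, not a default.
wg_lint() {  # $1=config file; prints each problem, returns 1 if any
    bad=0
    if grep -q '<' "$1"; then echo "placeholder <...> still present"; bad=1; fi
    wg_valid_key "$(wg_get "$1" PrivateKey)" || { echo "bad PrivateKey"; bad=1; }
    wg_valid_key "$(wg_get "$1" PublicKey)" || { echo "bad peer PublicKey"; bad=1; }
    port=$(wg_get "$1" ListenPort)
    case "$port" in
        ''|*[!0-9]*) echo "ListenPort must be a number"; bad=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "ListenPort out of range"; bad=1; } ;;
    esac
    for cidr in $(wg_get "$1" AllowedIPs | tr ',' ' '); do
        case "$cidr" in
            0.0.0.0/0) echo "AllowedIPs 0.0.0.0/0 sends all traffic through this peer"; bad=1 ;;
            *) wg_is_private "${cidr%/*}" || { echo "AllowedIPs $cidr is not private space"; bad=1; } ;;
        esac
    done
    return $bad
}

# Constructed fixture: the lab template filled with all-zero demo keys (valid
# format only; never use such keys) and the AllowedIPs given as $1.
wg_demo_config() {
    f=$(mktemp); k=$(head -c 32 /dev/zero | base64)
    printf '%s\n' '[Interface]' "PrivateKey = $k" 'ListenPort = 55820' '' '[Peer]' \
        "PublicKey = $k" 'Endpoint = 198.51.100.7:55820' "AllowedIPs = $1" > "$f"
    echo "$f"
}
wg_lint "$(wg_demo_config 10.12.34.254/32)" && echo "config looks sane"
```

For the lab, AllowedIPs should be your colleague's tunnel address (or the small tunnel subnet); the linter rejects a leftover placeholder, a malformed key and a full-tunnel 0.0.0.0/0 entry.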

isc/labs/10.txt · Last modified: 2024/12/11 10:20 by radu.mantu
CC Attribution-Share Alike 3.0 Unported