OpenVPN Summary + Amazon Linux2

Overview

--OpenVPN carries Layer 2 frames (tap device) or Layer 3 packets (tun device) inside a tunnel protected by SSL/TLS, giving an authenticated, encrypted path between the OpenVPN server and the OpenVPN client.

--OpenVPN authenticates both ends with X.509 certificates issued by your own PKI (certificate authority).

--Files required for OpenVPN
--CA (Certificate Authority): CA certificate, CA private key (the CA key is only needed to issue and revoke certificates; keep it off the VPN server)
--OpenVPN server: CA certificate, server certificate, server private key, DH parameters
--OpenVPN client: CA certificate, client certificate, client private key

--Connection type

Routing connection (dev tun)
  Connects different networks through a virtual tunnel network.
  Because traffic is routed, the OpenVPN server and OpenVPN client can sit on different networks.
  Suited to connecting LANs to each other and to larger deployments, where access control is done per route and address.

Bridge connection (dev tap)
  Connects through a virtual Layer 2 interface.
  The OpenVPN client's virtual interface is given an IP address in the same segment as the network it connects to, so the client joins that network directly.
  Broadcast frames are carried across the tunnel, so Samba, Windows servers and other discovery-based services work. Easy to use for small networks and individuals.

OpenVPN server side

Create a certificate authority etc. using the easy-rsa package (the command is easyrsa, installed under /usr/share/easy-rsa/3).

# /usr/share/easy-rsa/3/easyrsa init-pki
# /usr/share/easy-rsa/3/easyrsa build-ca

Create a server certificate (nopass leaves the server key unencrypted so the service can start unattended).

# /usr/share/easy-rsa/3/easyrsa build-server-full vpnsrv nopass

Create a client certificate

# /usr/share/easy-rsa/3/easyrsa build-client-full vpncli1 nopass

Create DH parameters.

# /usr/share/easy-rsa/3/easyrsa gen-dh

Copy the created PKI directory to /etc/openvpn/server. Note that this copies pki/private/ca.key and the client keys as well; once the client files have been handed out, delete ca.key from the VPN server (or run the CA on a separate machine from the start), since anyone who obtains that key can issue certificates the server will trust.

# cp -r /usr/share/easy-rsa/3/pki /etc/openvpn/server

Create a TLS key.

# openvpn --genkey --secret /etc/openvpn/server/pki/ta.key

Settings in /etc/openvpn/server/server.conf. Copy the sample from /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf and edit it (the directory name carries the installed package version).

/etc/openvpn/server/server.conf

#port number
port 1194

#protocol
proto udp

#Bridge connection (Layer 2 tap device)
dev tap

#CA certificate (paths are relative to /etc/openvpn/server, the working directory of openvpn-server@.service)
ca pki/ca.crt

#Server certificate
cert pki/issued/vpnsrv.crt

#Server private key
key pki/private/vpnsrv.key

#DH parameters
dh pki/dh.pem

#Network used for VPN (addresses handed out to clients)
server 192.168.250.0 255.255.255.0
push "route 192.168.250.0 255.255.255.0"

#TLS authentication key (no direction given, so it is used bidirectionally; the client's tls-auth line must match)
tls-auth pki/ta.key

#A file that outputs a list of connected clients
status /var/log/openvpn-status.log

#File to output log (output to syslog if not specified)
log /var/log/openvpn.log

Enable IP forwarding and start OpenVPN (the instance name after @ is the config file name without .conf).

# sysctl -w net.ipv4.ip_forward=1
# systemctl start openvpn-server@server

OpenVPN client side

Transfer the following files to the OpenVPN client side over a protected channel such as scp. These are the only files the client needs; never copy pki/private/ca.key.

--Client certificate: /etc/openvpn/server/pki/issued/vpncli1.crt
--Client private key: /etc/openvpn/server/pki/private/vpncli1.key
--CA certificate: /etc/openvpn/server/pki/ca.crt
--TLS authentication key: /etc/openvpn/server/pki/ta.key

/etc/openvpn/client.conf

#Specifying to be a client.
client

#Bridge connection (must match the server's dev type)
dev tap

#protocol
proto udp

#Connection destination server, port
remote server.naata.com 1194

#Only accept a server certificate carrying the server extended key usage
#(which easyrsa build-server-full sets); a stolen client certificate cannot then pose as the server.
remote-cert-tls server

#Certificate authority certificate file
ca     ca.crt
#Client certificate file
cert   issued/vpncli1.crt
#Client private key file
key    private/vpncli1.key

#tls authentication key (no direction, matching the server's line)
tls-auth ta.key

Start OpenVPN. Relative paths in the config are resolved from the current directory, so change into it first.

# cd /etc/openvpn && /sbin/openvpn --config client.conf

Build OpenVPN (Amazon Linux2)

1. Installation

Enable EPEL Repository (https://aws.amazon.com/jp/premiumsupport/knowledge-center/ec2-enable-epel/)

OpenVPN installation (from EPEL, enabled above)

sudo yum install openvpn --enablerepo=epel -y

Install easy-rsa

sudo yum install easy-rsa --enablerepo=epel -y

2. Certificate authority and key creation

Certificate Authority Initialization

sudo -s
cd /usr/share/easy-rsa/3
./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/share/easy-rsa/3/pki

Creating a certificate authority

./easyrsa build-ca

Creating DH parameters

./easyrsa gen-dh

Creating a TLS authentication key

openvpn --genkey --secret /etc/openvpn/ta.key

Creating a server certificate and private key

./easyrsa build-server-full server nopass

Creating client certificate and private key (without nopass you are prompted for a passphrase that protects the client key; the client asks for it on connect)

./easyrsa build-client-full client

3. Settings in /etc/openvpn/server.conf

Copy the sample to /etc/openvpn and edit it.

cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/

/etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /usr/share/easy-rsa/3/pki/ca.crt
cert /usr/share/easy-rsa/3/pki/issued/server.crt
key /usr/share/easy-rsa/3/pki/private/server.key
dh /usr/share/easy-rsa/3/pki/dh.pem
# Tunnel network handed out to clients
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route to the VPC subnet, pushed to clients (adjust to your VPC CIDR)
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
# ta.key was generated above but is not used here; enabling this line
# requires "tls-auth ta.key 1" (and the key file) on every client
#tls-auth ta.key 0
cipher AES-256-CBC
# comp-lzo from the sample is left out: compression inside the tunnel is deprecated
# and lets an attacker recover plaintext from compressed sizes (VORACLE)
#comp-lzo
# Drop root after startup; persist-key/persist-tun keep the tunnel usable after the drop
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

4. Start and confirm OpenVPN

Forwarding settings

/etc/sysctl.conf

net.ipv4.ip_forward = 1

Apply the sysctl setting (restarting the network service does not re-read sysctl.conf)

sysctl -p /etc/sysctl.conf

Start OpenVPN and enable it at boot

systemctl start openvpn@server
systemctl enable openvpn@server

Check OpenVPN status

systemctl status openvpn@server
systemctl list-unit-files -t service | grep openvpn
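Beyond the unit status, the file named by the status directive (openvpn-status.log here, /var/log/openvpn-status.log in the first section) shows who is connected, from where, and how much they have transferred. The following Python script is an added example and not part of OpenVPN or of the original post: it parses the default status-version 1 layout and flags a common name seen from more than one real address, which is what a shared or stolen client certificate looks like from the server side (with duplicate-cn unset the older session is kicked, so this shows up as reconnects from changing addresses; with it set both sessions appear at once). The status text embedded in the script is constructed sample data.

```python
"""Parse an OpenVPN status file (status-version 1, the default layout) and
flag certificates that appear from more than one real address.

Added example for this page; not OpenVPN tooling and not code from the
original post. SAMPLE_STATUS is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of the default status file layout (status-version 1).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,203.0.113.10:51234,12345,67890,Thu Jun 18 08:01:02 2020
vpncli1,198.51.100.7:40001,5120,8192,Thu Jun 18 08:05:30 2020
vpncli1,192.0.2.44:60222,300,900,Thu Jun 18 08:09:45 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client,203.0.113.10:51234,Thu Jun 18 08:12:10 2020
10.8.0.10,vpncli1,198.51.100.7:40001,Thu Jun 18 08:12:01 2020
10.8.0.14,vpncli1,192.0.2.44:60222,Thu Jun 18 08:11:58 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


@dataclass(frozen=True)
class ClientEntry:
    common_name: str
    real_address: str
    bytes_received: int
    bytes_sent: int
    connected_since: str


@dataclass(frozen=True)
class RouteEntry:
    virtual_address: str
    common_name: str
    real_address: str
    last_ref: str


def parse_status(text):
    """Return (clients, routes) from status-version 1 text.

    Section names are literal lines and each section starts with a column
    header row, which is skipped. Fields are comma separated with no
    quoting, and the date fields contain no commas, so split(",") is safe.
    """
    clients, routes = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "END" or line.startswith("Updated,"):
            continue
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line == "GLOBAL STATS":
            section = "stats"
            continue
        if line.startswith(("Common Name,", "Virtual Address,")):
            continue  # column header row
        fields = line.split(",")
        if section == "clients" and len(fields) == 5:
            cn, addr, rx, tx, since = fields
            clients.append(ClientEntry(cn, addr, int(rx), int(tx), since))
        elif section == "routes" and len(fields) == 4:
            routes.append(RouteEntry(*fields))
    return clients, routes


def shared_common_names(clients, routes):
    """Common names seen from more than one real address -> sorted addresses."""
    seen = defaultdict(set)
    for c in clients:
        seen[c.common_name].add(c.real_address)
    for r in routes:
        seen[r.common_name].add(r.real_address)
    return {cn: sorted(addrs) for cn, addrs in seen.items() if len(addrs) > 1}


def traffic_by_common_name(clients):
    """Total (bytes received, bytes sent) per certificate common name."""
    totals = defaultdict(lambda: [0, 0])
    for c in clients:
        totals[c.common_name][0] += c.bytes_received
        totals[c.common_name][1] += c.bytes_sent
    return {cn: tuple(v) for cn, v in totals.items()}


if __name__ == "__main__":
    clients, routes = parse_status(SAMPLE_STATUS)
    for cn, addrs in shared_common_names(clients, routes).items():
        print(f"WARNING: {cn} seen from {len(addrs)} addresses: {', '.join(addrs)}")
    for cn, (rx, tx) in traffic_by_common_name(clients).items():
        print(f"{cn}: {rx} bytes received, {tx} bytes sent")
```

Point the script at the real file by replacing SAMPLE_STATUS with the contents of the status file; a common name that keeps turning up from new addresses is a reason to revoke that certificate (easyrsa revoke, then gen-crl and crl-verify on the server).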

5. AWS settings

--Allow inbound UDP 1194 in the security group of the instance where OpenVPN is installed

--Private network
--Route table: add a route for the VPN client segment (10.8.0.0/24 in the configuration above) with the OpenVPN instance as the target
--Security group: allow packets coming from the VPN client segment

--Disable the source / destination check on the OpenVPN instance; it forwards packets whose addresses are not its own, which the check would otherwise drop.

Reference: https://it.hirokun.net/entry/ec2-openvpn-easyrsa3#OpenVPN-6

6. Verify with Tunnelblick (macOS)

Connect with Tunnelblick using the following client configuration together with ca.crt, client.crt and client.key.

client
dev tun
proto udp
# replace with the public (Elastic) IP address of the instance
remote <OpenVPN server IP address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# accept only a certificate issued with the server extended key usage as the server
remote-cert-tls server
# fallback cipher; 2.4 peers negotiate AES-256-GCM through ncp-ciphers when both support it
cipher AES-256-CBC
keepalive 10 60
verb 3
mssfix 1280
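Both the file transfer list in the first section and the Tunnelblick setup above hand four separate files to the client. The Python script below is an added example, not OpenVPN's own tooling and not code from the original post: it bundles exactly those files into one .ovpn profile with inline blocks, refuses to inline private-key material into a certificate slot (so ca.key cannot leave the server by mistake), and adds remote-cert-tls server. The hostname server.naata.com and the file names vpncli1.crt / vpncli1.key come from the page; the PEM contents used in the demo are constructed placeholders, not real keys.

```python
"""Bundle an OpenVPN client's materials into a single .ovpn profile.

Added example for this page; not OpenVPN tooling and not code from the
original post. The PEM blobs in the demo are constructed placeholders.
"""
import tempfile
from pathlib import Path

CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)
TA_MARKER = "-----BEGIN OpenVPN Static key V1-----"


def _read_block(path, markers, forbid=()):
    """Read a PEM-style file and check its header before inlining it."""
    text = Path(path).read_text()
    if not any(m in text for m in markers):
        raise ValueError(f"{path}: expected a block starting with {markers[0]}")
    if any(f in text for f in forbid):
        raise ValueError(f"{path}: contains private-key material; refusing to inline it")
    return text.strip()


def build_profile(remote_host, ca_crt, client_crt, client_key,
                  ta_key=None, port=1194, dev="tun", proto="udp"):
    """Return the text of a single-file OpenVPN client profile."""
    # Certificate slots must never receive ca.key or a client key by mistake.
    ca = _read_block(ca_crt, (CERT_MARKER,), forbid=KEY_MARKERS)
    cert = _read_block(client_crt, (CERT_MARKER,), forbid=KEY_MARKERS)
    key = _read_block(client_key, KEY_MARKERS)
    ta = _read_block(ta_key, (TA_MARKER,)) if ta_key else None

    lines = [
        "client",
        f"dev {dev}",
        f"proto {proto}",
        f"remote {remote_host} {port}",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        # Require the server extended key usage in the peer certificate
        # (easyrsa build-server-full sets it) so a leaked client
        # certificate cannot impersonate the server.
        "remote-cert-tls server",
        "verb 3",
    ]
    if ta:
        # tls-auth direction for inline keys: the server uses 0, clients 1.
        lines.append("key-direction 1")
    lines += ["<ca>", ca, "</ca>", "<cert>", cert, "</cert>", "<key>", key, "</key>"]
    if ta:
        lines += ["<tls-auth>", ta, "</tls-auth>"]
    return "\n".join(lines) + "\n"


# Constructed placeholder contents; not valid certificates or keys.
_PLACEHOLDER = "PLACEHOLDER-NOT-A-REAL-KEY"
FAKE_CA_CRT = f"{CERT_MARKER}\n{_PLACEHOLDER}\n-----END CERTIFICATE-----\n"
FAKE_CLIENT_CRT = FAKE_CA_CRT
FAKE_CLIENT_KEY = f"-----BEGIN PRIVATE KEY-----\n{_PLACEHOLDER}\n-----END PRIVATE KEY-----\n"
FAKE_TA_KEY = f"{TA_MARKER}\n{_PLACEHOLDER}\n-----END OpenVPN Static key V1-----\n"


def _write_demo_files(directory):
    """Write the placeholder files with the names used on this page."""
    contents = {"ca.crt": FAKE_CA_CRT, "vpncli1.crt": FAKE_CLIENT_CRT,
                "vpncli1.key": FAKE_CLIENT_KEY, "ta.key": FAKE_TA_KEY}
    paths = {}
    for name, body in contents.items():
        p = Path(directory) / name
        p.write_text(body)
        paths[name] = p
    return paths


def demo_profile():
    """Profile for server.naata.com (the page's hostname) built from the placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        f = _write_demo_files(d)
        return build_profile("server.naata.com", f["ca.crt"], f["vpncli1.crt"],
                             f["vpncli1.key"], f["ta.key"])


def demo_rejects_key_in_ca_slot():
    """True when a private key passed as the CA certificate is refused."""
    with tempfile.TemporaryDirectory() as d:
        f = _write_demo_files(d)
        try:
            build_profile("server.naata.com", f["vpncli1.key"], f["vpncli1.crt"], f["vpncli1.key"])
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo_profile())
```

Run it on the real files on the CA machine and ship the resulting .ovpn to the user; Tunnelblick and the Linux client both accept inline blocks, and there is then one file to protect and one file to delete when the certificate is revoked.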
