{"id":5245,"date":"2015-10-04T14:26:23","date_gmt":"2015-10-04T06:26:23","guid":{"rendered":"http:\/\/rmohan.com\/?p=5245"},"modified":"2015-10-04T14:26:23","modified_gmt":"2015-10-04T06:26:23","slug":"setup-your-own-private-network-with-openvpn","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5245","title":{"rendered":"Setup Your Own Private Network With OpenVPN"},"content":{"rendered":"

private network connectivity for servers running at the same location. But sometimes you want two servers in different countries \/ datacenters to be able to communicate in a private and secure way. This tutorial will show you how to achieve that with the help of OpenVPN. The operating systems used here are Debian and CentOS, just to show you two different configurations. This can be easily adapted for Debian -> Debian, Ubuntu -> FreeBSD and so on.<\/p>\n

Machine 1: Debian, will act as server (Location: NL)
\nMachine 2: CentOS, will act as client (Location: FR)
\nMachine 1
\nStart on machine 1 by installing OpenVPN:<\/p>\n

apt-get install openvpn
\nThen, copy the example configuration and the tool for generating keys, easy-rsa, to \/etc\/openvpn:<\/p>\n

cp -r \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/ \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz \/etc\/openvpn
\nThe default values for your keys aren’t exactly safe anymore, to fix this open \/etc\/openvpn\/easy-rsa\/2.0\/vars with your favorite text editor and modify the following line:<\/p>\n

export KEY_SIZE=4096
\nNext, ensure that the values are loaded into your current session, clean up eventually existing keys, and generate your certificate authority:<\/p>\n

cd \/etc\/openvpn\/easy-rsa\/2.0
\nsource .\/vars
\n.\/clean-all
\n.\/build-ca
\nYou will be prompted for information. Make your life easier by supplying information about your server, for example, where it’s located and what the FQDN is\/will be. This is useful for when you have to debug problems:<\/p>\n

Country Name (2 letter code) [US]:NL
\nState or Province Name (full name) [CA]:-
\nLocality Name (eg, city) [SanFrancisco]:Vultr Datacenter NL
\nOrganization Name (eg, company) [Fort-Funston]:-
\nOrganizational Unit Name (eg, section) [changeme]:-
\nCommon Name (eg, your name or your server’s hostname) [changeme]:yourserver1.yourdomain.tld
\nName [changeme]:-
\nEmail Address [mail@host.domain]:youraddress@yourdomain.tld
\nAnother necessity is parameters for the Diffie-Hellman key exchange. Those need to be generated too:<\/p>\n

.\/build-dh
\nImportant: The build-dh command is a relatively complex process that can take up to ten minutes, depending on your server’s resources.<\/p>\n

To further improve the security of this connection, we will generate a static secret that needs to be distributed amongst all clients:<\/p>\n

mkdir \/etc\/openvpn\/keys
\nopenvpn –genkey –secret \/etc\/openvpn\/keys\/ta.key
\nNow, you can generate the key for the server:<\/p>\n

.\/build-key-server server1
\nThis command will prompt for some information:<\/p>\n

Country Name (2 letter code) [US]:NL
\nState or Province Name (full name) [CA]:-
\nLocality Name (eg, city) [SanFrancisco]:Vultr Datacenter NL
\nOrganization Name (eg, company) [Fort-Funston]:-
\nOrganizational Unit Name (eg, section) [changeme]:-
\nCommon Name (eg, your name or your server’s hostname) [server1]:yourserver1.yourdomain.tld
\nName [changeme]:-
\nEmail Address [mail@host.domain]:youraddress@yourdomain.tld
\nThe final step is to sign the certificate request that was just generated with the CA’s key:<\/p>\n

1 out of 1 certificate requests certified, commit? [y\/n]y
\nCopy the necessary keys and certificates into a separate folder:<\/p>\n

cd \/etc\/openvpn\/easy-rsa\/2.0\/keys
\ncp dh4096.pem ca.crt server1.crt server1.key \/etc\/openvpn\/keys\/
\nchmod 700 \/etc\/openvpn\/keys
\nchmod 600 \/etc\/openvpn\/keys\/*
\nNow for the configuration, unzip it …<\/p>\n

cd \/etc\/openvpn
\ngunzip server.conf.gz
\n… and open the resulting server.conf with your favorite text editor. The configuration should look similar to this:<\/p>\n

port 1194
\nproto udp
\ndev tun<\/p>\n

ca keys\/ca.crt
\ncert keys\/server1.crt
\nkey keys\/server1.key
\ndh keys\/dh4096.pem
\nserver 10.8.100.0 255.255.255.0
\nifconfig-pool-persist ipp.txt<\/p>\n

# Uncomment this if you have multiple clients
\n# and want them to be able to see each other
\n;client-to-client<\/p>\n

keepalive 10 120
\ntls-auth keys\/ta.key 0 <\/p>\n

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
\ncipher AES-256-CBC
\nauth SHA384
\ncomp-lzo<\/p>\n

user nobody
\ngroup nogroup<\/p>\n

persist-key
\npersist-tun
\nverb 3
\nmute 20
\nAfter restarting the service you should watch your log a bit …<\/p>\n

service openvpn restart && tail -f \/var\/log\/syslog
\n… to make sure everything is working. If no errors are detected, then you can generate the keys for your second server:<\/p>\n

cd \/etc\/openvpn\/easy-rsa\/2.0
\nsource .\/vars
\n.\/build-key server2
\nAgain, you will be prompted for information:<\/p>\n

Country Name (2 letter code) [US]:FR
\nState or Province Name (full name) [CA]:-
\nLocality Name (eg, city) [SanFrancisco]:Vultr Datacenter FR
\nOrganization Name (eg, company) [Fort-Funston]:-
\nOrganizational Unit Name (eg, section) [changeme]:-
\nCommon Name (eg, your name or your server’s hostname)
\n[server2]:yourserver2.yourdomain.tld
\nName [changeme]:-
\nEmail Address [mail@host.domain]:youraddress@yourdomain.tld
\nNow, you need to transfer the necessary files to your second server, preferably encrypted:<\/p>\n

cd \/etc\/openvpn\/easy-rsa\/2.0\/keys
\ncp \/etc\/openvpn\/keys\/ta.key .
\ntar -cf vpn.tar ca.crt server2.crt server2.key ta.key
\nscp vpn.tar yourusername@server2:~\/
\nrm vpn.tar
\nMachine 2
\nTime to switch to the SSH-connection of your second server. The first step is to install OpenVPN …<\/p>\n

yum install openvpn
\n… and to deactivate firewalld. The replacement will be plain iptables.<\/p>\n

systemctl stop firewalld
\nsystemctl disable firewalld
\nUnpack the archive that you just moved to the server and properly set permissions on the files:<\/p>\n

cd \/etc\/openvpn
\nmkdir keys
\nchmod 700 keys
\ncd keys
\ntar -xf ~\/vpn.tar -C .
\nchmod 600 *
\nCreate \/etc\/openvpn\/client.conf with your favorite text editor. It should look like this:<\/p>\n

client
\ndev tun
\nproto udp<\/p>\n

remote yourserver yourport
\nresolv-retry infinite
\nnobind
\nuser nobody
\ngroup openvpn<\/p>\n

persist-key
\npersist-tun<\/p>\n

ca keys\/ca.crt
\ncert keys\/server2.crt
\nkey keys\/.key<\/p>\n

ns-cert-type server
\ntls-auth keys\/ta.key 1<\/p>\n

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
\ncipher AES-256-CBC
\nauth SHA384<\/p>\n

remote-cert-tls server<\/p>\n

comp-lzo
\nverb 3
\nmute 20
\nThe last step is to start and enable the service:<\/p>\n

systemctl start openvpn@client.service
\nsystemctl enable openvpn@client.service
\nIf everything is working, then you should have no problem pinging the first server:<\/p>\n

PING 10.8.100.1 (10.8.100.1) 56(84) bytes of data.
\n64 bytes from 10.8.100.1: icmp_seq=1 ttl=64 time=17.8 ms
\n64 bytes from 10.8.100.1: icmp_seq=2 ttl=64 time=17.9 ms
\n64 bytes from 10.8.100.1: icmp_seq=3 ttl=64 time=17.8 ms
\nYou now have a private connection over the Internet!<\/p>\n

If you need to troubleshoot any errors, try checking the logs with the following command:<\/p>\n

journalctl -xn<\/p>\n","protected":false},"excerpt":{"rendered":"

private network connectivity for servers running at the same location. But sometimes you want two servers in different countries \/ datacenters to be able to communicate in a private and secure way. This tutorial will show you how to achieve that with the help of OpenVPN. The operating systems used here are Debian and CentOS, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5245"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5245"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5245\/revisions"}],"predecessor-version":[{"id":5246,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5245\/revisions\/5246"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}