Basic CentOS Setup
First, you'll need a CentOS 7 server. You can use one from almost
anywhere – a machine with Digital Ocean, AWS or Azure, or one in your
friend's apartment. Assuming you're starting from scratch, you'll need
to get the software updated and the EPEL repo installed.
# sudo yum update -y
# sudo yum install epel-release -y
# sudo yum update -y

Then you'll want to install openvpn, easyrsa, iptables and (recommended) a few network troubleshooting tools.
# sudo yum install -y openvpn easy-rsa iptables iptables-services wget yum-cron net-tools bind-utils nc mtr
Setting up OpenVPN
Now, you'll want to configure the OpenVPN server. To do this, copy the following file to /etc/openvpn/server.conf.

# Secure OpenVPN Server Config

# Basic Connection Config
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 5

# Certs
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

# Ciphers and Hardening
reneg-sec 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

# Drop Privs
user nobody
group nobody

# IP pool
server 192.168.200.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd

# Misc
persist-key
persist-tun
comp-lzo

# DHCP push options: force all traffic through the VPN and set DNS servers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# Logging
log-append /var/log/openvpn.log
verb 3
Make the Client Config Directory
This directory can hold client-specific configs, if desired:
# mkdir /etc/openvpn/ccd
Generating the Keys and Certificates
OpenVPN provides a tool called EasyRSA, which lets you generate the keys you need. You installed it above, so time to get going:
First, Init PKI:
# cd ~
# /usr/share/easy-rsa/3/easyrsa init-pki

Now, build the certificate authority. You'll be asked for a common name; I use 'VPN'. If you want to be extra secure, you can set this to the FQDN of your host, and then turn on an option to make sure that the CN of the certificate matches the FQDN of the server, but I prefer not to do this, so my certificates are portable:
# /usr/share/easy-rsa/3/easyrsa build-ca nopass

Generate the Diffie-Hellman parameters:
# /usr/share/easy-rsa/3/easyrsa gen-dh

Generate the server keys (vpn-server should be the name of your server):
# /usr/share/easy-rsa/3/easyrsa build-server-full vpn-server nopass

Generate one or more client keys (vpn-client-01 should be the name of your client machine):
# /usr/share/easy-rsa/3/easyrsa build-client-full vpn-client-01 nopass

Generate the certificate revocation list:
# /usr/share/easy-rsa/3/easyrsa gen-crl

Generate a pre-shared key. This helps harden your VPN; for details, see the section on --tls-auth on the OpenVPN Hardening page.
# openvpn --genkey --secret pki/ta.key
Copying the Keys
Now you need to copy your keys to the OpenVPN config directory. Everything should be in ~/pki:
# sudo cp pki/ca.crt /etc/openvpn/ca.crt
# sudo cp pki/dh.pem /etc/openvpn/dh.pem
# sudo cp pki/issued/vpn-server.crt /etc/openvpn/server.crt
# sudo cp pki/private/vpn-server.key /etc/openvpn/server.key
# sudo cp pki/ta.key /etc/openvpn/ta.key
# sudo cp pki/crl.pem /etc/openvpn/crl.pem
Setup OpenVPN to Start Automatically
Next up, you'll want to start OpenVPN. To do so:
# sudo systemctl -f enable openvpn@server.service
# sudo systemctl start openvpn@server.service

If it doesn't start, check the log for clues:
# sudo tail -f /var/log/openvpn.log

Optionally, you may want to skip ahead to Setting up the Client, so you can test things out. At this point you should be able to connect to your VPN server and ping it from your client (172.31.100.1 if you've followed the steps above). You won't be able to pass live traffic through the VPN until you complete the routing steps below, but this is a good point to make sure that everything is working.
Setting up Routing w/ iptables
Since your server will be a VPN server, you probably want to block most
inbound connections, except over SSH and the OpenVPN port. You'll also
want to allow packet forwarding from VPN clients to the wider internet,
or else your client could only talk to your VPN server itself. We do
that with iptables.
Enable IPv4 Forwarding
First, edit /etc/sysctl.conf and add the following lines:
# Packet forwarding
net.ipv4.ip_forward = 1

Save the file, and then run sysctl -p to load the changes. You can verify forwarding is enabled by running more /proc/sys/net/ipv4/ip_forward, which should return 1 if it's enabled.
Configure IPTables
Now, we run a series of commands to configure iptables. Thanks again to Tristor for his work here, which forms the basis of this. Note that you MUST do this as part of a bash script which gets run all at once; if you type these commands line by line you'll cut yourself off from SSH access before you can enter the commands to open it up. Also, if you're not using 172.31.100.0/24 for your VPN subnet, you'll need to change that below.

# /etc/sysconfig/iptables (loaded by the iptables-services unit)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.200.0/24 -o ens33 -j MASQUERADE
-A POSTROUTING -s 192.168.200.0/24 -o ens192 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
# No blanket ACCEPT on the public interface: only the ports listed below are reachable
# LOGDROPPER
#-N LOGNDROP
#-A LOGNDROP -j LOG --log-prefix "LOGNDROP: "
#-A LOGNDROP -j DROP
#-A INPUT -m state --state INVALID -j LOGNDROP
#-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOGNDROP
#-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGNDROP
#-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOGNDROP
#-A INPUT -p tcp --tcp-flags ALL NONE -j LOGNDROP
#-A INPUT -p tcp --tcp-flags ALL ALL -j LOGNDROP
#-A INPUT -p tcp ! --syn -m state --state NEW -j LOGNDROP
#-A INPUT -p tcp -m length --length 0 -j LOGNDROP
#-N syn_flood
#-A INPUT -p tcp --syn -j syn_flood
#-A syn_flood -m limit --limit 300/s --limit-burst 1500 -j RETURN
#-A syn_flood -m limit --limit 300/s --limit-burst 1500 -j LOG --log-prefix DDoS-DROP:
#-A syn_flood -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2020 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# OpenVPN listens on UDP (proto udp in server.conf), so the allow rule must be UDP too
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3328 -j ACCEPT
# Everything not matched above is refused; FORWARD stays open so VPN clients can reach the internet
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Finally, enable that config as a service.
# sudo systemctl enable iptables
# sudo systemctl start iptables
# sudo service iptables save
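Two checks worth running once the files are in place, as an added example that is not part of the original post: the first lints a server.conf for the hardening directives used above, the second confirms that the firewall opens the protocol and port the server actually listens on (the server config above uses udp/1194, so a tcp rule on 1194 would not match). The sample configs, rule files and function names are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: two sanity checks for the
# setup above. Directive names and the sample files are constructed here.

# Report each hardening directive from the post's server.conf that is
# missing or weaker than specified; one finding per line on stdout.
lint_server_conf() {
  conf="$1"
  for d in 'tls-auth' 'remote-cert-tls client' 'crl-verify' \
           'auth SHA512' 'user nobody' 'group nobody'; do
    grep -Eq "^[[:space:]]*$d([[:space:]]|$)" "$conf" || echo "missing: $d"
  done
  # tls-version-min must be present and at least 1.2
  grep -Eq '^tls-version-min[[:space:]]+1\.[2-9]' "$conf" || echo "weak: tls-version-min"
  # the post uses AES-256-CBC; any AES cipher passes, anything else is flagged
  grep -Eq '^cipher[[:space:]]+AES-(128|192|256)-(CBC|GCM)' "$conf" || echo "weak: cipher"
}

# Succeed only if the INPUT chain in an iptables-save file accepts the
# protocol and port that server.conf actually listens on.
check_fw_port() {
  conf="$1" rules="$2"
  proto=$(awk '$1=="proto"{print $2}' "$conf")
  port=$(awk '$1=="port"{print $2}' "$conf")
  grep -Eq "^-A INPUT .*-p $proto( .*)? --dport $port( .*)? -j ACCEPT" "$rules"
}

# Constructed sample inputs in a scratch directory.
D=$(mktemp -d)
printf '%s\n' 'dev tun' 'proto udp' 'port 1194' 'tls-auth ta.key 0' \
  'remote-cert-tls client' 'crl-verify crl.pem' 'tls-version-min 1.2' \
  'cipher AES-256-CBC' 'auth SHA512' 'user nobody' 'group nobody' > "$D/good.conf"
printf '%s\n' 'dev tun' 'proto tcp' 'port 443' 'cipher BF-CBC' \
  'tls-version-min 1.0' > "$D/weak.conf"
# Rule with the wrong protocol: server.conf says udp, rule opens tcp.
printf '%s\n' '*filter' \
  '-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT' 'COMMIT' > "$D/fw.tcp"
printf '%s\n' '*filter' \
  '-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT' 'COMMIT' > "$D/fw.udp"

lint_server_conf "$D/good.conf"            # prints nothing
lint_server_conf "$D/weak.conf"            # prints eight findings
check_fw_port "$D/good.conf" "$D/fw.udp" && echo "firewall rule matches listener"
check_fw_port "$D/good.conf" "$D/fw.tcp" || echo "firewall rule does not match listener"
```

Point lint_server_conf at /etc/openvpn/server.conf and check_fw_port at that file plus /etc/sysconfig/iptables to run the same checks against a live server.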
Setting up the Client
Getting the VPN server running is only half the battle. Actually, it's
about 90% of the battle, but you still have to do the client side work.
Assuming you're using Mac or Windows, you pretty much want to use Viscosity. It's an excellent third party VPN client, and my favorite. It's $9, but pay it. It's worth it.
First, on the server, make a directory and copy the client config and client certificates into it:
# cd ~
# mkdir vpn-client-01-config
# cp pki/ca.crt vpn-client-01-config/ca.crt
# cp pki/issued/vpn-client-01.crt vpn-client-01-config/client.crt
# cp pki/private/vpn-client-01.key vpn-client-01-config/client.key
# cp pki/ta.key vpn-client-01-config/ta.key

Now, create the config file at vpn-client-01-config/client.ovpn. Be sure to change the remote line to point to your VPN server!

# Secure OpenVPN Client Config
#viscosity dns full
#viscosity usepeerdns true
#viscosity dhcp true
tls-client
pull
client
dev tun
proto udp
remote 123.123.123.123 1194
redirect-gateway def1
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# remote-cert-tls checks the server certificate's serverAuth EKU; it replaces the deprecated ns-cert-type check
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Now tar up the config, and download it to your Mac or Windows machine:
# tar cvfz vpn-client-01-config.tgz vpn-client-01-config

Then, simply import the client.ovpn into Viscosity, and you'll be all set.