Building an OpenVPN server on Ubuntu 22.04

To give the company's internal servers and the branch office's computers mutual access, we plan to use a VPN. PPTP was widely used for this in the past, but compared with openvpn, PPTP is less secure, its command-line support under Linux is poor, and it is less stable. So in the end I chose openvpn to build the VPN.

As shown in the figure above, the red line is the effect of VPN access, and the black line is the effect of general network access.

PS: This article uses Ubuntu 22.04, and the openvpn server address is 172.26.14.242.

The running effect is as follows:

PC client:

Server:

1. How openvpn works

OpenVPN encrypts data using public-key (asymmetric) cryptography: different keys are used for encryption and decryption, one called the public key and the other the private key. OpenVPN does this through TLS.

When openvpn uses TLS, the VPN server and the VPN client must first have the same CA certificate; the two sides exchange certificates and verify each other's legitimacy, which decides whether the VPN connection is established.

Each side then encrypts the data with the other party's certificate (signed by that CA) using the current data-encryption method and sends it over. Since the data was encrypted with the other party's certificate, only the private key matching that certificate can decrypt it, which protects the key. The key is also changed regularly, so even if an eavesdropper manages to crack one key, the two VPN peers may already have moved on to a new one.

2. Install openvpn

openvpn can be installed either with apt-get or from source. Below we only cover the apt-get method; for a source installation of openvpn, search Baidu.

To install in apt-get mode, we can use the following command:

sudo apt-get -y install openvpn libssl-dev openssl

After openvpn is installed, let's check the version of openvpn, as follows:

(Refer to this version number when downloading openvpn client)

openvpn --version

From the picture above we can see that the current openvpn version is 2.5.5. It is worth remembering this version number.

Let's look at the files generated during openvpn installation, as follows:

dpkg --list openvpn

dpkg -L openvpn | more

From the above figure we can see that openvpn already ships templates for the related configuration.

After openvpn is installed, let's install easy-rsa.

easy-rsa is used to make openvpn related certificates.

To install easy-rsa, use the following command:

sudo apt-get -y install easy-rsa

Check the version installed by easy-rsa:

dpkg --list easy-rsa

View the files installed by easy-rsa, as follows:

dpkg -L easy-rsa | more

3. Make relevant certificates

From the working principle of openvpn in section 1, we know that openvpn's certificates come in three parts: the CA certificate, the server certificate and the client certificate.

Let's make them separately through easy-rsa.

3.1 Create a CA certificate

After the installation of openvpn and easy-rsa, we need to create the easy-rsa folder in the /etc/openvpn/ directory, as follows:

sudo mkdir /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/

Then copy all the files in the /usr/share/easy-rsa/ directory to /etc/openvpn/easy-rsa/, as follows:

sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Of course, we could also create the certificates directly in /usr/share/easy-rsa/, but for convenient certificate management later on we put easy-rsa under the openvpn startup directory.

Note: Since we are on Ubuntu, we must switch to the root user to create the certificates, otherwise easy-rsa reports an error. On CentOS this problem does not exist.

Switch to the root user and use the following command:

sudo su
cp vars.example vars

Before making the CA certificate we also need to edit the vars file and modify the related options, as follows:

vim vars

Modify:

Add:

The vars file is mainly used to set the organization information for the certificate; the content in the red part can be modified according to your actual situation.

Among them, export KEY_NAME="vpnairgens" should be remembered; we will use it below when making the server-side certificate.

Note: For the above content we can also keep the system defaults, that is, it can be used without modification.

Note: Different easy-rsa versions may use different processes. For the specific usage, refer to the description in the installation documentation.

See the step-by-step description in the installation documentation:

cat /usr/share/doc/easy-rsa/README.Debian

The commands are as follows:

./easyrsa init-pki
ls

./easyrsa build-ca nopass
ls

3.2 Create a server-side certificate

./easyrsa build-server-full vpnairgens nopass

Note: vpnairgens in the above command is the KEY_NAME set in our vars file earlier.

View the generated server-side certificate, as follows

ls pki/issued/ 
ls pki/private/

In this way, the server-side certificate is created.

3.3 Create a client certificate

After the server-side certificate is created, we now start to create the client-side certificate, as follows:

./easyrsa build-client-full airgens nopass

Note: airgens in the above command is the name of the client. This is customizable.

ls pki/issued/ 
ls pki/private/

View the generated certificate as follows:

From the above figure we can see that many encryption-related files have been generated.

Among them, the three files ca.crt, private/airgens.key and issued/airgens.crt are the ones we will use.

In this way, the client certificate is created.

Now generate the Diffie-Hellman parameter file used for the server's key exchange, as follows:

./easyrsa gen-dh

ls -l pki/dh.pem

View the generated files, as follows:

3.4 Put related files in the same directory

cd /etc/openvpn/
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .
ls

cp easy-rsa/pki/ca.crt ./ 
cp easy-rsa/pki/issued/vpnairgens.crt ./ 
ls

cp easy-rsa/pki/private/vpnairgens.key . 
cp easy-rsa/pki/dh.pem ./ 
cp easy-rsa/pki/dh.pem ./dh2048.pem
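The certificate steps in sections 3.1 to 3.4 are screenshots in the original; the following script, added here and not part of the post, runs the same easy-rsa 3 commands non-interactively and then checks the result before anything is copied into /etc/openvpn. It assumes easy-rsa 3 (which accepts the global --batch option) in /etc/openvpn/easy-rsa, openssl on the PATH, and the names vpnairgens and airgens from the post; the chain check is an addition, since the post itself only lists the files.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA, server and client
# certificates and the DH parameters with easy-rsa 3, then verify them.
# Assumptions: easy-rsa 3 at EASYRSA_DIR, openssl installed, names from the post.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
SERVER_NAME="${SERVER_NAME:-vpnairgens}"   # KEY_NAME from the post's vars file
CLIENT_NAME="${CLIENT_NAME:-airgens}"      # client name from the post

# Same steps as sections 3.1-3.3; --batch answers the Common Name prompts
# with the defaults so the script does not stop for input.
build_pki() {
    cd "$EASYRSA_DIR"
    ./easyrsa --batch init-pki
    ./easyrsa --batch build-ca nopass
    ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
    ./easyrsa --batch build-client-full "$CLIENT_NAME" nopass
    ./easyrsa --batch gen-dh
}

# Every file the post copies or ships must exist and be non-empty under pki/.
# Returns 0 when all are present, otherwise names the missing ones and returns 1.
required_files_present() {
    pki="$1"; server="$2"; client="$3"
    missing=0
    for f in ca.crt dh.pem \
             "issued/$server.crt" "private/$server.key" \
             "issued/$client.crt" "private/$client.key"; do
        if [ ! -s "$pki/$f" ]; then
            echo "missing or empty: $pki/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Both leaf certificates must chain to ca.crt, and the server certificate must
# carry the TLS Web Server Authentication EKU that build-server-full sets (this
# is what a client's "remote-cert-tls server" option checks).
verify_chain() {
    pki="$1"; server="$2"; client="$3"
    openssl verify -CAfile "$pki/ca.crt" \
        "$pki/issued/$server.crt" "$pki/issued/$client.crt"
    openssl x509 -in "$pki/issued/$server.crt" -noout -text \
        | grep -A1 "Extended Key Usage" | grep -q "TLS Web Server Authentication"
}

# Usage: ./make_pki.sh build   (no argument only defines the functions)
case "${1:-}" in
    build)
        build_pki
        required_files_present "$EASYRSA_DIR/pki" "$SERVER_NAME" "$CLIENT_NAME"
        verify_chain "$EASYRSA_DIR/pki" "$SERVER_NAME" "$CLIENT_NAME"
        echo "PKI ready in $EASYRSA_DIR/pki"
        ;;
    *) : ;;
esac
```

The post passes nopass to build-ca; the CA key signs every future client certificate, so protecting it with a passphrase (drop nopass) and keeping it off the VPN server once the certificates are issued are the two changes most worth making to this script.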

3.5 Configure VPN Server

vim server.conf

Tunnel port

Enable tcp, disable udp

Modify the key file names

Modify the VPN IP address segment (optional)
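The server.conf edits above are screenshots in the original. As an added example (not the post's own file), the function below renders a server.conf with those four changes applied: port 1194, proto tcp, the file names copied in section 3.4, and the address segment. The VPN pool 10.8.0.0/24 is the sample config's default, and the pushed route for the office network 172.26.0.0/16 is a placeholder I assumed from the server address 172.26.14.242; the log paths are the ones the post reads in section 3.6.

```shell
#!/bin/sh
# Added example (not from the original post): render server.conf for
# /etc/openvpn. Assumed values: VPN pool 10.8.0.0/24 and the pushed office
# network 172.26.0.0/16 are placeholders; replace them for the real site.
set -eu

# Arguments (all optional): port, proto, VPN pool network, office network.
render_server_conf() {
    port="${1:-1194}"
    proto="${2:-tcp}"                 # the post switches the sample from udp to tcp
    vpn_net="${3:-10.8.0.0}"
    office_net="${4:-172.26.0.0}"     # placeholder LAN behind 172.26.14.242
    cat <<EOF
port $port
proto $proto
dev tun

# files copied into /etc/openvpn in section 3.4
ca ca.crt
cert vpnairgens.crt
key vpnairgens.key
dh dh2048.pem

# address segment handed out to clients; the server takes the first address
server $vpn_net 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# route to the office network, pushed to every client (placeholder network)
push "route $office_net 255.255.0.0"

# detect dead peers; keep the tun device and key material across SIGUSR1 restarts
keepalive 10 120
persist-key
persist-tun

# drop root privileges once the tunnel and keys are set up
user nobody
group nogroup

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF
}

# Usage: ./render_server_conf.sh print > /etc/openvpn/server.conf
if [ "${1:-}" = "print" ]; then
    render_server_conf
fi
```

Two things to watch when editing the sample server.conf by hand instead: it enables explicit-exit-notify, which openvpn rejects together with proto tcp and must be removed, and it enables tls-auth ta.key 0, which needs a ta.key shared with every client (or must be removed). The rendered file leaves compression off; the post's client profile has comp-lzo, and compression is deprecated in openvpn 2.5, so either drop it on the client as well or enable it on both sides, never on one only.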


3.6 Run VPN SERVER

After configuration, run the openvpn server:

nohup /usr/sbin/openvpn --config /etc/openvpn/server.conf &

Follow the log:

tail -f /var/log/openvpn/openvpn.log

3.7 Download the key files with tftp

cp /etc/openvpn/ca.crt /etc/openvpn/easy-rsa/pki/issued/airgens.crt tmp_dir/

4. VPN client installation

4.1 Download openvpn client

Download URL: https://build.openvpn.net/downloads/releases/OpenVPN-2.5.5-I602-amd64.msi

(Use the same version as the server above.) Install the software.

Copy the file to the directory where the software is installed

4.2 Create a configuration file

Create the file airgens.ovpn, open it with Notepad, and add the following content:

client
dev tun
proto tcp
remote 172.26.14.242 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert airgens.crt
key airgens.key
comp-lzo
verb 3
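The profile above references ca.crt, airgens.crt and airgens.key as separate files, which is why section 3.7 has to copy them to the client (and it copies only two of the three). As an added example that is not part of the post, the script below assembles the same profile as a single .ovpn with the three files inlined, after first checking that the key really belongs to the certificate. Server address and port are the post's; remote-cert-tls server is my addition and relies on the server certificate having been made with build-server-full as in section 3.2; comp-lzo is left out, which is correct only if the server side does not enable compression either.

```shell
#!/bin/sh
# Added example (not from the original post): build a single-file client
# profile from ca.crt, issued/airgens.crt and private/airgens.key.
# Assumes openssl on the PATH for the key/certificate match check.
set -eu

# A private key belongs to a certificate when both yield the same public key.
# Returns 0 on match, 1 otherwise; works for RSA and EC keys.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the unified profile to stdout.
# Arguments: ca.crt, client.crt, client.key, server address, port (default 1194).
# easy-rsa's issued .crt files start with a text dump before the PEM block;
# openvpn skips that text, so the files are inlined unchanged.
make_client_profile() {
    ca="$1"; cert="$2"; key="$3"; server="$4"; port="${5:-1194}"
    cat <<EOF
client
dev tun
proto tcp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# refuse servers whose certificate lacks the server EKU, so a leaked client
# certificate cannot be used to impersonate the VPN server
remote-cert-tls server
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Usage: ./make_profile.sh ca.crt airgens.crt airgens.key 172.26.14.242 1194 > airgens.ovpn
if [ "$#" -ge 4 ]; then
    key_matches_cert "$2" "$3" || { echo "key does not match certificate" >&2; exit 1; }
    make_client_profile "$@"
fi
```

The resulting airgens.ovpn contains the private key, so it should be transferred to the PC over an authenticated channel rather than anonymous tftp, and deleted from the server afterwards; the server only needs ca.crt, vpnairgens.crt, vpnairgens.key and dh2048.pem from section 3.4.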

4.3 Open the client software

4.4 Configuration file

4.5 Check connection status

Server connection status:

PC client connection status:

4.6 Testing

Reference documents:

Mud: Build an OpenVPN server on ubuntu 14.04 - Mud World

Mud: Detailed explanation of openvpn configuration files - Mud Traveling World

Origin blog.csdn.net/wfjdemmye/article/details/131486127