To give the internal servers and office computers of the company and its branch mutual access, we plan to use a VPN. PPTP was widely used for this in the past, but it is less secure than OpenVPN, its command-line support under Linux is poor, and its stability is not as good as OpenVPN's. So in the end I chose OpenVPN to build the VPN.
In the figure above, the red line shows the path taken by VPN access and the black line the path of ordinary network access.
PS: This article installs on Ubuntu 22.04; the OpenVPN server address is 172.26.14.242.
The running result is as follows:
PC client
Server:
1. How openvpn works
OpenVPN encrypts data using public-key (asymmetric) cryptography, in which different keys are used for encryption and decryption: one is called the public key and the other the private key. This method is called TLS encryption.
When OpenVPN uses TLS, the VPN server and the VPN client must first hold the same CA certificate; the two sides exchange certificates and verify each other's legitimacy, and the result decides whether a VPN connection is established.
Each side then encrypts its data, using the current data-encryption method, with the other party's certificate (issued by the shared CA) and sends it. Because the other party's certificate was used for encryption, only the private key corresponding to that certificate can decrypt the data, which keeps the key secure. The key is also changed regularly, so by the time an eavesdropper might have cracked a key, the two parties of the VPN may already have changed it.
2. Install openvpn
OpenVPN can be installed either with apt-get or from source. Below we only cover the apt-get method; for installing OpenVPN from source, look it up on Baidu.
To install with apt-get, use the following command:
sudo apt-get -y install openvpn libssl-dev openssl
After openvpn is installed, check its version as follows:
(Refer to this version number when downloading the openvpn client.)
openvpn --version
From the picture above, we can see that the current version of openvpn is 2.5.5. It is recommended to note this version number.
Let's look at the files generated by the openvpn installation:
dpkg --list openvpn
dpkg -L openvpn | more
From the figure above, we can clearly see that openvpn already ships a template for the related configuration.
After openvpn is installed, install easy-rsa next.
easy-rsa is used to make the OpenVPN certificates.
To install easy-rsa, use the following command:
sudo apt-get -y install easy-rsa
Check the installed easy-rsa version:
dpkg --list easy-rsa
View the files installed by easy-rsa:
dpkg -L easy-rsa |more
3. Make the certificates
From the working principle of openvpn in chapter 1, we know that OpenVPN's certificates come in three parts: the CA certificate, the server certificate and the client certificate.
Let's make them one by one with easy-rsa.
3.1 Create a CA certificate
After installing openvpn and easy-rsa, create an easy-rsa folder under the /etc/openvpn/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
Then copy all files from the /usr/share/easy-rsa/ directory to /etc/openvpn/easy-rsa/:
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
We could of course create the certificates directly in /usr/share/easy-rsa/, but to make later certificate management easier, we keep easy-rsa under the OpenVPN startup directory.
Note: since we are on Ubuntu, we must switch to the root user before creating the certificates, otherwise easy-rsa reports an error. On CentOS this problem does not exist.
Switch to the root user and copy the example vars file with the following commands:
sudo su
cp vars.example vars
Before making the CA certificate, we also need to edit the vars file and modify the related options below:
vim vars
Revise
Add to
The vars file mainly sets the organization information that goes into the certificates; the content in the red part can be changed to suit your actual situation.
Among them, export KEY_NAME="vpnairgens" should be remembered; we will use it when making the server certificate below.
Note: the above content can also be left at the system defaults, that is, it works without modification.
Note: different easy-rsa versions may use different procedures. For the exact usage, refer to the description in the installation documentation.
See the step-by-step description in the installation documentation:
cat /usr/share/doc/easy-rsa/README.Debian
The commands to make the CA certificate are as follows:
./easyrsa init-pki
ls
./easyrsa build-ca nopass
ls
3.2 Create a server-side certificate
./easyrsa build-server-full vpnairgens nopass
Note: vpnairgens in the above command is the KEY_NAME set in the vars file earlier.
View the generated server certificate:
ls pki/issued/
ls pki/private/
With this, the server certificate is created.
3.3 Create a client certificate
After the server certificate is created, we create the client certificate:
./easyrsa build-client-full airgens nopass
Note: airgens in the above command is the client name, which you can choose freely.
ls pki/issued/
ls pki/private/
The generated certificate is shown below:
From the figure above, we can clearly see that many encryption-related files were generated.
Of these, three files are what we use: ca.crt, private/airgens.key and issued/airgens.crt.
With this, the client certificate is created.
Now generate the Diffie-Hellman parameter file that the server uses for the encrypted key exchange:
./easyrsa gen-dh
ls pki/dh.pem -l
The generated file is shown below:
3.4 Put the related files in the same directory
cd /etc/openvpn/
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .
ls
cp easy-rsa/pki/ca.crt ./
cp easy-rsa/pki/issued/vpnairgens.crt ./
ls
cp easy-rsa/pki/private/vpnairgens.key .
cp easy-rsa/pki/dh.pem ./
cp easy-rsa/pki/dh.pem ./dh2048.pem
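Before starting the server it is worth confirming that everything the server.conf will reference actually landed in /etc/openvpn with sane permissions. The script below is an added example, not part of the original article: it assumes the file names used above (ca.crt, vpnairgens.crt, vpnairgens.key, dh2048.pem) and the openssl command-line tool for the optional chain check.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the key
# material copied into /etc/openvpn before the server is started.
# Assumed file names follow the article: ca.crt, <name>.crt, <name>.key,
# dh2048.pem, with <name> = vpnairgens.

# Return 0 if every file server.conf references is present and non-empty,
# 1 otherwise. $1 = directory (default /etc/openvpn), $2 = key name.
check_server_files() {
    dir="${1:-/etc/openvpn}"
    name="${2:-vpnairgens}"
    missing=0
    for f in ca.crt "$name.crt" "$name.key" dh2048.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Return 0 if the private key is readable only by its owner, 1 if the
# group or other users can read it (the key must never be world-readable).
check_key_mode() {
    key="$1"
    [ -f "$key" ] || return 1
    # POSIX find: -perm -g+r matches when the group-read bit is set
    if [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
        echo "$key is readable by group/others; fix with: chmod 600 $key" >&2
        return 1
    fi
    return 0
}

# Verify that an issued certificate chains to the CA certificate.
# Returns openssl's result, or 2 when the openssl CLI is not installed so
# that a caller can treat the check as skipped rather than failed.
verify_issued_cert() {
    ca="$1"
    crt="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$ca" "$crt" >/dev/null
}

# Usage on the server (uncomment to run):
# check_server_files /etc/openvpn vpnairgens \
#   && check_key_mode /etc/openvpn/vpnairgens.key \
#   && verify_issued_cert /etc/openvpn/ca.crt /etc/openvpn/vpnairgens.crt \
#   && echo "server key material looks good"
```

The mode check matters because easy-rsa writes keys readable by root only, but a `cp` done from a different umask or a later `chmod -R` can silently loosen them. Once the checks pass, the Debian/Ubuntu package also provides an `openvpn@.service` unit, so `systemctl enable --now openvpn@server` starts /etc/openvpn/server.conf at boot and is a more robust way to keep the daemon running than the `nohup` command in section 3.6.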
3.5 Configure the VPN server
vim server.conf
Change the following items in server.conf:
Tunnel port
Enable tcp and disable udp
The key file names
The IP address range of the VPN (optional)
3.6 Run the VPN server
After configuring, run the openvpn server:
nohup /usr/sbin/openvpn --config /etc/openvpn/server.conf &
Follow the log output:
tail -f /var/log/openvpn/openvpn.log
3.7 Download the key files via tftp
# The client needs all three files listed in 3.3 (ca.crt, airgens.crt and airgens.key); the private key was missing from the original command
cp /etc/openvpn/ca.crt /etc/openvpn/easy-rsa/pki/issued/airgens.crt /etc/openvpn/easy-rsa/pki/private/airgens.key tmp_dir/
4. VPN client installation
4.1 Download openvpn client
Download URL: https://build.openvpn.net/downloads/releases/OpenVPN-2.5.5-I602-amd64.msi
(The version is the same as the server's above.) Install the software.
Copy the certificate files to the directory where the software is installed.
4.2 Create a configuration file
Create the airgens.ovpn file, open it with Notepad and add the following content:
client
dev tun
proto tcp
remote 172.26.14.242 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert airgens.crt
key airgens.key
comp-lzo
verb 3
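Instead of shipping ca.crt, airgens.crt and airgens.key alongside the .ovpn file, OpenVPN 2.x accepts the same material inline inside the profile, so only one file has to be moved to the PC. The generator below is an added example and not the article's own code. It assumes the three files sit in one directory (the tmp_dir produced in step 3.7) and the server address and port from the article; it keeps the directives of the profile above except comp-lzo, which it leaves out deliberately (see the note after the code), and adds `remote-cert-tls server`, which is not on the page.

```shell
#!/bin/sh
# Added example (not from the original article): build a single-file
# client profile with ca.crt, <client>.crt and <client>.key embedded
# inline. Assumes the three files live in one directory (the tmp_dir from
# step 3.7) and that the server listens on TCP 172.26.14.242:1194.

# Print an .ovpn profile to stdout.
#   $1 = directory holding ca.crt, <client>.crt, <client>.key
#   $2 = client name (airgens in the article)
#   $3 = server address (default 172.26.14.242), $4 = port (default 1194)
make_ovpn_profile() {
    dir="$1"
    client="$2"
    server="${3:-172.26.14.242}"
    port="${4:-1194}"
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$dir/$f" ] || { echo "cannot read $dir/$f" >&2; return 1; }
    done
    # remote-cert-tls server makes the client refuse any peer whose
    # certificate was not issued with easy-rsa's server type, so a stolen
    # client certificate cannot be used to impersonate the server.
    cat <<EOF
client
dev tun
proto tcp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$client.crt")
</cert>
<key>
$(cat "$dir/$client.key")
</key>
EOF
}

# Count the inline sections in a generated profile; a correct profile
# contains exactly three (ca, cert, key).
count_inline_blocks() {
    grep -c -E '^</(ca|cert|key)>$' "$1"
}

# Usage (uncomment on the server after step 3.7):
# make_ovpn_profile tmp_dir airgens > tmp_dir/airgens.ovpn
# count_inline_blocks tmp_dir/airgens.ovpn   # expect 3
```

Two points about the choices made here. comp-lzo is omitted because compressing data before it enters the tunnel lets an attacker who can inject chosen plaintext learn about secrets from ciphertext length (the VORACLE class of attacks), and current OpenVPN releases warn about it; if the server.conf from section 3.5 does enable comp-lzo, either remove it there too or add it back on the client, since both ends must agree. Also, because the profile now contains the client's private key, move it to the PC over an encrypted channel such as scp rather than tftp, which sends it in the clear.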
4.3 Open the client software
4.4 Configuration file
4.5 Check connection status
Server connection status:
PC client connection status:
4.6 Testing
Reference documents:
Mud: Build an OpenVPN server on ubuntu 14.04 - Mud World
Mud: Detailed explanation of openvpn configuration files - Mud Traveling World