Installing and configuring an OpenVPN server on Debian 10
OpenVPN is open-source software that can be used to go online securely while connected to an untrusted network. It keeps your online data private by tunnelling it through encrypted servers. OpenVPN uses SSL/TLS for key exchange and can traverse network address translators (NAT). There is a lot of VPN software on the market, but it is all expensive and/or hard to set up and manage, whereas OpenVPN is free and easy to install, configure and manage.
This guide explains how to set up an OpenVPN server on a Debian 10 server.
Prerequisites
- Two servers running Debian 10.
- A static IP address: 192.168.0.103 is configured on the VPN server and 192.168.0.102 on the VPN client.
- A root password set on both servers.
Install OpenVPN
First, enable IP forwarding so that the server can forward network packets. Do this by editing /etc/sysctl.conf:
nano /etc/sysctl.conf
Find the following line and make sure it is uncommented and set to 1:
net.ipv4.ip_forward=1
Save and close the file when you are done. Then apply the new setting by running:
sysctl -p
Next, install the OpenVPN package, together with easy-rsa, which the next section uses to build the certificates:
apt-get install openvpn easy-rsa -y
Once the installation has finished, you can proceed to the next step.
Generate the server certificate and key
First, copy the EasyRSA directory to /etc/openvpn/:
cp -r /usr/share/easy-rsa /etc/openvpn/
Next, change into the easy-rsa directory and rename the vars.example file:
cd /etc/openvpn/easy-rsa
mv vars.example vars
Then open the vars file:
nano vars
Add the following lines. Easy-RSA 3 (the version Debian 10 ships) reads its certificate defaults from set_var lines, and the country must be a two-letter code; replace the values, including the placeholder e-mail address, with your own:
set_var EASYRSA_REQ_COUNTRY "IN"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY "Junagadh"
set_var EASYRSA_REQ_ORG "Howtoforge"
set_var EASYRSA_REQ_EMAIL "you@example.com"
set_var EASYRSA_REQ_OU "OpenVPN"
Save and close the file when you are done. Then initialise the PKI with the following command:
./easyrsa init-pki
You should see the following output:
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Next, build the CA without a passphrase, as shown below:
./easyrsa build-ca nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..............+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Next, generate the server key and certificate request with the following command:
./easyrsa gen-req server nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
...+++++
................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Next, sign the server certificate with the following command:
./easyrsa sign-req server server
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep  5 15:43:29 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Next, generate the Diffie-Hellman parameters for key exchange with the following command:
./easyrsa gen-dh
You should see the following output (the progress dots have been shortened here):
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+.............................................+..........++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Next, generate the tls-auth HMAC key with the following command:
openvpn --genkey --secret ta.key
Finally, copy all the certificates and keys to the /etc/openvpn directory:
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
Generate the client certificate and key
Next, generate the client key and certificate request with the following command:
./easyrsa gen-req client nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key
Next, sign the client certificate with the following command:
./easyrsa sign-req client client
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Sep  5 12:28:25 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Next, copy the client certificate and key, together with the CA certificate, to the /etc/openvpn/client/ directory:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
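With this layout every private key of the setup, including the CA key in pki/private/ca.key that can sign further client certificates, sits on the VPN server, and the comments in the server configuration later in this guide mark server.key and ta.key as secret. The following is an added example, not part of the guide: a small Python check that lists any of those key files readable or writable by group or others and tightens them to 0600. It runs against a constructed temporary tree that imitates /etc/openvpn rather than the real directory; point exposed_private_files at the real path to audit a server.

```python
"""Audit the private key files this guide places under /etc/openvpn.
Added example, not part of the guide."""
import os
import stat
import tempfile

# Files the guide generates or copies. ca.key stays in easy-rsa/pki/private/ and
# is the most valuable of them, since it can sign new client certificates.
PRIVATE_NAMES = ("server.key", "client.key", "ca.key", "ta.key")


def exposed_private_files(root):
    """Return (path relative to root, octal mode) for every private key under
    root whose mode grants any permission to group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in PRIVATE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def tighten(root):
    """chmod 0600 every exposed private key under root; return the paths changed."""
    changed = []
    for rel, _mode in exposed_private_files(root):
        os.chmod(os.path.join(root, rel), 0o600)
        changed.append(rel)
    return changed


def demo_tree():
    """Build a constructed look-alike of /etc/openvpn in a temporary directory:
    three keys left readable by others (as an editor or a manual copy can leave
    them), one key already private, and one public certificate."""
    root = tempfile.mkdtemp(prefix="openvpn-demo-")
    layout = {
        "server.key": 0o644,
        "ta.key": 0o644,
        "ca.crt": 0o644,  # public certificate, world-readable is fine
        os.path.join("easy-rsa", "pki", "private", "ca.key"): 0o600,
        os.path.join("client", "client.key"): 0o640,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = demo_tree()
    print("exposed:", exposed_private_files(root))
    print("fixed:", tighten(root))
    print("after:", exposed_private_files(root))
```

Ownership is deliberately not checked here: the guide runs everything as root, and a key owned by another user with mode 0600 would still be that user's to read, so on a real server combine this with a check that the files are owned by root.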
Configure the OpenVPN server
All certificates and keys for the server and the client have now been generated. Next, create the OpenVPN server configuration file with the following command:
nano /etc/openvpn/server.conf
Add the following content:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
Save and close the file. Then start the OpenVPN service with the following command:
systemctl start openvpn@server.service
Next, check the state of the OpenVPN server with the following command:
systemctl status openvpn@server.service
Output:
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 5040 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 1138)
   Memory: 1.7M
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.

Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server...
Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.
Install and configure the OpenVPN client
Next, log in to the OpenVPN client system and install the OpenVPN package with the following command:
apt-get install openvpn -y
Once it is installed, create a new configuration file for the OpenVPN client:
nano /etc/openvpn/client.conf
Define your server's IP address and your client certificate files as shown below:
client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
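A few lines in the two configuration files carry the security of the whole setup: tls-auth with complementary key directions (0 on the server, 1 on the client), user/group together with persist-key/persist-tun so the daemon drops root and still survives restarts, and remote-cert-tls server on the client, without which any certificate signed by this CA, including another client's, would be accepted as the server. The following is an added example, not part of the guide: a Python linter that parses OpenVPN configuration syntax and checks a server/client pair for exactly these points. The embedded configurations are the guide's own files (minus the logging lines); the check names and messages are this example's, not OpenVPN's.

```python
"""Lint an OpenVPN server/client configuration pair for the settings this
guide's security depends on. Added example, not part of the guide."""
import shlex

# Constructed samples: the guide's server.conf and client.conf without the
# logging and verbosity lines.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
"""

# Data-channel ciphers this linter treats as weak (BF-CBC was OpenVPN's old default).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}


def parse_conf(text):
    """Parse OpenVPN config syntax into {directive: [argument lists]}.
    '#' and ';' start comments; a directive may repeat (push), so every
    occurrence is kept in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return conf[name][0] if name in conf else None


def lint_server(srv):
    """Findings for a server config: tls-auth direction, privilege drop, cipher."""
    f = []
    ta = first(srv, "tls-auth")
    if ta is None:
        f.append("server: no tls-auth, so any UDP sender can start a TLS handshake")
    elif ta[1:] != ["0"]:
        f.append("server: tls-auth key direction should be 0 on the server")
    if "user" not in srv or "group" not in srv:
        f.append("server: no user/group, openvpn keeps running as root")
    elif "persist-key" not in srv or "persist-tun" not in srv:
        f.append("server: user/group without persist-key/persist-tun breaks restarts after the privilege drop")
    c = first(srv, "cipher")
    if c and c[0] in WEAK_CIPHERS:
        f.append(f"server: weak data-channel cipher {c[0]}")
    return f


def lint_client(cli, srv):
    """Findings for a client config, checked against the server it connects to."""
    f = []
    if first(cli, "remote-cert-tls") != ["server"]:
        f.append("client: missing 'remote-cert-tls server', any CA-signed certificate is accepted as the server")
    ta = first(cli, "tls-auth")
    if ta is None and "tls-auth" in srv:
        f.append("client: server requires tls-auth but the client has none")
    elif ta is not None and ta[1:] != ["1"]:
        f.append("client: tls-auth key direction should be 1, the opposite of the server")
    remote = first(cli, "remote") or []
    port = remote[1] if len(remote) > 1 else "1194"
    if (first(srv, "port") or ["1194"])[0] != port:
        f.append("client: remote port does not match the server port")
    if first(cli, "proto") != first(srv, "proto"):
        f.append("client: proto differs from the server")
    if first(cli, "cipher") != first(srv, "cipher"):
        f.append("client: cipher differs from the server")
    return f


if __name__ == "__main__":
    srv, cli = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    print(lint_server(srv) + lint_client(cli, srv) or "no findings")
```

The cipher comparison is a plain equality check; the guide's server log later shows that OpenVPN 2.4 negotiates AES-256-GCM for the data channel regardless of the cipher AES-256-CBC line, which only serves as the fallback for peers that cannot negotiate.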
Save and close the file. Then copy the client certificate, key and tls-auth key from the OpenVPN server to the OpenVPN client system with the following commands:
scp root@192.168.0.103:/etc/openvpn/client/ca.crt /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/client.crt /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/client.key /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/ta.key /etc/openvpn/
Next, start the OpenVPN client service with the following command:
systemctl start openvpn@client.service
You can now see the new IP address assigned by the OpenVPN server with the following command:
ifconfig
You should see the following output:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.102  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::a00:27ff:fe99:dc40  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:99:dc:40  txqueuelen 1000  (Ethernet)
        RX packets 447  bytes 42864 (41.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 334  bytes 47502 (46.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 57  bytes 9754 (9.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57  bytes 9754 (9.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::52b5:a1d2:fa23:f51e  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 472 (472.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Next, go to the OpenVPN server system and check the OpenVPN log with the following command:
tail -f /var/log/openvpn/openvpn.log
You should see output like the following:
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [_] Peer Connection Initiated with [AF_INET]192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> _/192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: primary virtual IP for _/192.168.0.103:45700: 10.8.0.6
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 SENT CONTROL [_]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
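The log above records, per connecting peer, the TLS version and cipher suite of the control channel, the size of the certificate key, the common name, the address handed out from the pool and the negotiated data-channel cipher. Those fields are exactly what an operator wants to keep an eye on, so as an added example (not part of the guide) here is a Python parser that groups such lines into sessions and flags any session that negotiated less than what this setup is meant to produce: TLS 1.2 or newer, a 2048-bit key and an AEAD (GCM) data-channel cipher. The sample lines are constructed in the format shown above: the first session mirrors the guide's excerpt with the common name "client" and an assumed client address of 192.168.0.102 as in the prerequisites, and the second session, "old-laptop", is invented to show what a weak negotiation looks like.

```python
"""Summarise client sessions from OpenVPN server log lines and flag weak
handshakes. Added example, not part of the guide."""
import re

# Constructed sample in the format of /var/log/openvpn/openvpn.log. The first
# session follows the guide's excerpt; the second is invented to show a session
# that negotiated weak parameters.
SAMPLE_LOG = """\
Sun Sep 22 19:46:08 2019 192.168.0.102:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.102:45700 [client] Peer Connection Initiated with [AF_INET]192.168.0.102:45700
Sun Sep 22 19:46:08 2019 client/192.168.0.102:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:09 2019 client/192.168.0.102:45700 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 22 19:46:09 2019 client/192.168.0.102:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:46:09 2019 client/192.168.0.102:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Sep 22 19:51:30 2019 192.168.0.57:51002 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Sep 22 19:51:30 2019 192.168.0.57:51002 [old-laptop] Peer Connection Initiated with [AF_INET]192.168.0.57:51002
Sun Sep 22 19:51:30 2019 old-laptop/192.168.0.57:51002 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Sun Sep 22 19:51:31 2019 old-laptop/192.168.0.57:51002 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
"""

TS = r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
PEER = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
CN = r"(?P<cn>[^/ ]+)/"  # "client/192.168.0.102:45700" once the CN is known

RULES = [
    ("control", re.compile(TS + PEER + r" Control Channel: (?P<tls>TLSv[\d.]+), cipher (?P<suite>.+?), (?P<bits>\d+) bit (?P<keytype>\w+)$")),
    ("peer", re.compile(TS + PEER + r" \[(?P<cn>[^\]]+)\] Peer Connection Initiated")),
    ("pool", re.compile(TS + CN + PEER + r" MULTI_sva: pool returned IPv4=(?P<vpn_ip>[\d.]+)")),
    ("data", re.compile(TS + CN + PEER + r" Data Channel: using negotiated cipher '(?P<cipher>[^']+)'")),
    ("data", re.compile(TS + CN + PEER + r" Outgoing Data Channel: Cipher '(?P<cipher>[^']+)' initialized")),
]


def parse_sessions(log):
    """Group the recognised lines by peer address (ip:port) into session dicts."""
    sessions = {}
    for line in log.splitlines():
        for kind, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            s = sessions.setdefault(d["peer"], {"peer": d["peer"]})
            if kind == "control":
                s.update(started=d["ts"], tls=d["tls"], suite=d["suite"],
                         key_bits=int(d["bits"]), key_type=d["keytype"])
            elif kind == "peer":
                s["cn"] = d["cn"]
            elif kind == "pool":
                s["vpn_ip"] = d["vpn_ip"]
            else:
                s["data_cipher"] = d["cipher"]
            break
    return sessions


def tls_version(tag):
    """'TLSv1' -> 1.0, 'TLSv1.2' -> 1.2, 'TLSv1.3' -> 1.3."""
    return float(tag[len("TLSv"):])


def check_session(s):
    """Reasons a session falls short of what this setup negotiates:
    TLS 1.2+, a 2048-bit certificate key and an AEAD (GCM) data-channel cipher."""
    problems = []
    if "tls" in s and tls_version(s["tls"]) < 1.2:
        problems.append(f"control channel uses {s['tls']}")
    if s.get("key_bits", 2048) < 2048:
        problems.append(f"{s['key_bits']}-bit {s['key_type']} certificate key")
    cipher = s.get("data_cipher")
    if cipher and not cipher.endswith("-GCM"):
        problems.append(f"data channel cipher {cipher} is not AEAD")
    return problems


def report(log):
    """Map each common name (peer address if none was logged) to its problems."""
    return {s.get("cn", peer): check_session(s)
            for peer, s in parse_sessions(log).items()}


if __name__ == "__main__":
    for cn, problems in report(SAMPLE_LOG).items():
        print(cn, "OK" if not problems else "; ".join(problems))
```

Because sessions are keyed by the peer's source address and port, a client that reconnects from a new port shows up as a new session, which is the behaviour you want when correlating with the server's status file; key by common name instead if you only care about the latest state per client.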
Congratulations! You have successfully installed and configured an OpenVPN server and client on Debian 10.