OpenVPN Server op Debian 10 installeren en instellen

OpenVPN is open-source software die gebruikt kan worden om veilig het internet op te gaan als je verbonden bent met een onvertrouwd netwerk. OpenVPN stelt je in staat je online gegevens veilig te houden door ze door versleutelde servers te tunnelen. OpenVPN gebruikt SSL/TLS voor sleuteluitwisseling en is in staat om netwerk adres vertalers te doorkruisen. Er zijn veel VPN software op de markt, maar ze zijn allemaal duur, en/of lastig in te stellen en te beheren. Terwijl OpenVPN een gratis, eenvoudig in te stellen, te configureren en te beheren programma is.

In deze handleiding wordt uitgelegd hoe je een OpenVPN server op een Debian 10 server kunt instellen.

Vereisten

  • Twee server die Debian 10 draait.
  • Een statisch IP adres 192.168.0.103 wordt ingesteld op de VPN server en 192.168.0.102 wordt ingesteld op de VPN client.
  • Een root wachtwoord is op beide servers ingesteld.

Installeer OpenVPN

Eerst moet je IP forwarding inschakelen om netwerkpakketten goed door te sturen. Je kunt dit doen door het bestand /etc/sysctl.conf te bewerken:

nano /etc/sysctl.conf

Verander de volgende regel:

net.ipv4.ip_forward=1

Bewaar en sluit het bestand, als je klaar bent. Pas dan de nieuwe instellingen toe door het volgende commando uit te voeren:

sysctl -p

Installeer vervolgens het OpenVPN pakket door gewoon het volgende commando uit te voeren:

apt-get install openvpn -y

Als de installatie voltooid is, kun je verder gaan met de volgende stap.

Genereer server certificaat en sleutel

Eerst moet je de EasyRSA directory kopiëren naar /etc/openvpn/. Je kunt dat doen met het volgende commando:

cp -r /usr/share/easy-rsa /etc/openvpn/

Verander vervolgens de directory in easy-rsa en hernoem het bestand vars.example:

cd /etc/openvpn/easy-rsa
 mv vars.example vars

Open vervolgens het vars bestand:

nano vars

Voeg de volgende regels toe:

export KEY_COUNTRY="INDIA"
export KEY_PROVINCE="CA"
export KEY_CITY="Junagadh"
export KEY_ORG="Howtoforge"
export KEY_EMAIL="[email protected]"
export KEY_OU="OpenVPN"

Sla het bestand op en sluit het als je klaar bent. Initialiseer dan PKI met het volgende commando:

./easyrsa init-pki

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Bouw vervolgens de CA zonder wachtwoord zoals hieronder:

./easyrsa build-ca nopass

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..............+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Genereer vervolgens de server sleutel met het volgende commando:

./easyrsa gen-req server nopass

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating a RSA private key
...+++++
................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

Onderteken vervolgens het servercertificaat met het volgende commando:

./easyrsa sign-req server server

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep  5 15:43:29 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Bouw vervolgens een Diffie-Hellman sleuteluitwisseling met het volgende commando:

./easyrsa gen-dh

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+.............................................+..........................................................................................................................................................................................................................................................+.......+................................................................................+................+....................................+..........................+........................................+............................................................................................+.......................................................+............................+......................................................................................................+...................................................................................+.................+............+.+............................+...............................................................................................................................................+............+...............................................+................................................................................................................................................................................+.....................................................................................................................+...................................................................................................................................................................................................+.............................................+..................................................................................................................................+......................................................................................................................................+....................................+..................................................................................................................................................................................+................................................................................................+..............................................................................................+............................................................................................................................................................................................+...........+.................+.....+..........................................................................................................+..........................................................+............+......................................+............................................................................................................................................................................................................................................................................................................+..................................+.................................................................................+.............................+.....................................................................................................................................................................................................................+..........................+.......................................................+......................+.................................+..............................................................+.............................................................................................................................................................+........................................................................+...............................+...............................................................................................................+..............................................+......................................................+.......................+......................................................................................................................................................................................................................+............................................................................................................................+..........................+......................................................................................................................................................................+..........................................................................................+..........................................................++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Genereer vervolgens een HMAC handtekening met het volgende commando:

openvpn --genkey --secret ta.key

Kopieer tenslotte al het certificaat en de sleutel naar de /etc/openvpn directory:

cp ta.key /etc/openvpn/
 cp pki/ca.crt /etc/openvpn/
 cp pki/private/server.key /etc/openvpn/
 cp pki/issued/server.crt /etc/openvpn/
 cp pki/dh.pem /etc/openvpn/

Genereer cliëntcertificaat en sleutel

Genereer vervolgens Client certificaat met het volgende commando:

./easyrsa gen-req client nopass

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key

Onderteken vervolgens het Client certificaat met het volgende commando:

./easyrsa sign-req client client

Je zou de volgende uitvoer moeten zien:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1c  28 May 2019


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Sep  5 12:28:25 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Kopieer vervolgens alle cliëntcertificaat en sleutel naar de map /etc/openvpn/client/:

cp pki/ca.crt /etc/openvpn/client/
 cp pki/issued/client.crt /etc/openvpn/client/
 cp pki/private/client.key /etc/openvpn/client/

Configureer OpenVPN Server

Al het benodigde certificaat en de sleutel voor server en client zijn nu gegenereerd. Vervolgens moet je een OpenVPN configuratiebestand maken. Je kunt het maken met het volgende commando:

nano /etc/openvpn/server.conf

Voeg de volgende inhoud toe:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Sla het bestand op en sluit het. Start dan de OpenVPN dienst met het volgende commando:

systemctl start [email protected]

Verifieer vervolgens de OpenVPN server met het volgende commando:

systemctl status [email protected]

Uitvoer:

? [email protected] - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 5040 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 1138)
   Memory: 1.7M
   CGroup: /system.slice/system-openvpn.slice/[email protected]
           ??5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.

Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server...
Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.

Installeer en configureer OpenVPN client

Log vervolgens in op het OpenVPN client systeem en installeer het OpenVPN pakket met het volgende commando:

apt-get install openvpn -y

Eenmaal geïnstalleerd maak je een nieuw configuratiebestand voor OpenVPN Client:

nano /etc/openvpn/client.conf

Definieer je server IP adres en je cliënt certificaat bestand zoals hieronder:

client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Sla het bestand op en sluit het. Kopieer dan al het cliëntcertificaat en sleutelbestand van de OpenVPN server naar het OpenVPN cliënt systeem met het volgende commando:

scp [email protected]:/etc/openvpn/client/ca.crt /etc/openvpn/
 scp [email protected]:/etc/openvpn/client/client.crt /etc/openvpn/
 scp [email protected]:/etc/openvpn/client/client.key /etc/openvpn/
 scp [email protected]:/etc/openvpn/ta.key /etc/openvpn/

Start vervolgens OpenVPN client service met het volgende commando:

systemctl start [email protected]

Nu kun je het nieuwe IP adres zien dat door OpenVPN server is toegewezen met het volgende commando:

ifconfig

Je zou de volgende uitvoer moeten zien:

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.102  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::a00:27ff:fe99:dc40  prefixlen 64  scopeid 0x20
        ether 08:00:27:99:dc:40  txqueuelen 1000  (Ethernet)
        RX packets 447  bytes 42864 (41.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 334  bytes 47502 (46.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 57  bytes 9754 (9.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57  bytes 9754 (9.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::52b5:a1d2:fa23:f51e  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 472 (472.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ga vervolgens naar het OpenVPN server systeem en controleer het OpenVPN log met het volgende commando:

tail -f /var/log/openvpn/openvpn.log

Je zou de volgende uitvoer moeten krijgen:

Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [_] Peer Connection Initiated with [AF_INET]192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> _/192.168.0.103:45700
Sun Sep 22 19:46:08 2019 _/192.168.0.103:45700 MULTI: primary virtual IP for _/192.168.0.103:45700: 10.8.0.6
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 SENT CONTROL [_]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Sep 22 19:46:09 2019 _/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Gefeliciteerd! je hebt met succes OpenVPN server en Client geïnstalleerd en ingesteld op Debian 10.