OpenVPN in Linux
Virtual Private Network in Linux, 1 H 45 M
See a step-by-step configuration of an Ubuntu-based OpenVPN server shown in AWS and Ubuntu, along with common problems and troubleshooting techniques.
Install / Configure OpenVPN in Linux
Episode Description
In this episode, Justin and Daniel discuss some of the prerequisites for using OpenVPN, such as the following: updating and upgrading the EC2 instance, modifying the security group to allow access, obtaining a sample configuration file, and modifying the configuration file.
Welcome to ITProTV, I'm your host, Don Pezet. [CROSSTALK] [MUSIC] >> You're watching ITProTV. >> Greetings, everyone, and welcome to another exciting episode of ITProTV. I'm your host Justin Dennison, and in today's episode, well, we're gonna install and configure OpenVPN in a Linux server or a Linux instance, however you wish to describe them. And luckily, we have the man with the plan in the studio with us, Mr. Daniel Lowrie. How are you doing today, Daniel? >> Man, I'm doing great, this is actually gonna be a lot of fun. Looking forward to doing this episode because, let me tell you what I needed to do this, install OpenVPN. Get a VPN connection going on for another show that I'm working on. And, I was like, that'll be simple. That'll be an easy thing, and then I realized I've never done it before, I never needed to at least not this way, right. And it was extremely difficult, and there was a lot of stumbling blocks. And I thought, man, this'll probably make a really great show. So I thought, let's throw that into tech skill and see who salutes on that flagpole. So here we are today with OpenVPN inside of Linux. Let me set the stage for you just a little bit. Basically what I'm working with is Ubuntu 16.04, it is inside of AWS. It is just a T2 micro, I believe, very simple Linux installation. A lot of what we're gonna look at today is going to be Ubuntu or Debian based system specific. Although a lot of it will transfer over too if you're running a Red Hat type of system. There are a few caveats on that, so consult your documentation, or just Google it out there on the web. Maybe I'll come back and we'll do a Red Hat specific one, if I feel so inclined. But, we are gonna walk you from soup to the nuts, taking you from basically logging in to our Linux instance out in AWS. Getting the server configured, generating keys, generating configurations for the server, generating keys for the client.
Copy them over to the client, and then getting that client installed and running. And if we have time, we'll also look at a little bit of troubleshooting. Just some trouble that I'd run across when I was working with this, some mistakes that I made. And I thought, you know what, you guys might benefit from that as well. So I'll throw that on the heap if we can get to it. >> Now, Daniel, I'm actually kind of looking forward to the troubleshooting if we have time for it because it's something that tends to be very frustrating to me. I'm like this should work, what part did I miss? What did I miss? And it could even be, well I found great documentation for a Red Hat flavor Linux. But I really need a Debian based Linux, or that's all I have available to me. So there's some stumbling blocks there, so I'd be interested to see that. But ultimately, it doesn't matter to troubleshoot if we don't actually get anything installed and configured in the first place. >> Yeah, it's totally true. Justin hit the nail on the head. I found myself doing the exact same thing, where I'm staring at it going, why is this not working? What am I missing, what key is not in the right place, what tumbler is not falling to make this thing work? So troubleshooting is always a benefit to see it done in real life land. So even if we can't make the same [LAUGH] errors before, I'll take a look at some of the errors that I saw so that we can work our way through it. They probably are typical because I found very quickly that I wasn't the only one that had the same problem. So, all right, that being said, let's get started. Right, let's go ahead and jump into my machine. I am logged into the AWS console. I'm on EC2 dashboard right here. Very nice. I've got a couple of instances running. This is the first instance that I actually built this on. And then I have this one which I just spun up. It's a brand new instance, right? I've got my public IP address right there.
Obviously, this is accessible from the Internet. And you can think of a myriad of ways, or reasons on why you would need a public facing VPN server, I sure know I can. Just if you wanna contact your home network from work, and not have to worry about anybody sniffing that traffic. Boom, there you go, it's a great reason to use something like this. So very cool, got all that, it is up and running. That is kind of a caveat, it needs to actually run. And make sure your status check's all okay, there's no problems with it. This thing's ready to go. Now the first thing we need to do is log in with SSH, which I have actually already done, here we are. You can see that my prompt has changed. Right here I'm logged in as root at my IP address, and I am in /home/ubuntu. Just a word of advice, if you've never done AWS stuff before, we've got a whole bunch of AWS content here at ITProTV. So check that out if you need some help getting that up and running. That is a bit of assumed knowledge, but it's not that difficult. And if you've never used it before and you're an Amazon customer, well guess what? You can play with it for a year, for free. So this is stuff that you can do that's a lot of fun. Get you into the cloud and start working with cloud-based stuff. So I like that. I like being able to spin stuff up in the cloud instead of having to build everything as a Virtual Server locally to my machine. Because you never know when you need that public facing IP address or just something that's not local to your machine taking up resources. So just keep that in mind. The first thing I did when I logged into this was update and upgrade, right? So this instance in Ubuntu, you do your good old, I got it right here I believe, there you go. Apt-get update and if you do &&, it's basically a logical operator. Also apt-get upgrade. So apt-get update to check for new packages, and then apt-get upgrade to actually install them. Do that first, okay? 
Make sure that the server is nice and secure, there's no running vulnerabilities. We wanna make sure you guys aren't getting smoked. Remember, public facing Internet stuff. >> Now Daniel, just as a reminder. I've actually had an experience. If you don't do the update, if you have to install in it. Let's say I wanna throw up nginx and start a web server or something, it won't actually let me install anything. It'll say, I don't know what you're talking about. So the first update, in my experience is necessary for actual aptitude, to know what you're talking about when you say apt-install, blah, blah, blah. So always do that, but especially do that because of the security updates that are typically hiding around there all the time. >> Yeah, it's fun. I do security just a little wee bits and that's exactly what I'm looking for if I'm a bad guy. I'm looking out there and going, I was able to scan this machine and it's lo to glory be, it's right there on the Internet for me, and it has this open and this open and this open. And I did some banner grabbing, and that's running an older service there. I can look for a known vulnerability and see if I can exploit it that way. So, best thing to do is just upgrade everything, it's a fresh, clean install so might as well, right? All right, let's move on. The next thing we need to do is modify the security group in AWS. Again if you need to know a great deal about security groups in AWS jump over to our Amazon web services content, check that out. All that is in there, I think Don did most of that if not all of it. He knows that stuff stone cold, and you're learning from the best, that's definitely for sure. But basically a security group is where we configure the networking and fire-walling and things of that nature, all right? So let's jump back over to that. So, what I wanna do is, the easy way to get to it for me is I click on my instance. 
You'll notice I have my instance right here, and I have it selected down here in the bottom you see Security groups. I'm sorry, that kinda jumping over there. Right there, you have Security groups, and there's the security group. I can just click on that and it will take me to Security groups. Another good way to get to it is from over here on the side, there is Network and Security, and you can click Security Groups. You can get there. But, I would then have to guess, well which one is the security group I'm in? Well, it's already right here in front of me, so I just have to click on it if I wanna make some changes. So I'll just click on there, launch wizard 11. I just went with the defaults install, I didn't use a security group that I've already created. Just makes things easy, everything's clean, right? So now we wanna touch on this inbound area, because we're gonna be accepting inbound connections that we need to. And there is something interesting, there's only one port open on this. It's right here, SSH, TCP, port 22 from anywhere in the world. That's so that wherever I'm at if I'm at a cafe somewhere, I'm in McDonald's doing whatever and I wanna log in I can. I can SSH into it regardless what network that I'm on so but we need to make some changes here we gotta poke some holes in the firewall so that we can allow the VPN service to have connections come in, right? So let's do that. All we have to do is click the edit button here. And what we're gonna do is we're gonna change this. I'm sorry, we're gonna add a rule, and then we're gonna change this type to Custom UDP. Now, OpenVPN does run on TCP and UDP. But for simplicity's sake, I'm just going with UDP cuz that's the defaults and it does work. So, there you go. So I'm gonna add a custom UDP rule, so that changes the protocol for me to UDP. Now I'm gonna say what's the port or port range. If it's just one port, it's port 1194. Like so, just type that in, and then move on over here to Source.
Remember, we wanna be able to access this from anywhere, so we're going to, hey, how about that? Anywhere, click that in there, you'll notice it does give us both the IPv4 and IPv6. Types of anywheres. 0.0.0.0, I think I've got enough zeroes in there. Slash zero, lots of zeroes. And then of course, the IPv6 ::/0. That looks good. I now just have to hit save. And now I have my two custom UDP rules. It does split it up for whatever reason, but that's fine. AWS does what AWS does. And, but our ports are right, the UDP port 1194 cuz that is our default. >> Now, Daniel, I've got a quick question, you said OpenVPN will work on TCP, or UDP, is there an advantage of choosing one over the other, or just going with the default just to make things a little nicer, so we don't have to worry about it? >> Yeah, I am going with the default to make things run smoothly for this episode, the show, because I just want things to go. I don't wanna have a bunch of hiccups. TCP will be a probably more stable connection, but UDP will probably be a little bit faster, so if you're seeing a slow, you can use whatever you like. Go for broke. If you see some slowness in your TCP connection, maybe change it to UDP and see if that doesn't speed things up. So usually, that's what typically you'll hear about. All right, so we've got our rules in place, we've done our updates, what is the next thing we need to do? Well, guess what? We are up at that point where we're installing OpenVPN. We're also gonna install another piece of software as well called Easy-RSA. Let me get out of here. OpenVPN, that's our software that will help us actually serve up OpenVPN connections. But Easy-RSA will help us create the keys, the certificate authority, all the other great stuff that we need in place so that we can have a VPN. Remember, this is all cryptography PKI, good stuff, right? Public key infrastructure, public key infrastructure, or whatever you'd like to name it.
We gotta have all that in place and set up, in Windows, if you've ever done it, it's actually pretty simple. But in Linux, people look at that black box and say, typing, typing's no fun, but, it's not that bad. It's actually pretty simple. So, let's get it installed. I'm going to run. You'll notice, I am logged in as root, typically security, the boxes don't log in as root. I have su'd into root. I logged in as the standard user ubuntu. I am using a key pair that generated, when I created so it's not a password enabled thing. And only ubuntu can log in from SSH. So I'm pretty secure but I need to elevate my privileges a lot. Instead of doing a bunch of sudo's and forgetting one, I just went ahead and su'd. Cuz I know I'm gonna be doing a lot of administrative tasks. I would suggest that as well. As soon as you are done, drop your privileges, go back to your standard ubuntu user who is a sudo user there. And then we should be just fine. So that caveat aside, you can sudo if you like, but I like to su cuz I'm doing a lot of administrative tasks. So here we go. What do we need to do when we install the OpenVPN and the Easy-RSA software? So I'm just gonna say apt-get install open-vpn and easy SRSA. Just, I'm sorry it's not dash vpn. I got easy. There we go. That should look a little better. We going, okay we found the packages, would you like to do this, I hit yes, and it's off to the races. This shouldn't take very long, it all depends on your network connectivity obviously. But looks like I'm already done, right? Very, very simple. I like how it says, we're starting the VPN service, but it's not running or something's going on here. No VPN is running. Well that's good, that's fine, just wanted the service installed and now that should be done. I got no errors, if you have errors you're gonna wanna check maybe network connectivity, maybe you got a repository, something like that is not where it should be.
But this is a standard install from AWS and it finds it just fine, so you should have the same thing. If you're using Digital Ocean or any other cloud-based service, you're probably gonna have a very similar experience. Okay, let's move on here. Where are we at? So we got everything. The next thing we're gonna want to do is extract a sample server config file. The cool thing is, is that OpenVPN when you install it has a bunch of configuration files and they have sample ones that you can basically just copy and paste into wherever you like, typically that's the /etc/openvpn area of your world to play around with. It has a bunch, it's very well commented. They did a great job over at OpenVPN to help you figure out what each thing does, and why you would or would not do it. So let's do that, let's copy that over. So. I can cd into usr slash share, this is where it resides, doc slash openvpn. There we go. Example slash sample dash config, dash files. I don't know if I typed that correctly, Examples, the examples. That's the problem. It wasn't tab auto completing, it was like, no sir, that's not right. I think that'll work for us. There we go. So I just, I just kind of changed into that directory so that we can see what's in it and play around. It's probably full of stuff. There you go. A couple of cool things in here, but the one thing we're definitely looking for is this guy right here, server.conf.gz. So it's a gzipped file. We'll have to copy it and extract the files inside of that. So let's do that. Let's copy that to our /etc/openvpn directory. So let's do this, cp server.conf.gz /etc/openvpn/, there we go. Now we should be able to see into that directory, and hey look at that, there is server.conf.gz. Now it's time to extract it. I will just run good old gunzip, there we go. And it's -c server.conf. I think that should be good, there we go. I just let me do the extract. I think it's, what is it? >> I think it's x, isn't it? >> X, yeah, I think it is.
No, let's do man gunzip. [INAUDIBLE] Not the way to say it. Let's see here, extract. Extract the zip, [SOUND] let's go to the next one. Let's say, you know what I gotta do? I might have to put it into a file, that's cool, let's do that. That will be an easy way to do it. Bada bing. And just one into server.conf. And now, yeah, cuz I gotta take the stupid x out and put a c. Helps if you do it right, just saying. >> That it does, and this is one of those things that you were talking about the ease of Windows. I've never actually done this on Windows, but I've played around in Linux a little bit. People get frustrated at this point, but it's not really that, you mess up. That's all right, just man it, figure it out, it's totally fine. >> I thought you were gonna say, man up [LAUGH]. Yeah, the documentation is there, I could look through that. I don't have a ton of time for the show. I get confused a lot about, because I don't really do a lot of gunzipping to be honest with you. So I typically forget the argument it takes to extract it. That's fine. I know -c works, I just needed to work around the problem. And that's a great thing about Linux. I'm looking at the wrong screen here [INAUDIBLE]. But that's the great thing about Linux is there's a lot of different ways to do the same thing. And if you just use your head and a little bit of logic, you'll work around these things pretty simply. All right, so now we should have our file, do an ls. There we go, server.conf, you can cat that, server.conf. And there is the file. Again, it's just a flat file, a basic text-based file with a certain extension that OpenVPN is looking for in a certain directory. That's all there is to it. That's what I do like about this stuff, this configuration, like I said, very well documented. As you can see, super documentation going on here. Lots of stuff, all these hash marks is basically the comments inside of this. 
And you'll notice that there's a whole lot more hash marks than there are actual things like dev-node MyTap, right? But it tells you exactly, Windows needs the TAP-Win adapter name from the Network Connections panel if you have more than one. On XP SP2 or higher, you may need to selectively disable the Windows firewall for the TAP adapter. Non-Windows systems usually don't need this. So if you need that, you un-comment that, which would, it's interesting inside these files, the semicolon is also a type of commenting. So you can just remove that semicolon, and that would be enabled in our configuration file. That's what we're gonna use. We have it copied, we have it there. I'm going to remove that server.conf. I'll leave it there, cuz you never know, maybe we're gonna mess up something we need to clean. It's never bad to have a backup copy right where you need it, right? Okay, so let's move on. We're gonna make some changes in that configuration file. Use your editor of choice. I think, what the heck, I'll go with vi for this one. Why not, right? I love making things difficult for myself, even though I love vi. It was my first, right? It's my first. >> And I will tell you, if you get decently proficient at vi, or I use vim, or- >> Yeah. >> Flavors of vi. >> Well, I think that vi's an alias now. >> Yeah, yeah. >> I think technically, it is an alias for vim. You don't get the old style editor. But you can get pretty fast, pretty proficient. I can move around. >> He's quick. >> I can move around pretty good. >> I've been using this for years, and he is like smoke daddy. I never seen anything like it, so he's right. You can get very proficient when you spend a little time behind the keyboard. All right, so let's do this, vi server.conf. There we go. Go ahead and login. I do get some nice color coding, again, by default. Nice thing, right? So let's look at some lines that we need to change. I'm gonna go ahead and scroll around. We're going to look for the DH.
It's a very important file that we need to find. So, I'm just gonna scroll around. >> Now, Daniel, I'm gonna interject a little bit. >> Yeah. >> That color coding works well for you, but if you can make that text a little bit bigger, it kinda, I'm wondering if it might cause some visual issues on the screen. >> Well, I think we might be good. >> If we can just blow that up a little bit. >> I don't know if I can do it on the quick, but I don't know how to do it in a Mac. >> Cmd+Shift+Plus. >> God love them. There we go. How's that looking? Or more? >> Maybe just a wee, ah-ha, there we go. >> There we go. >> We got a little pop, so there we go. Thank you. >> Now, I learned something new. That's fun. I'm used to Linux. I'm in a Mac right now, so there you go. In Linux, it's Shift+Ctrl+plus, and Ctrl+minus to lower it down. Okay, so let's find that, I'm not really good at searching around. There it is, dh2048.pem. You wanna make sure that that is what that says. If it says, dh1024. Well, we're not gonna use, this is Diffie-Hellman algorithm. So we're not gonna use 1024. So, we're gonna use 2048, because why use the older scheme when we have the newer one that's available and it works? And it's very well supported. So let's do that. That's a good thing, make sure that's that way. We are going to do some uncommenting. [SOUND]. We need to look for push redirect-gateway def1 bypass-dhcp, which is coming up very shortly. Almost there, I'm gonna just start scrolling hard. There's some push commands. We like the push commands. Did I pass it? I think no, nothing yet, gotta find DHCP. There it is. So, notice again, it's commented out with the semicolon character, so we gotta get rid of that. I'll go into insert mode, say, hasta luego. Then the next thing we need to do is come down to these push dhcp-option DNS. It does have some DNS servers put in there. I'm sure they're fine.
I like using Google's servers, because they're accessible from anywhere and they work really well, so I will do that. Again, uncomment these, uncomment that one. And then just come over here and change these to whatever DNS server you want to use. So, I will go with 8.8.8.8, and this one will be, 8.8.4.4, I think, yep. 8.8.4.4. I forgot a dot, .4, .4 again. There we go. A lot of fun typing on the show, yeah, ladies and gents. Okay, so that's good, what else do we need to do? We need to do some more uncommenting. There's this interesting little area. That says, user and group nobody. We need to uncomment that. There they are right there. It's a good idea to reduce the OpenVPN daemon's privileges after installation. You can uncomment this out on non-Windows systems. Well, guess what, I'm using a Linux client and a Linux server. So I'm gonna uncomment this out. So just remove that. And what else do we need to do? I think that's everything. So the server.conf file is set up for our purposes right now. And I think I left in some issues, so that we can see some of that troubleshooting when we get to the end. So we will be revisiting this, because I like to throw that troubleshooting nugget on the fire there. So let's go ahead and save that. That is escape and :wq. And there we go. We have written the file and everything should be good. My file is still there. And that is a wonderful thing. That being said, I am looking at our clock, I think this is actually a very good stopping spot for us. Because we've got some more stuff to do and I don't wanna get you guys all bound up. Let me get this done. I think, this is a good segue spot. So we will leave the rest of the configuration to the next episode.
>> Well, Daniel, I think you've made a good decision, because there's minor little tweaks and nuanced behaviors here that it's probably really good to have this, make sure you're at a stopping point, and then we'll come back, because I know we have to do some firewall stuff and some other things like that. So thank you so much for getting us started. But we're definitely not finished, so definitely stay tuned. But for now, signing off for ITProTV, I've been your host Justin Dennison. >> And I'm Daniel Lowrie. >> And we'll see you next time. [MUSIC] >> Thank you for watching ITProTV.