Tech Tutorial: 334.4 Virtual Private Networks (VPN) #

Introduction #

In this tutorial, we’ll delve into the fundamental aspects of Virtual Private Networks (VPNs) in a Linux environment. VPNs are essential for creating secure connections over a public network, such as the internet. They enable users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Exam Objective #

The objective of this section of the exam is to ensure candidates have a thorough understanding of setting up and configuring VPNs using various utilities available in Linux.

Key Knowledge Areas #

• Understanding VPN technologies (OpenVPN, WireGuard)
• Configuration and operation of VPNs
• Troubleshooting VPN connections

Utilities #

• openvpn
• wg (part of WireGuard)

Step-by-Step Guide #

Setting Up OpenVPN #

OpenVPN is one of the most popular VPN solutions. It is an open-source VPN technology that supports a wide range of configurations.

1. Installation #

First, install the OpenVPN package on your Linux server. Depending on your Linux distribution, you can use one of the following commands:

# For Debian/Ubuntu
sudo apt-get install openvpn

# For CentOS/RHEL
sudo yum install openvpn

# For Fedora
sudo dnf install openvpn

2. Configuration #

You’ll need to configure both the server and client. Here’s how to set up a basic server configuration:

1. Generate Server and Client Certificates and Keys

   • You can use EasyRSA for this task. Clone the EasyRSA repository and initiate a new PKI environment:

   git clone https://github.com/OpenVPN/easy-rsa.git
   cd easy-rsa/easyrsa3
   ./easyrsa init-pki
   ./easyrsa build-ca
   ./easyrsa gen-req server nopass
   ./easyrsa sign-req server server
   ./easyrsa gen-req client nopass
   ./easyrsa sign-req client client
   

2. Server Configuration File

   • Create a server configuration file (/etc/openvpn/server.conf):

   port 1194
   proto udp
   dev tun
   ca ca.crt
   cert server.crt
   key server.key
   dh dh.pem
   server 10.8.0.0 255.255.255.0
   ifconfig-pool-persist ipp.txt
   push "redirect-gateway def1 bypass-dhcp"
   push "dhcp-option DNS 208.67.222.222"
   keepalive 10 120
   comp-lzo
   user nobody
   group nogroup
   persist-key
   persist-tun
   status openvpn-status.log
   verb 3
   explicit-exit-notify 1
   

3. Start the OpenVPN Service

   • Enable and start the OpenVPN service:

   sudo systemctl enable --now openvpn@server
   

3. Client Configuration #

• Transfer the client certificates and configuration file to the client machine.
• Use a similar configuration for the client, adjusting paths to the client keys and certificates.

Setting Up WireGuard #

WireGuard is a newer, simpler, and faster VPN solution that integrates well into the Linux kernel.

1. Installation #

# For Debian/Ubuntu
sudo apt install wireguard

# For CentOS/RHEL
sudo yum install wireguard-tools

# For Fedora
sudo dnf install wireguard-tools

2. Configuration #

1. Generate Keys

   • Generate private and public keys for both server and client:

   wg genkey | tee privatekey | wg pubkey > publickey
   

2. Create Configuration Files

   • Server (/etc/wireguard/wg0.conf):

   [Interface]
   Address = 10.200.200.1/24
   ListenPort = 51820
   PrivateKey = <server-private-key>
   PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
   
   [Peer]
   PublicKey = <client-public-key>
   AllowedIPs = 10.200.200.2/32
   

   • Client (/etc/wireguard/wg0.conf):

   [Interface]
   Address = 10.200.200.2/24
   PrivateKey = <client-private-key>
   
   [Peer]
   PublicKey = <server-public-key>
   Endpoint = <server-ip>:51820
   AllowedIPs = 0.0.0.0/0
   PersistentKeepalive = 25
   

3. Start and Enable WireGuard

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Conclusion #

Setting up VPNs on Linux using OpenVPN or WireGuard requires careful handling of keys and certificates, along with proper configuration and understanding of networking principles. Whether you choose OpenVPN for its robust feature set and widespread support or WireGuard for its simplicity and performance, both options provide secure and efficient means of connecting networks.