Tech Tutorial: 334.4 Virtual Private Networks (VPN) #
Introduction #
In this tutorial, we’ll delve into the fundamental aspects of Virtual Private Networks (VPNs) in a Linux environment. VPNs are essential for creating secure connections over a public network, such as the internet. They enable users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
Exam Objective #
The objective of this section of the exam is to ensure candidates have a thorough understanding of setting up and configuring VPNs using various utilities available in Linux.
Key Knowledge Areas #
- Understanding VPN technologies (OpenVPN, WireGuard)
- Configuration and operation of VPNs
- Troubleshooting VPN connections
Utilities #
openvpn
wg
(part of WireGuard)
Step-by-Step Guide #
Setting Up OpenVPN #
OpenVPN is one of the most popular VPN solutions. It is an open-source VPN technology that supports a wide range of configurations.
1. Installation #
First, install the OpenVPN package on your Linux server. Depending on your Linux distribution, you can use one of the following commands:
# For Debian/Ubuntu
sudo apt-get install openvpn
# For CentOS/RHEL
sudo yum install openvpn
# For Fedora
sudo dnf install openvpn
2. Configuration #
You’ll need to configure both the server and client. Here’s how to set up a basic server configuration:
Generate Server and Client Certificates and Keys
- You can use EasyRSA for this task. Clone the EasyRSA repository and initiate a new PKI environment:
git clone https://github.com/OpenVPN/easy-rsa.git cd easy-rsa/easyrsa3 ./easyrsa init-pki ./easyrsa build-ca ./easyrsa gen-req server nopass ./easyrsa sign-req server server ./easyrsa gen-req client nopass ./easyrsa sign-req client client
Server Configuration File
- Create a server configuration file (
/etc/openvpn/server.conf
):
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 explicit-exit-notify 1
- Create a server configuration file (
Start the OpenVPN Service
- Enable and start the OpenVPN service:
sudo systemctl enable --now openvpn@server
3. Client Configuration #
- Transfer the client certificates and configuration file to the client machine.
- Use a similar configuration for the client, adjusting paths to the client keys and certificates.
Setting Up WireGuard #
WireGuard is a newer, simpler, and faster VPN solution that integrates well into the Linux kernel.
1. Installation #
# For Debian/Ubuntu
sudo apt install wireguard
# For CentOS/RHEL
sudo yum install wireguard-tools
# For Fedora
sudo dnf install wireguard-tools
2. Configuration #
Generate Keys
- Generate private and public keys for both server and client:
wg genkey | tee privatekey | wg pubkey > publickey
Create Configuration Files
- Server (
/etc/wireguard/wg0.conf
):
[Interface] Address = 10.200.200.1/24 ListenPort = 51820 PrivateKey = <server-private-key> PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] PublicKey = <client-public-key> AllowedIPs = 10.200.200.2/32
- Client (
/etc/wireguard/wg0.conf
):
[Interface] Address = 10.200.200.2/24 PrivateKey = <client-private-key> [Peer] PublicKey = <server-public-key> Endpoint = <server-ip>:51820 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25
- Server (
Start and Enable WireGuard
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
Conclusion #
Setting up VPNs on Linux using OpenVPN or WireGuard requires careful handling of keys and certificates, along with proper configuration and understanding of networking principles. Whether you choose OpenVPN for its robust feature set and widespread support or WireGuard for its simplicity and performance, both options provide secure and efficient means of connecting networks.