VAPP VPN setup

Architecture

There are two virtual appliances. The first is an Application Delivery Controller (ADC) that performs load balancing and NAT traversal (we will call it NAT-T) between the public network and the DMZ; the second hosts the VPN component (we will call it SERVER VPN) between the DMZ and the intranet and gives access to the company's systems (see Figure 1). Easy-RSA is installed on SERVER VPN and is used to create and verify certificates. When a client wants to connect to the VPN it first reaches NAT-T, which exposes a public listener on port 45483. Every connection to that port is forwarded to port 1194 on SERVER VPN. SERVER VPN then checks the certificate presented by the client and, if it is valid, assigns the client an address in 10.8.0.X; from that moment the client can reach the corporate intranet. This architecture keeps the public and intranet environments completely separate, with the DMZ as a security buffer: only the NAT-T listener is exposed to the public network, and SERVER VPN, which also holds the CA private key, is never addressed directly from outside.

Figure 1: VPN

To keep the VPN available at all times, SERVER VPN can be duplicated; the copy must be given a different IP address from the first. Through the OPLON ADC balancer, if one SERVER VPN stops working for any reason, including maintenance, traffic is forwarded to the other SERVER VPN and business continuity is maintained (see Figure 2). Both instances must present certificates issued by the same CA: copy the Easy-RSA pki directory (or at least ca.crt, server.crt, server.key and dh.pem) to the second instance instead of building a second CA, otherwise clients that trust the first CA will reject the second server, and client certificates issued by one CA will not be accepted by the other. A failover does not carry sessions over: connected clients reconnect to the surviving instance and obtain a new 10.8.0.X address.

Figure 2: VPN balanced

Compatibility Matrix and Freeware License Sizing

The VaPP images available for direct download cover the most common virtualisation platforms on the market; other virtual images can be requested from Oplon by e-mail at customercare@oplon.net.

Images directly available from the site:

  • VMware ESXi 5.1 and later (base OS "Powered by CentOS")

  • VirtualBox, all versions (base OS "Powered by CentOS")

Virtual appliances are licensed for these resources:

  • CPU: max 2

  • RAM: max 5120MB

If you assign more resources than these, the appliance will not start.

First steps

Follow sections 4 to 12 of the LBL_VAPP_NATT_setup_ita.pdf manual, then continue here.

Certificate Authority (CA) Setup

Easy-RSA uses a set of scripts to generate keys and certificates. First you need to configure the CA. Log in to the command line of the SERVER VPN virtual appliance and change to /etc/openvpn/easy-rsa:

cd /etc/openvpn/easy-rsa

Then create a new file called vars with your preferred editor:

nano vars   (or: vi vars)

Add the following text, replacing the quoted values with your organisation's data. Because EASYRSA_DN is "cn_only", only the Common Name is written into the certificates; the EASYRSA_REQ_* values are used only if you switch to the "org" DN mode (in that case EASYRSA_REQ_COUNTRY must be a two-letter country code such as IT). The first line must read set_var EASYRSA "$PWD", variable name first and value second: with the two swapped, EASYRSA is still empty when vars is read, EASYRSA_PKI becomes /pki and every path easyrsa prints starts with /pki instead of /etc/openvpn/easy-rsa/pki.

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "Italy"
set_var EASYRSA_REQ_PROVINCE "Padua"
set_var EASYRSA_REQ_CITY "Padua"
set_var EASYRSA_REQ_ORG "OPLON CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "admin@oplon.net"
set_var EASYRSA_REQ_OU "OPLON EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "OPLON CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "/etc/openvpn/easy-rsa/x509-types"
set_var EASYRSA_SSL_CONF "/etc/openvpn/easy-rsa/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"

Save the file when finished. Run the following command to create the PKI directory structure:

./easyrsa init-pki

Output:

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Now create the CA certificate with the following command. You will be asked for a passphrase for the CA key: choose a strong one, because ca.key signs every certificate the VPN trusts, and you will have to enter it again at every sign-req.

./easyrsa build-ca

You'll get output similar to this:

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................+++++
..........................................................................................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
140218549745472:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name):

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

The two lines about .rnd are a harmless warning from OpenSSL 1.1.1: the optional seed file does not exist yet, and the key is generated from the operating system's random source regardless. The command produces two files, pki/private/ca.key and pki/ca.crt. ca.crt is public and is distributed to every server and client; ca.key signs the server and client certificates, is protected by the passphrase you entered, and must never leave SERVER VPN.

Generating the Server Certificate

Now you need to generate a key pair and a certificate request for the server. Run the following command to generate the files, named "server". The nopass option is appropriate here: the service must be able to read server.key at boot without anyone typing a passphrase.

./easyrsa gen-req server nopass

Output:

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019
Generating a RSA private key
...........................+++++
.....................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.kOlBTwtY6a'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

Sign the Server request using the CA

Now you need to sign the newly generated server request using the CA certificate by running the following command:

./easyrsa sign-req server server

Output:

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb 16 05:00:50 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Verify the newly generated certificate:

openssl verify -CAfile pki/ca.crt pki/issued/server.crt

If all is successful, you should get the following output:

pki/issued/server.crt: OK

Now generate the Diffie-Hellman parameters that the server uses for the TLS key exchange; the server configuration expects them in the file dh.pem next to the certificates. The file contains only public parameters, not a secret, so it does not need the same protection as the keys:

./easyrsa gen-dh

Output:

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+................................+........................................+.....++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Now copy the files you created into the directory /etc/openvpn/server/, where the server configuration expects them:

cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/server.key /etc/openvpn/server/
cp pki/issued/server.crt /etc/openvpn/server/

Only server.key is secret among these; ca.key stays in pki/private and is not copied anywhere.

Generate Client Certificates and Keys

Now generate the keys and certificate request for the clients. Use the client's name in place of "client" (we keep "client" here for simplicity) and issue one certificate per user or device, so that a single certificate can be revoked without affecting the others. The nopass option leaves client.key unencrypted on disk; omit it if you want the user to enter a passphrase at each connection:

./easyrsa gen-req client nopass

Output:

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019
Generating a RSA private key
......................................................+++++
...+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.e38GUtzHie'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key

You now sign the client request using the CA certificate:

./easyrsa sign-req client client

Output:

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Feb 16 05:11:19 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Now copy the CA certificate and the client's certificate and key into /etc/openvpn/client/:

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

client.key is the client's credential: hand it to the user over a secure channel (for example scp or an encrypted archive), never by plain e-mail, and delete the copy on SERVER VPN once it has been delivered. If a client key is lost or the user leaves, revoke its certificate with ./easyrsa revoke <name> followed by ./easyrsa gen-crl; the resulting pki/crl.pem is only enforced if the server configuration references it with the crl-verify directive.
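As an added example (not part of the Oplon manual and not Easy-RSA's own code), the following POSIX shell script performs the checks an administrator should run once both sign-req steps are done: that server.crt carries extendedKeyUsage serverAuth and client.crt clientAuth, that neither certificate is accepted in the other role, that each private key belongs to its certificate, and that the server certificate is not close to expiry. The function names (audit_pki, build_demo_pki, check, not) and the demo subject names are assumptions of this example. So that it runs stand-alone, build_demo_pki creates a throwaway CA, server and client with plain openssl, mirroring the extensions Easy-RSA's server and client x509-types apply; on SERVER VPN you would instead point audit_pki at pki/ca.crt, pki/issued/*.crt and pki/private/*.key.

```shell
#!/bin/sh
# Added example, not from the Oplon manual or from Easy-RSA: checks to run after
# "./easyrsa sign-req server server" and "./easyrsa sign-req client client".
# Assumed names: audit_pki, build_demo_pki, check, not. build_demo_pki is a
# stand-in that builds a throwaway CA, server and client with plain openssl,
# mirroring what Easy-RSA's server and client x509-types produce, so the script
# runs without Easy-RSA. On SERVER VPN call audit_pki with the real files:
#   audit_pki pki/ca.crt pki/issued/server.crt pki/private/server.key \
#             pki/issued/client.crt pki/private/client.key
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing checked" >&2; exit 0; }

# Succeeds when CERT chains to CA and is valid for PURPOSE (sslserver or sslclient).
# openssl rejects the purpose when the certificate's extendedKeyUsage does not list it.
cert_has_role() { # usage: cert_has_role CA PURPOSE CERT
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# Succeeds when KEY is the private half of the public key inside CERT.
key_matches_cert() { # usage: key_matches_cert CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when CERT is still valid N days from now (the manual issues 365-day certificates).
cert_valid_for_days() { # usage: cert_valid_for_days N CERT
    openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

not() { ! "$@"; }

# Prints ok/FAIL for one check and records failures in rc.
check() { # usage: check DESCRIPTION COMMAND [ARGS...]
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi
}

# Runs every check; returns non-zero if any of them failed.
audit_pki() { # usage: audit_pki CA SERVER_CRT SERVER_KEY CLIENT_CRT CLIENT_KEY
    ca=$1 scrt=$2 skey=$3 ccrt=$4 ckey=$5 rc=0
    check "server cert chains to CA and is a TLS server cert"   cert_has_role "$ca" sslserver "$scrt"
    check "server cert is NOT usable as a TLS client cert"      not cert_has_role "$ca" sslclient "$scrt"
    check "client cert chains to CA and is a TLS client cert"   cert_has_role "$ca" sslclient "$ccrt"
    check "client cert is NOT usable to impersonate the server" not cert_has_role "$ca" sslserver "$ccrt"
    check "server key matches server cert"                      key_matches_cert "$scrt" "$skey"
    check "client key matches client cert"                      key_matches_cert "$ccrt" "$ckey"
    check "client key does NOT match server cert"               not key_matches_cert "$scrt" "$ckey"
    check "server cert still valid in 30 days"                  cert_valid_for_days 30 "$scrt"
    return $rc
}

# Demo only: throwaway PKI with the same extensions Easy-RSA applies (ca, server, client types).
build_demo_pki() { # usage: build_demo_pki DIR
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo CA" \
        -config "$d/ext.cnf" -extensions ca -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$role" \
            -config "$d/ext.cnf" -keyout "$d/$role.key" -out "$d/$role.req" >/dev/null 2>&1
        openssl x509 -req -in "$d/$role.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -days 365 -sha256 -extfile "$d/ext.cnf" -extensions "$role" -out "$d/$role.crt" >/dev/null 2>&1
    done
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
build_demo_pki "$DEMO"
audit_pki "$DEMO/ca.crt" "$DEMO/server.crt" "$DEMO/server.key" "$DEMO/client.crt" "$DEMO/client.key"
```

The role checks are the security-relevant part: an OpenVPN client whose client.ovpn contains remote-cert-tls server refuses a peer whose certificate lacks serverAuth, so as long as client certificates are signed with sign-req client (and never with sign-req server), a user holding a client certificate cannot stand up a fake VPN endpoint that other clients would trust.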

Configure Server VPN

To configure the VPN on the server, open the file /etc/openvpn/server/server.conf and, on line 11 where "push" is written, replace the example network with the internal network you want to route to the clients (network address followed by its netmask):

push "route 192.168.1.0 255.255.255.0"

Save the file after making the change. You can add multiple push lines, one per network. The intranet hosts (or their gateway) must have a return route for 10.8.0.0/24 that points at SERVER VPN, or SERVER VPN must NAT the VPN traffic; otherwise replies to VPN clients are dropped and the tunnel comes up without reaching anything.

Run the VPN service

To start the VPN service now and at every boot, run the following commands:

systemctl start openvpn-server@server
systemctl enable openvpn-server@server

To verify that the VPN service has actually started, run:

systemctl status openvpn-server@server

You should get output like the following:

● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-02-17 00:29:26 EST; 39min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 32405 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 12552)
   Memory: 1.9M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─32405 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256->

Feb 17 00:29:26 100 systemd[1]: Starting OpenVPN service for server...
Feb 17 00:29:26 100 systemd[1]: Started OpenVPN service for server.

The line to look for is Status: "Initialization Sequence Completed": "active (running)" alone only means the process is up, not that it finished loading the certificates and opened its listener.

Once the VPN service is running, a network interface called tun0 is created automatically. You can verify it with the following command:

ifconfig

You should see the tun0 interface:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 100.245.36.127  netmask 255.255.255.0  broadcast 104.245.36.255
        inet6 fe80::200:68ff:fef5:247f  prefixlen 64  scopeid 0x20
        ether 00:00:68:f5:24:7f  txqueuelen 1000  (Ethernet)
        RX packets 1926738  bytes 314886412 (300.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174907  bytes 29557250 (28.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 216  bytes 40041 (39.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 216  bytes 40041 (39.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::4152:a673:b260:d9e6  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 304 (304.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
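The systemctl output above shows that the process writes a status file (--status /run/openvpn-server/status-server.log --status-version 2). As an added example (not part of the Oplon manual), the following POSIX shell script reads such a file to show which client certificates are connected right now, how many sessions are open, and whether the same certificate is in use from several places at once. Assumptions of this example: the comma-separated "status-version 2" layout, in which a HEADER,CLIENT_LIST line names the columns; the function names vpn_clients, vpn_client_count and vpn_shared_certs; and the sample status file, which is constructed for the example (10.0.1.10 stands for the DMZ address of NAT-T).

```shell
#!/bin/sh
# Added example, not from the Oplon manual: list the sessions currently open on
# SERVER VPN by reading the status file the openvpn process writes (the
# --status FILE --status-version 2 arguments in the systemctl output).
# Assumptions: the "status-version 2" layout (comma-separated, with a
# HEADER,CLIENT_LIST line naming the columns); the function names; and the
# sample status file below, which is constructed for this example.
set -u

# One line per session: common name, address seen by the server, VPN address, bytes in/out.
vpn_clients() { # usage: vpn_clients STATUS_FILE
    awk -F, '
        $1 == "HEADER" && $2 == "CLIENT_LIST" {
            # take column positions from the header instead of hard-coding them
            for (i = 3; i <= NF; i++) col[$i] = i - 1
            next
        }
        $1 == "CLIENT_LIST" {
            printf "%s %s %s %s/%s\n", $(col["Common Name"]), $(col["Real Address"]),
                $(col["Virtual Address"]), $(col["Bytes Received"]), $(col["Bytes Sent"])
        }' "$1"
}

# Number of open sessions.
vpn_client_count() { # usage: vpn_client_count STATUS_FILE
    vpn_clients "$1" | wc -l | tr -d ' '
}

# Common names with more than one session at once: the same client certificate is in
# use from several places, which OpenVPN only allows when duplicate-cn is set, so it is
# either a deliberately shared certificate or a copied one. Worth investigating either way.
vpn_shared_certs() { # usage: vpn_shared_certs STATUS_FILE
    vpn_clients "$1" | awk '{ n[$1]++ } END { for (cn in n) if (n[cn] > 1) print cn }'
}

# Constructed sample. Every Real Address is 10.0.1.10, the assumed DMZ address of NAT-T:
# when the ADC forwards connections, SERVER VPN may see the appliance, not the user's network.
STATUS=$(mktemp)
trap 'rm -f "$STATUS"' EXIT
cat > "$STATUS" <<'EOF'
TITLE,OpenVPN status (constructed sample)
TIME,Mon Feb 17 01:05:00 2020,1581919500
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,client,10.0.1.10:51234,10.8.0.6,,48211,912344,Mon Feb 17 00:40:12 2020,1581918012,UNDEF,0,0
CLIENT_LIST,mrossi,10.0.1.10:51302,10.8.0.10,,1220,3310,Mon Feb 17 01:01:40 2020,1581919300,UNDEF,1,1
CLIENT_LIST,mrossi,10.0.1.10:51377,10.8.0.14,,600,1400,Mon Feb 17 01:04:02 2020,1581919442,UNDEF,2,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,client,10.0.1.10:51234,Mon Feb 17 01:04:58 2020,1581919498
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF

echo "open sessions: $(vpn_client_count "$STATUS")"
vpn_clients "$STATUS"
echo "certificates in use from more than one place: $(vpn_shared_certs "$STATUS" | tr '\n' ' ')"
```

Note the Real Address column: because every connection arrives through the NAT-T appliance, the address SERVER VPN records may be the appliance's DMZ address rather than the user's own source address, depending on how the ADC forwards the connection. If you need to attribute a session to a source network, correlate the status file with the ADC's own connection log.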

Change the Client configuration

Inside the /etc/openvpn/client/ directory you will find a file called client.ovpn. Change line 4 so that it points at the public listener of the NAT-T virtual appliance (its public hostname or address and port 45483, not the address of SERVER VPN):

remote <NAT-T public address> 45483

Also change lines 6 and 7 to the names of the certificate and key you issued for this client:

cert client.crt
key client.key

Save the file.

Connect from the Client

On the client PC, download and install the OpenVPN client from https://openvpn.net/community-downloads/. Then copy all the files from the /etc/openvpn/client directory of SERVER VPN (client.ovpn, ca.crt, client.crt and client.key) into the folder C:\Users\<username>\OpenVPN\config. Start the OpenVPN client: an icon with a padlock appears in the Windows notification area. If it does not appear, look in Task Manager for a running OpenVPN process, end it and start the client again; the icon should now appear. Right-click the icon and choose Connect. If the following error appears:

ERROR: Windows route add command failed [adaptive]: returned error code 1

start the OpenVPN client as administrator (right-click its shortcut and choose "Run as administrator"): installing the routes pushed by the server requires elevated privileges.