Architecture
There are two Virtual Appliances, the first, an Application Delivery
Controller (ADC) that will perform LoadBalancing NAT-Traversal (which
we'll call NAT-T) between the public network and DMZ while the
other will contain the VPN component (which we will call SERVER VPN)
between the DMZ and the intranet, which will allow access to the
company's computer systems (see Figure 1).
Easy RSA has been installed within the latter, which will be used for
creating and verifying certificates.
When a client wants to connect to the VPN, it will first switch to
NAT-T who has a public listener listening in port 45483. All
connections to this port will be forwarded to SERVER VPN 1194. At
this point, we will check the certificate of the client that you want
to connect to the VPN and, if valid, SERVER VPN assign the client an
IP address of 10.8.0.X.
As soon as the client receives the IP assignment, they will be able to
access the corporate intranet.
This architecture allows you to completely separate the two public and
intranet environments using the DMZ as a security band.
Figure 1: Vpn
To ensure that the VPN remains up and running at all-time time, SERVER VPN can be duplicated and must be assigned a different IP address than the previous one. Through the OPLON ADC balancer if a SERVER VPN stops working for any reason, even for maintenance, traffic will be forwarded to the other SERVER VPN maintaining business continuity (see Figure 2).
Figure 2: VPN balanced
Compatibility Matrix and Freeware License Sizing
VaPP distributed and available directly from download are for the most popular virtual platforms on the market today, other virtual images can be requested to Oplon through email: customercare@oplon.net.
Images directly available from the site:
VMware Compatibility ESXi 5.1 and later (with basic OS "Powered by CentOS")
Virtual BOX all versions (with basic OS "Powered by CentOS")
Virtual appliances are licensed for these resources:
CPU: max 2
RAM: max 5120MB
If you assign multiple resources, the application delivery controller will not run the start
First steps
From LBL_VAPP_NATT_setup_ita.pdf manual, run paragraphs 4 to 12, and
then continue.
Certificate Authority (CA) Setup
Easy RSA uses a script set to generate keys and certificates.
First you need to configure the CA.
To do this, you need to access the Virtual Appliance command line
SERVER VPN and go to /etc/VPN server/easy-rsa by writing:
cd /etc/VPN server/easy-rsa
Then create a new file by calling it vars with the following command:
nano vars
or
vi vars
Add the following text by entering the information instead of the text written in red:
set_var "$PWD" EASYRSA
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "Italy"
set_var EASYRSA_REQ_PROVINCE "Padua"
set_var EASYRSA_REQ_CITY "Padua"
set_var EASYRSA_REQ_ORG "OPLON CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "admin@oplon.net"
set_var EASYRSA_REQ_OU "OPLON EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "No"
set_var EASYRSA_NS_COMMENT "OPLON CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "/etc/VPN server/easy-rsa/x509-types"
set_var EASYRSA_SSL_CONF "/etc/VPN server/easy-rsa/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Save the file when finished. Run the following command to create the PKI:
./easyrsa init-pki
Output:
Notes: using Easy-RSA configuration from: ./vars
complete init-pki; you may now create a CA or requests.
Your newly created PKI dir is: /pki
Now you need to create the CA certificate using the following command:
./easyrsa build-ca
You'll get output similar to this:
Notes: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................+++++
..........................................................................................................................................+++++
and is 65537 (0x010001)
Can't load /etc/VPN server/easy-rsa/pki/.rnd into RNG
140218549745472:error:2406F079:random number
generator:RAND_load_file:Cannot open
file:crypto/randfile.c:98:Filename//etc/VPN server/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/pki/ca.crt
The newly executed command generates two files called ca.key and ca.crt. These files will be used to sign server and client certificates.
Generating the Server Certificate
Now you need to generate a key pair and a certificate request for the server. Run the following command to generate the files by calling them "servers":
./easyrsa gen-req server nopass
Output:
Notes: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Generating a RSA private key
...........................+++++
...............................................................................................................................................................................................................................................................................................+++++
writing new private key to '/pki/private/server.key.kOlBTwtY6a'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /pki/reqs/server.req
key: /pki/private/server.key
Sign the Server request using the CA
Now you need to sign the newly generated server request using the CA certificate by running the following command:
./easyrsa sign-req server server
Output:
Notes: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this
request has not been cryptographically verified. Please be sure it came
from a trusted source or that you have verified the request checksum
with the sender.
Request subject, to be signed as a server certificate for 365 days:
subject-commonName - server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /pki/safessl-easyrsa.cnf
Enter pass phrase for /pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 16 05:00:50 2021 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /pki/issued/server.crt
Verify the newly generated certificate:
openssl verify -CAfile pki/ca.crt pki/issued/server.crt
If all is successful, you should get the following output:
pki/issued/server.crt: OK
Now, to add an extra layer of security, generate a Diffie-Hellman key that is used for key exchange:
./easyrsa gen-dh
Output:
Notes: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+................................+........................................+.....++*++*++*++*
DH parameters of size 2048 created at /pki/dh.pem
Now you have to copy all the files you created, inside the directory
/etc/VPN server/server/:
cp pki/ca.crt /etc/VPN server/server/
cp pki/dh.pem /etc/VPN server/server/
cp pki/private/server.key /etc/VPN server/server/
cp pki/issued/server.crt /etc/VPN server/server/
Generate Client Certificates and Keys
Now you need to generate the keys and certificate for the clients. First of all you generate the keys and the certificate request with, instead of "client", the name you want (we will use the word client for simplicity):
./easyrsa gen-req client nopass
Output:
Notes: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Generating a RSA private key
......................................................+++++
...+++++
writing new private key to '/pki/private/client.key.e38GUtzHie'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /pki/reqs/client.req
key: /pki/private/client.key
You now sign the client request using the CA certificate:
./easyrsa sign-req client client
Output:
Notes: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this
request
has not been cryptographically verified. Please be sure it came from a
trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 365 days:
subject-commonName - client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /pki/safessl-easyrsa.cnf
Enter pass phrase for /pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Feb 16 05:11:19 2021 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /pki/issued/client.crt
Now copy all the certificates and client keys to the /etc/VPN server/client/:
cp pki/ca.crt /etc/VPN server/client/
cp pki/issued/client.crt /etc/VPN server/client/
cp pki/private/client.key /etc/VPN server/client/
Configure Server VPN
To configure VPN within the server, open the file /etc/VPN server/server/server.conf and, in line 11, where "push" is written, replace the address in red with the internal address you want to route to.
push "route 192.168.1.0 255.255.255.0"
Save the file after making the change. You can add multiple push commands.
Run the VPN service
To start the VPN service, run the following commands:
systemctl start VPN server-server@server
systemctl enable VPN server-server@server
To verify that the VPN service has actually started, run:
server-server@server VPN status
You should get the following output:
- server@server VPN server service for server
Loaded: loaded (/usr/lib/systemd/system/VPN server-server@.service;
enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-02-17 00:29:26 EST; 39min Aug
Docs: man:VPN server(8)
https://community.VPN server.net/VPN server/wiki/VPN server24ManPage
https://community.VPN server.net/VPN server/wiki/HOWTO
Main PID: 32405 (VPN server)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 12552)
Memory: 1.9M
CGroup: /system.slice/system-VPN server-x2dserver.slice/VPN
server-server@server.service
└─32405 /usr/sbin/VPN server --status /run/VPN
server-server/status-server.log --status-version 2
--suppress-timestamps --cipher AES-256->
Feb 17 00:29:26 100 systemd[1]: Starting VPN server service for
server...
Feb 17 00:29:26 100 systemd[1]: Started VPN server service for server.
Once the VPN service is enabled, a network interface called tun0 will be automatically created. You can verify it with the following command:
ifconfig
You should see the tun0 interface:
eth0: flags -4163 mtu 1500
inet 100.245.36.127 netmask 255.255.255.0 broadcast 104.245.36.255
inet6 fe80::200:68ff:fef5:247f prefixlen 64 scopeid 0x20
ether 00:00:68:f5:24:7f txqueuelen 1000 (Ethernet)
RX packets 1926738 bytes 314886412 (300.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 174907 bytes 29557250 (28.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags-73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 216 bytes 40041 (39.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 216 bytes 40041 (39.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags-4305 mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::4152:a673:b260:d9e6 prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100
(UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 304 (304.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Change the Client configuration
Inside the /etc/VPN server/client/ directory you will find a file called
client.ovpn, change line number 4 by adding the public listener address
of the Virtual Appliance NAT-T:
Remote 0.0.0.0 45483
Also change row 6 and row 7 to the correct certificate and key name:
Cert Client.crt file
Key Client.key property
Save the file.
Connect from the Client
From client download and install SERVER VPN from the following link
https://VPN
server.net/community-downloads/.
Also download all files that are in the directory /etc/VPN server/client
server, C:\Users\<username>\VPN server\config folder.
Done this start SERVER VPN, a screen icon with a padlock will appear
in the windows bar. If it does not appear, check the windows processes
for a process that is called SERVER VPN, if you, close the process and
restart SERVER VPN, the icon should now appear.
Right-click the icon and then connect.
If the following error appears:
ERROR: Windows route add command failed [adaptive]: returned error code 1
Start SERVER VPN administrator.