VPN is a good way to protect your cloud infrastructure from attacks. In the method below I will list down the step how to log in to your vpn machine and access the cloud LAN from you laptop.
I am using Debian on Google Cloud as an example. The setup process should be similar on other clouds. The cloud lan is in the network 10.240.0.0/16 and the vpn lan will be in the network 10.8.0.0/16.
- Setup firewall rules to allow connection to vpn machine:
Networks > your network (usually named default) > Firewall rules:
Create new: Name: VPN Traffic Source IP Ranges: 0.0.0.0/0 Allowed Protocols/Ports: tcp:1194 Target Tags: vpn
- Spawn a new debain machine, go to advanced and tag it vpn. Also enable IP Forwarding.
Log in and run this:
“sudo sysctl -w net.ipv4.ip_forward=1“
Make the same change in “/etc/sysctl.conf“
- Install openvpn:
sudo apt-get update sudo apt-get install openvpn
- Set up openvpn
-
Create a new directory with the command
sudo mkdir /etc/openvpn/easy-rsa/
. -
Copy the necessary files with the command
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
. -
Change the ownership of the newly copied directory with the command
sudo chown -R $USER /etc/openvpn/easy-rsa/
. -
Edit the file
/etc/openvpn/easy-rsa/vars
and change the variables listed below.
The variables to edit are:
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Uberlabs" export KEY_EMAIL="name@host.com" export KEY_CN="FooBar"
Once the file has been edited and saved, we’ll run several commands must be entered in order to create the certificates:
cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys sudo openvpn --genkey --secret ta.key sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
Client Certificates
The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:
change KEY_CN
in vars file everytime you create a new client cert, else you will notice that hostname.crt is of 0 bytes. Or you can use KEY_CN=someuniqueclientcn ./pkitool client1.
cd /etc/openvpn/easy-rsa/ source vars ./pkitool hostname
Files needed to setup client
-
/etc/openvpn/ca.crt
-
/etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).
-
/etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Open /etc/openvpn/server.conf and make the below change. SSH does not work properly in udp mode.
proto tcp server 10.8.0.0 255.255.0.0 push "route 10.240.0.0 255.255.0.0" #this is a change client-to-client
While udp is recommended by openvon but ssh was failing when I tried to ssh on some other hosts on the cloud.
Configure iptables to allow traffic from VPN to LAN
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
TIP: Restart openvpn every time you make a change in iptables they are not reflected instantly.
sudo service openvpn restart
Client setup:
Install openvpn on your laptop. Copy Sample client.conf to /etc/openvpn. Save the client files in /etc/openvpn/
proto tcp remote 146.148.64.124 1194 ca ca.crt cert roshan-home.crt key roshan-home.key
sudo service openvpn restart
sudo ifconfig in 30 seconds you will see a new vpn interface tun0. You should be able to ping 10.240.x.x and ssh.
Additional Debugging:
-
Use routing table info to see if it is set correctly route -n or netstat -rn
-
tcpdump to see if icmp packets are received tcpdump -i any icmp
-
netcat or telnet to see if vpn port is open
netcat -z -v 146.148.64.124 1194 telnet 146.148.64.124 1194
References:
-
http://www.linux.com/learn/tutorials/457103-install-and-configure-openvpn-server-on-linux
-
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
-
https://openvpn.net/index.php/open-source/documentation/howto.html#install
-
http://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
-
http://blog.kenyap.com.au/2012/07/txtdb-error-number-2-when-generating.html
Leave a Reply