CHAPTER 12
Configuring Ubuntu Server As a VPN Server
Networking Securely over the Internet
If you need to connect securely to a server that is not on your site, one option is to
purchase a dedicated line. Unfortunately, dedicated lines are expensive. A cheap and
very common alternative is to configure a Virtual Private Network (VPN), a connection
between two sites or two computers that goes over the Internet. VPNs are available as
hardware appliances, but it is relatively easy to configure Linux as a VPN server.
Because the Internet by nature is an unsecured network, you have to implement
security measures when setting up a VPN. These security measures are applied by using
encryption. Several solutions are available to create a VPN. You are probably already
familiar with one of them: when you establish an SSH session with your server and start
a program on your server that displays its output on the local workstation, basically you
are using a VPN. However, an SSH VPN is not the most versatile VPN solution. A very
popular and versatile Linux VPN solution is OpenVPN, which uses functionality from the
OpenSSL package to ensure its security. In this chapter you’ll learn how to set up a VPN
that is based on OpenVPN.
Installing and Configuring OpenVPN
As with most software on Ubuntu Server, installing OpenVPN is not too hard: just run
apt-get install openvpn to download and install the software. The installation process
installs all software and also starts the openvpn daemon. You can manipulate the process
from its init scripts as well. For example, you can start it with
Before going any further, you should determine if you want to use a routed VPN or
a bridged VPN. OpenVPN offers both options. However, in most situations you will use
routing. Routing is easier to set up and offers better flexibility with regard to access
control. Bridging is useful only if you need to use very specific features of your VPN, such as
in the following cases:
• The VPN needs to handle protocols other than IP, such as IPX.
• You are running applications that rely on LAN broadcasts over the VPN.
• You want to browse to Windows shares without setting up a Samba or WINS naming server.
Generating Certificates
OpenVPN heavily relies on the use of certificates, so before you start to configure the
VPN, you should set up a public key infrastructure (PKI). Before the mutual trust that is
required on the VPN can be established, the server and client must exchange their PKI
certificates.
Note: Although this chapter refers to a client/server VPN setup, a VPN can also be established between
sites, in which case one site is configured as the client and the other is configured as the server.
In Chapter 11 you learned how to set up a certificate authority (CA). Because
OpenVPN has its own scripts to set up the complete PKI infrastructure, this chapter also
covers setting up the CA. If you already have a CA, you can skip this configuration and
proceed to creating certificates for the client and the server.
Configuring the Certificate Authority
By default, you’ll find the OpenVPN scripts that help you to build the CA and its keys in
the directory /usr/share/doc/openvpn/examples/easy-rsa/2

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

# This variable should point to
# the requested executables
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid. This will slow
Of these commands, the first two just clean up the current configuration and pass
to your current environment the variables you’ve set in /etc/openvpn/easy-rsa/vars. The
latter command generates the CA for you. Listing 12-2 gives an example of the output of
these commands.
Listing 12-2. Generating the Certificate Authority with the easy-rsa Scripts
root@mel:/etc/openvpn/easy-rsa# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@mel:/etc/openvpn/easy-rsa# ./clean-all
root@mel:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
.................................++++++
........................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NB]:
Locality Name (eg, city) [Roosendaal]:
Organization Name (eg, company) [sander]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [sanderCA]:
Email Address [mail@sander.fr]:

-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NB]:
Locality Name (eg, city) [Roosendaal]:
Organization Name (eg, company) [sander]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [mel]:
Email Address [mail@sander.fr]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :PRINTABLE:'NB'
localityName          :PRINTABLE:'Roosendaal'
organizationName      :PRINTABLE:'sander'
commonName            :PRINTABLE:'mel'
emailAddress          :IA5STRING:'mail@sander.fr'
Certificate is to be certified until Aug 24 07:46:42 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
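A way to check the outcome of the CA and server-certificate steps shown above, as an added example that is neither the book's text nor the easy-rsa scripts: it builds a throwaway CA and a certificate for mel with plain openssl, using the DN fields from the listing, and then verifies that the certificate chains to the CA, matches its private key and carries at least a 2048-bit key. It assumes openssl is installed and works in a temporary directory (a stand-in for $EASY_RSA/keys), so it never touches /etc/openvpn.

```shell
#!/bin/sh
# Added example: throwaway CA + server certificate built with plain openssl
# (the easy-rsa scripts do the same steps interactively), followed by the
# checks worth running on keys/ before OpenVPN is pointed at it.
set -eu

KEY_DIR=$(mktemp -d)            # stand-in for $EASY_RSA/keys (assumption)
KEY_SIZE=2048                   # the "paranoid" value from vars; 1024 is too weak today
SUBJ_BASE="/C=NL/ST=NB/L=Roosendaal/O=sander"   # DN fields from the listing

# build_ca: self-signed CA, equivalent to ./build-ca with the prompts pre-filled
build_ca() {
    openssl req -x509 -newkey rsa:$KEY_SIZE -nodes -days 3650 \
        -subj "$SUBJ_BASE/CN=sanderCA/emailAddress=mail@sander.fr" \
        -keyout "$KEY_DIR/ca.key" -out "$KEY_DIR/ca.crt" 2>/dev/null
}

# build_key_server NAME: CSR plus CA signature, like ./build-key-server NAME
build_key_server() {
    name=$1
    openssl req -new -newkey rsa:$KEY_SIZE -nodes \
        -subj "$SUBJ_BASE/CN=$name/emailAddress=mail@sander.fr" \
        -keyout "$KEY_DIR/$name.key" -out "$KEY_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$KEY_DIR/$name.csr" \
        -CA "$KEY_DIR/ca.crt" -CAkey "$KEY_DIR/ca.key" -CAcreateserial \
        -out "$KEY_DIR/$name.crt" 2>/dev/null
}

# check_cert NAME: returns 0 only if NAME.crt is signed by ca.crt, belongs to
# NAME.key (same RSA modulus) and carries a key of at least 2048 bits
check_cert() {
    name=$1
    openssl verify -CAfile "$KEY_DIR/ca.crt" "$KEY_DIR/$name.crt" >/dev/null 2>&1 || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$KEY_DIR/$name.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$KEY_DIR/$name.key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] || return 1
    bits=$(openssl x509 -noout -text -in "$KEY_DIR/$name.crt" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ]
}

build_ca
build_key_server mel
check_cert mel && echo "mel.crt verified against ca.crt in $KEY_DIR"
```

A certificate that was not issued by this CA, or one whose key does not match, makes check_cert return 1, which is the case to catch before copying the keys/ directory to a VPN endpoint.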