Appendix C. Configuring a Separate VPN Server

Command examples for CentOS are listed below. For other operating systems, use the equivalent commands.

To configure a separate VPN server

1. Switch to an account with administrative access to the system:

$ su

2. Install the EPEL repository:

# yum install epel-release

3. Install OpenVPN and the Easy-RSA utility:

# yum install openvpn easy-rsa

4. Change to the directory where the Easy-RSA utility is installed:

# cd /usr/share/easy-rsa/3

5. Initialize the PKI (public key infrastructure):

# ./easyrsa init-pki

6. Create the root certificate authority (CA):

# ./easyrsa build-ca

7. At the Enter New CA Key Passphrase prompt, set the passphrase that will be required whenever the CA signs a certificate.

8. Generate a certificate request for the server, without a password on the server key:

# ./easyrsa gen-req server nopass

9. Sign the server request with the CA:

# ./easyrsa sign-req server server

10. Enter the CA passphrase if one was set in step 7.

11. Generate the Diffie-Hellman parameters (dh.pem):

# ./easyrsa gen-dh

12. Copy the created files to the OpenVPN server directory:

# cp pki/ca.crt /etc/openvpn/ca.crt

# cp pki/dh.pem /etc/openvpn/dh.pem

# cp pki/issued/server.crt /etc/openvpn/server.crt

# cp pki/private/server.key /etc/openvpn/server.key

13. Generate the TLS control channel encryption key:

# openvpn --genkey --secret /etc/openvpn/tc.key

14. Generate the key and certificate for the OpenVPN client (vxcube):

# ./easyrsa gen-req vxcube nopass

# ./easyrsa sign-req client vxcube

15. Copy the client key and certificate (vxcube.key, vxcube.crt) and the CA certificate (ca.crt) to the directory with the Dr.Web vxCube distribution kit (directory ~/confs). The files are located at:

/usr/share/easy-rsa/3/pki/private/vxcube.key

/usr/share/easy-rsa/3/pki/issued/vxcube.crt

/etc/openvpn/ca.crt

16. Create the OpenVPN config file:

# nano /etc/openvpn/server/server.conf

Values:

port 1194

proto udp

dev tap

ca /etc/openvpn/ca.crt

cert /etc/openvpn/server.crt

key /etc/openvpn/server.key

dh /etc/openvpn/dh.pem

server 10.42.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

comp-lzo

user nobody

group nobody

persist-key

persist-tun

status openvpn-status.log

log-append /var/log/openvpn.log

verb 1

17. Start the server:

# systemctl start openvpn-server@server.service

18. Make sure that the server is running and listening on port 1194:

# netstat -tulnp | grep 1194

19. Make sure that IP forwarding is enabled on the server:

# nano /etc/sysctl.conf

Add the line:

net.ipv4.ip_forward = 1

20. Force sysctl to re-read the configuration:

# sysctl -p /etc/sysctl.conf

21. Make sure that no other services accept connections on the external interface, or that access to them is blocked by the system firewall settings:

# netstat -nlpt

22. If there are such services, add a rule to block access to them from the VPN tunnel:

# iptables -A INPUT -i tap0 -j DROP

23. Configure masquerading for packets from the VPN tunnel subnet to the default (external) interface:

# iptables -t nat -A POSTROUTING -s 10.42.0.0/24 -o eth0 -j MASQUERADE
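The procedure above writes a server.conf by hand (step 16) and only checks afterwards that the daemon is listening (step 18). The script below is an added example, not part of the Dr.Web vxCube appendix or of OpenVPN itself: a small lint that reads a server.conf before step 17 and reports the settings a reviewer would question in the step 16 values. It assumes the key from step 13 is meant to be referenced with the tls-crypt directive (the appendix generates tc.key but the config shown never mentions it), and it treats comp-lzo as a finding because compressing encrypted traffic leaks information about the plaintext through packet sizes (the VORACLE class of attacks). The helper names check_conf, count_findings, write_sample_conf and harden_conf are hypothetical; the sample config is a constructed copy of the step 16 values.

```shell
#!/bin/sh
# Added example, not from the Dr.Web vxCube appendix: lint an OpenVPN
# server.conf before starting the service. Assumption: the control channel
# key from step 13 is meant to be used via tls-crypt.

# check_conf FILE: print one finding per line. Always returns 0 so it can be
# called under `set -e` and piped into wc.
check_conf() {
    conf="$1"

    # 1. ca/cert/key/dh must be present and use absolute paths; relative
    #    paths resolve against the unit's working directory and are a common
    #    cause of "cannot open file" errors at startup.
    for d in ca cert key dh; do
        p=$(awk -v d="$d" '$1 == d { print $2 }' "$conf")
        if [ -z "$p" ]; then
            echo "missing directive: $d"
        else
            case "$p" in
                /*) ;;
                *)  echo "relative path: $d $p" ;;
            esac
        fi
    done

    # 2. The key generated in step 13 only protects the TLS handshake if the
    #    config actually references it.
    if ! grep -Eq '^(tls-crypt|tls-auth)[[:space:]]' "$conf"; then
        echo "tc.key not referenced: add tls-crypt /etc/openvpn/tc.key"
    fi

    # 3. Compression of encrypted traffic (comp-lzo / compress) leaks
    #    plaintext information through packet sizes (VORACLE).
    if grep -Eq '^(comp-lzo|compress)' "$conf"; then
        echo "compression enabled: remove comp-lzo/compress"
    fi

    # 4. Privilege drop after startup; without it the daemon keeps root.
    grep -Eq '^user[[:space:]]+nobody' "$conf" || echo "no privilege drop: user nobody"
    grep -Eq '^group[[:space:]]+(nobody|nogroup)' "$conf" || echo "no privilege drop: group nobody"

    return 0
}

# count_findings FILE: number of findings as a bare integer.
count_findings() {
    check_conf "$1" | wc -l | tr -d ' '
}

# write_sample_conf FILE: constructed copy of the step 16 values.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.42.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 1
EOF
}

# harden_conf IN OUT: the two changes that clear the findings on the sample:
# drop compression and reference the step 13 key with tls-crypt.
harden_conf() {
    sed '/^comp-lzo/d' "$1" > "$2"
    echo 'tls-crypt /etc/openvpn/tc.key' >> "$2"
}

# Demo: lint the constructed config, then its hardened variant.
tmp=$(mktemp)
tmp2=$(mktemp)
write_sample_conf "$tmp"
echo "--- findings for the step 16 config:"
check_conf "$tmp"
harden_conf "$tmp" "$tmp2"
echo "--- findings after hardening: $(count_findings "$tmp2")"
rm -f "$tmp" "$tmp2"
```

To lint the real file instead of the constructed sample, call `check_conf /etc/openvpn/server/server.conf` after step 16; an empty report means the four checks passed, not that the config is complete. The relative names ipp.txt and openvpn-status.log in the step 16 values are deliberately not flagged: the openvpn-server@ unit runs with /etc/openvpn/server as its working directory, so they resolve there.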