Thursday, May 21, 2009

Securing Your VOIP Connections with VPN (Installation and SetUp of OpenVPN)

In this tutorial I'll discuss how to install and set up OpenVPN.

What is a VPN anyway? VPN stands for Virtual Private Network. It is a network within a network: a VPN creates a virtual network that uses another network (e.g. the public internet) for transport. VPNs normally encrypt the data they send over the transport network. In other words, the data transmitted over the WAN is encrypted, and that is what protects your VoIP traffic from anyone listening on the path.

For instructions on how to install Asterisk, refer to my other tutorial on this blog (http://consciencespeaks.blogspot.com/2009/01/asterisk-installation.html).

Before going any further, here is a quick start on how to set up OpenVPN on the server. These are the steps:

1. Install the OpenVPN package. You can install it with yum or build it from source.

yum install openvpn

2. Copy configuration files.

cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/

3. Make all the files under the easy-rsa directory executable

chmod -R 755 /etc/openvpn/easy-rsa

4. CA configuration

cd /etc/openvpn/easy-rsa/
vi vars

then scroll to the bottom and edit the values to suit your organization. These become the defaults offered when you build the certificates.

export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=CALIFORNIA
export KEY_ORG="LINUX"
export KEY_EMAIL="rowell@mindragon.com"

. ./vars (note the space between the two dots: the first dot sources the file into your current shell)
./clean-all

5. Build CA

./build-ca

Generating a 1024 bit RSA private key
.........................++++++
........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [VIC]:
Locality Name (eg, city) [MELBOURNE]:
Organization Name (eg, company) [THROXVPN]:
Organizational Unit Name (eg, section) []:Throx
Common Name (eg, your name or your server's hostname) []:throx.net
Email Address [name@mail.com]:

Some of the information above was already entered in step 4 (the vars file supplies the defaults shown in brackets); just hit Enter to accept each default and move to the next line.

6. Next, build the server key and certificate, signed by the CA we just created

./build-key-server asteriskus

7. Build the Diffie-Hellman parameters

./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

(Wait until it finishes.)

8. Next, edit server.conf so that the ca, cert, key and dh directives point to the generated files. Note that the keys and certificates are located at /etc/openvpn/easy-rsa/keys; the paths in server.conf are relative to /etc/openvpn, which is where the init script runs OpenVPN from.

You should have something like this:

port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/asteriskus.crt
key easy-rsa/keys/asteriskus.key
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd ; we need this to give each connecting VPN client a fixed IP address

Save the file.

9. Next, generate the key and certificate for each connecting client.

./build-key asteriskph

Here you will be asked questions similar to those in step 5, but assign a different "Common Name" to each client. For instance, I assigned this client the common name asteriskph (we will use this later on).

This produces the following files in /etc/openvpn/easy-rsa/keys:

asteriskph.crt, asteriskph.key, asteriskph.csr

10. Now create the ccd directory, so that you have

/etc/openvpn/ccd

then, under that directory, create a file whose name equals the Common Name of the connecting client's certificate (the one we created in step 9).

So:

vi /etc/openvpn/ccd/asteriskph

then add this entry:

ifconfig-push 10.8.0.10 10.8.0.11 ; in this case the client will have the IP address 10.8.0.10 every time it connects to the VPN

11. Now start OpenVPN by issuing

/sbin/service openvpn start

12. Be sure to open UDP port 1194 on the firewall to allow connections (the server.conf above uses proto udp).

Next we will set up the VPN on the client side.

1. Download and install OpenVPN on the client

2. Copy the client key, csr and crt, together with ca.crt, from the OpenVPN server to the client machine. Use a secure channel such as scp for this, since the .key file is the client's private key.

3. Copy the client configuration file

cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/

4. Create a keys directory under /etc/openvpn, so that you have /etc/openvpn/keys

Copy or move the client's key, crt and ca.crt into that folder.

5. Edit the client.conf

You should have something like this:

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194 ; the public IP address of the remote OpenVPN server
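
The three configuration pieces built so far (server.conf from step 8, the ccd/<Common Name> file from step 10 on the server, and client.conf from step 5 here) have to agree with each other, and OpenVPN does not tell you loudly when they don't: a pushed address outside the server pool, a ccd file whose name does not match the certificate's Common Name, or a client dialing the wrong port all just produce a tunnel that never comes up. As an added example (not code from the original post), the Python script below parses the three files the way the tutorial writes them, inline ";" comments included, and reports inconsistencies. The sample configs are constructed to mirror the tutorial; the public IP 203.0.113.10 and the client-side ca/cert/key lines pointing into /etc/openvpn/keys are assumptions, and treating the client .crt base name as its Common Name assumes you named the file after the CN as in step 9.

```python
import ipaddress
import os

# Constructed sample of the tutorial's server.conf (step 8).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/asteriskus.crt
key easy-rsa/keys/asteriskus.key
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd ; fixed IP per client
"""

# Keyed by file name under /etc/openvpn/ccd, which must equal the client certificate's Common Name.
CCD_FILES = {
    "asteriskph": "ifconfig-push 10.8.0.10 10.8.0.11 ; client is always 10.8.0.10\n",
}

# Constructed client.conf; the remote IP and the ca/cert/key paths are assumptions.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 1194 ; placeholder public IP of the OpenVPN server
ca keys/ca.crt
cert keys/asteriskph.crt
key keys/asteriskph.key
"""


def parse_conf(text):
    """Parse OpenVPN config text into {directive: [args]}.

    Lines starting with '#' or ';' are comments, as is anything after ' ;' or ' #'
    inside a line (how the tutorial annotates its config). A repeated directive keeps
    its last occurrence, which is enough for the directives checked here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        for marker in (" ;", " #"):
            cut = line.find(marker)
            if cut != -1:
                line = line[:cut].rstrip()
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def check_setup(server_text, ccd_files, client_text):
    """Return a list of problems found; an empty list means the three pieces agree."""
    problems = []
    server = parse_conf(server_text)
    client = parse_conf(client_text)

    # 'server' defines the VPN pool; the server itself takes the first host address (10.8.0.1).
    try:
        net_addr, net_mask = server["server"]
        vpn_net = ipaddress.ip_network(f"{net_addr}/{net_mask}", strict=True)
    except (KeyError, ValueError) as exc:
        return [f"server.conf: bad or missing 'server' directive ({exc})"]

    if ccd_files and "client-config-dir" not in server:
        problems.append("server.conf: ccd files exist but client-config-dir is not set, so ifconfig-push is ignored")

    # Each pushed address must be inside the pool and must not collide with the server or another client.
    used = {vpn_net.network_address + 1}
    for cn, text in ccd_files.items():
        push = parse_conf(text).get("ifconfig-push")
        if not push or len(push) != 2:
            problems.append(f"ccd/{cn}: missing or malformed ifconfig-push")
            continue
        try:
            local, remote = (ipaddress.ip_address(a) for a in push)
        except ValueError:
            problems.append(f"ccd/{cn}: ifconfig-push arguments are not IP addresses: {push}")
            continue
        for addr in (local, remote):
            if addr not in vpn_net:
                problems.append(f"ccd/{cn}: {addr} is outside the VPN pool {vpn_net}")
        if local in used:
            problems.append(f"ccd/{cn}: {local} is already assigned (server or another client)")
        used.add(local)

    # The client must dial the port and protocol the server listens on.
    port = server.get("port", ["1194"])[0]
    proto = server.get("proto", ["udp"])[0]
    remote = client.get("remote", [])
    if len(remote) < 2 or remote[1] != port:
        problems.append(f"client.conf: remote port {remote[1:]} does not match server port {port}")
    if client.get("proto", ["udp"])[0] != proto:
        problems.append(f"client.conf: proto {client.get('proto')} does not match server proto {proto}")

    # ccd/<CN> only applies when the name equals the cert CN; the .crt base name is taken as the CN (assumption).
    cert_cn = os.path.basename(client.get("cert", [""])[0]).rsplit(".crt", 1)[0]
    if ccd_files and cert_cn not in ccd_files:
        problems.append(f"client.conf: no ccd file for CN '{cert_cn}', so no fixed address will be pushed")
    for name in ("ca", "cert", "key"):
        if name not in client:
            problems.append(f"client.conf: missing '{name}' directive")
    return problems


if __name__ == "__main__":
    for line in check_setup(SERVER_CONF, CCD_FILES, CLIENT_CONF) or ["configuration is consistent"]:
        print(line)
```

To use it against a real deployment, read the three files from /etc/openvpn/server.conf, /etc/openvpn/ccd/ and the client's /etc/openvpn/client.conf into the same three arguments; the ccd dictionary is keyed by file name precisely because OpenVPN looks the file up by the certificate's Common Name.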

6. Then start the OpenVPN client

/sbin/service openvpn start

7. To verify that your VPN client is running, issue

/sbin/ifconfig

and you should have something like:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.11 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4774 errors:0 dropped:0 overruns:0 frame:0
TX packets:4759 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:876230 (855.6 KiB) TX bytes:884454 (863.7 KiB)
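
When a client's tunnel comes up, the tun0 addresses should be exactly the pair pushed from the ccd file: inet addr is the first argument of ifconfig-push and P-t-P is the second. As an added example (not from the original post), the small Python checker below parses ifconfig output of the shape shown above and confirms the interface exists, is RUNNING, and carries the expected addresses, which is handy for a cron or monitoring script on the client. The sample output is constructed (real ifconfig indents the continuation lines, which the parser relies on); the interface name and expected addresses are those from this tutorial.

```python
import re

# Constructed sample, indented the way ifconfig really prints it.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.20  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.10  P-t-P:10.8.0.11  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4774 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4759 errors:0 dropped:0 overruns:0 carrier:0
"""


def interface_block(text, name):
    """Return the stanza for `name`: a non-indented header line plus its indented lines."""
    for block in re.split(r"\n(?=\S)", text):
        if block.startswith(name + " "):
            return block
    return None


def tun_status(text, name, expected_local, expected_remote):
    """Summarize one tunnel interface and whether it matches the addresses pushed by the server."""
    block = interface_block(text, name)
    if block is None:
        return {"present": False}
    local = re.search(r"inet addr:(\S+)", block)
    remote = re.search(r"P-t-P:(\S+)", block)
    flags = re.search(r"^\s*(UP\b.*?)\s+MTU:", block, re.M)
    rx = re.search(r"RX packets:(\d+)", block)
    tx = re.search(r"TX packets:(\d+)", block)
    status = {
        "present": True,
        "local": local.group(1) if local else None,
        "remote": remote.group(1) if remote else None,
        "running": bool(flags and "RUNNING" in flags.group(1).split()),
        "rx_packets": int(rx.group(1)) if rx else 0,
        "tx_packets": int(tx.group(1)) if tx else 0,
    }
    # True only when the tunnel is up with exactly the ifconfig-push pair from ccd/<CN>.
    status["as_pushed"] = (
        status["running"]
        and status["local"] == expected_local
        and status["remote"] == expected_remote
    )
    return status


if __name__ == "__main__":
    # On a live client replace SAMPLE_IFCONFIG with subprocess.check_output(["/sbin/ifconfig"], text=True).
    print(tun_status(SAMPLE_IFCONFIG, "tun0", "10.8.0.10", "10.8.0.11"))
```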

To verify the server side as well, issue the same command there; similar output should appear.

To verify further, ping the other end using its VPN IP address (e.g. ping 10.8.0.1; you should get replies):

[rowell@MDPHAsterisk openvpn]$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=202 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=203 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=204 ms

Now you have a running OpenVPN. Hope you find this stuff useful. Thanks, Cheers and God Bless!!!
