Installing a VPN on Ubuntu: setting up a VPN connection on Linux and the server side on Ubuntu Linux
A true virtual private network (VPN) is an encrypted tunnel between two networks that connects two trusted points. This is unlike HTTPS on the web, where the server accepts any client: only clients holding the proper access keys can connect to the VPN.
The term VPN has become very loose these days, with the appearance of "virtual private networks" that trust everyone and the proliferation of HTTPS. Many VPNs are commercial solutions with minimal configuration intended to give remote employees access, but not everyone trusts them. A private virtual network joins two networks into one, such as an office network and an employee's home network. The VPN server is needed so that the server and the client can authenticate each other.
Configuring mutual server and client authentication takes some work, which is where commercial solutions with a minimum of settings fall short. But setting up an OpenVPN server really isn't that hard. You will need two nodes on different networks for a test environment; for example, you can use several virtual machines or real servers. As you may have gathered, this article covers setting up OpenVPN on Ubuntu to create a complete private virtual network.
Both machines must have OpenVPN installed. It is a fairly popular program, so you can install it from the official repositories. We also need Easy-RSA to work with private keys. To install the programs on Ubuntu, use the following command:
sudo apt install openvpn easy-rsa
Both packages must be installed on both the server and the client; you will need them to configure the program. The first stage of the article, installing OpenVPN, is complete.
Setting up a certification authority
The first thing to do is create the right public key infrastructure on the server. We consider the server to be the machine users will connect to. Having your own CA has several advantages: it makes it easy to distribute and manage keys, and you can, for example, revoke client certificates on the server. You also no longer need to store every client certificate; the server only needs to verify that a certificate was signed by the CA. Instead of a full key infrastructure, you can use static keys if you only need to grant access to a few users.
Please note that all private keys must be kept in a safe place. In OpenVPN, the public key is called a certificate and has the .crt extension, and the private key is called a key, with the .key extension.
First, create a folder to store the Easy-RSA certificates. OpenVPN is configured by hand, so the folder can be placed anywhere:
sudo mkdir /etc/openvpn/easy-rsa
Then copy all the Easy-RSA scripts to this folder, switch to a root shell and go to the folder (sudo -i changes to root's home directory, so change into the folder afterwards):
sudo cp -R /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
sudo -i
# cd /etc/openvpn/easy-rsa/
# source ./vars
# ./clean-all
# ./build-ca
With the first command we switch to a root shell; then we load the environment variables from the ./vars file. The ./clean-all command creates the keys folder if it does not exist and clears its contents. The last command initializes our certificate authority and asks for the certificate fields. Now the CA certificate and key have appeared in the keys folder.
Configuring client certificates
On each client, place the Easy-RSA scripts in the same folder as on the server:
sudo mkdir -p /etc/openvpn/easy-rsa
sudo cp -R /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
Now we need to copy the CA certificate, the ca.crt file, into the /etc/openvpn/easy-rsa/keys folder on all clients. For example, let's fetch this file for our client from the server using scp:
sudo scp user@host:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/
Only now can you create the client's own private key and a certificate request:
sudo -i
# cd /etc/openvpn/easy-rsa/
# source ./vars
# ./build-req Sergiy
Please note that ca.crt must be in the keys folder, otherwise nothing will work. The utility creates a private key (Sergiy.key) and a certificate request (Sergiy.csr); the request still has to be signed on the server before you can connect. Send the resulting .csr file to the server with the same scp:
scp /etc/openvpn/easy-rsa/keys/Sergiy.csr user@host:~/
Then, on the server, put the request into the keys folder and sign it from the /etc/openvpn/easy-rsa folder (sign-req looks for the .csr in the keys folder):
sudo -i
# cp ~/Sergiy.csr /etc/openvpn/easy-rsa/keys/
# cd /etc/openvpn/easy-rsa/
# source ./vars
# ./sign-req Sergiy
You must confirm the signing of the certificate. The program then reports that it has been signed and added to the database. The Sergiy.crt file appears in the keys folder next to the .csr, and it must be returned to the client machine:
sudo scp user@host:/etc/openvpn/easy-rsa/keys/Sergiy.crt /etc/openvpn/easy-rsa/keys/
Only after that do the server and client have all the keys needed to connect and establish communication. A few settings remain. The server also needs its own certificate and key, created on the server with ./build-key-server server after source ./vars. If you plan to use TLS mode, you also need to create a Diffie-Hellman parameter set on the server; for this, use the Easy-RSA ./build-dh script in the same folder.
OpenVPN setup
Now let's set up the OpenVPN server. By default the OpenVPN configuration folder is empty; you create the files yourself depending on what you are configuring, the server or the client. Sample OpenVPN configuration files can be found in /usr/share/doc/openvpn/examples/sample-config-files/. First, let's create a config file for the server:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
You need to configure a few parameters here:
port and proto - port and protocol used by the program;
port 1194
proto udp
All created keys must be registered in the configuration file. Our keys are stored in /etc/openvpn/easy-rsa/keys: the CA certificate, the server's own certificate and key (created with ./build-key-server server), and the Diffie-Hellman parameters from ./build-dh (the file name depends on KEY_SIZE in vars):
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
We configure the range of addresses for the virtual network, our server will be available on the first of them - 10.8.0.1:
server 10.8.0.0 255.255.255.0
After completing the configuration, save the changes to the file, you can either paste all this configuration yourself or edit the example file. Ready working server settings:
port 1194
proto udp
comp-lzo
dev tun
# CA certificate, then the server's own certificate and key (./build-key-server server)
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# shared HMAC key (openvpn --genkey --secret ta.key), copied to every client;
# key-direction is 0 on the server and 1 on the clients
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
Now create the client configuration file on the client from the sample:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf
You can create multiple client configuration files to connect to different servers. Open the configuration file and change the following parameters in it:
remote - this is your OpenVPN server address, the address and port must match those configured on the server, for example:
remote 194.67.215.125 1194
ca - the CA certificate you received from the certificate authority; we placed it in the /etc/openvpn/easy-rsa/keys/ folder.
cert and key - the client's public and private keys, with which you connect to the server. As you remember, we saved them in the same /etc/openvpn/easy-rsa/keys/ folder.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
The rest of the settings can be left as they are. Here is the complete configuration file that you can copy:
client
dev tun
proto udp
remote 194.67.215.125 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 1
comp-lzo
verb 3
Save the settings; the client is now ready to connect. Please note that the two configuration files must agree as closely as possible: an option present in one file and missing from the other can lead to errors. This does not mean the files are identical, but the basic OpenVPN parameters (protocol, port, compression, tls-auth) should be the same on both sides. Now just run OpenVPN on this machine with this config file:
sudo openvpn --config /etc/openvpn/client.conf
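As an added example (not from the original article), here is a small POSIX shell checker for the point above: it compares a server.conf and a client.conf for the options that have to agree, namely proto, dev, the port named in the client's remote line, comp-lzo on both sides or on neither, and tls-auth present on both sides with key-direction 0 on the server and 1 on the client. The configuration files it writes are constructed for the demonstration, and the check_openvpn_pair, opt and has functions are this example's own, not OpenVPN options.

```shell
#!/bin/sh
# Added example: compare an OpenVPN server.conf and client.conf for the options
# the article says must agree. Function and file names are this example's own.

# opt FILE OPTION -> prints the value(s) after OPTION on its first occurrence
opt() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# has FILE OPTION -> succeeds if OPTION occurs as a directive in FILE
has() {
    awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1"
}

# check_openvpn_pair SERVER.CONF CLIENT.CONF
# Prints one line per mismatch; returns 0 if the pair is consistent, 1 otherwise.
check_openvpn_pair() {
    srv=$1; cli=$2; rc=0
    # proto and dev must be identical on both sides
    for k in proto dev; do
        if [ "$(opt "$srv" $k)" != "$(opt "$cli" $k)" ]; then
            echo "mismatch: $k server='$(opt "$srv" $k)' client='$(opt "$cli" $k)'"; rc=1
        fi
    done
    # the port in the client's "remote HOST PORT" must be the server's listening port
    sport=$(opt "$srv" port)
    cport=$(opt "$cli" remote | awk '{ print $2 }')
    if [ "${sport:-1194}" != "${cport:-1194}" ]; then
        echo "mismatch: port server='$sport' client remote port='$cport'"; rc=1
    fi
    # compression must be enabled on both sides or on neither
    if has "$srv" comp-lzo; then s=1; else s=0; fi
    if has "$cli" comp-lzo; then c=1; else c=0; fi
    if [ "$s" != "$c" ]; then
        echo "mismatch: comp-lzo server=$s client=$c"; rc=1
    fi
    # tls-auth: both sides or neither, key-direction 0 on the server and 1 on the client
    if has "$srv" tls-auth || has "$cli" tls-auth; then
        if ! has "$srv" tls-auth || ! has "$cli" tls-auth; then
            echo "mismatch: tls-auth configured on only one side"; rc=1
        else
            sdir=$(opt "$srv" tls-auth | awk '{ print $2 }')
            cdir=$(opt "$cli" tls-auth | awk '{ print $2 }')
            if [ "$sdir" != "0" ] || [ "$cdir" != "1" ]; then
                echo "mismatch: tls-auth key-direction server='$sdir' client='$cdir' (expected 0 and 1)"; rc=1
            fi
        fi
    fi
    return $rc
}

# write_samples DIR: constructed sample configs for the demonstration,
# a consistent server/client pair and a client with three deliberate mismatches
write_samples() {
    printf 'port 1194\nproto udp\ndev tun\ncomp-lzo\n' > "$1/server.conf"
    printf 'tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0\nserver 10.8.0.0 255.255.255.0\n' >> "$1/server.conf"
    printf 'client\ndev tun\nproto udp\nremote 194.67.215.125 1194\ncomp-lzo\n' > "$1/client.conf"
    printf 'tls-auth /etc/openvpn/easy-rsa/keys/ta.key 1\n' >> "$1/client.conf"
    printf 'client\ndev tun\nproto tcp\nremote 194.67.215.125 1194\n' > "$1/client-broken.conf"
}

# stand-alone run
d=$(mktemp -d)
write_samples "$d"
check_openvpn_pair "$d/server.conf" "$d/client.conf" && echo "client.conf: consistent with server.conf"
check_openvpn_pair "$d/server.conf" "$d/client-broken.conf" || echo "client-broken.conf: mismatches found"
rm -r "$d"
```

On a real pair of machines, run it with the two files side by side (copy the client's file to the server, or the other way round) before starting OpenVPN; every line it prints corresponds to an error you would otherwise only find in the verb 3 output of one of the two programs.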
Done, everything now works; if you run ifconfig, you will see that a tun0 interface has been added.
You can also ping 10.8.0.1, the address we configured for our OpenVPN server; the ping packets should go through. If packets do not arrive, or something else does not work, look at the output of both programs for errors or warnings, and make sure the server's firewall allows incoming UDP on port 1194. You can also start the server or the client with the verbosity in the config raised to a maximum of verb 9; very often this shows why something is not working. Traffic cannot yet be routed through the tunnel, though. For that you need to enable forwarding and add some iptables rules. First, allow packets to transit the server (to keep the setting across reboots, put the same option in /etc/sysctl.conf):
sysctl -w net.ipv4.ip_forward=1
Then add rules like these. We allow everyone to connect to our server on the OpenVPN port:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
Allow OpenVPN users to reach the Internet through the server's external interface (eth0 here; substitute your own):
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Note that the second FORWARD rule lets any traffic arriving on eth0 reach the VPN clients; on a server with a public address it is safer to limit that rule to reply traffic with -m conntrack --ctstate RELATED,ESTABLISHED.
Conclusions
In this article we looked at how to install and configure OpenVPN on Ubuntu, and how to configure OpenVPN for key-based authentication. Private virtual networks can be very useful not only in organizations but also, say, for exchanging data between two of your own computers or for improving network security.
UPDATE: As of Sierra, macOS no longer supports PPTP VPN. This answer is not valid for macOS Sierra clients and others.
PPTP via PoPToP is easy:
apt-get install pptpd
Edit /etc/pptpd.conf and set remoteip to a value on your network that is NOT served by your DHCP server.
Edit /etc/ppp/chap-secrets and add a username and password, e.g.:
vpnuser pptpd vpnpassword *
That's all it takes to install PPTP. Now test it with your OS X client.
Jay _silly_evarlast_ Wren
WARNING: PPTP IS AN INSECURE PROTOCOL! Not only has the encryption been breached, but it sends your authentication in clear text and is easily intercepted. It has been estimated that the amount of time required to brute-force the password is roughly equivalent to the time required to brute-force a single DES key. Consider using OpenVPN or another VPN architecture instead of PPTP!
Qasim answered 06/10/2013 at 04:09 PM
The other answers on this thread were only partial answers in my case. Here is what worked for me on Ubuntu 12.04.3
sudo apt-get install pptpd
Add the following to /etc/pptpd.conf: (The IP addresses don't matter; these are only the IP addresses for your ppp0 interface.)
localip 10.0.0.1
remoteip 10.0.0.100-200
Add DNS servers to /etc/ppp/pptpd-options:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
Enable IP forwarding
sudo vim /etc/sysctl.conf
Uncomment this line:
net.ipv4.ip_forward=1
sudo sysctl -p /etc/sysctl.conf
Modify /etc/ppp/chap-secrets and add the VPN user in this format:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
username        pptpd   supersecretpassword     *
Restart PPTP
service pptpd restart
Run ifconfig and find your default interface, in my case it was br0 (I changed it to allow virtual machines on my physical machine to share the interface. It will probably be en0)
iptables backup:
iptables-save > ~/iptables.save
Now make the iptables changes, using your default interface as shown by ifconfig.
From time to time, active Internet users need to set up a secure, encrypted, anonymous connection, often with the IP address replaced by one from a particular country. A technology called VPN handles this task. The user only needs to install the necessary components on the PC and make the connection; after that, the network is accessible with the changed address.
Developers of VPN servers and client programs also serve owners of computers running the Linux-based Ubuntu distribution. Installation does not take much time, and there are many free or cheap solutions available. Today we would like to look at three working ways of setting up a private secure connection in this OS.
Method 1: Astrill
Astrill is one of the free programs with a graphical interface that is installed on the PC and automatically replaces the network address with a random one or one chosen by the user. The developers promise a choice of more than 113 servers, security and anonymity. Downloading and installing is quite simple:
- Go to Astrill's official website and select the Linux version.
- Select a suitable build. For owners of one of the latest 64-bit Ubuntu versions, the DEB package is fine. Once selected, click "Download Astrill VPN".
- Save the file to a convenient location, or open it directly in the standard application for installing DEB packages.
- Click the "Install" button.
- Confirm with your account password and wait for the procedure to complete. For alternative ways of adding DEB packages to Ubuntu, see our other article at the link below.
- The program has now been added to your computer. It remains only to launch it by clicking the corresponding icon in the menu.
- During the download you should have created an account; in the Astrill window that opens, enter your details to log in.
- Choose the best server for the connection. If you need a specific country, use the search bar.
- This software can work with various tools for establishing a VPN connection in Ubuntu. If you are unsure which to choose, leave the default.
- Start the connection by moving the slider to "ON", and go to work in the browser.
- Notice that a new icon has appeared on the taskbar. Clicking it opens the Astrill control menu, where you can not only change the server but also configure additional parameters.
This method is the best choice for novice users who have not yet figured out the subtleties of configuring and working in the operating system's "Terminal". For the purposes of this article, Astrill has been presented only as an example. On the Internet you can find many similar programs that provide more stable and faster servers, but they are often paid.
It should also be noted that popular servers are periodically overloaded. We recommend reconnecting to other servers located as close as possible to your country. Then the ping will be lower, and the speed of sending and receiving files can increase significantly.
Method 2: System Tool
Ubuntu has built-in VPN connectivity. However, you still have to find one of the publicly available working servers, or buy access through any convenient web service that provides it. The whole connection procedure looks like this:
- Click the "Connection" button on the taskbar and select "Settings".
- Go to the "Network" section using the menu on the left.
- Find the VPN section and click the plus button to create a new connection.
- If your service provider gave you a file, you can import the configuration from it. Otherwise, all data has to be entered manually.
- The "Identification" section contains all the required fields. In the "General" section, enter the provided IP address in the "Gateway" field, and in "Additional" the username and password you received.
- There are also additional parameters, but they should only be changed on the recommendation of the server owner.
- In the picture below you see examples of free servers that are publicly available. Of course, they are often unstable, overloaded or slow, but this is the best option for those who do not want to pay for a VPN.
- After creating the connection, all that remains is to activate it by moving the corresponding slider.
- For authentication, enter the server password in the window that appears.
- You can also manage the secure connection from the taskbar by left-clicking the corresponding icon.
The method using the standard tool is good in that it does not require the user to install additional components, but you still have to find a free server. Nothing stops you from creating several connections and switching between them when needed. If you are interested in this method, we advise you to take a closer look at paid solutions. They are often good value, since for a small amount you get not only a stable server but also technical support in case of problems.
Method 3: Own server via OpenVPN
Some companies that provide encrypted connection services use OpenVPN technology, and their clients install the appropriate software on their computers to establish a secure tunnel. Nothing prevents you from creating a server yourself on one PC and configuring the client part on others to get the same result. Of course, the setup procedure is quite involved and takes time, but in some cases it is the best solution. We suggest you read the Ubuntu server and client installation guide at the following link.
You are now familiar with three options for using a VPN on a PC running Ubuntu. Each option has its own advantages and disadvantages and will be optimal in certain situations. We advise you to familiarize yourself with all of them, decide what you want such a tool for, and only then follow the instructions.
Instructions
Check whether PPP support exists in your operating system kernel. The easiest way is to look at the values of the options with the CONFIG_PPP prefix in the current kernel configuration file. It is usually installed in the /boot directory and has a name starting with config. Find the file name with the command
ls /boot
or
ls /boot | grep conf
Print the lines you want with cat, filtering them with grep. For example:
cat /boot/config-2.6.30-std-def-alt15 | grep PPP
Examine the lines containing the CONFIG_PPP, CONFIG_PPP_ASYNC and CONFIG_PPP_SYNC_TTY options. If there is no # symbol in front of them, the corresponding functionality is supported (a value of m means an external module, a value of y means it is built into the kernel).
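Added example, not part of the original instructions: a shell function that reads a kernel configuration file and reports, for a given CONFIG_PPP option, whether it is built in (=y), a module (=m), explicitly disabled (a "# ... is not set" line) or absent, plus a report over the three options named above. The kernel config it parses is a constructed excerpt; the function names are this example's own.

```shell
#!/bin/sh
# Added example: report PPP support from a kernel configuration file.
# Function names are this example's own.

# ppp_status FILE OPTION -> prints builtin, module, disabled or absent
ppp_status() {
    awk -v k="$2" '
        $0 == ("# " k " is not set") { print "disabled"; found = 1; exit }
        index($0, k "=") == 1 {
            v = substr($0, length(k) + 2)
            print (v == "y" ? "builtin" : (v == "m" ? "module" : v))
            found = 1; exit
        }
        END { if (!found) print "absent" }' "$1"
}

# ppp_available FILE -> succeeds if CONFIG_PPP is built in or available as a module
ppp_available() {
    case "$(ppp_status "$1" CONFIG_PPP)" in
        builtin|module) return 0 ;;
        *) return 1 ;;
    esac
}

# ppp_report FILE: the three options the instructions tell you to examine
ppp_report() {
    for o in CONFIG_PPP CONFIG_PPP_ASYNC CONFIG_PPP_SYNC_TTY; do
        printf '%-22s %s\n' "$o" "$(ppp_status "$1" "$o")"
    done
}

# write_kernel_config_sample FILE: constructed excerpt in /boot/config-* format
write_kernel_config_sample() {
    printf '%s\n' 'CONFIG_PPP=m' 'CONFIG_PPP_BSDCOMP=m' 'CONFIG_PPP_ASYNC=m' \
        '# CONFIG_PPP_SYNC_TTY is not set' 'CONFIG_PPP_MPPE=m' > "$1"
}

# stand-alone run on the sample (point it at /boot/config-$(uname -r) on a live system)
f=$(mktemp)
write_kernel_config_sample "$f"
ppp_report "$f"
ppp_available "$f" && echo "PPP: supported"
rm -f "$f"
```

The exact-match test for the "is not set" form matters: a plain grep for CONFIG_PPP also hits CONFIG_PPP_ASYNC, CONFIG_PPP_MPPE and the rest, which is why the function anchors on the option name followed by "=".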
Check whether the client software for establishing VPN connections is installed on the system. The required package usually has a name starting with pptp. Use apt-cache with the search option to find the package in the available repositories, and rpm with the -qa option to check whether the package is installed.
When working in a graphical environment, it may make sense to use programs such as synaptic.
Install the missing software. Use an appropriate package manager (apt-get, rpm in the console, synaptic in a graphical environment, etc.). If you installed the ppp package with kernel modules to support the appropriate protocol, restart your computer.
Try configuring the VPN with configuration scripts such as pptp-command or pptpsetup. They are often included in VPN client software packages. For help on the command-line parameters of these utilities, run them with the --help option. For example:
pptpsetup --help
If no configuration scripts have been installed, proceed to the next step to manually configure the VPN.
Create the /etc/ppp directory (if it does not already exist) with a file named chap-secrets. Open the file in a text editor and add a line like this to it:
LOGIN SERVER PASSWORD *
The LOGIN and PASSWORD values are the username and password; they must be provided by your VPN service provider. Replace SERVER with an arbitrary connection name or *.
Create the /etc/ppp/peers directory. In it, create a file with the same name as the SERVER value from the previous step (or an arbitrary name if * was specified). Edit this file to add information like:
pty "pptp SERVER --nolaunchpppd"
name LOGIN
ipparam SERVER
remotename SERVER
lock
noauth
nodeflate
nobsdcomp
The LOGIN and SERVER values here are the same as in the chap-secrets step above. This completes the VPN configuration on Linux.
Having covered the theory in the previous parts, let's move on to a practical implementation. Today we will look at creating a PPTP VPN server on the Ubuntu Server platform. This material is intended for readers with Linux skills, so we will not dwell on things described in our other articles, such as network configuration. If you run into difficulties, study our other materials first.
We'll start our practical acquaintance with VPN with PPTP, which is the easiest to implement. Keep in mind, however, that it is a weakly secured protocol and should not be used to access critical data.
Consider the diagram of the setup we built in our test lab for a practical acquaintance with this technology:
We have a local network 10.0.0.0/24 with a terminal server at 10.0.0.2 and a host at 10.0.0.1 that will act as the VPN server; for the VPN we have reserved the 10.0.1.0/24 network. The server's external interface has a notional dedicated IP address X.X.X.X. Our goal is to give remote clients access to the terminal server and the shared resources on it.
PPTP server setup
Install the pptpd package that implements the PPTP VPN functionality:
sudo apt-get install pptpd
Now let's open the file /etc/pptpd.conf and set the basic settings for the VPN server. Go to the very end of the file, where we specify the server's address in the VPN network:
localip 10.0.1.1
And the range of addresses to hand out to clients:
remoteip 10.0.1.200-250
At least as many addresses must be allocated as the maximum number of simultaneous connections, preferably with a small margin, since the range cannot be enlarged without restarting pptpd. We also find and uncomment the line:
bcrelay eth1
This lets VPN clients receive broadcast packets from the internal network.
You can also use the listen and speed options: the first specifies the IP address of the local interface on which to listen for incoming PPTP connections, the second the speed of VPN connections in bps. For example, let's make the server accept PPTP connections only on the external interface:
listen X.X.X.X
Finer settings live in the file /etc/ppp/pptpd-options. The defaults suit our requirements, but we will briefly review some of them so that you have an idea of their purpose.
The #Encryption section is responsible for data encryption and authentication. These options forbid the legacy, insecure PAP, CHAP and MS-CHAP protocols and require MS-CHAPv2 with 128-bit MPPE:
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
The next section, #Network and Routing, is where you should pay attention to the ms-dns option, which lets clients use a DNS server on the internal network. This is useful when the network has a domain structure, or a DNS server that knows the names of all the PCs on the network, so that computers can be reached by name and not only by IP. In our case this option is not needed and is commented out. Similarly, the ms-wins option sets the WINS server address.
Here too is the proxyarp option, which, as you might guess from the name, enables the server's Proxy ARP support.
The #Miscellaneous section contains the lock option, which limits each client to one connection.
User accounts are added to /etc/ppp/chap-secrets, one per line (client, server, secret, allowed IP addresses):
ivanov * 123 *
petrov * 456 10.0.1.201
The first entry allows the user ivanov to connect to the server with the password 123 and assigns him an arbitrary IP address; the second creates the user petrov with the password 456, who will be assigned the fixed address 10.0.1.201 on connection.
Restart pptpd:
sudo /etc/init.d/pptpd restart
Important note! If pptpd will not restart and hangs on start, while /var/log/syslog gets the line "long config file line ignored", be sure to add a line break at the end of /etc/pptpd.conf.
Our server is ready to go.
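Added example (not from the original article): a shell script that catches the pptpd.conf problems described above before the daemon is restarted. It checks that localip and remoteip are set on uncommented lines, that the remoteip range actually provides enough addresses for the expected number of simultaneous connections, and that the file ends with a newline, the missing-trailing-newline case being what produces the "long config file line ignored" message. The sample configs are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check /etc/pptpd.conf before restarting pptpd.
# Function names and sample files are this example's own.

# pptpd_opt FILE OPTION -> value of the first uncommented OPTION line (empty if none)
pptpd_opt() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# ends_with_newline FILE -> succeeds if the file is non-empty and its last byte is \n
# ($(...) strips a trailing newline, so the substitution is empty exactly in that case)
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# remoteip_count RANGE -> number of client addresses in a pptpd remoteip value,
# e.g. "10.0.1.200-250", "10.0.1.200-10.0.1.250" or "10.0.1.10,10.0.1.20-25"
remoteip_count() {
    echo "$1" | tr ',' '\n' | awk -F'[.-]' '
        NF == 8 { n += $8 - $4 + 1; next }   # a.b.c.N-a.b.c.M
        NF == 5 { n += $5 - $4 + 1; next }   # a.b.c.N-M
        NF == 4 { n += 1 }                   # single address
        END { print n + 0 }'
}

# check_pptpd_conf FILE [CLIENTS]: report missing localip/remoteip, too few
# addresses for CLIENTS simultaneous connections, and a missing final newline.
# Returns 0 if everything is fine, 1 otherwise.
check_pptpd_conf() {
    f=$1; want=${2:-1}; rc=0
    for k in localip remoteip; do
        if [ -z "$(pptpd_opt "$f" $k)" ]; then
            echo "$f: $k is not set"; rc=1
        fi
    done
    range=$(pptpd_opt "$f" remoteip)
    if [ -n "$range" ] && [ "$(remoteip_count "$range")" -lt "$want" ]; then
        echo "$f: remoteip $range gives $(remoteip_count "$range") addresses, fewer than $want"; rc=1
    fi
    if ! ends_with_newline "$f"; then
        echo "$f: no trailing newline (pptpd logs 'long config file line ignored' and hangs)"; rc=1
    fi
    return $rc
}

# write_pptpd_samples DIR: constructed configs, one good and two broken
write_pptpd_samples() {
    printf 'localip 10.0.1.1\nremoteip 10.0.1.200-250\nbcrelay eth1\n' > "$1/good.conf"
    printf 'localip 10.0.1.1\nremoteip 10.0.1.200-250' > "$1/no-newline.conf"
    printf '# localip 10.0.1.1\nremoteip 10.0.1.200-205\n' > "$1/commented.conf"
}

# stand-alone run, expecting up to 10 simultaneous clients
d=$(mktemp -d)
write_pptpd_samples "$d"
for c in good no-newline commented; do
    check_pptpd_conf "$d/$c.conf" 10 && echo "$d/$c.conf: OK"
done
rm -r "$d"
```

On the server, run check_pptpd_conf /etc/pptpd.conf N with N set to the number of clients you expect; a non-zero exit means something in the list above needs fixing before service pptpd restart.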
Configuring Client PCs
Further, depending on the structure of the network, you need to specify static routes and the default gateway. These questions were discussed in detail in the previous parts.
We establish a VPN connection and try to ping any PC in the local network; we got access to the terminal server without any difficulty:
In general, it is enough to configure the VPN connection with the default options. However, we advise you to explicitly specify the connection type and disable the encryption protocols you do not need.
Now for another important addition. In most cases, computers on the local network will be reachable only by IP address, i.e. the path \\10.0.0.2 will work, but \\SERVER will not. This can be inconvenient and unfamiliar for users. There are several ways to solve this problem.
If the local network has a domain structure, it is enough to point the VPN connection's DNS server at the domain controller's DNS server. Use the ms-dns option in /etc/ppp/pptpd-options on the server, and clients will receive the setting automatically.
If there is no DNS server in the local network, you can create and use a WINS server; information about it can also be passed to clients automatically with the ms-wins option. Finally, if there are few remote clients, use the hosts file on the client PCs (C:\Windows\System32\drivers\etc\hosts), adding a line for each server name and its IP address.