How to Install and Configure OpenVPN Server on Linux CentOS

How to Install and Configure OpenVPN Server on Linux CentOS

In this article we will cover the installation and configuration of the OpenVPN server based on Linux CentOS, and show how to connect two remote computers (or offices) behind NAT into one network using OpenVPN server. We will also use certificates for encrypted connection. If you are a Windows user, check out the guide about configuring VPN in Windows server operating system.

Contents

  • What is OpenVPN
  • How to Install OpenVPN and Easy-RSA
  • How to Configure Easy-RSA and Issue a Certificate
  • How to Create Keys and Certificates for the OpenVPN Server
  • How to Configure OpenVPN Server
  • How to Configure Firewall with OpenVPN
  • How to Connect Computers and Networks using OpenVPN

What is Open VPN

Virtual Private Network (VPN) – a set of technologies that allow you to build a secure network over public networks or the Internet. With a VPN, you can consolidate Internet-divided segments of networks into a single local network.
OpenVPN – one of the implementations of open source VPN technology based on SSL/TLS. With the help of OpenVPN it is possible to connect in a single network both remote offices and separate local PCs, which are behind firewall with Network Address Translation (NAT).

How to Install OpenVPN and Easy-RSA

First thing you need to do is to connect the Extra Packages for Enterprise Linux (EPEL) repository and update the system:

sudo yum install epel-release -y
sudo yum update -y

When the system is updated, you need to use the yum package manager to install OpenVPN and Easy-RSA to implement a Public Key Infrastructure (PKI) infrastructure on the VPN server.

sudo yum install openvpn easy-rsa -y
Easy-RSA Installation

How to Configure Easy-RSA and Issue a Certificate

Copy all the Easy-RSA scripts into /etc/openvpn/:

sudo cp -r /usr/share/easy-rsa /etc/openvpn/

Let’s go to /etc/openvpn/easy-rsa/3/ and create a file named vars there:

cd /etc/openvpn/easy-rsa/3/
sudo nano vars

Let’s fill this file with the following parameters (you can edit the location and company parameters for yourself):

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY "LA"
set_var EASYRSA_REQ_ORG "MyCompany"
set_var EASYRSA_REQ_EMAIL "admin@domain.com".
set_var EASYRSA_REQ_OU "IT Department"
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha512"

Press Ctrl+x to exit the file then y to save it and then hit Enter. The file must be executable, so next step is to execute the following:

sudo chmod +x vars


How to Create Keys and Certificates for the OpenVPN Server

Before creating the key, we need to initialize the Public Key Infrastructure (PKI) directory and create the CA key:

cd /etc/openvpn/easy-rsa/3/
sudo ./easyrsa init-pki
Initializing PKI Directory

Now let’s create a CA key:

sudo ./easyrsa build-ca

After running the command, we will need to specify a password to generate the certificates and key. The password will be required in the future to sign the certificates.

Creating CA Key

After that the system will ask to enter Distinguished Name (DN) enter your server and domain name for example server.domain.com and create a server key with nopass option which disables the password for domain.com:

sudo ./easyrsa gen-req server.domain.com nopass
Creating Server Key

During the certificate issuance process, you will be asked to enter Common Name, just press Enter to continue.

Sign the domain.com key using our CA certificate:

sudo ./easyrsa sign-req server server.domain.com
Server Key Signing

First you need to confirm the request by typing “yes”. After that you will need to enter the password that we set when the CA certificate was issued:

To make sure that the certificates were generated without errors, run the command:

sudo openssl verify -CAfile pki/ca.crt pki/issued/server.domain.com.crt 

The output must be “pki/issued/server.domain.com.crt: OK
Now all OpenVPN server certificates are created.

  • The root certificate is located: ‘pki/ca.crt
  • The server private key is located: ‘pki/private/server.domain.com.key
  • The server certificate is located: ‘pki/issued/server.domain.com.crt

To generate a client key, you need to execute the following command and specify the client name (“admin” in our example):

sudo ./easyrsa gen-req admin nopass

As with the server key, you must sign it using a CA certificate:

sudo ./easyrsa sign-req client admin
Signing key via CA certificate

Similar to the server certificate we need to type “yes” and enter CA password. Now the certificate for the user is created.

Additionally, you must generate a Diffy-Hellman key to be used for key exchange:

sudo ./easyrsa gen-dh

Note that it’s been generated for a long time.

After that we need to generate a TLS certificate:

sudo openvpn --genkey --secret ta.key

If we plan to revoke client certificates in the future, we need to generate a CRL key:

sudo ./easyrsa gen-crl
Generating CRL key

To revoke a certificate, you must execute a command:

sudo ./easyrsa revoke admin

Where “admin” is the certificate name.

So all necessary certificates are created, let’s copy them into working directories:

Server certificates:

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/server.domain.com.crt /etc/openvpn/server/
cp pki/private/server.domain.com.key /etc/openvpn/server/
cp pki/private/dh.pem /etc/openvpn/server/
cp pki/private/ta.key /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/

Client certificates:

cp pki/issued/admin.crt /etc/openvpn/client/
cp pki/private/admin.key /etc/openvpn/client/


PureVPN : UNLOCK THE BEST VPN DEAL

How to Configure OpenVPN Server

Let’s move on to the settings of the OpenVPN configuration file. First let’s create the OpenVPN configuration file named server.conf:

sudo cd /etc/openvpn/ && nano server.conf

Change the contents of the file to the following:

# Specify port, protocol and device
port 1194
proto udp
dev tun
# Specify path to server certificates
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.domain.com.crt
key /etc/openvpn/server/server.domain.com.key
# Paths to CRL and DH keys
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
# Specify the network IP and mask which the VPN clients will enter
server 10.0.2.0 255.255.255.0
push "redirect-gateway def1"
# Enter the target DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Allow users to connect with the same key
duplicate-cn
# TLS security
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other config
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# Log file path
log-append /var/log/openvpn.log
verb 3

Then we save the file. I specified the default UDP port 1194 for the VPN server, but for OpenVPN you can specify any free port on the server.

How to Configure Firewall with OpenVPN

What remains is to configure firewall rules to allow connection and routing between segments.

If you are using Firewalld, you must first activate the kernel module forwarding:

sudo echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sudo sysctl -p

Add the openvpn service to Firewalld, and the tun0 interface to the trusted zone.

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Activate ‘MASQUERADE’ for the trusted Firewalld zone:

sudo firewall-cmd --permanent --zone=trusted --add-masquerade

Activate NAT:

sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.0.2.0/24 -o IP server -j MASQUERADE
sudo firewall-cmd -reload

If you are using iptables without Firewalld, you need to execute the following:

sudo iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
sudo iptables -A INPUT -p tcp -dport 1194 -j ACCEPT
sudo service iptables save

Let’s run OpenVPN service and let it start when Linux boots up:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Let’s check if port 1194 is available:

sudo lsof -i:1194

Let’s check the IP settings of the network interface:

sudo ip a

3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100

link/none

inet 10.0.2.1 peer 10.0.2.2/32 scope global tun0

valid_lft forever preferred_lft forever

inet6 fe80::932a:e40b:ac2f:6b2/64 scope link flags 800

valid_lft forever preferred_lft forever

As you can see, the network specified in the configuration has been added to the tun0.

These are the minimum settings you need to make for OpenVPN to work.


How to Connect Computers and Networks using OpenVPN

How to connect to the OpenVPN server from two remote computers that are connected to the Internet via NAT, and organize a private network between them? To connect a Windows computer to the OpenVPN server you will need the official client from that can be downloaded from the official site. The installation is straightforward, so we will focus on the configuration.

After you have installed the client, you need to go to the configuration file, which you need to create along the way:

C:\Program Files\OpenVPN\config

Create a file with the name Client.ovpn and add the following content to it:

client
dev tun
proto udp
remote publicVPNserverIP 1194
resolv-retry infinite
nobind
block-outside-dns
perist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
tls-client
auth SHA512
tls-auth "C:\Program Files\OpenVPN\config.key" 1
remote-cert-eku "TLS Web Server Authentication"
ca "C:\Program Files\OpenVPN\config\ca.crt".
cert "C:\Program Files\OpenVPN\config\admin.crt".
key "C:\Program Files\OpenVPN\config\admin.key".
cipher AES-256-CBC
comp-lzo
verb 3

As you can see we need the client, security and server certificates and keys we created earlier to configure. They need to be downloaded from the OpenVPN server and placed in a C:\Program Files\OpenVPN\config\ directory.

After that we connect through the shortcut Open VPN client in the tray:

I connected and got the next IP for my PC:

IPv4 address . . . . . . . . . . . . . . . . . . . . . . . : 10.0.2.17

Subnet mask . . . . . . . . . . . . . . . : 255.255.255.252

On the second computer behind the NAT, we need to do the same thing by first creating a certificate for the second user. After connection the second computer has IP address in the same network:

IPv4 address . . . . . . . . . . . . . . . . . . . . . . . . . : 10.0.2.8
Subnet mask . . . . . . . . . . . . . . . . . : 255.255.255.252

Once connected, both computers are on the same network and ping each other. Both connected VPN clients can exchange packets and transfer files directly to each other. This way, we were able to combine two PCs located in different parts of the world into one local network.

On your OpenVPN server you can create an unlimited number of keys and certificates for users. If you need a new certificate, run the following commands in /etc/openvpn/easy-rsa/3:

sudo ./easyrsa gen-req client name nopass
sudo ./easyrsa sign-req client name

Remember to periodically revoke client certificates if they are not used to keep your network secure.


How to Configure Zabbix Monitoring System

How to Configure Zabbix Monitoring System

Zabbix is an open-source enterprise level monitoring system. At the moment Zabbix is one of the most popular and functional free monitoring systems, with its easy installation and configuration. Zabbix server can be used for monitoring large infrastructures with hundreds of servers, as well as for small environment. In this article we will cover how to install and configure free monitoring system Zabbix with Linux Ubuntu based web interface. Install Zabbix agents on Windows and Linux server, and add new hosts to the system for monitoring.

Contents

  • Zabbix structure and functionality
  • Installing Zabbix server on Linux
  • Configuring Zabbix web interface
  • Installing Zabbix agent on Windows
  • Adding a device on a Zabbix server
  • Installing Zabbix agent on Linux

Zabbix Structure and Functionality

Zabbix is rather simple to install and configure. It is written in C++ (server, proxy and agent) and PHP (frontend). Zabbix server and Zabbix proxy can only run on Linux systems. The agent can be installed on many supported operating systems and platforms.

The Zabbix server installation package consists of:

  • Zabbix server binary
  • MySQL (MariaDB)/PostgreSQL databases
  • Apache2/Nginx web server with PHP frontend
  • Frontend files – .php, .js, .css, etc…

The scheme of work looks like this:

  1. The Zabbix agent sends data to the server
  2. The Zabbix server receives and processes the data
  3. If the received data is subject to the specified conditions, a trigger is triggered
  4. An active trigger signals a problem. A notification is displayed on the frontend, the notification emails is sent and needed actions are automatically performed. This depends on the configuration, for example Zabbix agent can restart the service that is being monitored.

Zabbix can work with all known protocols, thanks to a system of external scripts.

Installing Zabbix Server on Linux

In this article we will take a look at an example installation of Zabbix Server on Linux (using Ubuntu Server) through a batch manager.

Go to the download page https://www.zabbix.com/download and select the repository corresponding to your Linux distribution. Ready-made packages are available for all popular distributions.

For example, to install Zabbix 5 on Ubuntu 18.04 you have to select :

Zabbix Version 5 ⇒ OS Distribution (Ubuntu) ⇒ OS Version (18.04 Bionic) ⇒ Database (MySQL) ⇒ Web Server (Nginx or Apache).

Download and add a repository:

wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+bionic_all.deb
dpkg -i zabbix-release_5.0-1+bionic_all.deb
apt update

Now you can install the necessary packages:

apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-agent

Create a database and give the rights to the service account under whom Zabbix will access the database:

mysql -uroot
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> grant all privileges on zabbix.* to zabbix@localhost identified by 'Your Password';
mysql> quit;

Import the Zabbix database. You will need to enter the password that you specified for the zabbix@localhost user.

zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p Zabbix

Edit the configuration file /etc/zabbix/zabbix_server.conf, specify the password from the newly created user.

DBPassword=users password

Since in this example the web server is nginx, you need to change nginx.conf by removing “#” from the following lines:


listen 80;

server_name example.com;

Also change “example.com” to the domain name you want to log in to Zabbix web console, in this example it’s “test.zabbix.local“.

Now let’s set the time zone in PHP. In the /etc/zabbix/php-fpm.conf file lets remove “#” from the following line:

php_value[date.timezone] = Europe/Moscow

Additionally, you can set the following PHP settings in /etc/php.ini:

  • memory_limit 128M
  • upload_max_filesize 8M
  • post_max_size 16M
  • max_execution_time 300
  • max_input_time 300
  • max_input_vars 10000

Add the zabbix-server service to autostart and run it:

systemctl enable zabbix-server zabbix-agent nginx php7.2-fpm
systemctl restart zabbix-server zabbix-agent nginx php7.2-fpm

Configuring Zabbix Web Interface

Now you need to configure the frontend (web interface) of Zabbix. Open the previously specified URL of Zabbix server in your browser. In our example it is test.zabbix.local. Do not forget to register it on your DNS server.

Make sure that all installer requirements are OK.

Enter the data to connect to the database. Use the user and password you created earlier.

Enter the name of the Zabbix server. I recommend not to change the standard port – TCP 10051.

Note. The default Zabbix system uses two ports:

  • TCP 10050 is a passive agent port, on which the zabbix server polls clients;
  • TCP 10051 – the port on which zabbix server receives data from clients (active agent).

After that press Next Step and Finish. After successful installation, you will need to log in. Use “Admin” as login and “zabbix” as password, these are the default credentials.

This concludes the installation of the Zabbix Server.

Installing Zabbix Agent on Windows Server

Let’s try to install Zabbix agent on a Windows server and add it to our Zabbix monitoring. Download Zabbix agent for Windows here: https://www.zabbix.com/download_agents.

Select the desired version of the agent for Windows. For this example we will choose the “.msi x64” format (without OpenSSL). If you plan to install zabbix agent on servers/computers via Group Policy or SCCM, you can download the zip archive with binary and configuration files.

Start the installer, accept the license agreement, specify the requested data. Note that in the “Server or Proxy for active checks” field I entered the IP address in “IP:PORT” format. Since I left the port as standard, it will be serverip:10051.

Then click Next and Install.

Now we need to make sure that our agent is installed. The Zabbix agent service should appear in the services.msc list.

On the Windows client Firewall, you need to allow incoming connections from the Zabbix server:

New-NetFirewallRule -DisplayName "Zabbix" -RemoteAddress "ZabbixserverIP" -Direction Inbound -Protocol TCP -LocalPort 10050 -Action Allow

To make sure that the agent is working, you need to add our host to the Zabbix server and assign it checks.

Note. There are two types of checks in the Zabbix:
Passive – the Zabbix server asks for some data from the agent;
Active – the agent sends data to the server;

While installing the agent, we specified a server in IP:PORT format just for active checks.

Adding Device on a Zabbix Server

So We’ve installed the agent, now we need to add it on the monitoring platform via web-interface. Go to Configuration Hosts ⇒ Click Create host and fill in the data. Note that the host’s name must match the host name of the server with the agent or the value of the Hostname parameter in the agent config.

On the Templates tab, add some built-in Windows templates. Templates in Zabbix are sets of values, triggers, graphs and detection rules that can be assigned to one or more hosts.

These integrated templates have “active” in the end, which means that active checks will be used.

Click Add. To avoid waiting for the server and agent to connect with each other (usually takes a couple of minutes), restart the Zabbix Agent service on monitored host and check the agent’s log (C:\Program Files\Zabbix Agent\zabbix_agentd.txt).

The message “started [active checks #1]” indicates that active checks for this host have been found on the server. Now let’s look at the data that came to the Zabbix server from the agent. To do this in Zabbix, go to MonitoringLatest Data and select the desired host in the Hosts field.

This section shows the latest data that came to the server by selected hosts or groups of hosts. Note that there is a notification on the Zabbix dashboard that the BITS service is not running. This notification appears because we have assigned standard templates to our host. One of the templates was monitoring the BITS service and the corresponding trigger, which is triggered if the BITS service is not in status Running.

This concludes the configuration of the Windows Agent.

Installing the Zabbix Agent on Linux

Now let’s install the Zabbix agent on Linux. To install the Zabbix agent in Ubuntu Server using the package manager you need to download and install the Zabbix repository. Then we will install the zabbix agent from the repository:

wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+bionic_all.deb
dpkg -i zabbix-release_5.0-1+bionic_all.deb
apt update
apt install zabbix-agent

Before we run the zabbix agent, we need to edit the /etc/zabbix/zabbix_agentd.conf configuration file. In this file you need to specify the IP address of the Zabbix server for active checks:

Server=ServerIP
ServerActive=IP:10051
Hostname=testagent

After that we need to start the agent service:

service zabbix-agent start

Make sure the agent is successfully launched.

cat /var/log/zabbix/zabbix_agentd.log

Cannot parse list of active checks” string indicates that there are no active checks for this host on the server.

Similar to the Windows agent, you need to add your Linux host to the Zabbix server settings. Note the Hostname parameter in the host configuration in the server’s Zabbix interface must match the Hostname parameter that we specify in the Zabbix config.

Reboot the Zabbix agent and check the log.

Check that the agent data has appeared on the Zabbix server.

This completes the configuration of the Zabbix agent on your Linux system.

How to Set up VPN Server on Windows Server

How to Set up VPN Server on Windows Server

In this article we will show you how to install and configure a simple Windows Server based VPN server that can be used in a small organization.

Note. This manual is not recommended as a guide for organizing a VPN server in a large corporate network. As an enterprise-class solution, it is preferable to deploy Direct Access and use it for remote access.

The first thing that you need to do is install the “Remote Access” role. You can do this through the Server Manager console or PowerShell.

With the Remote Access role, we are interested in the DirectAccess and VPN (RAS) service. Let’s install it! Open Server Manager go to Add Roles and Features -> Click Next two times-> We need to install the Remote Access and IIS web server roles.

Click Next three times and select DirectAccess and VPN (RAS), click next and Install.

When the wizard is finished, click the “Open the Getting Started Wizard” link and the RAS Server Configuration Wizard will start.

Install RAS Service Using PowerShell

You can install the RAS service using the following Powershell command:

Install-WindowsFeatures RemoteAccess -IncludeManagementTools

Configure Remote Access Service

Since we do not need to deploy the DirectAccess service, let us specify that we only need to install the VPN server.

The familiar Routing and Remote Access MMC console opens up. In the console, right click on the server name and click the Configure and Enable Routing and Remote Access option.

The RAS Server Setup Wizard is launched. In the wizard window, select “Custom configuration” and then select the “VPN Access” option.

When the wizard is finished, the system will offer to start the Routing and Remote Access service. Do it.

Configure Firewall to Allow VPN

If there is a firewall between your VPN server and the Internet from which clients will connect, you need to open the following ports and redirect traffic to these ports to your VPN server:

For PPTP: TCP - 1723 and Protocol 47 GRE (also called PPTP Pass-through)
For SSTP: TCP 443
For L2TP over IPSEC: TCP 1701 and UDP 500

After installing the server, you must allow VPN access in the user account properties (Dial-in tab) for those users which you want to connect via VPN. If the server is joined to an Active Directory domain, this should be done in the user properties of the ADUC console. If the server is local, you can find it in user properties of the Computer Management console (Network Access Permission – Allow access).

Configure DHCP for VPN

If you are not using a DHCP server that distributes IP addresses to vpn clients, you should enable “Static address pool” on the IPv4 tab of the VPN server properties and specify the range of addresses to be distributed.

Note. IP addresses distributed by the server for routing purposes must not overlap with IP addressing on the VPN client side.

So it is only remains is to configure the VPN client and test it.