Well, it was time for a change and I decided to rebuild it into a bastion jump box, with a restructure of the home network as well. I started off by installing a second Network Interface Card (NIC) in it, then installed a bare CentOS. I ran yum update to make sure the latest patches and stable packages were installed. Next I went through the services and disabled all the unnecessary stuff.
The idea is to separate the internal network from the De-militarized Zone (DMZ). The purpose of the jump box is to sit on the DMZ between the access and choke routers. The jump box will provide Virtual Private Network (VPN) access into the network, as well as providing proxy services such as web proxy, syslog, ssh and other services.
In the network, both the access and choke router perform Network Address Translation (NAT), Quality of Service (QoS), as well as stateful packet inspection (SPI) firewall functions. In addition to SPI, the choke also performs some port forwards to the jump box and the SIP phone. All other traffic is dropped.
So to get home from university, I need to VPN in, then use SCP to transfer my files (assignments, reports, etc) and get out again.
To install OpenVPN, perform the following tasks:
- sudo wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
- sudo yum --enablerepo=kbs-CentOS-Testing install openvpn
- sudo find / -name "easy-rsa" # returns something like "/usr/share/openvpn/easy-rsa/"
- sudo cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
- cd /etc/openvpn/easy-rsa/2.0/ # cd is a shell builtin, so it cannot be run through sudo
- sudo mkdir keys
- sudo vi ./vars
- Change the following variables
- export KEY_SIZE=2048
- export KEY_COUNTRY=""
- export KEY_PROVINCE=""
- export KEY_CITY=""
- export KEY_ORG=""
- export KEY_EMAIL=""
- sudo bash
- source ./vars
- ./clean-all
- ./build-ca
- ./build-key-server server #server is the unique name to identify the server
- ./build-key client #client is the unique name to identify the client (repeat for each client)
- ./build-dh
- find / -name "server.conf" # returns something like "/usr/share/doc/openvpn-2.1/sample-config-files/server.conf"
- cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
- Edit the file to suit
- Copy the Diffie-Hellman pem file (dh2048.pem), the server key file (server.key), and the CA certificate file (ca.crt) to the working directory and start the OpenVPN server (/etc/rc.d/init.d/openvpn start).
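"Edit the file to suit" covers a lot of ground, so here is an added example (not from the original post) of what the edited server.conf for this jump box can look like, together with a pre-flight check that the files it references are in /etc/openvpn before the service is started. The sample server.conf also references the server certificate (server.crt) that easy-rsa produced alongside server.key. The VPN subnet 10.8.0.0/24, the tls-auth key name ta.key and the log paths are assumptions of this example; the key file names match the easy-rsa steps above.

```bash
#!/bin/bash
# Added example, not part of the original post: writes a hardened server.conf for
# the DMZ jump box and checks that every file it references is in place.
# Assumptions: /etc/openvpn is the working directory, the easy-rsa file names
# above are used, and the VPN subnet (10.8.0.0/24) and ta.key are chosen here.

set -u

# Print a server.conf for a jump box: UDP 1194 forwarded in by the choke router,
# certificates from easy-rsa, root privileges dropped once the tunnel is up.
write_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC on the TLS handshake; generate the key with: openvpn --genkey --secret ta.key
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Drop root privileges after startup; persist-* lets the restart survive that
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
}

# Check that the working directory holds every file server.conf references and
# that the private key is readable only by its owner. Prints each problem and
# returns non-zero if anything is wrong.
check_openvpn_files() {
    dir=$1
    rc=0
    for f in ca.crt server.crt server.key dh2048.pem ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"
            rc=1
        fi
    done
    if [ -f "$dir/server.key" ]; then
        mode=$(stat -c %a "$dir/server.key")   # GNU stat, as on CentOS
        if [ "$mode" != "600" ]; then
            echo "server.key mode is $mode, expected 600"
            rc=1
        fi
    fi
    return $rc
}

# Usage on the jump box (as root):
#   write_server_conf > /etc/openvpn/server.conf
#   check_openvpn_files /etc/openvpn && /etc/rc.d/init.d/openvpn start
```

The check is deliberately strict about server.key: easy-rsa writes it under keys/ with owner-only permissions, and copying it into /etc/openvpn with a wider mode is the easiest mistake to make on a box that sits in the DMZ.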