2/20/2010

Linux Jump Box VPN

With the Linux Desktop out of the way, and my impending studies in Network Security coming up, I thought I'd preempt the studies with some initial ground work on my old Linux Server. Previously we had an old server at home that was used mostly as a web proxy (Squid) and a Windows (Samba) server to share files and the home printer.

Well, it was time for a change and I decided to rebuild it into a bastion jump box, with a restructure of the home network as well. I started off by installing a second Network Interface Card (NIC) in it. Then I installed a bare CentOS on it. I did a yum update on it to ensure the latest patches and stable packages were installed. Next I went through the services and disabled all the unnecessary stuff.
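As an added example (not part of the original post), here is a small audit script for that last step: it reads `chkconfig --list` output and prints every SysV or xinetd service still switched on at a given runlevel that is not on an allowlist. The allowlist below is my assumption of what the jump box should run (SSH, OpenVPN, Squid, syslog and the basic system services), and the sample output is constructed, not taken from a real box.

```shell
#!/bin/sh
# Added example (not from the original post): list services still enabled at a
# runlevel that are not on the allowlist, from `chkconfig --list` output.

# Assumption: the services the jump box is meant to run (CentOS service names).
ALLOWED="sshd openvpn squid syslog network iptables crond"

# Constructed sample of `chkconfig --list` output (CentOS 5 layout: one line per
# SysV service with 0:..6: columns, then an "xinetd based services:" section).
SAMPLE_CHKCONFIG='sshd            0:off  1:off  2:on   3:on   4:on   5:on   6:off
openvpn         0:off  1:off  2:off  3:on   4:on   5:on   6:off
cups            0:off  1:off  2:on   3:on   4:on   5:on   6:off
bluetooth       0:off  1:off  2:on   3:on   4:on   5:on   6:off
network         0:off  1:off  2:on   3:on   4:on   5:on   6:off
avahi-daemon    0:off  1:off  2:off  3:on   4:on   5:on   6:off
nfs             0:off  1:off  2:off  3:off  4:off  5:off  6:off
xinetd based services:
        telnet:         on
        rsync:          off'

# unexpected_services <runlevel>: reads chkconfig output on stdin and prints the
# names of services that are "on" at that runlevel and not in $ALLOWED.
unexpected_services() {
    level="$1"
    awk -v level="$level" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # xinetd section: lines look like "name:  on|off" with no runlevel columns
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd && $2 == "on" {
            name = $1; sub(/:$/, "", name)
            if (!(name in ok)) print name
            next
        }
        # SysV section: report the service if "<level>:on" appears on its line
        !xinetd && $0 ~ (level ":on") && !($1 in ok) { print $1 }
    '
}

# Run against the constructed sample when executed directly. On the jump box,
# pipe the real output instead:  chkconfig --list | unexpected_services 3
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services 3
```

Against the sample this reports cups, bluetooth, avahi-daemon and telnet; each of those is then a `chkconfig <name> off` (or `chkconfig telnet off` for the xinetd one) followed by a stop of the running daemon.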

The idea is to separate the internal network from the Demilitarized Zone (DMZ). The purpose of the jump box is to sit on the DMZ between the access and choke routers. The jump box will provide Virtual Private Network (VPN) access into the network, as well as providing proxy services such as web proxy, syslog, SSH and other services.

In the network, both the access and choke routers perform Network Address Translation (NAT), Quality of Service (QoS), as well as stateful packet inspection (SPI) firewall functions. In addition to SPI, the choke also performs some port forwards to the jump box and the SIP phone. All other traffic is dropped.

So to get home from university, I need to VPN in, then use SCP to transfer my files (assignments, reports, etc) and get out again.

To install OpenVPN, perform the following tasks:
  1. sudo wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
  2. sudo yum --enablerepo=kbs-CentOS-Testing install openvpn
  3. sudo find / -name "easy-rsa" # returns something like "/usr/share/openvpn/easy-rsa/"
  4. sudo cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
  5. cd /etc/openvpn/easy-rsa/2.0/ # cd is a shell builtin, so "sudo cd" would not change directory; the root shell started in step 9 inherits this directory
  6. sudo mkdir keys
  7. sudo vi ./vars
  8. Change the following variables
    1. export KEY_SIZE=2048
    2. export KEY_COUNTRY=""
    3. export KEY_PROVINCE=""
    4. export KEY_CITY=""
    5. export KEY_ORG=""
    6. export KEY_EMAIL=""
  9. sudo bash
  10. source ./vars
  11. ./clean-all
  12. ./build-ca
  13. ./build-key-server server #server is the unique name to identify the server
  14. ./build-key client #client is the unique name to identify the client (repeat for each client)
  15. ./build-dh
  16. find / -name "server.conf" # returns something like "/usr/share/doc/openvpn-2.1/sample-config-files/server.conf"
  17. cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
  18. Edit the file to suit
  19. Copy the Diffie-Hellman pem file (dh2048.pem), the server key file (server.key), and the CA certificate file (ca.crt) to the working directory and start the OpenVPN server (/etc/rc.d/init.d/openvpn start).
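Step 18 says "edit the file to suit", so as an added example (not part of the original post, and not the sample server.conf shipped with OpenVPN) here is a script that writes a hardened server.conf for a jump box in the DMZ. It assumes the easy-rsa output has been copied to /etc/openvpn/keys, a 10.8.0.0/24 tunnel subnet, and UDP 1194 (the port the choke router forwards). Note that the `cert` directive also needs the server certificate (server.crt) from step 13 alongside the three files named in step 19, and `tls-auth` needs a shared HMAC key created once with `openvpn --genkey --secret /etc/openvpn/keys/ta.key` and copied to each client.

```shell
#!/bin/sh
# Added example (not from the original post): write a hardened OpenVPN 2.1
# server.conf for the DMZ jump box. Key directory, tunnel subnet and port are
# assumptions; adjust them to the network described in the post.

# write_server_conf <conf-path> <key-dir>
write_server_conf() {
    conf="$1"
    keydir="$2"
    cat > "$conf" <<EOF
# OpenVPN server for the jump box (written by the example script)
port 1194
proto udp
dev tun

# Certificates and keys produced by easy-rsa (steps 12 to 15 of the post)
ca $keydir/ca.crt
cert $keydir/server.crt
key $keydir/server.key
dh $keydir/dh2048.pem

# Drop any packet without a valid HMAC before TLS even starts; the key is
# created once with: openvpn --genkey --secret $keydir/ta.key  (clients use "ta.key 1")
tls-auth $keydir/ta.key 0

# Tunnel subnet (assumption) with a persistent client address pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt

# Run unprivileged once the tunnel is up; keep the key material and tun device
# across restarts so the unprivileged process does not need root to recover
user nobody
group nobody
persist-key
persist-tun

# Strong data-channel cipher instead of the default Blowfish
cipher AES-256-CBC

# Ping every 10 s, treat the peer as dead after 120 s of silence
keepalive 10 120

# Assumption: only a handful of devices (laptop, phone) ever need access
max-clients 5

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 20
EOF
}

# required_directives_present <conf-path>: returns 0 only if every hardening
# directive this example relies on is present at the start of a line.
required_directives_present() {
    conf="$1"
    for d in "tls-auth " "user nobody" "group nobody" "persist-key" "persist-tun" "cipher AES-256-CBC"; do
        grep -q "^$d" "$conf" || return 1
    done
    return 0
}

# Usage on the jump box, as root, after the easy-rsa steps:
#   sh this_script.sh /etc/openvpn/server.conf /etc/openvpn/keys
if [ "$#" -eq 2 ]; then
    write_server_conf "$1" "$2" && required_directives_present "$1" && echo "wrote $1"
fi
```

The CentOS init script starts one daemon per *.conf file in /etc/openvpn, so once the file is in place `/etc/rc.d/init.d/openvpn start` picks it up; `/var/log/openvpn.log` is the first place to look if the tunnel does not come up (a `verb 3` log shows which of the ca/cert/key/dh files it could not open).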
