This unit provides an introduction to setting up VPNs on Linux systems.
In this step you will install and start the openvpn service on the lab VM. Use the openvpn server setup script provided for this lab, which is based on the instructions in the Ubuntu LTS server docs. If you run into issues with the script, refer to the Ubuntu LTS server docs and the OpenVPN How-to for troubleshooting.
Retrieve and run the script with the server option first to set up your VPN server with openvpn. It is designed to be run on the lab VM provided for this course.
Retrieve the script from the course GitHub site and make it executable. Read through it before running it; the steps below execute it as root with sudo.
wget -O ~/vpn-config.sh https://gorbehnare.github.io/NETS1028-updated-labs/vpn-config.sh
chmod +x vpn-config.sh
Run the script to set up the VPN service for the hostname nets1028-vpnserver on its 172.16.5.2 address
sudo ./vpn-config.sh -s nets1028-vpnserver
Start the VPN service and allow the VPN port through the firewall
sudo ufw allow 1194/udp
sudo systemctl start openvpn@nets1028-vpnserver
If there is a passphrase on the private key, you need to use systemd's awkward mechanism for supplying it: the unit blocks at startup until the passphrase is entered. Stop the VPN service if it is stuck, start it again, and you will be told to use the systemd-tty-ask-password-agent tool to supply the passphrase. Use systemd-tty-ask-password-agent to provide the passphrase - screenshot
sudo systemd-tty-ask-password-agent --query
# stop and start the service, and you should be notified to use the `systemd-tty-ask-password-agent` tool to supply the passphrase
Verify the service is running without any errors: - screenshot
systemctl status openvpn@nets1028-vpnserver
sudo cat /var/log/openvpn/openvpn-status.log
Create a tarfile containing the bundle of files for the VPN client to use
sudo ./vpn-config.sh -c nets1028-vpnclient nets1028-vpnserver
Do these steps on the Linux backups server VM created in a previous lab. We will use it as our VPN client to save creating another VM.
Install the openvpn package
sudo apt update
sudo apt install openvpn
Retrieve the config file bundle for the client from the VPN server (replace vpn-server-ip-address with the lab VM's address)
scp student@vpn-server-ip-address:/etc/openvpn/nets1028-vpnclient-vpnfiles.tgz .
Install the config files where openvpn expects them to be and remove the tarfile
sudo tar xf nets1028-vpnclient-vpnfiles.tgz -C /etc/openvpn
rm nets1028-vpnclient-vpnfiles.tgz
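The two commands above unpack an archive straight into /etc/openvpn as root and leave whatever permissions the tar carried. The helper below is an added example for this step, not part of the lab's vpn-config.sh: it lists the bundle first, refuses member names that would escape the destination (absolute paths or ".." components), then unpacks and makes any *.key file readable by root only. The member names (a .conf and a .key named after the client) are assumptions about what the lab script packs; the destination directory is a parameter so the helper can be tried against a scratch directory first.

```shell
# Added example, not the lab's own script. Assumes GNU tar and coreutils
# (Ubuntu), and that vpn-config.sh -c packs a <client>.conf and <client>.key.

# Return 0 if every member name in the tarball is a plain relative path
# (no leading "/", no ".." path component), 1 otherwise or if tar fails.
bundle_is_safe() {
    names=$(tar tf "$1") || return 1
    printf '%s\n' "$names" | grep -Eq '^/|(^|/)\.\.(/|$)' && return 1
    return 0
}

# Unpack the bundle into $2 and restrict any private key to mode 600.
# Prints "<mode> <path>" for each key file found, one per line.
install_bundle() {
    bundle="$1"
    dest="$2"
    bundle_is_safe "$bundle" || {
        echo "refusing to unpack $bundle: unsafe member names" >&2
        return 1
    }
    tar xf "$bundle" -C "$dest"
    # chmod first, then report the resulting mode (find runs -exec actions in order)
    find "$dest" -name '*.key' -exec chmod 600 {} \; -exec stat -c '%a %n' {} \;
}

# On the backups server (paths as in the lab instructions):
#   sudo sh -c '. ./bundle.sh; install_bundle nets1028-vpnclient-vpnfiles.tgz /etc/openvpn'
```

The ".." check matters because tar happily writes to ../../etc/cron.d if a member is named that way; with the client bundle copied over scp from a server you administer this is a low risk, but the check costs nothing and the same helper is reusable for bundles from elsewhere.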
Make sure the VPN client can resolve the hostname for the VPN server by adding nets1028-vpnserver with address 172.16.5.2 to the /etc/hosts file on the backups server
sudo vi /etc/hosts
Add a route from the backups server to the private VLAN network 172.16.5.0/24 via the lab VM
sudo ip r add to 172.16.5.0/24 via <lab-vm-ip-address>
NOTICE: Since the ip command is used, this route will be cleared after a reboot and you will need to reissue the command each time. If you want to make the route permanent, add it to the netplan configuration files instead.
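As an added example of the permanent alternative mentioned in the notice (this is not from the lab or the Ubuntu docs), the helper below writes a netplan fragment that adds the static route and checks the result. The interface name ens3 and the address 192.0.2.10 are placeholders; on the backups server use the interface from ip address show and the lab VM's real address.

```shell
# Added example. Assumes netplan (Ubuntu server) and a single ethernet
# interface; the interface name and next-hop address are placeholders.

# Write a netplan fragment routing $3 via $4 on interface $2 to file $1.
write_route_netplan() {
    out="$1"; iface="$2"; net="$3"; via="$4"
    cat > "$out" <<EOF
network:
  version: 2
  ethernets:
    $iface:
      routes:
        - to: $net
          via: $via
EOF
    # recent netplan releases warn when its files are world-readable
    chmod 600 "$out"
}

# Return 0 if the fragment routes $2 via $3, 1 otherwise.
netplan_has_route() {
    grep -q "to: $2" "$1" && grep -q "via: $3" "$1"
}

# Usage on the backups server (placeholders for interface and lab VM address):
#   write_route_netplan /tmp/90-vpn-route.yaml ens3 172.16.5.0/24 192.0.2.10
#   sudo install -m 600 /tmp/90-vpn-route.yaml /etc/netplan/90-vpn-route.yaml
#   sudo netplan try
#   ip route show 172.16.5.0/24
```

netplan merges fragments by interface name, so the drop-in only adds the route to the existing definition of that interface; netplan try applies it and rolls back automatically if you lose connectivity and do not confirm.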
Verify that the backups server can now reach the private address for our vpn service on our lab VM
ping -c 3 nets1028-vpnserver
Start the VPN client and supply the password for the client's private key.
sudo systemctl start openvpn@nets1028-vpnclient
If there is a passphrase on the private key, you need to use systemd's awkward mechanism for supplying it, exactly as on the server: the unit blocks at startup until the passphrase is entered. Stop the VPN service if it is stuck, start it again, and you will be told to use the systemd-tty-ask-password-agent tool to supply the passphrase. Use systemd-tty-ask-password-agent to provide the passphrase - screenshot
sudo systemd-tty-ask-password-agent --query
# stop and start the VPN service, and you should be notified to use the `systemd-tty-ask-password-agent` tool to supply the passphrase
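Both the server and the client steps hinge on "if there is a passphrase on the private key", which the instructions leave you to discover by the service hanging. The helper below is an added example, not part of the lab script: it tells from the PEM headers whether a key is encrypted, and wraps the stop, start and password-agent dance for either unit. The key path /etc/openvpn/<name>.key is an assumption about where vpn-config.sh puts the keys; check the unit's config for the actual key directive.

```shell
# Added example, not from the lab. Assumes systemd and the openvpn@<name>
# unit naming used in this lab; the key path is an assumption.

# Return 0 if the PEM file is passphrase-protected, 1 if it is a plaintext key.
# Covers the legacy "Proc-Type: 4,ENCRYPTED" header (BEGIN RSA/EC PRIVATE KEY)
# and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form.
key_is_encrypted() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Restart openvpn@$1; if $2 is an encrypted key, start without blocking and
# answer the systemd passphrase prompt from this terminal.
restart_openvpn() {
    name="$1"
    keyfile="$2"
    sudo systemctl stop "openvpn@$name"
    if key_is_encrypted "$keyfile"; then
        # --no-block returns immediately; the unit waits for the passphrase
        sudo systemctl --no-block start "openvpn@$name"
        sudo systemd-tty-ask-password-agent --query
    else
        sudo systemctl start "openvpn@$name"
    fi
    systemctl is-active "openvpn@$name"
}

# Server:  restart_openvpn nets1028-vpnserver /etc/openvpn/nets1028-vpnserver.key
# Client:  restart_openvpn nets1028-vpnclient /etc/openvpn/nets1028-vpnclient.key
```

If the prompt never appears, the service is not waiting on the key at all; read systemctl status for the real error. OpenVPN also has an askpass directive that reads the passphrase from a root-only file so the unit can start unattended, but that trades the protection the passphrase gives for convenience, which is the decision the lab avoids by using the agent.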
Verify the service is running without errors: - screenshot
systemctl status openvpn@nets1028-vpnclient
ip address show
# Look at the log file on the VPN-server to see what is displayed:
sudo cat /var/log/openvpn/openvpn-status.log
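Both verification steps end with cat on the server's status log and reading it by eye. The helper below is an added example, not part of the lab, that parses that file (OpenVPN's default status-version 1 layout) and answers the two questions the screenshot is meant to show: which clients are connected, and what virtual address each was given. The sample log is constructed here so the helper runs offline; the 10.8.0.x tunnel address and the client's real address are made up, not captured from the lab server.

```shell
# Added example, not from the lab. Parses the default (status-version 1)
# openvpn-status.log format; the sample below is constructed.

# Constructed sample of /var/log/openvpn/openvpn-status.log.
sample_status_log() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun  1 12:00:00 2023
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
nets1028-vpnclient,172.16.5.3:49152,5320,4712,Thu Jun  1 11:58:41 2023
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,nets1028-vpnclient,172.16.5.3:49152,Thu Jun  1 12:00:00 2023
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Print "common_name real_address virtual_address" per connected client,
# joining the CLIENT LIST section with the ROUTING TABLE section.
connected_clients() {
    awk -F, '
        /^Common Name,Real Address/    { section = "clients"; next }
        /^ROUTING TABLE/               { section = "routes";  next }
        /^Virtual Address,Common Name/ { next }
        /^GLOBAL STATS/                { section = ""; next }
        section == "clients" && NF >= 5 { real[$1] = $2 }
        # routing entries with a /prefix are pushed subnets (iroute), not hosts
        section == "routes" && NF >= 4 && $1 !~ /\// { vaddr[$2] = $1 }
        END {
            for (cn in real)
                print cn, real[cn], (cn in vaddr ? vaddr[cn] : "-")
        }' "$1" | sort
}

# Exit 0 if client $1 appears in status log $2, 1 otherwise.
client_connected() {
    connected_clients "$2" | awk -v cn="$1" '$1 == cn { found = 1 } END { exit !found }'
}

# On the lab VM:
#   sudo sh -c '. ./status.sh; connected_clients /var/log/openvpn/openvpn-status.log'
#   sudo sh -c '. ./status.sh; client_connected nets1028-vpnclient /var/log/openvpn/openvpn-status.log' && echo up
```

The common name is taken from the client certificate, so this is also a quick way to spot a certificate in use that you did not issue for this lab. The file is rewritten by the server on an interval (the status directive in the server config), so a client that just connected may take a moment to appear.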
Submit your results and screenshots as per instructions posted on Blackboard. Everywhere there is a screenshot marker in the instructions above, you must capture enough to show the command(s) you ran and the full relevant results of running them.