Exercise 31: Configuring and Testing VPN Connections

Feb 25, 2025

Objective

Set up a secure VPN using OpenVPN and test its functionality by verifying encrypted traffic. Understand the role of VPNs in securing remote access.


Scenario

As a network administrator, you need to secure remote access for employees working outside the office. VPNs provide encrypted tunnels to protect sensitive data transmitted over public networks. In this exercise, you’ll install and configure OpenVPN, establish a secure VPN connection, and verify encryption using tcpdump.

⚠️ Important: Perform this exercise in a legal and controlled lab environment. Unauthorized VPN setups or traffic interception may violate policies.


Lab Instructions

Step 1: Install OpenVPN

a. On the VPN Server

sudo apt update
sudo apt install openvpn easy-rsa -y

b. On the VPN Client

sudo apt update
sudo apt install openvpn -y

Step 2: Configure the VPN Server

a. Set Up the Certificate Authority (CA)

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
source vars
./clean-all
./build-ca

b. Generate Server Keys and Certificates

./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

c. Configure OpenVPN Server

Copy the sample server configuration:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Edit /etc/openvpn/server.conf so that it contains the directives below. The certificate and key paths are relative to /etc/openvpn, so copy ca.crt, server.crt, server.key, dh2048.pem and ta.key from ~/openvpn-ca/keys/ into /etc/openvpn/ before starting the service:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status openvpn-status.log
verb 3

Enable and start the OpenVPN service:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Step 3: Configure the VPN Client

a. Generate Client Certificate and Key

cd ~/openvpn-ca
source vars
./build-key client1

Transfer the following files from ~/openvpn-ca/keys/ on the server into /etc/openvpn/ on the client, using an encrypted channel such as scp (client1.key is a private key and must never be sent in the clear):

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key

b. Create Client Configuration

sudo nano /etc/openvpn/client.conf

Add the following:

client
dev tun
proto udp
remote <VPN_SERVER_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3

Step 4: Establish and Verify VPN Connection

a. Start the VPN Client

sudo systemctl start openvpn@client

Verify the connection:

ifconfig tun0
  • You should see a tun0 interface with an assigned IP from the VPN subnet (10.8.0.0/24 with the unmodified sample server.conf). On systems without net-tools, use ip addr show tun0 instead.

b. Verify Encrypted Traffic with tcpdump

On the VPN Server, capture on the physical (uplink) interface where the tunnel packets arrive, not on tun0. The tun0 interface carries the inner traffic after OpenVPN has decrypted it, so a capture there shows plaintext and proves nothing about encryption.

sudo tcpdump -i eth0 -n udp port 1194
  • Replace eth0 with the server's uplink interface. While the client generates traffic (for example, pinging the server's tunnel address, 10.8.0.1 with the sample configuration), you should see UDP datagrams between the client's public IP and port 1194 whose payload is opaque; none of the inner IP headers or contents are visible.
  • For comparison, sudo tcpdump -i tun0 shows the same traffic in the clear, as the server sees it after decryption.

Step 5: Discuss the Importance of VPNs

  • Encryption: VPNs encrypt data between remote users and the organization.
  • Authentication: Use of certificates ensures secure access.
  • Privacy: VPNs mask IP addresses, protecting user identity.
  • Access Control: Enables secure remote access to internal resources.

Solution & Explanation

How VPNs Work

  • VPNs create encrypted tunnels between remote devices and a server.
  • OpenVPN uses TLS for the control channel (mutual certificate authentication and key exchange); the negotiated keys then encrypt the data channel with the configured cipher (AES-256-CBC in this exercise).

Key Components

  • CA: Issues certificates for authentication.
  • TLS Authentication (tls-auth): adds an HMAC to every control-channel packet, so packets without a valid HMAC are dropped before the TLS handshake begins; this shields the TLS stack from port scans and unauthenticated DoS attempts.
  • AES-256-CBC: encrypts the data channel; because CBC provides no integrity protection on its own, the auth SHA256 directive supplies the HMAC that detects tampering.

Benefits of VPNs

  • Confidentiality: Encrypts sensitive data.
  • Integrity: Prevents data tampering.
  • Remote Access: Provides secure access to internal networks.

Testing & Verification

  • Confirm the VPN connection is active (ifconfig tun0).
  • Verify encrypted traffic using tcpdump on the server's uplink interface (udp port 1194); a capture on tun0 shows the decrypted traffic.
  • Test access to internal resources over the VPN.

Security Best Practices

  1. Use Strong Encryption: Prefer AES-256-GCM over AES-256-CBC. GCM is an AEAD cipher that provides confidentiality and integrity together; on OpenVPN 2.5 and later, set it with data-ciphers AES-256-GCM.
  2. Enable TLS Authentication: Use a ta.key with tls-auth, or with tls-crypt, which also encrypts the control channel.
  3. Limit Access: Define client-specific access rules.
  4. Regularly Rotate Keys: Regenerate certificates periodically.
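As an added example (not part of the original exercise), the following Python script audits an OpenVPN server or client configuration for the points above: control-channel protection, an AEAD data-channel cipher, privilege dropping on the server and remote-cert-tls on the client. The embedded SERVER_CONF is the server.conf from Step 2c; the function names are my own.

```python
"""Audit OpenVPN server/client configs for the hardening points in this exercise."""
# Constructed sample: the server.conf from Step 2c of this exercise, verbatim.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

def parse_openvpn_conf(text):
    """Map each directive to its argument list; '#'/';' comments and blank lines are skipped.
    Inline <ca>...</ca> blocks are not handled (this exercise uses file paths)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args  # last occurrence wins; enough for the single-valued directives checked
    return conf

def audit_openvpn_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_openvpn_conf(text)
    findings = []
    # Control channel: tls-auth adds an HMAC to every packet, tls-crypt also encrypts it.
    if 'tls-auth' not in conf and 'tls-crypt' not in conf:
        findings.append('control channel unprotected: add tls-auth or tls-crypt')
    # Data channel: flag a pinned non-AEAD cipher (OpenVPN 2.5+ negotiates AES-GCM by default).
    ciphers = conf.get('data-ciphers') or conf.get('cipher') or []
    if ciphers and not any(c.upper().endswith(('-GCM', 'POLY1305')) for c in ciphers):
        findings.append('non-AEAD cipher pinned (%s): use data-ciphers AES-256-GCM' % ':'.join(ciphers))
    if 'client' in conf:
        # Without this, any client certificate from the same CA could pose as the server.
        if conf.get('remote-cert-tls') != ['server']:
            findings.append('client lacks remote-cert-tls server')
    elif 'user' not in conf or 'group' not in conf:
        # Least privilege: drop root once the tun device and listening port are set up.
        findings.append('server keeps root privileges: add user nobody and group nogroup')
    return findings
```

Run audit_openvpn_conf on the exercise's server.conf and it reports the pinned CBC cipher and the missing user/group directives; the same function applied to client.conf reports the missing remote-cert-tls server line.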

Additional Script (Optional)

Automate OpenVPN server setup:

#!/bin/bash
# OpenVPN Server Setup Script (easy-rsa 2 layout, as used in Step 2)
# Run as a regular user with sudo rights: the CA is built in that user's home
# directory; only the package and service steps need root.
set -e

sudo apt update
sudo apt install openvpn easy-rsa -y

# Build the CA and server credentials (build-ca and build-key-server prompt interactively)
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

# Install the credentials where server.conf expects them (paths are relative to /etc/openvpn)
sudo cp keys/{server.crt,server.key,ca.crt,dh2048.pem,ta.key} /etc/openvpn/

# /etc/openvpn/server.conf must already exist (Step 2c) or the service will fail to start
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Save the script as setup_openvpn.sh and run it as your normal user (it calls sudo where needed; running the whole script under sudo would build the CA under /root instead of your home directory, and Step 3 expects it in ~/openvpn-ca):

chmod +x setup_openvpn.sh
./setup_openvpn.sh

Conclusion

In this exercise, you successfully configured and tested an OpenVPN server and client. You established a secure, encrypted tunnel and verified traffic using tcpdump. VPNs play a critical role in securing remote access and protecting sensitive organizational data.
