Configuring a VPN Server

The following scenario walks through how to set up an IPsec or OpenVPN VPN server. Once a VPN server is configured, a secure connection can be established between an internal network and the production environment on Liferay Cloud. This example uses Ubuntu Server 18.0.4 as a proof of concept. Please read the VPN Integration Overview article for an overview on Liferay Cloud’s Client-to-Site VPNs functionality.

warning

Configuration commands and values are subject to change and should be adapted for your specific environment.

EAP-TLS and EAP-MSCHAPV2 authentication protocols are both supported for VPN connections.

Basic Setup for an IPsec Server

To configure an IPsec test server:

  1. Save the following file as ~/ipsec.conf and replace the leftid value with your VPN server’s external IP.

    config setup
      charondebug="ike 1, knl 1, cfg 0"
      uniqueids=no
    
    conn ikev2-vpn
      auto=add
      compress=no
      type=tunnel
      keyexchange=ikev2
      fragmentation=yes
      forceencaps=yes
      dpdaction=clear
      dpddelay=300s
      rekey=no
      left=%any
      leftid=18.188.145.101
      leftcert=server-cert.pem
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      right=%any
      rightid=%any
      rightauth=eap-mschapv2
      rightsourceip=10.10.10.0/24
      rightdns=8.8.8.8,8.8.4.4
      rightsendcert=never
      eap_identity=%identity
    

    If you want to use the EAP-TLS protocol instead of only EAP-MSCHAPv2, add eap-tls to the rightauth line of the configuration:

    rightauth=eap-mschapv2,eap-tls!
    
  2. On your server, replace the SERVER_EXTERNAL_IP with your VPN server’s external IP and USERNAME/PASSWORD with your values:

    SERVER_EXTERNAL_IP="18.188.145.101"
    USERNAME="myuser"
    PASSWORD="mypassword"
    
  3. Install the necessary dependencies:

    sudo apt-get update
    sudo apt install -y strongswan strongswan-pki
    sudo apt install -y libstrongswan-extra-plugins
    
  4. Set up the security certificates and keys.

    If you want to use EAP-MSCHAPV2, then run these commands to generate the certificate:

    mkdir -p ~/pki/{cacerts,certs,private}
    chmod 700 ~/pki
    ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/ca-key.pem
    ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/ca-key.pem \ --type rsa --dn "CN=VPN root CA" --outform pem > ~/pki/cacerts/ca-cert.pem
    
    ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/server-key.pem
    
    
    ipsec pki --pub --in ~/pki/private/server-key.pem --type rsa \
    |   ipsec pki --issue --lifetime 1825 \
      --cacert ~/pki/cacerts/ca-cert.pem \
      --cakey ~/pki/private/ca-key.pem \
      --dn "CN=$SERVER_EXTERNAL_IP" --san "$SERVER_EXTERNAL_IP" \
      --flag serverAuth --flag ikeIntermediate --outform pem \
    >  ~/pki/certs/server-cert.pem
    
    sudo cp -r ~/pki/* /etc/ipsec.d/
    

    Otherwise, to use EAP-TLS, run these commands:

    mkdir -p ~/pki/certs
    chmod 700 ~/pki
    cd ~/pki/certs
    
    ipsec pki --gen --outform pem > caKey.pem
    ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem
    
    openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo
    
    export PASSWORD="password"
    export USER_NAME="client"
    
    ipsec pki --gen --outform pem > "${USER_NAME}Key.pem"
    ipsec pki --pub --in "${USER_NAME}Key.pem" \
    | ipsec pki --issue --cacert caCert.pem \
      --cakey caKey.pem \
      --dn "CN=${USER_NAME}" \
      --san "${USER_NAME}" \
      --flag clientAuth \
      --outform pem \
    > "${USER_NAME}Cert.pem"
    
    openssl pkcs12 -in "${USER_NAME}Cert.pem" \
      -inkey "${USER_NAME}Key.pem" \
      -certfile caCert.pem \
      -export -out "${USER_NAME}.p12" \
      -password "pass:${PASSWORD}"
    
    cd ..
    sudo cp -r ./certs/* /etc/ipsec.d/
    
  5. If you are using EAP-TLS for your VPN connection, then add this to your /etc/ipsec.secrets file (using your VPN password):

    : P12 client.p12 'password' # key filename inside /etc/ipsec.d/private directory
    
  6. Configure StrongSwan (see the server.conf file described above).

    sudo cp ~/ipsec.conf /etc/ipsec.conf
    
  7. Configure the VPN server’s authentication.

    echo -e ": RSA \"server-key.pem\"\n$USERNAME : EAP \"$PASSWORD\"" | sudo tee /etc/ipsec.secrets
    
    sudo systemctl restart strongswan
    
  8. Configure the OS kernel.

    sudo sed -i 's/#net\/ipv4\/ip_forward=1/net\/ipv4\/ip_forward=1/g' /etc/ufw/sysctl.conf
    sudo sed -i 's/#net\/ipv4\/conf\/all\/accept_redirects/net\/ipv4\/conf\/all\/accept_redirects/g' /etc/ufw/sysctl.conf
    echo "net/ipv4/conf/all/send_redirects=0" | sudo tee -a /etc/ufw/sysctl.conf
    echo "net/ipv4/ip_no_pmtu_disc=1" | sudo tee -a /etc/ufw/sysctl.conf
    
  9. Configure the OS’s firewall.

    networkInterfaceName=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2a;getline}' | head -1)
    config="-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT"
    config="$config\n-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT"
    config="$config\nCOMMIT"
    config="$config\n*nat\n-A POSTROUTING -s 10.10.10.0/24 -o $networkInterfaceName -m policy --pol ipsec --dir out -j ACCEPT"
    config="$config\n-A POSTROUTING -s 10.10.10.0/24 -o $networkInterfaceName -j MASQUERADE"
    config="$config\nCOMMIT"
    config="$config\n*mangle"
    config="$config\n-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o $networkInterfaceName -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360"
    config="$config\nCOMMIT"
    sudo sed -i "s/COMMIT//g" /etc/ufw/before.rules
    echo -e $config | sudo tee -a /etc/ufw/before.rules
    
    sudo ufw allow 500,4500/udp
    sudo ufw allow OpenSSH
    sudo ufw disable
    sudo ufw enable
    
  10. Obtain a server certificate to use on the client.

    cat /etc/ipsec.d/cacerts/ca-cert.pem
    

The IPsec VPN server has been configured.

Basic Setup for an OpenVPN Server

Follow these steps if using an OpenVPN server:

  1. Create a ~/server.conf with the following values:

    #Port where the VPN server will answer requests
    port 1194
    
    #TCP or UDP - UDP is faster
    proto udp
    
    #This will create a routed IP tunnel instead of an ethernet tunnel
    dev tun
    
    #The VPN subnet range, all IPs that connected clients will have upon connection
    #The Server will take the first IP (in this case, 10.10.20.1),
    #and all other addresses are available to clients
    server 10.10.20.0 255.255.255.0
    
    #SSL root certificate (ca), certificate itself (cert) and private key (key)
    #All clients use the same CA, but have their own cert and key.
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    
    #Diffie Hellman parameters, this file can be generated with
    #openssl dhparam -out dh2048.pem 2048
    dh /etc/openvpn/keys/dh2048.pem
    
    #Records the IP address of each client so clients can use the same IP address
    #in case of reconnection
    ifconfig-pool-persist ipp.txt
    
    #Keeps connection alive, sends a ping every 10 seconds, and assume the connection is
    #down if no ping is received in 120 seconds
    keepalive 10 120
    
    #Cryptographic cipher used. The Client must use the same cipher
    cipher AES-256-CBC
    
    #HMAC - Hashed Message Authentication Code - used to avoid UDP port flooding,
    #must be the same on client and server
    auth SHA256
    
    #Enable compression on the VPN link
    compress lz4-v2
    push "compress lz4-v2"
    
    #Allows username/password authentication via PAM (linux accounts, LDAP),
    #if not provided, authentication is done via x509 certificates
    plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
    
    #Explicitly disables x509 certificate authentication
    verify-client-cert none
    
    #Try to avoid accessing certain resources on restart,
    #since they may not be available
    persist-key
    persist-tun
    
    #Notify all clients when the service is restarting,
    #so they can try to reconnect automatically
    explicit-exit-notify 1
    
    #Short status file showing current connections, updated every minute
    status openvpn-status.log
    
    #Redirect log messages to a log file
    log-append  /var/log/openvpn.log
    
    #Log verbosity, 0 is silent, 9 is extremely verbose
    verb 7
    
  2. Install the necessary dependencies:

    sudo apt-get update
    sudo apt-get install -y openvpn easy-rsa
    
  3. Set up the certificates and keys.

    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    source vars
    ./clean-all
    ln -s openssl-1.0.0.cnf openssl.cnf
    ./build-ca
    ./build-dh
    ./build-key-server server
    openvpn --genkey --secret keys/ta.key
    sudo mkdir -p /etc/openvpn/keys/ && sudo cp ~/openvpn-ca/keys/* /etc/openvpn/keys/
    
  4. Use the OpenVPN server.conf file from above.

    sudo cp ~/server.conf /etc/openvpn/
    
  5. Configure the OS kernel.

    sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
    sudo sysctl -p
    
  6. Configure the OS firewall

    networkInterfaceName=$(ip link | awk -F: '$0 !~ "lo|vir|^[^0-9]"{print $2a;getline}' | head -1)
    echo -e "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0/8 -o $networkInterfaceName -j MASQUERADE\nCOMMIT\n" | sudo tee -a /etc/ufw/before.rules
    sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
    sudo ufw allow 1194/udp
    sudo ufw allow OpenSSH
    sudo ufw disable
    sudo ufw enable
    
  7. Start the VPN server service.

    sudo systemctl start openvpn@server
    
  8. Create the OS user to be used for authentication on the VPN.

    sudo adduser myuser
    

The OpenVPN server has been configured.

Capabilities

Product

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy