This article describes how to configure a Virtual Private Network connection using the OpenVPN application. First, it covers some basic theory behind Virtual Private Networks. Then it guides you with step-by-step instructions on how to set up an OpenVPN virtual private network using symmetric key encryption and public key encryption. The article is meant for everybody with a basic knowledge of Linux administration and networking.
If you work in the IT industry, it is very common that you do not use only the single computer sitting on your desk, but also other systems connected to the same local area network. As long as you are sitting in your office chair this is not a problem. The situation becomes complicated once you are in a hurry and need to take some of your work home. You can take your company laptop with you, but to fully use company resources you would also need to be connected to the company's local area network. The solution depends on which resources you need to complete your job. If you need some shared files from the company's network, you may simply copy them to your laptop's hard drive or to a USB stick. If you need to work on the system installed on your company PC, you can also use virtualization tools such as VirtualBox or VMware. Soon enough you will realize that this approach is not as convenient as you would like it to be, and that you spend more time copying files and synchronizing virtual systems than concentrating on your work. The ideal solution should allow employees to access the company's local resources from an external network. This can be done by forwarding the ports of the local services through the firewall, but exposing local ports to the Internet is not the safest approach: the more ports are exposed from your local network to an external network such as the Internet, the more vulnerable your local systems become. A better approach is to use a single port for all services, coupled with encryption and user authentication. This can be achieved, for example, by using a Virtual Private Network (VPN).
VPN networks are often operated as client-server applications; good examples are the MS Windows PPTP implementation or OpenVPN on the Linux platform. The VPN server runs directly on the firewall, where it creates a virtual network interface and an additional virtual subnet. The VPN server waits for connections on the external network interface of the firewall, where it authenticates the VPN client application. After successful authentication the VPN client is given an IP address from the virtual subnet. An encrypted tunnel is then created between the VPN client and the VPN server, and it is used for the safe transfer of packets between the two distant networks via the Internet. The services a VPN client can connect to can furthermore be restricted by firewall rules; this way the firewall ensures that the VPN client can only reach the services it is allowed to. If the previous couple of sentences looked a little difficult to understand, do not despair! Everything will become clearer once we see how the encrypted tunnel works in an example.
VPN tunnels are generally considered something mysterious, and everybody who mentions them is "cool" :-) However, there is nothing to be afraid of; in fact the principle of a Virtual Private Network is very simple. Data in IP networks is exchanged in packets. Information about the destination and the source of a packet is found in the packet's header, and the actual user data is carried as the payload. Let's imagine that an ssh client wants to talk to an ssh server over the Virtual Private Network. Packets leaving the host's network interface on the local network are sent with destination port 22. When such a packet reaches the VPN tunnel it is encapsulated into a VPN packet, where the original packet is now treated as the payload. If the VPN server listens on port 443, the VPN packet will carry destination port 443.
Looking at the previous figure, it is apparent that this kind of data transfer over the VPN wastes some transfer rate: the original packet has less payload space available, because it has to fit inside the VPN tunnel packet together with its own header. In this sense the encapsulation can be considered a drawback of a VPN.
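To make the encapsulation concrete, here is an added Python model (example code, not from the article and not OpenVPN's own code) that builds an inner ssh packet, wraps it in an outer packet addressed to port 443 as the text describes, unwraps it again on the server side, and computes how much user data per frame the extra headers cost. The mini packet header and the sizes IP_HEADER, TCP_HEADER, UDP_HEADER and VPN_HEADER are assumed, simplified values, and all addresses are constructed.

```python
"""Toy model of the VPN encapsulation described above.

Added example, not OpenVPN's own code: the packet layout is a constructed,
simplified header (addresses and ports only) and the header sizes used for
the overhead calculation are assumed typical values, not measured ones.
"""
import struct

# Assumed header sizes in bytes (no options, no crypto framing).
IP_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8
VPN_HEADER = 4          # hypothetical tunnel record header
MTU = 1500              # MTU of the physical interface

# Constructed mini header: src ip, dst ip, src port, dst port (network byte order).
HDR_FMT = "!4s4sHH"
HDR_LEN = struct.calcsize(HDR_FMT)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Prepend the mini header to a payload, as a host's IP stack would."""
    header = struct.pack(HDR_FMT, ip_to_bytes(src_ip), ip_to_bytes(dst_ip),
                         src_port, dst_port)
    return header + payload


def parse_packet(packet):
    """Split a packet into its header fields and payload."""
    src, dst, sport, dport = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
            "sport": sport, "dport": dport, "payload": packet[HDR_LEN:]}


def encapsulate(inner, client_public_ip, vpn_server_ip, vpn_port=443):
    """Wrap the whole inner packet as the payload of a packet to the VPN server.

    Only the outer header is visible on the Internet path, so a firewall
    between client and server sees traffic to vpn_port, never to port 22.
    """
    return build_packet(client_public_ip, vpn_server_ip, 50000, vpn_port, inner)


def decapsulate(outer):
    """What the VPN server does: strip the outer header, recover the inner packet."""
    return parse_packet(outer)["payload"]


def max_user_payload(mtu=MTU):
    """User data per frame for a direct TCP segment vs the same segment tunneled.

    Tunneled: outer IP + UDP + VPN header, then inner IP + TCP, then user data.
    """
    direct = mtu - IP_HEADER - TCP_HEADER
    tunneled = mtu - (IP_HEADER + UDP_HEADER + VPN_HEADER) - (IP_HEADER + TCP_HEADER)
    return direct, tunneled


if __name__ == "__main__":
    # Constructed addresses: private range inside, RFC 5737 documentation ranges outside.
    inner = build_packet("10.1.1.20", "10.1.1.4", 40000, 22, b"SSH-2.0-OpenSSH")
    outer = encapsulate(inner, "203.0.113.7", "198.51.100.1")
    on_wire = parse_packet(outer)
    print("on the wire:", on_wire["dst"], "port", on_wire["dport"])
    recovered = parse_packet(decapsulate(outer))
    print("inside the tunnel:", recovered["dst"], "port", recovered["dport"])
    print("user bytes per frame direct/tunneled:", max_user_payload())
```

Running the module shows the two views of the same data: the firewall on the path only ever sees a packet for port 443, while the server recovers the original packet for port 22, and the overhead figures (1460 versus 1428 bytes of user data per 1500-byte frame with these assumed header sizes) are the "waste of transfer rate" the paragraph above refers to.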
One solution to this problem is to add the correct key for the particular server manually. If you are 100% sure that this warning can be ignored, simply remove the line with the incorrect key. In the particular case below the offending key is on line 21. To remove line 21 (use your own line number) use the following command:
sed -i '21d' ~/.ssh/known_hosts
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a2:ef:d6:da:26:f0:9b:5f:d8:2a:f1:e5:1a:5b:39:2f.
Please contact your system administrator.
Add correct host key in /home/user_name/.ssh/known_hosts to get rid of this message.
Offending key in /home/user_name/.ssh/known_hosts:21
RSA host key for 10.1.1.4 has changed and you have requested strict checking.
Host key verification failed.
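As an added example (not part of the article and not OpenSSH code), the following Python script does what the sed command above does, but with the checks a careful administrator makes first: it pulls the line number out of the warning, lists every known_hosts entry for the host together with the MD5 fingerprint in the same aa:bb:cc format the warning prints, and only then drops the line. The known_hosts content and the key blobs are constructed (they are not real keys), and the functions offending_line, entries_for_host and remove_line are this example's own.

```python
"""Inspect and clean a known_hosts entry, the safer version of sed -i '21d'.

Added example, not part of the original article or of OpenSSH. The
known_hosts content below is constructed with fake key material; the
warning text is taken from the ssh output printed above. Only plain
(unhashed) host names are matched; hashed entries (lines starting with
'|1|') and marker lines (starting with '@') are skipped.
"""
import base64
import hashlib
import re


def make_fake_key(label):
    """Constructed stand-in for an ssh-rsa public key blob (not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()


KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "10.1.1.5 ssh-rsa " + make_fake_key(b"host5"),
    "10.1.1.4,server4 ssh-rsa " + make_fake_key(b"old-host4-key"),
    "10.1.1.4 ecdsa-sha2-nistp256 " + make_fake_key(b"host4-ecdsa"),
]) + "\n"

# Two lines of the warning shown above, used as parser input.
WARNING = (
    "Offending key in /home/user_name/.ssh/known_hosts:21\n"
    "RSA host key for 10.1.1.4 has changed and you have requested strict checking.\n"
)


def md5_fingerprint(b64_key):
    """MD5 fingerprint in the aa:bb:... format ssh prints in the warning above.

    The hash is computed over the base64-decoded key blob.
    """
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text):
    """Yield (line_number, hosts, key_type, key) for every plain key line.

    Line numbers are 1-based, the same numbering sed and the warning use.
    """
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        if fields[0].startswith("|1|") or fields[0].startswith("@"):
            continue  # hashed host name or @cert-authority / @revoked marker
        yield number, fields[0].split(","), fields[1], fields[2]


def entries_for_host(text, host):
    """Every line that lists `host`, with the fingerprint of its key."""
    return [(number, key_type, md5_fingerprint(key))
            for number, hosts, key_type, key in parse_known_hosts(text)
            if host in hosts]


def offending_line(warning_text):
    """Pull the file path and line number out of the 'Offending key in ...' message."""
    match = re.search(r"Offending key in (\S+):(\d+)", warning_text)
    if not match:
        return None
    return match.group(1), int(match.group(2))


def remove_line(text, number):
    """Drop one 1-based line: the equivalent of sed -i '<number>d'."""
    lines = text.splitlines(keepends=True)
    if not 1 <= number <= len(lines):
        raise IndexError(f"known_hosts has no line {number}")
    del lines[number - 1]
    return "".join(lines)


if __name__ == "__main__":
    print("warning points at:", offending_line(WARNING))
    for number, key_type, fp in entries_for_host(KNOWN_HOSTS, "10.1.1.4"):
        print(f"line {number}: {key_type} {fp}")
    # Compare the printed fingerprint with one obtained out of band (console,
    # administrator) before deciding that the stale entry can go.
    cleaned = remove_line(KNOWN_HOSTS, 3)
    print("entries left for 10.1.1.4:", entries_for_host(cleaned, "10.1.1.4"))
```

Note that a host can legitimately have several lines (one per key type, or aliases separated by commas), so the script matches on the host name rather than blindly trusting a single line number, and the line number it removes is the one you pass in after looking at the fingerprints.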
The next couple of lines describe the simplest way of getting started with Perl and CGI on a Linux system, in particular Debian Linux. Although the following steps are performed on a Debian Linux system, they should be valid for all other distributions except for the step of Apache web server installation. First we need to install the Apache web server:
# apt-get install apache2
For RPM-based distributions this step could involve yum; note that the Apache package there is named httpd rather than apache2:
# yum install httpd
If you did not get any major errors, the apache2 web server should be up and running at this point. We can therefore navigate to the /usr/lib/cgi-bin directory:
# cd /usr/lib/cgi-bin
and create the following function-based CGI program named hello.cgi:
#!/usr/bin/perl -T
# -T enables taint mode: request data cannot reach the shell or the file system unchecked
use strict;
use warnings;
use CGI ':standard';

print header;                     # "Content-Type: text/html" header line
print start_html('Hello World');  # <html><head><title>Hello World</title>...<body>
print h1('Hello World');
print end_html();                 # </body></html>
exit;
Here is an object-oriented alternative to the above program:
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;               # one CGI object holds the parsed request
print $cgi->header;
print $cgi->start_html('Hello World');
print $cgi->h1('Hello World');
print $cgi->end_html();
exit;
At this stage we need to make our new CGI program executable:
# chmod 755 /usr/lib/cgi-bin/hello.cgi
Everything is now ready to launch our first CGI-based web page by pointing the browser at the IP address of the Apache server. In my case I'm running Apache locally, so I use localhost: