Don't forget to fill/complete your server.conf and roadwarrior-client.conf files (which you can check here)!
- 1. Connect the WiFi adapters
- 2. Client
- 3. Clone the VM
- 4. Setup the connections
- 5. Turn off your firewall before proceeding
- 6. Prepare your server.conf and roadwarrior-client.conf
- 7. Install Wireshark on the Client VM (optional)
- 8. Two-Factor Authenticator
- 9. Apache
- 10. OCSP
- 1. Connect the WiFi adapters
Go to the settings page of your VM.
Go to the network section and copy the following setup:
Afterwards, turn on your VM and connect both adapters.
- 2. Client
- 2.1. Install openvpn:
yum install openvpn
- 2.2. Go to this folder:
cd /usr/share/doc/openvpn-2.4.12/
- 2.3. Go to this folder:
cd sample/sample-config-files/
- 2.4. And copy the server.conf file to another location (don't change the original)
cp server.conf {folder}
- 2.5. Change the permissions of the copied server.conf in case you can't edit it (you may not need this step):
sudo chmod o+rwx {path/server.conf}
- 2.6. Copy the roadwarrior-client.conf to the same location where you saved the server.conf file
cp roadwarrior-client.conf {path}
- 2.7. Change the permissions of the file in case you can't edit it (you may not need this step)
sudo chmod o+rwx {path/roadwarrior-client.conf}
- 2.8. Check if everything is in order with ifconfig (The first two entries show what you are looking for - enp0s3 and enp0s8):
ifconfig
- 2.9. Install the Apache server (technically only needed on the VPN VM, but it's fine to have it on all of them):
yum install httpd
- Note: to start the Apache server afterwards, run:
systemctl start httpd
- 3. Clone the VM
- 3.1. Right-click on your VM and select Clone (Ctrl + O).
- 3.2. Change the name according to whether it is the VPN or the Server VM (not mandatory, but it helps to keep track of the VMs).
- 3.3. Change the MAC Address Policy to "Generate new MAC address for all network cards" and press Next.
- 3.4. Select "Full clone" and press Finish.
- 4. Setup the connections
- Follow the next steps to configure your network:
- 4.1. Click on wired settings;
- 4.2. Click on the enp0s8 settings;
- 4.3. Set up the addresses and networks for all your VMs.
- Tip - use the following image to help you set up your network:
- 5. Turn off your firewall before proceeding
systemctl stop firewalld
- 6. Prepare your server.conf and roadwarrior-client.conf
Start the client with
openvpn {path/roadwarrior-client.conf}
and the server with
openvpn {path/server.conf}
and type your password when prompted.
- 7. Install Wireshark on the Client VM (optional)
yum install wireshark-gnome
sudo wireshark
- 8. Two-Factor Authenticator
- This is ALL done on the VPN Server machine ONLY.
- 8.1. Install the Google Authenticator PAM module:
yum install google-authenticator*
- 8.2. Create the gauth user and the directory that will hold the per-user secrets, and label it for SELinux:
useradd gauth
mkdir /etc/openvpn/google-authenticator
cd /etc/openvpn && chown gauth:gauth google-authenticator && chmod 700 google-authenticator
semanage fcontext -a -t openvpn_etc_rw_t -ff '/etc/openvpn/google-authenticator(/.*)?'
- 8.3. Create the script that generates the secret for a given user:
nano /root/create_gauth.sh
#!/bin/sh
# Parse arguments
USERNAME="$1"
if [ -z "$USERNAME" ]; then
  echo "Usage: $(basename "$0") <username>"
  exit 2
fi
# Set the label the user will see when importing the token:
LABEL='OpenVPN Server'
# Run google-authenticator as gauth: time-based (-t), disallow code reuse (-d),
# rate-limit to 3 logins per 30 s (-r3 -R30), minimal window (-W), no prompts (-f),
# and write the secret to the per-user file (-s)
su -c "google-authenticator -t -d -r3 -R30 -W -f -l \"${LABEL}\" -s /etc/openvpn/google-authenticator/${USERNAME}" - gauth
- 8.4. Make the script executable (root only):
chmod 700 /root/create_gauth.sh
- 8.5. Create the VPN user (without shell access) and give it a password:
useradd -s /sbin/nologin cliente
passwd cliente
- 8.6. Generate the secret for that user (the key it prints is what you enter in your authenticator app):
/root/create_gauth.sh cliente
- 8.7. Add the PAM authentication plugin to your server.conf:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
- 8.8. Create the PAM service file used by that plugin:
nano /etc/pam.d/openvpn
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required /lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass debug
auth include system-auth
account include system-auth
password include system-auth
- 8.9. Start the server and then the client:
openvpn {path}/server.conf
openvpn {path}/roadwarrior-client.conf
- 8.10. CAREFUL! When asked for your password during authentication, type your password followed by the code generated by the authenticator!
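As an added illustration of what step 8.10 relies on (not part of the original guide): with `forward_pass`, pam_google_authenticator takes the last six digits of what you type as the TOTP code and hands the rest on to the next `auth` module as the password. The script below recomputes the code from a google-authenticator secret file the way the module does (RFC 6238, HMAC-SHA1, 30-second step) and splits a combined entry; the secret file contents, its assumed layout, the `WINDOW_SIZE` handling and the sample password are constructed assumptions, and the seed is the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample of a secret file as create_gauth.sh writes it (assumed layout:
# base32 seed, '" ' option lines, 8-digit scratch codes). Seed = RFC 6238 test vector.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
"""
DIGITS, STEP = 6, 30  # code length and time step the PAM module uses

def parse_secret_file(text):
    """Return (base32 seed, WINDOW_SIZE) from the secret file contents."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    window = 3
    for ln in lines[1:]:
        if ln.startswith('" WINDOW_SIZE'):
            window = int(ln.split()[2])
    return lines[0], window

def totp(seed_b32, at_time):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits), as the PAM module computes it."""
    key = base64.b32decode(seed_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", int(at_time) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, code % 10 ** DIGITS)

def split_forward_pass(typed):
    """forward_pass: the last DIGITS chars are the code, the rest is the password."""
    if len(typed) <= DIGITS or not typed[-DIGITS:].isdigit():
        return None, None
    return typed[:-DIGITS], typed[-DIGITS:]

def verify(typed, secret_text, now):
    """Return the password part if the code is valid at `now`, else None."""
    seed, window = parse_secret_file(secret_text)
    password, code = split_forward_pass(typed)
    if code is None:
        return None
    # The password itself is then checked by system-auth, not here.
    half = window // 2  # WINDOW_SIZE 3 -> previous, current and next step
    for delta in range(-half, half + 1):
        if hmac.compare_digest(totp(seed, now + delta * STEP), code):
            return password
    return None
```

Because the split is purely positional, a password that itself ends in six digits still works, but only if the user always types the password first and the code last, exactly as step 8.10 says.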
- 9. Apache
- TODO
- 10. OCSP
- Open the Apache SSL configuration file:
nano /etc/httpd/conf.d/ssl.conf
Most likely it is not there, or does not have the proper setup. If you don't have mod_ssl installed yet, run
sudo yum install mod_ssl
Then paste the following directives into that file:
# SSLVerifyClient on   (only if needed, most likely it is not)
SSLOCSPEnable on
# Change the URI for the responder:
SSLOCSPDefaultResponder "http://responder.example.com:8888/responder"
SSLOCSPOverrideResponder off
With SSLOCSPOverrideResponder off, Apache uses the OCSP URI from the certificate's Authority Information Access extension and falls back to SSLOCSPDefaultResponder only when the certificate carries none, which is why the next step adds that extension to the certificates you issue.
- Then open the OpenSSL configuration:
nano /etc/pki/tls/openssl.cnf
and add the last line below under the [usr_cert] section (don't forget to change the URI):
(...)
# These extensions are added when "ca" signs a request.
[usr_cert]
# Copy this line and change the URI (just the domain):
authorityInfoAccess = OCSP;URI:http://responder.example.com
(Check the 2nd PL slides)
- and check if the Authority Information Access extension has the URI you set up for the OCSP responder: run
openssl x509 -in {path}/client.crt -text | more
and search for the following output (or similar):
(...)
X509v3 extensions:
Authority Information Access
OCSP - URI:http://responder.example.com
DON'T FORGET TO IMPORT THE CERTIFICATE INTO YOUR BROWSER!