
STI Configs

Warnings

  • All of these configurations were made on CentOS 7; use the same image, which you can get here (select the "CentOS-7-x86_64-Everything-2207-02.iso" image). VirtualBox was used, which you can get here (other hypervisors such as VMware work too, but the screens will look a little different).

  • Don't forget to fill in/complete your server.conf and roadwarrior-client.conf files (which you can check here)!


1. Connect the wifi adapters:

  • Go to the settings page of your VM

    image

  • Go to the network section and copy the following setup:

    image2
    image3

  • Afterwards, turn on your VM and connect both adapters:

    image4


  • Both previous configurations and the Client configuration are needed on the VPN and Server VMs. Do the following steps on the VM which will run as the client and then clone the VM.


2. Client

  • 2.1. Install OpenVPN (on CentOS 7 the package comes from the EPEL repository, so enable it first):
yum install openvpn
  • 2.2. Go to this folder (the version number in the path is the one yum installed; check /usr/share/doc if it differs):
cd /usr/share/doc/openvpn-2.4.12/
  • 2.3. Go to this folder:
cd sample/sample-config-files/
  • 2.4. And copy the server.conf file to another location (don't change the original)
cp server.conf {folder}
  • 2.5. Change the permissions of the file in case you can't edit it (you may not need this step; note that o+rwx makes the copy world-writable, so any local user could alter a config that root later runs with openvpn, which is why handing the copy to your own user with chown is the safer choice)
sudo chmod o+rwx {path/server.conf}
  • 2.6. Copy the roadwarrior-client.conf to the same location where you saved the server.conf file
cp roadwarrior-client.conf {path}
  • 2.7. Change the permissions of the file in case you can't edit it (same caveat as in 2.5)
sudo chmod o+rwx {path/roadwarrior-client.conf}
  • 2.8. Check that everything is in order with ifconfig (the first two entries show what you are looking for: enp0s3 and enp0s8; ifconfig belongs to the net-tools package, on a minimal install ip addr shows the same information):
ifconfig
  • 2.9. Install the Apache server (technically only needed on the VPN VM, but it's fine to have it on all of them):
yum install httpd
  • Note: to run the Apache server afterwards, run the following command:
systemctl start httpd

3. Clone the VM

  • 3.1. Right-click your VM and select Clone (Ctrl + O).
  • 3.2. Change the name according to whether it is the VPN or the Server VM (not mandatory, but it helps to keep track of the VMs).
  • 3.3. Change the MAC Address Policy to "Generate new MAC address for all network cards" and press Next.

    image
  • 3.4. Select "Full clone" and press Finish.

4. Setup the connections

  • Follow the next steps to configure your network:
  • 4.1. Click on wired settings;

image

  • 4.2. Click on the enp0s8 settings;

image

  • 4.3. Set up the addresses and networks for all your VMs.

image

  • Tip - use the following image to help you set up your network:

image


5. Turn off your firewall before proceeding (a lab shortcut: on any machine that is not a throwaway VM, open the port your server.conf listens on in firewalld instead of stopping the service):

systemctl stop firewalld

6. Prepare your server.conf and roadwarrior-client.conf

COMPLETE BOTH (server.conf and roadwarrior-client.conf) FILES BEFORE PROCEEDING!

  • 6.1. On the Client VM run:

openvpn {path/roadwarrior-client.conf}
  • 6.2 On the Server VM run:

openvpn {path/server.conf}

and type your password when prompted.


7. Install Wireshark on the Client VM (optional):

yum install wireshark-gnome
  • 7.1. Run Wireshark (as root in order to have full capture capabilities; the usual alternative is to add your user to the wireshark group so the GUI does not need to run as root):

sudo wireshark
  • 7.2. Select the following interfaces (enp0s8 and tun0) and press start:

image

  • 7.3 Right-click a packet whose protocol is shown as OpenVPN and select "Decode As":

image

  • 7.4 Select "Do not decode" and press OK:

image

  • 7.5 Should look something like this (you can look at what the teacher provided):

image


8. Two-Factor Authenticator

  • This is ALL made on the VPN Server machine ONLY
  • 8.1. Install google-authenticator (the package comes from the EPEL repository):

yum install google-authenticator*
  • 8.2. Add clients (semanage is provided by the policycoreutils-python package; after adding the fcontext rule run restorecon -R /etc/openvpn/google-authenticator so the new label is actually applied to the directory):

useradd gauth
mkdir /etc/openvpn/google-authenticator
cd /etc/openvpn && chown gauth:gauth google-authenticator && chmod 700 google-authenticator
semanage fcontext -a -t openvpn_etc_rw_t -ff '/etc/openvpn/google-authenticator(/.*)?'
  • 8.3. Create file create_gauth.sh

nano /root/create_gauth.sh
  • 8.3.1. Paste the following text:

#!/bin/sh
# Create the TOTP secret file for one VPN user. The file is written by the
# unprivileged "gauth" account, which is also the account that
# pam_google_authenticator switches to (user=gauth) when it reads the file.

# Parse arguments
USERNAME="$1"

if [ -z "$USERNAME" ]; then
echo "Usage: $(basename "$0") <username>"
exit 2
fi

# Set the label the user will see when importing the token:
LABEL='OpenVPN Server'

# -t TOTP (time based), -d disallow reuse of a code, -r3 -R30 at most 3 logins
# per 30 s, -W no window of adjacent codes, -f non-interactive, -l label,
# -s path of the secret file (must match secret= in /etc/pam.d/openvpn)
su -c "google-authenticator -t -d -r3 -R30 -W -f -l \"${LABEL}\" -s /etc/openvpn/google-authenticator/${USERNAME}" - gauth
  • 8.4. Edit create_gauth.sh permissions

chmod 700 /root/create_gauth.sh
  • 8.5. Add user

 useradd -s /sbin/nologin cliente
 passwd cliente
 /root/create_gauth.sh cliente
  • 8.6. Add the following line to the VPN server.conf file (the last word is the PAM service name, i.e. the file /etc/pam.d/openvpn created in 8.7; the client's roadwarrior-client.conf needs auth-user-pass for the username/password prompt of 8.10 to appear):

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

image

  • 8.7. Create and setup openvpn file on pam.d

  • 8.7.1. Create file

 nano /etc/pam.d/openvpn
  • 8.7.2. Paste the following text there (secret= points at the per-user file created by create_gauth.sh, user=gauth reads it as that unprivileged account, and forward_pass hands the password part on to system-auth; drop debug once everything works, it logs verbosely):

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required /lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass debug
auth include system-auth
account include system-auth
password include system-auth
  • 8.8. Install Google Authenticator on your smartphone and scan the QR code that was printed when you ran "/root/create_gauth.sh cliente". The app will then show a 6-digit code that changes every 30 seconds.

  • 8.9. Run the following commands:

  • 8.9.1 On the VPN Server:

openvpn {path}/server.conf
  • 8.9.2 On the Client:

openvpn {path}/roadwarrior-client.conf
  • 8.10. CAREFUL! When asked for your password during authentication, type your password immediately followed by the 6-digit code, with nothing in between (that is what forward_pass expects). Source
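The PAM line in 8.7.2 and the "password followed by the code" rule in 8.10 can be tried offline with the following script. It is an added example, not code from the sti-configs repository, and it re-implements in plain sh plus openssl what pam_google_authenticator does: read a secret file in the layout google-authenticator writes, compute the RFC 6238 TOTP code, take the trailing 6 digits of what the user typed as the OTP and hand the rest on as the password. The function names (b32_to_hex, hmac_sha1_hex, totp_code, gauth_check, gauth_sample_file, gauth_demo), the sample secret file and the "s3cret" password are assumptions for the example; the secret is the RFC 6238 test key, so the codes it produces are the published test vectors.

```shell
#!/bin/sh
# Added example (not part of the sti-configs repository): sh + openssl model of
# pam_google_authenticator with forward_pass. Assumes sh, awk and openssl.

# RFC 4648 base32 (line 1 of the secret file) -> hex, done in awk.
b32_to_hex() {
    printf '%s' "$1" | awk '
        BEGIN { alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
        {
            bits = ""
            for (i = 1; i <= length($0); i++) {
                v = index(alpha, substr($0, i, 1)) - 1
                if (v < 0) continue                  # skip "=" padding
                for (b = 4; b >= 0; b--) bits = bits (int(v / 2^b) % 2)
            }
            for (i = 1; i + 7 <= length(bits); i += 8) {
                byte = 0
                for (b = 0; b < 8; b++) byte = byte * 2 + substr(bits, i + b, 1)
                printf "%02x", byte
            }
        }'
}

# HMAC-SHA1(key, counter): $1 key as hex, $2 counter as decimal, packed into
# 8 big-endian bytes (emitted as octal escapes for printf). Prints 40 hex digits.
hmac_sha1_hex() {
    esc=$(printf '%016x' "$2" | awk '
        { h = "0123456789abcdef"
          for (i = 1; i < length($0); i += 2)
              printf "\\%03o", (index(h, substr($0, i, 1)) - 1) * 16 + index(h, substr($0, i + 1, 1)) - 1 }')
    printf "$esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

# 6-digit TOTP for a base32 secret ($1) at Unix time $2, 30-second steps.
totp_code() {
    mac=$(hmac_sha1_hex "$(b32_to_hex "$1")" $(( $2 / 30 )))
    off=$(( 0x$(printf '%s' "$mac" | cut -c40) ))       # dynamic truncation offset
    start=$(( off * 2 + 1 ))
    word=$(printf '%s' "$mac" | cut -c"$start"-"$(( start + 7 ))")
    printf '%06d' $(( (0x$word & 0x7fffffff) % 1000000 ))
}

# forward_pass check: $1 secret file, $2 what the user typed, $3 Unix time.
# Prints the password part and returns 0 when the trailing 6 digits are a valid
# code within the file's WINDOW_SIZE (3 = previous, current and next step, the
# same loop pam_google_authenticator uses); returns 1 otherwise, so the next
# PAM module (system-auth) never sees the OTP.
gauth_check() {
    pass=${2%??????}
    code=${2#"$pass"}
    case $code in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    secret=$(sed -n '1p' "$1")
    win=$(sed -n 's/^" WINDOW_SIZE //p' "$1")
    win=${win:-3}
    i=$(( -((win - 1) / 2) ))
    while [ "$i" -le $(( win / 2 )) ]; do
        if [ "$(totp_code "$secret" $(( $3 + i * 30 )))" = "$code" ]; then
            printf '%s\n' "$pass"
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 1
}

# Constructed secret file in the layout google-authenticator writes: base32
# secret, '" ' option lines, then scratch codes. The secret is the RFC 6238
# test key, so never use this file for anything real. Prints the file path.
gauth_sample_file() {
    f=$(mktemp) || return 1
    printf '%s\n' 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' \
        '" RATE_LIMIT 3 30' '" WINDOW_SIZE 3' '" DISALLOW_REUSE' '" TOTP_AUTH' \
        '12345678' > "$f"
    echo "$f"
}

# Walk-through: the code at the RFC 6238 test time 59, then a login attempt
# typed the 8.10 way (password immediately followed by the code).
gauth_demo() {
    f=$(gauth_sample_file) || return 1
    echo "code at t=59: $(totp_code GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ 59)"
    if pw=$(gauth_check "$f" 's3cret287082' 59); then
        echo "OTP ok, password forwarded to system-auth: $pw"
    else
        echo "OTP rejected"
    fi
    rm -f "$f"
}
```

Run gauth_demo to see both halves; to check a live secret file made by create_gauth.sh, call totp_code with its first line and $(date +%s) and compare with the phone. The window loop is why a code from the previous 30-second step still works with WINDOW_SIZE 3, and why the -W option in create_gauth.sh, which disables that window, makes clock drift between phone and server a login failure.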


9. Apache

  • TODO

  • 10.1. Search for the file ssl.conf (on the VPN server) on:

nano /etc/httpd/conf.d/ssl.conf

Most likely it is not there (the file is created by the mod_ssl package) or does not have the proper setup. Apache config comments start with #, not //. Note that mod_ssl's OCSP directives validate the client certificate chain, so they only take effect when client certificate verification is enabled; with SSLOCSPOverrideResponder off the responder URI from the certificate's own Authority Information Access extension is used and the default responder is only a fallback for certificates without one.

# SSLVerifyClient on - required (here or elsewhere in the vhost) for the OCSP check to run at all
SSLOCSPEnable on
# Change the URI for the Responder:
SSLOCSPDefaultResponder "http://responder.example.com:8888/responder"
SSLOCSPOverrideResponder off
  • 10.2. OCSP information inclusion on the certificates

Run nano /etc/pki/tls/openssl.cnf and add the last line below to the [usr_cert] section (don't forget to change the URI). The extension is only added to certificates that "openssl ca" signs after this change, so existing certificates have to be reissued:

(...)
[usr_cert]
# These extensions are added when "ca" signs a request.
# Copy this line and change the URI (just the domain)
authorityInfoAccess = OCSP;URI:http://responder.example.com
  • 10.2.1. Generate a new user certificate with your private CA and convert it to PKCS12

(Check the 2nd PL slides)

  • Check that the Authority Information Access extension carries the URI you set up for the OCSP responder: run openssl x509 -in {path}/client.crt -text | more and look for the following output (or similar):
(...)
    X509v3 extensions:
      Authority Information Access:
        OCSP - URI:http://responder.example.com
  • DON'T FORGET TO IMPORT THE CERTIFICATE INTO YOUR BROWSER!

  • 10.2.2. Generate a new Apache certificate with your private CA and convert it to PKCS12
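The certificate side of 10.2.1, together with the OCSP check the ssl.conf directives of 10.1 rely on, can be exercised end to end with openssl alone. The script below is an added example, not code from the sti-configs repository or the course slides: it builds a throwaway CA, signs a client certificate that carries the authorityInfoAccess OCSP URI, exports it to PKCS12 for the browser import, and then answers and verifies OCSP requests offline so the "good" and "revoked" answers Apache would get from a responder can be seen without any network. The function names (ocsp_lab_setup, ocsp_lab_aia, ocsp_lab_status, ocsp_lab_demo), the subjects "Lab CA" and "cliente", the PKCS12 password "changeit" and the index.txt rows are assumptions for the example; the responder URI is the same placeholder the page uses and is never contacted.

```shell
#!/bin/sh
# Added example (not part of the sti-configs repository): client certificate
# with OCSP AIA, PKCS12 export, and an offline OCSP responder/verifier.
# Assumes openssl 1.1.1 or 3.x on PATH.

OCSP_URI='http://responder.example.com:8888/responder'   # page placeholder

# Create CA + client certificate + PKCS12 in a fresh temp dir; prints the dir.
ocsp_lab_setup() {
    d=$(mktemp -d) || return 1
    # self-signed private CA
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj '/CN=Lab CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # client key and certificate request
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=cliente' \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    # extensions applied at signing time; the last line is the one the page
    # adds to the [usr_cert] section of openssl.cnf
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = clientAuth' \
        "authorityInfoAccess = OCSP;URI:$OCSP_URI" > "$d/client.ext"
    openssl x509 -req -sha256 -days 90 -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/client.ext" \
        -out "$d/client.crt" 2>/dev/null || return 1
    # PKCS12 bundle for the browser import (password is a lab placeholder)
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
        -certfile "$d/ca.crt" -name cliente -passout pass:changeit \
        -out "$d/client.p12" 2>/dev/null || return 1
    echo "$d"
}

# Print the OCSP URI embedded in client.crt (the check 10.2.1 asks for).
ocsp_lab_aia() {
    openssl x509 -in "$1/client.crt" -noout -text | sed -n 's/^ *OCSP - URI://p'
}

# OCSP status of client.crt for a CA database row of status $2: "V" (valid)
# or "R" (revoked). openssl itself answers the request from a file, so no
# responder process or listening port is needed. Prints good or revoked.
ocsp_lab_status() {
    d=$1
    serial=$(openssl x509 -in "$d/client.crt" -noout -serial | cut -d= -f2)
    # One "openssl ca" index.txt row: status, expiry, revocation time, serial,
    # file name, subject. Only status, revocation time and serial matter here.
    if [ "$2" = R ]; then
        printf 'R\t391231235959Z\t240101000000Z\t%s\tunknown\t/CN=cliente\n' "$serial"
    else
        printf 'V\t391231235959Z\t\t%s\tunknown\t/CN=cliente\n' "$serial"
    fi > "$d/index.txt"
    # client side: build the request (no nonce, so a stored answer stays valid)
    openssl ocsp -issuer "$d/ca.crt" -cert "$d/client.crt" -no_nonce \
        -reqout "$d/req.der" >/dev/null 2>&1 || return 1
    # responder side: answer from index.txt, signing with the CA key
    openssl ocsp -index "$d/index.txt" -CA "$d/ca.crt" -rsigner "$d/ca.crt" \
        -rkey "$d/ca.key" -reqin "$d/req.der" -respout "$d/resp.der" >/dev/null 2>&1 || return 1
    # client side again: verify signature and chain against the CA, read status
    openssl ocsp -respin "$d/resp.der" -issuer "$d/ca.crt" -cert "$d/client.crt" \
        -CAfile "$d/ca.crt" -no_nonce 2>&1 | sed -n 's/^.*client\.crt: //p'
}

# Walk-through: AIA URI, then the status for a valid and for a revoked row.
ocsp_lab_demo() {
    d=$(ocsp_lab_setup) || return 1
    echo "AIA OCSP URI: $(ocsp_lab_aia "$d")"
    echo "valid row:    $(ocsp_lab_status "$d" V)"
    echo "revoked row:  $(ocsp_lab_status "$d" R)"
    rm -rf "$d"
}
```

Run ocsp_lab_demo for the whole sequence. The same three openssl ocsp invocations are what a real deployment does over HTTP: the browser (or Apache, for a client certificate) sends req.der to the URI in the AIA extension, the responder answers from the CA's database, and the verifier trusts the answer only because it is signed by the issuing CA, which is why the revoked row flips the result even though the certificate itself is untouched.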
