VPN is a good way to protect your cloud infrastructure from attacks. In the method below I will list down the step how to log in to your vpn machine and access the cloud LAN from you laptop.
I am using Debian on Google Cloud as an example. The setup process should be similar on other clouds. The cloud lan is in the network 10.240.0.0/16 and the vpn lan will be in the network 10.8.0.0/16.
1. Setup firewall rules to allow connection to vpn machine:
Networks > your network (usually named default) > Firewall rules:
Create new: Name: VPN Traffic Source IP Ranges: 0.0.0.0/0 Allowed Protocols/Ports: tcp:1194 Target Tags: vpn
2. Spawn a new debain machine, go to advanced and tag it vpn. Also enable IP Forwarding.
Log in and run this:
“sudo sysctl -w net.ipv4.ip_forward=1“
Make the same change in “/etc/sysctl.conf“
3. Install openvpn:
sudo apt-get update sudo apt-get install openvpn
4. Set up openvpn
* Create a new directory with the command
sudo mkdir /etc/openvpn/easy-rsa/.
* Copy the necessary files with the command
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/.
* Change the ownership of the newly copied directory with the command
sudo chown -R $USER /etc/openvpn/easy-rsa/.
* Edit the file
/etc/openvpn/easy-rsa/vars and change the variables listed below.
The variables to edit are:
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Uberlabs" export KEY_EMAIL="firstname.lastname@example.org" export KEY_CN="FooBar"
Once the file has been edited and saved, we’ll run several commands must be entered in order to create the certificates:
cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys sudo openvpn --genkey --secret ta.key sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
The clients will need to have certificates in order to authenticate to the server. To create these certificates, do the following:
KEY_CN in vars file everytime you create a new client cert, else you will notice that hostname.crt is of 0 bytes. Or you can use
KEY_CN=someuniqueclientcn ./pkitool client1.
cd /etc/openvpn/easy-rsa/ source vars ./pkitool hostname
Files needed to setup client
* /etc/openvpn/easy-rsa/keys/hostname.crt (Where hostname is the hostname of the client).
* /etc/openvpn/easy-rsa/keys/hostname.key (Where hostname is the hostname of the client).
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Open /etc/openvpn/server.conf and make the below change. SSH does not work properly in udp mode.
proto tcp server 10.8.0.0 255.255.0.0 push "route 10.240.0.0 255.255.0.0" #this is a change client-to-client
While udp is recommended by openvon but ssh was failing when I tried to ssh on some other hosts on the cloud.
Configure iptables to allow traffic from VPN to LAN
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
TIP: Restart openvpn every time you make a change in iptables they are not reflected instantly.
sudo service openvpn restart
Install openvpn on your laptop. Copy Sample client.conf to /etc/openvpn. Save the client files in /etc/openvpn/
proto tcp remote 220.127.116.11 1194 ca ca.crt cert roshan-home.crt key roshan-home.key
sudo service openvpn restart
sudo ifconfig in 30 seconds you will see a new vpn interface tun0. You should be able to ping 10.240.x.x and ssh.
* Use routing table info to see if it is set correctly route -n or netstat -rn
* tcpdump to see if icmp packets are received tcpdump -i any icmp
* netcat or telnet to see if vpn port is open
netcat -z -v 18.104.22.168 1194 telnet 22.214.171.124 1194