Task 4:
Finally, it is time to generate the client certificate and let the Root CA
approve it. Copy and paste the text below to the terminal screen in one line:
# Create a Certificate Signing Request (CSR) with a key for the OpenVPN client
openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
-out client.csr -subj "/C=UK/ST=UK/L=LONDON/O=LAB101/CN=CLIENT"
Two files, named client.csr and client.key, will be created. Then, hand the
client.csr file to the Root CA for signing. Copy and paste the text below to
the terminal screen in one line:
# Sign the CSR and create the client.crt file, which is signed by the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
-set_serial 02 -sha256 -days 365 -text -out client.crt \
-extensions v3_vpn_client -extfile ./x509-extensions.cnf
Again, you will be prompted for the password of the root CA. Now, check the
directory. We should have a client.crt file now. Let’s check the signature and
the other information that the Root CA embedded:
openssl x509 -in client.crt -text -noout
We will use this certificate and its key on the Kali Linux machine with
OpenVPN. Copy those files to the Kali Linux machine in a secure way, with
SCP.
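As an added example (not one of the lab’s own files), the script below builds a throwaway Root CA in a directory of your choice, repeats the two Task 4 commands against it, issues a server certificate as well, and then checks every certificate against the purpose OpenVPN will require of it. That purpose check is the same extended-key-usage test that the remote-cert-eku line in Task 6 applies to the server certificate from the client side. The lab never shows the contents of x509-extensions.cnf, so the v3_ca, v3_vpn_client and v3_vpn_server sections here are assumptions, as are the subject names.

```shell
#!/bin/sh
# Added example, not part of the lab: builds a throwaway Root CA, repeats the
# Task 4 CSR and signing commands against it, also issues a server certificate,
# and then checks every certificate against the purpose OpenVPN expects of it.
# The lab never shows x509-extensions.cnf, so the sections below are assumed.
set -eu

# Write the assumed extension file to $1. v3_vpn_client is the section the
# lab signs with; v3_vpn_server is an assumed counterpart for the server side.
write_ext_cnf() {
    cat > "$1" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_vpn_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_vpn_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Issue a CSR named $2 with subject $3 and sign it with section $4 and serial
# $5, using the CA kept in directory $1 (constructed lab material, no passphrases).
issue_cert() {
    dir=$1 name=$2 subj=$3 section=$4 serial=$5
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial "$serial" -sha256 -days 365 -extensions "$section" \
        -extfile "$dir/x509-extensions.cnf" -out "$dir/$name.crt" 2>/dev/null
}

# Create the Root CA plus one client and one server certificate inside $1.
build_lab_pki() {
    dir=$1
    mkdir -p "$dir"
    write_ext_cnf "$dir/x509-extensions.cnf"
    # Root CA: a CSR self-signed with its own key and the v3_ca section.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/C=UK/O=LAB101/CN=LAB ROOT CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 365 \
        -extensions v3_ca -extfile "$dir/x509-extensions.cnf" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" client "/C=UK/ST=UK/L=LONDON/O=LAB101/CN=CLIENT" v3_vpn_client 02
    issue_cert "$dir" server "/C=UK/ST=UK/L=LONDON/O=LAB101/CN=SERVER" v3_vpn_server 01
}

# Return 0 when certificate $1 chains to CA $2 and is valid for purpose $3
# (sslclient or sslserver); the purpose test is what the EKU check enforces.
verify_purpose() {
    openssl verify -purpose "$3" -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 when the human-readable EKU text $2 appears in certificate $1.
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Build the PKI in $1 and print how each certificate fares under each purpose.
demo() {
    build_lab_pki "$1"
    for c in client server; do
        for p in sslclient sslserver; do
            if verify_purpose "$1/$c.crt" "$1/ca.crt" "$p"; then r=OK; else r=REJECTED; fi
            echo "$c.crt verified as $p: $r"
        done
    done
}

if [ $# -gt 0 ]; then demo "$1"; fi
```

Run it as `sh lab-pki.sh /tmp/lab-pki`. The two REJECTED lines are the point: a certificate issued with clientAuth does not verify as a server and vice versa, so a client certificate that leaked cannot be presented as the server, provided the peer actually checks the purpose, which is what remote-cert-eku does.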
Task 5:
There is one file to be created on the Ubuntu Server: “tc.key”.
Copy and paste the command below to the terminal screen in one line:
openvpn --genkey --secret tc.key
Now, we have a “tc.key” file. This file will also be copied to the Kali Linux
machine in a secure way.
What about the dh.pem file? Since we’ve configured all the certificates to use
Elliptic Curve Cryptography, there is no need for a Diffie-Hellman seed file
in this instance.
The server side of our OpenVPN installation is done!
Task 6:
Now, we will prepare the OpenVPN client, which is Kali Linux. We will
follow the same steps we followed while preparing the server. Open a
terminal screen in the Kali VM, then type this command:
sudo su -
Since the following steps require privileges, we switch to the “root” user.
We must then make sure that the openssl and openvpn packages are installed
in their most up-to-date versions on the client machine:
apt update
apt install openssl openvpn
Remember, there are two empty directories in “/etc/openvpn”, named
“server” and “client”. Since we will configure our Kali Linux machine as a
VPN client, we will create all our files under the “client” directory. From
inside that directory, copy the text lines below and paste them into the
terminal screen of Kali. Then, hit enter:
cat << EOF > client.conf
remote 192.168.1.206 1194 udp4
resolv-retry infinite
client
dev tun
nobind
verb 3
auth-nocache
user nobody
group nogroup
auth SHA512
persist-key
persist-tun
cipher AES-256-GCM
tls-client
remote-cert-eku "TLS Web Server Authentication"
ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key
dh none
EOF
A new file named “client.conf” should have been created here. Let’s check
the file content:
cat client.conf
See what some of the lines do:
On the top line, we see:
remote 192.168.1.206 1194 udp4
We will connect to this IP address or hostname given, via VPN from our Kali
Linux machine. Port number and protocol type are placed at the end of the
line.
resolv-retry infinite
Keeps retrying the server lookup and connection indefinitely instead of
giving up; useful for unreliable internet connections and laptops.
client
Tells openvpn to act as a client.
user nobody
group nogroup
These two lines specify the unprivileged user and group the “openvpn” process
runs as once it has started.
cipher AES-256-GCM
This line sets the cipher used for the data channel. It must be the same on
both the server and the client.
tls-client
Indicates that the TLS in this machine will be in the client role.
remote-cert-eku "TLS Web Server Authentication"
The Extended Key Usage value we require to see in the server certificate. If
the server certificate lacks it, the client refuses the connection.
The remaining parameters have been explained in Task 1.
Task 7:
Now, let’s copy the other files mentioned in the “client.conf” file to our Kali
machine. The first is the “ca.crt” file, which we created in Task 1. We also
created the client certificate and key pair in Task 4, and the tc.key file in
Task 5. We will send them all to our Kali machine with scp.
Start SSH service in the Kali machine with this command in the terminal:
sudo systemctl start ssh
Switch to the Ubuntu Linux machine’s terminal screen. Make sure we are in the
“/etc/openvpn/server” directory, as the files we created are there. Type
these commands to transfer the files to the Kali machine:
cd /etc/openvpn/server
sudo scp ca.crt client.crt client.key tc.key kali@192.168.1.28:~/
In this instance, our Kali machine has an IP address of 192.168.1.28; replace
this with yours.
All four files are transferred to the Kali machine in a secure way. Then, move
the files to the “/etc/openvpn/client” directory on the Kali machine. Change
the ownership to the root user and make sure they have proper access modes:
every “key” file must be readable by the root user only.
sudo mv -f ca.crt client.crt client.key tc.key /etc/openvpn/client/
cd /etc/openvpn/client/
sudo chown root: *
sudo chmod 0600 *.key
Since we authenticate with these certificates, the VPN server we connect to
will not ask for any other credentials.
The client side of our OpenVPN installation is done!
Task 8:
Now, it is time to connect the two machines with the VPN. Switch to the server
machine (Ubuntu) and type these commands on the terminal screen:
cd /etc/openvpn/server
sudo openvpn --config server.conf
Our VPN server starts and awaits client connections. 10.8.0.1 is the virtual IP
address of our server. The server also assigns addresses from its pool to its
clients, starting from 10.8.0.2.
Switch to client machine (Kali), and type these commands on the terminal
screen:
cd /etc/openvpn/client
sudo openvpn --config client.conf
Our OpenVPN client has started successfully. 10.8.0.2 is our virtual IP
address, attached to the tun0 interface. The logs show that all certificates
were signed by the authorized Root CA and have the required attributes, such
as “TLS Web Server Authentication”.
Now, try to ping the other side. Open a separate terminal screen, then type
these commands:
After the connection is established, logs like the following are generated on
the VPN server side:
If connecting to an internal network, such as that of a hacking lab site like
HackTheBox or TryHackMe, we will need an OpenVPN package file. Many VPN
providers supply a client.conf file specially prepared for their system, for
your convenience.