1
00:00:00,000 --> 00:00:18,080
Hey everyone and welcome back. So now what I want to do is to walk you through the actual

2
00:00:18,080 --> 00:00:25,000
configuration of a VPN. Now the VPN that we're going to be using, or the VPN solution that

3
00:00:25,000 --> 00:00:33,480
we're going to be using, is one called OpenVPN. Now there happen to be a few different solutions

4
00:00:33,480 --> 00:00:41,000
that we can use for VPN connectivity on Linux, but the reality is for the examination, OpenVPN

5
00:00:41,000 --> 00:00:48,079
is specified, therefore we want to have familiarity with this particular VPN solution. So with that

6
00:00:48,079 --> 00:00:55,359
said, how about we dive in. Now, what I actually have here is, you may recall, I have one

7
00:00:55,359 --> 00:01:04,560
server, which is server one, and this is an Ubuntu-based machine, and I also have a server two which is

8
00:01:04,560 --> 00:01:10,759
again also an Ubuntu-based machine. Now here is the problem with what we're going to do. There's

9
00:01:10,759 --> 00:01:17,120
going to be some type of limitation here because like I say these two machines are actually within

10
00:01:17,520 --> 00:01:23,480
the same network virtualized by VMware. As it transpires, both of these machines happen to be

11
00:01:23,480 --> 00:01:35,040
on the 192.168.4.0/22 network, I believe, meaning that this device here can already see

12
00:01:35,600 --> 00:01:41,439
this device here like they're on the same network because they're on the same network. So whilst

13
00:01:41,439 --> 00:01:48,879
we're going to try to build a VPN connection between these two devices so that they appear like

14
00:01:48,879 --> 00:01:53,759
they're on the same network, well they actually already are on the same network. So there's a

15
00:01:53,759 --> 00:01:58,560
little bit of tweaks that we're going to have to make, but we should still be able to create our

16
00:01:58,560 --> 00:02:05,680
tunnel connection and actually connect to each other, i.e. ping each other over that particular

17
00:02:05,680 --> 00:02:10,240
tunnel to demonstrate that we do have that connectivity. So I just want to be upfront from

18
00:02:10,240 --> 00:02:18,080
the get-go is that, like I say, whilst this is kind of playing fast and loose with how a VPN would

19
00:02:18,080 --> 00:02:24,480
really be implemented over a vast geographical expanse, the configurations of what we're doing

20
00:02:24,480 --> 00:02:30,719
are still going to be valid ultimately. I'll just point out the differences as we go along. So with

21
00:02:30,719 --> 00:02:37,040
that said, how about we begin looking at our servers. So, like I say, server one, let's bring this up.

22
00:02:37,039 --> 00:02:43,680
Here we have server one on the left. Let's grab server two and here we have server two on the

23
00:02:43,680 --> 00:02:49,120
right. Now, just for posterity, let me just show you the IP addressing that is in play here. In fact,

24
00:02:49,120 --> 00:02:59,199
let me just grep for 192. We can see here that the address of this server here is 192.168.4.29,

25
00:02:59,199 --> 00:03:09,359
and the one on the left, if I do an ip addr and I grep for 192, this is 192.168.4.30. So like I say,

26
00:03:09,359 --> 00:03:16,479
no problem in reality with these devices being able to connect. Server two can easily ping server one

27
00:03:16,479 --> 00:03:23,759
and vice versa: ping 192.168.4.30. So we're going to do a little bit of pretending here. Imagine that

28
00:03:23,759 --> 00:03:30,639
we did not have this type of connectivity inherent to this IP addressing. We're instead going to

29
00:03:30,639 --> 00:03:36,879
imagine that both of these interfaces are public facing interfaces and they have no connectivity.

30
00:03:36,879 --> 00:03:41,120
They are on entirely different networks. So the first thing we're going to do is we're going to

31
00:03:41,120 --> 00:03:47,120
install something called curl. So curl is going to allow us to download what we need to download.

32
00:03:47,120 --> 00:03:53,519
So I'll say sudo apt install curl and hit enter, type in my password of course, and I'll just say y,

33
00:03:53,600 --> 00:04:00,080
hit enter again, and if we slide on over to server two we'll do sudo apt install curl once again and

34
00:04:00,080 --> 00:04:07,760
just do a -y here to confirm, and again the password goes in. Okay, cool. So we have curl

35
00:04:07,760 --> 00:04:15,040
installed on both servers now. What we now want to do is we want to go to a particular website.

36
00:04:15,040 --> 00:04:21,920
This is GitHub, where we can actually download the script we need to begin installing OpenVPN. So

37
00:04:21,920 --> 00:04:26,800
let me show you how to get this if I just pull up my browser here. So if you happen to search for

38
00:04:26,800 --> 00:04:33,520
OpenVPN on GitHub, if we go down to this one here, angristan openvpn-install, if we click on

39
00:04:33,520 --> 00:04:38,879
this and let me just zoom in a little bit here so we can see a little bit better. There we go.

40
00:04:38,879 --> 00:04:45,759
So if you scroll on down you're going to see in the README, the top part here, we see the usage and

41
00:04:45,759 --> 00:04:50,400
we're going to see this script right here, again using curl, which we've just installed. So if you

42
00:04:50,479 --> 00:04:55,039
just highlight this, or even just click this link here, we're going to copy this. Let's go back to

43
00:04:55,039 --> 00:05:00,879
our terminal windows, just minimize this. Okay, so let's maximize this one. So for now all I'm going

44
00:05:00,879 --> 00:05:08,159
to do is just paste this in, and now if we do an ls we should now see this openvpn-install.sh. If we

45
00:05:08,159 --> 00:05:14,079
do an ls -l, if you check the permissions, we're going to see that this is not executable, so we

46
00:05:14,079 --> 00:05:20,879
want to use our chmod command, chmod +x, to add execute permission on that particular file. We hit

47
00:05:20,879 --> 00:05:26,800
enter, we do an ls -l once again, we can see the executable permissions have been set, so we can

48
00:05:26,800 --> 00:05:34,879
now actually run this setup script. Similarly, we go to the other server right here and do the same thing.

49
00:05:34,879 --> 00:05:42,319
Okay, paste this in, hit enter. If we do an ls we can see it once again, ls -l, let's make it executable

50
00:05:42,319 --> 00:05:51,279
with chmod +x openvpn-install.sh, and we check again, now it is executable. So all we can do here is, if we say

51
00:05:51,279 --> 00:05:58,879
sudo for superuser privileges and just say openvpn-install.sh with the ./ beforehand, if we hit enter

52
00:05:58,879 --> 00:06:04,319
now we're going to run through this setup script. Now, I'm just going to run through the defaults here

53
00:06:04,319 --> 00:06:08,480
because we're really just going to be doing quite a simple connection. In this case we don't have to

54
00:06:08,480 --> 00:06:14,000
worry about modifying these defaults. So right now we can see here the IP address; it is showing here

55
00:06:14,000 --> 00:06:21,520
as the internal IP address of the server, in my case that is 192.168.4.30. If I just hit enter, I'm

56
00:06:21,520 --> 00:06:26,879
just going to run through all of the defaults, just hitting enter, enter: enable compression, no;

57
00:06:26,879 --> 00:06:33,120
customize encryption, no; and then continue. It'll run through the installation here. We're then

58
00:06:33,120 --> 00:06:40,079
going to be prompted to specify a client name; it's going to set up our certificates and our GPG.

59
00:06:40,720 --> 00:06:45,439
Okay, so here is the part of the client name. Now again, I'm not going to worry about this too much, so

60
00:06:45,439 --> 00:06:52,240
I'll just maybe call this s2, since this is server 2. Again, use the defaults of enter, and that is us

61
00:06:52,240 --> 00:06:57,600
for server 1. If we just follow the same process on the other server, so sudo ./openvpn-install.sh,

62
00:06:57,600 --> 00:07:01,920
we'll run through the script, just hit enter. This time notice that the IP address is a little bit

63
00:07:01,920 --> 00:07:08,240
different. Again, I'm just going to hit enter through all of these settings. Again, client name, I'll just

64
00:07:08,240 --> 00:07:13,360
say s1, doesn't actually matter, we're not going to worry about that just now, and again enter again.

65
00:07:13,920 --> 00:07:20,000
So both servers now actually have the installation done, and we actually see here we have this

66
00:07:20,000 --> 00:07:25,759
.ovpn file, but we're actually not going to worry about that for our demonstration. And what I want to say

67
00:07:25,759 --> 00:07:33,360
here just at the get-go is to say sudo service openvpn stop, make sure nothing's running. Do the same

68
00:07:33,360 --> 00:07:42,879
again on the server 2 right here, so again sudo service openvpn stop, hit enter. Cool, we'll do an ls.

69
00:07:43,839 --> 00:07:49,920
Right, so what we actually want to do here is we want to generate a key for our authentication

70
00:07:49,920 --> 00:07:56,560
purposes. So what I'm going to do is I'm going to generate the key on server 1 and then copy that

71
00:07:56,560 --> 00:08:01,360
key over to server 2, and the way we're going to copy this is what we've seen very, very recently:

72
00:08:01,360 --> 00:08:08,720
we're going to use scp, which is going to transfer that server, or rather transfer that certificate,

73
00:08:08,720 --> 00:08:15,120
to the server over SSH. Now we'll recall that SSH will be an encrypted connection. This is very

74
00:08:15,120 --> 00:08:20,800
important because we do not want to compromise the integrity of that certificate, or rather of

75
00:08:20,800 --> 00:08:28,079
that key, so the fact that the transferral of this data is secure is of primary importance. So the

76
00:08:28,079 --> 00:08:33,200
first thing we'll do here is we will generate that key on server one. So what we'll do is I will

77
00:08:33,200 --> 00:08:38,560
clear the screen. Now that we've installed OpenVPN we'll have access to the openvpn command, so if we

78
00:08:38,639 --> 00:08:47,359
say openvpn and I do a --genkey to generate the key, and then --secret, this is going to

79
00:08:47,359 --> 00:08:53,359
be where we specify the name of the key we want to create. So all I'll do is I'll just call this

80
00:08:54,159 --> 00:08:59,839
whatever you wish. I'll just call this crypto.key, not that it matters, choose any key name you want

81
00:08:59,839 --> 00:09:08,319
to. So if I hit enter now and I do an ls, if I happen to cat crypto.key, we can actually see we have

82
00:09:08,320 --> 00:09:16,960
this OpenVPN static key. Now this is the key we want to have available on the adjacent server; that

83
00:09:16,960 --> 00:09:22,160
means when we have the connection we can authenticate and the connection can be established. Now what we

84
00:09:22,160 --> 00:09:31,360
want to do is to transfer that key, like I say, using secure copy. So I'm going to say scp, and I am going

85
00:09:31,360 --> 00:09:37,440
to therefore specify the key, which in my case is called crypto.key, and now what I have to do is to

86
00:09:37,440 --> 00:09:44,960
specify whereabouts I want to copy it to. Now on machine two, server two, the username is still ipv0,

87
00:09:44,960 --> 00:09:50,400
so that is the same. I'm going to have to type in the IP address of the adjacent server, which is

88
00:09:50,400 --> 00:09:57,920
192.168.4.30, and now I have to specify the path, the directory into which I want to transfer this

89
00:09:57,920 --> 00:10:02,400
file. Now I'm just going to put this in the user's home directory, so that'll be /home

90
00:10:02,480 --> 00:10:09,840
/ipv0/. If I hit enter, I'm going to have to accept the fingerprint of

91
00:10:09,840 --> 00:10:16,000
that server, say yes, and now I'm going to have to type in the password for that user on the remote

92
00:10:16,000 --> 00:10:23,199
server. So if I hit enter now, we can see here that the transfer of that key has been successful.

93
00:10:23,199 --> 00:10:28,960
If we move on over to the other server, let's confirm that at the opposite end. So we'll open

94
00:10:28,960 --> 00:10:35,519
this, maximize, do an ls within the home directory of server 2, we can now see the presence of that

95
00:10:35,519 --> 00:10:42,800
key, and if we cat that key we can actually see that the OpenVPN static key V1 is indeed the same

96
00:10:42,800 --> 00:10:48,160
on both sides of the connection. Now we can actually begin looking at configuring the connection then,

97
00:10:48,160 --> 00:10:55,519
so if we now go back to machine one, what we're going to do is to create a particular configuration

98
00:10:55,519 --> 00:11:00,639
file. Now this doesn't actually have to be of any particular name, although because this happens

99
00:11:00,639 --> 00:11:06,960
to be acting as a server, where we generated the actual key, we'll just call this server.conf. That

100
00:11:06,960 --> 00:11:13,199
is a well-known convention, but you can reference any particular file you wish. So I'll say sudo nano

101
00:11:13,199 --> 00:11:17,679
and I'll just call this server.conf. I'm putting this within my home directory, but again you can put

102
00:11:17,679 --> 00:11:24,639
it in any directory you want to. So check this out: remember in our introduction to VPNs we talked

103
00:11:24,639 --> 00:11:29,439
about how we want to create an actual tunnel connection. In fact, let me just briefly draw this

104
00:11:29,439 --> 00:11:35,519
for you once again to refresh. This can be our server one right here, and we're going to have

105
00:11:35,519 --> 00:11:41,840
server two over here, and we want this tunnel connection. Remember, this interface here is not

106
00:11:41,840 --> 00:11:47,279
going to be a physical interface that actually exists; it's going to be just a logical construct.

107
00:11:47,279 --> 00:11:54,000
So right here this interface is going to be called, in our case, tun0. This is what we're going to

108
00:11:54,080 --> 00:12:00,240
create, and we want to give it an IP address, and again this can be an arbitrary IP address you

109
00:12:00,240 --> 00:12:10,399
choose. I believe in the example I said 10.20.30.1, and adjacent on server two we're also going to create

110
00:12:10,399 --> 00:12:17,360
a tun0 interface, and again we're going to make sure that the tunnel interfaces on each

111
00:12:17,360 --> 00:12:22,320
server adjacent to one another are going to be in the same network. So we're going to put this in

112
00:12:22,800 --> 00:12:28,879
10.20.30.2. If they're not in the same network we're not going to have connectivity over the tunnel;

113
00:12:28,879 --> 00:12:37,200
this part is clearly very crucial. So let's generate tun0, and we will specify the IP address of the

114
00:12:37,200 --> 00:12:44,560
tunnel of our local interface, and we're going to specify the tunnel address of the adjacent

115
00:12:44,560 --> 00:12:48,960
interface to which we're going to connect. Cool, so that's exactly what we'll do just now. Let's

116
00:12:48,960 --> 00:12:54,639
clear the screen, go back and begin typing. So the way we generate our tunnel interface, we just say

117
00:12:54,639 --> 00:13:01,840
dev tun, so the device will be a tunnel. We're going to use ifconfig, and now we're going to specify the

118
00:13:01,840 --> 00:13:09,040
IP address of our tunnel interface. Now the first address we give is going to be our local interface,

119
00:13:09,040 --> 00:13:14,320
the second one will be the remote. Try not to get these mixed up, because you will confuse your connection

120
00:13:14,320 --> 00:13:22,080
and probably will make a mistake, so just be careful. So 10.20.30.1, that is the local interface of

121
00:13:22,080 --> 00:13:29,600
this actual server, and it's going to connect to 10.20.30.2, the adjacent interface. Now that is not

122
00:13:29,600 --> 00:13:35,360
all we need; this is just simply the connection of the interface. We need to have our authentication

123
00:13:35,360 --> 00:13:41,120
in place, so we're going to use the keyword secret, and now we're going to point to that particular

124
00:13:41,120 --> 00:13:48,480
key that we just generated using the OpenSSH command, or rather the OpenVPN command. So check

125
00:13:48,480 --> 00:13:52,879
this out: now the actual path we're going to do is going to be in the home directory, that is where

126
00:13:52,879 --> 00:13:58,639
the key actually resides, and I believe I called the key crypto.key. Again, the key name doesn't

127
00:13:58,639 --> 00:14:03,360
matter as long as you reference the actual path and the correct file which has the information

128
00:14:03,360 --> 00:14:10,159
within it; that's all you need. So all I'm going to do is write this out, save, exit back. Cool,

129
00:14:10,159 --> 00:14:15,439
now what I'm going to do is I'm actually going to start up this particular server. Then the way I can

130
00:14:15,439 --> 00:14:21,600
do this is by saying sudo openvpn. I'll then do a --config to specify the config,

131
00:14:22,959 --> 00:14:28,399
and the config I'm going to specify is the name of the file which actually has those

132
00:14:28,399 --> 00:14:34,159
configurations. Now remember what it's called: it's going to be called server.conf, so all this

133
00:14:34,159 --> 00:14:43,279
stuff here. So I'll say sudo openvpn --config, and because I'm within the directory in which

134
00:14:43,279 --> 00:14:50,079
this configuration file exists I can just give the relative path, which is this here, or alternatively

135
00:14:50,079 --> 00:14:56,319
I can provide the absolute path, which would be /home/ipv0/server.conf. Either which way is fine.

136
00:14:56,319 --> 00:15:03,039
So if I hit enter now, we're going to see that the connection has begun to open. We have device

137
00:15:03,039 --> 00:15:11,439
tun0 opened; we can see the IP address that has been set for the local interface is 10.20.30.1, and the

138
00:15:11,439 --> 00:15:17,759
peer, meaning that what we're going to connect to, is going to have the IP address of 10.20.30.2. Now this

139
00:15:17,759 --> 00:15:23,839
is only one side of the connection; we're going to have to do the same thing on server 2. So let's

140
00:15:23,839 --> 00:15:30,639
slide on over to that. So if I just minimize this and we grab server 2, cool. So we don't actually

141
00:15:30,639 --> 00:15:36,240
have to generate a key here, because we have the key copied over from machine one. What we do, though,

142
00:15:36,240 --> 00:15:42,080
is we're going to have to create a configuration file. Again, you can call this any name you wish

143
00:15:42,080 --> 00:15:47,279
because we're going to reference it specifically. I'm just going to call this client.conf, so

144
00:15:47,279 --> 00:15:52,720
sudo nano client.conf, let's go in once again. Now here is the part which is going to be a little

145
00:15:52,720 --> 00:15:58,720
bit different. So what we're going to have to do is to specify the IP address of the remote server. Now

146
00:15:58,720 --> 00:16:04,480
this is the part that's going to be confusing, because I'm going to say remote and then the IP

147
00:16:04,480 --> 00:16:11,519
address of that server. Now, because I just happen to be within the same local network on my two virtual

148
00:16:11,519 --> 00:16:17,519
machines, this is where I'm going to specify the adjacent machine's private IP address, which if you

149
00:16:17,519 --> 00:16:26,000
recall is 192.168.4.29. Remember, this server here I'm on is .4.30, so I'm specifying the

150
00:16:26,080 --> 00:16:31,759
opposite server's IP address. The problem here is that this happens to be a local address, so we're

151
00:16:31,759 --> 00:16:38,240
not really providing much magic, but if you happen to be able to find a path to an external IP address,

152
00:16:38,240 --> 00:16:44,720
such as a NATed address on a router, which would be a global public interface that you could reach

153
00:16:44,720 --> 00:16:49,519
via the internet, you could specify this address here. As long as you can reach this address you

154
00:16:49,519 --> 00:16:54,080
can begin to establish the connection and then build the tunnel. So that's the part here which is

155
00:16:54,080 --> 00:17:00,320
a little bit confusing, because again we happen to be using already accessible local addresses to

156
00:17:00,320 --> 00:17:05,759
ultimately establish a local connection via the tunnel, which again is the problem with the demos:

157
00:17:05,759 --> 00:17:10,720
we don't always get perfect environments, but we do what we can. So okay, so like I say, that's going to

158
00:17:10,720 --> 00:17:15,600
be the opposite side of the connection. Now we're going to create our tunnel by saying dev tun,

159
00:17:15,600 --> 00:17:23,519
just as we did on the server, and then I'm going to specify ifconfig. Now remember the order we

160
00:17:23,519 --> 00:17:29,599
did it in the first server: it's going to be the same order, but because this is the different server

161
00:17:29,599 --> 00:17:35,359
the numbers are going to be reversed. So this time we still start with the local IP address, so it's

162
00:17:35,359 --> 00:17:44,879
going to be 10.20.30.2 on the tunnel here, and from this vantage point the adjacent server will be

163
00:17:44,879 --> 00:17:51,359
10.20.30.1, which is server one. Now again, just like we saw before, we're going to have to specify the

164
00:17:51,359 --> 00:17:57,679
secret for the authentication. Again, we can provide the full path here, so it's going to be /home/ipv0

165
00:17:58,240 --> 00:18:04,319
and the key we actually transferred over here was called crypto.key. And if we happen to save

166
00:18:04,319 --> 00:18:10,639
this file and write it out, we just exit. In fact, let me just save that without the backslash, let's do

167
00:18:10,639 --> 00:18:18,399
this again and exit back out. If I cat this particular file right here, cat client.conf, we can see

168
00:18:18,400 --> 00:18:25,200
this is the connection. So what we now want to do is to use openvpn from this side to spin up this

169
00:18:25,200 --> 00:18:31,120
file client.conf, which has all the details we need to make that connection. What I'm going to do here

170
00:18:31,120 --> 00:18:37,040
is actually let you see this side by side. On the left-hand side here we're going to see the server

171
00:18:37,040 --> 00:18:42,240
one, which is just waiting for this incoming connection. Once I actually make the connection

172
00:18:42,240 --> 00:18:48,240
from the server two side to finally establish the connection, we'll actually see some validation on the

173
00:18:48,240 --> 00:18:55,279
left-hand side too. So on the right-hand side we'll start with sudo openvpn and again --config,

174
00:18:55,279 --> 00:19:00,160
and now we just supply our configuration file, which in this case is called client.conf. So if we

175
00:19:00,160 --> 00:19:06,240
just type client.conf and hit enter, notice on the left-hand side we can actually see the peer connection

176
00:19:06,240 --> 00:19:13,039
has been initiated, and we can actually see here the initialization sequence has completed, and by

177
00:19:13,039 --> 00:19:17,680
the way, on the right-hand side we can also see the initialization sequence completed. What this now

178
00:19:17,680 --> 00:19:23,279
means is that we actually have this tunnel established. So what I'm actually going to do here is, I don't

179
00:19:23,279 --> 00:19:27,680
want to close these terminal windows, because that's where the process happens to be running. I'm going

180
00:19:27,680 --> 00:19:36,160
to create new SSH connections into both of these servers just for some validation. So whilst leaving

181
00:19:36,160 --> 00:19:41,920
these two windows open, I'm just going to minimize them but not kill them. Let me just SSH into my

182
00:19:41,920 --> 00:19:48,960
server, this will be server one, cool, and over here we'll do the same, I'm going to server two, type in

183
00:19:48,960 --> 00:19:55,920
the password, cool. Let me check this out: if I just full-screen this and I do an ip addr, look what we

184
00:19:55,920 --> 00:20:01,360
actually have here. We have a regular Ethernet connection with all of the IP address and just

185
00:20:01,360 --> 00:20:10,160
the same, but notice we have this tunnel connection, and we can see here the IP address is 10.20.30.1;

186
00:20:10,160 --> 00:20:17,279
that is in server one. Now if we slide on over to the server two we can do the same thing, ip addr,

187
00:20:17,279 --> 00:20:25,519
we can see our Ethernet still intact, but we also have built this tun0 connection, 10.20.30.2. So

188
00:20:25,519 --> 00:20:33,519
if we try to ping our own side of the tunnel, 10.20.30.3, or 10.20.30.2, sorry, we can ping ourselves, but

189
00:20:33,519 --> 00:20:39,519
really the test is, can we ping the adjacent side? So from server two let's try to ping the

190
00:20:39,519 --> 00:20:47,599
tunnel interface on the opposite server. So I'll ping 10.20.30.1, hit enter, and indeed we can see

191
00:20:47,599 --> 00:20:54,400
we can actually ping over the tunnel connection. So like I say, we happen to have to play a little

192
00:20:54,400 --> 00:21:00,400
bit fast and loose with the reality there, because we were on the same network by virtue of having a

193
00:21:00,400 --> 00:21:06,079
virtual machine, or two virtual machines, within the same network. But as long as we can reach the

194
00:21:06,159 --> 00:21:12,559
external IP address, say over the internet, we could ultimately build the same type of tunnel

195
00:21:12,559 --> 00:21:18,079
and receive the exact same benefits of what we're seeing right here: ultimately a local connection

196
00:21:18,079 --> 00:21:25,599
built over a logical interface, that is the tunnel interface, all facilitated by OpenVPN. Now one thing

197
00:21:25,599 --> 00:21:32,319
I will say is that OpenVPN can be way, way, way, way more complex than what we've just seen. We can

198
00:21:32,319 --> 00:21:38,000
modify many more parameters, we can work with certificates, but the reality is, for getting

199
00:21:38,000 --> 00:21:44,319
used to the OpenVPN software, these are the basic steps that you need to begin getting you up and

200
00:21:44,319 --> 00:21:50,559
running. So that is us for OpenVPN. I hope it's been informative for you. I'd like to thank you for viewing.

