LWM-Linux/12 - Network Configuration and Troubleshooting/Configuring VPN's and Tunnels.md

Configuring VPNs and Tunnels

1. Understanding VPNs and Tunnels

VPNs (Virtual Private Networks) and tunnels are technologies used to create secure, encrypted connections over a public network. They're essential for maintaining privacy, bypassing geographical restrictions, and securing communications.

2. Types of VPNs and Tunnels in Linux

• a) OpenVPN
• b) WireGuard
• c) IPsec/L2TP
• d) PPTP (less secure, not recommended for sensitive data)
• e) SSH Tunnels

3. OpenVPN Configuration

OpenVPN is one of the most popular and secure VPN solutions for Linux.

Installation:

sudo apt-get update
sudo apt-get install openvpn

Configuration:

1. Obtain .ovpn configuration file from your VPN provider
2. Move the .ovpn file to /etc/openvpn/
3. Connect using:

   sudo openvpn --config /etc/openvpn/your-config-file.ovpn
   

For automatic connection on boot:

1. Rename your .ovpn file to client.conf
2. Move it to /etc/openvpn/

3. Enable the OpenVPN service:

sudo systemctl enable openvpn@client
sudo systemctl start openvpn@client

4. WireGuard Configuration

WireGuard is a newer, high-performance VPN protocol.

Installation:

sudo apt-get update
sudo apt-get install wireguard

Configuration:

• 1. Generate private and public keys:

  wg genkey | tee privatekey | wg pubkey > publickey
  

• 2. Create a configuration file /etc/wireguard/wg0.conf:

  [Interface]
  PrivateKey = your_private_key
  Address = 10.0.0.2/24
  DNS = 1.1.1.1
  
  [Peer]
  PublicKey = server_public_key
  Endpoint = server_ip:51820
  AllowedIPs = 0.0.0.0/0
  

• 3. Start WireGuard:

  sudo wg-quick up wg0
  

5. IPsec/L2TP Configuration

IPsec/L2TP is widely supported and offers good security.

Installation:

sudo apt-get update
sudo apt-get install strongswan xl2tpd

Configuration:

• 1. Edit /etc/ipsec.conf:

  conn VPN
      keyexchange=ikev1
      authby=secret
      ike=aes128-sha1-modp1024!
      esp=aes128-sha1!
      left=%defaultroute
      leftprotoport=17/1701
      right=your_vpn_server_ip
      rightprotoport=17/1701
      auto=add
  

• 2. Edit /etc/ipsec.secrets:

  : PSK "your_preshared_key"
  

• 3. Edit /etc/xl2tpd/xl2tpd.conf:

  [lac vpn-connection]
  lns = your_vpn_server_ip
  ppp debug = yes
  pppoptfile = /etc/ppp/options.l2tpd.client
  length bit = yes
  

• 4. Create /etc/ppp/options.l2tpd.client:

  ipcp-accept-local
  ipcp-accept-remote
  refuse-eap
  require-mschap-v2
  noccp
  noauth
  idle 1800
  mtu 1410
  mru 1410
  defaultroute
  usepeerdns
  debug
  connect-delay 5000
  name your_username
  password your_password
  

• 5. Start the services:

  sudo systemctl restart strongswan
  sudo systemctl restart xl2tpd
  

6. SSH Tunnels

SSH tunnels are versatile for creating encrypted connections.

Local port forwarding:

ssh -L local_port:remote_host:remote_port username@ssh_server

Remote port forwarding:

ssh -R remote_port:local_host:local_port username@ssh_server

Dynamic port forwarding (SOCKS proxy):

ssh -D local_port username@ssh_server

7. Troubleshooting and Verification

• Check connection status:

  ip addr show
  

• Verify DNS resolution:

  nslookup example.com
  

• Check for IP leaks:

  curl ifconfig.me
  

• Monitor VPN logs:

  sudo journalctl -u openvpn
  

8. Security Considerations

• Keep your system and VPN software updated
• Use strong authentication methods (certificates, 2FA)
• Implement a kill switch to prevent data leaks if the VPN disconnects
• Regularly audit your VPN configurations
• Use perfect forward secrecy (PFS) when available

9. Performance Optimization

• Choose nearby servers for better latency
• Experiment with different protocols (e.g., UDP vs TCP)
• Adjust MTU settings if needed
• Consider using split-tunneling for non-sensitive traffic