
UNIVERSITETI ALEKSANDËR MOISIU DURRËS

FACULTY OF INFORMATION TECHNOLOGY

INFORMATION TECHNOLOGY
INFORMATION AND NETWORK SECURITY

COURSE ASSIGNMENT

USING OpenVPN IN A CentOS SERVER ENVIRONMENT

PREPARED BY: ALBI ABDYLI
ANDI ZAIMAJ
ENDRI SALA
FABIO JANAQI

ACCEPTED BY: ERISELDA MALAJ


Contents

Using OpenVPN in a CentOS server environment
Abstract
Introduction
Related work
Subject
  System installation
  Basic user configuration
  Installing the OpenVPN server
  Configuring the OpenVPN server
  Installing Pritunl and MongoDB
  Configuring Pritunl and MongoDB
Testing and results
Conclusions
References

Abstract

In this assignment we discuss the implementation of a VPN for personal use. With the growth of traffic monitoring by ISPs, many people are interested in protecting their privacy, but that is not the only purpose of using a VPN. VPNs are widely used in the environments of large organisations where security is a priority and data must be protected to the maximum: through the tunnelling that a VPN provides, members of the organisation who need to access information are recognised as part of the internal network. OpenVPN is open-source software that implements VPN technology to create point-to-point or site-to-site connections in various configurations [1]. With the help of an operating system founded on security and stability, such as CentOS, we will create a VPN tunnel through OpenVPN. With this configuration we will be able to access websites that cannot be used in Albania, such as Spotify [2], and to connect several users located on different networks so that they can communicate and transmit data as if they were in the premises of one office. In the end we will have a VPN server that works as a tunnel for masking traffic and as a bridge between its users for internal communication and data transmission.

[1] OpenVPN - https://en.wikipedia.org/wiki/OpenVPN
[2] Spotify - https://www.spotify.com

Introduction

Security is one of the biggest problems for business today. Many companies have suffered security breaches because of misconfiguration or the use of unpatched devices. Many of these breaches could have been avoided if these companies had isolated their internal network, protecting it from the risks posed by direct access from the internet. A VPN helps by creating tunnelled connections through which the organisation's employees access its private network in a controlled and guaranteed manner. Nowadays VPNs are also used by individuals who want to access content unavailable in their region or who want to protect their privacy [3] by encapsulating their traffic in the VPN tunnel.
Using a secure environment such as CentOS, which lets us protect information without much configuration, we can implement an OpenVPN server to protect the traffic transmitted from our device towards the Internet and back. At the same time this VPN tunnel can be used for communication with friends and other people with whom we share access to this server.

Related work

SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS by Praveen Likhar, on securing Wi-Fi traffic through an end-to-end VPN connection.
TRUSTED ROUTING VS. VPN FOR SECURED DATA TRANSFER OVER IP-NETWORKS/INTERNET by Osuolale, on the security provided by using a VPN compared with trusted routing.
PERFORMANCE INVESTIGATION OF VIRTUAL PRIVATE NETWORKS WITH DIFFERENT BANDWIDTH by Natarajan, Muthiah, & Nachiappan, on the performance of a VPN network.

[3] https://en.wikipedia.org/wiki/Net_neutrality

Subject

To reach the required result we tested several configurations:

Configuration    | 1                         | 2                        | 3
Operating system | CentOS 6.9                | CentOS 7.2               | CentOS 7.2
OpenVPN          | OpenVPN AS 2.1.4          | OpenVPN 2.3.4            | OpenVPN 2.4.1
Access           | Access Server             | Command line             | Pritunl
Note             | AS is paid for more than  | Hard to manage and       | Simple management, but
                 | two concurrent users      | support users            | paid for server clusters

After analysing the three configuration options we decided to go with the third alternative, as a compromise between simplicity, security and the possibility of expansion, since Pritunl requires a licence for managing OpenVPN servers on more than one host. The programs needed for this configuration are:
a. Operating system: CentOS 7.2
b. VPN server: OpenVPN 2.4.3
c. Security key generation: EasyRSA 2.x.x
d. Management interface: Pritunl
e. User database: MongoDB
f. Firewall: firewalld

The work was divided into several phases:

1. Installing the operating system
2. Basic configuration of the OS user
3. Installing the OpenVPN server
4. Configuring the OpenVPN server
5. Installing Pritunl and MongoDB for user management
6. Configuring Pritunl and MongoDB

System installation

To install the operating system, the ISO image was downloaded from the official CentOS site [4]. After downloading it we built a VM at the chosen cloud provider, Vultr [5]. To save resources and obtain the highest efficiency from the VPN server we chose the minimal version of CentOS.
CentOS has a very simple and intuitive procedure for installing the operating system, which lets users coming from other operating systems such as Microsoft Windows, Apple macOS or Canonical Ubuntu orient themselves easily and be productive in a short time.

[4] CentOS - https://www.centos.org
[5] Vultr - https://www.vultr.com
The installation proceeded as follows:

1. We mounted the ISO in the virtual machine and chose Install to begin

2. We chose the installation language and the keyboard layout to use

3. We set the time zone in which the virtual machine is located and enabled the network card with the corresponding domain

4. We started the installation by clicking Begin installation

Basic user configuration

During installation CentOS allows setting a password for the root user and creating a user who may or may not have administrator-level access. Since using the root user from a remote machine is discouraged, we give our user administrator access.

Installing the OpenVPN server

To install OpenVPN from the CLI we issue the commands:

$ sudo yum -y install epel-release
$ sudo yum -y install openvpn easy-rsa

Configuring the OpenVPN server

First we proceed with Easy-RSA (the following commands are run as root, as in the original root shell):

# first copy the key-generation scripts from /usr/share to /etc/openvpn/
cp -r /usr/share/easy-rsa/ /etc/openvpn/
# then edit the easy-rsa variables for our server
cd /etc/openvpn/easy-rsa/2.*/
vi vars

We edit the variables according to our configuration:

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048

export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="AL"
export KEY_PROVINCE="DU"
export KEY_CITY="Durres"
export KEY_ORG="TeknologjiInformacioni"
export KEY_EMAIL="albi.abdyli@nethex.com"
export KEY_OU="SiguriRrjeti"
export KEY_NAME="albi"

We proceed with creating the keys:

# load vars so that the Easy-RSA scripts pick up our settings
source ./vars
# clear the directory of any previous certificates
./clean-all
# create the certificate authority for the server
./build-ca
# generate the key and certificate for OpenVPN
# (written to keys/SiguriRrjeti.crt and keys/SiguriRrjeti.key)
./build-key-server SiguriRrjeti
# create the Diffie-Hellman parameters
./build-dh

We generate the keys for the clients and move what we generated into the openvpn directory:

cd /etc/openvpn/easy-rsa/2.*/
cp -r keys/ /etc/openvpn/

We create the server configuration for OpenVPN:

$ vi /etc/openvpn/server.conf

port 11735
# You can use udp or tcp
proto udp
# "dev tun" will create a routed IP tunnel.
dev tun
# Certificate configuration
# CA certificate
ca /etc/openvpn/keys/ca.crt
# Server certificate (named after the argument given to build-key-server above)
cert /etc/openvpn/keys/SiguriRrjeti.crt
# Server key; keep this secret
key /etc/openvpn/keys/SiguriRrjeti.key
# Check the size of the DH file in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem
# Internal subnet from which clients get an address once connected
server 192.168.226.0 255.255.255.0
# This line redirects all client traffic through our OpenVPN
push "redirect-gateway def1"
# Provide DNS servers to the client; here Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Allow multiple clients to connect with the same key
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
# The directory /var/log/myvpn must exist before the server is started
log-append /var/log/myvpn/openvpn.log
verb 3
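As an added example (not part of the report), a small Python lint that parses the server.conf above and flags the settings a reviewer would question: duplicate-cn, comp-lzo, the absent tls-crypt/tls-auth, user/group and cipher/auth directives, and the mismatch between the cert and key file names. The hardened variant it also checks is an assumed configuration, with file names as placeholders.

```python
import re

# The report's server.conf, reduced to the directives the checks look at
PAGE_CONF = """\
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/SiguriRrjeti.key
push "redirect-gateway def1"
duplicate-cn
comp-lzo
"""

# Assumed hardened variant (file names are placeholders): one cert per client,
# no compression, tls-crypt on the control channel, pinned crypto, root dropped
HARDENED_CONF = """\
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
tls-crypt /etc/openvpn/keys/ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nobody
"""

def parse(text):
    """Map each directive to its argument strings; '#' comments are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *rest = line.split(None, 1)
            conf.setdefault(name, []).append(rest[0] if rest else "")
    return conf

def stem(path):
    """File name without directory and .crt/.key suffix, used to match a pair."""
    return re.sub(r"\.(crt|key)$", "", path.rsplit("/", 1)[-1])

def lint(text):
    """Return the list of findings; an empty list means no check fired."""
    c, k, findings = parse(text), set(parse(text)), []
    if "duplicate-cn" in k:
        findings.append("duplicate-cn: clients share one certificate, so a leaked key cannot be revoked per user")
    if "comp-lzo" in k or "compress" in k:
        findings.append("compression: compressing data before TLS leaks plaintext through size side channels")
    if not ({"tls-crypt", "tls-auth"} & k):
        findings.append("no tls-crypt/tls-auth: the control channel accepts packets from anyone reaching the port")
    if not ({"user", "group"} <= k):
        findings.append("no user/group: the daemon keeps root privileges after startup")
    if not ({"cipher", "auth"} <= k):
        findings.append("cipher/auth not pinned: pre-2.4 clients fall back to the BF-CBC default")
    if "cert" in c and "key" in c and stem(c["cert"][0]) != stem(c["key"][0]):
        findings.append(f"cert/key mismatch: {c['cert'][0]} vs {c['key'][0]}")
    return findings
```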

We disable SELinux by setting the variable SELINUX=disabled in /etc/sysconfig/selinux. We allow ports 80, 443 and 11735 through firewalld so that the server can communicate with the outside:

$ sudo firewall-cmd --zone=public --add-service=http --permanent
$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-service=https --permanent
$ sudo firewall-cmd --zone=public --add-service=https
# firewall-cmd expects port/protocol; the server is configured with "proto udp"
$ sudo firewall-cmd --zone=public --add-port=11735/udp --permanent
$ sudo firewall-cmd --zone=public --add-port=11735/udp

With the firewall configured we are ready to start our server:

# the instance name must match the configuration file, /etc/openvpn/server.conf
systemctl start openvpn@server

Installing Pritunl and MongoDB

To install Pritunl and MongoDB it is enough to follow the procedure given in the official documentation (Pritunl, n.d.):

sudo tee -a /etc/yum.repos.d/mongodb-org-3.4.repo << EOF
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
EOF

sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF

sudo yum -y install epel-release
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl mongodb-org
sudo systemctl start mongod pritunl
sudo systemctl enable mongod pritunl

With this configuration, opening the configured server at http://albiabdyli.com shows the Pritunl interface for the initial setup of the application.

Configuring Pritunl and MongoDB

From the CLI we request the setup key with the command:
$ pritunl setup-key

We enter the generated key in the Pritunl access interface and perform the first login.

We carry out the initial configuration for our server.

With these settings we are ready to create the users for our VPN server.

Testing and results

With our configuration we are able to create several different servers for different clients, making more efficient use of the available resources.
For testing we created two users and one organisation linked to an OpenVPN server on the same host.

Ping between two clients connected to the same OpenVPN host:


~ ping 192.168.226.2
PING 192.168.226.2 (192.168.226.2): 56 data bytes
64 bytes from 192.168.226.2: icmp_seq=0 ttl=64 time=170.976 ms
64 bytes from 192.168.226.2: icmp_seq=1 ttl=64 time=209.295 ms
64 bytes from 192.168.226.2: icmp_seq=2 ttl=64 time=181.688 ms
64 bytes from 192.168.226.2: icmp_seq=3 ttl=64 time=222.900 ms
64 bytes from 192.168.226.2: icmp_seq=4 ttl=64 time=252.518 ms
64 bytes from 192.168.226.2: icmp_seq=5 ttl=64 time=158.838 ms
64 bytes from 192.168.226.2: icmp_seq=6 ttl=64 time=193.547 ms
64 bytes from 192.168.226.2: icmp_seq=7 ttl=64 time=198.242 ms

From the test we notice that there is a loss in transmission speed.

~ traceroute www.google.com
traceroute to www.google.com (172.217.22.100), 64 hops max, 52 byte packets
1 192.168.238.1 (192.168.238.1) 65.812 ms 63.357 ms 64.924 ms
2 ***
3 vl199-br1-cer.fkt3.choopa.net (104.207.130.1) 152.143 ms 301.818 ms 172.734 ms
4 xe-11-3-3-30.cr1-fra2.ip4.gtt.net (46.33.81.29) 61.540 ms 61.409 ms 61.702 ms
5 xe-1-0-1.cr3-fra2.ip4.gtt.net (89.149.186.38) 63.075 ms
xe-1-3-0.cr3-fra2.ip4.gtt.net (89.149.183.74) 62.301 ms
xe-1-1-1.cr3-fra2.ip4.gtt.net (89.149.184.86) 61.597 ms
6 72.14.221.74 (72.14.221.74) 62.461 ms 84.878 ms 67.601 ms
7 216.239.58.243 (216.239.58.243) 63.159 ms 62.965 ms
216.239.58.235 (216.239.58.235) 62.346 ms
8 72.14.234.113 (72.14.234.113) 62.114 ms
72.14.234.115 (72.14.234.115) 62.516 ms
72.14.234.113 (72.14.234.113) 61.858 ms
9 fra15s18-in-f100.1e100.net (172.217.22.100) 62.081 ms 78.206 ms 61.958 ms
~ ping www.google.com
PING www.google.com (172.217.22.100): 56 data bytes
64 bytes from 172.217.22.100: icmp_seq=0 ttl=53 time=77.634 ms
64 bytes from 172.217.22.100: icmp_seq=1 ttl=53 time=77.367 ms
64 bytes from 172.217.22.100: icmp_seq=2 ttl=53 time=77.909 ms
64 bytes from 172.217.22.100: icmp_seq=3 ttl=53 time=77.142 ms
64 bytes from 172.217.22.100: icmp_seq=4 ttl=53 time=76.324 ms
64 bytes from 172.217.22.100: icmp_seq=5 ttl=53 time=74.956 ms
64 bytes from 172.217.22.100: icmp_seq=6 ttl=53 time=76.859 ms
--- www.google.com ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 74.956/76.884/77.909/0.922 ms

Compared with a direct connection:

~ traceroute www.google.com
traceroute to www.google.com (172.217.23.68), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 45.307 ms 2.805 ms 1.850 ms
2 217.21.144.6 (217.21.144.6) 4.255 ms 6.293 ms 5.091 ms
3 217.21.144.29 (217.21.144.29) 5.204 ms 5.708 ms 4.791 ms
4 217.24.245.125 (217.24.245.125) 8.813 ms 8.202 ms 7.758 ms
5 93.186.128.94 (93.186.128.94) 168.631 ms 154.893 ms 136.423 ms
6 100ge1-0-2-51.milano1.mil.seabone.net (195.22.192.188) 163.219 ms 166.983 ms
100ge1-0-2-50.milano1.mil.seabone.net (195.22.196.98) 126.862 ms
7 74.125.51.148 (74.125.51.148) 159.644 ms
72.14.209.236 (72.14.209.236) 38.777 ms
74.125.146.168 (74.125.146.168) 55.008 ms
8 108.170.245.81 (108.170.245.81) 51.403 ms 52.024 ms
108.170.245.65 (108.170.245.65) 38.881 ms
9 108.177.3.77 (108.177.3.77) 41.815 ms 40.776 ms
108.177.3.79 (108.177.3.79) 37.710 ms
10 mil04s22-in-f68.1e100.net (172.217.23.68) 37.279 ms 36.586 ms 38.890 ms

~ ping www.google.com
PING www.google.com (172.217.23.68): 56 data bytes
64 bytes from 172.217.23.68: icmp_seq=0 ttl=54 time=36.953 ms
64 bytes from 172.217.23.68: icmp_seq=1 ttl=54 time=49.095 ms
64 bytes from 172.217.23.68: icmp_seq=2 ttl=54 time=39.975 ms
64 bytes from 172.217.23.68: icmp_seq=3 ttl=54 time=37.279 ms
64 bytes from 172.217.23.68: icmp_seq=4 ttl=54 time=37.329 ms
64 bytes from 172.217.23.68: icmp_seq=5 ttl=54 time=37.838 ms
--- www.google.com ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 36.953/39.745/49.095/4.298 ms

A performance cost that is justified by the added security and the protection of privacy.

[Figure: latency comparison, without VPN vs with VPN]
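To put a number on the cost measured above, an added Python example (not part of the report) that parses the ping and traceroute transcripts reproduced on this page, computes the mean round-trip time on each path and the overhead the tunnel adds, and checks from the first traceroute hop that traffic really is leaving through the remote VPN gateway rather than the LAN router. The 10 ms threshold for a LAN gateway is an assumption.

```python
import re
import ipaddress
from statistics import mean

# Ping lines copied from the report: through the VPN, then the direct connection
PING_VPN = """\
64 bytes from 172.217.22.100: icmp_seq=0 ttl=53 time=77.634 ms
64 bytes from 172.217.22.100: icmp_seq=1 ttl=53 time=77.367 ms
64 bytes from 172.217.22.100: icmp_seq=2 ttl=53 time=77.909 ms
64 bytes from 172.217.22.100: icmp_seq=3 ttl=53 time=77.142 ms
64 bytes from 172.217.22.100: icmp_seq=4 ttl=53 time=76.324 ms
64 bytes from 172.217.22.100: icmp_seq=5 ttl=53 time=74.956 ms
64 bytes from 172.217.22.100: icmp_seq=6 ttl=53 time=76.859 ms
"""
PING_DIRECT = """\
64 bytes from 172.217.23.68: icmp_seq=0 ttl=54 time=36.953 ms
64 bytes from 172.217.23.68: icmp_seq=1 ttl=54 time=49.095 ms
64 bytes from 172.217.23.68: icmp_seq=2 ttl=54 time=39.975 ms
64 bytes from 172.217.23.68: icmp_seq=3 ttl=54 time=37.279 ms
64 bytes from 172.217.23.68: icmp_seq=4 ttl=54 time=37.329 ms
64 bytes from 172.217.23.68: icmp_seq=5 ttl=54 time=37.838 ms
"""
# First traceroute hop of each run, also copied from the report
TRACE_VPN_HOP1 = "1 192.168.238.1 (192.168.238.1) 65.812 ms 63.357 ms 64.924 ms"
TRACE_DIRECT_HOP1 = "1 192.168.1.1 (192.168.1.1) 45.307 ms 2.805 ms 1.850 ms"

RTT_RE = re.compile(r"time=([\d.]+) ms")
HOP_RE = re.compile(r"^\s*\d+\s+\S+\s+\(([\d.]+)\)(.*)$")

def rtts(ping_output):
    """All round-trip times in a ping transcript, in ms."""
    return [float(t) for t in RTT_RE.findall(ping_output)]

def avg_rtt(ping_output):
    return round(mean(rtts(ping_output)), 3)

def tunnel_overhead_ms(vpn_output, direct_output):
    """Extra mean RTT paid for routing through the VPN server."""
    return round(avg_rtt(vpn_output) - avg_rtt(direct_output), 3)

def first_hop(trace_line):
    """(address, best RTT in ms) of hop 1; the best probe is the least noisy."""
    m = HOP_RE.match(trace_line)
    times = [float(t) for t in re.findall(r"([\d.]+) ms", m.group(2))]
    return m.group(1), min(times)

def looks_tunnelled(trace_line, lan_max_ms=10.0):
    """Hop 1 is still a private address but tens of ms away: that is the remote
    VPN gateway, not the LAN router, so redirect-gateway is in effect."""
    addr, best = first_hop(trace_line)
    return ipaddress.ip_address(addr).is_private and best > lan_max_ms
```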

Conclusions

Implementing a VPN is no longer a benefit only for business but also for ordinary consumers. With a fairly simple procedure anyone can set up a VPN server without needing to spend large sums, and gains the ability to protect themselves from ISP monitoring and to create secure communication channels for themselves and for the people with whom they share this application. Although a VPN adds a layer of security for the user, we can never say that while browsing the internet we are 100% protected from every kind of risk that threatens us.

References

CentOS. (n.d.). Documentation - CentOS. Retrieved from https://wiki.centos.org/Documentation
Likhar, P., Yadav, R. S., & M, K. R. (n.d.). Securing IEEE 802.11g WLAN using OpenVPN and its impact analysis. Bangalore, India.
Natarajan, M. C., Muthiah, R., & Nachiappan, A. (n.d.). Performance investigation of virtual private networks with different bandwidth allocations. Tamil Nadu, India.
OpenVPN. (n.d.). OpenVPN Documentation. Retrieved from https://openvpn.net/index.php/open-source/documentation.html
Osuolale, T. A. (n.d.). Trusted routing vs. VPN for secured data transfer over IP-networks/Internet. Saint Petersburg, Russia.
Pritunl. (n.d.). Pritunl Documentation. Retrieved from https://docs.pritunl.com
