By now, hopefully we all know that the Remote Desktop Protocol (RDP) port shouldn't be exposed to the Internet. This is a simple guide to configuring your servers so that they can be reached over RDP only from a private network that you create with OpenVPN.
As an intermediate server, I am using a pretty small server running Ubuntu, whose only purpose is to make all of the servers work together in a virtual private network.
Server configuration
# Install prerequisites.
sudo apt install openvpn easy-rsa
# Make a directory where the keys will be stored (it lives under /etc/openvpn, so run the rest as root, e.g. after sudo -i).
make-cadir /etc/openvpn/easy-rsa
# Load the easy-rsa variables (KEY_DIR, key size, certificate fields).
cd /etc/openvpn/easy-rsa
source ./vars
# Initialise the keys directory (index.txt and serial); build-key-server fails without it.
./clean-all
# Build the certificate authority, the server certificate and the Diffie-Hellman parameters.
./build-ca
./build-key-server <openvpn_server_name>
./build-dh
# Generate the certificate for a client.
./build-key <client_name>
The file /etc/openvpn/openvpn.conf should look something like this:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<openvpn_server_name>.crt
key /etc/openvpn/easy-rsa/keys/<openvpn_server_name>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.10.10.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn.log
verb 3
This will create a virtual private network and provide users with a 10.10.10.X IP address.
P.S. Don't forget to allow connections to UDP port 1194 in the firewall.
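The configuration above has no client-to-client line, so traffic between two VPN clients is handed to the kernel on the tun interface and only flows if IP forwarding is on; the upside is that the hub can firewall that traffic per port. The script below is an added example (not part of the original post) that prints the iptables rules for the hub, allowing the OpenVPN port in from the public side and forwarding only RDP between VPN clients. It assumes the public interface is eth0, the OpenVPN interface is tun0, the VPN subnet is 10.10.10.0/24 from the server line above, and RDP listens on TCP 3389.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: firewall rules for the Ubuntu
# hub so that VPN clients can reach each other only on the RDP port.
# Assumptions (not stated in the post): public interface eth0, OpenVPN
# interface tun0, VPN subnet 10.10.10.0/24, RDP on TCP 3389.
set -eu

WAN_IF=eth0           # assumed public interface
VPN_IF=tun0           # assumed OpenVPN interface
VPN_NET=10.10.10.0/24 # from "server 10.10.10.0 255.255.255.0"
OVPN_PORT=1194        # matches "port 1194" in openvpn.conf
RDP_PORT=3389         # assumed RDP port

# Print the rules without applying them, so they can be reviewed and tested.
hub_rules() {
  cat <<EOF
iptables -A INPUT -i $WAN_IF -p udp --dport $OVPN_PORT -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $VPN_NET -d $VPN_NET -p tcp --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# Client-to-client packets only traverse FORWARD when the kernel forwards
# them; report whether that is switched on.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

# Enable forwarding and apply the rules above (needs root).
apply_hub_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  hub_rules | while IFS= read -r rule; do
    $rule   # each rule is a plain word list, so unquoted expansion is intended
  done
}

if [ "${1:-}" = apply ]; then
  apply_hub_rules
fi
```

Run it with no arguments to print the rules for review, or with apply to install them; the last FORWARD rule drops everything else arriving from the tunnel, so any further service you want to expose between clients needs its own ACCEPT line before it.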
Setting static IP addresses to specific OpenVPN clients
Note that in this case, both the servers and your end devices are "clients" from OpenVPN's point of view.
To set static IP addresses for specific clients, add the following line to the openvpn.conf file:
client-config-dir <directory_name>
Create the directory you've specified under /etc/openvpn/ and, within it, create a file for each of the clients you want to assign a private IP address to:
$ tree <directory_name>
.
├── server1
├── server2
└── server3
Each of those files needs only one line. For example, echo "ifconfig-push 10.10.10.100 255.255.255.0" > server1 sets the IP address of the first server to 10.10.10.100.
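Writing these files by hand works for three servers, but two clients given the same address will quietly fight over it. The script below is an added example (not from the original post) that generates the client-config-dir files from a list of "client_name address" pairs and refuses duplicate or out-of-range addresses. It assumes the 10.10.10.0/24 subnet from the server line above, that 10.10.10.1 belongs to the OpenVPN server itself, and that each file name is the client's certificate common name, which is what OpenVPN looks up in that directory.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: generate client-config-dir
# files from a "client_name address" list and reject duplicate or
# out-of-range addresses. Assumptions: VPN subnet 10.10.10.0/24 (the
# "server" line above) and 10.10.10.1 held by the OpenVPN server.
set -eu

VPN_MASK=255.255.255.0

# Accept only 10.10.10.2 .. 10.10.10.254 (the server holds .1).
ccd_valid_ip() {
  case "$1" in
    10.10.10.[0-9]|10.10.10.[0-9][0-9]|10.10.10.[0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  host="${1##*.}"
  [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# ccd_write DIR LISTFILE: LISTFILE holds one "client_name address" per line
# ('#' starts a comment). The file name must be the client's certificate
# common name, because that is what OpenVPN looks up in client-config-dir.
ccd_write() {
  dir="$1"
  list="$2"
  seen=" "
  mkdir -p "$dir"
  while read -r name ip; do
    case "$name" in ''|\#*) continue ;; esac
    if ! ccd_valid_ip "$ip"; then
      echo "$name: address '$ip' is not in 10.10.10.2-254" >&2
      return 1
    fi
    case "$seen" in *" $ip "*)
      echo "$name: address $ip already assigned" >&2
      return 1 ;;
    esac
    seen="$seen$ip "
    printf 'ifconfig-push %s %s\n' "$ip" "$VPN_MASK" > "$dir/$name"
  done < "$list"
}

if [ $# -eq 2 ]; then
  ccd_write "$1" "$2"
fi
```

Usage: put the mapping in a text file (one client per line, constructed example: server1 10.10.10.100) and run the script with the client-config-dir path and that file as arguments; it stops at the first bad line so a typo never ends up in a live configuration.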
Client configuration
Assuming you've already generated the certificate for a client (using ./build-key <client_name> as mentioned above), copy the following files from the keys directory to the client machine:
ca.crt
<client_name>.crt
<client_name>.key
On the client machine, create an OpenVPN configuration file. It should look something like this and be named something like <openvpn_server_name>.ovpn:
client
dev tun
proto udp
remote <SERVER_IP> 1194
ca ca.crt
cert <client_name>.crt
key <client_name>.key
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
Your final task is to install that configuration, together with its certificate and key, on the client's computer.
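Before importing the profile, it is worth checking that it actually references the three files you copied and that the private key is not readable by other users of the machine. The script below is an added example (not part of the original post) that does exactly that; it assumes the ca, cert and key lines refer to files sitting next to the .ovpn file, which is the layout the Windows steps below produce, and that the remote line carries a host and a port.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: sanity-check a client .ovpn
# profile before importing it. Assumptions: the ca/cert/key lines name files
# that sit next to the profile, and the private key should be owner-only.
set -eu

# Print the argument of the first "<directive>" line in the profile, or nothing.
ovpn_directive() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 if the profile's referenced files are present and the key is
# owner-only; otherwise report each problem on stderr and return 1.
ovpn_check() {
  profile="$1"
  dir=$(dirname "$profile")
  problems=0

  # The "remote" line must carry a host and a port ("remote <SERVER_IP> 1194").
  if [ -z "$(awk '$1 == "remote" && NF >= 3 { print $2; exit }' "$profile")" ]; then
    echo "$profile: no usable 'remote <host> <port>' line" >&2
    problems=$((problems + 1))
  fi

  for d in ca cert key; do
    f=$(ovpn_directive "$profile" "$d")
    if [ -z "$f" ]; then
      echo "$profile: missing '$d' directive" >&2
      problems=$((problems + 1))
      continue
    fi
    case "$f" in /*) path="$f" ;; *) path="$dir/$f" ;; esac
    if [ ! -f "$path" ]; then
      echo "$profile: $d file not found: $path" >&2
      problems=$((problems + 1))
      continue
    fi
    # The private key must not be readable by group or others.
    if [ "$d" = key ] && [ -n "$(find "$path" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
      echo "$profile: key $path is readable by other users (chmod 600 it)" >&2
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

if [ $# -eq 1 ]; then
  ovpn_check "$1"
  echo "$1: OK"
fi
```

Run it as ./check.sh <openvpn_server_name>.ovpn from the directory holding the three copied files; a non-zero exit means the import would either fail or leave the key exposed.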
Windows
- Install OpenVPN GUI and start it.
- Right-click on the icon in the tray area, choose "import", and locate the .ovpn file you've created.
- Manually copy the three files you've downloaded from the OpenVPN server into C:\Users\<username>\OpenVPN\Config\<openvpn_server_name>.
- Right-click on the icon in the tray area and click "connect".
elementary OS
Note that this process should be pretty similar on all distributions that use a GNOME-based desktop environment. I just happen to be using elementary OS.
- Click on the WiFi icon in the top panel and choose "Network Settings".
- Pick "VPN" from the left sidebar and click on "+" to add a new VPN connection.
- In the pop-up, choose "Import a saved VPN configuration" and locate your .ovpn file.
- Click on save, choose your newly created VPN connection from the WiFi icon in the top bar, and you're good to go.
Once both your client and your server are connected to the same virtual network, you can RDP into the server using its virtual private IP address provided by OpenVPN.
As a final step, block RDP connections from anywhere other than the VPN network in your firewall, and you're good to go.