By now, hopefully we all know that the Remote Desktop Protocol (RDP) port shouldn't be exposed to the Internet. This is a simple guide that allows you to configure your servers so that they could only be accessed over RDP only from a local network that's going to be created using OpenVPN.
As an intermediate server, I am using a pretty small server running Ubuntu, whose only purpose is to make all of the servers work together in a virtual private network.
# Install prerequisites. sudo apt install openvpn easy-rsa # Make a directory where the keys will be stored. make-cadir /etc/openvpn/easy-rsa # Use a source for easy-rsa. cd /etc/openvpn/easy-rsa source ./vars # Build the certificate authority and server configuration. ./build-ca ./build-key-server <openvpn_server_name> ./build-dh # Generate the certificate for a client. ./build-key <client_name>
/etc/openvpn/openvpn.conf should look something like this:
port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/<openvpn_server_name>.crt key /etc/openvpn/easy-rsa/keys/<openvpn_server_name>.key dh /etc/openvpn/easy-rsa/keys/dh2048.pemserver 10.10.10.0 255.255.255.0 push "dhcp-option DNS 18.104.22.168" keepalive 5 30 comp-lzo persist-key persist-tun status /var/log/openvpn.log verb 3
This will create a virtual private network and provide users with a 10.10.10.X IP address.
P.S. Don't forget to allow connections to the port 1194 in the firewall.
Setting static IP addresses to specific OpenVPN clients
Note that in this case, both servers and your end devices are considered as "clients" by OpenVPN.
To set static IP addresses to specific clients, add the following line to the
Create the directory you've specified under
/etc/openvpn/ and within it, create a file for each of the clients you want to assign a private IP address for:
$ tree <directory_name> . ├── server1 ├── server2 └── server3
Each of those files only needs one line long setup:
echo "ifconfig-push 10.10.10.100 255.255.255.0" > server1, which will set the IP address of the first server to 10.10.10.100.
Assuming you've already generated the certificate for a client (by using
./build-key <client_name> mentioned above), copy the following to the client machine from the keys directory:
On a client machine, create an OpenVPN configuration file. It should look something like this and be named something like
client dev tun proto udp remote <SERVER_IP> 1194 ca ca.crt cert <client_name>.crt key <client_name>.key resolv-retry infinite nobind persist-key persist-tun verb 3
Your final task is to install that certificate to the client's computer.
- Install OpenVPN GUI and start it.
- Right click on the icon in the tray area, choose "import", and locate the
.ovpnfile you've created.
- Manually copy the three files you've downloaded from the OpenVPN server into
- Right-click on the icon in the tray area and click "connect".
Note that this process should be pretty similar on all distributions that use a GNOME-based desktop environment. I just happen to be using elementary OS .
- Click on the WiFi icon in the top panel and choose "Network Settings".
- Pick "VPN" from the left sidebar, click on "+" to add a new VPN connection.
- In a pop-up, choose the "Import a saved VPN configuration" and locate your
- Click on save, choose your newly created VPN connection from the WiFi icon in the top bar, and you're good to go.
Once both your client and your server are connected to the same virtual network, you can RDP into the server using its virtual private IP address provided by OpenVPN.
As a final step, disable RDP connection from your firewall and you're good to go.