Linking Remote Sites With OpenVPN


Linking Remote Sites With OpenVPN Matt Gracie Information Security Administrator Canisius College Buffalo, NY

The Problem Often, there are times when a geographically separate network needs to be able to access resources on your central campus network – and vice-versa.

Possible Solutions
Install a fiber path
Use microwave technology
Lease a line from a telecom
Use an independent Internet connection
Use a VPN (proprietary or otherwise)

What is OpenVPN? From the OpenVPN web site: "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls."

What is OpenVPN? Other important features of OpenVPN:
It operates in user space
Cross-platform compatibility
Uses OpenSSL for encryption
Free, open source, well-audited
The same software is both client and server

Our Example Network

Prerequisites
Both sites must have commodity Internet access
You must be able to configure the firewall and the border router at the main campus site
You must be able to assign static IP addresses
You must be able to publish DNS records for your domain

Initial Network Setup
The computer that will be used as a VPN server (vpn.maincampus.edu) must have a static IP, a published DNS record, and be accessible from the Internet on port 1194/tcp (the port and protocol the server configuration in this presentation uses; if you later switch to UDP, change the firewall rule to match).
Two static routes need to be installed on the border router (or on whatever device is the default gateway for campus hosts), both pointing to the IP address of vpn.maincampus.edu: one for the tunnel network, 172.16.0.0/24, and one for the remote office LAN, 192.168.2.0/24. The first lets campus computers reach the tunnel endpoints; the second is what actually lets them reach computers at the remote office. The VPN server must also be allowed to forward packets between its LAN interface and the tunnel (on Linux, net.ipv4.ip_forward=1 in /etc/sysctl.conf), or traffic will arrive at the server and go no further.

Building the OpenVPN Server This presentation assumes that the OpenVPN server will be a Linux environment, either running on dedicated hardware or as a virtual machine. These configuration directions were derived from an installation on Ubuntu 9.10. Other Linux variants may require slight changes in syntax.

Install the Software
The necessary software is available in the standard Ubuntu repositories. Simply update your package cache and then install the "openvpn" and "openssl" packages along with any requirements.
  # apt-get update
  # apt-get install openvpn openssl

Establish the CA
OpenVPN ships with the easy-rsa scripts, a set of wrappers around the openssl command line that are enough to run the small private CA a site-to-site deployment needs. These commands will copy them from the documentation directory into the OpenVPN configuration directory:
  # cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
  # cd /etc/openvpn/easy-rsa/2.0

Establish the CA
The file "vars" in /etc/openvpn/easy-rsa/2.0 contains some default configuration information for the CA (country, organization, e-mail address and so on, plus the key size). Edit the last configuration stanza to match your environment, then run the scripts to build the CA, the server certificate and the Diffie-Hellman parameters:
  # vi vars
  # . ./vars
  # ./clean-all
  # ./build-ca
  # ./build-key-server server
  # ./build-dh
Two things to watch. clean-all wipes the keys directory, so run it only once, when starting a fresh CA. KEY_SIZE defaults to 1024 in this version of easy-rsa; 1024-bit RSA and DH are no longer considered adequate, so set KEY_SIZE=2048 in vars before running the scripts (build-dh then writes dh2048.pem instead of dh1024.pem, and the file name in the server configuration must match). Note also that build-key-server is not the same as build-key: it marks the certificate for server use, which is what lets clients verify that they are talking to the real server rather than to another client.

Move Keys
By default, all of the keys that we've generated so far are in a subdirectory of /etc/openvpn. The ones the daemon needs must be copied to the OpenVPN configuration directory so that the software can find them. ca.key is deliberately not among them: the server only needs the CA certificate to validate clients, and anyone who obtains the CA private key can mint certificates the server will accept, so it should stay in the easy-rsa keys directory with restrictive permissions (or, in a larger deployment, on a separate machine used only for signing).
  # cd /etc/openvpn/easy-rsa/2.0/keys
  # cp ca.crt dh1024.pem server.crt server.key /etc/openvpn
  # chmod 600 /etc/openvpn/server.key ca.key
  # cd /etc/openvpn
  # mkdir ccd

Configure the Software OpenVPN does come with several example configurations in the /usr/share/doc/openvpn directory. For purposes of this deployment, we'll be using something more abbreviated. Put the contents of the next slide into a file named “openvpn.conf” in the /etc/openvpn configuration directory.

Sample Configuration
  port 1194
  proto tcp
  dev tun
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  server 172.16.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  keepalive 10 120
  comp-lzo
  user nobody
  group users
  persist-key
  persist-tun
  status openvpn-status.log
  verb 3
  client-to-client
  client-config-dir /etc/openvpn/ccd
Notes on the choices made here. proto tcp matches the firewall opening on the earlier slide; OpenVPN's default, and the usual choice, is udp, which avoids the retransmission stalls of carrying TCP inside TCP, but whichever you pick must match the firewall rule and the DD-WRT client's Tunnel Protocol setting. server 172.16.0.0 255.255.255.0 is the tunnel address pool, not either site's LAN. user nobody and group users drop the daemon's privileges after it has read its keys (persist-key and persist-tun are what let it survive a restart of the tunnel without root); nogroup is the conventional unprivileged group on Debian and Ubuntu and is a slightly tighter choice than users. comp-lzo must match the LZO setting on the client; compression of encrypted traffic was later shown to leak plaintext (the 2018 VORACLE attack), and current OpenVPN releases recommend leaving it off. client-to-client lets remote sites reach each other through the server; leave it out if sites should only be able to reach campus.

Start the Server Daemon
Now, the server should be configured and ready to launch.
  # /etc/init.d/openvpn start
   * Starting virtual private network daemon(s)...
   * Autostarting VPN 'openvpn'   [OK]

Building the Client Gateway Now that the server is up and running, we need to configure a client gateway to connect to it and properly route traffic. For purposes of this presentation, I will assume the use of a Linksys WRT54GL router, reflashed with DD-WRT, and a cable Internet connection.

WRT54GL

DD-WRT DD-WRT is a third party firmware that works on the Linksys WRT54GL as well as many other models of home router. It is a full Linux distribution with a web-based GUI for ease of administration. There are many different versions of DD-WRT available, depending on the router that you're using. Make sure that you install one that supports OpenVPN as a client.

Flash Your Router Using the instructions provided on the DD-WRT web site, flash your router firmware with the newest stable version of the software. If you are using something besides a WRT54GL, be sure to completely read and understand the documentation; some models have odd quirks that must be dealt with to avoid bricking.

Build a Client Key
Because OpenVPN uses SSL certificates for authentication, a certificate pair must be generated for each client. Here we build one for a client named "remote1". The name given here becomes the certificate's Common Name, and it is the name the server will later use to find the client's file in the ccd directory.
  # cd /etc/openvpn/easy-rsa/2.0
  # ./build-key remote1
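What build-ca, build-key-server and build-key do under the hood, and the check the client side should make in return, as an added example written for this edit (it is not code from the presentation or from the OpenVPN project). It drives the openssl command line directly, assumes a throwaway directory and the names Example CA, vpn.maincampus.edu and remote1, and skips the slow build-dh step, which has no bearing on certificate validation. The point it demonstrates: the server certificate is marked for server use (easy-rsa does this with the serverAuth extended key usage and nsCertType=server), and a client configured with remote-cert-tls server (ns-cert-type server on OpenVPN 2.0) refuses to complete the handshake with anything else. Without that check, any client certificate from the same CA, such as one read out of a stolen remote gateway, could impersonate vpn.maincampus.edu to the other sites.

```sh
#!/bin/sh
# Added example: a minimal hand-rolled equivalent of easy-rsa's build-ca,
# build-key-server and build-key, plus the server/client purpose checks that
# OpenVPN's remote-cert-tls directive performs. All names and paths are
# assumptions for this example.
set -eu

# OpenSSL config carrying the certificate extensions. The server_ext /
# client_ext split is what distinguishes build-key-server from build-key.
write_pki_config() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert DIR NAME EXTSECTION: key + CSR for NAME, signed by the CA in DIR
# with the named extension section (server_ext or client_ext).
issue_cert() {
    dir=$1; name=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"   # private keys are never world-readable
}

# build_pki DIR: self-signed CA, one server certificate, one client certificate.
build_pki() {
    dir=$1
    write_pki_config "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/pki.cnf" \
        -subj "/CN=Example CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    issue_cert "$dir" vpn.maincampus.edu server_ext   # what build-key-server does
    issue_cert "$dir" remote1 client_ext              # what build-key does
}

# What a client with "remote-cert-tls server" checks: the certificate must
# chain to the CA AND be marked for server use. Exit status 0 = acceptable.
check_server_cert() {   # check_server_cert CA_CERT CERT
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# The mirror-image check the server applies to connecting clients.
check_client_cert() {   # check_client_cert CA_CERT CERT
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run ("sh this.sh demo"): build a throwaway PKI and show both
# checks, including a client certificate being rejected as a server.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_pki "$d"
    check_server_cert "$d/ca.crt" "$d/vpn.maincampus.edu.crt" && echo "server cert: accepted as server"
    check_server_cert "$d/ca.crt" "$d/remote1.crt" || echo "client cert offered as server: rejected"
    rm -rf "$d"
fi
```

The files this produces map one-to-one onto the easy-rsa output used in the rest of this presentation (ca.crt, server.crt/server.key, remote1.crt/remote1.key); the CA key stays in the working directory and is never copied next to the running daemon.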

Retrieve Client Key
Once the keys are generated, copy them to your desktop computer over an authenticated, encrypted channel such as scp; remote1.key is the remote site's credential and must not travel over plain FTP or e-mail. You will need the following files from the /etc/openvpn/easy-rsa/2.0/keys directory:
  ca.crt
  remote1.crt
  remote1.key

Install Client Keys
Before installing anything, make sure the router's LAN is not still on the DD-WRT factory default of 192.168.1.0/24, which is the campus network in this example; set it to 192.168.2.0/24 (the remote1 network) so that the two sides do not overlap. Then log into the DD-WRT web interface, click on the Administration tab, then the Services subtab, and enable the OpenVPN client. Fill in the appropriate parameters:
  IP Address: vpn.maincampus.edu
  Port: 1194
  LZO Compression: on (must match the comp-lzo setting on the server)
  Tunnel Protocol: tcp (must match the server's proto directive)
  Public Server Cert: the contents of ca.crt
  Public Client Cert: the contents of remote1.crt
  Private Client Key: the contents of remote1.key
The router keeps these in its saved configuration, where anyone with administrative access to the web interface or SSH can read them, so set a strong administrator password and keep management access restricted to the LAN before pasting in the private key.

Install Routes on Server
As part of the client configuration process, the OpenVPN configuration on the server must be modified so that it is aware of the remote network. Three directives work together: push "route ..." tells each connecting client which networks to send into the tunnel; route tells the server's kernel that the remote LAN is reachable through the tun interface; and iroute, placed in the client-specific file under the ccd directory, tells the OpenVPN daemon which client connection owns that LAN (the kernel route alone is not enough, because once a packet reaches the daemon it must choose a client to deliver it to). The quotes must be plain ASCII double quotes.
Add the following to /etc/openvpn/openvpn.conf:
  push "route 192.168.1.0 255.255.255.0"
  # remote1 network
  route 192.168.2.0 255.255.255.0
  push "route 192.168.2.0 255.255.255.0"
Put this in /etc/openvpn/ccd/remote1 (the file name must match the Common Name on the client's certificate):
  iroute 192.168.2.0 255.255.255.0
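The route / push route / iroute triad is easy to get out of step once a second site is added, so the following added example (written for this edit; not part of the presentation) generates all three from a single site table, together with the static routes the campus border router needs from the Initial Network Setup slide. The tunnel and campus networks are the ones used in this presentation; the site names, the second site remote2 and the router address 203.0.113.10 are constructed for the example. Its check_sites function also refuses a table in which a LAN is listed twice or collides with the tunnel or campus network: a remote router left on the DD-WRT factory default LAN of 192.168.1.0/24 is exactly that case.

```sh
#!/bin/sh
# Added example: derive the server-side routing configuration for every
# remote site from one table, so the route / push route / iroute lines and
# the border-router routes cannot drift apart. Site names and subnets are
# assumptions; each name must equal the Common Name on that site's
# certificate, because that is how OpenVPN selects the file under
# client-config-dir.
set -eu

TUNNEL_NET="172.16.0.0/24"      # network given to the "server" directive
CAMPUS_NET="192.168.1.0/24"     # pushed to every site so campus traffic enters the tunnel
SITES="remote1=192.168.2.0/24
remote2=192.168.3.0/24"         # constructed example table, one name=LAN per line

# cidr_to_mask 24 -> 255.255.255.0 (OpenVPN route directives use dotted masks)
cidr_to_mask() {
    bits=$1; mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$(( (255 << (8 - bits)) & 255 )); bits=0
        fi
        mask="$mask${mask:+.}$octet"; i=$((i + 1))
    done
    echo "$mask"
}

# net_and_mask 192.168.2.0/24 -> "192.168.2.0 255.255.255.0"
net_and_mask() {
    echo "${1%/*} $(cidr_to_mask "${1#*/}")"
}

# Fragment for openvpn.conf. "route" teaches the server's kernel; "push route"
# teaches every connecting client (all sites, since client-to-client is on).
server_routes() {
    echo "push \"route $(net_and_mask "$CAMPUS_NET")\""
    echo "$SITES" | while IFS='=' read -r name net; do
        nm=$(net_and_mask "$net")
        echo "# $name network"
        echo "route $nm"
        echo "push \"route $nm\""
    done
}

# Body of ccd/NAME: "iroute" tells the daemon which client connection owns
# that LAN. Prints nothing for an unknown site.
ccd_entry() {   # ccd_entry NAME
    echo "$SITES" | while IFS='=' read -r name net; do
        if [ "$name" = "$1" ]; then echo "iroute $(net_and_mask "$net")"; fi
    done
}

# Static routes for the campus border router, all via the VPN server's
# address: the tunnel network plus every remote LAN.
border_routes() {   # border_routes VPN_SERVER_IP
    echo "$TUNNEL_NET via $1"
    echo "$SITES" | while IFS='=' read -r name net; do echo "$net via $1"; done
}

# Fail if any LAN appears twice or equals the tunnel or campus network;
# OpenVPN could not tell which client such a packet belongs to.
check_sites() {
    all="$TUNNEL_NET
$CAMPUS_NET
$(echo "$SITES" | cut -d= -f2)"
    dups=$(echo "$all" | sort | uniq -d)
    [ -z "$dups" ]
}

# Stand-alone run ("sh this.sh demo"): print everything an operator would paste.
if [ "${1:-}" = "demo" ]; then
    check_sites || { echo "overlapping networks in site table" >&2; exit 1; }
    echo "--- openvpn.conf additions"; server_routes
    echo "$SITES" | while IFS='=' read -r name net; do
        echo "--- /etc/openvpn/ccd/$name"; ccd_entry "$name"
    done
    echo "--- border router static routes"; border_routes 203.0.113.10
fi
```

Run with the demo argument to see the three fragments side by side; re-running after editing SITES is the whole change procedure for adding a site, followed by a restart of the daemon and the matching static route on the border router.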

Restart OpenVPN Daemon
Restart the OpenVPN daemon on the server so that your changes can take effect.
  # /etc/init.d/openvpn restart

Ingress Filtering
Note that, by default, the DD-WRT appliance is a stateful firewall. This means that traffic initiated from the "outside" of the device, which includes connections arriving through the tunnel interface, will be dropped. If you want to exempt VPN-originated traffic from this, SSH into the router and type:
  # iptables --insert INPUT --in-interface tun0 --protocol 0 -j ACCEPT
  # iptables --insert FORWARD --in-interface tun0 --protocol 0 -j ACCEPT
(--protocol 0 matches every IP protocol, so these accept all traffic from tun0 into the router itself and through it to the LAN.) Two caveats. Rules entered over SSH are lost at reboot; to make them persistent, put them in the router's firewall script (Administration tab, Commands subtab, Save Firewall). And these rules trust everything that arrives on tun0, which with client-to-client enabled on the server includes other remote sites; if only campus should be able to initiate connections to this office, add --source 192.168.1.0/24 to both rules.

Finished! That should be all that you need to do to set up a routed VPN between two sites using OpenVPN. To confirm that everything is operating properly, try pinging something on the main campus network from the remote network, and vice-versa.

Additional Information
OpenVPN Homepage: http://www.openvpn.net
DD-WRT Project: http://www.dd-wrt.com
OpenVPN 2.0 HOWTO: http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

Additional Information
OpenVPN on Debian: http://www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/
OpenVPN – Community Ubuntu Docs: https://help.ubuntu.com/community/OpenVPN

Questions?

Information Security Administrator Contact Information Matt Gracie Information Security Administrator Canisius College ITS graciem@canisius.edu (716) 888-8378