Linking Remote Sites With OpenVPN


1 Linking Remote Sites With OpenVPN
Matt Gracie Information Security Administrator Canisius College Buffalo, NY

2 The Problem Often, there are times when a geographically separate network needs to be able to access resources on your central campus network – and vice-versa.

3 Possible Solutions
Install a fiber path
Use microwave technology
Lease a line from a telecom
Use an independent Internet connection
Use a VPN (Proprietary or Otherwise)

4 What is OpenVPN? From the OpenVPN web site:
“OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.”

5 What is OpenVPN? Other important features of OpenVPN:
It operates in user space
Cross-platform compatibility
Uses OpenSSL for encryption
Free, open source, well-audited
The same software is both client and server

6 Our Example Network

7 Our Example Network

8 Prerequisites
Both sites must have commodity Internet access
You must be able to configure the firewall and the border router at the main campus site
You must be able to assign static IP addresses
You must be able to publish DNS records for your domain

9 Initial Network Setup The computer that will be used as a VPN server (vpn.maincampus.edu) must have a static IP, a published DNS record, and be accessible from the Internet using port 1194/tcp. A static route for /24 needs to be installed on the border router, pointing to the IP address of vpn.maincampus.edu. This will allow computers on the maincampus.edu network to route traffic to computers at the remote office.

10 Building the OpenVPN Server
This presentation assumes that the OpenVPN server will be a Linux environment, either running on dedicated hardware or as a virtual machine. These configuration directions were derived from an installation on Ubuntu. Other Linux variants may require slight changes in syntax.

11 Install the Software
The necessary software is available in the standard Ubuntu repositories. Simply update your package cache and then install the “openvpn” and “openssl” packages along with any requirements.
# apt-get update
# apt-get install openvpn openssl

12 Establish the CA
The OpenVPN software ships with default example SSL CA configurations that are usable in production. These commands will copy them from the documentation directory into the OpenVPN configuration directory.
# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0

13 Establish the CA
The file “vars” in /etc/openvpn/easy-rsa/2.0 contains some default configuration information for the CA. Edit the last configuration stanza to match your environment, then run the appropriate scripts to build the certificates for the CA.
# vi vars
# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-dh

14 Move Keys
By default, all of the keys that we've generated so far are in a subdirectory of /etc/openvpn. They need to be moved to the proper place in the filesystem so that the OpenVPN software can find them.
# cd /etc/openvpn/easy-rsa/2.0/keys
# cp ca.crt ca.key dh1024.pem server.crt \
    server.key /etc/openvpn
# cd /etc/openvpn
# mkdir ccd

15 Configure the Software
OpenVPN does come with several example configurations in the /usr/share/doc/openvpn directory. For purposes of this deployment, we'll be using something more abbreviated. Put the contents of the next slide into a file named “openvpn.conf” in the /etc/openvpn configuration directory.

16 Sample Configuration
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server
ifconfig-pool-persist ipp.txt
keepalive
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
client-config-dir /etc/openvpn/ccd
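An added example, not part of the presentation: a small shell lint for the server configuration on this slide. It checks the points a defender would want confirmed before the daemon goes live (the privilege drop to an unprivileged user, persist-key and persist-tun alongside it, key material present and the private key not world-readable, no CA private key left next to the server config, and an existing client-config-dir) and returns the number of findings. All paths and files it creates are constructed for the demo; the `server` and `keepalive` arguments in the demo config are made-up values, since the slide does not show them.

```shell
#!/bin/sh
# Added example (not from the presentation): lint an openvpn.conf.
# On a real server run:  check_openvpn_conf /etc/openvpn/openvpn.conf
set -u

# has_directive FILE NAME -> true if an uncommented line starts with NAME
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# directive_arg FILE NAME -> first argument of NAME, empty if absent
directive_arg() { awk -v d="$2" '$1==d {print $2; exit}' "$1"; }

# check_openvpn_conf FILE -> prints WARN lines, returns the number of findings
# (relative file names resolve against FILE's directory, as OpenVPN does with --cd)
check_openvpn_conf() {
    conf=$1; dir=$(dirname "$conf"); n=0
    warn() { echo "WARN: $1"; n=$((n+1)); }
    # Drop root once the tunnel is up.
    has_directive "$conf" user  || warn "no 'user' directive: daemon keeps running as root"
    has_directive "$conf" group || warn "no 'group' directive"
    # After the privilege drop the daemon can no longer re-read keys or
    # re-open the tun device unless it keeps them across restarts.
    if has_directive "$conf" user; then
        has_directive "$conf" persist-key || warn "'user' set without 'persist-key'"
        has_directive "$conf" persist-tun || warn "'user' set without 'persist-tun'"
    fi
    # Key material present; private key readable only by its owner.
    for d in ca cert key dh; do
        f=$(directive_arg "$conf" "$d")
        if [ -z "$f" ]; then warn "no '$d' directive"; continue; fi
        case $f in /*) ;; *) f="$dir/$f" ;; esac
        if [ ! -f "$f" ]; then
            warn "$d file $f is missing"
        elif [ "$d" = key ] && [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            warn "private key $f is readable by group or others (chmod 600)"
        fi
    done
    # The server verifies clients with ca.crt only; the CA's private key
    # belongs on the signing host, not on the Internet-facing VPN endpoint.
    [ -f "$dir/ca.key" ] && warn "CA private key ca.key present in $dir"
    ccd=$(directive_arg "$conf" client-config-dir)
    if [ -n "$ccd" ]; then
        case $ccd in /*) ;; *) ccd="$dir/$ccd" ;; esac
        [ -d "$ccd" ] || warn "client-config-dir $ccd does not exist"
    fi
    # Informational: client-to-client switches packets between clients inside
    # OpenVPN, so that traffic never passes the server host's iptables rules.
    has_directive "$conf" client-to-client && echo "NOTE: client-to-client enabled; inter-site traffic bypasses the server's packet filter"
    return $n
}

# --- constructed demo: one sound config directory and one weakened copy ---
DEMO=$(mktemp -d)
for case in good bad; do
    mkdir -p "$DEMO/$case/ccd"
    for f in ca.crt server.crt server.key dh1024.pem; do
        echo "constructed placeholder, not real key material" > "$DEMO/$case/$f"
    done
    chmod 600 "$DEMO/$case/server.key"
    # Mirrors the slide; 'server' and 'keepalive' arguments are constructed.
    cat > "$DEMO/$case/openvpn.conf" <<EOF
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
client-config-dir $DEMO/$case/ccd
EOF
done
# Weaken the second copy: no privilege drop, world-readable key, CA key left behind.
sed '/^user /d; /^group /d' "$DEMO/bad/openvpn.conf" > "$DEMO/bad/tmp.conf"
mv "$DEMO/bad/tmp.conf" "$DEMO/bad/openvpn.conf"
chmod 644 "$DEMO/bad/server.key"
cp "$DEMO/bad/ca.crt" "$DEMO/bad/ca.key"

check_openvpn_conf "$DEMO/good/openvpn.conf" && echo "good: clean"
check_openvpn_conf "$DEMO/bad/openvpn.conf"  || echo "bad: $? finding(s)"
```

The weakened copy produces four findings (missing `user`, missing `group`, a group/world-readable `server.key`, and a `ca.key` sitting beside the config); the faithful copy produces none, only the informational note about `client-to-client`.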

17 Start the Server Daemon
Now, the server should be configured and ready to launch.
# /etc/init.d/openvpn start
 * Starting virtual private network daemon(s)...
 * Autostarting VPN 'openvpn' [OK]

18 Building the Client Gateway
Now that the server is up and running, we need to configure a client gateway to connect to it and properly route traffic. For purposes of this presentation, I will assume the use of a Linksys WRT54GL router, reflashed with DD-WRT, and a cable Internet connection.

19 WRT54GL

20 DD-WRT DD-WRT is a third party firmware that works on the Linksys WRT54GL as well as many other models of home router. It is a full Linux distribution with a web-based GUI for ease of administration. There are many different versions of DD-WRT available, depending on the router that you're using. Make sure that you install one that supports OpenVPN as a client.

21 Flash Your Router Using the instructions provided on the DD-WRT web site, flash your router firmware with the newest stable version of the software. If you are using something besides a WRT54GL, be sure to completely read and understand the documentation; some models have odd quirks that must be dealt with to avoid bricking.

22 Build a Client Key
Because OpenVPN uses SSL certificates for authentication, a certificate pair must be generated for each client. Here we build one for a client named “remote1”.
# cd /etc/openvpn/easy-rsa/2.0
# ./build-key remote1

23 Retrieve Client Key
Once the keys are generated, download them to your desktop computer. You will need the following files from the /etc/openvpn/easy-rsa/2.0/keys directory:
ca.crt
remote1.crt
remote1.key

24 Install Client Keys
Log into the DD-WRT web interface. Click on the Administration tab, then the Services subtab, and enable the OpenVPN client. Fill in the appropriate parameters:
IP Address: vpn.maincampus.edu
Port:
LZO Compression: on
Tunnel Protocol: tcp
Public Server Cert: The contents of ca.crt
Public Client Cert: The contents of remote1.crt
Private Client Key: The contents of remote1.key

25 Install Routes on Server
As part of the client configuration process, the OpenVPN configuration on the server must be modified so that it is aware of the remote network. Add the following to /etc/openvpn/openvpn.conf:
push “route ”
#remote1 network
route
push “route ”
Put this in /etc/openvpn/ccd/remote1:
iroute
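An added example, not part of the presentation, for the three declarations this slide sets up: `route` installs the kernel route on the server host into the tunnel, `push "route ..."` tells the other clients how to reach the site, and `iroute` in the client's ccd file tells OpenVPN which client owns that network. A `route` without its matching `iroute` (or the reverse) leaves the site unreachable even though the tunnel is up, so the script below both registers a site and checks that the two sides agree. The networks, directory layout and client names are constructed for the demo; the presentation's own values are not shown.

```shell
#!/bin/sh
# Added example (not from the presentation): register a remote site and
# cross-check route/iroute consistency.  The ccd file name must equal the
# Common Name of the client's certificate (here: remote1, remote2).
set -u

# add_remote_site CONF CCD_DIR NAME NET MASK
add_remote_site() {
    conf=$1; ccd=$2; name=$3; net=$4; mask=$5
    mkdir -p "$ccd"
    {
        echo "#$name network"
        echo "route $net $mask"
        echo "push \"route $net $mask\""
    } >> "$conf"
    echo "iroute $net $mask" >> "$ccd/$name"
}

# escape dots so an address is matched literally by grep -E
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_site_routes CONF CCD_DIR -> number of mismatches (0 = consistent)
check_site_routes() {
    conf=$1; ccd=$2; bad=0
    # every iroute in a ccd file needs a route in the server config
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        for entry in $(awk '$1=="iroute" && NF>=3 {print $2 "/" $3}' "$f"); do
            net=${entry%/*}; mask=${entry#*/}
            grep -Eq "^[[:space:]]*route[[:space:]]+$(esc "$net $mask")([[:space:]]|\$)" "$conf" \
                || { echo "MISMATCH: $(basename "$f") has iroute $net $mask but $conf has no route for it"; bad=$((bad+1)); }
        done
    done
    # every route in the server config needs some client claiming it
    for entry in $(awk '$1=="route" && NF>=3 {print $2 "/" $3}' "$conf"); do
        net=${entry%/*}; mask=${entry#*/}
        grep -Eqs "^[[:space:]]*iroute[[:space:]]+$(esc "$net $mask")([[:space:]]|\$)" "$ccd"/* \
            || { echo "MISMATCH: route $net $mask has no iroute in $ccd"; bad=$((bad+1)); }
    done
    return $bad
}

# --- constructed demo ---
DEMO=$(mktemp -d); CONF=$DEMO/openvpn.conf; CCD=$DEMO/ccd
printf 'server 10.8.0.0 255.255.255.0\n' > "$CONF"   # constructed VPN subnet
add_remote_site "$CONF" "$CCD" remote1 192.168.50.0 255.255.255.0
add_remote_site "$CONF" "$CCD" remote2 192.168.60.0 255.255.255.0
check_site_routes "$CONF" "$CCD" && echo "routes consistent"
# the common mistake: an iroute added without the server-side route
echo "iroute 192.168.70.0 255.255.255.0" > "$CCD/remote3"
check_site_routes "$CONF" "$CCD" || echo "$? mismatch(es)"
```

Run the check after every edit to the ccd directory and before the daemon restart on the next slide; a non-zero return is the signal that a site will silently fail to route.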

26 Restart OpenVPN Daemon
Restart the OpenVPN daemon on the server so that your changes can take effect.
# /etc/init.d/openvpn restart

27 Ingress Filtering
Note that, by default, the DD-WRT appliance is a stateful firewall. This means that traffic initiated from the “outside” of the device will be dropped. If you want to exempt VPN-originated traffic from this, SSH into the router and type:
# iptables --insert INPUT --in-interface tun0 --protocol 0 -j ACCEPT
# iptables --insert FORWARD --in-interface tun0 --protocol 0 -j ACCEPT
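An added example, not part of the presentation. The two rules on this slide accept every packet arriving on tun0, so anything on the far side of the tunnel can reach every host and service behind the DD-WRT router. The generator below builds a narrower policy for the same two chains: replies to connections the remote office started, a named list of services from the trusted campus network only, then log and drop the rest. It prints the iptables commands by default and runs them when APPLY=1 is set. The trusted network, the service list and the log prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the presentation): generate narrower tun0 ingress
# rules for DD-WRT.  INPUT protects the router itself, FORWARD protects the
# hosts behind it.
set -u

# emit one iptables invocation: print it, or run it when APPLY=1
rule() {
    if [ "${APPLY:-0}" = 1 ]; then iptables $1; else echo "iptables $1"; fi
}

# tun_ingress_rules IFACE TRUSTED_NET "PORT/PROTO ..."
# Rules are inserted at increasing positions so they sit, in this order,
# ahead of the firmware's own rules.
tun_ingress_rules() {
    iface=$1; trusted=$2; services=$3
    for chain in INPUT FORWARD; do
        pos=1
        # replies to sessions the remote office opened toward the campus
        rule "-I $chain $pos -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT"
        # only the listed services, and only from the trusted network
        for svc in $services; do
            port=${svc%/*}; proto=${svc#*/}
            pos=$((pos+1))
            rule "-I $chain $pos -i $iface -s $trusted -p $proto --dport $port -m state --state NEW -j ACCEPT"
        done
        # everything else arriving through the tunnel is logged, then dropped
        pos=$((pos+1))
        rule "-I $chain $pos -i $iface -j LOG --log-prefix ${iface}-drop:"
        pos=$((pos+1))
        rule "-I $chain $pos -i $iface -j DROP"
    done
}

# constructed values: the main campus network and the services the remote
# office exposes to it (ssh for management, https for an internal web app)
tun_ingress_rules tun0 10.0.0.0/8 "22/tcp 443/tcp"
```

Review the printed commands first, then re-run with `APPLY=1` on the router; the LOG rule gives the remote office a record of what the tunnel tried to reach and was refused.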

28 Finished! That should be all that you need to do to set up a routed VPN between two sites using OpenVPN. To confirm that everything is operating properly, try pinging something on the main campus network from the remote network, and vice-versa.

29 Additional Information
OpenVPN Homepage
DD-WRT Project
OpenVPN 2.0 HOWTO howto-edit.html

30 Additional Information
OpenVPN on Debian simple-tutorialhowto-on-openvpn- with-debian/
OpenVPN – Community Ubuntu Docs N

31 Questions?

32 Information Security Administrator
Contact Information Matt Gracie Information Security Administrator Canisius College ITS (716)

