educause
7/29/2019 Linking Remote Sites with OpenVPN (166361733)
http://slidepdf.com/reader/full/linking-remote-sites-with-openvpn-166361733 1/32
Linking Remote Sites With OpenVPN
Matt Gracie
Information Security Administrator
Canisius College
Buffalo, NY
The Problem
Often, there are times when a geographically separate network needs to be able to access resources on your central campus network – and vice-versa.
Possible Solutions
● Install a fiber path
● Use microwave technology
● Lease a line from a telecom
● Use an independent Internet connection
● Use a VPN (Proprietary or Otherwise)
What is OpenVPN?
From the OpenVPN web site:
“OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.”
What is OpenVPN?
Other important features of OpenVPN:
● It operates in user space
● Cross-platform compatibility
● Uses OpenSSL for encryption
● Free, open source, well-audited
● The same software is both client and server
Our Example Network
Prerequisites
● Both sites must have commodity Internet access
● You must be able to configure the firewall and the border router at the main campus site
● You must be able to assign static IP addresses
● You must be able to publish DNS records for your domain
Initial Network Setup
● The computer that will be used as a VPN server (vpn.maincampus.edu) must have a static IP, a published DNS record, and be accessible from the Internet using port 1194/tcp.
● A static route for 172.16.0.0/24 needs to be installed on the border router, pointing to the IP address of vpn.maincampus.edu. This will allow computers on the maincampus.edu network to route traffic to computers at the remote office.
Building the OpenVPN Server
This presentation assumes that the OpenVPN server will be a Linux environment, either running on dedicated hardware or as a virtual machine.
These configuration directions were derived from an installation on Ubuntu 9.10. Other Linux variants may require slight changes in syntax.
Install the Software
The necessary software is available in the standard Ubuntu repositories. Simply update your package cache and then install the “openvpn” and “openssl” packages along with any requirements.
# apt-get update
# apt-get install openvpn openssl
Establish the CA
The OpenVPN software ships with default example SSL CA configurations that are usable in production. These commands will copy them from the documentation directory into the OpenVPN configuration directory.
# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0
Establish the CA
The file “vars” in /etc/openvpn/easy-rsa/2.0 contains some default configuration information for the CA. Edit the last configuration stanza to match your environment, then run the appropriate scripts to build the certificates for the CA.
# vi vars
# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-dh
Move Keys
By default, all of the keys that we've generated so far are in a subdirectory of /etc/openvpn. They need to be moved to the proper place in the filesystem so that the OpenVPN software can find them.
# cd /etc/openvpn/easy-rsa/2.0/keys
# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
# cd /etc/openvpn
# mkdir ccd
Configure the Software
OpenVPN does come with several example configurations in the /usr/share/doc/openvpn directory. For purposes of this deployment, we'll be using something more abbreviated. Put the contents of the next slide into a file named “openvpn.conf” in the /etc/openvpn configuration directory.
Sample Configuration
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
client-config-dir /etc/openvpn/ccd
Start the Server Daemon
Now, the server should be configured and ready to launch.
# /etc/init.d/openvpn start
* Starting virtual private network daemon(s)...
* Autostarting VPN 'openvpn' [OK]
Building the Client Gateway
Now that the server is up and running, we need to configure a client gateway to connect to it and properly route traffic.
For purposes of this presentation, I will assume the use of a Linksys WRT54GL router, reflashed with DD-WRT, and a cable Internet connection.
WRT54GL
DD-WRT
DD-WRT is a third party firmware that works on the Linksys WRT54GL as well as many other models of home router. It is a full Linux distribution with a web-based GUI for ease of administration.
There are many different versions of DD-WRT available, depending on the router that you're using. Make sure that you install one that supports OpenVPN as a client.
Flash Your Router
Using the instructions provided on the DD-WRT web site, flash your router firmware with the newest stable version of the software.
If you are using something besides a WRT54GL, be sure to completely read and understand the documentation; some models have odd quirks that must be dealt with to avoid bricking.
Build a Client Key
Because OpenVPN uses SSL certificates for authentication, a certificate pair must be generated for each client. Here we build one for a client named “remote1”.
# cd /etc/openvpn/easy-rsa/2.0
# ./build-key remote1
Retrieve Client Key
Once the keys are generated, download them to your desktop computer. You will need the following files from the /etc/openvpn/easy-rsa/2.0/keys directory:
ca.crt
remote1.crt
remote1.key
Install Client Keys
Log into the DD-WRT web interface. Click on the Administration tab, then the Services subtab, and enable the OpenVPN client.
Fill in the appropriate parameters:
IP Address: vpn.maincampus.edu
Port: 1194
LZO Compression: on
Tunnel Protocol: tcp
Public Server Cert: The contents of ca.crt
Public Client Cert: The contents of remote1.crt
Private Client Key: The contents of remote1.key
Install Routes on Server
As part of the client configuration process, the OpenVPN configuration on the server must be modified so that it is aware of the remote network.
Add the following to /etc/openvpn/openvpn.conf:
push "route 192.168.1.0 255.255.255.0"
#remote1 network
route 192.168.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
Put this in /etc/openvpn/ccd/remote1:
iroute 192.168.2.0 255.255.255.0
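The route / push "route" / iroute pattern above, as an added shell example that is not part of the slides: it emits the same three server-side lines and the per-client iroute line for any remote site, after checking that the network and netmask are well-formed dotted quads, and writes them to whatever config path and ccd directory you pass in. The function names and the path parameters are this example's own assumptions; the slides use the fixed locations /etc/openvpn/openvpn.conf and /etc/openvpn/ccd.

```shell
#!/bin/sh
# Added example, not from the slides: generate the server-side lines shown on
# the "Install Routes on Server" slide for any remote site. The function names
# and the configurable paths are assumptions of this example.

# Reject anything that is not four decimal octets in the range 0-255.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Lines for openvpn.conf: 'route' installs a kernel route for the remote LAN
# into the tunnel; 'push "route ..."' tells the other clients how to reach it.
server_route_lines() {
    client="$1"; net="$2"; mask="$3"
    valid_ip "$net" && valid_ip "$mask" || return 1
    printf '#%s network\nroute %s %s\npush "route %s %s"\n' \
        "$client" "$net" "$mask" "$net" "$mask"
}

# Line for ccd/<client>: 'iroute' tells OpenVPN itself which connected client
# owns that subnet, so the kernel route above has a client to deliver to.
ccd_iroute_line() {
    valid_ip "$2" && valid_ip "$3" || return 1
    printf 'iroute %s %s\n' "$2" "$3"
}

# Append the routes to the server config and write the per-client ccd file.
# Usage: add_remote_site <client> <network> <netmask> <openvpn.conf> <ccd dir>
add_remote_site() {
    client="$1"; net="$2"; mask="$3"; conf="$4"; ccd="$5"
    mkdir -p "$ccd" || return 1
    server_route_lines "$client" "$net" "$mask" >> "$conf" || return 1
    ccd_iroute_line "$client" "$net" "$mask" > "$ccd/$client" || return 1
}

# Run directly with five arguments, e.g. (constructed sample values):
#   sh thisfile.sh remote1 192.168.2.0 255.255.255.0 ./openvpn.conf ./ccd
if [ "$#" -eq 5 ]; then
    add_remote_site "$@"
fi
```

Restart the daemon afterwards, as the next slide says, since the ccd file is read per connection but the added route and push lines are only read at startup.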
Restart OpenVPN Daemon
Restart the OpenVPN daemon on the server so that your changes can take effect.
# /etc/init.d/openvpn restart
Ingress Filtering
Note that, by default, the DD-WRT appliance is a stateful firewall. This means that traffic initiated from the “outside” of the device will be dropped.
If you want to exempt VPN-originated traffic from this, SSH into the router and type:
# iptables --insert INPUT --in-interface tun0 --protocol 0 -j ACCEPT
# iptables --insert FORWARD --in-interface tun0 --protocol 0 -j ACCEPT
Finished!
That should be all that you need to do to set up a routed VPN between two sites using OpenVPN.
To confirm that everything is operating properly, try pinging something on the main campus network from the remote network, and vice-versa.
Additional Information
OpenVPN Homepage
http://www.openvpn.net
DD-WRT Project
http://www.dd-wrt.com
OpenVPN 2.0 HOWTO
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
Additional Information
OpenVPN on Debian
http://www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/
OpenVPN – Community Ubuntu Docs
https://help.ubuntu.com/community/OpenVPN
Questions?
Contact Information
Matt Gracie
Information Security Administrator
Canisius College ITS
(716) 888-8378