7/29/2019 Linking Remote Sites with OpenVPN (166361733) http://slidepdf.com/reader/full/linking-remote-sites-with-openvpn-166361733 1/32  Linking Remote Sites With OpenVPN Matt Gracie Information Security Administrator Canisius College Buffalo, NY
Page 1: Linking Remote Sites with OpenVPN (166361733)


Linking Remote Sites With OpenVPN

Matt Gracie
Information Security Administrator

Canisius College

Buffalo, NY

Page 2: Linking Remote Sites with OpenVPN (166361733)


The Problem

Often a geographically separate network needs to be able to access resources on your central campus network, and vice versa.

Page 3: Linking Remote Sites with OpenVPN (166361733)


Possible Solutions

● Install a fiber path

● Use microwave technology

● Lease a line from a telecom

● Use an independent Internet connection

● Use a VPN (proprietary or otherwise)

Page 4: Linking Remote Sites with OpenVPN (166361733)


What is OpenVPN?

From the OpenVPN web site:

“OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.”

Page 5: Linking Remote Sites with OpenVPN (166361733)


What is OpenVPN?

Other important features of OpenVPN:

● It operates in user space

● Cross-platform compatibility

● Uses OpenSSL for encryption

● Free, open source, well-audited

● The same software is both client and server

Page 6: Linking Remote Sites with OpenVPN (166361733)


Our Example Network

Page 7: Linking Remote Sites with OpenVPN (166361733)


Our Example Network

Page 8: Linking Remote Sites with OpenVPN (166361733)


Prerequisites

● Both sites must have commodity Internet access

● You must be able to configure the firewall and the border router at the main campus site

● You must be able to assign static IP addresses

● You must be able to publish DNS records for your domain

Page 9: Linking Remote Sites with OpenVPN (166361733)


Initial Network Setup

● The computer that will be used as a VPN server (vpn.maincampus.edu) must have a static IP, a published DNS record, and be accessible from the Internet using port 1194/tcp.

● A static route for 172.16.0.0/24 needs to be installed on the border router, pointing to the IP address of vpn.maincampus.edu. This will allow computers on the maincampus.edu network to route traffic to computers at the remote office.

Page 10: Linking Remote Sites with OpenVPN (166361733)


Building the OpenVPN Server 

This presentation assumes that the OpenVPN server will be a Linux environment, either running on dedicated hardware or as a virtual machine.

These configuration directions were derived from an installation on Ubuntu 9.10. Other Linux variants may require slight changes in syntax.

Page 11: Linking Remote Sites with OpenVPN (166361733)


Install the Software

The necessary software is available in the standard Ubuntu repositories. Simply update your package cache and then install the “openvpn” and “openssl” packages along with any requirements.

# apt-get update

# apt-get install openvpn openssl

Page 12: Linking Remote Sites with OpenVPN (166361733)


Establish the CA

The OpenVPN software ships with default example SSL CA configurations that are usable in production. These commands will copy them from the documentation directory into the OpenVPN configuration directory.

# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/

# cd /etc/openvpn/easy-rsa/2.0

Page 13: Linking Remote Sites with OpenVPN (166361733)


Establish the CA

The file “vars” in /etc/openvpn/easy-rsa/2.0 contains some default configuration information for the CA. Edit the last configuration stanza to match your environment, then run the appropriate scripts to build the certificates for the CA.

# vi vars

# . ./vars

# ./clean-all

# ./build-ca

# ./build-key-server server

# ./build-dh

Page 14: Linking Remote Sites with OpenVPN (166361733)


Move Keys

By default, all of the keys that we've generated so far are in a subdirectory of /etc/openvpn. They need to be moved to the proper place in the filesystem so that the OpenVPN software can find them.

# cd /etc/openvpn/easy-rsa/2.0/keys

# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

# cd /etc/openvpn

# mkdir ccd

Page 15: Linking Remote Sites with OpenVPN (166361733)


Configure the Software

OpenVPN does come with several example configurations in the /usr/share/doc/openvpn directory. For purposes of this deployment, we'll be using something more abbreviated. Put the contents of the next slide into a file named “openvpn.conf” in the /etc/openvpn configuration directory.

Page 16: Linking Remote Sites with OpenVPN (166361733)


Sample Configuration

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
client-config-dir /etc/openvpn/ccd

Page 17: Linking Remote Sites with OpenVPN (166361733)


Start the Server Daemon

Now, the server should be configured and ready to launch.

# /etc/init.d/openvpn start

* Starting virtual private network daemon(s)...

* Autostarting VPN 'openvpn' [OK]

Page 18: Linking Remote Sites with OpenVPN (166361733)


Building the Client Gateway

Now that the server is up and running, we need to configure a client gateway to connect to it and properly route traffic.

For purposes of this presentation, I will assume the use of a Linksys WRT54GL router, reflashed with DD-WRT, and a cable Internet connection.

Page 19: Linking Remote Sites with OpenVPN (166361733)


WRT54GL

Page 20: Linking Remote Sites with OpenVPN (166361733)


DD-WRT

DD-WRT is a third party firmware that works on the Linksys WRT54GL as well as many other models of home router. It is a full Linux distribution with a web-based GUI for ease of administration.

There are many different versions of DD-WRT available, depending on the router that you're using. Make sure that you install one that supports OpenVPN as a client.

Page 21: Linking Remote Sites with OpenVPN (166361733)


Flash Your Router 

Using the instructions provided on the DD-WRT web site, flash your router firmware with the newest stable version of the software.

If you are using something besides a WRT54GL, be sure to completely read and understand the documentation; some models have odd quirks that must be dealt with to avoid bricking.

Page 22: Linking Remote Sites with OpenVPN (166361733)


Build a Client Key

Because OpenVPN uses SSL certificates for authentication, a certificate pair must be generated for each client. Here we build one for a client named “remote1”.

# cd /etc/openvpn/easy-rsa/2.0

# ./build-key remote1

Page 23: Linking Remote Sites with OpenVPN (166361733)


Retrieve Client Key

Once the keys are generated, download them to your desktop computer. You will need the following files from the /etc/openvpn/easy-rsa/2.0/keys directory:

ca.crt

remote1.crt

remote1.key

Page 24: Linking Remote Sites with OpenVPN (166361733)


Install Client Keys

Log into the DD-WRT web interface. Click on the Administration tab, then the Services subtab, and enable the OpenVPN client.

Fill in the appropriate parameters:

IP Address: vpn.maincampus.edu

Port: 1194

LZO Compression: on

Tunnel Protocol: tcp

Public Server Cert: The contents of ca.crt

Public Client Cert: The contents of remote1.crt

Private Client Key: The contents of remote1.key

Page 25: Linking Remote Sites with OpenVPN (166361733)


Install Routes on Server 

As part of the client configuration process, the OpenVPN configuration on the server must be modified so that it is aware of the remote network.

Add the following to /etc/openvpn/openvpn.conf:

push "route 192.168.1.0 255.255.255.0"

#remote1 network

route 192.168.2.0 255.255.255.0

push "route 192.168.2.0 255.255.255.0"

Put this in /etc/openvpn/ccd/remote1:

iroute 192.168.2.0 255.255.255.0
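The route, push and iroute lines above must agree with each other or the remote LAN silently becomes unreachable. The checker below is an added example, not part of the original slides; it assumes the server config is read as one string and each ccd file is keyed by the client common name it was written for (the sample input is constructed from the slides).

```python
from ipaddress import ip_network

# Constructed sample input: the routing lines of the slide-16 server config plus
# the slide-25 additions, and the per-client file from /etc/openvpn/ccd/remote1.
SERVER_CONF = """\
server 172.16.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 192.168.1.0 255.255.255.0"
#remote1 network
route 192.168.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
"""
CCD_FILES = {"remote1": "iroute 192.168.2.0 255.255.255.0\n"}


def directives(text):
    """Yield (name, args) per non-comment line, with ASCII double quotes removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', " ").split()
            yield parts[0], parts[1:]


def check_routes(server_conf, ccd_files):
    """Return a list of problems; an empty list means route, push and iroute agree."""
    problems = []
    if "\u201c" in server_conf or "\u201d" in server_conf:
        problems.append("typographic quotes found; OpenVPN only recognises ASCII quotes")
    routed, pushed = set(), set()
    for name, args in directives(server_conf):
        if name == "route":  # kernel route on the server towards the tunnel
            routed.add(ip_network(f"{args[0]}/{args[1]}"))
        elif name == "push" and args[:1] == ["route"]:  # route sent to every client
            pushed.add(ip_network(f"{args[1]}/{args[2]}"))
    irouted = {}  # remote LAN -> common name of the client that owns it
    for cn, text in ccd_files.items():
        for name, args in directives(text):
            if name == "iroute":
                lan = ip_network(f"{args[0]}/{args[1]}")
                if lan in irouted:
                    problems.append(f"{lan} is iroute'd by both {irouted[lan]} and {cn}")
                irouted[lan] = cn
    for lan in sorted(routed - set(irouted)):
        problems.append(f"route {lan} has no iroute in any ccd file")
    for lan, cn in sorted(irouted.items()):
        if lan not in routed:
            problems.append(f"iroute {lan} in ccd/{cn} needs a matching server route")
        if lan not in pushed:
            problems.append(f"{lan} is not pushed, so other clients have no route to it")
    return problems
```

Run it after every change to openvpn.conf or the ccd directory; an empty list is the expected result for the slide configuration.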

Page 26: Linking Remote Sites with OpenVPN (166361733)


Restart OpenVPN Daemon

Restart the OpenVPN daemon on the server so that your changes can take effect.

# /etc/init.d/openvpn restart

Page 27: Linking Remote Sites with OpenVPN (166361733)


Ingress Filtering

Note that, by default, the DD-WRT appliance is a stateful firewall. This means that traffic initiated from the “outside” of the device will be dropped.

If you want to exempt VPN-originated traffic from this, SSH into the router and type:

# iptables --insert INPUT --in-interface tun0 --protocol 0 -j ACCEPT

# iptables --insert FORWARD --in-interface tun0 --protocol 0 -j ACCEPT

Page 28: Linking Remote Sites with OpenVPN (166361733)


Finished!

That should be all that you need to do to set up a routed VPN between two sites using OpenVPN.

To confirm that everything is operating properly, try pinging something on the main campus network from the remote network, and vice-versa.
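Beyond a ping, the file named by the "status openvpn-status.log" line in the sample configuration can be audited on the server to confirm that exactly the peers you issued certificates to are connected and that each remote LAN is routed to the right one. This is an added example, not from the original deck; the status contents, real address and timestamps are constructed.

```python
# Constructed sample of the version-1 status file that the slide-16 "status
# openvpn-status.log" directive writes; addresses, byte counts and times are made up.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Mon Jul 29 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
remote1,203.0.113.10:51234,12345,67890,Mon Jul 29 09:55:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.16.0.6,remote1,203.0.113.10:51234,Mon Jul 29 10:00:00 2019
192.168.2.0/24,remote1,203.0.113.10:51234,Mon Jul 29 10:00:00 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
# Expected site-to-site peers: certificate common name -> LAN granted by its iroute.
EXPECTED = {"remote1": "192.168.2.0/24"}

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return (clients, routes): common name -> real address, and
    virtual address or network -> common name it is routed to."""
    clients, routes, section = {}, {}, None
    for line in text.splitlines():
        if line in SECTIONS:
            section = line
            continue
        f = line.split(",")
        if section == SECTIONS[0] and len(f) == 5 and f[0] != "Common Name":
            clients[f[0]] = f[1]
        elif section == SECTIONS[1] and len(f) == 4 and f[0] != "Virtual Address":
            routes[f[0]] = f[1]
    return clients, routes


def audit(text, expected):
    """List peers that are down, peers we never issued, and LANs owned by the wrong peer."""
    clients, routes = parse_status(text)
    findings = [f"{cn} is not connected" for cn in expected if cn not in clients]
    for cn, addr in clients.items():
        if cn not in expected:
            findings.append(f"unexpected client {cn} from {addr}")
    for cn, lan in expected.items():
        if cn in clients and routes.get(lan) != cn:
            findings.append(f"{lan} is routed to {routes.get(lan)!r}, expected {cn}")
    return findings
```

An unexpected common name means a certificate was signed by your CA that is not in your peer list, which is worth investigating before anything else.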

Page 29: Linking Remote Sites with OpenVPN (166361733)


Additional Information

OpenVPN Homepage
http://www.openvpn.net

DD-WRT Project
http://www.dd-wrt.com

OpenVPN 2.0 HOWTO
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

Page 30: Linking Remote Sites with OpenVPN (166361733)


Additional Information

OpenVPN on Debian
http://www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/

OpenVPN – Community Ubuntu Docs
https://help.ubuntu.com/community/OpenVPN

Page 31: Linking Remote Sites with OpenVPN (166361733)


Questions?

Page 32: Linking Remote Sites with OpenVPN (166361733)


Contact Information

Matt Gracie

Information Security Administrator, Canisius College ITS

[email protected]

(716) 888-8378