Setting up the VPN-Concentrator Appliance





Author: Pieter Hotting
Date: 27-7-2009




Contents
1 About this document
2 The Installation
3 The OpenVPN-Web-GUI
   3.1 Creating the server-certificates
4 Making client certificates
   4.1 Creating a certificate
   4.2 Revoking Certificates
5 Configuration
   5.1 Server Setup
   5.2 Routes
   5.3 OpenVPN Configuration
6 Installing the installation package
   6.1 Using the VPN-client-gui
   6.2 Running as a service
7 Backup and Restore
   7.1 Backup
   7.2 Restore




1 About this document
This document describes how to set up an OpenVPN appliance. It will take you by the hand to get a fully working VPN-
concentrator. It is not meant to be a complete description of all features of the GUI, but it will show you the important
parts and how to use them.




2 The Installation
The installation is the same as for all VMWare appliances:
         Download the appliance from the web-site, unpack it and import it into VMWare.

When you start it for the first time it is likely to ask you whether the virtual machine was moved or copied. You must
choose copied.

Very important note:
       There is a known issue with copying virtual machines and their ethernet cards. VMWare will add new ethernet
       cards and leave the originals untouched. What you want is to delete the old ethernet card configuration and start
       using the newly generated ethernet cards. To resolve this you need to execute step 3 below.

Next you need to put in a basic configuration:
    1. Start the appliance from the VMWare console.
    2. Login to the appliance. The default username and password are:
                 username: root
                 password: openvpn

    3.   When copying a VMWare appliance, VMWare will generate a new mac-address for the ethernet-card. The
         VMWare-appliance won't know about that. The best solution to this problem is to remove the following file:

                  rm /etc/udev/rules.d/70-persistent-net.rules

         After doing this, you need to reboot. Because there are more changes that need a reboot, we will do them first
         and reboot in step 7.

    4.   In the /opt/openvpn/bin/vars file you'll find a section where the defaults are stored for generating certificates.
         Setting the right default values will make it easier to quickly add users. Edit vars and set the values shown
         below to your preference:

                  export   KEY_COUNTRY="NL"
                  export   KEY_PROVINCE="Utrecht"
                  export   KEY_CITY="Nieuwegein"
                  export   KEY_ORG="OpenVPN-GUI"
                  export   KEY_OU="Support"

         If required you can also look at the other values and adjust them to your needs. Please be careful. The defaults
         should be ok.

    5.   Edit the OpenVPN configuration file /opt/openvpn/bin/openvpn-config and modify the ETH0 section to
         match your local network. Please only modify the two values shown below:

             ETH0_IP=192.168.3.51
             ETH0_MASK=255.255.255.0

    6.   At this point the server does not yet know about routing. After rebooting you can connect to the OpenVPN-Web-
         GUI from the local network. If this is not enough, please also edit /etc/routes and add the required routing.
         However, this is easier done from the GUI.

    7.   At this point you have installed all software. You are ready to start the OpenVPN-Web-GUI for the first time,
         but before you do it is a good idea to reboot, so you are sure you are starting with a clean machine:
              shutdown -r now

After the appliance has rebooted, you can start a web-browser and connect to the IP-address you entered in step 4.
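The steps above are easy to get wrong by hand (a mistyped octet in ETH0_IP or a three-letter country code only shows up after the reboot, when the GUI is unreachable or the first certificate fails). The following shell functions are an added example, not part of the original document or the appliance: they perform steps 3 to 5 with a little validation first. The file paths and variable names are the ones the document shows; the function names and the checks are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the document): apply the basic configuration of
# steps 3-5 with validation, so mistakes are caught before the reboot.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_key_var FILE KEY VALUE: replace the value of an 'export KEY=...' line
# in the vars file. Refuses blank values and a KEY_COUNTRY that is not
# exactly 2 characters (both rejected later by the GUI, see 3.1).
set_key_var() {
    file=$1; key=$2; value=$3
    [ -n "$value" ] || { echo "$key must not be blank" >&2; return 1; }
    if [ "$key" = KEY_COUNTRY ] && [ ${#value} -ne 2 ]; then
        echo "KEY_COUNTRY must be exactly 2 characters: '$value'" >&2
        return 1
    fi
    grep -q "^export[[:space:]][[:space:]]*$key=" "$file" \
        || { echo "$key not found in $file" >&2; return 1; }
    sed "s|^export[[:space:]][[:space:]]*$key=.*|export $key=\"$value\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# set_eth0 FILE IP MASK: set ETH0_IP and ETH0_MASK in openvpn-config,
# validating both values first.
set_eth0() {
    file=$1; ip=$2; mask=$3
    valid_ipv4 "$ip"   || { echo "bad ETH0_IP: $ip" >&2; return 1; }
    valid_ipv4 "$mask" || { echo "bad ETH0_MASK: $mask" >&2; return 1; }
    sed -e "s|^ETH0_IP=.*|ETH0_IP=$ip|" -e "s|^ETH0_MASK=.*|ETH0_MASK=$mask|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Step 3: drop the stale udev rule so the newly generated mac-address gets
# eth0 back. Harmless when the file is absent (appliance was not copied).
drop_persistent_net_rules() {
    rules=${1:-/etc/udev/rules.d/70-persistent-net.rules}
    [ -e "$rules" ] && rm -f "$rules"
    return 0
}

# Usage on the appliance (values are constructed; adjust them to your site):
#   drop_persistent_net_rules
#   set_key_var /opt/openvpn/bin/vars KEY_COUNTRY NL
#   set_key_var /opt/openvpn/bin/vars KEY_ORG "OpenVPN-GUI"
#   set_eth0 /opt/openvpn/bin/openvpn-config 192.168.3.51 255.255.255.0
#   shutdown -r now
```

The functions only define behaviour; nothing runs until you call them, so the file can be sourced on the appliance and the calls made one by one after checking each result.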




3 The OpenVPN-Web-GUI
Start a web-browser and connect to the IP-address you entered in step 4 of the previous chapter. The default username
and password are:
         username: admin
         password: openvpn
The first thing you need to do is create the appropriate certificates.




3.1 Creating the server-certificates
After logging on you should see the following screen:




    1.   Click on Install OpenVPN tab.




    2.   Change the settings to whatever you like. Please note that this information will also be used as defaults for
         your client certificates. Two important notes:
             ●    Don't leave any fields blank!
             ●    The country code must be exactly 2 characters!
         When you are done, click on Create Server Certificates on the left side of the screen under Available Tasks.




    3.   The certificates are created in the background. The web-browser will wait until it is finished. PLEASE BE
         PATIENT! When the server certificates are created the screen will be updated to the one you see below:




4 Making client certificates
Each remote user (client) should have its own certificate. In this chapter we will start up the web-gui and create the
required certificates. At the end of this chapter an installation package will be downloaded and installed on a client PC.


4.1 Creating a certificate
    1.   Click on the Certificates tab.




    2.   On the left, under Common Tasks, you see the option New Certificate. Click on it.




    3.   Most of the options are defaults and you can leave them as they are. There is one important field: Common
         Name. The best thing is to enter the name of the user. This field will also show up in the Status screen when
         the user connects. Optional, but useful, is to fill in the e-mail address. This is handy if you need to reach the
         user for some reason. When you're done, click on the Create THIS Certificate link.

    4.   On the right side you can see in green [client-config]. Clicking on it will enable you to download an
         installation package.

    5.   Clicking on it will download the installation package. You will receive a zip-file. We will install it in the next
         chapter.
Please be aware that the installation package is a ticket for free access to your network. Be extremely careful
with it. Don't lose it!!!




4.2 Revoking Certificates
When a user is no longer granted access to the OpenVPN-server you can disable his certificate. This is called revoking.
Below you'll find the steps to revoke a user:


    1.   Go to the "Client-Certificates" tab:




    2.   Click on the username of the user that you want to disable:




    3.   On the bottom left you'll see the option: Revoke Certificate 02. The 02 indicates the certificate's sequence
         number. When you click on this option the certificate of the user will be revoked and you will be sent back to
         the main Client-Certificates screen.




    4.   You can see that the certificate is now missing. To also see the revoked certificates, please click on "View all
         Certificates" on the bottom left of the screen:




    5.   Revoked certificates show up in red.


The only way to get the certificate active again is to do a restore of a backup in which the certificate was still active.
Otherwise the only option is to create a new certificate and do a fresh install on the user's client.



5 Configuration
By selecting the Configuration tab, you can modify the configuration of the OpenVPN server:




There are 3 areas on the screen:
    1. Server Setup
    2. Routes
    3. OpenVPN Configuration

In each heading it is stated what needs to be done to get a configuration change active.

5.1 Server Setup
In the section From Scratch, you can find a document that describes the one- and two-interface configuration in more
detail. Please refer to this document for a better understanding of the concept.
In this area you can modify the interface setup as well as the server name. Just click on edit behind a setting and you can
modify the values.




5.2 Routes
You can add and remove routes in this area. You should at least have a default gateway. This is normally the router that
leads to the internet. On the bottom of the Available Tasks you have the possibility to add a route. Editing and removing
can be done by selecting the edit/remove button behind a route.




5.3 OpenVPN Configuration
This is the main part for configuring how the VPN-server operates. There are two configurations:
    1. Server config. This is the OpenVPN-server configuration.
    2. Client template. This is used as a generic template to generate a client-configuration.

Details on how these configurations work can be found on:
         http://openvpn.net/index.php/open-source/documentation/howto.html#server
         http://openvpn.net/index.php/open-source/documentation/howto.html#client

After installation a default config will be in place. Below you find a few things of this default configuration highlighted.

General:
- A # character at the beginning of a line makes the line a comment. The statement behind it will be ignored.

Server options
server 192.168.5.0 255.255.255.0
    DON'T CHANGE! This is the IP-range that is used for the VPN-tunnels. Instead of changing this, change the
    settings of tun0 in the Server Setup.
local 192.168.3.52
    DON'T CHANGE! This is the IP-address of the Public Interface. Instead of changing this, change the settings of
    the public interface in the Server Setup.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/keys/crl.pem
    DON'T CHANGE! The certificates are generated automatically. If you change these settings the openvpn-server
    will stop working.
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
script-security 2
client-connect /opt/openvpn/scripts/client-connect.sh
client-disconnect /opt/openvpn/scripts/client-disconnect.sh
    DON'T CHANGE! These lines define the status-updates and logging. They are needed to make the logging in the
    GUI work correctly.
verb 1
# push "redirect-gateway def1"
push "route 0.0.0.0 128.0.0.0"
push "route 128.0.0.0 128.0.0.0"
    The server will set a default gateway on the client upon connection. The official command push "redirect-gateway
    def1" didn't work for me in all configurations. The solution is to push 2 routes that are more specific (and therefore
    preferred) than the default gateway. The 2 routes will force all traffic through the VPN tunnel.
push "dhcp-option DOMAIN hottinglocal"
push "dhcp-option DNS 192.168.3.8"
    The domain name hotting.local will be pushed and the DNS will be set to 192.168.3.8. This is optional.
push "route 192.168.3.0 255.255.255.0"
push "route 172.16.0.0 255.240.0.0"
    Instead of pushing all traffic through a default gateway, I would advise to use exact routing instead. People that
    connect to the VPN-server normally already have internet. Therefore only the internal networks are interesting.
    Please only push the routes you really need and try to avoid the two "route 0.0.0.0 / 128.0.0.0" lines above that
    force all traffic through the tunnel.
cipher AES-256-CBC
    This describes the encryption method to be used. AES-256-CBC is considered strong encryption, while none just
    sends information unencrypted. There are more ciphers available. Please check the URLs I mentioned earlier.
comp-lzo
    Turns compression on. This helps for slow links with little bandwidth. You don't need this for fast links.




Client options
remote 192.168.3.51 1194
    * * * * * PLEASE ADJUST * * * * *
    This is the IP-address (192.168.3.51) and port number (1194) that the client needs to connect to. Please set this to
    the correct value. The server doesn't know if it is behind a NAT-device or not. Therefore you have to set it manually.
cipher AES-256-CBC
    This describes the encryption method to be used. AES-256-CBC is considered strong encryption, while none just
    sends information unencrypted. There are more ciphers available. Please check the URLs I mentioned earlier.
ca keys/ca.crt
cert keys/<certfile>.crt
key keys/<certfile>.key
ns-cert-type server
tls-auth keys/ta.key 1
    DON'T CHANGE! The certificates are generated automatically. If you change these settings the openvpn-client will
    not connect to the server.
    <certfile> is a reference to the certificates that are unique per client. During the generation of a client
    configuration the real names of the certificates will be filled in.
status openvpn-status.log
verb 1
    These statements refer to the client-side logging. These logs are stored on the client PC. You can adjust this to
    your liking.
mute-replay-warnings
    Wireless connections will result in replay messages that are not the result of an attack, but only occur due to
    limitations of a wireless connection. Turn this option on in that case. Protection against replaying will still work.
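The two tables above mark several lines DON'T CHANGE because losing them silently weakens the tunnel (no CRL check, no tls-auth, a cipher of none) or breaks it (a client template without a usable remote). The following lint is an added example, not part of the document or the appliance; it reads a server config and a client template as plain text, reports each problem, and returns the number of findings, so a change can be checked before it is made active in the GUI. The directive names are real OpenVPN options from the tables; the checks, messages and function names are my own.

```shell
#!/bin/sh
# Added example (not from the document): lint the security-relevant lines of
# the OpenVPN server config and client template described above.

# opt FILE DIRECTIVE: print the value of the first non-commented DIRECTIVE line.
opt() { sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1; }
# has_opt FILE DIRECTIVE: true if a non-commented DIRECTIVE line exists.
has_opt() { grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# lint_server_conf FILE: returns the number of findings (0 = clean).
lint_server_conf() {
    f=$1; n=0
    # Certificate chain, tls-auth and the CRL check must all be present.
    for req in ca cert key dh tls-auth crl-verify; do
        has_opt "$f" "$req" || { echo "server: missing '$req'"; n=$((n+1)); }
    done
    c=$(opt "$f" cipher)
    case "$c" in
        ""|none) echo "server: cipher is '${c:-missing}'; the tunnel would not be encrypted"; n=$((n+1)) ;;
    esac
    # Level 2 is what the connect/disconnect scripts need; 3 also passes
    # passwords to scripts via the environment, which is more than required.
    ss=$(opt "$f" script-security)
    [ -n "$ss" ] && [ "$ss" -gt 2 ] && { echo "server: script-security $ss is higher than the 2 the scripts need"; n=$((n+1)); }
    # Informational: the document advises exact routes over forcing all traffic.
    if grep -Eq '^[[:space:]]*push[[:space:]]+"route 0\.0\.0\.0 128\.0\.0\.0"' "$f" \
       || grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$f"; then
        echo "server: note: all client traffic is forced through the tunnel"
    fi
    return $n
}

# lint_client_template FILE: returns the number of findings (0 = clean).
lint_client_template() {
    f=$1; n=0
    r=$(opt "$f" remote)
    if [ -z "$r" ]; then
        echo "client: 'remote' missing; clients cannot connect"; n=$((n+1))
    else
        # A private address in 'remote' only works from the LAN; behind NAT
        # the public address must be entered by hand (the PLEASE ADJUST note).
        case "${r%% *}" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                echo "client: note: remote '${r%% *}' is a private address" ;;
        esac
    fi
    # Without this, any certificate signed by the CA (e.g. another client's)
    # would be accepted as the server's.
    has_opt "$f" ns-cert-type || { echo "client: 'ns-cert-type server' missing"; n=$((n+1)); }
    ta=$(opt "$f" tls-auth)
    case "$ta" in
        "")    echo "client: 'tls-auth' missing; must match the server's ta.key"; n=$((n+1)) ;;
        *" 1") ;;
        *)     echo "client: tls-auth key direction should be 1 (server uses 0)"; n=$((n+1)) ;;
    esac
    c=$(opt "$f" cipher)
    case "$c" in
        ""|none) echo "client: cipher is '${c:-missing}'"; n=$((n+1)) ;;
    esac
    return $n
}

# Usage (paths are assumptions; the GUI stores the text it shows you):
#   lint_server_conf /etc/openvpn/server.conf && echo "server config ok"
#   lint_client_template /path/to/client-template && echo "client template ok"
```

Both functions return the finding count as their exit status, so they compose with `&&` in a pre-change check; the "note:" lines are printed for review but not counted.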




6 Installing the installation package
IMPORTANT NOTE:
Before you start installing clients, please verify the "remote" statement you can find in the Configuration tab →
OpenVPN-configuration section → Client template. Clients won't connect if this is not set right. A short explanation
can be found in chapter 4.2.3 in the client options table.

In 5.1 the installation is described in which the OpenVPN gui is used on the client. With the gui the user can choose
when to set up a connection by clicking on an icon.
In 5.2 the installation is described in which the OpenVPN-client runs as a service. In this mode the VPN-connection
will be established the moment Windows is started.




6.1 Using the VPN-client-gui
For demonstration purposes I stored the installation package temporarily on the desktop of a standard Windows XP
machine:




    1.   Unzip the installation package with your favorite unzipper and store the contents in a temporary folder.




2.   Start install.bat by double clicking on it.




3.   Likely a message from Windows will appear to let you know that the software is not recognized. Just ignore it
     and click to continue to the next step.




4.   Click Next




5.   Click on I Agree.




6.   Click on Next.




7.   The default is normally fine. Just click on Install.




8.   The hardware driver is not recognized by Windows, so it will complain. Just click that you accept that and
     want to continue.




9.   The installation will go on. When it is finished the above screen will appear. Click on Next.




10. Click on Finish.




11. On the bottom right you will see a new icon appear. It looks like two PCs with a red screen. Right click on it.
12. A pop up menu will appear. The top item is called Connect. Click on it and a connection will be established with
    the OpenVPN-server. First you will see a window with the status of the connection that is being set up. The moment
    the connection is up, the window will disappear again. On the bottom right you will now see the same icon, but
    this time with green screens.




13. To disconnect you have to right click on the icon again. In the pop up menu you can now select the option
    disconnect.




6.2 Running as a service
The client works fine, but sometimes you don't want the user to set up the connection manually. In that case you can
start the OpenVPN-client as a service the moment that Windows starts. Unfortunately the icon we saw in the previous
chapter will disappear.

    1.   If you have already installed the installation package, please remove it first.
    2.   Follow the installation instructions from chapter 4.2 up to step 5.




    3.   Clear the checkbox of OpenVPN GUI and continue the installation up to and including step 10.
    4.   Select Start → Run.
    5.   In the textbox type: services.msc.




    6.   Browse down and select the OpenVPN Service.




7.   Right click on it and select properties.
8.   Set the startup type to Automatic and close all open windows.
9.   This is a good point to reboot and test if it works.
10. The only way to test if the service works properly is to ping (or tracert) a machine on the other end of the
    VPN-tunnel. Another way to check is to look in the web-gui (see 4.1 point 1). The client connection will show
    up in the Status tab within a minute after a valid connection was made.




7 Backup and Restore

7.1 Backup
Backups are something you have to do from the Linux command prompt. This chapter describes how to do this:
    1. Login as root (default username root, password openvpn).
        You can do this remotely with a tool like putty, or simply from the VMWare Console.
    2. Change to the right directory:
             cd /root/bin
    3.   Execute the backup command:
             ./CreateBackup.sh
This command will collect all necessary files, which you need to recover your system. The output will be saved in the /
directory, with a date stamp. Examples are:
         OpenVPNBackup-2009-05-17.tgz
         OpenVPNBackup-2009-06-14.tgz
         OpenVPNBackup-2009-07-27.tgz

It is advised to copy these files to some place safe, so you can still use them to recover/rebuild your system if it
crashes. Below I describe how to do this to a Microsoft Windows or a Linux Samba server.

    1.   Change to the root directory:
            cd /
    2.   Connect to the Microsoft Windows or Linux Samba server:
            mount -t cifs //<servername or ip-address>/<share name> /mnt -o username=<user>,password=<passwd>
         Please replace the following:
                  <servername or ip-address>    The name or the IP-address of the server you want to connect to.
                                                Please note that most likely the server cannot translate the name
                                                to an IP-address. Therefore the use of an IP-address is preferred.
                  <share name>                  The share name you want to connect to.
                  <user>                        The required username.
                  <passwd>                      The required password.

    3.   Copy the backups onto the server:
            cp /OpenVPNBackup* /mnt
    4.   Disconnect the connection to the server:
             umount /mnt




7.2 Restore
The backups are capable of restoring a default appliance to your fully functional OpenVPN server.
Please note that a restore will lose all current configuration information. It might be a good idea to make a backup first,
before you start a restore. Also note that to get everything active, the server needs to be rebooted. All users that are
connected to the OpenVPN-server will be disconnected.
For the restore I will assume that the backup is already in the root of the OpenVPN server. If the backups are on a
remote Windows Server or a Samba Server, please use the following steps to get them there:

    1.   Login as root (default username root, password openvpn).
         You can do this remotely with a tool like putty, or simply from the VMWare Console.
    2.   Change to the root directory:
             cd /
    3.   Connect to the Microsoft Windows or Linux Samba server:
            mount -t cifs //<servername or ip-address>/<share name> /mnt -o username=<user>,password=<passwd>
         Please replace the following:
                  <servername or ip-address>    The name or the IP-address of the server you want to connect to.
                                                Please note that most likely the server cannot translate the name
                                                to an IP-address. Therefore the use of an IP-address is preferred.
                  <share name>                  The share name you want to connect to.
                  <user>                        The required username.
                  <passwd>                      The required password.

    4.   Copy the backups from the server to the root directory:
            cp /mnt/OpenVPNBackup* /
    5.   Disconnect the connection to the server:
             umount /mnt

Now we can restore the required backup.

    1.   To find out which backups there are, type:
              cd /
              ls /OpenVPNBackup*
    2.   Choose the required backup. This backup will be called <OpenVPNBackup-date> below.
    3.   Restore the backup:
             tar -xvzf <OpenVPNBackup-date>
    4.   Restart the OpenVPN-server:
             shutdown -r now

Advanced note. If you revoke certificates with the Web-GUI, you can get them back by using a restore. If the
configuration (the settings found on the Configuration tab) didn't change, you do not need to restart the server. The
certificate will be restored and active immediately. HOWEVER, a restart is always preferred. A certificate-only restore
can be done with the following command (the wildcard is quoted so that the shell passes it to tar instead of expanding it
against the local filesystem):
              tar --wildcards -xvzf /OpenVPNBackup-2009-07-27.tgz 'opt/openvpn/bin/keys/*'
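The backup in 7.1 is copied over a network share and the restore in 7.2 extracts it straight over the live server, so a damaged or altered archive is only noticed after the server stops working. The functions below are an added example, not the appliance's own CreateBackup.sh or part of the document: they record a SHA-256 checksum next to each backup when it is made, verify the checksum and the presence of the keys directory before any restore, and wrap the certificate-only restore from the advanced note with the wildcard quoted. Backup names follow the document (OpenVPNBackup-<date>.tgz); the checksum file name, the function names and the optional destination directory are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the document): integrity check for the OpenVPN
# backups of 7.1 and a verified certificate-only restore for 7.2.

# sha256 FILE: print the hex digest (GNU coreutils or BSD shasum).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# seal_backup FILE: write FILE.sha256. Run right after ./CreateBackup.sh and
# copy both files to the share, so the copy can be checked on the far side.
seal_backup() {
    [ -f "$1" ] || { echo "no such backup: $1" >&2; return 1; }
    sha256 "$1" > "$1.sha256"
}

# verify_backup FILE: 0 if the checksum matches and the archive contains the
# keys directory (opt/openvpn/bin/keys/, the path the document restores).
verify_backup() {
    f=$1
    [ -f "$f.sha256" ] || { echo "no checksum file for $f" >&2; return 1; }
    [ "$(sha256 "$f")" = "$(cat "$f.sha256")" ] \
        || { echo "checksum mismatch: $f was changed since it was sealed" >&2; return 1; }
    tar -tzf "$f" | grep -q '^opt/openvpn/bin/keys/' \
        || { echo "no keys directory in $f" >&2; return 1; }
}

# restore_keys_only FILE [DEST]: the certificate-only restore from the
# advanced note, verified first. DEST defaults to / as in the document;
# pointing it at a scratch directory lets you inspect the keys before
# touching the live server.
restore_keys_only() {
    f=$1; dest=${2:-/}
    verify_backup "$f" || return 1
    tar --wildcards -xzf "$f" -C "$dest" 'opt/openvpn/bin/keys/*'
}

# Usage on the appliance (constructed values):
#   cd /root/bin && ./CreateBackup.sh
#   seal_backup /OpenVPNBackup-2009-07-27.tgz
#   cp /OpenVPNBackup-2009-07-27.tgz /OpenVPNBackup-2009-07-27.tgz.sha256 /mnt
#   restore_keys_only /OpenVPNBackup-2009-07-27.tgz          # later, on restore
```

The `--wildcards` option is GNU tar syntax, the same as in the document's command; the quoted pattern is what makes it reach tar unchanged.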



