OpenVPN
These are some notes on how I manage OpenVPN.
Overview
At home I have a Buffalo WZR-HP-G300NH router between my network and my Comcast cable modem. (I used to use a RouterBoard; the version I had was a single board computer with 3 ethernet ports running OpenWRT.) It's still performing the same function but it's at someone else's home now.
I run OpenVPN on the router.
At work I run OpenVPN on a Linux server.
My router is configured to keep a connection up to the work server at all times, and to route home traffic seamlessly across the connection to work, so that basically I always have access to all work resources from my home network. (And vice versa.)
The work server is configured to allow connections from my home network, and from any other employee who wants to have access.
Most of the other employees use a client that runs on Windows, so when they connect they are hooking up just the one machine to our work network. I also use a setup like this on my Macintosh when I am on the road.
The details
What follows is a copy of the wiki page that I wrote for internal use. I have scrubbed out stuff specific to my employer's set up. Anywhere you see "ourdomain.com" you'd have to insert your own domain.
The basic concept of OpenVPN
You install an OpenVPN client and a set of keys on your computer. When you run the client, it creates a virtual network interface on your computer and connects it via an encrypted "tunnel" to our server at AGI.
When your computer needs to talk to a computer on the other side of the connection, the packets are sent through the tunnel. The OpenVPN software takes care of encrypting packets as they enter the tunnel and decrypting them on the other side as they leave the tunnel.
When the connection is in place, you get direct access to any resource that you'd be able to reach inside the office - including all file servers, desktop systems, telephones, and printers.
All data is encrypted when it is passing over the Internet. Anyone spying on the traffic out on the Internet sees only the encrypted data, but any program running on your computer sees just another normal network connection.
One caveat: We manage the connection so that when it's up, our internal network names resolve correctly. Because you are probably in some other domain like comcast.net, you will have to use full names like "wiki.ourdomain.com" instead of just "wiki" when you are using a VPN connection.
Set up notes for Windows clients
These are notes for users. If you are the network administrator skip ahead for information on creating the special files. This doc assumes that the sysadmin has generated a set of files for your personal use ahead of time, and put them on a shared file server in a known location.
You can download an OpenVPN client directly from the Internet at the Community OpenVPN page, but you will still need our special server key.
Installation
- Run the openvpn installer that you will find in the folder.
- Copy the files ourdomain.ovpn and ca.crt to C:\Program Files\OpenVPN\config\
- Get your own personal key files (client.key and client.crt) from the subfolder named after you. Put them in the config folder as well.
Usage
- Windows XP - Double-click the OpenVPN GUI to launch it. (This adds an OpenVPN icon to the tray; you won't see much else happen.)
- Windows Vista or 7 - Right-click the icon and tell it to run as Administrator. (This adds an OpenVPN icon to the tray; you won't see much else happen.)
- Right-click the OpenVPN icon in the tray and select "Connect". This should bring up the VPN tunnel.
- When you are done using AGI resources you should right-click the icon and select "Disconnect".
(Leaving it running all the time is a security hole.)
When the connection is running you should be able to access any system on the AGI network.
Macintosh: There is a compatible client called Tunnelblick available for Macintosh users. I have gotten it going but have not written it up here yet. It's very similar in that you have to drop the same config files into a folder on the Mac.
Set up notes for Linux clients
As mentioned above, at home I have since stopped using the Ubuntu box as a router, and now I use a Buffalo router running OpenWRT. It's easier to live with once it is set up. But this method still works for one computer or a laptop to get secure access while on the road in public places.
Step by step, Ubuntu or Debian or Mint
1. Create a key pair with SSH (see the "Create a key pair" section of the SSH page) and send me your public key. I will put the public key into your home directory so you won't need a password on my system to get in. I will use your public key to encrypt the files that I send to you in step 3 so that I can just email them to you.
2. Install the software. The package is the same for client and server; the configuration determines which one you are.
sudo apt-get install openvpn
3. Request keys from me. I will generate them and send them to you.
Create a folder to hold your keys. I use /etc/openvpn/keys:
sudo mkdir /etc/openvpn/keys
4. Create a client configuration file with the .conf extension in the folder /etc/openvpn/. Here is my template:
client
dev tun
proto udp
# hupi.org is the name of the server you are connecting to
remote hupi.org 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca keys/ca_hupi.crt
# yes -- change "yourname" to your username!
cert keys/yourname.crt
key keys/yourname.key
comp-lzo
verb 3
mute 20
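As an added example (not code from the original page), here is a small script that writes the template above for one user and then preflight-checks the result before OpenVPN is started: it confirms the ca, cert and key files actually exist relative to the config directory, and refuses to pass a private key that is readable by anyone other than its owner. The server name, key directory and output path are assumptions passed in as arguments; the file name ca_hupi.crt is kept from the template.

```shell
#!/bin/sh
# Added example, not code from the original page: write the client .conf above
# for one user, then preflight-check it before starting OpenVPN.
# Assumed (not in the original): server name, key directory and output path
# are passed as arguments; the filename ca_hupi.crt is kept from the template.

# make_client_conf USER SERVER KEYDIR OUTFILE
# Writes the template with "yourname" replaced by USER.
make_client_conf() {
    user="$1"; server="$2"; keydir="$3"; out="$4"
    cat > "$out" <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca $keydir/ca_hupi.crt
cert $keydir/$user.crt
key $keydir/$user.key
comp-lzo
verb 3
mute 20
EOF
}

# key_is_private FILE
# Succeeds only when group and others have no permission bits at all
# (characters 5-10 of the "ls -l" mode string are the group/other bits).
key_is_private() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# check_client_conf CONFDIR CONFFILE
# Resolves the ca/cert/key paths relative to CONFDIR (Debian starts OpenVPN
# with /etc/openvpn as its working directory, which is why the template can
# say "keys/yourname.key"), then fails if a file is missing or the private
# key is readable by anyone but its owner.
check_client_conf() {
    confdir="$1"; conf="$2"; rc=0
    for directive in ca cert key; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing '$directive' directive in $conf" >&2
            rc=1
            continue
        fi
        case "$path" in
            /*) full="$path" ;;
            *)  full="$confdir/$path" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "$directive file not found: $full" >&2
            rc=1
        elif [ "$directive" = key ] && ! key_is_private "$full"; then
            echo "private key $full is readable by group/others; chmod 600 it" >&2
            rc=1
        fi
    done
    return $rc
}
```

On the client machine this would be run as `make_client_conf bwilson hupi.org keys /etc/openvpn/ourdomain.conf` followed by `check_client_conf /etc/openvpn /etc/openvpn/ourdomain.conf`; a non-zero exit with a message on stderr tells you what to fix before you bother reading the OpenVPN log.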
Gory details for sysadmins
These are notes for your friendly system administrator.
Debugging a connection
On a Windows client, in a command window, do ipconfig /all. This is the output from a desktop machine; the "TAP-Win32 Adapter" at the end is the virtual interface the OpenVPN client creates, so if it is missing the client is not installed correctly.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\bwilson>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Umatilla
        Primary Dns Suffix . . . . . . . : ourdomain.com
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ourdomain.com
                                            crestviewcable.com

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
        Physical Address. . . . . . . . . : 00-1C-BF-A3-84-40

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : crestviewcable.com
        Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
        Physical Address. . . . . . . . . : 00-1C-25-72-5F-65
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 64.77.202.9
                                            69.60.160.196
                                            68.87.69.146
        Lease Obtained. . . . . . . . . . : Tuesday, May 25, 2010 8:16:07 AM
        Lease Expires . . . . . . . . . . : Friday, May 28, 2010 8:16:07 AM

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V9
        Physical Address. . . . . . . . . : 00-FF-66-21-BC-21
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled .
Creating a key for a new client system.
This is what I have to do to create the key pair that I give you.
- Log into the Linux file server and 'su' to get root access.
- Do this:
cd /etc/openvpn/easy-rsa
source vars
- Run the command "./build-key client" where client is the client's name, like bwilson or jsmith. You can accept most of the defaults in this command.
- Use the client's name (e.g. bwilson) when it asks for "Common Name".
- Say yes when it asks if you want the key signed
- Say yes when it asks for commitment. For example
- Copy and rename the files. For example
cd /etc/openvpn/easy-rsa/keys
mkdir shared_directory/OpenVPN/bwilson
cp bwilson.crt shared_directory/OpenVPN/bwilson/client.crt
cp bwilson.key shared_directory/OpenVPN/bwilson/client.key
chown -R bwilson:users shared_directory/OpenVPN/bwilson
- Give a copy of those two files to the user. (They are now on the Samba shared drive if you used the above commands.) The client.key should be kept secret; it potentially gives the holder access to our network. Delete the /tmp copies after you have given them to the user.
We keep the shared_directory mapped to a drive letter so we can tell users something like this:
The Windows client and information on setting it up can be found in T:/OpenVPN
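As an added example (not code from the original page or from easy-rsa), the following script does the copy/rename step above for one user with the checks a sysadmin would want: it refuses to run if build-key has not produced the files, refuses to overwrite a key that was already handed out, makes the private key readable by its owner only, and can confirm that a certificate really was signed by our CA and carries the expected Common Name before it goes into that user's folder. The easy-rsa keys directory and the shared directory are assumptions passed in as arguments; the group name "users" comes from the chown command above.

```shell
#!/bin/sh
# Added example, not code from the original page: stage a newly built client
# key pair for one user the way the copy/rename step above does, with checks
# that the right files are being handed out and that only the user can read
# the private key. Assumed (not in the original): the easy-rsa keys directory
# and the shared directory are arguments; group "users" comes from the chown above.

# stage_client_files USER KEYSDIR SHAREDIR [GROUP]
# Copies USER.crt/USER.key into SHAREDIR/OpenVPN/USER as client.crt/client.key.
stage_client_files() {
    user="$1"; keysdir="$2"; share="$3"; group="${4:-users}"
    dest="$share/OpenVPN/$user"
    if [ ! -f "$keysdir/$user.crt" ] || [ ! -f "$keysdir/$user.key" ]; then
        echo "no key pair for $user in $keysdir (run ./build-key $user first)" >&2
        return 1
    fi
    if [ -e "$dest/client.key" ]; then
        echo "$dest/client.key already exists; refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$share/OpenVPN" || return 1
    # Create the user's folder closed to everyone else before any file lands in it.
    (umask 077 && mkdir "$dest") || return 1
    cp "$keysdir/$user.crt" "$dest/client.crt" || return 1
    cp "$keysdir/$user.key" "$dest/client.key" || return 1
    chmod 644 "$dest/client.crt"
    chmod 600 "$dest/client.key"
    # chown needs root; when run unprivileged, report it instead of failing the staging.
    chown -R "$user:$group" "$dest" 2>/dev/null \
        || echo "note: could not chown $dest to $user:$group (not root?)" >&2
    return 0
}

# cert_common_name CERTFILE
# Prints the Common Name from the certificate subject.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_client_cert CACERT CERTFILE USER
# Checks that the certificate chains to our CA and that its Common Name is USER,
# so a certificate copied into the wrong user's folder is caught before it goes out.
verify_client_cert() {
    ca="$1"; crt="$2"; user="$3"
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt does not verify against $ca" >&2
        return 1
    fi
    cn=$(cert_common_name "$crt")
    if [ "$cn" != "$user" ]; then
        echo "$crt has Common Name '$cn', expected '$user'" >&2
        return 1
    fi
    return 0
}
```

Typical use on the file server, after `./build-key bwilson`: `verify_client_cert keys/ca.crt keys/bwilson.crt bwilson && stage_client_files bwilson keys /path/to/shared_directory`. The Common Name check matters because the server identifies the client by it (it is what the ccd file name is matched against), so a certificate with the wrong name in the wrong folder is a routing problem as well as an accountability problem.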
Network config details
The main OpenVPN server is at 10.8.0.1
By default OpenVPN will create a point-to-point link for each client from a pool in the same subnet, for example 10.8.0.13 and 10.8.0.14. From the client you can always see the OpenVPN server at 10.8.0.1. It's possible to nail down the client to a particular subnet if you want two-way connections, so that you can get access to your home machine from the office.
Server set up
Currently the main file server (running Linux and Samba) is running as an OpenVPN server, so that outside workers can get a VPN connection into our LAN. In the meantime there are NAT rules to make routing work on Kilchis.
On the file server you need to adjust these files:
/etc/openvpn/server.conf
/etc/dnsmasq.conf
/etc/network/interfaces
/etc/network/firewall.sh
/etc/openvpn/server.conf
At work, I run network numbers in the range 10.1.10.x. At home I use 192.168.123.x. The OpenVPN connections are 10.x.x.x, usually 10.8.0.x but for my own connection I use 10.128.x.x
Here are the parts I changed / added. I run everything over UDP so I have "proto udp" uncommented. I use the 'tun' device so I have the "dev tun" line uncommented.
# Certificates and key
ca ca.crt
cert ourdomain.crt
key ourdomain.key  # This file should be kept secret

# At work - internal LAN
push "route 10.1.10.0 255.255.255.0"

# Brian Wilson at home (see also ccd/bwilson)
route 10.128.0.0 255.255.255.0

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DOMAIN ourdomain.com"
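The "route 10.128.0.0 255.255.255.0" line above only does half the job of bringing a home network across the tunnel: it tells the server's kernel to send packets for that subnet into the tun device, while the matching "iroute" line in the client's ccd file (the "ccd/bwilson" the comment refers to) tells OpenVPN which connected client owns the subnet. Forgetting either one breaks routing without any error message. As an added example (not code from the original page), the script below builds a sample server.conf and ccd directory mirroring the fragments above and cross-checks that every iroute has its server-side route. The lines "server 10.8.0.0 255.255.255.0", "client-config-dir ccd" and the ifconfig-push pair are assumptions consistent with the addresses mentioned on this page, not lines quoted from it, and the second client (jsmith) is a constructed broken case.

```shell
#!/bin/sh
# Added example, not code from the original page. For a client to bring a whole
# subnet across the tunnel (the home LAN 10.128.0.0/24 above), the server needs
# both a "route" line in server.conf and an "iroute" line in the client's ccd
# file. This script cross-checks the two. The sample configs are constructed;
# "server 10.8.0.0 255.255.255.0", "client-config-dir ccd" and the
# ifconfig-push pair are assumptions, not lines quoted from the page.

# write_sample_server_config DIR
# Builds DIR/server.conf and DIR/ccd/* mirroring the fragments above, plus one
# deliberately broken client (jsmith) whose subnet was never routed on the server.
write_sample_server_config() {
    dir="$1"
    mkdir -p "$dir/ccd" || return 1
    cat > "$dir/server.conf" <<'EOF'
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
# At work - internal LAN
push "route 10.1.10.0 255.255.255.0"
# Brian Wilson at home (see also ccd/bwilson)
route 10.128.0.0 255.255.255.0
EOF
    cat > "$dir/ccd/bwilson" <<'EOF'
# Pin this client to a fixed address pair (client address, server-side endpoint)
# so the office side can always reach the home machine at the same address.
ifconfig-push 10.8.0.13 10.8.0.14
# This client owns the 10.128.0.0/24 subnet behind it.
iroute 10.128.0.0 255.255.255.0
EOF
    cat > "$dir/ccd/jsmith" <<'EOF'
iroute 10.129.0.0 255.255.255.0
EOF
}

# iroutes_without_route SERVERCONF CCDDIR
# Prints "client network netmask" for every ccd iroute that has no matching
# "route network netmask" in SERVERCONF; prints nothing when all are covered.
iroutes_without_route() {
    conf="$1"; ccd="$2"
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        client=$(basename "$f")
        awk '$1 == "iroute" { print $2, $3 }' "$f" | while read -r net mask; do
            if ! awk -v n="$net" -v m="$mask" \
                    '$1 == "route" && $2 == n && $3 == m { found = 1 } END { exit !found }' "$conf"; then
                echo "$client $net $mask"
            fi
        done
    done
}

# check_routes SERVERCONF CCDDIR
# Fails if ccd files are not enabled at all or if any iroute lacks its server route.
check_routes() {
    conf="$1"; ccd="$2"
    if ! grep -q '^client-config-dir' "$conf"; then
        echo "$conf has no client-config-dir line, so files in $ccd are ignored" >&2
        return 1
    fi
    missing=$(iroutes_without_route "$conf" "$ccd")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | while read -r client net mask; do
        echo "ccd/$client has 'iroute $net $mask' but $conf has no 'route $net $mask'" >&2
    done
    return 1
}
```

On a real server you would skip write_sample_server_config and run `check_routes /etc/openvpn/server.conf /etc/openvpn/ccd` after editing either file; it reports the jsmith case above (an iroute with no route) and the opposite mistake of a server.conf that never enables client-config-dir at all. A "route" line with no iroute is not flagged, because the symptom of that one is the more familiar "no route to host" on the server rather than silently dropped packets.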
Troubleshooting
Check the contents of the /etc/openvpn/openvpn.log and openvpn-status.log files.