Several open source solutions are available to build your own virtual private network. These solutions take different approaches: some use IPsec, others run over plain TCP/IP. We chose the OpenVPN software to build our VPN. It does not require an IPsec-capable network infrastructure, but it is safe nonetheless, as it supports all of the encryption, authentication and certification features of the OpenSSL library (any cipher, key size or HMAC digest). OpenVPN meets our functional needs: it can create VPN tunnels between datacenters as well as support roadwarriors. It just does its job. OpenVPN is available for GNU/Linux, Apple Mac OS X and Microsoft Windows.

Further information is available at the OpenVPN homepage.

OpenVPN

This documentation describes how to create a VPN between roadwarriors and your main office, which houses the Hannibal servers. The configuration supports NAT traversal, and we assume a UDP port mapping (by default port 1194) exists from your firewall to the OpenVPN server.

In our example the Hannibal servers live in the 192.168.1.0/24 subnet. The OpenVPN server will use the 192.168.11.0/24 subnet for your VPN clients. If you want them to be able to reach other servers in the 192.168.1.0/24 subnet, you will have to create static routes back to the VPN client subnet on those servers or on your firewall.

Server side

Installation

Installation of the server part of the software is fairly simple. In addition to the package itself, OpenVPN uses the LZO package for compression.

apt-get install openvpn lzop openssl

Configuration

Create a server side configuration file /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/xenvpn.crt
key /etc/openvpn/easy-rsa/keys/xenvpn.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.11.0 255.255.255.0
keepalive 10 120
ping-timer-rem
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.11"
push "dhcp-option WINS 192.168.1.16"
comp-lzo
status openvpn-status.log
verb 4

You need to enable IP forwarding on your OpenVPN server, so add this line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Activate this option by running:

/etc/init.d/procps restart

After you have created your certificates (see the Certificates section below), you can start the OpenVPN server. netstat should then show a listener on UDP port 1194; also check the file /var/log/daemon.log.

/etc/init.d/openvpn start
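The file named by the status directive in the server configuration above is the quickest way to see who is connected and which tunnel address each client holds. The following Python script is an added example, not part of this documentation or of the OpenVPN project: it parses the version-1 status format OpenVPN writes and flags any client whose tunnel address lies outside the 192.168.11.0/24 pool configured with the server directive. The status text embedded in it is constructed sample data.

```python
"""Parse an OpenVPN status file (format version 1, as written by the
'status openvpn-status.log' directive) and report clients whose tunnel
address is not part of the configured VPN pool.

Added example, not part of the original documentation; SAMPLE_STATUS is
constructed sample data, not a real capture.
"""
import ipaddress

# Pool handed out by 'server 192.168.11.0 255.255.255.0'
VPN_POOL = ipaddress.ip_network("192.168.11.0/24")

# Constructed sample: two connected clients; bob's routing entry carries an
# address that does not belong to the configured pool.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.23:51234,18342,90211,Thu Jun 18 07:58:02 2009
bob,203.0.113.9:40112,2048,4096,Thu Jun 18 08:10:41 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.11.6,alice,198.51.100.23:51234,Thu Jun 18 08:12:10 2009
10.8.0.14,bob,203.0.113.9:40112,Thu Jun 18 08:12:15 2009
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return (clients, routes) from a version-1 status file.

    clients maps common name -> dict(real_address, bytes_received,
    bytes_sent, connected_since); routes maps virtual address -> common name.
    """
    clients, routes = {}, {}
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        # skip the timestamp row and the column header rows
        if section is None or line.startswith(("Updated,", "Common Name,", "Virtual Address,")):
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5:
            name, real, rx, tx, since = fields
            clients[name] = {"real_address": real, "bytes_received": int(rx),
                             "bytes_sent": int(tx), "connected_since": since}
        elif section == "routes" and len(fields) == 4:
            routes[fields[0]] = fields[1]
    return clients, routes


def clients_outside_pool(text, pool=VPN_POOL):
    """Return sorted (common_name, virtual_address) pairs not inside pool."""
    _, routes = parse_status(text)
    outside = []
    for vaddr, name in routes.items():
        try:
            inside = ipaddress.ip_address(vaddr) in pool
        except ValueError:  # in TAP mode this column holds MAC addresses
            inside = False
        if not inside:
            outside.append((name, vaddr))
    return sorted(outside)


if __name__ == "__main__":
    for name, vaddr in clients_outside_pool(SAMPLE_STATUS):
        print(f"{name}: {vaddr} is outside {VPN_POOL}")
```

Run it against the real file with open("/etc/openvpn/openvpn-status.log").read() instead of SAMPLE_STATUS (the status path is relative to the directory OpenVPN runs in). The parser splits on commas, so a client common name containing a comma would confuse it; keep certificate common names plain.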

PAM/NSSwitch

At this moment our VPN server only checks for a valid client certificate on VPN clients. You might also want to add username/password authentication. As the Debian OpenVPN package already includes a plugin for PAM/NSSwitch, let's enable this plugin. We usually configure PAM/NSSwitch to check our corporate LDAP infrastructure for authentication/authorization. Read this section for documentation on how to connect PAM/NSSwitch to LDAP.

Edit /etc/openvpn/server.conf and add a line for the plugin:

...
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
...

Create a configuration file /etc/pam.d/openvpn

@include common-auth
@include common-account
@include common-session

After a restart of the OpenVPN service your clients will be required to provide valid credentials. Don't forget to make sure that the OpenVPN client software prompts the user for credentials. Add a line to the client configuration file:

...
auth-user-pass
...

If you want to grant VPN access only to members of a specific group, you can use the module pam_succeed_if. Modify /etc/pam.d/openvpn to look like this:

@include common-auth
account     required     pam_succeed_if.so user ingroup vpnusers
@include common-account
@include common-session

Certificates

Of course you can create the required certificates with your existing CA. However, the Debian OpenVPN package conveniently includes a tiny CA called Easy-RSA. We'll use Easy-RSA to create a CA, our server certificate and the client certificates.

Copy the software to the desired location:

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Adjust the file /etc/openvpn/easy-rsa/vars to your situation. After that, source this file and create your CA. You also need to build a Diffie-Hellman parameter file for the OpenVPN server.

cd /etc/openvpn/easy-rsa
. vars
./clean-all
./build-ca
./build-dh

Now you can build a certificate for your OpenVPN server. In our example the hostname is 'xenvpn':

./build-key-server xenvpn

For authentication you'll need a key pair per OpenVPN client. Obviously a unique client_id is required for each client.

./build-key your_client_id

Client side

The OpenVPN client configuration requires three certificate files besides the main configuration file: the CA root certificate, a client certificate and the client's private key. These have to be provided by the OpenVPN server administrator (for instance by using the Easy-RSA software as described earlier in this chapter).

Linux

Generic cli (including Asus EeePC)

If the CLI tools are sufficient for you, just install the openvpn package:

apt-get install openvpn

Use the openvpn.conf sample from /usr/share/doc to create /etc/openvpn/openvpn.conf. Add the correct paths/filenames of the three certificate files and add the line below so you are prompted for your credentials on startup:

auth-user-pass

Ubuntu GUI

An easy-to-use graphical client (needs sudo permissions) is available as a plug-in. After:

sudo apt-get install network-manager-openvpn

the configuration and enabling can be done through the regular network configuration. Use the network icon in the taskbar.

Mac OS X

Download and install Tunnelblick, the OpenVPN GUI for OS X, from http://www.tunnelblick.net and follow the installation instructions.

Afterwards move your client certificate, private key and the public CA certificate to the directory /Users/your_username/Library/openvpn.

In the same directory create an 'openvpn.conf' file with content like this:

client
dev tun
proto udp
remote fqdn_your_openvpn_server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
auth-user-pass
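A tunnel that does not come up is usually a mismatch between the two configuration files shown in this chapter: a different port or protocol, comp-lzo on one side only, or a server that demands a username/password through the auth-pam plugin while the client never sends one. The following Python script is an added example, not part of this documentation or of the OpenVPN project: it parses both files with OpenVPN's one-directive-per-line syntax and cross-checks them. The server and client texts embedded in it are the ones from this page (with the plugin line from the PAM/NSSwitch section added to the server side); the file and host names in them are placeholders.

```python
# Cross-check the OpenVPN server.conf and a client openvpn.conf from this
# chapter. Added example, not part of the original documentation; the two
# configurations below are embedded as strings, their file names are
# placeholders taken from the page.
import shlex

# /etc/openvpn/server.conf, plus the plugin line from the PAM/NSSwitch section
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/xenvpn.crt
key /etc/openvpn/easy-rsa/keys/xenvpn.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.11.0 255.255.255.0
keepalive 10 120
ping-timer-rem
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.11"
push "dhcp-option WINS 192.168.1.16"
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
comp-lzo
status openvpn-status.log
verb 4
"""

# openvpn.conf from the Mac OS X client section
CLIENT_CONF = """\
client
dev tun
proto udp
remote fqdn_your_openvpn_server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
auth-user-pass
"""


def parse_config(text):
    """Return the config as an ordered list of (directive, args).

    One directive per line, arguments whitespace separated and optionally
    double quoted (push "route ..."); lines starting with # or ; are comments.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def first_args(entries, directive, default=None):
    """Arguments of the first occurrence of directive, or default if absent."""
    for d, args in entries:
        if d == directive:
            return args
    return default


def proto_family(proto):
    """Collapse udp/udp4/udp6 and tcp/tcp-server/tcp-client to 'udp' or 'tcp'."""
    return proto.lower().split("-")[0].rstrip("46")


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    s_port = first_args(s, "port", ["1194"])[0]
    s_proto = first_args(s, "proto", ["udp"])[0]
    c_proto = first_args(c, "proto", ["udp"])[0]

    # remote <host> [port] [proto]: per-remote port/proto override the globals
    for d, args in c:
        if d != "remote":
            continue
        port = args[1] if len(args) > 1 else "1194"
        proto = args[2] if len(args) > 2 else c_proto
        if port != s_port:
            findings.append(f"remote {args[0]}: client port {port}, server listens on {s_port}")
        if proto_family(proto) != proto_family(s_proto):
            findings.append(f"remote {args[0]}: client proto {proto}, server proto {s_proto}")

    # tun versus tap must match; 'dev tun0' is still a tun device
    s_dev = first_args(s, "dev", ["tun"])[0].rstrip("0123456789")
    c_dev = first_args(c, "dev", ["tun"])[0].rstrip("0123456789")
    if s_dev != c_dev:
        findings.append(f"device type mismatch: server {s_dev}, client {c_dev}")

    # compression has to be enabled on both sides or on neither
    if (first_args(s, "comp-lzo") is None) != (first_args(c, "comp-lzo") is None):
        findings.append("comp-lzo is set on only one side")

    # the auth-pam plugin makes the server demand a username/password
    pam = any(d == "plugin" and args and args[0].endswith("openvpn-auth-pam.so")
              for d, args in s)
    if pam and first_args(c, "auth-user-pass") is None:
        findings.append("server uses openvpn-auth-pam.so but client lacks auth-user-pass")

    # without 'client' (or 'pull') the pushed route and DNS options are ignored
    if first_args(c, "client") is None and first_args(c, "pull") is None:
        findings.append("client config lacks 'client' (or 'pull'); pushed options are ignored")

    for needed in ("ca", "cert", "key"):
        if first_args(c, needed) is None:
            findings.append(f"client config lacks '{needed}'")
    return findings


if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF) or "server and client configs are consistent")
```

To check real files, pass open("/etc/openvpn/server.conf").read() and the client file's contents to check_pair. Dropping auth-user-pass from the client above yields exactly one finding; changing the remote line to another port or to tcp yields a finding per mismatch.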

MS-Win 2000/XP

Download and install the OpenVPN GUI for Windows from http://www.openvpn.se and follow the installation instructions.