Several open source solutions are available to build your own virtual private network. These solutions go about their job in different ways: some use IPsec, others use plain TCP/IP. We chose the OpenVPN software to build our VPN. It does not require an IPsec-supporting network infrastructure, but it is secure nonetheless, as it supports all of the encryption, authentication, and certification features of the OpenSSL library (any cipher, key size, or HMAC digest). OpenVPN meets our functional needs: it can create VPN tunnels between datacenters as well as support road warriors. It just does its job. OpenVPN is available for GNU/Linux, Apple Mac OS X and Microsoft Windows.
Further information is available at the openvpn homepage.
This documentation describes how to create a VPN between road warriors and your main office that houses the Hannibal servers. The configuration supports NAT traversal, and we assume a UDP port mapping (by default port 1194) exists from your firewall to the OpenVPN server.
In our example the hannibal-servers live in a 192.168.1.0/24 subnet. The Openvpn server will use a 192.168.11.0/24 subnet for your VPN-clients. If you want them to be able to connect to other servers in the 192.168.1.0/24 subnet, you'll have to create static routes on those servers or on your firewall.
Installation of the server part of the software is fairly simple. In addition to the package itself, Openvpn uses the LZO-package for compression.
apt-get install openvpn lzop openssl
Create a server side configuration file /etc/openvpn/server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/xenvpn.crt
key /etc/openvpn/easy-rsa/keys/xenvpn.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.11.0 255.255.255.0
keepalive 10 120
ping-timer-rem
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.11"
push "dhcp-option WINS 192.168.1.16"
comp-lzo
status openvpn-status.log
verb 4
You need to enable IP forwarding on your OpenVPN server, so add this line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Activate this option by running:
/etc/init.d/procps restart
Once you have created your certificates (see the Easy-RSA section below), you can start the OpenVPN server. Netstat should then show a listener on UDP port 1194. Also check the file /var/log/daemon.log for errors.
/etc/init.d/openvpn start
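The two checks the previous paragraph tells you to do by hand (a listener on UDP port 1194, IP forwarding switched on) can be read straight from /proc. The script below is an added example, not code from the original page or from the OpenVPN project; it parses the /proc/net/udp table format and the ip_forward sysctl value, and falls back to a constructed sample table when run on a system without /proc.

```python
"""Post-start checks for the OpenVPN server: UDP listener and IP forwarding.

Added example (not from the original page or the OpenVPN project). Both
checks take the file contents as text so they can be exercised offline.
"""
import os

# Constructed sample of /proc/net/udp. local_address is HEXIP:HEXPORT,
# so 00000000:04AA is 0.0.0.0:1194 and 0100007F:0035 is 127.0.0.1:53.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 00000000:04AA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
 1235: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
"""


def udp_listen_ports(proc_net_udp_text):
    """Return the set of local UDP ports found in a /proc/net/udp table.

    The first line is the column header and is skipped; the port is the
    hex value after the colon in the local_address column.
    """
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def ip_forwarding_enabled(sysctl_value):
    """True when the content of /proc/sys/net/ipv4/ip_forward is '1'."""
    return sysctl_value.strip() == "1"


def check_server(proc_net_udp_text, ip_forward_value, port=1194):
    """Run both checks on the given file contents; returns name -> bool."""
    return {
        "udp_listener": port in udp_listen_ports(proc_net_udp_text),
        "ip_forward": ip_forwarding_enabled(ip_forward_value),
    }


def check_live_system(port=1194):
    """Run the checks against the real /proc files (Linux, IPv4 only;
    a server bound to an IPv6 socket shows up in /proc/net/udp6 instead)."""
    with open("/proc/net/udp") as f:
        udp = f.read()
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        fwd = f.read()
    return check_server(udp, fwd, port)


if __name__ == "__main__":
    if os.path.exists("/proc/net/udp"):
        result = check_live_system()
    else:
        result = check_server(SAMPLE_PROC_NET_UDP, "1\n")
    for name, ok in result.items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
```

Run it on the server after "/etc/init.d/openvpn start"; a FAILED udp_listener usually means OpenVPN refused to start because of a certificate path or permission problem, which daemon.log will show.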
At this point our VPN server only checks for a valid client certificate on VPN clients. You might also want to add username/password authentication. As the Debian OpenVPN package already includes a plugin for PAM/NSSwitch, let's enable this plugin. We usually configure PAM/NSSwitch to check our corporate LDAP infrastructure for authentication/authorization. Read this section for documentation on how to connect PAM/NSSwitch to LDAP.
Edit /etc/openvpn/server.conf and add a line for the plugin:
...
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
...
Create a configuration file /etc/pam.d/openvpn:
@include common-auth
@include common-account
@include common-session
After a restart of the OpenVPN service your clients will be required to provide valid credentials. Don't forget to make sure that the OpenVPN client software will prompt the user for their credentials. Add a line to the client configuration file:
...
auth-user-pass
...
If you want to grant VPN access only to members of a specific group, you can use the module pam_succeed_if. Modify /etc/pam.d/openvpn to look like this:
@include common-auth
account required pam_succeed_if.so user ingroup vpnusers
@include common-account
@include common-session
Of course you can create the required certificates on your existing CA. However, the Debian OpenVPN package conveniently includes a tiny CA called Easy-RSA. We'll use Easy-RSA to create a CA, our server certificate and the client certificates.
Copy the software to the desired location:
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Adjust the file /etc/openvpn/easy-rsa/vars to your situation. After that you have to source this file and create your CA. You also need to build a Diffie-Hellman parameter file for the OpenVPN server.
cd /etc/openvpn/easy-rsa
. vars
./clean-all
./build-ca
./build-dh
Now you can build a certificate for your OpenVPN server. In our example the hostname is 'xenvpn':
./build-key-server xenvpn
For authentication you'll need a key pair per OpenVPN client. Obviously a unique client_id is required for each client.
./build-key your_client_id
The OpenVPN client configuration requires three certificate files besides the main configuration file: a CA root certificate, a client certificate and a client key file. These have to be provided by the OpenVPN server administrator (for instance by using the Easy-RSA software as described earlier in this chapter).
If CLI tools are sufficient for you, just install the openvpn package:
apt-get install openvpn
Use the openvpn.conf sample from /usr/share/doc/openvpn to create /etc/openvpn/openvpn.conf. Add the correct paths and filenames of the three certificate files, and add the line below so that you are prompted for your credentials on execution:
auth-user-pass
An easy-to-use graphical client (needs sudo permissions) is available as a plug-in. After:
sudo apt-get install network-manager-openvpn
the configuration and activation can be done with the regular network configuration. Use the network dock icon in the taskbar.
Download and install Tunnelblick, the OpenVPN GUI for OS X, from http://www.tunnelblick.net and follow the installation instructions.
Afterwards move your client certificate, private key and the public CA certificate to the directory /Users/your_username/Library/openvpn.
In the same directory create an 'openvpn.conf' file with content like this:
client
dev tun
proto udp
remote fqdn_your_openvpn_server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
auth-user-pass
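The server configuration, the PAM plugin section and the client configuration above have to agree with each other: same proto and port, compression on both ends or neither, auth-user-pass on the client whenever the server loads openvpn-auth-pam, and pushed routes that do not collide with the VPN client subnet. The linter below is an added example, not code from the original page or the OpenVPN project; it parses the OpenVPN directive format and checks a server.conf / client openvpn.conf pair for those mismatches. The two configurations embedded in it are constructed samples: the server side is the one from this page, the client side deliberately uses the wrong proto and omits auth-user-pass, and the placeholder fqdn_your_openvpn_server is kept as-is.

```python
"""Consistency linter for an OpenVPN server.conf / client openvpn.conf pair.

Added example, not from the original page or the OpenVPN project.
"""
import ipaddress
import shlex

# Constructed sample: the server configuration from this page.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/xenvpn.crt
key /etc/openvpn/easy-rsa/keys/xenvpn.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.11.0 255.255.255.0
keepalive 10 120
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.11"
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
comp-lzo
"""

# Constructed sample client with two deliberate faults: proto tcp and
# no auth-user-pass although the server requires PAM credentials.
CLIENT_CONF = """\
client
dev tun
proto tcp
remote fqdn_your_openvpn_server 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
comp-lzo
"""


def parse_conf(text):
    """Return [(directive, [args])]; blank and comment lines are skipped.
    A quoted argument such as push "route ..." stays one argument."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def first(entries, name, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    for directive, args in entries:
        if directive == name:
            return args
    return default


def has(entries, name):
    return any(directive == name for directive, _ in entries)


def lint_pair(server_text, client_text):
    """Return a list of (severity, message) findings for the pair."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    out = []
    for name in ("ca", "cert", "key", "dh", "server"):
        if not has(srv, name):
            out.append(("error", f"server: missing '{name}'"))
    for name in ("client", "remote", "ca", "cert", "key"):
        if not has(cli, name):
            out.append(("error", f"client: missing '{name}'"))
    # Transport: proto defaults to udp and port to 1194 on both sides.
    sp, cp = first(srv, "proto", ["udp"])[0], first(cli, "proto", ["udp"])[0]
    if sp != cp:
        out.append(("error", f"proto mismatch: server {sp}, client {cp}"))
    sport = first(srv, "port", ["1194"])[0]
    remote = first(cli, "remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"
    if cport != sport:
        out.append(("error", f"port mismatch: server {sport}, client {cport}"))
    # comp-lzo has to be enabled on both ends or on neither.
    if has(srv, "comp-lzo") != has(cli, "comp-lzo"):
        out.append(("error", "comp-lzo set on one side only"))
    # A server that loads the PAM plugin needs the client to send credentials.
    pam = any(d == "plugin" and a and "openvpn-auth-pam" in a[0] for d, a in srv)
    if pam and not has(cli, "auth-user-pass"):
        out.append(("error", "server uses openvpn-auth-pam but client lacks auth-user-pass"))
    # Pushed routes must not overlap the VPN client subnet from 'server'.
    sargs = first(srv, "server", [])
    if len(sargs) >= 2:
        vpn_net = ipaddress.ip_network(f"{sargs[0]}/{sargs[1]}", strict=False)
        for d, a in srv:
            if d == "push" and a and a[0].startswith("route "):
                r = a[0].split()
                if len(r) >= 3:
                    routed = ipaddress.ip_network(f"{r[1]}/{r[2]}", strict=False)
                    if routed.overlaps(vpn_net):
                        out.append(("error", f"pushed route {routed} overlaps VPN subnet {vpn_net}"))
    # 1024-bit DH parameters are considered weak today; flag dh1024.pem.
    dh = first(srv, "dh", [])
    if dh and "1024" in dh[0]:
        out.append(("warning", f"dh {dh[0]}: use 2048-bit or larger DH parameters"))
    return out


if __name__ == "__main__":
    for severity, message in lint_pair(SERVER_CONF, CLIENT_CONF):
        print(f"{severity}: {message}")
```

Against the embedded samples the linter reports the proto mismatch, the missing auth-user-pass and a warning about the 1024-bit DH file; fix the client (proto udp, add auth-user-pass) and only the warning remains. Point the two constants at your real files to use it on a road-warrior setup.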
Download and install the OpenVPN GUI for Windows from http://www.openvpn.se and follow the installation instructions.