Implement a free VPN with OpenVPN

June 8, 2005

Takeaway: If you want to implement a VPN in your organization but don't have the budget necessary for a dedicated VPN device or to deploy ISA Server 2004, you're in luck. Here's how you can set up a VPN for mobile users quickly and inexpensively using OpenVPN.

VPN solutions are more abundant than they were a few years ago. In fact, there are tons of choices on the market, but some of them can be very expensive. If you need to provide remote access to the office, or even provide access to a remote office, and don't have a huge budget for a dedicated VPN device or ISA Server 2004, consider the open source OpenVPN project to fulfill your VPN needs. In this article, I'll provide an overview of both OpenVPN and the OpenVPN GUI for Windows.

What is OpenVPN?

OpenVPN is an open source, cross-platform, SSL-based VPN solution capable of accommodating a number of situations, including both remote access and site-to-site secure communication (a remote office, for example). Available for a number of platforms, including Windows, Linux, BSD, Mac OS X and Solaris, OpenVPN is fairly simple to get up and running. OpenVPN sports a multitude of features that make it an ideal choice in the "free VPN" space, including the ability to build VPN tunnels over NAT devices, to read certificates and private keys from smart cards on Windows clients, as well as being able to run on fairly low-end hardware, perfect for when costs need to be kept as low as possible. OpenVPN, however, does not support the PPTP, IPSec or L2TP protocols, instead favoring SSL-based technology for all of its functionality. Everything you want to know about what OpenVPN includes can be found on the front page of the OpenVPN site.

Obtaining OpenVPN

There are currently two versions of OpenVPN available: 1.6 and 2.0. 2.0 is the upcoming release that is not yet considered "final", whereas 1.6 is the most recent stable release. I'm installing OpenVPN onto a Windows Server 2003 system running a prerelease of SP1, and I'm using version 2.0 for this article. To get an OpenVPN installer for Windows or a tarball for Linux, head to OpenVPN's handy download page. If you're installing OpenVPN onto a Windows system, you can instead opt to use a different download package that includes OpenVPN 2.0 and a really nice graphical user interface. This is one of the great things about open source. A package is available from this site's download page that bundles OpenVPN with the GUI. Packages are also available for download for those that are already running OpenVPN and just want a graphical front-end to manage the system. The GUI is only for Windows systems, though.

For this article, I'm using the download package that includes both OpenVPN and the GUI. Note that this installer is used for both the server and the client.

Installation

The installation of OpenVPN is surprisingly easy, particularly since everything you need is built right into the installer, including the TAP-Win32 virtual Ethernet driver and OpenSSL. The first screen of the installer asks you to read the obligatory license agreement, while the second screen, shown below in Figure A, shows you exactly what the installer will be putting on your system.

Figure A

The OpenVPN list of components

By default, OpenVPN installs to C:\Program Files\OpenVPN, but you can choose your own installation directory on the next screen of the installer, if you like. That's the whole initial installation. Two screens to work with: (1) pick what you want to install and (2) choose a directory into which to put everything. During the installation, you'll probably get a driver installation message indicating that the TAP-Win32 driver is not certified by Microsoft. This driver is used by a number of open source programs (including coLinux), and is, in my experience, stable. Here's a look at the Start menu after the installation completes.

Figure B

The OpenVPN menu options

Now, open up your Network Control Panel. You'll see an additional entry for the TAP driver, which OpenVPN uses for communication across the tunnels it creates. One best practice with regard to the TAP driver is to rename it to something other than "Local Area Connection". In particular, spaces in the TAP adapter name have been known to create problems, so I renamed mine to "VPN-TAP".

Figure C

The TAP driver on my system

Now that OpenVPN is installed, it's time to move on to the configuration tasks.

Creating certificates for use with OpenVPN

OpenVPN requires the use of certificates to help establish the authenticity of clients connecting to an OpenVPN system and vice-versa. After all, you probably wouldn't want a situation in which a client was connecting to an untrusted server. To help prevent this, OpenVPN supports bidirectional authentication. To use OpenVPN, you need to establish a public key infrastructure that will be used by the system. You need a master certificate authority certificate and key, which will sign each server and client certificate. Table A will walk you through the steps necessary to configure certificates for OpenVPN.

Table A

Generate the master certificate and key by following these steps:

  Command                                  Purpose

  Go to a command prompt

  C:                                       Change to the C: drive, unless you're already there. If you installed
                                           OpenVPN to a different drive, go to that drive instead.

  cd \program files\OpenVPN\easy-rsa       Change to the easy-rsa directory, which is where certificate functions
                                           are carried out.

  init-config                              Copies the sample vars.bat and openssl.cnf files to versions that you
                                           can safely modify while still maintaining the samples.

  edit vars.bat                            Modify the contents of the vars.bat file to correctly reflect your
                                           location. If necessary, change the HOME option to reflect the correct
                                           location of the easy-rsa folder on your Windows system. The KEY_CONFIG
                                           option, by default, points to the openssl.cnf file included with
                                           easy-rsa. The KEY_DIR option is the directory in which keys will be
                                           stored. The KEY_SIZE

    Contents of vars.bat:

      @echo off
      set HOME=%ProgramFiles%\OpenVPN\easy-rsa
      set KEY_CONFIG=openssl.cnf
      set KEY_DIR=keys
      set KEY_SIZE=1024
      set KEY_COUNTRY=US
      set KEY_PROVINCE=NY
      set KEY_CITY=Elmira
      set KEY_ORG=TechRepublic
      set KEY_EMAIL=[email protected]

Follow these commands to configure certificates for OpenVPN.

Copy keys to appropriate locations

The best way to work with OpenVPN is to copy the key files to the local OpenVPN config directory on both the server and the clients. For the server, copy the following files to C:\Program Files\OpenVPN\config:

  • ca.crt: the certificate authority certificate. This file will also be copied to each client later on.
  • server.key: the server's key. Your server key will probably have a name that matches that of your server.
  • server.crt: the server's certificate file. Your server certificate will probably have a name that matches that of your server.
  • dh1024.pem: the Diffie-Hellman parameters for the VPN.
  • tls.key: the TLS authentication key.

Configuring the server

OpenVPN works on the concept of text-based configuration files: one for the server and one on each client for that client. OpenVPN comes with some sample configuration files found in the C:\Program Files\OpenVPN\sample-config directory. Under Windows, these sample files carry a .ovpn extension. The OpenVPN sample server configuration file is a good starting point. To use this sample, you need to copy it from C:\Program Files\OpenVPN\sample-config to C:\Program Files\OpenVPN\config. When the OpenVPN service starts up, it will look in this directory for configuration files and start a separate OpenVPN process for each one. For this example, I just have the sample server.ovpn file in the config directory.

Before you start configuration, you should make note of a couple of things. First, you can configure OpenVPN to bridge your Ethernet network across the VPN (TAP mode), or you can configure the VPN using a virtual point-to-point IP link (TUN mode). I'm going to use TAP mode for this article.

Note: TAP mode is required if you want to pass different protocols over the VPN. TAP mode provides a layer 2 tunnel between the client and the server that can pass TCP/IP, IPX, NetBEUI and more. TAP also provides a mechanism by which network broadcasts can traverse the VPN, which is required for some applications. TUN mode is more efficient and easier to administer, but doesn't pass anything except TCP/IP. These days, that's not a problem for many applications. Some versions of Windows don't support TAP devices. If you're using older versions of Windows, plan to use TUN mode.

Table B goes over the sample configuration file included with OpenVPN and outlines what each parameter is and what it does.

Table B

Configuration file parameters

  ;local a.b.c.d
      Optional parameter: on which local IP address should OpenVPN listen for connections?

  port 1194
      On which local port should OpenVPN listen for connections? Port 1194 is OpenVPN's official port number. If you plan to run multiple OpenVPN instances, each needs its own port.

  ;proto tcp
  proto udp
      Do you want to use TCP or UDP for connections? The default is UDP. If you want to use TCP, uncomment TCP and comment UDP with a semicolon.

  ;dev tap
  dev tun
      Do you want to use a TAP connection or a TUN connection? The default is TUN.

  dev-node MyTap
      (Windows only) Provide the name of the TAP device on your system.

  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
      Provide the name of each of your certificate and key files as well as the file name that holds your Diffie-Hellman parameters.

  server 10.8.0.0 255.255.255.0
      The "server" directive configures OpenVPN in server mode. The IP network and subnet mask provided is the VPN subnet on which OpenVPN will operate. The server will take the first address in the pool. In this example, that would be 10.8.0.1. This line should be commented out for TAP-based servers.

  ifconfig-pool-persist ipp.txt
      Provides a way for OpenVPN to track assigned client VPN addresses so that they can be reused for future connections.

  ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
      This directive enables TAP bridging, assigns the bridge an IP address, and assigns a range of IP addresses that will be handed out to clients connecting through this interface.

  ;push "route 192.168.10.0 255.255.255.0"
  ;push "route 192.168.20.0 255.255.255.0"
      Pushes routes to VPN-connected clients so that they can connect to other private networks behind the OpenVPN server.

Based on the information in the previous table, this is the configuration file I could use on my sample VPN server:

  port 1194
  proto udp
  dev tap
  dev-node TAP-VPN
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  ifconfig-pool-persist ipp.txt
  server-bridge 192.168.152.100 255.255.255.0 192.168.152.150 192.168.152.200
  keepalive 10 120
  comp-lzo
  status openvpn-status.log
  verb 3

Start the server

With the server configuration file now built, you can start the server process on your OpenVPN server. Since I'm using the GUI, I'll right-click the GUI icon and choose Connect. A status window pops up, which is shown in Figure D.

Figure D

This screen will tell you everything you need to know about how your VPN operates

Note: If you want to start OpenVPN with a specific configuration file, go to the config directory, right-click a configuration file and choose "Start OpenVPN with this configuration file" from the shortcut menu. You can also start OpenVPN directly from the command line. Refer to the OpenVPN docs for more details on this.

Client configuration

With your OpenVPN server up and running, you can start connecting clients. This is the easy part, believe it or not. The client side uses the same installer as the server side of things. So, to get started, install the OpenVPN software and GUI onto your client computer using the instructions found earlier in this article.

Build key and certificate for the client

On the server side, you'll need to run the 'build-key client-name' command for each client that you want to allow to connect to the OpenVPN server. Once you do this, copy the client-name.key, client-name.crt, and ca.crt files from the server to your client's C:\Program Files\OpenVPN\config directory.

Configure the client

Like the server, each client has a configuration file that you use to provide the client with its configuration information. Also like the server, you'll find a sample client file in the C:\Program Files\OpenVPN\sample-config directory. I used this file as a starting point for my installation. Table C lists some of the unique client parameters:

Table C

  client
      Indicates to OpenVPN that this is a client rather than a server.

  remote my-server-1 1194
      Connect to the server named 'my-server-1' using port 1194. You can also specify the IP address of the server instead of the hostname, if you like.

  resolv-retry infinite
      Will continue to try indefinitely to resolve the host name of the OpenVPN server.

Here is a configuration file that I might use on a client to connect to the OpenVPN server I set up:

  client
  dev tap
  dev-node client-TAP
  proto udp
  remote 192.168.152.100 1194
  resolv-retry infinite
  nobind
  ca ca.crt
  cert vpnclient.crt
  key vpnclient.key
  comp-lzo
  verb 3

(If I was using NAT on the server side, I would instead use the external IP address of the NAT rule on the remote line.) Make sure that you also modify the ca, cert, and key values in the client configuration file to point to the files containing these critical pieces of information. Once you get the client configured, start it with the GUI controls, or from the command line. From the GUI in the system tray, right-click the OpenVPN icon and choose Connect.

Keep in mind

Before you start the client, make sure that any firewall that you might traverse into the remote network is forwarding port 1194 to your OpenVPN server and, if you're using NAT, that you've provided an appropriate NAT rule for said server, thus providing it with an externally accessible IP address.

Remember, each client needs its own certificate/key pair, each generated on the OpenVPN server. Make sure also that you copy the master ca.crt file from the server to any client that you want to allow to connect to the OpenVPN server. If you fail to do this, you won't be able to connect. Also consider the use of a TLS shared key to help keep your communication secure.
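The server and client configuration files above, together with the reminders in this section, describe a handful of rules that are easy to get wrong by hand: a TAP server needs 'server-bridge' and must not keep the sample file's 'server' line, every peer needs its ca, cert and key directives (and the server its dh parameters), the Windows TAP adapter name should not contain spaces, and a tls-auth shared key is worth adding. The following is an added example, not code from the article or from the OpenVPN project: a small Python lint pass that parses .ovpn files and reports violations of exactly those rules. The three embedded configurations are constructed sample input modelled on the article's server and client files, plus a deliberately wrong server file; the finding codes and the parse_ovpn/lint_ovpn/lint_text function names are this example's own.

```python
"""Added example (not from the original article): lint OpenVPN .ovpn files
for the configuration rules the article describes."""

from typing import Dict, List, Tuple

Directives = Dict[str, List[List[str]]]
Finding = Tuple[str, str]  # (short code, human-readable message)

# Constructed sample input modelled on the article's server configuration.
SERVER_CONF = """\
port 1194
proto udp
dev tap
dev-node TAP-VPN
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.152.100 255.255.255.0 192.168.152.150 192.168.152.200
keepalive 10 120
comp-lzo
status openvpn-status.log
verb 3
"""

# Constructed sample input modelled on the article's client configuration.
CLIENT_CONF = """\
client
dev tap
dev-node client-TAP
proto udp
remote 192.168.152.100 1194
resolv-retry infinite
nobind
ca ca.crt
cert vpnclient.crt
key vpnclient.key
comp-lzo
verb 3
"""

# Constructed "what not to do": TAP device with the sample file's 'server'
# line left in, an adapter name containing spaces, and no dh parameters.
BAD_SERVER_CONF = """\
port 1194
dev tap
dev-node Local Area Connection
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
"""


def parse_ovpn(text: str) -> Directives:
    """Map each directive name to the list of argument lists it appears with.

    Lines starting with ';' or '#' are comments, as in the sample-config
    files, so ';proto tcp' is ignored while 'proto udp' is kept.
    """
    directives: Directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_ovpn(directives: Directives) -> List[Finding]:
    """Return findings as (code, message) pairs; an empty list means no issues."""
    findings: List[Finding] = []
    is_client = "client" in directives
    dev = directives.get("dev", [["tun"]])[0][0]  # OpenVPN's default device type is tun

    # Every peer authenticates with the CA cert plus its own cert and key;
    # the server additionally needs Diffie-Hellman parameters.
    required = ["ca", "cert", "key"] + ([] if is_client else ["dh"])
    for name in required:
        if name not in directives:
            findings.append((f"MISSING-{name}", f"'{name}' directive is required"))

    if is_client:
        if "remote" not in directives:
            findings.append(("NO-REMOTE", "client has no 'remote' server to connect to"))
    else:
        if dev == "tap" and "server" in directives:
            findings.append(("TAP-WITH-SERVER",
                             "TAP servers use 'server-bridge'; comment out 'server'"))
        if dev == "tun" and "server-bridge" in directives:
            findings.append(("TUN-WITH-BRIDGE",
                             "'server-bridge' needs 'dev tap', not 'dev tun'"))

    # Spaces in the Windows TAP adapter name are a known source of trouble.
    for args in directives.get("dev-node", []):
        if len(args) != 1:
            findings.append(("DEVNODE-SPACES",
                             f"TAP adapter name {' '.join(args)!r} contains spaces"))

    # A tls-auth shared key (tls.key) adds an HMAC check to the TLS handshake.
    if "tls-auth" not in directives:
        findings.append(("NO-TLS-AUTH", "consider adding 'tls-auth tls.key' on both ends"))

    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper: just the finding codes for one configuration file."""
    return [code for code, _ in lint_ovpn(parse_ovpn(text))]


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF),
                        ("bad server", BAD_SERVER_CONF)):
        print(f"== {label} ==")
        for code, msg in lint_ovpn(parse_ovpn(conf)):
            print(f"  {code}: {msg}")
```

Run as a script it prints the findings for each embedded file; the article's own server and client files produce only the tls-auth suggestion, while the bad server file is flagged for the missing dh line, the 'server' directive on a TAP device, and the adapter name with spaces. To check real files, read them from C:\Program Files\OpenVPN\config and pass the text to lint_text.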
