OpenVPN
While the many remote desktop solutions available are nice, they are not the same as being there. It is like watching a web camera of a beach in Hawaii. Yes, it is beautiful. You might even have a remote control to move the camera around and zoom. However, can you bring home a sea shell easily?
A Virtual Private Network (VPN) puts you there! You can access everything just like you were on the network, perhaps a little slower. You have access to all the internal resources that you would have otherwise. Printing, sharing files and accessing the intranet work exactly the same. However, retrieving something from the printer might be more difficult.
Tunneling

Figure 1 VPN Using a Tunnel
In Figure 1, we have a notebook accessing its home environment over the Internet via a VPN that uses a tunnel. Data from the notebook is encrypted, travels over the Internet and through the firewall to a server, which decrypts it. The tunnel carries its own small virtual network between the notebook and the server (e.g. 10.199.1.0/30). Upon reaching the server, the server must route the data to the local area network (e.g. 192.168.1.0/24). While the routing itself is trivial, it may not provide all of the services that we wish. For example, if you run NetBIOS on your internal network, you are likely to have problems with it over a routed tunnel: NetBIOS name resolution and network browsing rely on broadcasts, which are not forwarded across a router, so the remote machine sits on a different subnet, cannot resolve names by broadcast, and name conflicts go undetected.
Bridging

Figure 2 VPN Using Bridging
Figure 2 shows a bridging VPN. With a bridging VPN, the notebook gets an IP address from the local area network of the site and is treated as if it were on the local network: it sits in the same broadcast domain, so I can get to other machines with UNC paths (\\server\share) and browse the network normally, and others on the network can see me. So, collaboration is easy. The price is that every broadcast on the LAN now crosses the tunnel, and that a remote notebook is a full member of the LAN, so a compromised client is a compromised LAN host; bridge only clients you would be happy to plug straight into the switch.
Performance
From my test location to my home network, the average ping delay is 101ms. Within the home network itself, the average ping delay is about 0.5ms. From my test location over the VPN, my delay is about 104ms. So, the overhead of a ping through the VPN is 2-3ms. This is not bad, especially if you consider that my VPN server is also my Trixbox and that it is only a 500 MHz Celeron with 256MB of memory.
Setting up your VPN from the Linux side
Everyone needs a different setup. I will talk about mine, which is the bridging version. The setup was not difficult and used tools available from http://openvpn.net.
Linux Step 1. Obtain the most recent version of openvpn from openvpn.net (I used 2.7 Release Candidate 7) for your Linux box (I am running CentOS 5). You will also want LZO (I used 2.02), which OpenVPN uses for on-the-fly compression of the tunnel traffic. LZO is compression, not encryption; it reduces the amount of encrypted traffic sent over the public network.
Linux Step 2. Compile LZO:
- The process requires configuration, compilation and installation
./configure
make
make install
Linux Step 3. Compile OpenVPN
- The process requires configuration, compilation and installation
./configure
make
make install
The certificate authority (CA) will be the foundation of your encryption mechanism. Everyone will depend on it: the server and every client present a certificate signed by this CA, and anyone who holds the CA's private key can issue a certificate that your server will accept.
- Create a configuration directory for openvpn, an easy-rsa directory and a key directory
mkdir /usr/local/etc/openvpn
mkdir /usr/local/etc/openvpn/keys
mkdir /usr/local/etc/openvpn/easy-rsa
- From the openvpn source directory, copy the contents of the easy-rsa 2.0 scripts into it (the trailing "/." copies the files themselves rather than creating a "2.0" subdirectory):
cp -r easy-rsa/2.0/. /usr/local/etc/openvpn/easy-rsa
- Now, to prepare the certificate, change to your new easy-rsa directory
cd /usr/local/etc/openvpn/easy-rsa
- Edit the file "vars". More than likely all you need to do is edit the key information (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL) at the bottom. The same file sets KEY_SIZE, 1024 by default, which is used for both the RSA keys and the Diffie-Hellman parameters; 1024 bits is weak by today's standards, so raise it to 2048 if your clients can afford the slower handshake (the Diffie-Hellman file generated below is then named dh2048.pem instead of dh1024.pem).
- Make the CA certificate. "vars" must be sourced in every new shell before any of the build scripts, and clean-all wipes the keys directory, so run it only this once:
. ./vars
./clean-all
./build-ca
- During the making of the certificate, you will be asked some questions with default values taken from the "vars" file. Make the common name something that fits your domain (e.g. jackbriner-CA).
- Using the build-key-server script, create your server certificate and key:
./build-key-server server
- Again you will be asked some questions with defaults taken from the "vars" file. Make the common name something that fits your server (e.g. trixbox-jackbriner). Say "yes" when it comes time to sign the certificate and commit. The "challenge password" prompt is only an attribute of the signing request, not a passphrase on the key. If you do put a passphrase on the server key, you will have to type it in every time the server starts, so for an unattended server leave the key unencrypted and protect it with file permissions instead.
- Create a client certificate and key, using a name that is helpful, such as the user name of the user of the client machine:
./build-key jack
- The certificates and keys are stored in the "keys" directory below where the keys are made.
- Keep your ".key" files safe. The ".csr" and ".crt" files are public and do not need to be safeguarded. ca.key is the most sensitive file of all: it never needs to leave this directory, and the running server does not need it.
- Generate the Diffie-Hellman parameters. Be patient while a very large prime number is generated:
./build-dh
- Copy what the server needs (its own certificate and key, the CA certificate and the Diffie-Hellman parameters, but not ca.key) into the key directory created above, and make the private key unreadable by other users:
cd keys
cp ca.crt server.crt server.key dh1024.pem ../../keys
chmod 600 ../../keys/server.key
Next, create the server configuration file "server.conf" in /usr/local/etc/openvpn. The certificate, key and Diffie-Hellman paths below are relative to that directory, which is why the server is started from there in Step 11:
port 443
proto udp
dev tap0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.250 255.255.255.0 192.168.1.101 192.168.1.110
client-to-client
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
The server-bridge line gives clients addresses from 192.168.1.101 to 192.168.1.110 on the LAN itself, so make sure your LAN's DHCP server does not also hand out that range. Port 443 is the HTTPS port, which makes it less likely to be blocked, but with "proto udp" the server listens on UDP port 443, which is not HTTPS; a firewall that only passes HTTPS would still need "proto tcp-server" here and "proto tcp-client" on the client. The user/group lines drop root after start-up, which is why persist-key and persist-tun are needed: an unprivileged process cannot re-read the key or reopen the tap device when a connection restarts.
Linux Step 10. Next, you must create the tap and bridge to your network from your server (brctl comes from the bridge-utils package). My server address is 192.168.1.250/24. Notice that the bridge gets the IP address and not the Ethernet card. Run these from the console rather than over SSH: the moment eth0 loses its address you also lose its routes and any session through it until br0 is up, and afterwards you must put your default route back via br0.
openvpn --mktun --dev tap0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
ifconfig eth0 0.0.0.0 promisc up
ifconfig br0 192.168.1.250 netmask 255.255.255.0 broadcast 192.168.1.255
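The Step 10 commands as one script, an added example that is not from the original post: it runs the same seven commands in the same order, but first records the default gateway that eth0 is using (read from /proc/net/route, the Linux kernel's routing table) and re-adds the default route on br0 at the end, because clearing eth0's address also clears the routes that went through it. Interface names and addresses are the post's; DRY_RUN=1 only prints what would run, which is the way to look at it before trying it on the console.

```shell
#!/bin/sh
# Added example, not from the original post: Linux Step 10 as one script.
# Usage: sh bridge-up.sh eth0 tap0 br0 192.168.1.250 255.255.255.0 192.168.1.255
#        DRY_RUN=1 sh bridge-up.sh ...   (only print the commands)
# Needs the same tools the post uses: openvpn, brctl, ifconfig and route.

run() {                      # run CMD ARGS...: print the command, execute unless DRY_RUN=1
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# /proc/net/route stores addresses as little-endian hex: 0101A8C0 -> 192.168.1.1
hex_to_ip4() {               # hex_to_ip4 HEX8
    h=$1
    b1=${h#??????}                 # characters 7-8
    t=${h%??};   b2=${t#????}      # characters 5-6
    t=${h%????}; b3=${t#??}        # characters 3-4
    b4=${h%??????}                 # characters 1-2
    printf '%d.%d.%d.%d\n' $((0x$b1)) $((0x$b2)) $((0x$b3)) $((0x$b4))
}

# Gateway of the default route currently going out DEV, or nothing.
default_gw() {               # default_gw DEV
    [ -r /proc/net/route ] || return 0
    h=$(awk -v dev="$1" '$1 == dev && $2 == "00000000" { print $3; exit }' /proc/net/route)
    [ -z "$h" ] || hex_to_ip4 "$h"
}

bridge_up() {                # bridge_up ETH TAP BR ADDR NETMASK BROADCAST
    eth=$1; tap=$2; br=$3; addr=$4; mask=$5; bcast=$6
    gw=$(default_gw "$eth")  # remember it before eth loses its address
    run openvpn --mktun --dev "$tap"
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$tap"
    run ifconfig "$tap" 0.0.0.0 promisc up
    # Clearing the address on eth also drops every route through it,
    # so from here until br is up the box is unreachable over eth.
    run ifconfig "$eth" 0.0.0.0 promisc up
    # The bridge, not the Ethernet card, gets the LAN address.
    run ifconfig "$br" "$addr" netmask "$mask" broadcast "$bcast"
    # Put the default route back, now via the bridge.
    [ -z "$gw" ] || run route add default gw "$gw" dev "$br"
}

if [ $# -eq 6 ]; then
    bridge_up "$@"
fi
```

The order matters: both ports are added to the bridge before eth0 loses its address, so the bridge forwards LAN frames the instant br0 comes up, and the default route is the last thing restored because it can only be added once br0 has an address.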
Linux Step 11. Start the server (remember to open UDP port 443 on the firewall; the tap and bridge from Step 10 do not survive a reboot either, so put those commands in a boot script)
cd /usr/local/etc/openvpn ; openvpn --config server.conf
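A preflight check to run before the start command above, as an added example that is not from the original post. It reads the ca, cert, key, dh and server-bridge lines from a server.conf like the one above, confirms the referenced files exist, refuses a private key that other users can read, and checks that the address pool lies inside the LAN subnet and does not include the server's own address. It assumes the post's layout: run from /usr/local/etc/openvpn, with the paths in the config relative to that directory, exactly as OpenVPN resolves them when started from there.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a bridging
# server.conf before "openvpn --config server.conf" is run from the config
# directory. Usage: cd /usr/local/etc/openvpn ; sh check-server-conf.sh server.conf

# First value(s) of a directive, e.g. conf_val key server.conf -> keys/server.key
conf_val() {                 # conf_val DIRECTIVE FILE
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$2"
}

# Dotted quad to integer: 192.168.1.250 -> 3232236026
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when ADDR is in the same subnet as GATEWAY/NETMASK.
in_subnet() {                # in_subnet ADDR GATEWAY NETMASK
    m=$(ip4_to_int "$3")
    [ $(( $(ip4_to_int "$1") & m )) -eq $(( $(ip4_to_int "$2") & m )) ]
}

check_server_conf() {        # check_server_conf FILE -> 0 if every check passes
    conf=$1; rc=0
    for d in ca cert key dh; do
        f=$(conf_val "$d" "$conf")
        if [ -z "$f" ]; then echo "missing '$d' directive"; rc=1
        elif [ ! -r "$f" ]; then echo "$d: cannot read $f"; rc=1
        fi
    done
    # Private key: the group/other permission bits (columns 5-10 of ls -l) must all be off.
    k=$(conf_val key "$conf")
    if [ -n "$k" ] && [ -r "$k" ]; then
        case "$(ls -ld "$k" | cut -c5-10)" in
            ------) ;;
            *) echo "key: $k is readable by group or others; chmod 600 $k"; rc=1 ;;
        esac
    fi
    # server-bridge GATEWAY NETMASK POOL_START POOL_END
    set -- $(conf_val server-bridge "$conf")
    if [ $# -ne 4 ]; then echo "server-bridge needs gateway, netmask, pool start, pool end"; rc=1
    else
        gw=$1; mask=$2; lo=$3; hi=$4
        if ! in_subnet "$lo" "$gw" "$mask" || ! in_subnet "$hi" "$gw" "$mask"; then
            echo "pool $lo-$hi lies outside $gw/$mask"; rc=1
        fi
        g=$(ip4_to_int "$gw"); l=$(ip4_to_int "$lo"); u=$(ip4_to_int "$hi")
        if [ "$l" -gt "$u" ]; then echo "pool start $lo is above pool end $hi"; rc=1; fi
        if [ "$g" -ge "$l" ] && [ "$g" -le "$u" ]; then
            echo "pool $lo-$hi contains the server's own address $gw"; rc=1
        fi
    fi
    return $rc
}

if [ $# -eq 1 ]; then
    check_server_conf "$1" && echo "$1: OK"
fi
```

It does not check the LAN's DHCP range, which the server cannot see; that overlap still has to be ruled out by hand.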
Setting up your VPN from the Windows side
Windows Step 1: Obtain the Windows version of OpenVPN that corresponds to the one on the server.
Windows Step 2: Run the installer. It also installs the TAP-Win32 virtual network adapter that the client needs.
Windows Step 3: Go to the OpenVPN program directory and down to the config subdirectory.
- Copy the following files from the server's easy-rsa/keys directory to this directory using ssh/putty (scp or pscp):
ca.crt
jack.crt
jack.key
- The client's ".csr" and the server's own certificate are not needed on the client, so there is no reason to copy them. jack.key is this user's secret: whoever holds it can join your LAN as that user, so treat the notebook like a key to the house.
Windows Step 4. Create the file "client.ovpn" with notepad, containing:
client
dev tap
dev-node MyTap
proto udp
remote jackbriner.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert jack.crt
key jack.key
cipher AES-128-CBC # AES
comp-lzo
verb 3
mute 20
The cipher and comp-lzo lines must match the server's. Since every client certificate is signed by the same CA, a client holding any valid certificate could otherwise pose as the server to another client; build-key-server marks the server's certificate with nsCertType=server, and adding the line "ns-cert-type server" to client.ovpn makes the client refuse to talk to anything else.
Windows Step 5. Go to Control Panel -> Networking and rename the TAP adapter to "MyTap", so that it matches the dev-node line above.
Windows Step 6. With any luck, you will now be able to connect. Start the OpenVPN GUI from the start menu; it puts a small icon of two screens in the system tray. Green means connected. Red means stopped. Yellow means trying.
Labels: Open Source, openVPN, security, tunnel, vpn
