
HOW TO set up OpenVPN

Want secure networks, use OpenVPN!

There are two ways to set up a VPN. In the first, you have an Ethernet bridge and the clients and servers have IPs on the same network (ip/netmask). That is the easier way. Here we will go over the slightly more involved method: putting the VPN users on a different network.

The OpenVPN server will be the gateway machine between your client on his/her laptop and your internal network at the datacenter. For this to work, the client will encrypt and route all packets destined for the Internal Network to the External IP of the OpenVPN server. The OpenVPN server will decrypt the packets and forward them to the Internal Network. The servers on the Internal Network will all need two changes to work: [1] their firewalls will need to accept packets from the VPN Network and [2] all packets destined for the VPN Network will need to be routed to the OpenVPN Server's Internal IP.

Sound hard? It's not too bad once you understand this first section. When your laptop connects, the OpenVPN Server will give your laptop an additional IP from the VPN Network pool of IPs. That is how you join the VPN Network.

Configure the OpenVPN Server

  • Install OpenVPN:
    cd /usr/ports/security/openvpn && make install clean
  • Here is the output of ifconfig for this example:
    bge0: flags=8843 mtu 1500
            options=1b
            inet 61.11.111.6 netmask 0xffffff00 broadcast 61.11.111.255
            ether 00:1a:a0:11:11:11
            media: Ethernet autoselect (1000baseTX )
            status: active
    bge1: flags=8802 mtu 1500
            options=1b
            inet  10.10.22.7 netmask 0xffffff00 broadcast 61.11.111.255
            ether 00:1a:a0:11:11:12
            media: Ethernet autoselect (none)
            status: no carrier
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000   
    
    bge0 is external and bge1 is on the Internal Network.
  • Pick a port that you want your VPN server to listen on. Let's say 4444. (The default is 1197.)
  • Set up your firewall to allow VPN traffic to your external IP and through the tun0 device. The relevant part of rc.firewall:
    ...
    ipfw add allow ip from any to any via tun0            // VPN device
    ipfw add allow tcp from any to any established
    ipfw add allow tcp from any to me dst-port 4444 setup // VPN access if we use TCP
    ipfw add allow udp  from any to me dst-port 4444      // VPN access if we use UDP
    ipfw add allow udp  from me 4444 to any               // VPN access if we use UDP
    ...
    
  • Create /usr/local/etc/openvpn/server.conf:
    #  external IP of OpenVPN Server
    local 61.11.111.6
    
    # pick a non-default port number...
    port 4444
    proto udp
    # We use TUN when setting separate IPs on a VPN Network
    dev tun0
    
    # Adjust path as needed.
    ca /usr/local/etc/openvpn/ca.crt
    cert /usr/local/etc/openvpn/server.crt
    key /usr/local/etc/openvpn/server.key # keep secret.
    dh /usr/local/etc/openvpn/dh1024.pem
    tls-auth /usr/local/etc/openvpn/ta.key 0
    
    # The Pool of IPs in the 'VPN Network'
    server 10.44.44.0 255.255.255.0
    ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
    # Tell the client about the IPs on your Data Center Internal Network
    # Don't use 192.168.1.0 in your data center as that is the default
    # network for a lot of home systems and  that makes it HARDER to
    # get VPN working.
    push "route 10.3.3.0 255.255.255.0"
    
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    # look at this file if the server doesn't launch...
    status /usr/local/etc/openvpn/openvpn-status.log
    management localhost 7505
    verb 3
    mute 20
    
  • Generate all the certs, keys, the ta.key file, etc.; read the OpenVPN documentation :)
  • Configure /etc/rc.conf so OpenVPN will launch at boot:
    openvpn_enable="YES"      # set to YES to enable openvpn
    openvpn_if="tun"          # driver(s) to load, set to "tun", "tap" or "tun tap"
    openvpn_configfile="/usr/local/etc/openvpn/server.conf"    # --config file   
    gateway_enable="YES"      # you need to forward packets between internal and VPN.
    
  • Start it up!
    sysctl net.inet.ip.forwarding=1
    /usr/local/etc/rc.d/openvpn start
    
    If you reboot, you don't need to turn on forwarding by hand as long as gateway_enable is in your rc.conf. Once you start the OpenVPN server, ifconfig will automagically show a new device:
    tun0: flags=8051 mtu 1500
            inet 10.44.44.1 --> 10.44.44.2 netmask 0xffffffff 
            Opened by PID 7866   
    

Set up the servers on your Internal Network

You need to add a route. When your servers get IP traffic from the fake 10.44.44.0/24 network, you need to tell them to route those packets back through the OpenVPN Server's Internal Interface (10.10.22.7). I usually set up ipfw, so I roll the route and firewall rules into one like this:
    # part of /etc/rc.firewall on servers in the Internal Network
    net_vpn="10.44.44.0/24"
    vpn_gateway="10.10.22.7"
    
    # Allow VPN network
    ${fwcmd} add pass all from me to ${net_vpn} // VPN network
    ${fwcmd} add pass all from ${net_vpn} to me // VPN network
    echo "Adding VPN route for ${net_vpn} to ${vpn_gateway}"
    /sbin/route add ${net_vpn} ${vpn_gateway} 2> /dev/null > /dev/null
    

Set up Clients

    #############
    # openvpn.conf
    # mac users:
    # download tunnelblick:
    #    http://www.tunnelblick.net/
    # Note you need to place 4 files in your
    #  /Users/YOURNAME/Library/openvpn/ folder...
    #  Edit out 'rudy' and put in your local user name
    # in the lines below.
    #
    #############
    ca /Users/rudy/Library/openvpn/ca.crt
    cert /Users/rudy/Library/openvpn/RudyKey.crt
    key /Users/rudy/Library/openvpn/RudyKey.key
    tls-auth /Users/rudy/Library/openvpn/ta.key 1
    #############
    remote 61.11.111.6
    port 4444
    #############
    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    persist-key
    persist-tun
    comp-lzo
    verb 3
    log openvpn.log
    
That config ought to work for a variety of clients (Mac, Unix, Windoze). Want to know how to generate the CRT, KEY, ta.key and ca.crt files? Read the OpenVPN documentation.
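Most "it connects but nothing works" reports with this setup come from the server.conf and the client config disagreeing on something small: the port, udp vs tcp, tun vs tap, comp-lzo on only one side, or the tls-auth key direction (it must be 0 on the server and 1 on the client, as in the two configs above). The script below is an added example, not part of the original how-to or of OpenVPN itself: it checks a client config against the server config it will talk to and reports each mismatch. The sample configs it writes are constructed for the script and only mirror the values used on this page; the /tmp paths are placeholders, and the `remote` line is assumed to carry only the host (not `remote host port`).

```sh
#!/bin/sh
# Added example (not from the original how-to): check that a client
# openvpn.conf is consistent with the server.conf it will connect to.
# Sample configs below are constructed for this script; paths are placeholders.

# conf_get FILE DIRECTIVE: print the value(s) following DIRECTIVE (first match).
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# conf_has FILE DIRECTIVE: true if DIRECTIVE appears on a line of its own or with args.
conf_has() {
    awk -v key="$2" '$1 == key { found = 1; exit } END { exit !found }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: print one line per inconsistency and
# return the number found (0 means the pair looks consistent).
check_pair() {
    srv="$1"; cli="$2"; bad=0

    # The client must point at the address the server binds to, on the same port/proto.
    [ "$(conf_get "$cli" remote)" = "$(conf_get "$srv" local)" ] ||
        { echo "remote (client) does not match local (server)"; bad=$((bad + 1)); }
    [ "$(conf_get "$cli" port)" = "$(conf_get "$srv" port)" ] ||
        { echo "port mismatch"; bad=$((bad + 1)); }
    [ "$(conf_get "$cli" proto)" = "$(conf_get "$srv" proto)" ] ||
        { echo "proto mismatch (udp vs tcp)"; bad=$((bad + 1)); }

    # Both ends must use the same device type (tun vs tap); the unit number may differ.
    sdev=$(conf_get "$srv" dev | sed 's/[0-9]*$//')
    cdev=$(conf_get "$cli" dev | sed 's/[0-9]*$//')
    [ "$sdev" = "$cdev" ] || { echo "dev type mismatch: $sdev vs $cdev"; bad=$((bad + 1)); }

    # tls-auth key direction must be complementary: 0 on the server, 1 on the client.
    sdir=$(conf_get "$srv" tls-auth | awk '{ print $NF }')
    cdir=$(conf_get "$cli" tls-auth | awk '{ print $NF }')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
        { echo "tls-auth direction must be 0 on server, 1 on client (got '$sdir'/'$cdir')"; bad=$((bad + 1)); }

    # comp-lzo has to be enabled on both sides or on neither.
    if conf_has "$srv" comp-lzo; then scomp=yes; else scomp=no; fi
    if conf_has "$cli" comp-lzo; then ccomp=yes; else ccomp=no; fi
    [ "$scomp" = "$ccomp" ] || { echo "comp-lzo on one side only"; bad=$((bad + 1)); }

    # Role directives: the server needs 'server', the client needs 'client'.
    conf_has "$srv" server || { echo "server config lacks 'server' directive"; bad=$((bad + 1)); }
    conf_has "$cli" client || { echo "client config lacks 'client' directive"; bad=$((bad + 1)); }

    return "$bad"
}

# write_samples: write a constructed server.conf plus a good and a bad client
# config into a scratch directory and print that directory's path.
write_samples() {
    dir="${TMPDIR:-/tmp}/vpncheck.$$"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<'EOF'
local 61.11.111.6
port 4444
proto udp
dev tun0
tls-auth /usr/local/etc/openvpn/ta.key 0
server 10.44.44.0 255.255.255.0
comp-lzo
EOF
    cat > "$dir/client-good.conf" <<'EOF'
remote 61.11.111.6
port 4444
proto udp
client
dev tun
tls-auth /Users/rudy/Library/openvpn/ta.key 1
comp-lzo
EOF
    # Constructed broken client: TCP, wrong key direction, comp-lzo missing.
    cat > "$dir/client-bad.conf" <<'EOF'
remote 61.11.111.6
port 4444
proto tcp
client
dev tun
tls-auth /Users/rudy/Library/openvpn/ta.key 0
EOF
    echo "$dir"
}

# Usage: run the check on both constructed clients.
dir=$(write_samples)
echo "client-good.conf:"; check_pair "$dir/server.conf" "$dir/client-good.conf" && echo "  consistent"
echo "client-bad.conf:";  check_pair "$dir/server.conf" "$dir/client-bad.conf"  || echo "  $? problem(s) found"
```

Run it with the real files in place of the samples (`check_pair /usr/local/etc/openvpn/server.conf openvpn.conf`) before shipping a config to a user; the return value is the mismatch count, so it can gate a script that hands out client bundles.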