Wednesday, February 29, 2012

[DPS Class] OpenVPN



"A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network.

VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.

VPNs may serve any network functionality that is found on any network, such as sharing of data and access to network resources, printers, databases, websites, etc. A VPN user typically experiences the central network in a manner that is identical to being connected directly to the central network. VPN technology via the public Internet has replaced the need to requisition and maintain expensive dedicated leased-line telecommunication circuits once typical in wide-area network installations.

Virtual private network technology reduces costs because it does not need physical leased lines to connect remote users to an Intranet."


For more information about VPN, visit VPN (Wikipedia)

OpenVPN



"OpenVPN is a software-based connectivity solution that uses SSL (Secure Sockets Layer) and VPN (virtual private network) technology.
OpenVPN offers point-to-point connectivity with hierarchical validation of remotely connected users and hosts, is a very good option for Wi-Fi environments (IEEE 802.11 wireless networks) and supports a wide range of settings, including load balancing and more. It is released under the GPL, free software.

No other solution offers such a mix of enterprise-level security, safety, ease of use and rich features.
OpenVPN simplified the configuration of VPNs, reducing the difficulty of configuring other solutions such as IPsec and making it more accessible to people inexperienced in this type of technology."


For more information, visit OpenVPN Site

Installing and configuring OpenVPN on Ubuntu 10.04 LTS 32Bits


NOTE: I don't include screenshots of the installation because I had some problems during the process; however, I will put the correct commands, and if you execute them correctly, you will have no problems. Also, all of the following instructions, unless otherwise indicated, must be executed on the VPN server.


First, the installation of the packages:
sudo apt-get install openvpn openssl
Our working directory will be /etc/openvpn/
cd /etc/openvpn

Now that the openvpn package is installed, the certificates for the VPN server need to be created.
First, copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated. You will also need to adjust permissions in the easy-rsa directory to allow the current user permission to create files.
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars, adjusting the values to your environment; this is my configuration:
export KEY_COUNTRY="MX"
export KEY_PROVINCE="NL"
export KEY_CITY="Monterrey"
export KEY_ORG="JuanCarlos"
export KEY_EMAIL="your_email@example.com"

Now, enter the following commands in order to create the server certificates:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Now, enter the following commands in order to create the client certificates. Replace CLIENTNAME with the hostname of the client; to find it, run hostname in a terminal on the client:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool CLIENTNAME

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Backup /etc/openvpn/server.conf:
sudo mv /etc/openvpn/server.conf /etc/openvpn/server.conf.bak
Create a new /etc/openvpn/server.conf with the following options:
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
#comp-lzo 

After configuring the server, restart openvpn by entering:
sudo /etc/init.d/openvpn restart
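Two things in the configurations on this page are easy to miss and worth checking before the restart: ta.key is generated and copied around but no tls-auth directive references it, so it is never used, and the server has comp-lzo commented out while the client configurations further down enable it, and both ends of an OpenVPN 2 tunnel should agree on that setting. The script below is an added example, not part of the original post nor of OpenVPN: it checks that every file a config references exists, that private keys and shared secrets are readable by their owner only, prints advisory notes for the two points above, and compares comp-lzo between a server and a client config. It only knows the directive names used on this page (ca, cert, key, dh, tls-auth, user, comp-lzo) and works for client.conf just as well as for server.conf.

```shell
#!/bin/sh
# Added example (not from the post or from OpenVPN): lint an OpenVPN config
# before restarting the daemon. Knows only the directives used on this page.
#
# Usage: ./lint_ovpn.sh /etc/openvpn/server.conf [/etc/openvpn/client.conf]

# lint_conf CONF
# Returns 0 when every file CONF references exists and every private key or
# shared secret is readable by its owner only; returns 1 otherwise. Advisory
# notes are printed without failing.
lint_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi
    confdir=$(dirname "$conf")
    # Strip comments, then keep "directive=path" for the file-bearing directives.
    refs=$(sed 's/#.*//' "$conf" |
           awk '$1 ~ /^(ca|cert|key|dh|tls-auth)$/ && NF >= 2 {print $1 "=" $2}')
    for ref in $refs; do
        directive=${ref%%=*}
        path=${ref#*=}
        # Resolve relative paths against the config's directory, which is what
        # the Ubuntu init script gives the daemon via --cd /etc/openvpn.
        case "$path" in /*) ;; *) path="$confdir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist"
            rc=1
            continue
        fi
        case "$directive" in
            key|tls-auth)
                mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
                case "$mode" in
                    ?00) ;;
                    *) echo "$directive: $path is mode $mode, expected 600"; rc=1 ;;
                esac ;;
        esac
    done
    # Advisory checks: not fatal, but worth knowing before going live.
    grep -q '^[[:space:]]*tls-auth' "$conf" ||
        echo "note: $conf has no tls-auth directive, so ta.key is never used"
    grep -q '^[[:space:]]*user[[:space:]]' "$conf" ||
        echo "note: $conf has no user directive, so the daemon keeps running as root"
    return "$rc"
}

# comp_lzo_agrees SERVER_CONF CLIENT_CONF
# Returns 0 when both configs enable comp-lzo or both leave it off, 1 otherwise.
comp_lzo_agrees() {
    s=$(sed 's/#.*//' "$1" | awk '/^[[:space:]]*comp-lzo/ {n++} END {print n+0}')
    c=$(sed 's/#.*//' "$2" | awk '/^[[:space:]]*comp-lzo/ {n++} END {print n+0}')
    s=$((s > 0))
    c=$((c > 0))
    if [ "$s" -ne "$c" ]; then
        echo "comp-lzo mismatch: server=$s client=$c (1 = enabled)"
        return 1
    fi
    return 0
}

# Run directly: lint each config given; with two, also compare comp-lzo.
if [ "$#" -ge 1 ]; then
    for f in "$@"; do lint_conf "$f" && echo "$f: OK"; done
    if [ "$#" -eq 2 ]; then comp_lzo_agrees "$1" "$2" && echo "comp-lzo agrees"; fi
fi
```

On the server, ./lint_ovpn.sh /etc/openvpn/server.conf checks the paths under /etc/openvpn/easy-rsa/keys that server.conf points at; copying client.conf from a client next to it and passing both files also reports the comp-lzo disagreement between the two configurations shown on this page.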

Configuring the Clients


First, the installation of the packages:
sudo apt-get install openvpn openssl
Also, our working directory will be /etc/openvpn/
cd /etc/openvpn
Make some directories:
sudo mkdir /etc/openvpn/easy-rsa/
sudo mkdir /etc/openvpn/easy-rsa/keys

From the server, copy the following files to the client, and place them in the appropriate folder:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/CLIENTNAME.crt
/etc/openvpn/easy-rsa/keys/CLIENTNAME.key
/etc/openvpn/ta.key
Where CLIENTNAME.crt and CLIENTNAME.key are the certificates created in the server before.
Then with the server configured and the client certificates copied to the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Backup /etc/openvpn/client.conf:
sudo mv /etc/openvpn/client.conf /etc/openvpn/client.conf.bak
Create a new /etc/openvpn/client.conf with the following options; in the line remote 123.456.789.000 1194, replace 123.456.789.000 with the public IP address or the hostname of your server:
dev tun
client
proto tcp
remote 123.456.789.000 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/easy-rsa/keys/CLIENTNAME.crt
key /etc/openvpn/easy-rsa/keys/CLIENTNAME.key
comp-lzo
# Set log file verbosity.
verb 3 
Where CLIENTNAME.crt and CLIENTNAME.key are the certificates created in the server before and which already must be copied to the client.

Finally, restart openvpn:
sudo /etc/init.d/openvpn restart
Now you should be able to connect to the remote LAN through the VPN. If you run the ifconfig command, you should see a new tunneled interface, something like this:

[IMAGE]

Notice that a new IP address is assigned to the client; that is a private IP address of our VPN.

Also, you can test the network with some pings :)




UPDATE (11/mar/2012) Configuring and Connecting 2 Remote VPNs


First, follow all the previous steps to build a fully functional local VPN.

We make our cluster a client of another one. For this, on the remote VPN server, open a terminal and create the corresponding certificates for the client. Replace CLIENTNAME with the hostname of the local VPN server; to find it, run hostname in a terminal on the local VPN server:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool CLIENTNAME

Back in our local VPN, copy the following files from the remote VPN server to the local VPN server, and place them in the appropriate folder:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/CLIENTNAME.crt
/etc/openvpn/easy-rsa/keys/CLIENTNAME.key
/etc/openvpn/ta.key
Remember CLIENTNAME.crt and CLIENTNAME.key are the certificates created in the server before.
Then create the client configuration file by copying the example. In a terminal on the local VPN server enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Backup /etc/openvpn/client.conf:
sudo mv /etc/openvpn/client.conf /etc/openvpn/client.conf.bak
Create a new /etc/openvpn/client.conf with the following options; in the line remote remote.vpn.domain 1194, replace remote.vpn.domain with the domain of the remote VPN server (it is highly recommended to use a service like DynDNS):
dev tun
client
proto tcp
remote remote.vpn.domain 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/easy-rsa/keys/CLIENTNAME.crt
key /etc/openvpn/easy-rsa/keys/CLIENTNAME.key
comp-lzo
# Set log file verbosity.
verb 3 
Where CLIENTNAME.crt and CLIENTNAME.key are the certificates created in the server before and which already must be copied to the client.

Finally, restart openvpn in the local VPN server:
sudo /etc/init.d/openvpn restart
Now you should be able to connect to the remote LAN through the VPN. You can also see how the client and server daemons start on the local VPN server:

[IMAGE]

You must have the tunneled interface like before, and now, if you run the route command, you should be able to see the IP range of your VPN and also the IP range of the remote VPN.

Reference: https://help.ubuntu.com/10.04/serverguide/openvpn.html
