One of the most important tools for working on-the-go is being able to connect to your office via the Interweb in a secure manner. I’m talking about VPN (Virtual Private Network). There are many services out there (paid and free), but I wanted something that worked in a point-to-point manner and that allowed me to appear to be physically connected to the (remote) LAN. For this I turned to OpenVPN.
OpenVPN is a free, open source VPN implementation. I must admit that I’ve used it before and it worked great, but I’ve never set up an OpenVPN network before. In my attempt to actually implement a VPN network using OpenVPN, I found the initial cryptography pretty straightforward when following the HOWTO guide, but stumbled around quite a bit during the testing phase when I tried to access the remote/server LAN’s resources. The HOWTO documentation is quite fragmented and not very noob-friendly. After much Googling and YouTubing, I finally worked out what the issue(s) were and managed to get the VPN working this morning.
What I hope to present here is my implementation, in a form that can be successfully repeated.
Before we begin, I found having a network diagram (courtesy of Gliffy) very useful so I could visualise what was happening:
- OpenVPN Server (Windows 7 Ultimate 64-bit)
- Router (Billion
Due to the nature of ADSL accounts, WAN IP addresses are dynamically allocated by the ISP, which makes finding the office’s IP address a moving target. To manage this issue, we use a public (and free) dynamic DNS service like DynDNS.
Create a free DynDNS hostname, something like mydomain.dyndns.org. You can plug that into your router (if it supports dynamic DNS updates) or download one of DynDNS’s clients.
Installing OpenVPN on the client and server
Download the Windows OpenVPN installer here (I used 2.1.4) and run it on both server and client.
By default, your [OpenVPN server-side] ADSL router is configured to disallow incoming connections. We will need to configure port forwarding on the router to allow your client to reach the OpenVPN server behind it. As you’ll see from the client configuration file, clients connect to the server via port 443 (HTTPS); I used this port because some corporate networks only allow outgoing HTTP and HTTPS connections.
Network Connection Bridging
As explained previously, bridge mode allows VPN clients to connect to the server LAN and browse/operate as if they were on that LAN. This is done as follows on the server:
- Navigate to Control Panel\Network and Internet\Network Connections.
- Rename the TAP-Win32 Adapter (installed by OpenVPN) to “OpenVPN”.
- Select the “OpenVPN” adapter and your server’s primary adapter (e.g. “Local Area Connection” or “Wireless Network Connection”). Right-click and select “Bridge Connection”.
- Rename the new bridged connection to “OpenVPN Bridge”.
- If your Local Area Connection (or Wireless Network Connection) IP address is manually assigned, then the IP address and gateway must also be manually specified for the OpenVPN Bridge adapter.
The following assumptions are made:
- Your server’s LAN IP address is dynamically allocated (192.168.1.105 in my example).
- Your physical LAN IP range is 192.168.1.1xx (mask 255.255.255.0)
- Your VPN client IP range is 192.168.1.2xx (mask 255.255.255.0), managed by the OpenVPN server
Setting up your Certificate Authority (CA) and generating certificates and keys for your OpenVPN server and multiple clients.
Here we do some crypto black magic (you can read the specifics in the HOWTO). I’m going to present it as simply as possible, as per the HOWTO:
The build-ca.bat script generates the certificate authority (CA) certificate and key. During the generation process you’ll be prompted for some information; for most fields the default value can be used (just hit Enter). The only parameter that must be entered is the COMMON NAME (e.g. OpenVPN-CA).
Generate certificate & key for server
Generate certificates & keys for n clients
When prompted for the COMMON NAME, enter “client1”, “client2”, etc.
Generate Diffie Hellman parameters
While the process is running, move your mouse around; this helps generate random data. Note: the process might end with a failure message that can be ignored (it doesn’t seem to affect operation).
Key Files
Starting the Server
Starting the Client
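The server and client configuration files that the steps above lead to, written here as an added example (not the post’s own files) against the assumptions listed earlier: the server’s bridge address is 192.168.1.105, VPN clients are handed addresses from the 192.168.1.2xx range, clients reach the server through the DynDNS hostname on port 443, and the file names are those the easy-rsa batch scripts produce. TCP as the transport and a server certificate built with build-key-server.bat are my assumptions, not something the post states.

```conf
# server.ovpn  (added example, not the original post's file)
port 443                 # forwarded on the router as described above
proto tcp-server         # assumption: TCP so the tunnel looks like HTTPS to a corporate firewall
dev tap
dev-node "OpenVPN"       # the renamed TAP-Win32 adapter that was bridged into "OpenVPN Bridge"
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem            # assumption: file written by build-dh.bat with the default KEY_SIZE=1024
# gateway (the bridge's LAN address), mask, and the 192.168.1.2xx pool handed to VPN clients.
# The gateway must be the address the bridge actually holds, so reserve 192.168.1.105 on the
# router rather than relying on plain DHCP, and keep .200-.254 out of the router's DHCP pool.
server-bridge 192.168.1.105 255.255.255.0 192.168.1.200 192.168.1.254
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

# client1.ovpn  (one file per client certificate: client1, client2, ...)
client
dev tap
proto tcp-client         # must match the server's proto
remote mydomain.dyndns.org 443   # the DynDNS hostname created earlier
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server      # assumption: server cert built with build-key-server.bat; rejects a client cert posing as the server
comp-lzo
verb 3
```

Both files go in the OpenVPN\config directory alongside the key files they reference; the server needs only server.ovpn there, the client only its own client file.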
Running the server as a service
By default, OpenVPN is installed as the OpenVPN Service with its startup type set to Manual. To start OpenVPN automatically when the server boots, set the startup type to Automatic. The OpenVPN service scans the OpenVPN/config directory for .ovpn files and starts an instance for each one, so ensure that server.ovpn is the only .ovpn file in the ./config directory.