OpenVPN

Introduction
One of the most important tools for working on-the-go is being able to connect to your office via the Interweb in a secure manner. I’m talking about VPN (Virtual Private Network). There are many services out there (paid and free), but I wanted something that worked in a point-to-point manner and that allowed me to appear to be physically connected to the (remote) LAN. For this I turned to OpenVPN.
OpenVPN is a free, open source VPN implementation. I must admit that I’ve used it before and it worked great, but I had never set up an OpenVPN network before. In my attempt to actually implement a VPN network using OpenVPN, I found the initial cryptography pretty straightforward when following the HOWTO guide, but stumbled around quite a bit during the testing phase when I tried to access the remote/server LAN’s resources. The HOWTO documentation is quite fragmented and not very noob-friendly. After much Googling and YouTubing, I finally worked out what the issue(s) were and managed to get the VPN working this morning.
What I hope to present here is my implementation, so that it can be successfully repeated.
Before we begin, I found having a network diagram (courtesy of Gliffy) very useful so I could visualise what was happening:
  • OpenVPN Server (Windows 7 Ultimate 64-bit)
  • Router (Billion BIPAC-7402G) set up as DHCP & DNS server and PPPoE with Pass-thru mode
  • WAN (MWeb 384kps ADSL)
  • OpenVPN Client (Windows Vista)

Prerequisites

Due to the nature of ADSL accounts, WAN IP addresses are dynamically allocated by the ISP, which makes finding the office’s IP address a moving target. To manage this, we use a public (and free) dynamic DNS service like DynDNS.
Create a free DynDNS hostname, something like mydomain.dyndns.org. You can plug that into your router (if it supports dynamic DNS updates) or download one of DynDNS’s update clients.

Installing OpenVPN on the client and server

Download the Windows OpenVPN installer here (I used 2.1.4) and run it on both server and client.

Router configuration

By default, your [OpenVPN server-side] ADSL router is configured to disallow incoming connections. We will need to configure Port Forwarding on your router to allow your client to reach the OpenVPN server behind it. As you’ll see from the client configuration file, clients will connect to the server via port 443 (HTTPS). I used this port because some corporate networks may only allow HTTP and HTTPS outgoing connections.

Network Connection Bridging

As explained previously, bridge mode allows VPN clients to connect to the server LAN and browse/operate as if they were on that LAN. This is done as follows on the server:
  • Navigate to Control Panel\Network and Internet\Network Connections.
  • Rename the TAP-Win32 Adapter (installed by OpenVPN) to “OpenVPN”.
  • Select the “OpenVPN” adapter and your server’s primary adapter (e.g. “Local Area Connection” or “Wireless Network Connection”). Right-click and select “Bridge Connections”.
  • Rename the new bridged connection to “OpenVPN Bridge”.
  • If your Local Area Connection (or Wireless Network Connection) IP address is manually allocated, then the IP address and gateway must be manually specified for your OpenVPN Bridge adapter.

Assumptions

The following assumptions are made:
  • Your server’s LAN IP address is dynamically allocated (192.168.1.105 in my example).
  • Your physical LAN IP range is 192.168.1.1xx (mask 255.255.255.0).
  • Your VPN client IP range is 192.168.1.2xx (mask 255.255.255.0), managed by the OpenVPN server.
Setting up your Certificate Authority (CA) and generating certificates and keys for your OpenVPN server and multiple clients.
Here we do some crypto black magic (you can read the specifics in the HOWTO). I’m going to present it here as per the HOWTO, as simply as possible. All of these steps are done on the server:
  • Open the command prompt as Administrator
  • cd to C:\Program Files (x86)\OpenVPN\easy-rsa
  • run init-config
  • Edit the vars.bat file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters (mandatory)
  • run vars.bat
  • run clean-all.bat
  • run build-ca.bat
The build-ca.bat script will generate the certificate authority (CA) certificate and key. During the generation process, you’ll be prompted for some info; for most of the prompts the default value can be used (just hit Enter). The only parameter that must be entered is COMMON NAME (e.g. OpenVPN-CA).
Generate certificate & key for server
  • run build-key-server.bat server
  • When COMMON NAME is prompted, enter “server”
  • When Sign the certificate? [y/n] is prompted, enter “y”
  • When 1 out of 1 certificate requests certified, commit? [y/n] is prompted, enter “y”
Generate certificates & keys for n clients

  • run build-key client1
  • run build-key client2
  • run build-key clientn
When prompted for the COMMON NAME, enter “client1”, “client2”, etc.
Generate Diffie-Hellman parameters

  • run build-dh.bat
While the process is running, move your mouse around. This helps generate random data. Note: the process might end with a failure message that can be ignored (it doesn’t seem to affect the operation).
Key Files (server)

  • cd to C:\Program Files (x86)\OpenVPN\easy-rsa\keys
  • Copy ca.crt, client1.crt and client1.key to Client 1 computer. Repeat for each client.
Key Files (client)

  • Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\easy-rsa\keys
Configuration file (server)

  • cd to C:\Program Files (x86)\OpenVPN\config
  • copy server.ovpn (see attachments) to C:\Program Files (x86)\OpenVPN\config
  • edit server.ovpn and update the bridge settings for your LAN (local address, netmask, and the start and end of the client address pool):

    server-bridge [local_ip_address mask client_ip_start client_ip_end]

  • edit server.ovpn and update the DNS server that is pushed to clients:

    push "dhcp-option DNS dns_ip_address"

Configuration file (client)

  • cd to C:\Program Files\OpenVPN\config
  • copy client.ovpn (see attachments) to C:\Program Files (x86)\OpenVPN\config
  • Edit client.ovpn and change the remote parameter to your DynDNS domain name (see Prerequisites section).
  • Edit client.ovpn and ensure the cert and key parameters correctly refer to the client key files copied in the previous step.
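The two configuration sections above leave a lot of room for a subtle mistake: in bridge mode the client pool given to server-bridge must sit inside the bridged LAN subnet, must not overlap the router’s DHCP range (192.168.1.1xx in the Assumptions section) or include the server’s own address, and the client’s remote/proto/dev lines must match the server’s. The following Python script is an added example (not the post’s attachments and not OpenVPN’s own code) that parses two constructed .ovpn files built from the values in this post and checks those rules. It assumes `proto tcp` because port 443/HTTPS is used, and the sample file names, addresses and the 192.168.1.200–192.168.1.254 pool are illustrative only.

```python
import ipaddress
import re

# Constructed sample of the server.ovpn bridge settings, using the addresses
# from the Assumptions section (this is not the post's attachment).
SERVER_OVPN = """\
port 443
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
server-bridge 192.168.1.105 255.255.255.0 192.168.1.200 192.168.1.254
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
"""

# Constructed sample of client1's client.ovpn (not the post's attachment).
CLIENT_OVPN = """\
client
dev tap
proto tcp
remote mydomain.dyndns.org 443
ca ca.crt
cert client1.crt
key client1.key
"""

# The router's DHCP pool from the Assumptions section: 192.168.1.1xx.
LAN_DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
                 ipaddress.ip_address("192.168.1.199"))


def parse_ovpn(text):
    """Return {directive: args} for an OpenVPN config. Lines starting with
    '#' or ';' are comments. 'push' may repeat, so it is collected as a list
    with the surrounding quotes removed."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        name = parts[0]
        args = parts[1].strip() if len(parts) > 1 else ""
        if name == "push":
            conf.setdefault("push", []).append(args.strip('"'))
        else:
            conf.setdefault(name, args)
    return conf


def check_server_bridge(conf, dhcp_pool):
    """Return a list of problems with the server-bridge/push settings
    (empty list means the bridge configuration is consistent)."""
    problems = []
    args = conf.get("server-bridge", "").split()
    if len(args) != 4:
        return ["server-bridge needs: local_ip netmask pool_start pool_end"]
    local_ip, netmask, start, end = args
    try:
        lan = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
        local = ipaddress.ip_address(local_ip)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError as exc:
        return [f"server-bridge has an invalid address: {exc}"]
    if first > last:
        problems.append("client pool start is after pool end")
    if first not in lan or last not in lan:
        problems.append("client pool is not inside the bridged LAN subnet")
    if first <= local <= last:
        problems.append("client pool contains the server's own address")
    if first <= dhcp_pool[1] and last >= dhcp_pool[0]:
        problems.append("client pool overlaps the router's DHCP pool")
    for opt in conf.get("push", []):
        m = re.match(r"dhcp-option\s+DNS\s+(\S+)", opt)
        if m and ipaddress.ip_address(m.group(1)) not in lan:
            problems.append("pushed DNS server is not on the LAN")
    if conf.get("dev") != "tap":
        problems.append("bridge mode needs 'dev tap', not 'dev tun'")
    return problems


def check_client(conf, server_conf, client_name):
    """Return a list of mismatches between a client.ovpn and the server config."""
    problems = []
    remote = conf.get("remote", "").split()
    if len(remote) < 2 or remote[1] != server_conf.get("port"):
        problems.append("client 'remote' port does not match the server port")
    if conf.get("proto") != server_conf.get("proto"):
        problems.append("client and server 'proto' differ")
    if conf.get("dev") != server_conf.get("dev"):
        problems.append("client and server 'dev' differ")
    if (conf.get("cert") != f"{client_name}.crt"
            or conf.get("key") != f"{client_name}.key"):
        problems.append(f"cert/key do not point at {client_name}.crt/.key")
    return problems


if __name__ == "__main__":
    server = parse_ovpn(SERVER_OVPN)
    print("server:", check_server_bridge(server, LAN_DHCP_POOL) or "ok")
    print("client1:", check_client(parse_ovpn(CLIENT_OVPN), server, "client1") or "ok")
```

To use it against your own files, read server.ovpn and client.ovpn from the config directories above into the two strings and adjust LAN_DHCP_POOL to whatever range your router hands out; the DHCP-overlap check is the one that most often explains “the tunnel is up but I get the wrong address” symptoms in bridge mode.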
Starting the Server

  • From the command line, start the OpenVPN server

    openvpn "C:\Program Files (x86)\OpenVPN\config\server.ovpn"

  • A Windows Firewall warning may pop up telling you that OpenVPN wants access to a port; select OK. (You may have to edit your firewall settings to allow inbound TCP & UDP connections.)
Starting the Client

  • Double-click the OpenVPN GUI desktop icon to launch the GUI in the system tray.
  • Right-click the icon and select Connect.

Running the server as a service

By default, OpenVPN is installed as OpenVPN Service with the startup type set as Manual.  To start OpenVPN automatically when the server starts up, set the startup type to Automatic.  By default, the OpenVPN service will scan the OpenVPN/config directory for .ovpn files and start an instance for each.  Ensure you only have server.ovpn in the ./config directory.

References/Resources

One response to “OpenVPN”

  1. openvpn tester

    September 11, 2012 at 12:11

    hi there!
    thx for publishing this manual.
    can you please highlight the links where to download to the above mentioned “attachments” to server.ovpn and client.ovpn?
    thanks a lot!
