Today, there's growing demand for connecting branch offices as well as mobile
users with the head office. Hardware and software based VPN solutions are the
best solution for this requirement. That's why in this article, we'll show you
how to setup a secure, reliable, and free VPN solution called OpenVPN.
OpenVPN is an SSL based VPN solution that can be deployed on any platform, be
it Windows or UNIX. It can be configured for site to site or user to site type
of connectivity. The best part is that it comes with features that every
enterprise requires, like load balancing, failover, and fine-grained
access-control.
It is neither a Web-app proxy, nor does it operate through a browser. Moreover,
it lacks a GUI, so you'll need to work fairly hard to configure it: all initial
configuration is done manually. We have deployed it on a Windows 2003 Server.
This is how we did it.
1.Initialize parameters
First of all, make sure that your VPN server has two network cards, one to
connect to your local network and the other to connect to the Internet. It must
also have a public IP address. You can download and install the latest version
of OpenVPN from http://openvpn.net/. After installation, it will create an
additional virtual network adaptor on your machine, which will be used for VPN
connectivity.
You also need to ensure that your VPN server is protected by a firewall. You
need to install the same software on all the clients as well. Now, from the
command prompt go to 'C:\Program Files\OpenVPN\easy-rsa' directory and execute
the init-config.bat file. This file will create a file called 'vars.bat.sample'.
Open this file and change the values of the following parameters:
KEY_SIZE=2048
KEY_COUNTRY=IN
KEY_PROVINCE=ND
KEY_CITY=DELHI
KEY_ORG=your company name
KEY_EMAIL=certs@yourcompany.com
KEY_DIR=c:\key
These parameters are used to generate the certificates and keys, so set
values that are relevant to your setup. Also note that the KEY_DIR parameter
sets the folder where all keys and certificate files will be generated and
stored; keep this folder off the network. Save this file as vars.bat in the same
directory, and then execute it from the command prompt. Then, on the VPN server,
create the folder 'C:\key'.
2.Generate a signed certificate
From the command prompt, go to C:\Program Files\OpenVPN\easy-rsa directory
and execute 'build-ca.bat'. This batch file creates a signed certificate for you
(ca.crt and ca.key).
On executing this batch file, you will be prompted to fill in the details
that you want in the certificate. Accept the default values that you entered
earlier in the vars.bat file. After execution of the above command the .key and
.crt files will be placed in the 'C:\key' folder.
3.Generate a signed certificate for OpenVPN server
Next you need to create a certificate file to associate with your VPN
server. For this, execute the build-key-server.bat
your VPN server.
On executing this, you will be prompted to fill in the certificate details,
similar to what we did in step 2. Accept the default values and when asked for a
password leave it blank by pressing the '.' key.
When asked about the 'host name' give the machine name of your OpenVPN
server. Then you will be asked to sign the certificate, press 'Y' to commit.
This batch file will create a private key and a public certificate, signed by
the previously created certificate authority, for the OpenVPN server.
This key set is automatically saved at 'C:\key' location.
Table (A): Directories where the generated keys have to be stored (see Step 6).
Machine         | Files to copy              | Location
OpenVPN server  | ca.crt, ta.key, dh2048.pem | C:\Program Files\OpenVPN\config
OpenVPN clients | ca.crt, ta.key             | C:\Program Files\OpenVPN\config
Table (B): Changes to be made in the server.conf file so that the OpenVPN server
can use the certificates and keys for authentication
File name: server.ovpn (server.conf copied and renamed in Step 7)
Default parameter value | New value             | Comments
cert server.crt         | cert <servername>.crt | certificate file with the prefix of your VPN server name
key server.key          | key <servername>.key  | key file with the prefix of your VPN server name
;tls-auth ta.key 1      | tls-auth ta.key 1     | remove ";"
;max-clients 100        | max-clients 100       | remove ";"; sets the maximum number of concurrent clients on your VPN
dh dh1024.pem           | dh dh2048.pem         | replace with the 2048-bit dh2048.pem file generated in Step 5
;client-to-client       | client-to-client      | remove ";"; allows clients to ping each other to check connectivity
Table (C): Changes to be made on all VPN client machines
File name: client.ovpn (client.conf copied and renamed in Step 8)
Default parameter value | New value              | Comments
remote my-server-1 1194 | remote <public-IP> 1194 | IP address by which the client can reach the OpenVPN server
cert client.crt         | cert <clientname>.crt  | certificate file with the prefix of your VPN client name
key client.key          | key <clientname>.key   | key file with the prefix of your VPN client name
;ns-cert-type server    | ns-cert-type server    | remove ";"
4.Generate signed certificates for clients
Next you have to generate certificate files for all clients that will
connect to the VPN server. It is exactly the same as generating a certificate
for your server, as shown in step 3. You just need to execute build-key
logical names of each client that will use this certificate for connecting to
the VPN server. When asked for a 'Common Name', enter machine name of the
client-machine. This batch file will create a private key and a public
certificate, signed by the previously created certificate authority, for OpenVPN
client.
Likewise, you have to generate a certificate file for each client.
5.Create an encryption key
Next, you need to generate the Diffie-Hellman parameters that the server uses
when it negotiates session keys with clients. To generate this file, once again
open the command prompt, go to the 'C:\Program Files\OpenVPN\easy-rsa' directory
and execute the 'build-dh.bat' file.
This batch file searches for a large prime number, which may take some time.
Once it has finished successfully, you will find a 2048-bit parameter file,
dh2048.pem, in C:\key. Then, from the 'C:\Program Files\OpenVPN\bin' directory,
execute the following command:
openvpn --genkey --secret ta.key
This creates another key file, named 'ta.key', in the 'C:\Program Files\OpenVPN\bin'
directory. Move this 'ta.key' file to C:\key.
This file is a shared secret used for TLS authentication (tls-auth), which adds
another layer of security to the VPN: packets that do not carry a valid HMAC
signed with this key are dropped before the TLS handshake even starts, so it
must be kept as private as the certificate keys.
6.Copy Certificates
Till now, you have created all security keys and certificates for both
clients and VPN server in the C:\key directory. Now, copy the certificates and
other key files to their respective directories, as defined in Table (A).
7.Configure OpenVPN Server
You now have to configure the OpenVPN server so that it can use the
certificates and keys created above for authentication. Go to the
'C:\Program Files\OpenVPN\sample-config' directory and copy the server.conf file
as server.ovpn to the 'C:\Program Files\OpenVPN\config' directory. Open this
file, make the changes shown in Table (B), and save it.
8.Client configuration
You now have to change a few parameters in your client configuration file.
For this, go to the 'C:\Program Files\OpenVPN\sample-config' directory and copy
the client.conf file as client.ovpn to the 'C:\Program Files\OpenVPN\config'
directory. Then open this file, make the changes shown in Table (C), and save it.
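The following is an added worked example, not the article's own files, showing how server.ovpn and client.ovpn look once the edits from Tables (B) and (C) have been applied to the stock sample configs. The certificate names are assumptions: the server certificate is taken to have been built in Step 3 as "vpnserver" and the client certificate in Step 4 as "laptop01", and the server's public address 203.0.113.10 is a placeholder. File names without a path are resolved relative to the config directory, so the cert and key files must sit there alongside the Table (A) files; if you do give absolute Windows paths, write them with forward slashes or doubled backslashes.

```conf
# ---- server.ovpn (C:\Program Files\OpenVPN\config on the server) ----
# Assumed: server certificate/key were built in Step 3 as "vpnserver".
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
# 2048-bit Diffie-Hellman parameters from Step 5 (Table B)
dh dh2048.pem
# tls-auth shared secret from Step 5; the direction flag must be the
# opposite of the one used on the clients (Table B uses 1 here)
tls-auth ta.key 1
server 10.8.0.0 255.255.255.0
# let clients reach each other, e.g. for ping tests (Table B)
client-to-client
max-clients 100
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3

# ---- client.ovpn (C:\Program Files\OpenVPN\config on each client) ----
# Assumed: this client's certificate/key were built in Step 4 as "laptop01";
# 203.0.113.10 is a placeholder for the server's public IP (Table C).
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop01.crt
key laptop01.key
# same ta.key as the server, opposite direction flag
tls-auth ta.key 0
# only accept a server certificate that carries the server nsCertType,
# i.e. one produced by build-key-server.bat in Step 3, never build-key.bat
ns-cert-type server
verb 3
```

Two points worth checking against your own files: the tls-auth direction flags must differ between the two ends (1 on the server, 0 on the clients, as above), otherwise the HMAC check fails and no tunnel comes up; and ns-cert-type server on the client will reject a server certificate that was generated with build-key.bat instead of build-key-server.bat, which is the behaviour you want, since it stops a stolen client certificate from being used to impersonate the server.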
9.Start the OpenVPN service
You're now ready to start the OpenVPN service on the clients and the
server. Click on Start > Settings > Control Panel > Administrative Tools.
Double-click the "Services" icon and you get a console showing all services
installed on your Windows machine.
Select the OpenVPN service, set its startup type to Automatic and then start
the service. Repeat this process on the OpenVPN server and on every client that
you want to connect to your server. Once the service has started successfully on
the server, you will see that the virtual VPN adaptor automatically connects and
acquires an IP address in the 10.8.0.x range.
The same thing will happen on the clients as well. To check VPN connectivity
from any client, ping '10.8.0.1' from it; this is the default IP of our
OpenVPN server. If you are able to ping the server on this IP from a client,
then rest assured that your VPN connectivity has been successfully established.
Now, you can access your IT resources from a remote location via an Internet
connection, without worrying about security, since OpenVPN provides connectivity
between you and your office over a secure SSL VPN tunnel.
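As an added example (not part of the original article), the batch file below bundles the checks from Steps 6 to 9 into one script you can run on the server after setup: it confirms that every file from Table (A) is present, that the Table (B) lines were uncommented, that the shared secret and private key are not readable by Everyone, and that the service is running and the tunnel address responds. The config directory, the 10.8.0.1 address and the file names come from the article; "vpnserver" is an assumed certificate name from Step 3, and OpenVPNService is the service name the OpenVPN Windows installer registers, which you should confirm in the Services console if your version differs.

```batch
@echo off
rem Post-deployment check for the OpenVPN setup described in the article.
rem Added example; "vpnserver" is an assumed certificate name from Step 3.
setlocal
set CFG=C:\Program Files\OpenVPN\config
set SRVNAME=vpnserver
set FAIL=0

rem 1. Every file Table (A) expects on the server, plus the server
rem    certificate, key and config, must be present in the config folder.
for %%F in (ca.crt ta.key dh2048.pem %SRVNAME%.crt %SRVNAME%.key server.ovpn) do (
    if not exist "%CFG%\%%F" (
        echo MISSING: %CFG%\%%F
        set FAIL=1
    )
)

rem 2. The Table (B) edits must have taken effect: each line must exist
rem    at the start of a line, i.e. without the leading ";" comment marker.
for %%L in ("tls-auth ta.key 1" "dh dh2048.pem" "client-to-client" "max-clients 100") do (
    findstr /b /c:%%L "%CFG%\server.ovpn" >nul || (
        echo NOT SET: %%L in server.ovpn
        set FAIL=1
    )
)

rem 3. The tls-auth secret and the private key must not be readable by
rem    everyone; cacls prints the ACL so an Everyone entry is easy to spot.
for %%F in (ta.key %SRVNAME%.key) do (
    cacls "%CFG%\%%F" | findstr /i "Everyone" >nul && (
        echo WARNING: Everyone has access to %CFG%\%%F
        set FAIL=1
    )
)

rem 4. The service must be running and the tunnel address must answer.
sc query OpenVPNService | findstr /c:"RUNNING" >nul || (
    echo OpenVPN service is not running
    set FAIL=1
)
ping -n 2 10.8.0.1 >nul || (
    echo Cannot reach 10.8.0.1 over the tunnel
    set FAIL=1
)

if %FAIL%==0 (echo All checks passed) else (echo One or more checks failed)
endlocal & exit /b %FAIL%
```

Run it from an elevated command prompt on the server; a non-zero exit code means at least one check failed, and the messages name the file, line or service concerned. Removing the Everyone entry that check 3 flags (with cacls or the Security tab of the file) matters because anyone who can read ta.key or the server's private key can defeat the tls-auth layer or impersonate the server.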