Seamless, Secure and Reliable VPN

PCQ Bureau
Today there is growing demand for connecting branch offices, as well as mobile users, to the head office. Hardware- and software-based VPN solutions are the usual answer to this requirement. In this article we show you how to set up a secure, reliable and free VPN solution, OpenVPN.

OpenVPN is an SSL/TLS-based VPN solution that can be deployed on any platform, Windows or UNIX. It can be configured for site-to-site or user-to-site connectivity, and it comes with features every enterprise requires, such as load balancing, failover and fine-grained access control.

It is neither a Web-application proxy nor does it operate through a browser. The Windows package has no configuration GUI, so expect to work fairly hard: all initial configuration is done by hand in text files. We deployed it on a Windows 2003 Server; this is how we did it.

Direct Hit!

Applies To: Network managers
USP: Harness enterprise VPN capabilities for free
Primary Link: http://openvpn.net/
Google Keywords: open VPN

1. Initialize parameters

First of all, make sure that your VPN server has two network cards, one connected to your local network and the other to the Internet, and that the Internet-facing interface has a public IP address. Download and install the latest version of OpenVPN from http://openvpn.net/. The installer adds a virtual (TAP) network adaptor to the machine; this is the interface the VPN tunnel will use.

Protect the VPN server with a firewall that admits only the OpenVPN port (UDP 1194 by default) from the Internet. Install the same OpenVPN package on every client as well. Now open a command prompt, go to the 'C:\Program Files\OpenVPN\easy-rsa' directory and execute init-config.bat. It copies the sample vars.bat.sample to vars.bat and puts a working OpenSSL configuration file in place. Open vars.bat and change the values of the following variables (each is a 'set' line in the file):

KEY_SIZE=2048
KEY_COUNTRY=IN
KEY_PROVINCE=ND
KEY_CITY=DELHI
KEY_ORG=your company name
KEY_EMAIL=certs@yourcompany.com
KEY_DIR=c:\key

These values become the subject fields of every certificate you generate, so set them to match your organisation. KEY_SIZE controls the length of the RSA keys and of the Diffie-Hellman parameters built later; 2048 bits is the minimum you should use. KEY_DIR is the folder where all private keys and certificates will be written. Keep it on the server, back it up, and treat the CA private key it will contain (ca.key) as offline material: it is never copied to a client or into the OpenVPN config directory. Save vars.bat, then execute it from the command prompt to load the variables into that session (you must run it again in every new command prompt), and then execute clean-all.bat. That creates the KEY_DIR folder, C:\key here, together with the empty index.txt and serial files that the signing steps need. Run clean-all.bat only this once: running it again wipes KEY_DIR and every certificate in it.

2. Generate the certificate authority

From the command prompt, go to the C:\Program Files\OpenVPN\easy-rsa directory and execute 'build-ca.bat'. This creates your own certificate authority: a self-signed CA certificate (ca.crt) and its private key (ca.key). Every server and client certificate you issue later is signed with this key, and every peer verifies the other side against ca.crt.

You will be prompted for the fields to put in the certificate. Accept the defaults, which are the values you set in vars.bat, and when asked for a Common Name give the CA a distinctive name, for example your company name followed by 'CA'. Both files are placed in the 'C:\key' folder.

3. Generate a signed certificate for the OpenVPN server

Next you need a certificate for the VPN server itself. Execute 'build-key-server.bat <server-name>', where <server-name> is any logical name you want to assign to your VPN server; it becomes the prefix of the generated files.

You will be prompted for the certificate details as in step 2. Accept the defaults; when asked for the Common Name, give the machine name of your OpenVPN server; and when asked for a challenge password and an optional company name, leave them blank by pressing Enter. You will then be asked whether to sign the certificate and whether to commit it: answer 'y' to both.

The batch file creates a private key (<server-name>.key) and a certificate (<server-name>.crt) signed by the certificate authority created in step 2. Because build-key-server marks the certificate as a server certificate (nsCertType=server), clients configured with 'ns-cert-type server' will accept only this certificate, not another client's, as the VPN server. Both files are saved in 'C:\key'.

Table (A): Directories where the generated keys and certificates have to be placed (see Step 6). Only the files listed are copied; ca.key stays in C:\key.

Machine           Files to copy                                                        Location
OpenVPN server    ca.crt, <server-name>.crt, <server-name>.key, ta.key, dh2048.pem     C:\Program Files\OpenVPN\config
OpenVPN clients   ca.crt, <client-name>.crt, <client-name>.key, ta.key                 C:\Program Files\OpenVPN\config

Table (B): Changes to be made in server.ovpn (copied from server.conf, see Step 7) so that the OpenVPN server can use the certificates and keys for authentication

Default value          New value                   Comments
cert server.crt        cert <server-name>.crt      Certificate file, prefixed with your VPN server name
key server.key         key <server-name>.key       Private key file, prefixed with your VPN server name
;tls-auth ta.key 0     tls-auth ta.key 0           Remove ';'. Direction 0 on the server and 1 on the clients; the two sides must use opposite directions or no packet will authenticate
;max-clients 100       max-clients 100             Remove ';'. Caps the number of concurrent clients on your VPN
dh dh1024.pem          dh dh2048.pem               Replace with the 2048-bit Diffie-Hellman parameter file generated in Step 5
;client-to-client      client-to-client            Remove ';' only if your VPN clients need to reach one another (for instance to ping one client from another). It is not required for clients to reach the server or the office LAN, so leave it commented otherwise
Table (C): Changes to be made in client.ovpn (copied from client.conf, see Step 8) on all VPN client machines

Default value               New value                    Comments
remote my-server-1 1194     remote <public-IP> 1194      Public IP address (or DNS name) by which the client reaches the OpenVPN server
cert client.crt             cert <client-name>.crt       Certificate file, prefixed with this client's name
key client.key              key <client-name>.key        Private key file, prefixed with this client's name
;tls-auth ta.key 1          tls-auth ta.key 1            Remove ';'. Required once the server uses tls-auth; direction 1 complements the server's 0
;ns-cert-type server        ns-cert-type server          Remove ';'. The client then accepts only a certificate issued with build-key-server as the VPN server, so a stolen client certificate cannot impersonate it (OpenVPN 2.4 and later prefer 'remote-cert-tls server' for the same check)

4. Generate signed certificates for clients

Next you have to generate a certificate for every client that will connect to the VPN server. The procedure is exactly the same as for the server in step 3, except that you execute 'build-key.bat <client-name>', where <client-name> is the logical name of the client that will use this certificate. When asked for the Common Name, enter the machine name of that client. Every client needs its own certificate with a unique Common Name: without the duplicate-cn option the server disconnects an existing session when a new client connects with the same Common Name, and a per-client certificate is what lets you revoke one lost laptop without touching the others. The batch file creates a private key (<client-name>.key) and a certificate (<client-name>.crt), signed by the certificate authority, in 'C:\key'.

5. Create the Diffie-Hellman parameters and the tls-auth key

Two more files are needed. The first is a set of Diffie-Hellman parameters used by the server during the TLS handshake. To generate it, open the command prompt, go to the 'C:\Program Files\OpenVPN\easy-rsa' directory, run vars.bat if this is a new prompt, and execute 'build-dh.bat'. This searches for a large prime, which can take several minutes. When it finishes you will find dh2048.pem (the size follows KEY_SIZE) in C:\key. It is a public parameter file, not a secret key.

The second is the static key for tls-auth. From the 'C:\Program Files\OpenVPN\bin' directory, execute the following command:

openvpn --genkey --secret ta.key

This creates a 2048-bit static key file named 'ta.key' in the current directory ('C:\Program Files\OpenVPN\bin'). Move it to C:\key.

With tls-auth enabled, every control-channel packet carries an HMAC computed with this key, and the server discards any packet whose HMAC does not verify before it even begins the TLS handshake. That shields the server from port scans, connection floods and attacks on the TLS stack by anyone who does not hold the key, on top of the certificate authentication. The file is a shared secret: every client needs a copy, it must be delivered over a trusted channel, and it must never be published.
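To make concrete why Tables (B) and (C) give the server direction 0 and the clients direction 1, here is a small Python model of the ta.key static key and its two directions. It is an added example written for this article, not code from OpenVPN or from the original text. It mirrors the layout OpenVPN uses for a static key (two 64-byte cipher keys and two 64-byte HMAC keys, 256 bytes written as 16 hex lines between BEGIN/END markers) and the rule that direction 0 sends with key slot 0 and receives with slot 1 while direction 1 does the reverse; the 'packets' that get tagged are constructed stand-ins, not the real control-channel wire format.

```python
"""Model of the tls-auth static key and its two key directions (added example)."""
import hashlib
import hmac
import secrets

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256   # 2048 bits, the size `openvpn --genkey --secret ta.key` writes
SLOT = 64         # each cipher key and each HMAC key occupies 64 bytes


def generate_static_key() -> str:
    """Return a fresh key using the BEGIN/END framing of ta.key."""
    raw = secrets.token_bytes(KEY_BYTES)
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Extract the 256 raw key bytes; '#' comment lines are tolerated."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == HEADER:
            inside = True
        elif line == FOOTER:
            break
        elif inside and line and not line.startswith("#"):
            body.append(line)
    raw = bytes.fromhex("".join(body))
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw


def hmac_keys(raw: bytes, direction):
    """Return (send_key, recv_key) for a tls-auth direction.

    Slot n is 64 bytes of cipher key n followed by 64 bytes of HMAC key n.
    direction 0: send with slot 0, receive with slot 1
    direction 1: send with slot 1, receive with slot 0
    direction None (omitted): slot 0 both ways, so it only pairs with a
    peer that also omits the direction.
    """
    hmac_slot = [raw[SLOT:2 * SLOT], raw[3 * SLOT:4 * SLOT]]
    if direction is None:
        return hmac_slot[0], hmac_slot[0]
    if direction not in (0, 1):
        raise ValueError("direction must be 0, 1 or None")
    return hmac_slot[direction], hmac_slot[1 - direction]


def tag(packet: bytes, key: bytes) -> bytes:
    # tls-auth uses HMAC with the --auth digest, SHA1 by default
    return hmac.new(key, packet, hashlib.sha1).digest()


def verify(packet: bytes, mac: bytes, key: bytes) -> bool:
    return hmac.compare_digest(tag(packet, key), mac)


def handshake_accepted(raw: bytes, server_dir, client_dir) -> bool:
    """Does each side accept the other's first tagged packet?"""
    s_send, s_recv = hmac_keys(raw, server_dir)
    c_send, c_recv = hmac_keys(raw, client_dir)
    # Constructed stand-ins for the first control packet from each side.
    client_hello = b"client hard reset, session id " + bytes(8)
    server_hello = b"server hard reset, session id " + bytes(8)
    c2s = verify(client_hello, tag(client_hello, c_send), s_recv)
    s2c = verify(server_hello, tag(server_hello, s_send), c_recv)
    return c2s and s2c


if __name__ == "__main__":
    raw = parse_static_key(generate_static_key())
    print("server 0 / client 1   :", handshake_accepted(raw, 0, 1))     # the working pairing
    print("server 1 / client 1   :", handshake_accepted(raw, 1, 1))     # same direction both ends
    print("server 0 / client none:", handshake_accepted(raw, 0, None))  # client forgot the direction
```

The same key file is used on every machine; what differs is which of the two HMAC keys each side signs with. Server 0 and client 1 interlock, while the published setting (server 1, client direction missing or also 1) leaves every packet failing its HMAC check, which OpenVPN logs as an authentication failure rather than a certificate error.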

6. Copy certificates

So far, all keys and certificates for the clients and the VPN server live in the C:\key directory on the server. Now copy each machine's files to its config directory, as listed in Table (A). Each client gets only its own .crt and .key, plus ca.crt and ta.key; private keys and ta.key should travel on removable media or over an already encrypted channel, not by plain e-mail. ca.key is copied nowhere: it stays in C:\key (ideally on a machine kept offline) and is needed only when you issue or revoke a certificate.

7. Configure the OpenVPN server

You now have to configure the OpenVPN server to use the certificates and keys created above. Go to the 'C:\Program Files\OpenVPN\sample-config' directory and copy server.conf as server.ovpn into 'C:\Program Files\OpenVPN\config'. Open the copy, make the changes shown in Table (B), and save it. The Windows service starts one tunnel for each .ovpn file it finds in the config directory and runs it with that directory as the working directory, so the bare file names in the tables resolve correctly.

8. Client configuration

You now have to change a few parameters in the client configuration file. Go to 'C:\Program Files\OpenVPN\sample-config', copy client.conf as client.ovpn into 'C:\Program Files\OpenVPN\config' on each client, open it, make the changes shown in Table (C), and save it.
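Before starting the service it is worth checking the two edited files against each other, because the mistakes in this kind of setup (tls-auth on one side only or with the same direction on both, a dh file that does not match KEY_SIZE, a client that never checks it is talking to a server certificate, ca.key left in a config directory) produce nothing more helpful than a stalled handshake. The following Python checker is an added example written for this article, not part of OpenVPN or of the original text. The server and client configs and directory listings at the bottom are constructed samples; names such as vpnserver.crt, laptop01.crt and the address 203.0.113.10 are placeholders.

```python
"""Sanity checks for an OpenVPN server.ovpn / client.ovpn pair (added example)."""
import re


def parse_ovpn(text):
    """Map directive -> list of argument lists; '#' and ';' mark comments."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing '# ...' comments
        if not line or line.startswith(";"):      # ';' disables a directive
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def first(cfg, name):
    """Arguments of the first occurrence of a directive, or None."""
    return cfg[name][0] if name in cfg else None


def check_pair(server_text, client_text, key_size=2048,
               server_dir_files=(), client_dir_files=()):
    """Return a list of findings; an empty list means the pair looks sound."""
    findings = []
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)

    # 1. tls-auth on both ends, with complementary directions (0 server, 1 client)
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if s_ta is None or c_ta is None:
        findings.append("tls-auth must be enabled on both server and client "
                        "(remove the ';' on both sides)")
    else:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if {s_dir, c_dir} != {"0", "1"}:
            findings.append("tls-auth directions must be 0 on the server and 1 on "
                            f"the client, got server={s_dir} client={c_dir}")

    # 2. the dh file should carry the size set in vars.bat (build-dh writes dh<KEY_SIZE>.pem)
    dh = first(s, "dh")
    if dh is None:
        findings.append("server has no dh directive")
    else:
        m = re.search(r"dh(\d+)\.pem$", dh[0])
        if not m or int(m.group(1)) != key_size:
            findings.append(f"dh file {dh[0]} does not match KEY_SIZE={key_size}")

    # 3. the client must insist on a certificate issued with build-key-server
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        findings.append("client does not verify the server certificate type; "
                        "uncomment 'ns-cert-type server' (or 'remote-cert-tls server' on 2.4+)")

    # 4. client-to-client widens the trust boundary; make it a deliberate choice
    if "client-to-client" in s:
        findings.append("client-to-client is enabled: every VPN client can reach "
                        "every other; keep it commented unless required")

    # 5. the CA private key belongs offline, never in a config directory
    for role, files in (("server", server_dir_files), ("client", client_dir_files)):
        if "ca.key" in files:
            findings.append(f"ca.key found in the {role} config directory; only ca.crt belongs there")

    # 6. every file a config names must actually be in its config directory
    for role, cfg, files in (("server", s, server_dir_files), ("client", c, client_dir_files)):
        for d in ("ca", "cert", "key", "tls-auth", "dh"):
            v = first(cfg, d)
            if files and v and v[0] not in files:
                findings.append(f"{role}: '{d} {v[0]}' names a file missing from the config directory")
    return findings


# Constructed samples: the corrected pair this article arrives at.
SERVER_OK = """\
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt          # <server-name>.crt
key vpnserver.key           # <server-name>.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0           # 0 on the server
max-clients 100
;client-to-client
"""
CLIENT_OK = """\
client
dev tun
proto udp
remote 203.0.113.10 1194    # <public-IP> of the server
ca ca.crt
cert laptop01.crt           # <client-name>.crt
key laptop01.key            # <client-name>.key
tls-auth ta.key 1           # 1 on the client
ns-cert-type server
"""
SERVER_FILES = ("server.ovpn", "ca.crt", "vpnserver.crt", "vpnserver.key", "ta.key", "dh2048.pem")
CLIENT_FILES = ("client.ovpn", "ca.crt", "laptop01.crt", "laptop01.key", "ta.key")

# The values as printed in Tables (B) and (C) before correction: direction 1 on the
# server, client-to-client switched on, tls-auth still commented out on the client.
SERVER_AS_PUBLISHED = (SERVER_OK.replace("tls-auth ta.key 0", "tls-auth ta.key 1")
                                .replace(";client-to-client", "client-to-client"))
CLIENT_AS_PUBLISHED = CLIENT_OK.replace("tls-auth ta.key 1", ";tls-auth ta.key 1")

if __name__ == "__main__":
    for label, srv, cli in (("corrected", SERVER_OK, CLIENT_OK),
                            ("as published", SERVER_AS_PUBLISHED, CLIENT_AS_PUBLISHED)):
        print(f"[{label}]")
        for f in check_pair(srv, cli, 2048, SERVER_FILES, CLIENT_FILES) or ["no findings"]:
            print("  -", f)
```

Run it with the real server.ovpn and client.ovpn contents and the directory listings of both config folders; the corrected pair yields no findings, while the pair as printed in the tables reports the missing client tls-auth line and the open client-to-client setting.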

9. Start the OpenVPN service

You are now ready to start the OpenVPN service on the server and on the clients. Click Start > Settings > Control Panel > Administrative Tools, and double-click the 'Services' icon to open the console that lists all services on the Windows machine. Select the OpenVPN service, set its startup type to Automatic, and start it. Repeat this on the server and on every client you want to connect. Once the service has started successfully on the server, the virtual VPN adaptor comes up and acquires an address in the 10.8.0.x range configured by the 'server' directive.

The same happens on the clients. To check connectivity from a client, ping 10.8.0.1, the default address of the OpenVPN server on the tunnel. If the ping is answered, the VPN tunnel is up. If it is not, the OpenVPN log in 'C:\Program Files\OpenVPN\log' on both ends will tell you why: a 'TLS Error' or an 'Authenticate/Decrypt packet error' there usually means a mismatched ta.key or tls-auth direction, or a certificate that was not signed by this CA.

You can now reach your office IT resources from a remote location over any Internet connection. OpenVPN carries the traffic inside a TLS tunnel in which both ends have proved their identity with a certificate signed by your own CA; the security of the setup now rests on keeping ca.key, each machine's private key and ta.key secret, and on revoking the certificate of any client machine that is lost.
