Seamless, Secure and Reliable VPN

PCQ Bureau

Today there is growing demand for connecting branch offices as well as mobile
users to the head office. Hardware- and software-based VPN solutions are the
best fit for this requirement. That's why in this article we'll show you how to
set up a secure, reliable and free VPN solution called OpenVPN.

OpenVPN is an SSL-based VPN solution that can be deployed on any platform, be
it Windows or UNIX. It can be configured for site-to-site or user-to-site
connectivity. The best part is that it comes with features that every
enterprise requires, like load balancing, failover and fine-grained access
control.

It is neither a Web-app proxy nor does it operate through a browser. Moreover,
it lacks a GUI, so you'll need to work fairly hard to configure it: all initial
configuration is done manually. We have deployed it on a Windows 2003 Server.
This is how we did it.

Direct Hit!

Applies To: Network managers
USP: Harness enterprise VPN capabilities for free
Primary Link: http://openvpn.net/
Google Keywords: open VPN

1. Initialize parameters

First of all, make sure that your VPN server has two network cards, one
connected to your local network and the other to the Internet. It must also
have a public IP address. You can download and install the latest version of
OpenVPN from http://openvpn.net/. After installation, it creates an additional
virtual network adaptor on your machine, which will be used for VPN
connectivity.

You also need to ensure that your VPN server is protected by a firewall, and
the same software must be installed on all the clients as well. Now, from the
command prompt, go to the 'C:\Program Files\OpenVPN\easy-rsa' directory and
execute the init-config.bat file. This file will create a file called
'vars.bat.sample'. Open this file and change the values of the following
parameters:

KEY_SIZE=2048
KEY_COUNTRY=IN
KEY_PROVINCE=ND
KEY_CITY=DELHI
KEY_ORG=your company name
KEY_EMAIL=certs@yourcompany.com
KEY_DIR=c:\key

These parameters supply the defaults used when generating the certificates and
keys, so set values that are relevant to your setup. Also note that the KEY_DIR
parameter sets the folder where all keys and certificate files will be
generated and stored offline. Save this file as vars.bat in the same directory,
and then execute it from the command prompt. Then, on the VPN server, create
the folder 'C:\key'.

2. Generate a signed certificate

From the command prompt, go to the C:\Program Files\OpenVPN\easy-rsa directory
and execute 'build-ca.bat'. This batch file creates the certificate authority's
certificate and private key for you (ca.crt and ca.key); this CA signs all the
server and client certificates generated in the following steps.

On executing this batch file, you will be prompted to fill in the details
that you want in the certificate. Accept the default values that you entered
earlier in the vars.bat file. After execution of the above command the .key and
.crt files will be placed in the 'C:\key' folder.

3. Generate a signed certificate for the OpenVPN server

Next you need to create a certificate file to associate with your VPN server.
For this, execute 'build-key-server <Server Name>'. Here, <Server Name> is
replaced by any logical name that you want to assign to your VPN server.

On executing this, you will be prompted to fill in the certificate details,
similar to what we did in step 2. Accept the default values and when asked for a
password leave it blank by pressing the '.' key.

When asked about the 'host name' give the machine name of your OpenVPN
server. Then you will be asked to sign the certificate, press 'Y' to commit.
This batch file will create a private key and a public certificate, signed by
the previously created certificate authority, for the OpenVPN server.

This key set is automatically saved at 'C:\key' location.

Table (A): Directories where the generated keys have to be stored (see Step
6).

Machine           Files to copy                                                      Location
OpenVPN server    ca.crt, <Server Name>.key, <Server Name>.crt, ta.key, dh2048.pem   C:\Program Files\OpenVPN\config
OpenVPN clients   ca.crt, <Client Name>.key, <Client Name>.crt, ta.key               C:\Program Files\OpenVPN\config

Table (B): Changes to be made in the server.conf file so that the OpenVPN
server can use the certificates and keys for authentication

File name: server.conf

Default parameter value     New value                   Comments
cert server.crt             cert <Server Name>.crt      certificate file with the prefix of your VPN server name
key server.key              key <Server Name>.key       key file with the prefix of your VPN server name
;tls-auth ta.key 1          tls-auth ta.key 1           remove ";"
;max-clients 100            max-clients 100             remove ";"; sets the maximum number of concurrent clients on your VPN
dh dh1024.pem               dh dh2048.pem               replace with the new 2048-bit key
;client-to-client           client-to-client            remove ";"; allows ping requests for checking connectivity

Table (C): Changes to be made on all VPN client machines

File name: client.conf

Default parameter value     New value                   Comments
remote my-server-1 1194     remote <Server IP> 1194     IP address by which the client can reach the OpenVPN server
cert client.crt             cert <Client Name>.crt      certificate file with the prefix of your VPN client name
key client.key              key <Client Name>.key       key file with the prefix of your VPN client name
;ns-cert-type server        ns-cert-type server         remove ";"

4. Generate signed certificates for clients

Next you have to generate certificate files for all clients that will connect
to the VPN server. This is exactly the same as generating a certificate for
your server, as shown in step 3. You just need to execute 'build-key <Client
Name>' from the command prompt. Here '<Client Name>' is replaced by the logical
name of each client that will use this certificate for connecting to the VPN
server. When asked for a 'Common Name', enter the machine name of the client
machine. This batch file will create a private key and a public certificate,
signed by the previously created certificate authority, for the OpenVPN client.

Likewise, you have to generate a certificate file for each client.

5. Create an encryption key

Next, you need to create an encryption key, which will be used by both client
and server, for authentication. To generate this file, once again open the
command prompt, go to the 'C:\Program Files\OpenVPN\easy-rsa' directory and
execute the 'build-dh.bat' file.

This file creates a large prime number, which may take some time. Once the
batch file has executed successfully, you will find a 2048-bit '.pem' file
(dh2048.pem) in C:\key. Then, from the 'C:\Program Files\OpenVPN\bin'
directory, execute the following command:

openvpn --genkey --secret ta.key

This creates another key file, named 'ta.key', in the
'C:\Program Files\OpenVPN\bin' directory. Cut this 'ta.key' file and paste it
into C:\key.

This file is used for TLS authentication (the tls-auth directive), which
provides another layer of security to the VPN: every control-channel packet
must carry an HMAC computed with this shared key, and packets whose HMAC does
not verify are dropped before any TLS handshake takes place.
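To make that extra layer concrete, here is an added example (not the article's
or the OpenVPN project's own code) of how ta.key is used: a packet is accepted
only if the HMAC tag it carries was computed with the key slot the peer
expects, so unauthenticated packets never reach the TLS code. The key file
content is a constructed demo value in the real static-key file format (the
bytes 0x00..0xff, obviously not a real key); the four 64-byte slot layout and
the meaning of key direction 0/1 follow OpenVPN's static-key layout as assumed
here, and the packet framing is simplified to "tag + payload".

```python
import hashlib
import hmac

# Constructed stand-in for the ta.key written by 'openvpn --genkey --secret ta.key':
# same file format (16 lines of 32 hex digits = 256 bytes = 2048 bits), but the
# bytes are simply 0x00..0xff so that it is obviously not a real key.
CONSTRUCTED_TA_KEY = (
    "#\n# 2048 bit OpenVPN static key (constructed demo value)\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(bytes(range(i, i + 16)).hex() for i in range(0, 256, 16))
    + "\n-----END OpenVPN Static key V1-----\n"
)

HMAC_DIGEST = hashlib.sha1            # OpenVPN's default 'auth' digest
TAG_LEN = HMAC_DIGEST().digest_size   # 20 bytes for SHA1


def parse_static_key(text: str) -> bytes:
    """Read the hex body of an OpenVPN static key file; it must be exactly 256 bytes."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith(("#", "-----"))]
    key = bytes.fromhex("".join(body))
    if len(key) != 256:
        raise ValueError(f"expected a 2048-bit key, got {len(key) * 8} bits")
    return key


def hmac_keys(static_key: bytes, key_direction: int) -> tuple:
    """(outgoing HMAC key, incoming HMAC key) for 'tls-auth ta.key <key_direction>'.

    Assumed layout (OpenVPN's key2 structure): four 64-byte slots, in order
    cipher0, hmac0, cipher1, hmac1.  Direction 0 tags outgoing packets with
    hmac0 and verifies incoming ones with hmac1; direction 1 swaps the two,
    which is why server and client must be configured with opposite directions.
    Only the first TAG_LEN bytes of a slot are used, matching the digest size.
    """
    hmac0 = static_key[64:128][:TAG_LEN]
    hmac1 = static_key[192:256][:TAG_LEN]
    return (hmac0, hmac1) if key_direction == 0 else (hmac1, hmac0)


def tag_packet(payload: bytes, key_direction: int, static_key: bytes) -> bytes:
    """Prefix a (simplified) control-channel packet with its HMAC tag."""
    out_key, _ = hmac_keys(static_key, key_direction)
    return hmac.new(out_key, payload, HMAC_DIGEST).digest() + payload


def accept_packet(packet: bytes, key_direction: int, static_key: bytes):
    """Return the payload if its tag verifies, otherwise None (packet is dropped)."""
    _, in_key = hmac_keys(static_key, key_direction)
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(in_key, payload, HMAC_DIGEST).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """A client using direction 0 talks to a server configured 'tls-auth ta.key 1'."""
    key = parse_static_key(CONSTRUCTED_TA_KEY)
    client_dir, server_dir = 0, 1
    hello = tag_packet(b"constructed client hello", client_dir, key)
    return {
        # Properly tagged packet from a client holding ta.key: accepted.
        "genuine": accept_packet(hello, server_dir, key) is not None,
        # Packet with no valid tag (e.g. random traffic hitting the port): dropped.
        "untagged": accept_packet(b"\x00" * TAG_LEN + b"probe", server_dir, key) is not None,
        # Same ta.key, but the receiver also uses direction 0: tags never match.
        "same_direction": accept_packet(hello, client_dir, key) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} accepted={accepted}")
```

The "same_direction" case is the mistake to watch for when copying ta.key to
the clients: with 'tls-auth ta.key 1' on the server, every client must use
'tls-auth ta.key 0', otherwise both sides tag with the same slot and verify
with the other, and no handshake ever gets through.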

6. Copy certificates

So far, you have created all the security keys and certificates for both the
clients and the VPN server in the C:\key directory. Now copy the certificates
and other key files to their respective directories, as defined in Table (A).

7. Configure the OpenVPN server

You now have to configure the OpenVPN server so that it can use the
certificates and keys created above for authentication. Go to the
'C:\Program Files\OpenVPN\sample-config' directory and copy the server.conf
file as server.ovpn to the 'C:\Program Files\OpenVPN\config' directory. Open
this file, make the changes shown in Table (B), and save it.

8. Client configuration

You now have to change a few parameters in your client configuration file.
For this, go to the 'C:\Program Files\OpenVPN\sample-config' directory and copy
the client.conf file as client.ovpn to the 'C:\Program Files\OpenVPN\config'
directory. Then open this file, make the changes shown in Table (C), and save
it.
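Before starting the service, it is worth checking that the edited files really
match Tables (A), (B) and (C), since a missed ';' or a leftover dh1024.pem is
the usual reason the service fails to come up. The following is an added
example (not the article's or the OpenVPN project's own code) that parses a
server.ovpn and a client.ovpn, reports every table entry that is still wrong,
and lists files missing from the config folder. The sample configs, the names
'vpnsrv01' and 'laptop07' and the address 203.0.113.10 are constructed. The
tls-auth direction check goes one step beyond the tables: with
'tls-auth ta.key 1' on the server, the client must use direction 0, so the
example flags the case where both sides use the same direction.

```python
import os
from typing import Dict, List, Set

# Constructed server.ovpn after the Table (B) edits (server name 'vpnsrv01').
SAMPLE_SERVER_OVPN = """\
port 1194
proto udp
dev tun
ca ca.crt
cert vpnsrv01.crt
key vpnsrv01.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 1 # This file is secret
max-clients 100
client-to-client
"""

# Constructed client.ovpn (client name 'laptop07') with two Table (C) edits
# still missing and the same tls-auth direction as the server.
SAMPLE_CLIENT_OVPN = """\
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert laptop07.crt
key laptop07.key
;ns-cert-type server
tls-auth ta.key 1
"""

# Table (A): files each machine needs in its config directory.
REQUIRED_FILES = {
    "server": ["ca.crt", "{name}.key", "{name}.crt", "ta.key", "dh2048.pem"],
    "client": ["ca.crt", "{name}.key", "{name}.crt", "ta.key"],
}


def parse_ovpn(text: str) -> Dict[str, List[str]]:
    """Map each active directive to its arguments; ';' and '#' mark comments."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing '# ...' comments
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        directives[name] = args                  # last occurrence wins
    return directives


def check_server_config(text: str, server_name: str) -> List[str]:
    """Table (B) checks; an empty list means the file passes."""
    d, findings = parse_ovpn(text), []
    if d.get("cert") != [f"{server_name}.crt"]:
        findings.append(f"cert must be {server_name}.crt")
    if d.get("key") != [f"{server_name}.key"]:
        findings.append(f"key must be {server_name}.key")
    if d.get("tls-auth") != ["ta.key", "1"]:
        findings.append("tls-auth ta.key 1 is not enabled (remove the ';')")
    if "max-clients" not in d:
        findings.append("max-clients is still commented out")
    if d.get("dh") != ["dh2048.pem"]:
        findings.append("dh must point to dh2048.pem, not dh1024.pem")
    if "client-to-client" not in d:
        findings.append("client-to-client is still commented out")
    return findings


def check_client_config(text: str, client_name: str, server_ip: str) -> List[str]:
    """Table (C) checks; an empty list means the file passes."""
    d, findings = parse_ovpn(text), []
    if d.get("remote") != [server_ip, "1194"]:
        findings.append(f"remote must be '{server_ip} 1194'")
    if d.get("cert") != [f"{client_name}.crt"]:
        findings.append(f"cert must be {client_name}.crt")
    if d.get("key") != [f"{client_name}.key"]:
        findings.append(f"key must be {client_name}.key")
    if d.get("ns-cert-type") != ["server"]:
        findings.append("ns-cert-type server is not enabled (remove the ';')")
    return findings


def check_tls_auth_directions(server_text: str, client_text: str) -> List[str]:
    """Beyond the tables: both sides need ta.key, with opposite key directions."""
    s = parse_ovpn(server_text).get("tls-auth")
    c = parse_ovpn(client_text).get("tls-auth")
    if not s or not c:
        return ["tls-auth must be enabled on both server and client"]
    s_dir = s[1] if len(s) > 1 else None
    c_dir = c[1] if len(c) > 1 else None
    if s_dir is None and c_dir is None:
        return []                                # bidirectional mode on both sides
    if s_dir == c_dir or None in (s_dir, c_dir):
        return [f"tls-auth directions must differ: server={s_dir}, client={c_dir}"]
    return []


def missing_files(role: str, name: str, present: Set[str]) -> List[str]:
    """Table (A): required files not found in a directory listing."""
    wanted = [f.format(name=name) for f in REQUIRED_FILES[role]]
    return [f for f in wanted if f not in present]


def missing_files_in_dir(role: str, name: str,
                         config_dir: str = r"C:\Program Files\OpenVPN\config") -> List[str]:
    """Same check against a real config directory on the machine."""
    return missing_files(role, name, set(os.listdir(config_dir)))


if __name__ == "__main__":
    for f in check_server_config(SAMPLE_SERVER_OVPN, "vpnsrv01"):
        print("server.ovpn:", f)
    for f in check_client_config(SAMPLE_CLIENT_OVPN, "laptop07", "203.0.113.10"):
        print("client.ovpn:", f)
    for f in check_tls_auth_directions(SAMPLE_SERVER_OVPN, SAMPLE_CLIENT_OVPN):
        print("tls-auth:", f)
```

Run against the sample input the server file passes, while the client file is
reported for the unchanged 'remote my-server-1 1194', the still-commented
'ns-cert-type server' and the duplicated tls-auth direction; on a real machine
call missing_files_in_dir('server', '<Server Name>') on the server and
missing_files_in_dir('client', '<Client Name>') on each client after step 6.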

9. Start the OpenVPN service

You're now ready to start the OpenVPN service on the clients and the server.
Click Start > Settings > Control Panel > Administrative Tools. Double-click the
'Services' icon and you get a console showing all the services on your Windows
machine.

Select the OpenVPN service, set its startup type to Automatic and then start
the service. Repeat this on both the OpenVPN server and the clients that you
want to connect to your server. Once the service has started successfully on
the server, you will see that the virtual VPN adaptor automatically connects
and acquires an IP address in the 10.8.0.x range.

The same thing will happen on the clients as well. To check VPN connectivity
from any client, ping '10.8.0.1' from it; this is the default IP of our OpenVPN
server. If you are able to ping the server on this IP from a client, rest
assured that your VPN connectivity has been successfully established.

Now, you can access your IT resources from a remote location via an Internet
connection, without worrying about security, since OpenVPN provides connectivity
between you and your office over a secure SSL VPN tunnel.
