Thursday, September 15, 2011

VPN


For a web host running more than a few servers, the benefits of a private network between those servers are many. Such a network lets your servers communicate and transfer data securely among themselves. Most DCs offer this as an added feature to the services they provide. Previously, to access this network you would have had to take the expensive option of renting a leased line to the DC, but not any more. This can now be achieved using a VPN.

OK, now what is a VPN?

VPN stands for Virtual Private Network. It allows you to connect securely to a private network over the Internet and work as if you were part of that network. It is based on the client/server architecture and works on almost all platforms, including FreeBSD, Linux, Windows and Mac OS X. A VPN can be used to provide remote access to a private network, or to connect two geographically separated private networks, using the Internet to carry the traffic. If you have outsourced your support team, you can have them set up a VPN between their network and the private network at the DC, allowing for improved productivity and security.

Is there a cheap VPN solution?

There is, and it is called OpenVPN. OpenVPN is a free and open source VPN solution and can be used for any of the scenarios mentioned above, i.e. you can use it to connect your PC to the private network at your DC, or to connect your network, your support team's network and the DC's private network together. OpenVPN employs both encryption and authentication to protect the data being transferred. For encryption it uses another open source package, OpenSSL. It supports pre-shared secret keys, certificate-based, and username/password-based authentication.

Setting up a VPN:

Let us look into setting up a VPN between a client PC and a server.

Installing OpenVPN on the server:

OpenVPN requires the "lzo" real-time compression library, so install it first if it is not already present. There are various ways to install OpenVPN; installing it using YUM is the easiest, and it will also install "lzo" along with any other required packages. To install, simply run the command:
yum install openvpn -y
It is also possible to install OpenVPN from source, which gives you much more control over the installation, but is fairly complicated.
Once the installation is over you will find the easy-rsa configuration and scripts at the path /usr/share/doc/openvpn-2.1/easy-rsa.
Copy this folder into /etc/openvpn, so that the scripts end up under /etc/openvpn/easy-rsa.
We will have to grant all permissions to the scripts in this folder:
cd /etc/openvpn/easy-rsa/2.0
chmod 777 *

Create Keys on Server:

Now that the server has been installed, we have to set up the keys that the VPN client and server will use for authentication. Here we will use the public key infrastructure (PKI) method. In this method there are three certificates:
1) Master (CA) certificate & key, which is placed on the VPN server
2) Server certificate & key, which is placed on the VPN server
3) Client certificate & key, which is placed on the VPN client
We will generate the master certificate first. The server will only accept certificates from clients that have been signed by the master certificate authority.

Generate the master Certificate Authority (CA) certificate & key:

The scripts in the easy-rsa folder are used for generating keys. The keys will be placed in /etc/openvpn/keys. This folder will not be present by default and has to be created.
mkdir /etc/openvpn/keys
In order to generate the master certificate, we first need to edit the "vars" configuration file located at /etc/openvpn/easy-rsa/2.0.
Edit the following values to suit your requirements. Do not leave any of these fields blank, as the certificate will be generated from these values.
export KEY_DIR="/etc/openvpn/keys"
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="test@test.com"
Now we will start creating the cert and key:
# . ./vars
# ./clean-all    (this deletes all existing files in the key folder)
# ./build-ca
(We are going to build the CA. You can just keep hitting Enter until you reach the "Common Name" field; all other fields are populated by default from the entries you gave in the vars file.)
You will be asked for some details to be included in the certificate. It is important that you give a unique value for the "Common Name" parameter. Now that the master certificate has been generated, we shall proceed to generate the server certificate.

Generate certificate & key for server:

./build-key-server server
As with the master certificate, almost all parameters are taken by default from the vars file. The only detail you need to provide is again the "Common Name"; here I have used "server.ca". You can then keep hitting Enter until you reach the "Sign the certificate?" prompt. Type "y" and hit Enter. Next it will ask "1 out of 1 certificate requests certified, commit?". Again type "y" and hit Enter.

Generate certificate & key for client:

Now we proceed to create the certificate and key for the client. It is exactly the same process as above; make sure that here too you give a unique "Common Name". You can create as many keys as there are clients you wish to connect to the server.
./build-key client1
Here I am generating the certificate for the client named client1. Enter the common name and proceed as you did with the server certificate.

Generate Diffie Hellman parameters:

Next we will generate the Diffie-Hellman parameters. Diffie-Hellman (D-H) is a public key algorithm used by the two ends of a connection to derive a shared secret key.
The script for generating the D-H parameters is called build-dh and is located in the same scripts folder:
# ./build-dh
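The post warns that no field in the vars file may be left blank and that the key directory has to be created by hand. The following shell function is an added example, not part of the original post or of the easy-rsa scripts: it checks a vars file in the "export KEY_X=..." form shown above before you run ./build-ca. The function name and the list of fields it requires are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post): validate the easy-rsa "vars"
# file before generating the CA. Assumes the "export KEY_X=..." layout above.

# check_vars VARS_FILE
# Sources the file in a subshell (so nothing leaks into the caller's
# environment), reports every required KEY_* field that is empty or unset,
# and checks that KEY_DIR exists. Returns 0 if all is well, 1 otherwise.
check_vars() {
    vars_file="$1"
    [ -r "$vars_file" ] || { echo "cannot read $vars_file" >&2; return 1; }
    (
        # the stock vars file prints a NOTE when sourced; keep our output clean
        . "$vars_file" >/dev/null
        rc=0
        for name in KEY_DIR KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL; do
            eval "value=\$$name"
            if [ -z "$value" ]; then
                echo "$vars_file: $name is blank (no field may be left empty)" >&2
                rc=1
            fi
        done
        # the scripts do not create the key directory (see "mkdir /etc/openvpn/keys")
        if [ -n "$KEY_DIR" ] && [ ! -d "$KEY_DIR" ]; then
            echo "$vars_file: KEY_DIR=$KEY_DIR does not exist; run: mkdir -p $KEY_DIR" >&2
            rc=1
        fi
        exit $rc
    )
}

# usage on the server, from /etc/openvpn/easy-rsa/2.0:
#   check_vars ./vars && . ./vars && ./clean-all && ./build-ca
```

After the client certificate has been built, the property the post relies on (the server only accepts client certificates signed by the master CA) can be confirmed with `openssl verify -CAfile keys/ca.crt keys/client1.crt`, which prints "OK" for a correctly signed certificate.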

Configuring the OpenVPN client:

Upload ca.crt, client1.crt and client1.key to the client PC.
Now that the client and server side keys are in place, we will proceed with editing the configuration files, which is the most important part.

Creating configuration files for the server:

Sample configuration files are available at /usr/share/doc/openvpn-2.1/sample-config-files. server.conf is the server configuration file; copy it to /etc/openvpn and modify it as needed.
cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
A sample configuration file is given below. The fields you need to edit are the ones explained with a # comment to the right.
=========================
port 1194
proto tcp
dev tun
ca keys/ca.crt # path to the ca.crt file
cert keys/server.crt # path to the server certificate
key keys/server.key # path to the server key file
dh keys/dh1024.pem # path to the generated D-H parameters
mode server # implements multi-client server capability
tls-server
tls-cipher DHE-RSA-AES256-SHA
server 192.168.1.0 255.255.255.0 # the private network address used by the VPN on the server, and its mask
client-config-dir ccd
#########
######### Put your public DNS servers here
#########
#push "dhcp-option DNS 210.80.150.4"
#push "dhcp-option DNS 202.155.174.4"
push "route 192.168.1.0 255.255.255.0" # The OpenVPN server can push routes, DNS server IP addresses and other configuration details to the clients.
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

========================
Once the configuration is over, create the file ipp.txt, which contains the IPs of the clients you wish to connect to the server.
A sample ipp.txt file is as follows:
# cat ipp.txt
test1.com.client,192.168.1.4

Next, touch a file for the logs.
touch server-tcp.log
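Before starting the server it is worth confirming that every file the configuration refers to is actually where server.conf says it is, that the private key is not readable by other users, and that ipp.txt has the "name,address" shape shown above. The two shell functions below are an added example, not part of the original post or of OpenVPN itself; they assume the "keyword value # comment" layout of the sample server.conf and resolve relative paths against the directory the config file lives in (which is how OpenVPN sees them when it is started from /etc/openvpn). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the server
# side files before running the init script. Assumes the server.conf layout
# shown above and an ipp.txt of "name,address" lines.

# check_server_conf CONF_FILE
# Verifies that the ca, cert, key and dh directives are present, that each
# referenced file exists, and that the private key is not readable by group
# or other. Returns 0 when everything is in order, 1 otherwise.
check_server_conf() {
    conf="$1"
    base=$(dirname "$conf")
    rc=0
    for keyword in ca cert key dh; do
        # second field of the first line whose first field is the keyword;
        # commented-out lines start with "#" and therefore never match
        path=$(awk -v k="$keyword" '$1 == k { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "$conf: no '$keyword' directive" >&2
            rc=1
            continue
        fi
        case "$path" in
            /*) full="$path" ;;
            *)  full="$base/$path" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "$conf: $keyword file $full does not exist" >&2
            rc=1
        elif [ "$keyword" = key ]; then
            # columns 5-10 of "ls -l" are the group and other permission bits
            others=$(ls -l "$full" | cut -c5-10)
            if [ "$others" != "------" ]; then
                echo "$conf: private key $full is readable by others (fix: chmod 600 $full)" >&2
                rc=1
            fi
        fi
    done
    return $rc
}

# check_ipp IPP_FILE
# Every non-blank, non-comment line must be "name,dotted-quad".
# Returns 0 if all lines are well-formed, 1 otherwise.
check_ipp() {
    awk -F, '
        /^#/ || NF == 0 { next }
        NF != 2 || $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf "%s: line %d is malformed: %s\n", FILENAME, NR, $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# usage on the server:
#   check_server_conf /etc/openvpn/server.conf && check_ipp /etc/openvpn/ipp.txt \
#       && /etc/rc.d/init.d/openvpn start
```

The permission check matters because server.key is the credential that proves the server's identity to every client; the chmod 777 used earlier on the easy-rsa scripts must not be applied to the keys directory.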

Configuring the Client:

Depending on the OS of the PC you are using to connect (Windows, Linux/Unix), download an OpenVPN client that suits your needs and install it. Other than adding the keys as mentioned above, you will not have to make any configuration changes on the client.

Starting the VPN:

Once the server and client side configurations are over, we can start the OpenVPN server:
/etc/rc.d/init.d/openvpn start
Once OpenVPN has been started, you should be able to access the server as if it were part of your private network.
For more detailed steps on setting this up, check out my complete article here.