VPN solutions are more abundant than they were a few years ago. In fact, there are tons of choices on the market, but some of them can be very expensive. If you need to provide remote access to the office, or even provide access to a remote office, and don't have a huge budget for a dedicated VPN device or ISA Server 2004, consider the open source OpenVPN project to fulfill your VPN needs. In this article, I'll provide an overview of both OpenVPN and the OpenVPN GUI for Windows.
What is OpenVPN?
OpenVPN is an open source, cross platform, SSL-based VPN solution capable of accommodating a number of situations; including both remote access and site-to-site secure communication (a remote office, for example). Available for a number of platforms, including Windows, Linux, BSD, Mac OS X and Solaris, OpenVPN is fairly simple to get up and running.
OpenVPN sports a multitude of features that make it an ideal choice in the "free VPN" space, including the ability to build VPN tunnels across NAT devices, to read certificates and private keys from smart cards on Windows clients, and to run on fairly low-end hardware, perfect for when costs need to be kept as low as possible.
OpenVPN, however, does not support the PPTP, IPSec or L2TP protocols, instead favoring SSL-based technology for all of its functionality. Everything you want to know about what OpenVPN includes can be found on the front page of the OpenVPN site.
There are currently two versions of OpenVPN available: 1.6 and 2.0. 2.0 is the upcoming release that is not yet considered "final," whereas 1.6 is the most recent stable release. I'm installing OpenVPN onto a Windows Server 2003 system running a prerelease of SP1, and I'm using version 2.0 for this article.
To get an OpenVPN installer for Windows or tarball for Linux, head to OpenVPN's handy download page.
If you're installing OpenVPN onto a Windows system, you can instead opt to use a different download package that includes OpenVPN 2.0 and a really nice graphical user interface. This is one of the great things about open source. A package is available from this site's download page that packages OpenVPN with the GUI. Packages are also available for download for those that are already running OpenVPN and just want a graphical front-end to manage the system. The GUI is only for Windows systems, though.
For this article, I'm using the download package that includes both OpenVPN and the GUI. Note that this installer is used for both the server and the client.
The installation of OpenVPN is surprisingly easy, particularly since everything you need is built right into the installer, including the TAP-Win32 virtual Ethernet driver and OpenSSL. The first screen of the installer asks you to read the obligatory license agreement, while the second screen, shown below in Figure A, shows you exactly what the installer will be putting on your system.
The OpenVPN list of components
By default, OpenVPN installs to C:\Program Files\OpenVPN, but you can choose your own installation directory on the next screen of the installer, if you like. That's the whole initial installation. Two screens to work with: (1) pick what you want to install and (2) choose a directory into which to put everything.
During the installation, you'll probably get a driver installation message indicating that the TAP-Win32 driver is not certified by Microsoft. This driver is used by a number of open source programs (including coLinux), and is, in my experience, stable.
Here's a look at the Start menu after the installation completes.
The OpenVPN menu options
Now, open up your Network Control Panel. You'll see an additional entry for the TAP driver, which OpenVPN uses for communication across the tunnels it creates. One best practice with regard to the TAP driver is to rename it to something other than "Local Area Connection". In particular, spaces in the TAP adapter name have been known to create problems, so I renamed mine to "VPN-TAP".
The TAP driver on my system
Now that OpenVPN is installed, it's time to move on to the configuration tasks.
Creating certificates for use with OpenVPN
In TLS mode, OpenVPN uses X.509 certificates to establish the authenticity of clients connecting to an OpenVPN server and vice versa. After all, you wouldn't want a client handing its traffic to an untrusted server any more than you'd want an untrusted client on the server. OpenVPN therefore performs mutual authentication: the server verifies the client's certificate against the CA, and the client verifies the server's.
To use OpenVPN, you need to establish a small public key infrastructure for the system: a master certificate authority (CA) certificate and private key, which sign every server and client certificate. The CA private key never needs to leave the machine where you generate certificates, and it should be protected accordingly. Table A will walk you through the steps necessary to configure certificates for OpenVPN.
Follow these commands to configure certificates for OpenVPN.
Copy keys to appropriate locations
The easiest way to work with OpenVPN is to copy the key files to the local OpenVPN config directory on both the server and the clients. For the server, copy the following files to C:\Program Files\OpenVPN\config:
- ca.crt : the certificate authority. This file will also be copied to each client later on.
- server.key : the server's private key. It is named after whatever you passed to the build-key-server command, so it will probably match your server's name.
- server.crt : the server's certificate. It carries the same name as the key.
- dh1024.pem : The Diffie-Hellman parameters for the VPN.
- tls.key : the TLS authentication key.
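The following command sequence is an added example, not the author's Table A, showing the easy-rsa batch files that ship with OpenVPN 2.0 for Windows being used to produce exactly the five files listed above. The install path, the certificate names "server" and "client1", and keeping the key directory under easy-rsa are assumptions; adjust them to your environment.

```batch
@echo off
rem Added example (not from the original article): the easy-rsa steps behind Table A,
rem run from a cmd prompt on the OpenVPN 2.0 server. Install path and the names
rem "server" / "client1" are assumptions.
cd /d "C:\Program Files\OpenVPN\easy-rsa"

rem 1. First run only: create vars.bat and openssl.cnf from the shipped samples,
rem    then edit vars.bat (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL).
rem    Load the variables into this shell.
call init-config.bat
call vars.bat

rem 2. Wipe any previous key directory (this destroys an existing CA!) and build
rem    the master CA. Only ca.crt is ever copied anywhere; ca.key stays here.
call clean-all.bat
call build-ca.bat

rem 3. Server certificate. build-key-server marks it nsCertType=server, which lets
rem    clients refuse a handshake with someone presenting a mere client cert.
call build-key-server.bat server

rem 4. One certificate/key pair per client; never share a pair between machines.
call build-key.bat client1

rem 5. Diffie-Hellman parameters (server side only; dh1024.pem with the default KEY_SIZE).
call build-dh.bat

rem 6. Static tls-auth key: every TLS control packet is HMAC-signed with it, so
rem    unauthenticated packets are dropped before the TLS handshake even starts.
"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret keys\tls.key

rem 7. Copy what the server needs into its config directory.
copy keys\ca.crt     "C:\Program Files\OpenVPN\config\"
copy keys\server.crt "C:\Program Files\OpenVPN\config\"
copy keys\server.key "C:\Program Files\OpenVPN\config\"
copy keys\dh1024.pem "C:\Program Files\OpenVPN\config\"
copy keys\tls.key    "C:\Program Files\OpenVPN\config\"
```

Each client later receives only ca.crt, its own clientN.crt and clientN.key, and a copy of tls.key; server.key and ca.key are never distributed.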
Configuring the server
OpenVPN works on the concept of text-based configuration files: one for the server and one on each client for that client. OpenVPN comes with some sample configuration files found in the C:\Program Files\OpenVPN\sample-config directory. Under Windows, these sample files carry a .ovpn extension.
The OpenVPN sample server configuration file is a good starting point. To use this sample, you need to copy it from C:\Program Files\OpenVPN\sample-config to C:\Program Files\OpenVPN\config. When the OpenVPN service starts up, it will look in this directory for configuration files and start a separate OpenVPN process for each one. For this example, I just have the sample server.ovpn file in the config directory.
Before you start configuration, you should make note of a couple of things. First, you can configure OpenVPN to bridge your Ethernet network across the VPN (TAP mode), or you can configure the VPN using a virtual point-to-point IP link (TUN mode). I'm going to use TAP mode for this article.
Note: TAP mode is required if you want to pass protocols other than IP over the VPN. TAP mode provides a layer 2 tunnel between the client and the server that can carry TCP/IP, IPX, NetBEUI and more. TAP also lets network broadcasts traverse the VPN, which some applications require. TUN mode is more efficient and easier to administer, but carries IP traffic only. These days, that's not a problem for most applications.
Some versions of Windows don't support TAP devices. If you're using older versions of Windows, plan to use TUN mode.
Table B goes over the sample configuration file included with OpenVPN and outlines what each parameter is and what it does.
Based on the information in the previous table, this is the heart of the configuration file I could use on my sample VPN server: the server-bridge line gives the bridge gateway, its netmask, and the start and end of the address pool handed to clients, followed by the keepalive setting:
server-bridge 192.168.152.100 255.255.255.0 192.168.152.150 192.168.152.200
keepalive 10 120
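As an added example (not the author's exact file), here is a complete TAP-mode server.ovpn in the style of the OpenVPN 2.0 sample, using the address pool shown above, the "VPN-TAP" adapter name from earlier, and the file names from the "Copy keys" section. In bridge mode the TAP adapter must first be bridged with the LAN adapter in Network Connections; OpenVPN does not do that for you.

```conf
# Added example: bridged (TAP) OpenVPN 2.0 server configuration for Windows.
# Adapter name, address pool and file names come from the article; everything
# else follows the shipped sample server.ovpn.
port 1194
proto udp
dev tap
dev-node VPN-TAP           ; the renamed TAP-Win32 adapter (Windows only)

ca   ca.crt
cert server.crt
key  server.key            ; private: readable by the OpenVPN service account only
dh   dh1024.pem

# Bridge mode: gateway, netmask, then the pool of addresses handed to clients.
server-bridge 192.168.152.100 255.255.255.0 192.168.152.150 192.168.152.200

# HMAC every TLS control packet with the shared key. The server uses direction 0
# and every client must use direction 1; unsigned packets are dropped pre-TLS.
tls-auth tls.key 0

# Ping every 10 s; declare the peer dead after 120 s of silence.
keepalive 10 120

# Uncomment to let clients reach each other through the server.
;client-to-client

# Uncomment once you have a CRL from revoke-full to reject revoked client certs.
;crl-verify crl.pem

comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
```

Leaving crl-verify out is a common mistake: without it a stolen laptop's certificate remains valid until the CA certificate expires, no matter what you do on the CA.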
Start the server
With the server configuration file now built, you can start the server process on your OpenVPN server. Since I'm using the GUI, I'll right-click the GUI icon and choose Connect. A status window pops up, which is shown in Figure D.
This screen will tell you everything you need to know about how your VPN operates
Note: If you want to start OpenVPN with a specific configuration file, go to the config directory, right-click a configuration file and choose "Start OpenVPN with this configuration file" from the shortcut menu. You can also start OpenVPN directly from the command line. Refer to the OpenVPN docs for more details on this.
With your OpenVPN server up and running, you can start connecting clients. This is the easy part, believe it or not. The client side uses the same installer as the server side of things. So, to get started, install the OpenVPN software and GUI on to your client computer using the instructions found earlier in this article.
Build key and certificate for the client
On the server side, you'll need to run the 'build-key client-name' command for each client that you want to allow to connect to the OpenVPN server. Once you do this, copy the client-name.key, client-name.crt, and ca.crt files from the server to your client's C:\Program Files\OpenVPN\config directory. If the server uses a TLS authentication key, copy that file as well; the client cannot complete the handshake without it.
Configure the client
Like the server, each client has a configuration file that you use to provide the client with its configuration information. Also like the server, you'll find a sample client file in the C:\Program Files\OpenVPN\sample-config directory. I used this file as a starting point for my installation.
Table C lists some of the unique client parameters:
Here is a configuration file that I might use on a client to connect to the OpenVPN server I set up:
1194 (if I were using NAT on the server side, I would instead use the external IP address of the NAT rule here)
Make sure that you also modify the ca, cert, and key values in the client configuration file to point to the file containing these critical pieces of information.
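As an added example (not the author's exact file), here is a complete client.ovpn that matches the bridged server described above. The host name vpn.example.com stands in for the server's public address (or the external IP of the NAT rule), and client1.crt/client1.key stand in for the files generated for this client.

```conf
# Added example: OpenVPN 2.0 client configuration for the TAP-mode server above.
# vpn.example.com and client1.* are placeholders for your own values.
client
dev tap
dev-node VPN-TAP           ; the renamed TAP-Win32 adapter on the client
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca   ca.crt
cert client1.crt
key  client1.key

# Refuse the handshake unless the peer's certificate is marked nsCertType=server
# (which build-key-server sets). Without this line, anyone holding any valid
# *client* certificate from your CA could pose as the server to other clients.
ns-cert-type server

# Same shared key as the server, opposite direction value.
tls-auth tls.key 1

comp-lzo
verb 3
```

The ns-cert-type check is what turns "both sides have a certificate from our CA" into real mutual authentication; the CA alone cannot tell a client which certificate belongs to the server.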
Once you get the client configured, start it with the GUI controls, or from the command line. From the GUI in the system tray, right-click the OpenVPN icon and choose Connect.
Keep in mind
Before you start the client, make sure that any firewall between it and the remote network forwards UDP port 1194 (the default; change it if you changed the port directive) to your OpenVPN server and, if you're using NAT, that you've provided an appropriate NAT rule for the server, thus giving it an externally reachable IP address.
Remember, each client needs its own certificate/key pair, each generated on the OpenVPN server. Make sure also that you copy the master ca.crt file from the server to any client that you want to allow to connect to the OpenVPN server; if you fail to do this, the client won't be able to verify the server and won't connect. Copy only ca.crt, never ca.key: whoever holds the CA private key can mint certificates your VPN will trust.
Also consider the use of a TLS shared key (the tls-auth directive) to help keep your communication secure. The server and every client must hold the same key file, with the server using direction 0 and the clients direction 1.