Friday, February 15, 2008

OpenVPN Windows HowTo

OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.

Although originally developed for Linux, OpenVPN is now widely used for providing VPN services for Windows clients. This document describes how we install and configure OpenVPN to work in a Microsoft Windows only environment.

Prerequisites

This how-to assumes that you have various things already set up:

OpenVPN Server

You need a Windows system to act as the OpenVPN server. This can be a Windows 2000/2003 Server or 2000/XP Professional system.

OpenVPN Clients

One or more OpenVPN client systems. These should be Windows 2000/XP Professional, although 2000/2003 server should work equally well.

Networking

The OpenVPN server system needs to be publicly reachable on UDP port 1194 (you can use another port if required, but this is the standard port for OpenVPN). If the server is behind a NAT router then this will require address/port forwarding.

It's preferable for the server IP address to be static as this makes things more stable. If your server has a dynamic IP address then you will need to use a dynamic DNS service to provide a fixed hostname.

All systems should have an unfiltered Internet connection, or at least one that allows communication on UDP port 1194. It is possible to run OpenVPN through more restrictive connections (e.g. a proxy server), but this is outside the scope of this article.

Names and addresses

The names and addresses used in this how-to are examples only and should be changed to suit your environment.

  • Company Name: Acme Corp.
  • Public Domain Name: acme.com
  • Private (Windows) Domain Name: acme.com.local
  • Server Hostname: widget
  • LAN address: 192.168.0.0/24
  • Server public address: 1.2.3.4
  • Server private address: 192.168.0.1
  • VPN address: 10.8.0.0/24

Software

OpenVPN

We generally use the OpenVPN GUI package on Windows systems rather than the stock package, as this provides a system tray icon for controlling the application:

http://openvpn.se/download.html

Server Configuration

Install OpenVPN

OpenVPN GUI can be installed with the default options (the certificate wizard is not needed). Near the end of the install it will add a TAP-Win32 virtual adapter whose driver is not signed; tell Windows to install it anyway when prompted.

Once the installation is complete, you will need to create additional TAP-Win32 virtual adapters using the shortcut in the OpenVPN program group. One adapter is needed for each concurrent VPN user. Rename these adapters to "OpenVPN #n" where n is the adapter number. This is cosmetic only but helps identification.

Configure OpenVPN

Create the server configuration file in the OpenVPN config folder (c:\program files\openvpn\config\).

## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN acme.com.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3

Site-specific values (the certificate, key and DH file names, the network addresses and the domain name) should be changed to suit your environment.

In this example the max-clients has been set to 4, which would require 3 additional TAP-Win32 virtual adapters to be created.

Set up a Certificate Authority (CA)

You need a Certificate Authority (CA) to sign your client and server certificates. The easy-rsa scripts make this pretty straightforward.

First we need to initialise easy-rsa. You should only do this once as it will wipe out any existing certificates, keys and settings.

C:\Program Files\OpenVPN\easy-rsa> init-config

Next edit vars.bat and change the "KEY_" settings at the bottom of the file.

set KEY_COUNTRY=GB
set KEY_PROVINCE=London
set KEY_CITY=London
set KEY_ORG=Acme
set KEY_EMAIL=hostmaster@acme.com

Finally create the keys folder and the root certificate itself.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> clean-all
C:\Program Files\OpenVPN\easy-rsa> build-ca

You will be asked to enter some details for the root certificate. Most of these will default to the values that you entered into vars.bat, but you will need to choose a "Common Name" for the certificate.

Common Name (eg, your name or your server's hostname) []:Administrator

Keys and certificates are created in the keys subfolder. The ca.crt file (root certificate) should be copied to the OpenVPN config folder.

C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt ..\config\

Important: Key files (.key) are very sensitive and should be kept safe and never sent over insecure (unencrypted) channels. The Certificate Authority key (ca.key) is particularly important - if it is lost or compromised then you will have to replace all your keys and certificates.

Set up server key and certificate

Once the CA has been set up, we can generate a key and certificate for the server.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key-server widget

Executing vars.bat is not necessary if you do this straight after creating the CA, because the environment will still be set (but it doesn't hurt).

As with generating the root certificate, most of the details will default to the correct values but you will need to enter a "Common Name". This is best set to the hostname of the server.

Common Name (eg, your name or your server's hostname) []:widget.acme.com.local

You can leave the challenge password and optional company name blank.

The server also needs Diffie-Hellman parameters.

C:\Program Files\OpenVPN\easy-rsa> build-dh

This may take a while...

Finally copy the key, certificate and DH file to the OpenVPN config folder.

C:\Program Files\OpenVPN\easy-rsa> copy keys\widget.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\widget.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\dh1024.pem ..\config\

Setup VPN routing

Routing on the server can be enabled by turning on LAN routing in the Routing and Remote Access service; however, we've found that this causes problems with the OpenVPN service, so I would not recommend it. Instead, use regedit to set the IPEnableRouter registry value to 1.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

To allow VPN clients to communicate with systems on the LAN (other than the VPN server), you need to add the VPN network to your router(s) configuration. For a simple stub network you would do this by adding a static route to the default gateway to direct traffic for 10.8.0.0/24 to the server.

Network: 10.8.0.0
Subnet Mask: 255.255.255.0
Next Hop Address: 192.168.0.1

To do this on an IPCop firewall, add a line to the /etc/rc.d/rc.local file.

#!/bin/sh
/sbin/route add -net 10.8.0.0/24 gw 192.168.0.1

You can also add this route at the command line to avoid rebooting the router.

root@ipcop:~ # route add -net 10.8.0.0/24 gw 192.168.0.1

Finishing touches

We like to create a batch file called restartvpn.cmd in the OpenVPN config folder (with a desktop shortcut) to restart the OpenVPN service in case it gets stuck.

net stop openvpnservice
net start openvpnservice

Configure the OpenVPN service to start automatically on boot using the services applet, and then start the service.

Client Configuration

Install OpenVPN

Again the OpenVPN GUI can be installed with default options.

I like to rename the TAP-Win32 adapter (in Network Connections) to "OpenVPN". This is cosmetic only but helps identification.

Configure OpenVPN

Create the client configuration file in the OpenVPN config folder (c:\program files\openvpn\config\).

## acme.ovpn ##
client
proto udp
dev tun
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
verb 3

Site-specific values (the server's public address and port, and the certificate and key file names) should be changed to suit your environment.

In this example we assume that the name of the client is "Fred".
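As an added example (not part of the original article), a small Python checker that parses the .ovpn format used in server.ovpn and acme.ovpn above and reports the mismatches that would stop this server/client pair from connecting: disagreeing proto, dev, port or comp-lzo settings, and a VPN pool that overlaps a LAN route pushed to clients. The embedded configs are constructed, abbreviated copies of the two files shown above.

```python
import ipaddress
import shlex

# Constructed, abbreviated copies of the server.ovpn and acme.ovpn files above.
SERVER_OVPN = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
comp-lzo
"""
CLIENT_OVPN = """\
client
proto udp
dev tun
remote 1.2.3.4 1194
comp-lzo
"""

def parse_ovpn(text):
    """Map each directive to a list of argument lists; '#'/';' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)  # keeps push "route ..." as one quoted argument
        conf.setdefault(words[0], []).append(words[1:])
    return conf

def check_pair(server_text, client_text):
    """Return the mismatches that would stop this server/client pair from talking."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    for key in ("proto", "dev"):  # transport settings must agree on both ends
        if s.get(key) != c.get(key):
            problems.append(f"{key}: server {s.get(key)} vs client {c.get(key)}")
    port = s.get("port", [["1194"]])[0][0]  # OpenVPN defaults to 1194
    remote = c.get("remote", [[]])[0]
    if len(remote) < 2 or remote[1] != port:
        problems.append(f"client remote port {remote[1:]} does not match server port {port}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be enabled on both sides or on neither")
    vpn = ipaddress.ip_network("{}/{}".format(*s["server"][0]))
    for args in s.get("push", []):  # the VPN pool must not overlap a pushed LAN route
        w = " ".join(args).split()
        if w[0] == "route" and vpn.overlaps(ipaddress.ip_network(f"{w[1]}/{w[2]}")):
            problems.append(f"VPN pool {vpn} overlaps pushed route {w[1]}/{w[2]}")
    return problems
```

Run check_pair on the real files before copying them into the config folders; an empty list means the two sides agree on transport, port, compression and addressing.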

Set up client key and certificate

We will generate client keys and certificates on the server, which means you have to be careful to transport the client key securely to the client machine. To avoid this you could generate the key on the client along with a Certificate Signing Request (CSR), which is then transported to the server and signed to create the certificate; however, this is beyond the scope of this document.

Generate the client key and certificate on the OpenVPN server machine.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key fred

Then copy the client key and certificate along with the root certificate securely to the config folder on the client machine. The simplest way of doing this is to just put the files on a USB key (or floppy disk).

C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.crt a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.key a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt a:\

Then on the client machine:

C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\ca.crt ..\config\

Test

Right-click the OpenVPN tray icon and select "Connect". It will open a status window showing the connection progress, and if everything is working OK then the status window should close and the icon should turn green.

To test the connection, try pinging 10.8.0.1 (the server VPN IP address), 192.168.0.1 (the server LAN IP address), the address of a PC on the remote LAN (e.g. 192.168.0.123), and then try pinging devices by name.

c:\> ping 10.8.0.1
c:\> ping 192.168.0.1
c:\> ping 192.168.0.123
c:\> ping widget

NOTE: Taken from http://www.runpcrun.com/howtoopenvpn
