6.12. Virtual private network (VPN)

Important

A VPN (virtual private network) is a network that uses Internet to transport data, but stops any external members from accessing that data.

This means that we have a network with connected VPN nodes tunnelled through another network, through which the traffic passes and with which no one can interact. It is used when remote users wish to access a corporate network to maintain the security and privacy of the data. Various methods can be used to configure a VPN, such as SSH (SSL), CIPE, IPSec, PPTP; they can be consulted in the bibliography (we recommend consulting VPN PPP-SSH HOWTO, by Scott Bronson and VPN-HOWTO by Matthew D. Wilson). [Bro01, Wil02].

In order to perform the configuration tests in this section, we will use OpenVPN, which is a solution based on SSL VPN and can be used for a wide range of solutions, for example, remote access, VPN point to point, secure WiFi networks or distributed corporate networks. OpenVPN implements OSI layer 2 or 3 using SSL/TLS protocols and supports authentication based on certificates, smart cards and other confirmation methods. OpenVPN is not a proxy applications server and does not operate through a web browser.

In order to analyse it, we will use an option in OpenVPN called OpenVPN for Static key configurations, which provides a simple method for configuring a VPN that is ideal for tests or point-to-point connections. The advantages are the simplicity and the fact that it is not necessary to have a X509 public key infrastructure (PKI) certificate to maintain the VPN. The disadvantages are that it only permits one client and one server, as, because the public key and private key are not used, there may be the same keys as in previous sessions and there must be a text-mode key in each peer and the secret key must be previously exchanged for a secure channel.

6.12.1. Simple example

In this example, we will configure a VPN tunnel on a server with IP=10.8.0.1 and a client with IP=10.8.0.2. The communication will be encrypted between the client and server on a UDP port 1194, which is the default port in OpenVPN. After installing the package (http://openvpn.net/install.html), we must generate the static key:

openvpn --genkey --secret static.key

Then, we must copy the static.key file in the other peer over a secure channel (using ssh or scp, for example). The server configuration file of the openVPN_server for example:

dev tun ifconfig 10.8.0.1 10.8.0.2 secret static.key

The client configuration file for example openVPN_client

remote myremote.mydomain dev tun ifconfig 10.8.0.2 10.8.0.1 secret static.key

Before verifying that the VPN works, we must verify the firewall to check that port 1194 UDP is open on a server and that the virtual interface tun0 used by OpenVPN is not blocked either over the client or over the server. Bear in mind that 90% of the connection problems faced by new OpenVPN users are related in some way to the firewall.

In order to verify the OpenVPN between two machines, we must change the IPs for the real ones and the domain for the corresponding one, and then execute the server side.

openvpn [server config file]

Which will provide an output such as:

Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005 Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ] Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194 Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef] Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256 Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62 Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

And the client side:

openvpn [client config file]

In order to check that it works, we might ping 10.8.0.2 from the server and ping 10.8.0.1 from the client. For more information, please check http://openvpn.net/howto.html.

To add compression to the link, we must add the following line to the two configuration files:

comp-lzo

In order to protect the connection through a NAT router/firewall alive and carry on the IP changes through a DNS, if one of the peers changes, add the following to the two configuration files:

keng-timer-rem persist-tun peepalive 10 60 pirsist-key

To execute as a daemon with the privileges of the nobody user/group, add the following to the configuration files:

user nobody group nobody Daemon