Version English This HOWTO describes how to configure a VPN tunnel to a centralized OpenVPN server for the IAC-BOX.

Transcription

1 Version English This HOWTO describes how to configure a VPN tunnel to a centralized OpenVPN server for the IAC-BOX.

2 Contents OpenVPN Server Installation Generate Certificates & Keys Generate Certificates & Keys with Easy-RSA OpenVPN Server Configuration IAC-BOX Configuration General Configuration Routing Protection Access to Services... 11

3 Please note the following hints: In order to use the module VPN Tunnel, it must be licensed separately The minimum required OpenVPN version is Please do not use OpenVPN versions older then that You can download OpenVPN from the official website: You can also find detailed information on how to install OpenVPN on different operating systems like Linux, Windows, Mac OS X etc.

4 In order to use OpenVPN you need to generate certificates and keys for both the OpenVPN server and for each client (IAC-BOX) which should get connected to the OpenVPN server. Therefore it is sufficient to use selfsigned SSL-certificates. There are many different tools to generate the certificates and keys. But we recommend to use Easy-RSA which is a simple OpenSSL front-end, for both Windows and Linux, to generate certificates and keys Generate Certificates & Keys with Easy-RSA You can download Easy-RSA at the following website: After extracting Easy-RSA, switch to the directory easy-rsa/2.0/ where you can find the different build scripts and edit the vars -file. Based on the parameters in the vars -file, the certificates and keys will be generated. Due to this, edit/enter the following important parameters in the vars file: export KEY_SIZE=2048 The KEY_SIZE should be at least For enhanced security you can also increase the KEY_SIZE to export CA_EXPIRE=3650 The CA_EXPIRE defines in how many days the root CA key will expire. For some Easy-RSA installations, this is set to 1year as default so be sure to check this value. export KEY_EXPIRE=3650 The KEY_EXPIRE defines in how many days the created certificates will expire. For some Easy-RSA installations, this is set to 1year as default so be sure to check this value.

5 export KEY_COUNTRY= The two-letter ISO code for the country where your organization is located. For example US, GB. export KEY_PROVINCE= The state/region where your organization is located. This shouldn't be abbreviated. export KEY_CITY= The city where your organization is located. export KEY_ORG= The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. export KEY_ = An address used to contact your organization. export KEY_OU= The division of your organization handling the certificate. export KEY_NAME= The name of the generated key. For example OpenVPN IACBOX. Save the changes you made for the vars -file. Please note that the commands below refer to a Linux system. First run the following commands to initialize the public key infrastructure (PKI):../vars./build-ca

6 In order to generate the certificate and key for the OpenVPN server, run the following command:./build-key-server server-name (as server-name you can enter an own name; for example vpnserver ) Press Enter until the following, and set both to y : Sign the certificate? [y/n]: y 1 out of 1 certificate requests certified, commit? [y/n]: y The next step is to generate the certificate and key for the client. Therefore run the following command:./build-key client-name (as client-name you can enter an own name; for example iacbox1 ) Press Enter until the following, and set both to y : Sign the certificate? [y/n]: y 1 out of 1 certificate requests certified, commit? [y/n]: y The last step is to generate a Diffie Hellman prime. Therefore run the following command:./build-dh By now the following files should have been created: Filename Needed By Purpose ca.crt Server + all clients Root CA certificate ca.key Key signing machine only Root CA key dh{n}.pem Server only Diffie Hellmann prime vpnserver.crt Server only Server certificate vpnserver.key Server only Server key client1 (iacbox1).crt Client1 (iacbox1) only Client1 (iacbox1) certificate client1 (iacbox1).key Client1 (iacbox1) only Client1 (iacbox1) key

7 All the generated certificates and keys are stored in the keys/ -directory. In order to use them for the OpenVPN, copy the keys/ -directory to the OpenVPN directory where the OpenVPN server daemon runs. On Linux this tends to be /etc/openvpn and on Windows it is usually C:\Program Files\OpenVPN\config. Since this example refers to a Linux system, we copy the files to the following directory: cp -r keys/ /etc/openvpn Please note that usually Easy-RSA sets the file permissions automatically but to be sure check if the.key-files can only be read by the root user.

8 Open the OpenVPN configuration file and edit/check the following parameters: port 1194 The OpenVPN default port is set to If there is a firewall in between the OpenVPN server and the clients, be sure to allow the configured port for input, forward and output. mode server If the mode is not set to server per default, change it. ca keys/ca.crt Enter the directory where the CA-file can be found. key keys/vpnserver.key Enter the directory where the server key file can be found. cert keys/vpnserver.crt Enter the directory where the server certificate file can be found. dh keys/dh2048.pem Enter the directory where the Diffie Helmann file can be found. ifconfig In this example, the is the IP-address for the tun1 interface of the OpenVPN server and the IP-address is used for point-to-point connections. ifconfig-pool This parameter defines the DHCP pool within OpenVPN clients will receive an IP-address. Please note that the IP-address range /17 should not be used for the ifconfig-pool. This IP-address range is already used for other functions of IAC-BOX. route This parameter sets a route to the tunnel network /24. This route is necessary and needs to be set.

9 push route This parameter pushes the defined route to the client (IAC-BOX). Due to this, the client (IAC-BOX) knows that the network /24 can be reached via tunnel default gateway client-config-dir ccd This directory should have been pre-created in the default directory where the OpenVPN server daemon runs. When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client. This means that if there is a client (IAC-BOX) with the common name iacbox1 (or any other common name like for example iacbox1.vpn ) you need to create a new file named iacbox1 ( iacbox1.vpn ). In this file you can define specific parameters which will only be applied to the corresponding client (IAC-BOX). For example: ifconfig-push This parameter assigns the fixed IP-address to the client (IAC-BOX) and sets the clients default gateway to iroute This parameter sets a client specific route on the OpenVPN server. In this example, a route to the Surf-LAN network of the corresponding client (IACBOX) is set. It is highly recommend to create an own file in the ccd/ -directory for each client (IAC-BOX) connected to the OpenVPN server.

10 4.1. General Configuration Activate the VPN tunnel in the WebAdmin menu Modules/VPN Tunnel. First of all, you need to upload the certificate and key files to the IAC-BOX. You need to upload the ca.crt, client1(iacbox1).crt and client1(iacbox1).key to the system. Enter a name for the VPN tunnel, the remote host or IP-address and the protocol + port according to your OpenVPN configuration (default = 1194/udp). If the connection was successful, the VPN local IP and VPN remote IP will be displayed on the right.

11 4.2. Routing Protection - Protect from Surf-LAN: If this is activated, all connections to the VPN tunnel from the Surf-LAN will be blocked. - Protect from Management-LAN: If this is activated, all connections to the VPN tunnel from the ManagementLAN will be blocked. - Protect routing from tunnel: If this is activated, all connections from the VPN tunnel to the IAC-BOX SurfLAN, Management-LAN and/or Office-LAN will be blocked. However there are certain configurations where you need to disable the protection. For example: You want to allow connections from the VPN tunnel to the Surf-LAN. Therefore you need to define a route to the Surf-LAN on the OpenVPN server. You can do this by editing the according file for the client (IACBOX) in the ccd/ -directory of the OpenVPN server and adding the route with the parameter iroute In addition, you need to disable Protect routing from tunnel at the VPN tunnel configuration on the IAC-BOX.

12 4.3. Access to Services If the client (IAC-BOX) is connected, you can access the different IAC-BOX services from the tunnel. If WebAdmin Access is enabled, it is possible to connect from the VPN tunnel to the WebAdmin of the IAC-BOX by using it's tunnel IP-address (e.g. In addition to the default access services, it is also possible to grant access to custom ports. For example: udp:53 to see if the DNS works tcp:8080 check if the proxy server is running If you want to add multiple ports use blanks as delimiter (e.g. udp:53 tcp:8080).