HowTo: VPN with OpenVPN, certificates and OpenVPN-GUI
Securepoint Security Systems
Version 2007nx Release 3

Contents
1 Configuration on the appliance
1.1 Setting up network objects
1.2 Creating firewall rules
1.3 Creating certificates for the appliance and for the OpenVPN user
1.4 Export root certificate and roadwarrior certificate
1.4.1 Delete the private key of the CA
1.5 OpenVPN configuration
1.6 Setting up Users
1.7 Checking status of service
2 OpenVPN client for Windows
2.1 Installing OpenVPN
2.2 Bind the OpenVPN GUI (graphical user interface) to OpenVPN
2.3 Create an OpenVPN client configuration
2.4 Connecting the firewall
2.5 Items of the context menu
VPN with OpenVPN and OpenVPN-GUI
A VPN connects one or several computers or networks by using another network, e.g. the internet, as a means of transport. For instance, this could be the computer of a member of staff at their home or in a subsidiary which is linked to the network at the headquarters through the internet. For the user, the VPN looks like a normal network connection to the destination computer. The actual way of transmission is not perceived. The VPN provides the user with a virtual IP connection which is tunneled by an actual one. The data packets transmitted via this connection are encrypted at the client and decrypted by the Securepoint server, and the other way round.
Target: Establishing an OpenVPN connection between the Securepoint appliance and a Windows client with the OpenVPN-GUI.
1 Configuration on the appliance

1.1 Setting up network objects
You have to set up network objects for the external interface, the internal network and the OpenVPN users. Click the Firewall icon on the toolbar and change to the tab Network objects. Click on the icon Computer and set up the external interface object.
fig. 1 set up network object for the external interface
Click on the dropdown arrow beneath the icon Computer and select Network. Set up a network object for the internal network.
fig. 2 Add network - internal-net
fig. 3 select icon for the new group
Repeat the last step and set up a network object for the OpenVPN users.
fig. 4 Add network - openvpn-net
fig. 5 select icon for the new group
The next image shows the result of the network object configuration.
fig. 6 result of the network object configuration
1.2 Creating firewall rules
You have to create two rules. The first one allows external computers to connect to the external interface via OpenVPN. The second one allows the OpenVPN users access to the internal network. Change to the tab Rules. Click the icon New and add the rules as shown in the following images.
fig. 7 create the first rule - internet --> external interface
fig. 8 create the second rule - OpenVPN --> internal network
The next image shows the result.
fig. 9 result of the rule creation
1.3 Creating certificates for the appliance and for the OpenVPN user
The OpenVPN connection uses certificates to authenticate VPN users at the firewall. So you have to create an OpenVPN certificate for the server and an OpenVPN certificate for every OpenVPN user. If you don't have a root certificate (CA) yet, you have to create it first. Click on the icon VPN on the tool bar. Change to the tab Certificates. Select the firewall and click on the icon New.
fig. 10 VPN - tab Certificates
The dialog Certificates appears. Select the option Root certificate. Insert your data. Confirm your entries with OK.
fig. 11 create root certificate
Clicking the OK button creates the CA certificate. The dialog stays open, so you can easily create further certificates with the same settings.
Now you can create OpenVPN certificates. Select OpenVPN server certificate. Append a name for the certificate to the given Designation. Under CA select a root certificate. Confirm your settings by clicking OK. For the client certificate select OpenVPN client certificate. Repeat the other steps as described before. When all certificates are created, leave the dialog by clicking on the Cancel button.
fig. 12 create OpenVPN server certificate
fig. 13 create OpenVPN user certificate
1.4 Export root certificate and roadwarrior certificate
Export the roadwarrior certificate and the corresponding root certificate and transfer them to the OpenVPN user. Normally the Standard format is used. Click on the plus symbol in front of the firewall name. Select CAs and in the right list the root certificate. Click on the icon Export. The dialog Export appears. Select the wanted format. If you choose pkcs #12, insert a password. If you use the pkcs#12 format you only have to export the roadwarrior certificate, which includes the root certificate. In this format the private key of the root certificate is encrypted, so you don't have to delete the key from the pem file of the CA (see 1.4.1). Confirm by clicking on OK.
fig. 14 export root certificate (CA)
Note: The exported root certificate includes the private key, which must not be passed to the clients. Delete it from the certificate file before handing it out (see 1.4.1).
Select Certs and in the right list the roadwarrior certificate. Click on the icon Export. The dialog Export appears. Select the wanted format. If you choose pkcs #12, insert a password. Confirm by clicking on OK.
fig. 15 export OpenVPN user certificate
1.4.1 Delete the private key of the CA
Select the exported CA. Right-clicking on the file opens the context menu; select Open.
fig. 16 select open to open the CA
On the next dialog choose the option Select the program from a list and click OK. Select an editor, for example Microsoft Notepad, to modify the certificate. Uncheck the checkbox Always use the selected program to open this kind of file. Click OK.
fig. 17 choose the program manually
fig. 18 select an editor
Select the text of the section beginning with -----BEGIN PRIVATE KEY----- (see fig. 19). Delete the marked text (for example with the Del key). Save the modified certificate. This modified root certificate can be given to the client.
fig. 19 select the private key and delete it
fig. 20 save the modified certificate
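Editing the CA export by hand is easy to get wrong, so here is an added Python example (not from the Securepoint guide) that removes every PEM private-key block from an exported CA file and keeps only the certificate. The sample PEM text is constructed with dummy base64 bodies.

```python
import re

# Constructed sample of an exported CA file that still carries the CA's private key.
# The base64 bodies are dummy filler, not real key or certificate material.
SAMPLE_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIUDUMMYCERTIFICATEBODY0000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjDUMMYKEYBODY000000000000
-----END PRIVATE KEY-----
"""

# One PEM private-key block of any flavour: PRIVATE KEY, RSA PRIVATE KEY,
# EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ... (DOTALL so the body may span lines).
_PRIVATE_KEY_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----\r?\n?",
    re.DOTALL,
)

def contains_private_key(pem_text):
    """True if any private-key block is present in the PEM text."""
    return _PRIVATE_KEY_BLOCK.search(pem_text) is not None

def strip_private_keys(pem_text):
    """Return the PEM text with every private-key block removed; certificates stay."""
    return _PRIVATE_KEY_BLOCK.sub("", pem_text)

def count_certificates(pem_text):
    """Number of CERTIFICATE blocks, to confirm the public part survived the edit."""
    return len(re.findall(r"-----BEGIN CERTIFICATE-----", pem_text))

def sanitize_ca_file(src_path, dst_path):
    """Write a key-free copy of src_path to dst_path; returns True if a key was removed."""
    with open(src_path, "r", encoding="ascii") as f:
        original = f.read()
    cleaned = strip_private_keys(original)
    with open(dst_path, "w", encoding="ascii", newline="\n") as f:
        f.write(cleaned)
    return cleaned != original
```

Run contains_private_key on the cleaned file before it leaves the appliance administrator's machine; it should return False.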
1.5 OpenVPN configuration
You have to configure general OpenVPN settings for the appliance. Click VPN on the menu and select VPN OpenVPN.
fig. 21 select OpenVPN
The dialog OpenVPN appears. Usually you can retain the values of port and protocol. Select the just created certificate ovserver_foo.local as server certificate. If you use multipath you have to bind the OpenVPN service to an external interface. Confirm your entries with OK.
fig. 22 OpenVPN general settings
1.6 Setting up Users
You have to set up OpenVPN users on the Securepoint appliance. Click on the icon Authentication in the tool bar. Click on the icon New. The dialog Add user appears. On the tab User data insert the user data. Change to the tab Group membership and check the checkbox VPN OpenVPN user.
fig. 23 Add user - tab User data
fig. 24 Add user - Group membership
Change to the tab VPN options. Here you can set a permanent IP address taken from the OpenVPN network for the OpenVPN user.
Note: The already installed tun interface has the IP address pool 192.168.250.1/24. The last octet of the IP address (192.168.250.xxx) must satisfy the following criterion: the number is a multiple of 4 minus 2, i.e. (y * 4) - 2 = x, for example (5 * 4) - 2 = 18. The following values are possible: {2, 6, 10, 14, ..., 246, 250, 254}
fig. 25 set permanent IP address
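The (y * 4) - 2 rule comes from OpenVPN's net30 addressing, in which every client occupies a /30 slice of the pool and uses that slice's third address, while the address just below it is the server side of the point-to-point link. The following is an added Python example, not part of the guide, that validates a requested permanent address against that rule for the 192.168.250.0/24 pool and lists all usable ones.

```python
import ipaddress

# Pool of the appliance's tun interface as stated in the guide (192.168.250.1/24).
OPENVPN_POOL = ipaddress.ip_network("192.168.250.0/24")

def client_address_ok(addr, pool=OPENVPN_POOL):
    """True if addr lies in the pool and its offset from the network is 4k+2,
    i.e. the last octet satisfies (y * 4) - 2."""
    ip = ipaddress.ip_address(addr)
    if ip not in pool:
        return False
    return (int(ip) - int(pool.network_address)) % 4 == 2

def valid_client_addresses(pool=OPENVPN_POOL):
    """Every address a client may be given: the third address of each /30 slice."""
    return [str(block[2]) for block in pool.subnets(new_prefix=30)]

def server_endpoint_for(addr, pool=OPENVPN_POOL):
    """In net30 the server side of the client's link is the address just below it."""
    if not client_address_ok(addr, pool):
        raise ValueError(f"{addr} is not a valid net30 client address in {pool}")
    return str(ipaddress.ip_address(addr) - 1)

def last_octets(pool=OPENVPN_POOL):
    """The usable last-octet values, matching the set given in the guide's note."""
    return [int(a.rsplit(".", 1)[1]) for a in valid_client_addresses(pool)]
```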
1.7 Checking status of service
Save the configuration and make a rule update before you start the OpenVPN service. Click on the icon Save in the tool bar to store the configuration. After this click on the icon Rule update in the tool bar. The service SERVICE_OPENVPN must be activated to grant OpenVPN users access to the firewall. Click on the icon Applications on the tool bar. Change to the tab Status of services. If the service SERVICE_OPENVPN is not running, double click on the red symbol with the white x.
fig. 26 check status of service
2 OpenVPN client for Windows
To connect from an external computer to the firewall via OpenVPN you have to install OpenVPN on the external system. You can download the current version from the website http://openvpn.net/download.html#stable. The virtual interface that is needed for OpenVPN connections is included in this package. Mathias Sundman has developed an OpenVPN GUI client that runs under Windows. You can download it from the following address: http://openvpn.se/download.html Here you can also find several translations.

2.1 Installing OpenVPN
Download the Windows installer from the OpenVPN website and execute it with a double click on the downloaded file.
fig. 27 start dialog of the OpenVPN installer
Follow the instructions of the installation routine. Click on Continue Anyway for the TAP-Win32 Adapter V8, even though it didn't pass the Windows Logo test.
fig. 28 confirm the installation of the virtual interface
Complete the installation by clicking on Finish.
fig. 29 complete the installation
Under Network Connections you should find an entry for the TAP-Win32 Adapter V8.
fig. 30 List of network connections
2.2 Bind the OpenVPN GUI (graphical user interface) to OpenVPN
Copy the file openvpn-gui-number_of_version.exe into the folder bin of the OpenVPN program (for example: C:\Program Files\OpenVPN\bin). You can create a shortcut for the GUI and paste it on the desktop or in the Windows start menu. Start the OpenVPN GUI by clicking on the shortcut on the desktop or in the Windows start menu or on the exe file in the OpenVPN program folder. The OpenVPN GUI icon appears in the Windows system tray.
fig. 31 icon in the system tray
The second icon shows that the virtual interface is inactive. This icon is only shown when this is activated in the options of the interface.
fig. 32 popup menu
Right-clicking on the icon opens a menu. At this moment you can only set the proxy settings. A configuration that includes the settings for the connection to the firewall doesn't exist yet.
2.3 Create an OpenVPN client configuration
Open an editor (for example: Notepad) and insert the following text.

##############################
# Client configuration
##############################
# OpenVPN default client configuration
# Comments are marked with a prefixed
# hash sign (#) or semicolon (;).
client
dev tun
# These options are not used anymore.
;tun-mtu 1500
;fragment 1300
;mssfix
proto udp
float
# Connection data of the server (firewall)
# Insert the IP address and the port (default: 1194)
# of the server after the word remote
# for example: remote 192.168.4.253 1194
remote IP_of_the_server 1194
nobind
persist-key
persist-tun
# Path to root certificate and client certificate
# for example:
# ca C:/Programme/OpenVPN/config/keys/myCA.pem
# cert C:/Programme/OpenVPN/config/keys/roadwarrior01.pem
# key C:/Programme/OpenVPN/config/keys/roadwarrior01.pem
# Note: If there are space characters in the path, you have to put
# the path into double quotes ("Path to the certificate").
ca Path/to/the/certificate/of/the/CA.pem
cert Path/to/the/certificate/of/the/client.pem
key Path/to/the/certificate/of/the/client.pem
# Path to the certificate in pkcs#12 format.
# If you use the pkcs#12 format for the certificates,
# comment out the 3 lines ca, cert and key and use
# the following line instead (delete the prefixed semicolon).
# for example:
# pkcs12 C:/Programs/OpenVPN/config/keys/roadwarrior01.p12
# Note: If there are space characters in the path, you have to put
# the path into double quotes ("Path to the pkcs#12 file").
;pkcs12 Path/to/the/pkcs#12/file.p12
# If this option is activated, the client will only accept a certificate
# from the firewall that carries the certificate type "server". This makes a
# man-in-the-middle attack more difficult.
ns-cert-type server
comp-lzo
verb 3
mute 20
auth-nocache
auth-user-pass
# If you use a proxy, uncomment the following lines
# and insert your server IP address and port.
# Or use the settings of the OpenVPN-GUI.
;http-proxy server_ip port
;http-proxy-retry

Save this file in the folder config of the OpenVPN directory. The file must have the suffix .ovpn. For example: C:\Program Files\OpenVPN\config\roadwarrior.ovpn
Create a folder with the name keys in the config folder, if it doesn't already exist. Copy the root certificate and the client certificate or the pkcs#12 file into this new folder. This is the default storage directory for the certificates. Of course, you can choose another storage place; then you have to customize the configuration file accordingly. You also have to customize the option remote IP_of_the_server 1194. Insert the IP address of the server you want to connect to between the word remote and the port number. For example: remote 192.168.175.1 1194
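An added Python example, not from the guide or the OpenVPN project, that checks a finished .ovpn file for the customisation steps just described: the remote placeholder replaced, only one of ca/cert/key or pkcs12 active, and ns-cert-type server present. The sample configuration text and its paths are constructed.

```python
import shlex

# Constructed .ovpn text following the guide's template, with two of the guide's
# customisation steps left undone: the remote placeholder was not replaced and
# pkcs12 was enabled without commenting out ca/cert/key. Paths are hypothetical.
BAD_OVPN = """\
client
dev tun
proto udp
remote IP_of_the_server 1194
ca "C:/Program Files/OpenVPN/config/keys/myCA.pem"
cert "C:/Program Files/OpenVPN/config/keys/roadwarrior01.pem"
key "C:/Program Files/OpenVPN/config/keys/roadwarrior01.pem"
pkcs12 "C:/Program Files/OpenVPN/config/keys/roadwarrior01.p12"
;ns-cert-type server
auth-user-pass
"""

def parse_ovpn(text):
    """Map directive name -> list of argument lists for active (uncommented) lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # Double quotes group a path with spaces; backslash escaping is switched off
        # so Windows paths survive, and '#' is not a comment inside a path (pkcs#12).
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split, lex.escape, lex.commenters = True, "", ""
        words = list(lex)
        directives.setdefault(words[0], []).append(words[1:])
    return directives

def check_client_config(text):
    """Return the problems a roadwarrior config has against the guide's steps."""
    d = parse_ovpn(text)
    problems = []
    remote = d.get("remote", [[]])[0]
    if not remote or remote[0] == "IP_of_the_server":
        problems.append("remote: placeholder IP_of_the_server not replaced")
    has_pem = all(k in d for k in ("ca", "cert", "key"))
    if "pkcs12" in d and has_pem:
        problems.append("pkcs12 and ca/cert/key both active; comment out one set")
    if d.get("ns-cert-type") != [["server"]]:
        problems.append("ns-cert-type server missing: any certificate from the CA "
                        "would be accepted as the firewall (man-in-the-middle risk)")
    return problems

GOOD_OVPN = (BAD_OVPN.replace("IP_of_the_server", "192.168.175.1")
             .replace("\npkcs12 ", "\n;pkcs12 ")
             .replace(";ns-cert-type", "ns-cert-type"))
```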
2.4 Connecting the firewall
Click with the right mouse button on the OpenVPN GUI icon in the system tray. Several options have been added to the popup menu.
fig. 33 completed popup menu
Click on Connect. The logging dialog and the login dialog appear.
fig. 34 logging window and login dialog
Insert your login name and password into the login dialog and click OK. If you use the pkcs#12 format for the certificates, you will be asked for the password of the pkcs#12 file. If the connection is initiated successfully, the following popup appears.
fig. 35 connection is established
When the icon shows two green screens, the connection is established. When the icon shows two yellow screens, the client is connecting to the server. When the icon shows two red screens, the connection is down. If you hover the mouse pointer over the icon while the connection is up, a popup window shows the connection data.
fig. 36 connection data

2.5 Items of the context menu
fig. 37 the context menu

item - description
Connect - Starts the connection.
Disconnect - Ends the connection.
Show Status - Shows the logging messages of the current connection.
View Log - Shows the complete logging records of the last connection. If a connection is established, the logging messages of the current connection are shown.
Edit Config - Opens an editor where you can customize the configuration. Changes will take effect when the connection is restarted.
Change Password - Encrypts the private key in the certificate. Note: The pem format is not supported. The encryption will delete the certificate out of the pem file.
Proxy Settings - Here you can give settings for a connection through a proxy. If you use this function, the settings must not be written in the configuration file.
About - Shows an information dialog.
Exit - Closes the OpenVPN GUI.