MIECT: Advanced Network Security 2015-16
Practical Exercise: Host-to-Net VPN with OpenVPN
Due date: no date
V 1.0

1 Introduction

The goal of this work is to set up a host-to-net OpenVPN in a network setting involving Linux and Windows systems. To make the network setting easy to deploy outside the laboratory, we will use only Linux and Windows Server 2003 virtual machines to implement it. This guide covers only the use of VirtualBox.

2 Network setting

We will use the network settings of Figure 1. For a first experiment, we will use only Linux machines for both the VPN client and the VPN server. The VPN client should be implemented by one student, while the Corporate network should be implemented by another student.

Figure 1: Network settings and their effective deployment using virtual machines

The Corporate network should be a host-only VirtualBox network; VirtualBox already features one network of this kind by default (VirtualBox Host-Only Ethernet Adapter). Start the VirtualBox DHCP service for the host-only network with the addresses given in Figure 1. Hereafter, for simplicity, we will refer to each involved machine as VM 1, 2, 3 and 4, according to Figure 1. The interfaces of the virtual machines
will also be named eth??, according to the same figure (also for Windows systems, even though interfaces are named differently there).

3 Virtual machines

3.1 Linux virtual machines

We will use a Linux live distribution for all Linux hosts. In this guide we will assume the Mint live distribution. Create the virtual machine for VM 1/VM 2 and clone the latter to create VM 3. Don't forget to remove the useless network interfaces, leaving only two: a multi-purpose one (which can be either NAT or bridged, to connect to the outside world if required) and a host-only one. To reduce the workload while running many virtual machines simultaneously, use only the console interface of Linux hosts if possible. To shut down the graphical interface, stop the graphical window manager service. In Mint we do so with the following command:

    service mdm stop

3.2 Windows virtual machines

We will use a Windows Server 2003 virtual machine for all Windows hosts. The disk image for the virtual machine will be provided online in the subject's Web page. The Administrator's password is naomelembro.

3.3 Network configuration

All virtual machines will get their network interfaces configured by DHCP (IP address and netmask). However, default gateways and extra routes in the Corporate network have to be set manually, with the ifconfig command (or a similar one) in Linux machines, or with the network properties windows in Windows (right-click any network icon on the task bar, choose Open Network Connections, right-click the proper network interface and choose Properties).

4 Set up an OpenVPN VPN

Set up the network topology of Figure 1. Hereafter we will assume that VM 1 has IP address addr1 and VM 2 has IP address addr2. Before proceeding, check that the two hosts can ping each other. In a separate console execute the following command (replace ethx by the appropriate interface name):

    tcpdump -n -i ethx
4.1 OpenVPN installation

In VM 2 (Linux), open a root-owned bash console. Then execute:

    apt-get install openvpn

Do the same in VM 1; then leave VM 1 and focus on VM 2.

4.2 OpenVPN Certification Authority (CA)

Usually OpenVPN is used together with another package, easy-rsa, which helps to create the certificates used by the SSL component of OpenVPN. We will also use it, in VM 2 only:

    apt-get install easy-rsa

Then copy the entire /usr/share/easy-rsa directory to another one, say /etc/openvpn:

    cd /usr/share
    tar cf - easy-rsa | (cd /etc/openvpn; tar xf -)
    cd /etc/openvpn/easy-rsa

The file ./vars contains a set of definitions (in the form of shell environment variables) that will be used to create the public key certificates used by the server. Edit these definitions at will, namely the ones marked changeme, and at the end set them in the shell environment:

    source ./vars

Next, execute a command to clean all previously created keying material:

    ./clean-all

Then execute the following command to create the root CA certificate (the OpenVPN server certificate and Diffie-Hellman parameters are created in Section 4.3):

    ./pkitool --initca

All key material, as well as the CA management files, is stored in the directory keys:

    ls -la keys

4.3 Server keys and certificates

In VM 2, in directory /etc/openvpn/easy-rsa, execute the following commands to create the OpenVPN server certificate and the OpenVPN server Diffie-Hellman parameters:

    ./pkitool --server VPNServer
    ./build-dh
Again, all key material is stored in directory keys (together with the CA management files):

    ls -la keys

Now, copy all the key material files that will be used by the OpenVPN server to the directory where it will look for them:

    cp keys/ca.crt keys/VPNServer.* keys/dh*.pem /etc/openvpn

4.4 Client keys and certificates

For authenticating the client we will also use asymmetric key pairs and certificates; therefore we need to execute the following command in VM 2 (again, in directory /etc/openvpn/easy-rsa):

    ./pkitool VPNClient

But before executing it, we need to set once again the shell environment variables that will be used by the command to request a public key certificate for the VPN client. To do so, we can copy the vars file to another one (say vars.client), edit it to refer to data related to the VPN client, and then execute

    source ./vars.client

before running the previous command. Note that one fundamental field that must differ between vars.client and vars is the value of KEY_CN, since the CA will not issue two certificates with the same CN (Common Name) for the same period of time. Copy the resulting files keys/VPNClient.* to the directory /etc/openvpn of VM 1 (e.g., using a flash pen).

4.5 Server configuration

To configure the OpenVPN server we will copy and edit a sample file provided by the OpenVPN documentation:

    zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Edit the configuration file and define properly all the critical settings (IP addresses, key material, tun/tap, etc.). Once edited, run:

    service openvpn start
    service openvpn status

Observe the new interface created by OpenVPN:

    ifconfig
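The CN-uniqueness caveat of Section 4.4 can be checked before running ./pkitool: easy-rsa keeps the OpenSSL CA database in keys/index.txt, and OpenSSL only refuses a subject that matches a still-valid record. The script below is an added example (not part of the lab guide or of easy-rsa); the index.txt content is constructed, and the serial and DN values in it are assumptions.

```python
"""Predict whether the easy-rsa CA would refuse a certificate request for a CN.

Added example, not part of the lab guide or of easy-rsa. keys/index.txt holds
one tab-separated record per issued certificate. OpenSSL rejects a request whose
subject DN matches a valid (status V) record; since every DN field except
KEY_CN comes from the same vars file, a reused CN is what makes pkitool fail.
"""
from typing import List, Optional

# Constructed sample of keys/index.txt after ./pkitool --initca and
# ./pkitool --server VPNServer, plus one revoked entry. Fields: status
# (V valid, R revoked, E expired), expiry, revocation date, serial,
# certificate file name, subject DN. Serials and DN values are assumptions.
SAMPLE_INDEX = (
    "V\t260101120000Z\t\t01\tunknown\t"
    "/C=PT/ST=Aveiro/L=Aveiro/O=UA/CN=VPNServer/emailAddress=admin@example.org\n"
    "R\t260101120000Z\t250101120000Z\t02\tunknown\t"
    "/C=PT/ST=Aveiro/L=Aveiro/O=UA/CN=OldClient/emailAddress=admin@example.org\n"
)


class IndexEntry:
    def __init__(self, status: str, serial: str, subject: str) -> None:
        self.status, self.serial, self.subject = status, serial, subject

    @property
    def cn(self) -> str:
        # Pull the CN component out of an OpenSSL-style "/C=../CN=.." DN
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return ""


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt; raise on records that do not have the six fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt record: %r" % line)
        entries.append(IndexEntry(fields[0], fields[3], fields[5]))
    return entries


def conflicting_serial(entries: List[IndexEntry], cn: str) -> Optional[str]:
    """Serial of a still-valid certificate already issued for cn, else None.
    Revoked (R) and expired (E) records do not block reuse of the CN."""
    for entry in entries:
        if entry.status == "V" and entry.cn == cn:
            return entry.serial
    return None
```

Run it against the real keys/index.txt with the CN you intend to put in vars.client; a non-None result means the request would be refused.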
4.6 Client configuration

In VM 1, create a text configuration file for a VPN to VM 2 (e.g. vm2.ovpn). Add the following content to the file:

    client
    dev tun
    proto udp
    remote XXXXXXXX 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert VPNClient.crt
    key VPNClient.key
    comp-lzo

where XXXXXXXX should be replaced by the IP address of interface eth0 of VM 2. Then execute:

    service openvpn start
    service openvpn status

Observe the new interface created by OpenVPN:

    ifconfig

Finally, ping VM 3. Observe the traffic in the tun0 interface (with tcpdump) while pinging VM 3 from VM 2. Since you are using an IP-routed VPN, you should not observe any related ARPs reaching VM 1.

4.7 Using tap instead of tun

Change the tun/tap settings in both client and server. Restart both client and server daemons and repeat the previous ping experiments with the tap0 interface.

4.8 Using OpenVPN in Windows

Install an OpenVPN client in a Windows virtual machine and use it as VM 1 to connect to VM 2.
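The client configuration of Section 4.6 and the server.conf edited in Section 4.5 are both in OpenVPN's line-oriented directive format, so the same checker can review either. The script below is an added example (not part of the lab guide or of OpenVPN) that parses that format and reports the hardening gaps a reviewer would raise on the Section 4.6 file: no remote-cert-tls server (the client would accept any certificate signed by the CA, including another client's, as the server), comp-lzo enabled (OpenVPN deprecates compression because of compression-oracle attacks), no tls-auth or tls-crypt key, and no privilege drop via user/group. The embedded config is a copy of the Section 4.6 file with 192.0.2.10 as a placeholder address.

```python
"""Audit an OpenVPN configuration file for weak settings (added example)."""
import re
from typing import Dict, List

# Constructed copy of the Section 4.6 client config; 192.0.2.10 is a
# documentation-range placeholder for the eth0 address of VM 2.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.0.2.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert VPNClient.crt
key VPNClient.key
comp-lzo
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument strings; repeats keep every occurrence."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        # OpenVPN comments start with '#' or ';' at the beginning of a token
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def audit(directives: Dict[str, List[str]]) -> List[str]:
    """Return hardening findings; an empty list means nothing was flagged."""
    findings = []
    if "client" in directives and directives.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: any CA-signed certificate, "
                        "including another client's, is accepted as the server")
    if "comp-lzo" in directives or "compress" in directives:
        findings.append("compression enabled: exposes traffic to compression-oracle attacks")
    if not ({"tls-auth", "tls-crypt"} & directives.keys()):
        findings.append("no tls-auth/tls-crypt: control-channel packets are not HMAC-signed")
    if "user" not in directives or "group" not in directives:
        findings.append("no user/group directives: daemon keeps root privileges after start")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(CLIENT_CONF)):
        print("-", finding)
```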