How to set up a simple routed VPN

This brief how-to explains how one can set up a routed virtual private network (VPN) using OpenVPN in no time. In particular we deal with routed VPNs (as opposed to bridged ones, see below).

VPN in brief

Virtual Private Networks (VPNs, read more on Wikipedia) offer the following facilities to their users:

  1. Access web services and applications securely from anywhere in the world
  2. Access the Internet and browse securely and anonymously from any place
  3. Provide a secure tunnel for web applications to exchange information
  4. Securely access your local network at work or at home over the network
  5. Encrypted client-to-client communication

A VPN is a local network that is built over a larger network or the Internet. The main feature VPN users benefit from is protection from eavesdropping, since all information exchanged between the nodes of the VPN is encrypted using strong algorithms. A VPN is considered to be one of the most secure infrastructures one can have over a public network. In the following figure eavesdropping is illustrated (also read Internet Eavesdropping: A Brave New World of Wiretapping).

Secure VPN protocols include a series of cryptographic protocols providing confidentiality and preventing man-in-the-middle attacks, identity spoofing and most well-known web attacks. All your data travel encrypted over the network and all sensitive information is cloaked!

A VPN consists of a VPN server and a number of VPN clients connecting to it (and eventually to each other). The establishment of such a private network assigns to each machine that participates in it a private IP address (e.g. 10.X.X.X or 192.168.X.X - see this article for details).

Bridged vs Routed Networks

This article on the openvpn web site explains the main advantages and disadvantages of each option. In this tutorial we focus on routed VPNs. Quite revealing of the underlying mechanisms and their differences is the article one can read at grc.com (click here for the whole article), a part of which we quote here:

Routing refers to the interconnection of separate and independent "sub-networks" (subnets) which have non-overlapping ranges of IP addresses. Upon receiving a packet sent to it, a network "router" examines the destination IP address to determine which of several connected networks should receive it, after which that packet is forwarded to the proper network.

Bridging, by comparison, is much simpler. A network "bridge" is simply an electrical interconnection between separate physical networks that are all carrying the same ranges of IP addresses. Standard dumb network "hubs" and "switches" are examples of network bridges. With a hub, packets arriving at any port are "bridged" and sent out to every other port. A switch is a bit smarter, since it is able to adaptively learn which network interface cards (NICs) are attached to which ports. But a switch is still interconnecting network segments carrying the same ranges of IP addresses.

How to set up a VPN server using openVPN

OpenVPN is open-source, free software that provides all you need to establish a Virtual Private Network. On Ubuntu and other Linux-based systems it can be installed from the central repositories. OpenVPN is also available for other operating systems, but here we'll focus on Ubuntu (based on our experience). So, first of all you have to install openvpn using the following command:

sudo apt-get install openvpn

Create a folder where we'll put the necessary certificates:

sudo mkdir /etc/openvpn/easy-rsa/ 
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Then personalize the information in the file /etc/openvpn/easy-rsa/vars. Edit the file using vim or any other editor:

sudo vim /etc/openvpn/easy-rsa/vars

And set properly the parameters therein. For instance:

export KEY_COUNTRY=GR

Afterwards you will need to create certificates for your server (some of which you will use for your clients too):

sudo su
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
chown -R root:admin . ## make this directory writable by the system admins
chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
cp server.crt server.key ca.crt dh1024.pem ta.key ../../
exit ## Exit root console

You now need to configure your VPN server properly and that's all. For that you have to choose the private IP of the server. For the purposes of this tutorial we assume it is 10.8.0.1 (private network IP of the server). Your client(s) will have IPs like 10.8.0.X (e.g. 10.8.0.6). Modify the file /etc/openvpn/server.conf:

sudo vim /etc/openvpn/server.conf

And write the following content:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

You now just start openvpn! Run:

sudo /etc/init.d/openvpn restart

You should receive the following message:

* Starting virtual private network daemon(s)...
* Autostarting VPN server [ OK ]

Now run ifconfig. A new network interface has been set up, namely tun0:

tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
      inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:61 errors:0 dropped:0 overruns:0 frame:0
      TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:10876 (10.8 KB)  TX bytes:22967 (22.9 KB)

The machine will reply to ping at 10.8.0.1. We are now ready to configure our VPN clients to connect to the VPN server. By default, the VPN server will isolate the clients from each other allowing them to connect only to 10.8.0.1. If you need your clients to be visible to each other then include in the configuration file of openvpn (i.e. /etc/openvpn/server.conf) the following:

# This directive will allow different
# clients to be able to see each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# TUN/TAP interface of the server
client-to-client

In the next section we establish a connection between a VPN server and a client. These two machines then lie within the same private network. The client needs to be given certain files that authenticate it to the VPN server. To create these files run the following commands on the server:

cd /etc/openvpn/easy-rsa
source ./vars
./pkitool serverName

where serverName is the domain name of your server or any other identifier you would like to use. This command generates the files:

serverName.crt
serverName.key
serverName.csr

From these files only the first two are needed. In the following section we'll explain how to set up a connection between the VPN server and a VPN client.

Something went wrong?

Did something go wrong so far? Did openvpn fail to start for example returning a message like:

*   Autostarting VPN server   [ Fail ]

Then first of all you need to check the logs of openvpn. These are stored in /var/log/daemon.log. Do a 'tail' to output the last 50 lines (or more if needed). Usually this file is huge so don't attempt a 'cat' on it. Run:

tail -n 50 /var/log/daemon.log

There you should be able to find what has happened and solve it. Usual mistakes have to do with typos in the configuration file (server.conf).


Set up a VPN client

We will explain here how to set up a VPN client that connects to the VPN server. First of all you have to copy the following files from the server to the client. The best way to do so is to use an external storage device such as a flash disk or a CD. These files should be kept private and it is not recommended to transfer them over the Internet. The files that need to be transferred lie within /etc/openvpn/easy-rsa/keys and are the following:

serverName.crt
serverName.key
ta.key
ca.crt

On the client side, you should have openvpn installed. Like before run:

sudo apt-get install openvpn

Create the folders /etc/openvpn/easy-rsa and /etc/openvpn/easy-rsa/keys and transfer the above mentioned files into the folder /etc/openvpn/easy-rsa/keys. Once you have the certificates copied to the correct destination, edit the file server.conf (on the client side):

sudo vim /etc/openvpn/server.conf

and write the following (don't forget to replace remote.org with your server's domain name, and serverName with the name you used when generating the client files):

client
remote remote.org 1194
resolv-retry infinite
nobind
pull
ns-cert-type server
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/serverName.crt
key /etc/openvpn/easy-rsa/keys/serverName.key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 1
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
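Before restarting, a check worth running on either side is the following script. It is an added example, not part of the original tutorial or of OpenVPN itself: it reads a config such as the server.conf above or this client file, verifies that every file named by a ca, cert, key, dh or tls-auth directive exists, and confirms that the tls-auth key direction matches the role (0 on the server, 1 on the client). The function name check_openvpn_conf is our own choice.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check an OpenVPN
# config before restarting the daemon. A mistyped path or a wrong tls-auth
# direction is the usual cause of "Autostarting VPN server [ Fail ]".
# Prints one line per problem and returns the number of problems found.
check_openvpn_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Role: a bare "client" line means client config, a "server" line means server.
    role=unknown
    grep -q '^[[:space:]]*client[[:space:]]*$' "$conf" && role=client
    grep -q '^[[:space:]]*server[[:space:]]' "$conf" && role=server
    # Every file directive has the form "<directive> <path> [direction]".
    while read -r directive path dir _; do
        case "$directive" in
            ca|cert|key|dh|tls-auth) ;;
            *) continue ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$directive: missing file $path"
            problems=$((problems + 1))
        fi
        if [ "$directive" = tls-auth ]; then
            case "$role:$dir" in
                server:0|client:1) ;;   # correct pairing
                *) echo "tls-auth: key direction '$dir' does not fit role '$role'"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done < "$conf"
    return "$problems"
}

# Usage: ./check_openvpn_conf.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then check_openvpn_conf "$1"; fi
```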

Restart openvpn on the client side:

sudo /etc/init.d/openvpn restart

and try to ping the VPN server at 10.8.0.1 - it should respond! Now if you want to find out what your VPN IP is, run ifconfig (client side):

$ ifconfig tun0
tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
      inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:1356 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1967 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:344776 (344.7 KB)  TX bytes:232198 (232.1 KB)

From which we see that our IP (IP of the client on the VPN) is 10.8.0.6. You can now try for example to connect to the VPN server using SSH through the VPN network. This should be as simple as:

ssh username@10.8.0.1

On the server side you can try to ping your client node which should respond. Your VPN client and your VPN server now are actually on the same network and exchange information securely (using encryption). Enjoy!

Multi-client setup

In this section we explain how to set up a VPN that supports multiple clients. You have the option to isolate individual clients and let them communicate only with the server at 10.8.0.1, or to allow them to connect to one another using the VPN server as a router. If you want to allow your clients to see each other, then append this line to your server.conf file (on the VPN server):

client-to-client

Now for each client you have to create different keys. We will use the script pkitool provided by openvpn which we already have used previously. On the server side run:

cd /etc/openvpn/easy-rsa
source ./vars
./pkitool your-server-0.org

This will create the certificate file named:

your-server-0.org.crt
your-server-0.org.key

which you will hand to the client. Do the same for each client you need to allow to connect to your VPN. You must create files with a different name for each client!

Give the VPN keys (files your-server-0.org.crt and your-server-0.org.key) to your client along with the files ca.crt and ta.key. Best practice is to transfer these files with a flash disk or other removable storage device and not over the Internet. Each client will now be able to connect to the VPN using their (different) keys. Under the aforementioned configuration, the clients will acquire static IP addresses.

In particular the directive:

ifconfig-pool-persist ipp.txt

tells the server to reserve an IP once it is acquired by a client. Therefore the same client will get the same VPN IP the second time it connects to the server. You can actually test it... On the client side, connect to the VPN server:

sudo /etc/init.d/openvpn restart

Check your VPN IP using ifconfig:

ifconfig tun0

Then restart openvpn and check your IP again. It should be the same!

VPN networks are designed to be very secure, but of course only if they are set up properly. One detail that might go unnoticed is that if you or any of the clients of the VPN share your Internet connection with other people, then you leave the door open to intruders. In that case the intruder does not even need VPN keys and the like, nor to waste time looking for security holes. The following figure illustrates the situation and shows how an otherwise very well secured VPN network can be compromised.

Of course there are some precautions one can take when setting up an ad hoc network, or when otherwise sharing one's connection with other people, so as to mitigate the risk. You can use iptables to create a firewall that isolates the VPN from other networks. In what follows let us assume that you are a VPN client with VPN IP address 10.8.0.10, which means that the VPN network has IPs of the form 10.8.0.X. Assume that you are sharing your Internet connection, having set up an ad hoc network using the interface wlan0 with IPs of the form 10.42.43.X. Then you need to do the following:

  1. Block ANY packet forwarding from any interface and any IP address to the VPN network. This is quite simple to do using iptables. This will prevent clients of the ad hoc network from accessing any VPN node or the VPN server.
  2. Block all INBOUND traffic from the ad hoc network to your VPN. This will prevent clients of the ad hoc network from accessing your machine using your VPN IP address, i.e. 10.8.0.10.
  3. Block all OUTBOUND traffic towards the VPN network if the source originates from the ad hoc network. This is most probably useless, since all such traffic is forwarded through you and not generated locally - but just in case.

Here is the code you should run:

# FORWARDing to the OpenTox VPN network is prohibited (from any interface and
# from any source.)
sudo iptables -A FORWARD -d 10.8.0.0/24 -j DROP

# Block all INPUT traffic arriving from the ad hoc network (wlan0) to the VPN.
# The interface match matters: dropping everything destined to 10.8.0.0/24
# would also drop the legitimate VPN traffic arriving on tun0.
sudo iptables -A INPUT -i wlan0 -d 10.8.0.0/24 -j DROP

# The OUTBOUND traffic is actually FORWARDed, but just in case,
# use the following:
sudo iptables -A OUTPUT -s 10.42.43.0/24 -d 10.8.0.0/24 -j DROP

Ask your friend(s) to give you their MAC addresses so that you do not allow any other machines to connect to your network. Of course MAC addresses can be spoofed (people will usually change their MAC in order to gain access to your network), but let's not make it easy for a primary school child to get in:

YOUR_FRIENDS_MAC=00:1A:88:74:15:6B;
sudo iptables -A FORWARD -m mac ! --mac-source $YOUR_FRIENDS_MAC -i wlan0 -j DROP;
sudo iptables -A INPUT -m mac ! --mac-source $YOUR_FRIENDS_MAC -i wlan0 -j DROP;
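The same isolation and MAC-filtering rules, packaged as one re-runnable script. This is an added example, not part of the original tutorial: it goes beyond the single-MAC rule above by building an allowlist chain for several friends, and it checks with "iptables -C" before appending, so running it twice does not duplicate rules. The function names isolate_vpn and add_rule, the chain name ADHOC_MAC and the IPT variable are our own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): client-side firewall that
# keeps an ad hoc network away from the VPN, with a MAC allowlist chain.
# IPT defaults to "sudo iptables"; set IPT to a stub for a dry run.
IPT=${IPT:-"sudo iptables"}

# add_rule -A|-I CHAIN RULE...: append/insert only if not already present
add_rule() {
    mode=$1; shift
    $IPT -C "$@" 2>/dev/null || $IPT "$mode" "$@"
}

# isolate_vpn IFACE ADHOC_NET VPN_NET MAC [MAC...]
isolate_vpn() {
    iface=$1; adhoc=$2; vpn=$3; shift 3
    # 1. nothing forwarded from any interface may reach the VPN subnet
    add_rule -A FORWARD -d "$vpn" -j DROP
    # 2. nothing arriving on the ad hoc interface may reach our VPN address
    #    (matching on the interface leaves the real VPN traffic on tun0 alone)
    add_rule -A INPUT -i "$iface" -d "$vpn" -j DROP
    # 3. belt and braces: no ad hoc source leaves towards the VPN
    add_rule -A OUTPUT -s "$adhoc" -d "$vpn" -j DROP
    # MAC allowlist: known MACs RETURN, everything else on the interface is dropped.
    # RETURN rules are inserted at the top so the final DROP always stays last.
    $IPT -N ADHOC_MAC 2>/dev/null || true
    for mac in "$@"; do
        add_rule -I ADHOC_MAC -m mac --mac-source "$mac" -j RETURN
    done
    add_rule -A ADHOC_MAC -j DROP
    add_rule -A INPUT -i "$iface" -j ADHOC_MAC
    add_rule -A FORWARD -i "$iface" -j ADHOC_MAC
}

# Usage (the MAC addresses here are constructed sample values):
# isolate_vpn wlan0 10.42.43.0/24 10.8.0.0/24 00:1A:88:74:15:6B 00:1A:88:74:15:6C
```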

Finally use WPA2 security for your wireless network instead of WEP.

Now what? - References for further study

Ok, so far so good. But now what? Here we provide a list of references so that you can understand more deeply how VPNs work and, if you like, set up a bridged VPN.

Understanding VPN:

1. This Wikipedia article (http://en.wikipedia.org/wiki/VPN) is a good starter. It introduces the reader smoothly to the subject and explains the benefits one gets by using a VPN.

2. A short non-jargon article is available from http://www.homenethelp.com/vpn/.

3. At openvpn.net a short video illustrates the VPN use cases (click on "use cases demo"). The "what and why" of OpenVPN is also quite interesting to take a look at.


Setting up a VPN:

1. This tutorial was based on the instructions from help.ubuntu.com. However, the article on the Ubuntu site refers to bridged VPNs. Its section on client configuration is nevertheless very informative and can be used in all cases.

VPN security:

1. 10 tips to secure your VPN are given in this article: http://www.computerworld.com/s/article/9003779/10_tips_to_secure_client_VPNs

2. This article on cisco.com addresses certain questions on the security that a VPN offers, which of course relies on its good configuration. One of the key phrases in the article is "VPN security is only as strong as the methods used to authenticate the users". I suggest that you read the whole of it!