Lessons & Learnings

from real life experiences and examples

VPN Exercises

Disclaimer: These exercises are a few among the many demos available to help you understand the routing concepts described in the previous chapter. The tools used in them are not the only ones; there are many other software packages and tools that can be used to implement these concepts.

1. Site to Site VPN using Openswan

I ran a workshop for some students on VPN setup. We did not have fancy routers or firewalls, so we used VPN software and our laptops to replicate the topology below:

Logical Topology:

Here is what our setup looks like:
Hardware: two laptops connected to each other
Software: Openswan (site-to-site VPN), OpenVPN (client-to-site VPN), VirtualBox (for the virtual machines), CentOS 6.6 (in the VMs)

Physical Diagram:

In the above diagram:

  • Two laptops act as Site A and Site B.
  • VM1 in each laptop acts as that site's VPN server.
  • VM1 has two interfaces: eth0 (public IP) and eth1 (private subnet).
  • VM2 is the machine in the private subnet.
  • The two laptops are connected to each other via an Ethernet cable or a LAN. Either way, the connection between the laptops plays the role of the public Internet.

We will be using Openswan, a Linux IPsec implementation, to create encrypted tunnels. Once the tunnel is set up between the two laptops, VM2 in Laptop 1 will be able to talk to VM2 in Laptop 2.
The VPN tunnel is going to be set up between the two private subnets 192.168.56.0/24 and 192.168.33.0/24.
Let us begin by configuring both sites.

Network configuration in virtual machines:

Laptop 1: 
VM1 : eth0 => 10.4.1.200
      eth1 => 192.168.56.101/24
VM2 : eth1 => 192.168.56.103/24

Laptop 2:
VM1 : eth0 => 10.4.1.100
      eth1 => 192.168.33.101/24
VM2 : eth1 => 192.168.33.103/24

For the tunnel to come up it is very important that the public IPs of both VM1s (that is, eth0) are reachable from each other, so I would advise keeping iptables off if you do not need it. NOTE: This is only for this exercise. In the real world you need iptables rules permitting the incoming VPN traffic on the Openswan IP (see the optional rules below).

Install Openswan in VM1s(VPN Servers) in both laptops:

$ yum install openswan lsof

Enable IP forwarding on the VM1s:

$ vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

#Reload /etc/sysctl.conf
$ sysctl -p 

Add iptables rules in case you have left iptables switched on (optional). Note that /etc/sysconfig/iptables is in iptables-save syntax, so the rules are written without the leading iptables word; put them above the final REJECT line and restart the service:

$ vi /etc/sysconfig/iptables
# IKE (UDP 500), NAT-T (UDP 4500; TCP 4500 kept from the exercise) and the ESP
# payload itself, which the original rule set left out
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT

Configure Openswan on both VPN servers (VM1s)

The first file to configure is /etc/ipsec.conf.
VM1 on Laptop 1: Private Subnet: 192.168.56.0/24

$ vi /etc/ipsec.conf
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.56.0/24
    ## disable opportunistic encryption ##
    oe=off

conn demo-connection-redhat
    authby=secret
    auto=start
    ## 3des-md5 is weak by today's standards and is kept only to match the
    ## exercise; use e.g. aes256-sha1 on both sides where your Openswan supports it ##
    ike=3des-md5
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-md5
    compress=no
    pfs=yes
    type=tunnel
    left=10.4.1.200
    leftsourceip=10.4.1.200
    leftsubnet=192.168.56.0/24
    ## for direct routing ##
    leftnexthop=%defaultroute
    right=10.4.1.100
    rightsubnet=192.168.33.0/24

Set up authentication using a pre-shared key (keep this file readable by root only, since it holds the secret):

$ vi /etc/ipsec.secrets
siteA-public-IP  siteB-public-IP:  PSK  "pre-shared-key"

The same configuration has to be done on Laptop 2's VM1, with the private subnets and public IPs swapped (left is always the local site, right the remote one):

In case of Laptop2 (Site B)

    virtual_private=%v4:192.168.33.0/24
    left=10.4.1.100
    leftsourceip=10.4.1.100
    leftsubnet=192.168.33.0/24
    ## for direct routing ##
    leftnexthop=%defaultroute
    right=10.4.1.200
    ## the remote subnet is Site A's private subnet ##
    rightsubnet=192.168.56.0/24
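The two ipsec.conf files are mirror images of each other, which is exactly where the left/right values tend to get mixed up. The script below is an added example, not part of the original workshop material: one shell function prints the Openswan configuration for either site from four values (local public IP, local subnet, remote public IP, remote subnet), and a second prints the matching /etc/ipsec.secrets line. The addresses are the ones used in this exercise; the PSK value, the function names and the self-check helper are constructed for the example, and the cipher string defaults to the page's 3des-md5.

```shell
#!/bin/sh
# Added example (not from the original page): print a mirrored Openswan
# site-to-site configuration for either end of the tunnel from four values,
# so the left/right halves cannot be mixed up.

# gen_ipsec_conf LOCAL_PUBLIC LOCAL_SUBNET REMOTE_PUBLIC REMOTE_SUBNET [ALGS]
# ALGS defaults to the exercise's 3des-md5, which is weak; pass e.g. aes256-sha1
# (on both sites) where the installed Openswan supports it.
gen_ipsec_conf() {
    local_pub=$1; local_net=$2; remote_pub=$3; remote_net=$4
    algs=${5:-3des-md5}
    cat <<EOF
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:${local_net}
    oe=off

conn demo-connection-redhat
    authby=secret
    auto=start
    ike=${algs}
    keyexchange=ike
    phase2=esp
    phase2alg=${algs}
    compress=no
    pfs=yes
    type=tunnel
    left=${local_pub}
    leftsourceip=${local_pub}
    leftsubnet=${local_net}
    leftnexthop=%defaultroute
    right=${remote_pub}
    rightsubnet=${remote_net}
EOF
}

# gen_secrets LOCAL_PUBLIC REMOTE_PUBLIC PSK -> the one line for /etc/ipsec.secrets
gen_secrets() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# conf_value KEY  (reads a config on stdin) -> value of that exact key; self-check helper
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p"
}

# Exercise addresses; the PSK is a constructed placeholder, not a real secret
SITE_A_PUB=10.4.1.200; SITE_A_NET=192.168.56.0/24
SITE_B_PUB=10.4.1.100; SITE_B_NET=192.168.33.0/24
PSK='CHANGE-ME-pre-shared-key'

# Same function for both sites, with the arguments swapped
site_a_conf() { gen_ipsec_conf "$SITE_A_PUB" "$SITE_A_NET" "$SITE_B_PUB" "$SITE_B_NET"; }
site_b_conf() { gen_ipsec_conf "$SITE_B_PUB" "$SITE_B_NET" "$SITE_A_PUB" "$SITE_A_NET"; }
site_a_secrets() { gen_secrets "$SITE_A_PUB" "$SITE_B_PUB" "$PSK"; }
site_b_secrets() { gen_secrets "$SITE_B_PUB" "$SITE_A_PUB" "$PSK"; }

# Stand-alone run: show Site B's config and confirm its remote subnet is Site A's
site_b_conf
echo "Site B rightsubnet: $(site_b_conf | conf_value rightsubnet)"
# On Laptop 1 (not run here):  site_a_conf > /etc/ipsec.conf; site_a_secrets > /etc/ipsec.secrets
# On Laptop 2 (not run here):  site_b_conf > /etc/ipsec.conf; site_b_secrets > /etc/ipsec.secrets
```

After writing /etc/ipsec.secrets on each VM1, run chmod 600 on it; the PSK is the only thing authenticating the peers in this exercise, so it should not be world-readable. The two secrets lines differ only in the order of the IPs, which is how Openswan matches the line to the local and remote endpoints.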

Start the services:

$ /etc/init.d/ipsec restart

Testing the tunnel status:

If the tunnel is up on both sides, the Site A private subnet should be able to reach the Site B private subnet; in short, the VM2s in both laptops should be able to ping each other. A route to the destination subnet should also appear on the server:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         192.168.56.101  0.0.0.0         UG    0      0        0 eth1

Here 192.168.56.101 is the gateway IP, i.e. the VPN server IP, in Site A, and 192.168.33.0/24 is the Site B private subnet. You can also run the commands below to check the tunnel status:

$ service ipsec status 
IPsec running  - pluto pid: 20754
pluto pid 20754
1 tunnels up
some eroutes exist

The log for openswan can be found in /var/log/pluto.log.
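Added example, not from the original page: a few shell checks that turn the manual "ping the other VM2, look at route -n, run service ipsec status" step into something you can run on VM1 after restarting the service. The functions parse the output of the commands shown above; the sample output embedded in the block is constructed from this exercise's own output so that the block runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the "is the tunnel
# really up?" step. Each function parses the text that the command named in
# its comment prints; feed it live output on VM1, or the constructed samples below.

# ip_forward_enabled "$(sysctl net.ipv4.ip_forward)" -> 0 when forwarding is on
ip_forward_enabled() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.ip_forward *= *1$'
}

# tunnels_up "$(service ipsec status)" -> prints the number of tunnels reported (0 if none)
tunnels_up() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) tunnels\{0,1\} up$/\1/p')
    printf '%s\n' "${n:-0}"
}

# has_route "$(route -n)" DEST_NET -> 0 when a route to DEST_NET (network address) exists
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# check_site STATUS ROUTES SYSCTL REMOTE_NET -> 0 when everything needed for the far
# private subnet to be reachable is in place; otherwise prints what is missing, returns 1
check_site() {
    ok=0
    ip_forward_enabled "$3" || { echo "ip_forward is off: packets from eth1 will not be forwarded into the tunnel"; ok=1; }
    [ "$(tunnels_up "$1")" -ge 1 ] || { echo "no IPsec tunnel is up: check /var/log/pluto.log and that the PSK matches on both sides"; ok=1; }
    has_route "$2" "$4" || { echo "no route to $4: the remote subnet was not installed, compare leftsubnet/rightsubnet on both sides"; ok=1; }
    return $ok
}

# Constructed samples, copied from the output this exercise shows
SAMPLE_STATUS='IPsec running  - pluto pid: 20754
pluto pid 20754
1 tunnels up
some eroutes exist'

SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.56.101  0.0.0.0         UG    0      0        0 eth1'

SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'

# Stand-alone run against the samples; on Site A's VM1 you would run instead:
#   check_site "$(service ipsec status)" "$(route -n)" "$(sysctl net.ipv4.ip_forward)" 192.168.33.0
check_site "$SAMPLE_STATUS" "$SAMPLE_ROUTES" "$SAMPLE_SYSCTL" 192.168.33.0 && echo "tunnel checks passed"
```

Openswan also ships ipsec verify, which checks IP forwarding, the redirect sysctls and whether pluto is running; the checks here are the subset that directly explains why the two VM2s cannot ping each other, and each failure message points at the line in this exercise that usually causes it.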

Note: This particular exercise works best when done in teams. In our case we had one team at each site, each building the tunnel towards the other site. It is much more fun when done in teams like that.

2. Client to Site VPN using OpenVPN

Here is the setup that I used. The hardware requirement is the same as in the previous exercise.

Physical Diagram:

This is one of the exercises that I did at home. Here I will be using OpenVPN to set up the client VPN server. OpenVPN can also be used to set up site-to-site VPNs. The client VPN server package from OpenVPN is called Access Server. Here is the consolidated configuration to set up an OpenVPN Access Server.

  • Home Broadband: my personal Internet connection
  • Laptop 1: a site, say your corporate office (refer to the previous chapter)
  • VM1: Access Server
  • VM2: private network
  • Laptop 2: VPN clients

Install Openvpn:

[root@www ~]# rpm -ivh http://swupdate.openvpn.org/as/openvpn-as-2.0.20-CentOS6.x86_64.rpm

Once the installation is done you should see output like the following:

The Access Server has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.

OpenVPN AS can be accessed via these URLs:
Admin  UI: https://192.168.2.34:943/admin
Client UI: https://192.168.2.34:943/

Set a password for the openvpn admin user so that you can log in with it:

[root@www ~]# passwd openvpn
Changing password for user openvpn.
New password:

Log in to the Access Server as admin: https://192.168.2.34:943/admin

Set user permissions and authentication for client users:

You can use various authentication types for the clients, for example Active Directory/LDAP, RADIUS, PAM or two-factor authentication. Here I am using the Local authentication mode, as below:

Once I enable the Local authentication mode I have to set a password for the client user. In this case the user is Client1:

Connect from Client

Log in to the OpenVPN AS server from the client using the client credentials set above and download the client software:
https://192.168.2.34/

Connect to the VPN server from the client. I am using a Mac and the client looks something like this. It will ask you to accept the profile, so say yes:
Once connected it looks like this:

References:

Setup:
https://openvpn.net/index.php/access-server/docs/quick-start-guide.html
https://openvpn.net/images/pdf/OpenVPN_Access_Server_Sysadmin_Guide_Rev.pdf

Authentication:
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150/howto-authentication/387-how-to-use-local-user-authentication.html

Howtos: https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html
