Disclaimer: These exercises are a few among the many demos available to help you understand the routing concepts described in the previous chapter. The tools used in them are not the only ones; there is plenty of other software that can be used to implement these concepts.
1. Site to Site VPN using Openswan
I had run a workshop for some students on VPN setup. We did not have fancy routers or firewalls, so we used VPN software and our laptops to replicate the topology below:
And here is how our setup looks:
- Hardware: two laptops connected to each other
- Software: Openswan (site-to-site VPN), OpenVPN (client-to-site VPN), VirtualBox (for virtual machines), CentOS 6.6 (in the VMs)
In the above diagram:
- Two laptops act as Site A and Site B
- VM1 in each laptop acts as that site's VPN server.
- VM1 has two interfaces: eth0 (public IP) and eth1 (private subnet)
- VM2 is the machine in the private subnet
- Both laptops are connected to each other either via an Ethernet cable or a LAN. In either case, the connection between the two laptops will act as the public Internet.
We will be using Openswan, a Linux IPsec implementation, to create the encrypted tunnel. Once the tunnel is set up between both laptops, VM2 in Laptop 1 will be able to talk to VM2 in Laptop 2.
A VPN tunnel is going to be set up between the two private subnets 192.168.56.0/24 and 192.168.33.0/24.
Let us begin by configuring both sites.
Network configuration in virtual machines:
Laptop 1:
- VM1: eth0 => 10.4.1.200, eth1 => 192.168.56.101/24
- VM2: eth1 => 192.168.56.103/24
Laptop 2:
- VM1: eth0 => 10.4.1.100, eth1 => 192.168.33.101/24
- VM2: eth1 => 192.168.33.103/24
In order for the tunnel to come up it is very important that both VM1 public IPs (the eth0 addresses) are reachable from each other. So I would advise keeping iptables off in case you don't need it. NOTE: This is only for this exercise. In the real world, you need iptables rules permitting the incoming IPsec traffic on the Openswan public IP.
Install Openswan on the VM1s (VPN servers) in both laptops:
$ yum install openswan lsof
Enable IP forwarding on the VM1s:
$ vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Reload /etc/sysctl.conf
$ sysctl -p
Add iptables rules in case you have switched iptables on (optional). Note that /etc/sysconfig/iptables uses iptables-save syntax, so the lines carry no leading "iptables":
$ vi /etc/sysconfig/iptables
# IKE (UDP 500) and NAT-T (UDP 4500)
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp --dport 4500 -j ACCEPT
# ESP itself (IP protocol 50) is used when the peers are not behind NAT
-A INPUT -p esp -j ACCEPT
$ service iptables restart
Configure Openswan on both VPN servers (VM1s)
The first file to configure is ipsec.conf.
VM1 on Laptop 1 (Site A), private subnet 192.168.56.0/24:
$ vi /etc/ipsec.conf
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.56.0/24
    ## disable opportunistic encryption ##
    oe=off

conn demo-connection-redhat
    authby=secret
    auto=start
    # 3des-md5 is a legacy proposal kept from the original exercise; use AES with SHA-2 on any current build
    ike=3des-md5 ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-md5
    compress=no
    pfs=yes
    type=tunnel
    left=10.4.1.200
    leftsourceip=10.4.1.200
    leftsubnet=192.168.56.0/24
    ## for direct routing ##
    leftnexthop=%defaultroute
    right=10.4.1.100
    rightsubnet=192.168.33.0/24
Set up authentication using a pre-shared key:
$ vi /etc/ipsec.secrets
# the same PSK goes on both sites; keep this file readable by root only (chmod 600)
siteA-public-IP siteB-public-IP: PSK "pre-shared-key"
The same configuration has to be done on Laptop 2 VM1; replace the corresponding private subnets and public IPs.
In the case of Laptop 2 (Site B) the values that change are:
    virtual_private=%v4:192.168.33.0/24
    left=10.4.1.100
    leftsourceip=10.4.1.100
    leftsubnet=192.168.33.0/24
    ## for direct routing ##
    leftnexthop=%defaultroute
    right=10.4.1.200
    # the remote subnet is Site A's private network, not Site B's own
    rightsubnet=192.168.56.0/24
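The two conn blocks must mirror each other: left/right and leftsubnet/rightsubnet are swapped between sites, while the proposal settings stay identical. The checker below is an added example, not part of the original exercise; it parses ipsec.conf-style text (comments, `config setup` and `conn` sections) and reports a Site B that repeats its own subnet as rightsubnet. The sample blocks are constructed from the addresses used in this exercise.

```python
import re

def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {"conn NAME": {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

# Parameters that must be identical on both peers
SYMMETRIC = ("authby", "ike", "phase2", "phase2alg", "pfs", "type")
# A parameter on one peer must equal the swapped parameter on the other
MIRRORED = (("left", "right"), ("leftsubnet", "rightsubnet"))

def check_mirror(conn_a, conn_b):
    """Return a list of problems; an empty list means both ends describe the same tunnel."""
    problems = []
    for key in SYMMETRIC:
        if conn_a.get(key) != conn_b.get(key):
            problems.append(f"{key} differs: {conn_a.get(key)} vs {conn_b.get(key)}")
    for here, there in MIRRORED:
        for name, mine, peer in (("A", conn_a, conn_b), ("B", conn_b, conn_a)):
            if mine.get(here) != peer.get(there):
                problems.append(f"{name} {here}={mine.get(here)} but peer {there}={peer.get(there)}")
    for name, conn in (("A", conn_a), ("B", conn_b)):
        if conn.get("leftsubnet") == conn.get("rightsubnet"):
            problems.append(f"{name} uses {conn.get('leftsubnet')} as both leftsubnet and rightsubnet")
    return problems

def conn_text(left, lsub, right, rsub):
    """Constructed sample: a minimal conn block with the exercise's phase 1/2 settings."""
    return (f"conn demo\n authby=secret\n ike=3des-md5 ## phase 1 ##\n phase2=esp\n"
            f" phase2alg=3des-md5\n pfs=yes\n type=tunnel\n left={left}\n"
            f" leftsubnet={lsub}\n right={right}\n rightsubnet={rsub}\n")

SITE_A = conn_text("10.4.1.200", "192.168.56.0/24", "10.4.1.100", "192.168.33.0/24")
SITE_B_OK = conn_text("10.4.1.100", "192.168.33.0/24", "10.4.1.200", "192.168.56.0/24")
SITE_B_BAD = conn_text("10.4.1.100", "192.168.33.0/24", "10.4.1.200", "192.168.33.0/24")

def compare(text_a, text_b, name="demo"):
    """Parse both files and compare the named conn on each side."""
    a, b = parse_ipsec_conf(text_a), parse_ipsec_conf(text_b)
    return check_mirror(a["conn " + name], b["conn " + name])
```

compare(SITE_A, SITE_B_OK) returns an empty list, while compare(SITE_A, SITE_B_BAD) reports the rightsubnet mismatch and the duplicated subnet on Site B.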
Start the services:
$ /etc/init.d/ipsec restart
Testing the tunnel status:
If both tunnels are up then the Site A private subnet should be able to reach the Site B private subnet; in short, the VM2s in both laptops should be able to ping each other. Routes to the destination subnet should also appear:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         192.168.56.101  0.0.0.0         UG    0      0        0 eth1
Here 192.168.56.101 is the gateway IP (the VPN server IP) in Site A and 192.168.33.0/24 is the Site B private subnet. You can also run the commands below to check the tunnel status:
$ service ipsec status
IPsec running  - pluto pid: 20754
pluto pid 20754
1 tunnels up
some eroutes exist
The log for openswan can be found in /var/log/pluto.log.
Note: This particular exercise is best executed when done in teams. For us we had two teams, one on each site, each building the tunnel with the other site. It is much more fun when done in teams like that.
2. Client to site VPN using OpenVPN
Here is the setup that I have used. The hardware requirement is the same as in the previous exercise.
This is one of the exercises that I did at home. Here I will be using OpenVPN to set up the client VPN server. OpenVPN can also be used to set up a site-to-site VPN. The client VPN server package in OpenVPN is called Access Server. Here is the consolidated configuration to set up an OpenVPN Access Server.
- Home Broadband: My personal Internet
- Laptop 1: a site, say your corporate office. Refer to the previous chapter.
- VM1: Access Server
- VM2: private network
- Laptop 2: VPN clients
The package is fetched over plain HTTP here, so in practice download it first and verify its signature (rpm -K) before installing:
[root@www ~]# rpm -ivh http://swupdate.openvpn.org/as/openvpn-as-2.0.20-CentOS6.x86_64.rpm
Once the installation is done you should see output like the below:
The Access Server has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.
OpenVPN AS can be accessed via these URLs:
Admin UI: https://192.168.2.34:943/admin
Client UI: https://192.168.2.34:943/
Change the password of the openvpn admin account so that you can log in with it:
[root@www ~]# passwd openvpn
Changing password for user openvpn.
New password:
Log in to the Access Server as admin: https://192.168.2.34:943/admin
Set User permission and Authentication for Client users:
You can use various types of authentication for the clients.
Example: Active Directory/LDAP, RADIUS, PAM or two-factor authentication, etc. Here I am using the Local mode of authentication as below:
Once I enable the Local mode of authentication I have to set a password for the client user. In this case the user is Client1:
Connect from Client
Log in to the OpenVPN AS server from the client using the client credentials set above and download the client software:
Connect to the VPN server from the client. I am using a Mac and the client looks something like this. It will ask to accept the profile, so say yes:
Once connected it will look like this: