Quote:
Originally Posted by licht
This sounds positive to me
I've heard a lot of OpenVPN recently but not aware of all its power. So, can it be used in the scenario that mentioned in here? Suppose the intranet resource that the user wants to use (either locally or remotely) is "sth" (could be a printer or a private web-application).
- when the user plugs his laptop in his office (intranet), the openvan will not create tunnel or encrypt the connection to "sth". (OR will it?)
- when the user accesses "sth" from internet through a wireless network in the airport, the access will be a VPN connection from the user's laptop to the destination of "sth".
Could you please give some hints on both server-side and client side set-up?
Thanks!
|
1. With the proper configuration they can access the lans resources as if connected to the lan.
2. You can do it via vpn. But if they don't start the vpn-client they connect in the common way to the
lan. The vpn-client just simulates connecting the laptop to the local lan.
3. The way a user connects to the internet doesn't matter. The client connects via the default-gateway to your vpn-server, encrypting the communication with the server.
4. Config follows (Was my first try)
Server:
# Which TCP/UDP port should OpenVPN listen on?
port 1149
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
dev tun
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
# Ed by karpi:
# these are the servers keys/certificates.
# Howto generate them is very well documented
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
crl-verify /etc/openvpn/keys/crl.pem
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
# Ed by Karpi
# this is the network for the vpn.
# you have to update the routing tables of all servers, to which the users can connect.
server 10.12.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.X.Y 255.255.255.0"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
#
http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 192.168.X.Y"
push "dhcp-option WINS 192.168.X.Y"
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 30 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
#cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC # AES
cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn.log
#log-append /var/log/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 2
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20
Client:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node vpn
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.mydomain.de 1194
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca c:\\programme\\openvpn\\keys\\ca.crt
cert c:\\programme\\openvpn\\keys\\client.crt
key c:\\programme\\openvpn\\keys\\client.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
#
http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth c:\\programme\\openvpn\\keys\\ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
This was my first working openvpn-setup.
I have 10 users working with this setup.
For security reasons this I have setup a dedicated vpn-server
(Pentium II 350,512MB RAM, 4 GB HDD)
Line is a 1MBit/1Mbit synchronus DSL
This Line is fast enough, since the users mostly connect via GPRS-Modems
The users access their mails, use the CRM, their Windows shares, the fax-server
and other internet-related services.
You _can_ push a new default-gateway to the clients, so they connect to the internet via
your proxy, firewall and other security related services.
If the users connect to the lan while at their workplace, they simply don't start the vpn-client.
There is no difference between working via vpn or directly connected to the lan.
They can print on the printers while at their workplace or to a printer connected to the laptop.
HTH