Implement a free VPN with OpenVPN

June 8, 2005

Takeaway: If you want to implement a VPN in your organization but don't have the budget necessary for a dedicated VPN device or to deploy ISA Server 2004, you're in luck. Here's how you can set up a VPN for mobile users quickly and inexpensively using OpenVPN.

VPN solutions are more abundant than they were a few years ago. In fact, there are tons of choices on the market, but some of them can be very expensive. If you need to provide remote access to the office, or even provide access to a remote office, and don't have a huge budget for a dedicated VPN device or ISA Server 2004, consider the open source OpenVPN project to fulfill your VPN needs. In this article, I'll provide an overview of both OpenVPN and the OpenVPN GUI for Windows.

What is OpenVPN?

OpenVPN is an open source, cross platform, SSL-based VPN solution capable of accommodating a number of situations; including both remote access and site-to-site secure communication (a remote office, for example). Available for a number of platforms, including Windows, Linux, BSD, Mac OS X and Solaris, OpenVPN is fairly simple to get up and running.

OpenVPN sports a multitude features that make it an ideal choice in the "free VPN" space, including the ability to build VPN tunnels over NAT devices, to read certificates and private keys from smart cards on Windows clients, as well as being able to run on fairly low-end hardware, perfect for when costs need to be kept as low as possible.

OpenVPN, however, does not support the PPTP, IPSec or L2TP protocols, instead favoring SSL-based technology for all of its functionality. Everything you want to know about what OpenVPN includes can be found on the front page of the OpenVPN site.

Obtaining OpenVPN

There are currently two versions of OpenVPN available: 1.6 and 2.0. 2.0 is the upcoming release that is not yet considered "final" whereas 1.6 is the most recent stable release.  I'm installing OpenVPN onto a Windows Server 2003 system running a prerelease of SP1, and I'm using version 2.0 for this article.

To get an OpenVPN installer for Windows or tarball for Linux, head to OpenVPN's handy download page.

If you're installing OpenVPN onto a Windows system, you can instead opt to use a different download package that includes OpenVPN 2.0 and a really nice graphical user interface. This is one of the great things about open source. A package is available from this site's download page that packages OpenVPN with the GUI. Packages are also available for download for those that are already running OpenVPN and just want a graphical front-end to manage the system. The GUI is only for Windows systems, though.

For this article, I'm using the download package that includes both OpenVPN and the GUI. Note that this installer is used for both the server and the client.

Installation

The installation of OpenVPN is surprisingly easy, particularly since everything you need is built right into the installer, including the TAP-Win32 virtual Ethernet driver and OpenSSL. The first screen of the installer asks you to read the obligatory license agreement, while the second screen, shown below in Figure A, shows you exactly what the installer will be putting on your system.

Figure A

The OpenVPN list of components

By default, OpenVPN installs to C:\Program Files\OpenVPN, but you can choose your own installation directory on the next screen of the installer, if you like. That's the whole initial installation. Two screens to work with: (1) pick what you want to install and (2) choose a directory into which to put everything.

During the installation, you'll probably get a driver installation message indicating that the TAP-Win32 driver is not certified by Microsoft. This driver is used by a number of Open Source programs (including coLinux), and is, in my experience, stable.

Here's a look at the Start menu after the installation completes.

Figure B

The OpenVPN menu options

Now, open up your Network Control Panel. You'll see an additional entry for the TAP driver, which OpenVPN uses for communication across the tunnels it creates. One best practice with regard to the TAP driver is to rename it to something other than "Local Area Connection". In particular, spaces in the TAP adapter name have been known to create problems, so I renamed mine to "VPN-TAP".

Figure C

The TAP diver on my system

Now that OpenVPN is installed, it's time to move on to the configuration tasks.

Creating certificates for use with OpenVPN

OpenVPN requires the use of certificates to help establish the authenticity of clients connecting to an OpenVPN system and vice-versa. After all, you probably wouldn't want a situation in which a client was connecting to an untrusted server. To help prevent this, OpenVPN supports bidirectional authentication.

To use OpenVPN, you need to establish a public key infrastructure that will be used by the system. You need a master certificate authority certificate and key, which will sign each server and client certificate. Table A will walk you through the steps necessary to configure certificates for OpenVPN.

Table A

Generate the master certificate and key by following these steps:

Command Purpose

Go to a command prompt  

C: Change to the C: drive, unless you're already there. If you installed OpenVPN to a different drive, go to that drive instead.

Cd \program files\OpenVPN\easy-rsa Change to the easy-rsa directory, which is where certificate functions are carried out.

init-config Copies the sample vars.bat and openssl.cnf files to version that you can safely modify while still maintaining the samples.

edit vars.bat

Contents:

@echo off

Modify the contents of the vars.bat file to correctly reflect your location. If necessary, change the HOME option to

set HOME=%ProgramFiles%\OpenVPN\easy-rsa

set KEY_CONFIG=openssl.cnf

set KEY_DIR=keys

set KEY_SIZE=1024

 

set KEY_COUNTRY=US

set KEY_PROVINCE=NY

set KEY_CITY= Elmira

set KEY_ORG=TechRepublic

set KEY_EMAIL=mail@example.com

reflect the correct location of the easy-rsa folder on your Windows system.

The option KEY_CONFIG, by default, points to openssl.cnf file included with easy-rsa.

The KEY_DIR option is the directory in which keys will be stored.

The KEY_SIZE option determines the size of the keys that will be generated. This can be increased to as high as 2048, but will result in a performance hit.

vars Executes the vars.bat batch file that you just modified.

clean-all Deletes old keys and creates new folders based on the information in the vars.bat file.

build-ca

Results in:

C:\Program Files\OpenVPN\easy-rsa>build-ca

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

writing new private key to 'keys\ca.key'

Creates the OpenSSL certificate authority. This is just a batch file that calls OpenSSL with a number of predefined options.

This results in the series of questions shown

 

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

 

Country Name (2 letter code) [US]:

State or Province Name (full name) [NY]:

Locality Name (eg, city) [ Elmira]:

Organization Name (eg, company) [TechRepublic]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:sample-VPN

Email Address [mail@example.com]:admin@example.com

to the left. If you've ever set up Apache with SSL, or created an SSL certificate before, you'll recognize this information as being a typical part of the process. Most of this information is carried from your vars.bat file, but some of it (in bold to the left), you need to enter manually.

After this step, you'll see a ca.crt and ca.key file show up in your keys directory. Your certificate authority is ready to go.

Generate server certificate/key pair build-key-server server

Results in:

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

..............................................................................

writing new private key to 'keys\.key'

The build-key-server command builds the VPN server's certificate and key for use with OpenVPN.

Like the certificate authority information, this certificate needs a bunch of

-----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:

State or Province Name (full name) [NY]:

Locality Name (eg, city) [ Elmira]:

Organization Name (eg, company) [TechRepublic]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:vpn

Email Address [mail@example.com]:admin@example.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from openssl.cnf

Loading 'screen' into random state - done

information. In this example, I've named by VPN server 'vpn'.

Again, most of this information was included from the earlier batch file you modified.

When you're done, you'll see server.key and server.crt files in your keys directory.

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'US'

stateOrProvinceName :PRINTABLE:'NY'

localityName :PRINTABLE:' Elmira'

organizationName :PRINTABLE:'TechRepublic'

commonName :PRINTABLE:'VPNserver'

emailAddress :IA5STRING:'admin@example.com'

Certificate is to be certified until Mar 29 03:35:07 2015 GMT (3650 days)

Sign the certificate? [y/n]:y

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Generate client certificates/key combinationsbuild-key client-name

 

Results in:

The same information from the server key generation, except the common name should be a unique name for each client.

Use this for each client you wish to connect to the VPN server, substituting that client's name.

Generate Diffie-Hellman parameters   build-dh

 

The last item you need to generate are the Diffie-Hellman parameters for

Results in a bunch of dots and plus signs. When it's done, you get a couple of asterisks. More importantly, a file called dh1024.pem shows up in your keys folder.

your OpenVPN server.

"Diffie-what?", you might ask. Diffie-Hellman is a method by which two devices can agree on a secret key over an insecure communication channel. Before a VPN connection is established, the channel is insecure, after all.

This command builds a safe prime number that can be used as a part of the Diffie-Hellman algorithm.

Generate TLS authentication shared key  

C:\Program Files\OpenVPN\bin\openvpn --genkey --secret tls.key

Generates a TLS authentication key to add some protection to your communications.

Follow these commands to configure certificates for OpenVPN.

Copy keys to appropriate locations

The best way to with OpenVPN is to copy the key files to the local OpenVPN config directory on both the server and the clients. For the server, copy the following files to C:\Program Files\OpenVPN\config:

ca.crt : the certificate authority. This file will also be copied to each client later on. server.key : the server's key. Your server key will probably have a name that matches

that of your server. server.crt : the server's certificate file. Your server certificate will probably have a name

that matches that of your server. dh1024.pem : The Diffie-Hellman parameters for the VPN. tls.key : the TLS authentication key.

Configuring the server

OpenVPN works on the concept of text-based configuration files: one for the server and one on each client for that client. OpenVPN comes with some sample configuration files found in the C:\Program Files\OpenVPN\sample-config directory. Under Windows, these sample files carry a .ovpn extension.

The OpenVPN sample server configuration file is a good starting point. To use this sample, you need to copy it from C:\Program Files\OpenVPN\sample-config to C:\Program Files\OpenVPN\config. When the OpenVPN service starts up, it will look in this directory for configuration files and start a separate OpenVPN process for each one. For this example, I just have the sample server.ovpn file in the config directory.

Before you start configuration, you should make note of a couple of things. First, you can configure OpenVPN to bridge your Ethernet network across the VPN (TAP mode), or you can configure the VPN using a virtual point-to-point IP link (TUN mode). I'm going to use TAP mode for this article.

Note: TAP mode is required if you want to pass different protocols over the VPN. TAP mode provides a layer 2 tunnel between the client and the server that can pass TCP/IP, IPX, NetBEUI and more. TAP also provides a mechanism by which network broadcasts can traverse the VPN, which is required for some applications. TUN mode is more efficient and easier to administer, but doesn't pass anything except TCP/IP. These days, that's not a problem for many applications.

Some versions of Windows don't support TAP devices. If you're using older versions of Windows, plan to use TUN mode.

Table B goes over the sample configuration file included with OpenVPN and outlines what each parameter is and what it does.

Table B

Configuration file parameters

;local a.b.c.d Optional parameter – on which local IP address should OpenVPN listen for connections?

port 1194 On which local port should OpenVPN listen for connections. Port 1994 is OpenVPN's official port number. If you plan to run multiple OpenVPN instances, each needs its own port.

;proto tcp

proto udp Do you want to use TCP or UDP for connections? The default is UDP. If you want to use TCP, uncomment TCP and comment UDP with a semicolon.

;dev tap

Do you want to use a TAP

dev tun connection or a TUN connection? The default is TUN.

dev-node MyTap (Windows only) Provide the name of the TAP device on your system.

ca ca.crt

cert server.crt

key server.key

dh dh1024.pem

Provide the name of each of your certificate and key files as well as the file name that holds your Diffie-Hellman parameters.

server 10.8.0.0 255.255.255.0 The "server" directive configures OpenVPN in server mode. The IP network and subnet mask provided is the VPN subnet on which OpenVPN will operate. The server will take the first address in the pool. In this example, that would be 10.8.0.1. This line should be commented out for TAP-based servers.

ifconfig-pool-persist ipp.txt Provides a way for OpenVPN to track assigned client VPN addresses so that they can be reused for future connections.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

This directive enables TAP bridging, assigns the bridge an IP address, and assigns a range of IP addresses that will be assigned to clients connecting through this interface.

;push "route 192.168.10.0 255.255.255.0"

;push "route 192.168.20.0 255.255.255.0"

Pushes routes to VPN-connected clients so that they can connect to other private networks behind the OpenVPN server.

;push "redirect-gateway" This directive configures clients to redirect their default gateway through the VPN connection. This means that all IP traffic will traverse the VPN, including DNS lookups. This can cause some problems with DHCP. Be sure to consult the complete OpenVPN guide before enabling this

directive.

;push "dhcp-option DNS 10.8.0.1"

;push "dhcp-option WINS 10.8.0.1"

(Windows only)

Provides the ability to push DHCP options to Windows clients, such as DNS and WINS servers.

;client-to-client When uncommented, allows clients to see one another.

;duplicate-cn Allows multiple clients to connect to the OpenVPN server using the same certificate/key pair. While less secure than providing each client with its own certificate, it is easier to administer.

keepalive 10 120 The system will make sure the VPN connection is still alive through the use of this directive. As written here, a keepalive message will be sent every 10 seconds and the other side will be assumed down if no keepalive messages are returned within 120 seconds.

;tls-auth ta.key 0 Creates an additional layer of security by using an additional key to create an HMAC firewall which helps block attacks on the VPN. HMAC is described in RFC 2104 as a Keyed-Hashing for Message Authentication system. This key must be present on both the server and any connected client.

;cipher BF-CBC

;cipher AES-128-CBC

;cipher DES-EDE3-CBC

Determine which cipher mode to use. The default is Blowfish.

comp-lzo Enables compression over the tunnel. If you use this directive, be sure to enable it on the client side as well.

;max-clients 100 The maximum number of concurrently connected clients you want to allow over the

connection.

status openvpn-status.log Provides a short status file about the VPN.

;log openvpn.log

;log-append openvpn.log By default, log messages will go to the C:\Program Files\OpenVPN\log directory). Use these commands to override this behavior. "Log" overwrites the current files whereas "log-append" appends to the existing file. You can only use one of these directives.

verb 3

Set the appropriate log verbosity.

0 is silent, except for fatal errors.

4 is good for general usage.

5 and 6 are used for debugging.

9 is more information than you want to know.

;mute 20 How many repeating messages should be written to the log before stopping?

Based on the information in the previous table, this is the configuration file I could use on my sample VPN server:

port 1194

proto udp

dev tap

dev-node TAP-VPN

ca ca.crt

cert server.crt

key server.key

dh dh1024.pem

ifconfig-pool-persist ipp.txt

server-bridge 192.168.152.100 255.255.255.0 192.168.152.150 192.168.152.200

keepalive 10 120

comp-lzo

status openvpn-status.log

verb 3

Start the server

With the server configuration file now built, you can start the server process on your OpenVPN server. Since I'm using the GUI, I'll right-click the GUI icon and choose Connect. A status window pops up, which is shown in Figure D.

Figure D

This screen will tell you everything you need to know about how your VPN operates

Note: If you want to start OpenVPN with a specific configuration file, go to the config directory, right-click a configuration file and choose "Start OpenVPN with this configuration file" from the shortcut menu. You can also start OpenVPN directly from the command line. Refer to the OpenVPN docs for more details on this.

Client configuration

With your OpenVPN server up and running, you can start connecting clients. This is the easy part, believe it or not. The client side uses the same installer as the server side of things. So, to get started, install the OpenVPN software and GUI on to your client computer using the instructions found earlier in this article.

Build key and certificate for the client

On the server side, you'll need to run the 'build-key client-name' command for each client that you want to allow to connect to the OpenVPN server. Once you do this, copy the client-name.key, client-name.crt, and ca.crt files from the server to your client's C:\Program Files\OpenVPN\config directory.

Configure the client

Like the server, each client has a configuration file that you use to provide the client with its configuration information. Also like the server, you'll find a sample client file in the C:\Program Files\OpenVPN\sample-config directory. I used this file as a starting point for my installation.

Table C lists some of the unique client parameters:

Table C

client Indicates to OpenVPN that this is a client rather than a server.

remote my-server-1 1194 Connect to the server named 'my-server-1' using port 1194. You can also specify the IP address of the server instead of the hostname, if you like.

resolv-retry infinite Will continue to try indefinitely to resolve the host name of the OpenVPN server.

Here is a configuration file that I might use on a client to connect to the OpenVPN server I set up:

client

dev tap

dev-node client-TAP

proto udp

remote 192.168.152.100 1194 (if I was using NAT on the server side, I would instead use the external IP address of the NAT rule here)

resolv-retry infinite

nobind

ca ca.crt

cert vpnclient.crt

key vpnclient.key

comp-lzo

verb 3

Make sure that you also modify the ca, cert, and key values in the client configuration file to point to the file containing these critical pieces of information.

Once you get the client configured, start it with the GUI controls, or from the command line. From the GUI in the system tray, right-click the OpenVPN icon and choose Connect.

Keep in mind

Before you start the client, make sure that any firewall that you might traverse into the remote network is forwarding port 1194 to your OpenVPN server and, if you're using NAT, that you've provided an appropriate NAT rule for said server, thus providing it with an externally accessible IP address.

Remember, each client needs its own certificate/key pair, each generated on the OpenVPN server. Make sure also that you copy the master ca.crt file from the server to any client that you want to allow to connect to the OpenVPN server. If you fail to do this, you won't be able to connect.

Also consider the use of a TLS shared key to help keep your communication secure.