Solved

Windows <-> Windows OpenVPN

Posted on 2004-07-30
1,376 Views
Last Modified: 2008-01-09
Has anyone been able to configure a multi-client VPN setup with OpenVPN? I can get a single, SSL VPN setup NO problem, but have not been able to successfully configure a multi-client yet. I'd love to see a working config file.
0
Question by:af500
44 Comments
 
LVL 11

Expert Comment

by:gothicbloody
ID: 11680040
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 200 total points
ID: 11680219
If you are using the -inetd option then you may have the issue below. This is originally from www.sourceforge.net

How can I implement OpenVPN as a classic, forking TCP server which can service multiple clients over a single TCP port?
Here at work, we wanted to implement a VPN solution for Roadwarriors
which have to connect to the main office. OpenVPN looked like a nice
solution, as it also works with Windows and can tunnel through an https
proxy.

One problem though, was the inability to use a constant port number on
the server side.

The --inetd option seemed very promising, but the man-page explicitly
states that this option can not be used for multiple connections,
although there seemed to be no reason. (The only reason I found
mentioned was, that there was no config file templating mechanism,
which obviously isn't really a problem).

A test later I found that the code was written for inetd with
"wait=yes" in mind, but that was quickly changed[1] (see attached patch).

The attached patch [merged with OpenVPN as of 1.6-beta5]
adds a new option "--inetd nowait" which makes OpenVPN
work with a connected socket on stdin, like (x)inetd does with wait=no,
or even netcat with the -e option.

Of course this still runs one OpenVPN process per client. You still need
one tap device per client, and configure bridging between them.

This also only works with SSL/TLS and tap devices, because of the single
config file shared between all server processes.

The server config file in our case is easy:

| # OpenVPN multiple-client-server
| inetd nowait
| proto tcp-server
|
| # 10.254.0.1 is our local VPN endpoint (office).
| dev tap
| ifconfig 10.254.0.1 255.255.255.0
|
| # Our up script will establish routes
| # once the VPN is alive.
| ifconfig-noexec
| up /etc/openvpn/vpn-server.up
|
| # We are SSL/TLS Server
| tls-server
| dh /etc/openvpn/dh2048.pem
| ca /etc/openvpn/my-ca.crt
| crl-verify /etc/openvpn/my-ca.crl
| cert /etc/openvpn/server.crt
| key /etc/openvpn/server.key

The only magic thing is the ifconfig-noexec. Of course we can't ifconfig
each of the tap interfaces with the same IP address. But we don't need
to, as we are using bridging.

My Bridging setup script (run once at bootup):

| # load Bridging-Module
| modprobe bridge
|
| # configure bridge
| brctl addbr br0
| brctl stp   br0 off
| brctl setfd br0 0
|
| # our private vpn network
| ifconfig br0 10.254.0.1 netmask 0xffffff00 broadcast 10.254.0.255

The per-client setup script (vpn-server.up):

| # add interface to bridge and activate
| brctl addif br0 $1
| ifconfig $1 up


And for completeness sake, here is the xinetd config file for the
OpenVPN server:

| service openvpn_1
| {
|         type            = UNLISTED
|         port            = 443
|         socket_type     = stream
|         protocol        = tcp
|         wait            = no
|         user            = root
|         server          = /usr/sbin/openvpn
|         server_args     = --config /etc/openvpn/vpn-server.conf
|         disable         = no
| }

And that's it. It works for me. If you have any questions or comments,
contact me, I'd be happy to hear from you.

CU,
    Stefan `Sec` Zehl

[1]  The necessary code changes are very small.
     Only socket_listen_accept needs to be changed. The accept() and
     openvpn_close_socket() calls need to be removed, because the
     connection on stdin is already the connection we want.  The second
     thing is, we have to use getpeername to find the IP and Port of
     our remote peer.

     All the other changes in the attached patch deal with adding a new
     command-line option, and propagating that new option down to the
     correct function.


0
 
LVL 4

Author Comment

by:af500
ID: 11680852
How is the TLS setup in Win2K?
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11680986
I can try to explain it on Monday, I have to leave my office now. If someone else can answer the question please do. I will check back with you first thing Mon morning. Take care.
0
 
LVL 4

Author Comment

by:af500
ID: 11681055
No problem, thanks for your help!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11697674
Sorry, I have been unavailable. Let me know if you are still having issues.

J
0
 
LVL 4

Author Comment

by:af500
ID: 11703887
Stuck here:
| # We are SSL/TLS Server
| tls-server
| dh /etc/openvpn/dh2048.pem
| ca /etc/openvpn/my-ca.crt
| crl-verify /etc/openvpn/my-ca.crl
| cert /etc/openvpn/server.crt
| key /etc/openvpn/server.key

how do I setup the TLS?
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11704114
You shouldn't have to set up TLS, transport layer security is what SSL uses. It is a protocol and is enabled, if SSL works then TLS is setup properly.

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11726339
This part of your system should be setup correctly as it is related directly to the SSL security certificates, I am assuming that by having one VPN connection working over SSL that your SSL is set up correctly.

J
0
 
LVL 4

Author Comment

by:af500
ID: 11726631
Do I create the certs & keys first? If so, where / how?

I'm using the example from the OpenVPN 2 beta:

This is the config:
########################################
# Sample OpenVPN config file for
# multi-client udp server
#
# tap-style tunnel

port 5000
dev tap

# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

# Tell OpenVPN to be a multi-client udp server
mode server

# The server's virtual subnet
ifconfig 10.8.0.1 255.255.255.0

# Pool of IP addresses to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255

# Client should attempt reconnection on link
# failure.
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"

# The server doesn't need privileges
user nobody
group nobody

verb 4
comp-lzo


This is the error:
Thu Aug 05 10:36:03 2004 us=552163 Cannot open sample-keys/dh1024.pem for DH parameters: error:02001003:system library:fopen:No such process: error:2006D080:BIO routines:BIO_new_file:no such file
Thu Aug 05 10:36:03 2004 us=554127 Exiting
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11726656
You create the keys first... are you using OpenSSL?
0
 
LVL 4

Author Comment

by:af500
ID: 11726668
Ah, that's what I thought ..
Yes, it came with the install ..

How do I create the keys?

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11726691
Here is a beautiful walkthrough on creating a self signed key with openSSL.

http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
0
 
LVL 4

Author Comment

by:af500
ID: 11726736
Cool, thanks. I think I've used that URL before :)

Do I need to create the IIS request too, or only up to that point?
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11726790
You do not need the IIS request, as you will be using OpenSSL. So you just need to make sure you create the files and put them in the locations that you point to in your config. So you need the crt, key and pem files.
0
 
LVL 4

Author Comment

by:af500
ID: 11726810
Slickness. Thanks. Trying that out now
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11726861
Just so you know.. I have never used or seen Windows OpenVPN. I slept at a Holiday Inn Express last night though!?

J
0
 
LVL 4

Author Comment

by:af500
ID: 11726941
LOL!

Well, I've used it for a basic connection and was very impressed.

If I can get it setup to accept >1 connection that would be even better :)

So, I created ca.key, and ca.cer but in the conf, it's looking for a little more:
# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

Does .cer = .crt ?

What is .pem?
0
 
LVL 4

Author Comment

by:af500
ID: 11727154
Here's a pretty good little link on how to setup SSL too:

http://projectdream.org/publications/fnord.html
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11727492
Here is a set of instructions I wrote for a client and their Apache server, I changed the names of files for your setup, let's see if this helps.

Step 1: Review OPENSSL.CONF

C:\ORACLE\iSuites\APACHE\open_ssl\bin\openssl.conf

Contents:

[ req ]
 default_bits           = 1024
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = no9dodge     # can be changed

[ ca ]
 default_ca      = CA_default            # The default ca section

[ CA_default ]
# dir                    = d:/oracle/isuites/apache/open_ssl
 new_certs_dir          = d:/
 certificate            = ca_cert_file.pem
 #private_key            = cakey.pem
 private_key = ca_cert_key.pem
 database               = ../index.txt      
 default_md             = md5
 serial                 = ../serial             # The current serial number

 default_days           = 365

 policy            = policy_match

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName      = match
organizationName      = match
organizationalUnitName      = optional
commonName            = supplied
emailAddress            = optional


[ req_distinguished_name ]
 C                      = US
 ST                     = DC
 L                      = Washington # City goes here
 O                      = MyCompany # Company Name Goes here
 OU                     = Office of Information Technology # Department goes here
 CN                     = openvpnserver.mydomain.com # fully qualified domain name of server goes here
 emailAddress           = webmaster@mydomain.com # email address goes here
 [ req_attributes ]


Step 2:  Generate Random File for Key Generation

From the Command Prompt in the ..\Apache\open_ssl\bin directory;

Type: openssl md5 * > rand.dat

Step 3: Generate Key File

Type: openssl genrsa -rand rand.dat -des3 1024 > openvpn.pem

Step 4: Generated Certificate Request (CSR) File

Type: openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf=

Step 5: Remove password from egrants.pem file (Allows apache to run as a Service)

Type: openssl rsa -in openvpn.pem -out openvpn.key

      When prompted for password use  output_password  from openssl.conf file.

Step 6: Submit Request to Certificate Authority

Submit openvpn.csr file to CA  for certificate request
      
Step 7: Create Certificate File

Copy the Requested key into a text file, exactly per the instructions received and save as “openvpn.crt”

Be sure to: Copy the entire contents of the certificate from (and including) the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Step 8:  Configure Apache Service with New Certificate.
 
Place all files in the location required in the configuration file.
0
 
LVL 4

Author Comment

by:af500
ID: 11728060
I used the openssl.conf from that first link and get an error when I use the -req...

I'll try this now :)

TX!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11728173
No problem.

J
0
 
LVL 4

Author Comment

by:af500
ID: 11728354
certs: Permission denied
keys: Permission denied
requests: Permission denied
0
 
LVL 4

Author Comment

by:af500
ID: 11728398
ok... that doesn't seem to matter... the rand.dat was created...
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11728426
hmmm. ok... ;)
0
 
LVL 4

Author Comment

by:af500
ID: 11728567
Still stuck....

# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

There are two .crt files ... what are they for? ( curiosity )

I can create the .pem, and the .key, but not the .crt

0
 
LVL 4

Author Comment

by:af500
ID: 11728703
This line throws an error:
openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf

unknown option openssl.conf
0
 
LVL 4

Author Comment

by:af500
ID: 11729298
Setup CYGWIN .. going to try creating keys there :)
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11729325
this line

openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf

should be

openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf=

The ca.crt is the files which list the certificate authorities. Open it up and look in it. If you are signing your own certificate then you will need to put information in it. If you are sending the key off to get a real certificate then they should already be in there, if not then you will have to request or download their CA entry to paste into the file.

The server.crt ("openvpn") is the actual certificate, cer and crt are the same. Man this is getting complicated ;)


J
0
 
LVL 4

Author Comment

by:af500
ID: 11729549
I've used OpenSSL before to create a mass of self-signed certs for IIS and that was super easy :)

When I run that above command, without the '=' I get a can not find config file error .. so that seems like it might be on the right track.

I'm wondering if I shouldn't just grab a full copy of OpenSSL as it looks like just the .exe is sent out with OpenVPN.
0
 
LVL 4

Author Comment

by:af500
ID: 11729675
Grabbing the FULL OpenSSL works ... so far so good ... just self-signing the cert now.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11729707
Cool.. sorry about that, I assumed the full version was already there....

J
0
 
LVL 4

Author Comment

by:af500
ID: 11729995
Yeah, I did too ;)

OK, this is what I've got now:

openvpn.key
openvpn.csr
openvpn.pem

So, if .cer & .crt are the same - which is which here?

ca sample-keys/tmp-ca.crt #??
cert sample-keys/server.crt #??
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11730135
Well.... the csr file has to be sent off to get a crt file... when it comes back, it would be the csr file.
Are you familiar with getting security certificates?
0
 
LVL 4

Author Comment

by:af500
ID: 11730172
Dah, that's what I thought ...

Can't I just sign my own? :)
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11730309
uhm... you will have to stand up a certificate server, sign the cert etc... we are talking a whole new ballgame... how about trying this out;

http://www.freecert.org/

I have never used it, but maybe it works.

let me know.

J
0
 
LVL 4

Author Comment

by:af500
ID: 11730335
This did the trick:

openssl req -config openssl.cnf -new -out my-server.csr
openssl rsa -in privkey.pem -out my-server.key
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
0
 
LVL 4

Author Comment

by:af500
ID: 11730348
And finally, what's the difference between these two in the OpenVPN config?

ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11730381
okie dokie... server.crt is the actual certificate...
ca.crt is the Certificate Authority file. This contains the information on the issuing authority. Open the file and take a look in it, you should have one with the OpenSSL install. When your certificate is opened, it references the CA file to get the information on where it came from.

J
0
 
LVL 4

Author Comment

by:af500
ID: 11730541
Of course, that file isn't there ....

Can I make one of those too?
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11730630
do a search on the internet, you should be able to find plenty all filled out. ;)

J
0
 
LVL 4

Author Comment

by:af500
ID: 11730818
My goodness, what a procedure!

Well, OpenVPN let me use a .p12 instead, so I grabbed that... now I have everything listed in the TLS/SSL config... but OpenVPN says it can't find:

Thu Aug 05 17:02:49 2004 us=527401 Cannot open keys/privkey.pem for DH parameters: error:02001003:system library:fopen:No such process: error:2006D080:BIO routines:BIO_new_file:no such file
Thu Aug 05 17:02:49 2004 us=529339 Exiting
Press any key to continue...
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11731037
It might be getting hung up on the password, make a copy of the privkey.pem and back it up... and then try this

Step 5: Remove password from egrants.pem file (Allows apache to run as a Service)

Type: openssl rsa -in openvpn.pem -out openvpn.key

     When prompted for password use  output_password  from openssl.conf file.

This should remove the password... in the example I gave you the password was no9dodge


I have to leave now, and won't be able to check in until the morning.

J
0
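A startup preflight for the tls-server block, added here as an example that is not code from the thread or from OpenVPN: it reads the ca/cert/key/dh lines of a config, reports a referenced file that does not exist (the dh1024.pem error above) and a key that still carries its passphrase (the hang-up suspected in the previous comment), and judges each file by the PEM header inside it rather than by its .cer/.crt/.pem extension. The sample-keys directory, the config text and the stub PEM bodies are constructed for the demonstration.

```python
import os, re, tempfile

# Startup files an OpenVPN tls-server config names -> PEM label expected inside each.
EXPECTED_PEM = {"ca": "CERTIFICATE", "cert": "CERTIFICATE",
                "key": "PRIVATE KEY", "dh": "DH PARAMETERS"}
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"  # constructed stub
ENC_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"   # constructed stub
               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIC...\n-----END RSA PRIVATE KEY-----\n")

def parse_file_directives(config_text):
    """Return {directive: path} for the ca/cert/key/dh lines of a config."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split keyword/argument
        if len(parts) == 2 and parts[0] in EXPECTED_PEM:
            found[parts[0]] = parts[1].strip()
    return found

def check_pem_file(path, label):
    """Problems with one referenced file; an empty list means it looks usable."""
    if not os.path.isfile(path):
        return ["%s: no such file" % path]
    with open(path, errors="replace") as fh:
        data = fh.read()
    problems = []
    # Judge by content, not extension: .cer, .crt and .pem may all hold PEM text.
    if not re.search(r"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?%s-----" % label, data):
        problems.append("%s: no 'BEGIN %s' block" % (path, label))
    # A passphrase-protected key stalls an unattended server at startup.
    if label == "PRIVATE KEY" and ("Proc-Type: 4,ENCRYPTED" in data
                                   or "BEGIN ENCRYPTED PRIVATE KEY" in data):
        problems.append("%s: key is passphrase-protected" % path)
    return problems

def preflight(config_text, base_dir="."):
    """Check every ca/cert/key/dh file the config names; return all problems found."""
    problems, directives = [], parse_file_directives(config_text)
    for name, label in EXPECTED_PEM.items():
        if name not in directives:
            problems.append("config: missing '%s' directive" % name)
        else:
            problems += check_pem_file(os.path.join(base_dir, directives[name]), label)
    return problems

def make_constructed_sample():
    """Constructed sample: dh file missing, key still encrypted. Returns (config, base_dir)."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "sample-keys"))
    for fname, body in (("tmp-ca.crt", CERT_PEM), ("server.crt", CERT_PEM),
                        ("server.key", ENC_KEY_PEM)):
        with open(os.path.join(base, "sample-keys", fname), "w") as fh:
            fh.write(body)
    config = ("tls-server\nca sample-keys/tmp-ca.crt\ncert sample-keys/server.crt\n"
              "key sample-keys/server.key\ndh sample-keys/dh1024.pem\n")
    return config, base
```

Running `preflight(*make_constructed_sample())` on the constructed sample reports exactly two problems: the encrypted server.key and the missing dh1024.pem.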
 
LVL 4

Author Comment

by:af500
ID: 11731159
No problem, thanks for *ALL* your help!
0