Windows <-> Windows OpenVPN

Has anyone been able to configure a multi-client VPN setup with OpenVPN? I can get a single SSL VPN set up, no problem, but have not been able to successfully configure a multi-client one yet. I'd love to see a working config file.
af500Asked:
jdeclueCommented:
If you are using the --inetd option then you may have the issue below. This is originally from www.sourceforge.net

How can I implement OpenVPN as a classic, forking TCP server which can service multiple clients over a single TCP port?
Here at work, we wanted to implement a VPN solution for road warriors
which have to connect to the main office. OpenVPN looked like a nice
solution, as it also works with Windows and can tunnel through an https
proxy.

One problem, though, was the inability to use a constant port number on
the server side.

The --inetd option seemed very promising, but the man-page explicitly
states that this option can not be used for multiple connections,
although there seemed to be no reason. (The only reason I found
mentioned was that there was no config file templating mechanism,
which obviously isn't really a problem).

A test later I found that the code was written for inetd with
"wait=yes" in mind, but that was quickly changed[1] (see attached patch).

The attached patch [merged with OpenVPN as of 1.6-beta5]
adds a new option "--inetd nowait" which makes OpenVPN
work with a connected socket on stdin, like (x)inetd does with wait=no,
or even netcat with the -e option.

Of course this still runs one OpenVPN process per client. You still need
one tap device per client, and configure bridging between them.

This also only works with SSL/TLS and tap devices, because of the single
config file shared between all server processes.

The server config file in our case is easy:

| # OpenVPN multiple-client-server
| inetd nowait
| proto tcp-server
|
| # 10.254.0.1 is our local VPN endpoint (office).
| dev tap
| ifconfig 10.254.0.1 255.255.255.0
|
| # Our up script will establish routes
| # once the VPN is alive.
| ifconfig-noexec
| up /etc/openvpn/vpn-server.up
|
| # We are SSL/TLS Server
| tls-server
| dh /etc/openvpn/dh2048.pem
| ca /etc/openvpn/my-ca.crt
| crl-verify /etc/openvpn/my-ca.crl
| cert /etc/openvpn/server.crt
| key /etc/openvpn/server.key

The only magic thing is the ifconfig-noexec. Of course we can't ifconfig
each of the tap interfaces with the same IP address. But we don't need
to, as we are using bridging.

My Bridging setup script (run once at bootup):

| # load Bridging-Module
| modprobe bridge
|
| # configure bridge
| brctl addbr br0
| brctl stp   br0 off
| brctl setfd br0 0
|
| # our private vpn network
| ifconfig br0 10.254.0.1 netmask 0xffffff00 broadcast 10.254.0.255

The per-client setup script (vpn-server.up):

| # add interface to bridge and activate
| brctl addif br0 $1
| ifconfig $1 up


And for completeness' sake, here is the xinetd config file for the
OpenVPN server:

| service openvpn_1
| {
|         type            = UNLISTED
|         port            = 443
|         socket_type     = stream
|         protocol        = tcp
|         wait            = no
|         user            = root
|         server          = /usr/sbin/openvpn
|         server_args     = --config /etc/openvpn/vpn-server.conf
|         disable         = no
| }

And that's it. It works for me. If you have any questions or comments,
contact me, I'd be happy to hear from you.

CU,
    Stefan `Sec` Zehl

[1]  The necessary code changes are very small.
     Only socket_listen_accept needs to be changed. The accept() and
     openvpn_close_socket() calls need to be removed, because the
     connection on stdin is already the connection we want.  The second
     thing is, we have to use getpeername to find the IP and Port of
     our remote peer.

     All the other changes in the attached patch deal with adding a new
     command-line option, and propagating that new option down to the
     correct function.


af500Author Commented:
How is the TLS setup in Win2K?
jdeclueCommented:
I can try to explain it on Monday; I have to leave my office now. If someone else can answer the question please do. I will check back with you first thing Mon morning. Take care.
af500Author Commented:
No problem, thanks for your help!
jdeclueCommented:
Sorry, I have been unavailable. Let me know if you are still having issues.

J
af500Author Commented:
Stuck here:
| # We are SSL/TLS Server
| tls-server
| dh /etc/openvpn/dh2048.pem
| ca /etc/openvpn/my-ca.crt
| crl-verify /etc/openvpn/my-ca.crl
| cert /etc/openvpn/server.crt
| key /etc/openvpn/server.key

how do I setup the TLS?
jdeclueCommented:
You shouldn't have to set up TLS; Transport Layer Security is what SSL uses. It is a protocol and is enabled; if SSL works then TLS is set up properly.

jdeclueCommented:
This part of your system should be set up correctly, as it is related directly to the SSL security certificates. I am assuming that by having one VPN connection working over SSL, your SSL is set up correctly.

J
af500Author Commented:
Do I create the certs & keys first? If so, where / how?

I'm using the example from the OpenVPN 2 beta:

This is the config:
########################################
# Sample OpenVPN config file for
# multi-client udp server
#
# tap-style tunnel

port 5000
dev tap

# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

# Tell OpenVPN to be a multi-client udp server
mode server

# The server's virtual subnet
ifconfig 10.8.0.1 255.255.255.0

# Pool of IP addresses to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255

# Client should attempt reconnection on link
# failure.
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"

# The server doesn't need privileges
user nobody
group nobody

verb 4
comp-lzo


This is the error:
Thu Aug 05 10:36:03 2004 us=552163 Cannot open sample-keys/dh1024.pem for DH parameters: error:02001003:system library:fopen:No such process: error:2006D080:BIO routines:BIO_new_file:no such file
Thu Aug 05 10:36:03 2004 us=554127 Exiting
jdeclueCommented:
You create the keys first... are you using OpenSSL?
af500Author Commented:
Ah, that's what I thought ..
Yes, it came with the install ..

How do I create the keys?

jdeclueCommented:
Here is a beautiful walkthrough on creating a self signed key with openSSL.

http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
af500Author Commented:
Cool, thanks. I think I've used that URL before :)

Do I need to create the IIS request too, or only up to that point?
jdeclueCommented:
You do not need the IIS request, as you will be using OpenSSL. So you just need to make sure you create the files and put them in the locations that you point to in your config. So you need the crt, key and pem files.
af500Author Commented:
Slickness. Thanks. Trying that out now
jdeclueCommented:
Just so you know.. I have never used or seen Windows OpenVPN. I slept at a Holiday Inn Express last night though!?

J
af500Author Commented:
LOL!

Well, I've used it for a basic connection and was very impressed.

If I can get it setup to accept >1 connection that would be even better :)

So, I created ca.key, and ca.cer but in the conf, it's looking for a little more:
# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

Does .cer = .crt ?

What is .pem?
af500Author Commented:
Here's a pretty good little link on how to setup SSL too:

http://projectdream.org/publications/fnord.html
jdeclueCommented:
Here is a set of instructions I wrote for a client and their Apache server. I changed the names of the files for your setup; let's see if this helps.

Step 1: Review OPENSSL.CONF

C:\ORACLE\iSuites\APACHE\open_ssl\bin\openssl.conf

Contents:

[ req ]
 default_bits           = 1024
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = no9dodge     # can be changed

[ ca ]
 default_ca      = CA_default            # The default ca section

[ CA_default ]
# dir                    = d:/oracle/isuites/apache/open_ssl
 new_certs_dir          = d:/
 certificate            = ca_cert_file.pem
 #private_key            = cakey.pem
 private_key = ca_cert_key.pem
 database               = ../index.txt      
 default_md             = md5
 serial                 = ../serial             # The current serial number

 default_days           = 365

 policy            = policy_match

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName      = match
organizationName      = match
organizationalUnitName      = optional
commonName            = supplied
emailAddress            = optional


[ req_distinguished_name ]
 C                      = US
 ST                     = DC
 L                      =  Washington # State goes here
 O                      =  MyCompany # Company Name Goes here
 OU                     = Office of Information Technology # Department goes here
 CN                     = openvpnserver.mydomain.com # fully qualified domain name of server goes here
 emailAddress           = webmaster@mydomain.com # email address goes here
 [ req_attributes ]


Step 2:  Generate Random File for Key Generation

From the Command Prompt in the ..\Apache\open_ssl\bin directory;

Type: openssl md5 * > rand.dat

Step 3: Generate Key File

Type: openssl genrsa -rand rand.dat -des3 1024 > openvpn.pem

Step 4: Generate Certificate Request (CSR) File

Type: openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf=

Step 5: Remove password from egrants.pem file (Allows apache to run as a Service)

Type: openssl rsa -in openvpn.pem -out openvpn.key

      When prompted for password use  output_password  from openssl.conf file.

Step 6: Submit Request to Certificate Authority

Submit openvpn.csr file to CA  for certificate request
      
Step 7: Create Certificate File

Copy the Requested key into a text file, exactly per the instructions received, and save it as "openvpn.crt"

Be sure to: Copy the entire contents of the certificate from (and including) the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Step 8:  Configure Apache Service with New Certificate.
 
Place all files in the location required in the configuration file.
af500Author Commented:
I used the openssl.conf from that first link and get an error when I use the -req...

I'll try this now :)

TX!
jdeclueCommented:
No problem.

J
af500Author Commented:
certs: Permission denied
keys: Permission denied
requests: Permission denied
af500Author Commented:
ok... that doesn't seem to matter... the rand.dat was created...
jdeclueCommented:
hmmm. ok... ;)
af500Author Commented:
Still stuck....

# TLS parms

tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

There are two .crt files ... what are they for? ( curiosity )

I can create the .pem, and the .key, but not the .crt

af500Author Commented:
This line throws an error:
openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf

unknown option openssl.conf
af500Author Commented:
Setup CYGWIN .. going to try creating keys there :)
jdeclueCommented:
this line

openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf

should be

openssl req -new -key openvpn.pem -out openvpn.csr openssl.conf=

The ca.crt is the file which lists the certificate authorities. Open it up and look in it. If you are signing your own certificate then you will need to put information in it. If you are sending the key off to get a real certificate then it should already be in there; if not then you will have to request or download their CA entry to paste into the file.

The server.crt ("openvpn") is the actual certificate; cer and crt are the same. Man, this is getting complicated ;)


J
af500Author Commented:
I've used OpenSSL before to create a mass of self-signed certs for IIS and that was super easy :)

When I run that above command without the '=' I get a cannot find config file error .. so that seems like it might be on the right track.

I'm wondering if I shouldn't just grab a full copy of OpenSSL as it looks like just the .exe is sent out with OpenVPN.
af500Author Commented:
Grabbing the FULL OpenSSL works ... so far so good ... just self-signing the cert now.
jdeclueCommented:
Cool.. sorry about that, I assumed the full version was already there....

J
af500Author Commented:
Yeah, I did too ;)

OK, this is what I've got now:

openvpn.key
openvpn.csr
openvpn.pem

So, if .cer & .crt are the same - which is which here?

ca sample-keys/tmp-ca.crt #??
cert sample-keys/server.crt #??
jdeclueCommented:
Well.... the csr file has to be sent off to get a crt file... when it comes back, it would be the csr file.
Are you familiar with getting security certificates?
af500Author Commented:
Dah, that's what I thought ...

Can't I just sign my own? :)
jdeclueCommented:
Uhm... you will have to stand up a certificate server, sign the cert etc... we are talking a whole new ballgame... how about trying this out:

http://www.freecert.org/

I have never used it, but maybe it works.

let me know.

J
af500Author Commented:
This did the trick:

openssl req -config openssl.cnf -new -out my-server.csr
openssl rsa -in privkey.pem -out my-server.key
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
af500Author Commented:
And finally, what's the difference between these two in the OpenVPN config?

ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
jdeclueCommented:
Okie dokie... server.crt is the actual certificate...
ca.crt is the Certificate Authority file. This contains the information on the issuing authority. Open the file and take a look in it; you should have one with the OpenSSL install. When your certificate is opened, it references the CA file to get the information on where it came from.

J
af500Author Commented:
Of course, that file isn't there ....

Can I make one of those too?
jdeclueCommented:
Do a search on the internet, you should be able to find plenty all filled out. ;)

J
af500Author Commented:
My goodness, what a procedure!

Well, OpenVPN let me use a .p12 instead, so I grabbed that... now I have everything listed in the TLS/SSL config... but OpenVPN says it can't find:

Thu Aug 05 17:02:49 2004 us=527401 Cannot open keys/privkey.pem for DH parameters: error:02001003:system library:fopen:No such process: error:2006D080:BIO routines:BIO_new_file:no such file
Thu Aug 05 17:02:49 2004 us=529339 Exiting
Press any key to continue...
jdeclueCommented:
It might be getting hung up on the password. Make a copy of privkey.pem and back it up... and then try this:

Step 5: Remove password from egrants.pem file (Allows apache to run as a Service)

Type: openssl rsa -in openvpn.pem -out openvpn.key

     When prompted for password use  output_password  from openssl.conf file.

This should remove the password... in the example I gave you the password was no9dodge


I have to leave now, and won't be able to check in until the morning.

J
af500Author Commented:
No problem, thanks for *ALL* your help!
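As an added example (not code from the thread, nor from OpenVPN or OpenSSL), this POSIX shell script does in one place what Steps 1 to 7 and the later self-signing commands were aiming for: it creates a self-signed CA, signs a server certificate with it, generates the DH file, and then pre-flights a tls-server config the way OpenVPN opens it, catching the missing-dh and passphrase-protected-key failures seen above. The directory names, file names and common names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build the ca/cert/key/dh files that the
# tls-server block asks for using a self-signed CA, then check a config the
# way OpenVPN will open it. Directory and CN values are assumed placeholders.
set -eu

make_openvpn_pki() {            # $1 = output dir, $2 = server common name
  mkdir -p "$1"
  # CA key + self-signed CA certificate: this is the file the 'ca' option wants
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=test-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  # server key (-nodes: no passphrase, so the service starts unattended) + CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # sign the CSR with the CA: the result is the file the 'cert' option wants
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
  # DH parameters for the 'dh' option (-dsaparam: quick to generate, fine for DHE)
  openssl dhparam -dsaparam -out "$1/dh2048.pem" 2048 2>/dev/null
}

write_server_conf() {           # $1 = conf path, $2 = dh file name
  printf 'tls-server\nca ca.crt\ncert server.crt\nkey server.key\ndh %s\n' "$2" > "$1"
}

# Print the value of option $2 in config $1, resolved against the config's directory
cfg_path() {
  v=$(awk -v o="$2" '$1==o {print $2}' "$1")
  case "$v" in /*) echo "$v" ;; *) echo "$(dirname "$1")/$v" ;; esac
}

# Pre-flight: every file named by ca/cert/key/dh must exist, the key must not
# be passphrase-protected, and the cert must chain to the ca file.
check_tls_files() {             # $1 = conf path; returns 1 on any problem
  rc=0
  for opt in ca cert key dh; do
    p=$(cfg_path "$1" "$opt")
    [ -f "$p" ] || { echo "missing $opt file: $p"; rc=1; }
  done
  if grep -q ENCRYPTED "$(cfg_path "$1" key)" 2>/dev/null; then
    echo "key is passphrase-protected; strip it with: openssl rsa -in key -out key"; rc=1
  fi
  openssl verify -CAfile "$(cfg_path "$1" ca)" "$(cfg_path "$1" cert)" >/dev/null 2>&1 \
    || { echo "cert does not verify against ca"; rc=1; }
  return $rc
}
# Usage: make_openvpn_pki ./keys vpn.example.test
#        write_server_conf ./keys/server.conf dh2048.pem && check_tls_files ./keys/server.conf
```

The check reports a config that points at a dh1024.pem which was never generated, which is exactly the "Cannot open ... for DH parameters" exit shown earlier in the thread.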