Packt Publishing OpenVPN 2 Cookbook Review

OpenVPN 2 Cookbook

100 simple and incredibly effective recipes for harnessing the power of the OpenVPN 2 network
By Jan Just Keijser

OpenVPN 2 Cookbook

Introduction

I was approached by Packt Publishing representative, asking if I would be willing to make a review of this book. This was interesting because at that moment I was reading pfSense 2.0 Cookbook from the same publishing company. I was generously provided with the book, and here we are a month later.

The OpenVPN 2 Cookbook main subject is the use of OpenVPN in different scenarios. Its aim is to help you along the way of implementing an OpenVPN solution. For more detail description take a look at the detailed description Here.

My experience with OpenVPN is based on three years of different deployments. You can find more details at the bottom of this post.

What’s the book about?

The book is an in depth examination of OpenVPN and how to use is in your every work. If you are in a hurry you can find a quick fix in the huge amount of recipes, or read it from cover to cover and get extensive knowledge of OpenVPN, its capabilities and different usage scenarios.

The book states that prior knowledge and experience of system administration, TCP/IP is required, also in OpenVPN installation. The examples in the book are made mostly on Linux based systems, so prior knowledge in the field is required too.  If you are fresh to field, probably first step is to take a look at Beginning OpenVPN 2.0.9 and then continue with this book.

As the cover states: Quick answers to common problems.

The book is structured in twelve chapters, and each chapter consists of about eight to ten sub topics that are called recipes. These recipes are like short How Tos for a particular case. The valuable thing is that throughout the chapter the recipes build on each other, starting from very basic configuration to more advanced ones. To get an impression you can take a look at the Table of Contents.

Every recipe has a How it works sections. They are extremely useful to understand what and how is happening behind the scenes. And that’s not all, after this section additional value is provided in the There’s more sections, where additional explanations and further developments are delivered.

Does it achieve its promises?

The first topic that really gets me going was 3-way routing in the first chapter. I was planning to implement this for small number of fixed endpoints which are less than four. For more you have to read further in the book.

The next this that surprise me pleasantly was the PKI, Certificates and OpenSSL chapter. It helped me better understand OpenSSL and give me better idea how to manage certificates. This topic continues in the next chapters about Two-factor Authentication. I was very surprised to see that even hardware tokens can be used to authenticate users.

In The Scripting and Plugins, there is a very important secret about scripts execution, which was not known to me, and definitely will help me in future.

The Troubleshooting sections can save you precious blood, sweat and tears especially with problems related to Routing. Those are the two chapters I appreciate the most because they provide you with analytical way to diagnose and eliminate problems in deployments. You can have a peek in the sample chapter here: Troubleshooting OpenVPN: Configurations

Logically after you have fixed all the problems a Performance Tuning is your next step.

The following two chapters are related to OS integrations and advanced configuration. They help me better understand how to better integrate OpenVPN with the unique environment of the client.

The last chapter is all about the new features in 2.2 version of OpenVPN. It is quite useful to have a well arranged section with new features that you might have not known existed up until now.

Conclusion

I really like reading this book, and the systematic knowledge that it provides. Whether you are a full time System Administrator or just a part time occupied with the IT in your company, or just wants to establish a secure connection to your home this book will definitely give you the needed advices how to get there.

Biography

My experience with OpenVPN is based on three years’ of deployments.  My first deployment was on OpenWRT where I had to use predominantly command line to configure it and Secure copy (SCP) for certificate transfer, then on DD-WRT where most of the work is done through the Web GUI, with exemption for more advanced configuration that have to be placed in start-up scripts. After that on I used Windows based systems as clients and servers, and lately as you can see from my blog I’m working with pfSense.

Building Site to Site Connection with OpenVPN on pfSense 2.0 RC1 with PKI

In the last post we’ve setup a Site To Site with Shared Key, now instead we will use internal Certificate Authority. Honestly speaking if I did not follow this guide, there was no routing between the two sites.
OpenVPN Site-to-Site PKI (SSL)

For reference here is the network diagram:

pfsense01 will be out OpenVPN server, and pfsense02 will be our OpenVPN client. Client and Server are just host on the two LANs behind routers.

On pfsense01 go to System > Cert Manager, On CAs leaf create new Certificate Authority.

Enter Descriptive Name, choose as a method Create an internal Certificate Authority, leave Key length and Lifetime to defaults.

Fill in the rest of the fields.

Then go to Certificates leaf, add new and create the server certificate.

Enter descriptive name, I’ve used the router host name, as a method choose Create an internal Certificate.

Verify that for Certificate authority the CA that we have created in the previous step is selected. Leave the rest of the fields to default, with exception of Common Name, here enter the host name of the server, in my case it was pfsense01.

Now go to System > User manager, create new user. For the sake of simplicity for username I’ve used the host name of the second router, pfsense02. Enter Password, for Full name I’ve used again the router name. Then tick the Click to create a user certificate.

For descriptive name use the host name of the router, this is the Common Name of the certificate and it is important to match.

Instead of creating new user, you can create new Certificate directly.

Go to Cert Manager, on the Certificate leaf add new. Again as Descriptive name and Common Name use the host name of the second router, in my case pfsense02.

Go to VPN > OpenVPN on the Server leaf, add new.

As Server Mode select Peer to Peer (SSL/TLS). As protocol UDP, Device Mode is TUN, Interface is WAN, leave the port to default 1194. Enter Description, Tick Enable authentication of TLS packets and Automatic generation a shared TLS authentication key.

As Peer Certificate Authority select the CA that we have created in the beginning. I did not have a Peer Certification Revocation List so leave it to None. Select the Server Certificate that we have created. For DH Parameters Length you can leave it to the default 1024 bits. Choose Encryption algorithm in my case BF-CBC (128-bit), take note of the algorithm we have to use the same on the client too.

As Tunnel Network choose one different from your LANs, in my case the default 10.0.8.0/24. Enter the Local Network, in my case 10.10.9.0/24. Enter the Remote Network in my case 10.10.10.0/24. Leave the rest to defaults.

Go to VPN > OpenVPN in Client Specific Overrides, and add new entry for the client.

For Common name enter the host name of the second router that we have used as common name in the certificate, in my case pfsense02. Enter some description, and the Tunnel Network, in my case 10.0.8.0/24. Leave the rest to default.

In the Advanced form, enter

iroute 10.10.10.0 255.255.255.0

Without this step there will be no routing between the two LANs.

Got to Firewall >Rules and on the OpenVPN leaf, add new rule.

Here for testing purposes I’ve made allow all rule. Select any as Protocol, leave the rest to default and enter description.

For the client to be able to connect, let’s open the OpenVPN Server port.

In Firewall > Rules on the WAN leaf, add new rule. Select UDP as Protocol.

As Destination port Range in our case select OpenVPN.

Now it is time to export certificate for use on the second router.

Go back to System > Cert manager export public and private CA certs, click on the first downward pointing triangle. As a guide, when you hoover over it the text label is Export CA.

Then go to User Manager, enter the configuration of our user pfsense02, in the User Certificates section click on both downward pointing triangles to download both cert and key.

 

Now on pfSense02, go to System > Cert Manager on CAs leaf, add new one.

And as Method select Import an existing Certificate Authority. Enter as Descriptive name the name of the certificate from the first server, in my case pfsense01.

You have to have opened the certificate with notepad, or another text editor. Then simply copy / paste the content of the file.

Now on the Certificate leaf do the same but paste and the content of the  *.key in Private key data. Again enter Descriptive name as the one from the first router.

Go to VPN > OpenVPN in Client leaf and add new

As Server Mode select Peer to Peer (SSL/TLS), Protocol is UDP, Device mode is TUN, and Interface is WAN. For Server host or address enter the WAN IP of pfsense01, in my case 10.10.2.2 and enter the port. Put some Description.

Open the Server configuration (VPN > OpenVPN > Server leaf) on pfsense01, copy the TLS Authentication.

Paste it in the TLS Authentication form on our client configuration on pfsense02. Unpick Automatically generate a shared TLS authentication key and leave Enable authentication of TLS packets.

Use the same Tunnel Network as on the server, in my case 10.0.8.0/24. Enter Remote Network, this is the network behind pfsense01, for this case 10.10.9.0/24.

Add Allow All rule in Firewall > Rules on the OpenVPN leaf.

Now go to Status > OpenVPN and you should see that the connection is established.

From the Server prospective, again on Status > OpenVPN.

Now you should be able to access hosts from the other network successfully.

 


Building Site to Site Connection with OpenVPN on pfSense 2.0 RC1 with Shared Key

 

Sooner or later you will have two or more geographically distant LAN that you want to connect together. Whether we are speaking about to branch offices or home and office, or simply your office LAN and some co located servers in a data center, it is only a matter of time before you need such solution.

In this case we will use two pfSense 2.0 RC1, one in each remote location.

The map shows our lab setup for the purpose.

In this post we will use Shared Key as a way to authenticate the two routers.

On pfSense01, this machine will play the role of server in this scenario.

Go to VPN > OpenVPN, on the Server leaf, add new one

As Server Mode choose Peer to Peer (Shared key)

Protocol, Device Mode, Interface, Local port – you can leaf the default for now.

Description – Enter whatever is informative for you.

Encryption algorithm, choose one by your preference, keep in mind that different algorithms have different load on the server. I use BF-CBC (128-bit)

 

Choose different from both of your LAN subnets for Tunnel Network, in our case 10.0.8.0/24.

Local Network – The LAN behind the pfSense01, in this example 10.10.9.0/24.

Remote Network – this is the LAN behind the pfSense02, as on the diagram 10.10.10.0/24.

Click on Save button and we are Done.

Open the newly configured server and copy the Shared Key. We will need it for the setup of pfSense02.

Go to Firewall > Rules, on the WAN leaf, add new rule

The Action is Pass, Select WAN as Interface, UDP as Protocol.

For Destination port range, select OpenVPN in our case it is 1194, if you have used some other port in the configuration enter it here. Enter some description also.

Go to the OpenVPN leaf. Here I have made a very basic Allow All rule. If you have some security concerns, or want to limit the communication between the two sites, make one or more rules to fit your need.

 

pfSense02 will play the role of client.

Go to VPN > OpenVPN, on the Client leaf, add new one

As Server Mode choose Peer to Peer (Shared key)

Protocol, match the one from the server in our case UDP, Device mode – tun, Interface is WAN, Local port, leave empty for random, or enter manually one if you want.

Server host or address, enter the WAN IP address on the first router pfSense01, in our case 10.10.2.2. Server port, whatever port you have used on the server, in our case the default 1194.

Enter Description. For Shared Key, paste the one from the pfSense01 here. Encryption algorithm, duplicate the one from the first configuration, in our case BF-CBC (128-bit).

Tunnel Network, duplicate the one from the server. Remote Network is the LAN network behind the pfSense01, for our example 10.10.9.0/24.

Leave the rest to default, and Save the configuration.

Again add a rule on the OpenVPN leaf in the Firewall > Rules section to allow traffic flow between the two sites. Here again I’ve setup a rule that Allow All traffic between the two sites.

Now go to Status > OpenVPN. You should see that Status equals UP.

Now you should be able to successfully communicate with hosts from the other network.


Running DD-WRT on VMware Workstation 7.1

Now that’s a tricky one.  The only official build that could be found is here

But it was published in the middle of 2008.  It is a pure v24, no Service Packs, this by itself makes it useless.

Guide for installing newer version is not available.

After searching the forums, the only usable thread that I found is this: VMware ready to use ..

Here stalonge share a pre-installed virtual machine ready to use.

My recommendation is to Restore it to Factory Default, and configure it to your preference.

Install pfSense 2.0 RC1 on VMWare Workstation 7

On this video you can see the step by step guide of how to install pfSense 2.0 RC1 on VM Ware Workstation 7.1.

Download the ISO file from Here.

Configure the Virtual Machine and mount the ISO file.

Go over the Setup, and configure the interfaces.

As option you can enable SSH access.

This is the first part of the network laboratory setup.

Have fun, and I hope you enjoy the video.


My Network Laboratory

The easiest way to learn is by practice. This is especially true in IT. I have to lab out the migration from pfSense 1.2.3 to 2.0 RC1. Furthermore I have a site-to-site VPN setup that must be tested too.

I decided to expand my laboratory setup to house not just the two versions of pfSense, but DD-WRT and OpenWrt also. This will give me a opportunity to expand my test with alternatives. That is not enough, so let’s add two of each as virtual machines. Now we need a router in the middle to move the traffic between different subnets. Using any of the above will be redundant, so after browsing the VMware market for router appliance, as first option came Untangle, but I have already played around with it, and it is not appropriate for my purposes. As reasonable alternative is Vyatta. I had no experience with this appliance, and decide to check it out.

My finale network diagram looks like this:


The Console and Client are a simple Windows XP workstation from which to manage all the routers remotely by SSH and Web Interface.

As you can imagine if all the routers WAN addresses were in one sub-net, the Vyatta would be unnecessary, but my decision was based on the need to be able to test load balancing, fail over, and other scenarios in future.

In the following post I will discuss in details the configuration of each type of route. As a brief impression from the installation and configuration starting from the easiest to setup and going to the hardest ones.

PfSense have a Live CD, and is a breeze to install and configure on x86 virtual machine.

Then is the Vyatta, also available on Live CD that can be installed on virtual machine. For the configuration I have used the shell, only later to discover that there is a web interface that is somewhat helpful.

DD-WRT is hard to get on x86 virtual machine. I have opt out to find ready-made virtual machine and only to restore it to default configuration, and then to configure it to my preferences.

OpenWrt is even harder. On the forums the recommended way is to compile it for this architecture, and then install it. There is a wonderful tutorial here how to set it up on virtual box, but it does not work on VMware workstation. My guess is if you reconfigure the hard disk portions it will work. But yet again, my decision was to use ready-made virtual machine with the latest version, and configure it to my likings.

 


The easiest way to learn is by practice. This is especially true in IT. So now I have to lab out the migration from pfSense 1.2.3 to 2.0 RC1. Furthermore I have a site-to-site VPN setup that must be tested too.

I decided to expand my laboratory setup to house not just the two versions of pfSense, but DD-WRT and OpenWrt also. That is not enough, so let’s add two of each as virtual machines. Now we need a router in the middle to move the traffic between different subnets. Using any of the above will be redundant, so after browsing the VMware market for router appliance, as first option came Untangle, but I have already played around with it, and it is not appropriate for my purposes. As alternative to Untangle, Vyatta pop up from the result. I had no experience with this appliance, and decide to check it out.

My finale network diagram is like this:

The console and Client are a simple Windows XP workstation from which to manage all the routers remotely by SSH and Web Interface.

As you can imagine if all the routers WAN addresses were in one subnet, the Vyatta would be unnecessary, but my decision was based on the need to be able to test load balancing, failover, and other scenarios in future.

In the following post I will discuss in details the configuration of each type of route. Now let’s go from the fore a brief impression from the installation and configuration starting from the easiest to setup and going to the hardest ones.

PfSense have a live cd, and is a breeze to install and configure on x86 virtual machine. The only interesting this here is how to publish the web interface and the SSH on the WAN.

Then is the Vyatta, also available on live cd that can be installed on virtual machine. For the configuration I have used the shell, only later to discover that there is a web interface that is somewhat helpful.

DD-WRT is hard to get on x86 virtual machine. I have opt out to find ready-made virtual machine and only to restore it to default configuration, and then to configure it to my preferences.

The easiest way to learn is by practice. This is especially true in IT. I have to lab out the migration from pfSense 1.2.3 to 2.0 RC1. Furthermore I have a site-to-site VPN setup that must be tested too.

I decided to expand my laboratory setup to house not just the two versions of pfSense, but DD-WRT and OpenWrt also. This will give me a opportunity to expand my test with alternatives. That is not enough, so let’s add two of each as virtual machines. Now we need a router in the middle to move the traffic between different subnets. Using any of the above will be redundant, so after browsing the VMware market for router appliance, as first option came Untangle, but I have already played around with it, and it is not appropriate for my purposes. As reasonable alternative is Vyatta. I had no experience with this appliance, and decide to check it out.

My finale network diagram looks like this:

The Console and Client are a simple Windows XP workstation from which to manage all the routers remotely by SSH and Web Interface.

As you can imagine if all the routers WAN addresses were in one subnet, the Vyatta would be unnecessary, but my decision was based on the need to be able to test load balancing, failover, and other scenarios in future.

In the following post I will discuss in details the configuration of each type of route. As a brief impression from the installation and configuration starting from the easiest to setup and going to the hardest ones.

PfSense have a live cd, and is a breeze to install and configure on x86 virtual machine.

Then is the Vyatta, also available on live cd that can be installed on virtual machine. For the configuration I have used the shell, only later to discover that there is a web interface that is somewhat helpful.

DD-WRT is hard to get on x86 virtual machine. I have opt out to find ready-made virtual machine and only to restore it to default configuration, and then to configure it to my preferences.

OpenWrt is even harder. On the forums the recommended way is to compile it for this architecture, and then install it. There is a wonderful tutorial here how to set it up on virtual box, but it does not work on VMware workstation. My guess is if you reconfigure the hard disk portions it will work. But yet again, my decision was to use ready-made virtual machine with the latest version, and configure it to my likings.

OpenWrt is even harder. On the forums the recommended way is to compile it for this architecture, and then install it. There is a wonderful tutorial here how to set it up on virtual box, but it does not work on VMware workstation. My guess is if you reconfigure the hard disk portions it will work. But yet again, my decision was to use ready-made virtual machine with the latest version, and configure it to my likings.


pfSense 1.2.3 as Virtual Machine on Windows Server 2008 R2 Hyper-V

After seeing pfSense working more than half year flawlessly on Alix, recently I’ve test it as virtual machine.

To avoid some compatibility issues a “Legacy Network Adapters” must be used.

For my surprise even with that trick, there was no network connectivity. The work around for this problem is explained in this thread: Pfsense 2.0-BETA4 in Hyper-V: Throughput not as expected

Open shell from the console, create new document

vi /usr/local/etc/rc.d/startup.sh

and type in

ifconfig de1 down
ifconfig de0 down
ifconfig de0 up
ifconfig de1 up

Just check before that the names of your interfaces, mine were de0,1.

For now it is stable, no issues, with very basic configuration. On the forums there are topics about possible problems with VLANs, but I didn’t need this functionality.


File Sharing Protocols and Ports in XP and 2003

After digging around for open ports I have found TCP port 445 open on one of my machines. For what this port is used? The answer was here:
What’s TCP port 445 used for in Windows 2000/XP?

“Among the new ports used by Windows 2000, Windows XP and Windows Server 2003, is TCP port 445 which is used for SMB over TCP.
The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Then found this article:
How can I configure TCP/IP networking while NetBIOS is disabled in Windows 2000/XP/2003?

Perfect! Petri IT Knowledgebase

If you are interested in the topic references are very good source of information.