Project V4: Vyatta OpenVPN Tunnel (10 pts.)

What You Need

Purpose

This VPN is important as a way to make a secure point-to-point connection through an untrusted network, and also through NAT.

Its final purpose here is to bring in IPv6 from a Hurricane Tunnel to client machines behind NAT. But for this project, the only goal is to get an OpenVPN server and client working, using IPv4.

Making RSA Certificates

On your Vyatta OpenVPN Server, execute these commands (note: the "$USER" in the last command is an environment variable, and should be typed literally as shown):
sudo mkdir /etc/openvpn/easy-rsa/

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

sudo chown -R $USER /etc/openvpn/easy-rsa/
On your Vyatta OpenVPN Server, execute this command:
sudo nano /etc/openvpn/easy-rsa/vars
Scroll to the bottom of the file. Here the location preferences are set. You can adjust them if you want, but the defaults are OK, as shown below:

Close the file with Ctrl+X.

Creating Server Certificates

On your Vyatta OpenVPN Server, execute these commands:
cd /etc/openvpn/easy-rsa

sudo ln -s openssl-1.0.0.cnf openssl.cnf

source vars

./clean-all

./build-ca
You are now prompted for Country Name and other such details. I just pressed Enter several times to accept the defaults.

On your Vyatta OpenVPN Server, execute this command:

./build-key-server myservername
You are now prompted for Country Name and other such details. I just pressed Enter several times to accept the defaults. The last two questions, "Sign the certificate? [y/n]:" and "1 out of 1 certificate requests certified, commit? [y/n]", require an answer of y.

On your Vyatta OpenVPN Server, execute these commands:

./build-dh

cd keys

sudo cp myservername.crt myservername.key ca.crt dh1024.pem /config/auth

Creating Client Certificates

You need to create certificates for each client machine.

On your Vyatta OpenVPN Server, execute these commands:

cd /etc/openvpn/easy-rsa/

source vars

./build-key client1
You are now prompted for Country Name and other such details. I just pressed Enter several times to accept the defaults. The last two questions, "Sign the certificate? [y/n]:" and "1 out of 1 certificate requests certified, commit? [y/n]", require an answer of y.
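Before the certificates and keys are copied into /config/auth, it is worth confirming that what easy-rsa produced is consistent: each certificate must chain to ca.crt, each private key must belong to its certificate, and the key files should be readable only by their owner. The script below is an added example, not part of the project handout: check_pair performs those three checks on a name/directory pair using the myservername, client1 and ca.crt names from the handout, and make_demo_pki builds a throwaway CA, server and client certificate with plain openssl as constructed test data standing in for the easy-rsa output (which easy-rsa 2.0 writes to /etc/openvpn/easy-rsa/keys).

```shell
#!/bin/sh
# Added example (not from the project handout): sanity-check an easy-rsa
# certificate/key pair before copying it into /config/auth.
# Works on the files easy-rsa 2.0 writes to /etc/openvpn/easy-rsa/keys.

# make_demo_pki DIR: constructed test data, a throwaway CA plus signed
# "myservername" and "client1" certificates, so the checks run offline.
make_demo_pki() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in myservername client1; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/$name.crt" 2>/dev/null
  done
  chmod 600 "$dir"/*.key
}

# check_pair DIR NAME: returns 0 when DIR/NAME.crt is signed by DIR/ca.crt,
# DIR/NAME.key is the matching private key, and the key is owner-readable
# only. Returns 1 (bad chain), 2 (key mismatch) or 3 (loose permissions).
check_pair() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  # Compare the public key embedded in the cert with the one derived from
  # the private key; easy-rsa 2.0 generates RSA keys, hence "openssl rsa".
  cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl rsa -in "$dir/$name.key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2
  perms=$(stat -c %a "$dir/$name.key" 2>/dev/null || stat -f %Lp "$dir/$name.key")
  case "$perms" in 600|400) return 0 ;; *) return 3 ;; esac
}

# Stand-alone demo: build the throwaway PKI in a temp dir and check both pairs.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_demo_pki "$tmp"
  for n in myservername client1; do
    check_pair "$tmp" "$n" && echo "$n: OK" || echo "$n: FAIL (code $?)"
  done
  rm -rf "$tmp"
fi
```

On the Vyatta server itself, `check_pair /etc/openvpn/easy-rsa/keys client1` checks the real files; a non-zero return code tells you which of the three checks failed.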

Server Configuration

On your Vyatta OpenVPN Server, execute these commands:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

sudo gzip -d /etc/openvpn/server.conf.gz

sudo nano /etc/openvpn/server.conf
Scroll down to find the section with these lines:
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
In the first line, change "ca.crt" to "/config/auth/ca.crt"

In the second line, change "server.crt" to "/config/auth/myservername.crt"

In the third line, change "server.key" to "/config/auth/myservername.key"

Seven lines lower, change "dh1024.pem" to "/config/auth/dh1024.pem" as shown below:

Save the file with Ctrl+X, Y, Enter.

Configuring the OpenVPN Server

On your Vyatta OpenVPN Server, execute these commands:
cd

configure

set interfaces openvpn vtun2

set interfaces openvpn vtun2 mode server

set interfaces openvpn vtun2 server subnet 10.8.0.0/24

set interfaces openvpn vtun2 tls ca-cert-file /config/auth/ca.crt

set interfaces openvpn vtun2 tls cert-file /config/auth/myservername.crt

set interfaces openvpn vtun2 tls dh-file /config/auth/dh1024.pem

set interfaces openvpn vtun2 tls key-file /config/auth/myservername.key

commit

Starting the Server

On your Vyatta OpenVPN Server, execute these commands:
exit

show interfaces
You should see a vtun2 interface, as shown below:

Troubleshooting

If you have problems, you can find detailed messages about openvpn's actions with this command, which works on both the server and client:
tail -f /var/log/messages
If you have an openvpn process stuck, and you need to terminate it, try this command first:
/etc/init.d/openvpn stop
If that fails, execute this command:
ps aux | grep openvpn
Find the process ID of the openvpn process, and kill it with this command, replacing 1234 with the process ID you found:
sudo kill 1234

Opening Firewall Port UDP 1194

If you are using a firewall, open port UDP 1194 on your Vyatta OpenVPN Server.

If you are using AWS, use the steps below.

In the AWS management console, click EC2.

On the left side, click "Security Groups".

In the top pane, select the Security Group that your Ubuntu machine is using.

Add this rule:

Click the "Apply Rule Changes" button.

Downloading the Client Files

On your local computer (PC or Mac), use a secure file transfer client that runs over SSH, such as SSH Secure File Transfer on the PC or Transmit on the Mac.

Connect to your Vyatta OpenVPN Server.

Use SSH to download these three files to your local machine:

The download screen on my Mac looks like this:

Uploading the Files to the Vyatta OpenVPN Client

On your local computer (PC or Mac), use a secure file transfer client that runs over SSH, such as SSH Secure File Transfer on the PC or Transmit on the Mac.

Connect to your Vyatta OpenVPN Client, using the username vyatta and the password vyatta.

Use SSH to upload these three files to your Vyatta OpenVPN Client's /tmp directory:

The upload screen on my Mac looks like this:

The files are now on the Vyatta OpenVPN Client, but they are not in the correct directory.

To fix that, on your Vyatta OpenVPN Client, execute these commands:

sudo cp /tmp/client1.* /config/auth

sudo cp /tmp/ca.crt /config/auth

ls /config/auth
You should see all three files, as shown below:

Configuring OpenVPN on the Client

On your Vyatta OpenVPN Client, execute these commands:
cd /etc/openvpn

sudo wget http://samsclass.info/ipv6/vyatta-openvpn/client.conf

sudo nano /etc/openvpn/client.conf
Replace the IP address in the fourth line with the IP address of your Vyatta OpenVPN Server, as shown below:

Save the file with Ctrl+X, Y, Enter.

Configure the Vyatta OpenVPN Client

On your Vyatta OpenVPN Client, execute these commands:
cd

configure

set interfaces openvpn vtun2 remote-host 54.242.11.181

set interfaces openvpn vtun2 mode client

set interfaces openvpn vtun2 tls ca-cert-file /config/auth/ca.crt

set interfaces openvpn vtun2 tls cert-file /config/auth/client1.crt

set interfaces openvpn vtun2 tls key-file /config/auth/client1.key

commit

save

exit

sudo /etc/init.d/openvpn restart

show interfaces
You now have a new adapter named "vtun2" that connects the client and server machines, with an address starting with 10.8.0, as shown below:

On the Vyatta OpenVPN Client machine, execute this command:

ping 10.8.0.1
You should see replies, as shown below. Press Ctrl+C to stop the pings.

Observing a Connected Client

On your Vyatta OpenVPN Server, execute this command:
sudo cat /etc/openvpn/openvpn-status.log
You should see a connection to "Client1", as shown below:
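Once more than one client is connected, reading the raw status file gets tedious, and a monitoring script needs a yes/no answer rather than a screen to look at. The script below is an added example, not part of the project handout: list_clients joins the CLIENT LIST and ROUTING TABLE sections of openvpn-status.log (the default status-version 1 layout that OpenVPN writes) to show each client's certificate name, tunnel address and real address, and is_connected turns that into an exit code. write_sample_status creates a constructed sample file in that layout so the functions can be exercised without a live server.

```shell
# Added example (not from the project handout): parse the server's
# /etc/openvpn/openvpn-status.log (default status-version 1 layout) and
# report each connected client's certificate name and tunnel address.

# list_clients FILE: prints "<common name> <virtual address> <real address>"
# per client, joining the CLIENT LIST and ROUTING TABLE sections.
list_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
    /^ROUTING TABLE/       { sect = "routes";  next }
    /^GLOBAL STATS/        { sect = "";        next }
    sect == "clients" && NF == 5 && $1 != "Common Name"     { real[$1] = $2 }
    sect == "routes"  && NF == 4 && $1 != "Virtual Address" { vip[$2] = $1 }
    END {
      for (cn in real) {
        v = (cn in vip) ? vip[cn] : "-"
        printf "%s %s %s\n", cn, v, real[cn]
      }
    }' "$1"
}

# is_connected FILE CN: exit 0 if a client with certificate common name CN
# is listed, 1 otherwise (usable from a monitoring script).
is_connected() {
  list_clients "$1" | awk -v cn="$2" '$1 == cn { found = 1 } END { exit !found }'
}

# write_sample_status FILE: constructed sample in the layout OpenVPN writes,
# so the functions can be exercised without a live server.
write_sample_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Oct 22 18:30:01 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.45:54321,5180,5334,Mon Oct 22 18:28:40 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.45:54321,Mon Oct 22 18:29:55 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# With a path argument read that file (e.g. sudo sh status.sh
# /etc/openvpn/openvpn-status.log); with none, run against the sample.
if [ -n "${1:-}" ]; then list_clients "$1"; else
  f=$(mktemp); write_sample_status "$f"; list_clients "$f"; rm -f "$f"
fi
```

OpenVPN rewrites this file on the interval given to its status directive (60 seconds by default), so a client that has just connected can take up to a minute to appear.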

Saving the Screen Image

Make sure the "Client1" message is visible.

Save a screen shot of this image with the filename

Proj V4 from Your Name

Turning In your Project

Email the image to cnit.60@gmail.com with a subject line of
Proj V4 from Your Name

Last modified 6:30 pm 10-22-12