vpn howto

[tech]

posted by tom / March 06, 2005 /

And an added bonus: both OpenVPN and VNC work on Windows, Linux and Mac OS's. I'll be covering an all-Windows installation, but the differences will be minimal -- just consult the documentation for how to do the installations. The configuration should be mostly identical. Oh, and I'll be assuming you're behind a router -- if you aren't, everything's different. But come on, they only cost twenty bucks or so, and they'll improve your security. Seriously, just go buy a router.

Okay. So what's a VPN, and why do we need one? Well, the acronym stands for Virtual Private Network, and it's essentially a secure way to be a part of a LAN by remote. All network traffic bound for the VPN is encrypted, shoved down a tunnel (usually on a single port), decompressed at the other end and dished out to its intended destination. In OpenVPN's case, this is all accomplished by the creation of an SSL key, and the installation of a virtual ethernet adapter. The key is a text file containing a 2048-bit collection of random characters -- that's 16 times stronger encryption than what's commonly used on the internet for electronic commerce. Every computer on the VPN needs to have a copy of the key file (which, for maximum security, should be copied around via a secure medium like a CDROM or thumb drive). The virtual adapter is just what it sounds like -- an ethernet connection that only exists in software. Traffic sent to it is captured by the VPN software, encrypted and sent out over the internet to the VPN server. This makes it very easy to know which traffic from your computer is going out to the VPN. And unlike IPSec VPNs, it lets you continue to use your regular internet connection for traffic that doesn't need to be secured.

So let's install OpenVPN. The documentation on this product is a bit dense -- it's a very powerful application that can do a lot of different things. We'll just do a simple setup, one that should work for most people. The sole caveat is that OS X, OpenBSD and Solaris can't use virtual adapters; instead, they need to use "tunneling mode". Email me or consult the docs for help on that -- the config files I'm providing won't work for you.

You can download the software here -- you'll want the Windows installer, and you'll need to get and run it on both the client and server. During the installation process you'll get a warning. This is a notice that the virtual adapter driver isn't approved by Microsoft -- ie, OpenVPN's authors won't pay for Microsoft's testing program. Don't worry about it. Just click okay.

Once the installation is complete, on one of the machines (it doesn't matter which) go to Start | Program Files | OpenVPN and select "Generate a Static OpenVPN Key". This'll create the key file -- key.txt -- in c:\program files\openVPN. This is the key file you'll need to copy to all the other machines participating in the VPN.

Alright, just a couple more things. You've got the key file, but you'll need a configuration file as well. Here's a sample server configuration file, and here's one for the client. These files go into c:\program files\openVPN\config -- one per machine, server.ovpn to the server and client.ovpn to the client. Only one change is necessary -- open up the client file in a text editor, and find the entry that says "remote xxx.xxx.xxx.xxx". Those x's need to be replaced with the VPN server's IP address.

This opens up a new can of worms, though. Every machine behind your router uses the same IP address, so you can go to BroadbandReports from a web browser on any one of them and click on "Your IP Address" to find out what it is. The problem is that this IP address might change from time to time. You might be able to get by with hardcoding that value into client.ovpn and changing it from time to time. But whenever it changes you won't be able to reconnect. What to do?

Simple: use a dynamic DNS service. Go to dyndns.org and create an account. Yes, this is free, too. You register a unique string -- in my case, it might've been "mom" -- and download a piece of software that periodically reports your public IP to dyndns's servers. The folks at dyndns have documentation on all of this -- if you get confused, have a look there, but it's fairly straightforward. Once you've got the update client running, yourstring.dyndns.org will point to the public address of the machine running the update client. I can therefore go into my client.ovpn and change the "remote xxx.xxx.xxx.xxx" line to read "remote mom.dyndns.org" and be confident that it'll always be able to find her.

Or, more accurately, I'll always be able to find her router. But once I contact the router, how is it supposed to know where to send the traffic? If she's got multiple computers running behind the router, how will it know which one is running the OpenVPN server?

This is the essential problem with a process performed by your router called NAT -- Network Address Translation. NAT lets outgoing connections be shared -- the router just keeps track of which local computer is trying to talk to which remote computer, and routes traffic accordingly. But what about unsolicited traffic coming from the internet? Where should that go? There's no easy answer to this. In cases like my mom's, this is usually an asset: inbound network traffic is frequently coming from Bad People trying to do Bad Things. If her router defaults to throwing away inbound traffic, so much the better.

But that won't work in this case. We need to be able to get our inbound OpenVPN traffic to a particular computer on the LAN. Almost all consumer routers will let us do this, but we've got to be careful -- we don't want to expose that computer to all the evils of the internet. Instead, we'll open up a single port. For an exhausting if not exhaustive overview of ports, see here or here. For purposes of this setup, you just need to know that whenever traffic arrives on a particular port -- in this case, 1194 -- it'll be forwarded to the local IP of our server.

But first we've got to make sure we know what that IP is. By default, routers dish out local addresses through a protocol called DHCP. DHCP makes address assignment easy, but unpredictable -- if a computer goes offline for a while, the router will reclaim the IP and hand it out to the next machine that asks for an address. That won't work for us -- we need a fixed IP on the LAN. So take a look at what DHCP is serving you -- on your OpenVPN server, go to "start | run", type "cmd" (or "command" on win98/me machines), then type "ipconfig". It should spit out a bunch of pieces of information, among them your IP address. What are the first three bytes of your IP? Probably 192.168.0, 192.168.1, 192.168.2 or 10.1.1. Whatever it is, remember it -- I'll assume it's 192.168.2 for this example. Okay, now look at the last byte -- the one occurring after 192.168.2. Is it between 2-99, or 100-200? Generally consumer routers use one of these two pools of addresses for DHCP -- the other is available for fixed addresses. Pick out an address in the middle of the fixed range -- say, 192.168.2.50, or 192.168.2.150. Make sure it's not in use by typing "ping 192.168.2.50" (or whatever) from the command prompt where you entered "ipconfig". If you get a bunch of "Destination unreachable" messages, you're ready to go. If you get replies, pick a different number until you don't.

To set up the static IP, go to "start | settings | network and dialup connections" and find your ethernet adapter -- it'll generally be called "Local Area Connection". Right click and go to "properties" -- you'll see a list of protocols. Select "TCP/IP" and click "properties" again. Here we go. Switch "Obtain an IP address automatically" to "Use the following IP address" and enter the IP you unsuccessfully pinged a second ago. Put in the subnet mask and default gateway that you got from the "ipconfig" command earlier. You'll also need to specify a DNS server -- just using the IP of your default gateway should work fine.

Confirm that your internet connection is still working alright. Yes? Rockin'. Congratulations, you're now on a static IP. Now we just need to configure your router to recognize incoming traffic. The exact procedure will vary depending on your brand of router, but usually it'll be accomplished through a web interface. Type http://192.168.2.1 into your web browser -- substituting, as necessary, 10.1.1 (or whatever else) for 192.168.2 -- and log in (you did change your default password, didn't you?). On my router, the setting we need is under "NAT > Virtual Server". Generally you enter the port and the private IP -- the port's 1194, and the private IP is whatever you just set your server's IP to be. If there's an "enabled" option, make sure it's checked, and if the dialog lets you specify the protocol type, choose UDP. Save everything and exit.

Okay! OpenVPN should be ready to go. On the server machine, browse to c:\program files\openVPN\config, right click on "server.ovpn" and select "Start OpenVPN on this config file". Then do the same thing with the client (except with "client.ovpn"). If all goes well you ought to see a DOS window, and on the client it ought to say "Initialization Sequence Completed". Hurrah -- VPN connectionward, ho! The server is 10.3.0.1, and the client is 10.3.0.2. If you need to add more than one client, you'll need to adapt the client file by giving each machine a unique VPN IP address -- look for the "ifconfig" line.

Only one thing -- it'd be nice if the server started up OpenVPN automatically, and did it without opening ugly DOS windows. This is easy to do, thanks to the OpenVPN service: when your computer starts up, it'll automatically run every .ovpn file in c:\program files\openVPN\config silently in the background. Make sure server.ovpn is the only such file in the directory. Then go to "Start | Settings | Control Panel | Administrative Tools | Services". Find "OpenVPN Service", right click and go to properties. Set startup type to "Automatic", click "Start" and then exit everything.

Alright, so you've got a working VPN connection -- let's do something with it. Let's set up VNC.

First, go download VNC. You don't need to fill out the form at that URL -- just hit the button. The server needs to have the version of VNC with the Server and Client installed -- the client can just have the client version downloaded. Simple enough. Install both, keeping all of the default options. Just make sure that the server is configured to start automatically with Windows. The options to accomplish this are pretty straightforward. You can add a password if you'd like, but VNC security isn't particularly impressive -- OpenVPN is already providing considerably stronger protection. Don't worry about a VNC password unless you don't trust the other users on your LAN (ie, the people who connect to the same router as you).

One reboot later, you should be able to connect to the server from your client by running VNC. When your OpenVPN connection is active, just start the VNC Viewer on the client and point it to 10.3.0.1. Presto -- you're staring at your other computer's screen. Neat, huh?

Well, I think so, anyway.