T-110.5102 Laboratory Works in Networking and Security (5-10 cr)

Lab B5: VPN


Material  

Description of the exercise

This assignment introduces you to the Virtual Private Network (VPN) concept. You will use OpenVPN to establish a VPN in practice by creating and examining a host-to-net VPN scenario (see the figure below). A roadwarrior host (RW) establishes a secure tunnel to a gateway (GW). Traffic can flow from the roadwarrior through the gateway to a client (C) and back. Hosts on the right-side local link cannot eavesdrop on or modify the traffic flowing inside the tunnel.

The goal of this assignment is to test communication between the client and the roadwarrior by successfully pinging and tracerouting each host in both directions. OpenVPN will be used in bridging mode to connect the RW to the local network of C and GW.

Figure 1. VPN configuration scenario

1. Initial Setup 

Install the openvpn package on GW and RW if it is not preinstalled. On GW, also install bridge-utils.

Set up the eth1 and/or (clarified 11/25/2012) eth2 interfaces of the client, the gateway and the roadwarrior hosts. The eth1 interfaces of C and RW must be in different subnets: think of the subnet shared by RW's eth1 and GW's eth2 as the Internet, through which you want to create the secure tunnel. The eth1 interfaces of C and GW then form a "LAN" subnet, and the RW wants to communicate with that LAN.

In this exercise, the eth0 interfaces are used only for SSH remote access; do not use them for any other traffic. Verify that you can ping the gateway from the other hosts, and that you cannot ping the roadwarrior from the client or vice versa. Write down the network configuration.

1.1  Present your network configuration. What IPs did you assign to the interfaces (4 interfaces in all) of each of the three hosts? 1 p

2. Setting up a PKI (Public Key Infrastructure) 

The first step in establishing an OpenVPN connection is to build the public key infrastructure (PKI). The official OpenVPN Howto has good step-by-step instructions for this.

You'll need to generate the master Certificate Authority (CA) certificate/key, the server certificate/key and a key for at least one client. You also have to generate the Diffie-Hellman parameters for the server. You can use the scripts provided by OpenVPN in /usr/share/doc/openvpn/examples/easy-rsa/2.0.

After you have generated all the necessary certificates and keys, copy the files the client needs (securely) to the roadwarrior (RW) host.
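The PKI steps above as one script, added here as an example and not taken from the course material or the OpenVPN HOWTO. It drives the easy-rsa 2.0 scripts from the directory named above and then copies the client-side files to RW; the client name "client1", the RW host name and the DRY_RUN switch (print the commands instead of running them) are assumptions of this example.

```shell
# Added example (not from the course material or the OpenVPN HOWTO): drives the
# easy-rsa 2.0 scripts and then copies only the client-side files to RW.
# Assumptions: the client certificate is named "client1", RW is reachable over
# SSH as $RW_HOST (placeholder), and DRY_RUN=1 prints commands instead of running them.
EASY_RSA="${EASY_RSA:-/usr/share/doc/openvpn/examples/easy-rsa/2.0}"
RW_HOST="${RW_HOST:-rw.lab.invalid}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# CA, server cert/key, one client cert/key and the DH parameters.
# Everything lands in $EASY_RSA/keys; "vars" must be sourced in this same shell.
build_pki() {
    run cd "$EASY_RSA" || return 1
    run . ./vars
    run ./clean-all                      # wipes keys/: run this only once
    run ./build-ca                       # ca.crt + ca.key (ca.key never leaves GW)
    run ./build-key-server server        # server.crt + server.key
    run ./build-key client1              # client1.crt + client1.key
    run ./build-dh                       # dh<KEY_SIZE>.pem, e.g. dh1024.pem
}

# RW needs the CA certificate plus its own certificate and private key; the
# CA key, server key and DH parameters stay on GW. scp keeps the transfer
# encrypted, which matters because client1.key is a private key.
copy_client_files() {
    run cd "$EASY_RSA/keys" || return 1
    run scp ca.crt client1.crt client1.key "$RW_HOST:/etc/openvpn/"
}
```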

2.1  What is the purpose of each of the generated files? Which ones are needed by the client? 2 p 
2.2 Is there a simpler authentication method available in OpenVPN? What are its benefits/drawbacks? 1 p

3. Bridging setup

Next you have to set up network bridging on the GW. We'll combine the eth1 interface of the gateway with a virtual TAP interface by bridging them together under an umbrella bridge interface.

OpenVPN provides scripts for this in /usr/share/doc/openvpn/examples/sample-scripts. Copy the bridge-start and bridge-stop scripts to a different folder for editing. Edit the parameters in the scripts to match GW's eth1. Start the bridge and check with ifconfig that the bridging was successful.

3.1  Show with ifconfig that you have created the new interfaces (virtual and bridge). What's the IP of the bridge interface? 1 p 
3.2 What is the difference between routing and bridging in VPN? What are the benefits/disadvantages of the two? When would you use routing and when bridging? 3 p

4. Configuring the server

On GW, copy /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz to, for example, /etc/openvpn and extract it. You have to edit server.conf to use bridged mode with the correct virtual interface. Also check that the keys and certificates point to the correct files. Set the server to listen for connections on GW's eth2 IP address.

Start the server on GW with openvpn server.conf.

4.1  List and give a short explanation of the commands you used in your server configuration. 2 p 
4.2 What IP address space did you allocate to the OpenVPN clients? 1 p
4.3 Where can you find the log messages of the server by default? How can you change this? 1 p

5. Configuring the client and testing connection

On RW, copy /usr/share/doc/openvpn/examples/sample-config-files/client.conf to, for example, /etc/openvpn. Edit client.conf to match the settings of the server. Remember to check that the certificates and keys point to the right folders.

Connect RW to the server on GW with openvpn client.conf.
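Sections 3 to 5 as one script, added here as an example and not part of the course material or of OpenVPN's own sample scripts and config files: it builds the GW bridge the way bridge-start does (tap0 and eth1 under br0) and then emits a matching server.conf and client.conf for bridged mode. All addresses are placeholders chosen for this example (GW's eth2 10.0.2.1 on the "Internet" side, LAN 192.168.1.0/24 with the bridge at 192.168.1.1, client pool 192.168.1.100 to .150), as are the key file names and the DRY_RUN switch.

```shell
# Added example, not part of the course material or OpenVPN's sample files.
# Placeholder addresses: GW eth2 = 10.0.2.1 ("Internet" side), LAN = 192.168.1.0/24
# with the bridge at 192.168.1.1, VPN clients get 192.168.1.100-150 from that LAN.
GW_WAN_IP="${GW_WAN_IP:-10.0.2.1}"
BR_IP="${BR_IP:-192.168.1.1}"; BR_MASK="${BR_MASK:-255.255.255.0}"
POOL_START="${POOL_START:-192.168.1.100}"; POOL_END="${POOL_END:-192.168.1.150}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# bridge-start equivalent: eth1 gives up its address and br0 carries it instead.
bridge_start() {
    run openvpn --mktun --dev tap0
    run brctl addbr br0
    run brctl addif br0 eth1
    run brctl addif br0 tap0
    run ifconfig tap0 0.0.0.0 promisc up
    run ifconfig eth1 0.0.0.0 promisc up
    run ifconfig br0 "$BR_IP" netmask "$BR_MASK" up
}

# Bridged mode: "dev tap0" (the device bridge_start created) and "server-bridge"
# in place of "server"; the pool must be a free slice of the LAN subnet.
server_conf() {
    cat <<EOF
local $GW_WAN_IP
port 1194
dev tap0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server-bridge $BR_IP $BR_MASK $POOL_START $POOL_END
cipher AES-256-CBC
EOF
}

# Client side: "dev tap" to match the server; the files are the ones copied to RW.
client_conf() {
    cat <<EOF
client
dev tap
remote $GW_WAN_IP 1194
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
EOF
}
```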

5.1  List and give a short explanation of the commands you used in your client configuration. 1 p 
5.2 Demonstrate that you can reach the client host from the RW. Set up a server on the client with netcat and connect to it with telnet/nc. Send messages in both directions. 2 p
5.3 Capture incoming/outgoing traffic on GW's eth2 or RW's eth1. Why can't you read the messages sent in 5.2 in plain text even if you comment out the cipher command in the config files? 2 p
5.4 Enable ciphering. Can you capture and read the messages sent in 5.2 on GW? 1 p

6. Finishing your work

When finishing your work, please remember to back up your related files from the lab computers to a safe place (e.g. your home directory in Niksula or the Computer Center). The course does not provide any backup service for the virtual machines. If you report problems regarding your machines to the course personnel, note that they may get completely reset, with all running configurations cleared.