
Fujitsu Global Cloud Platform Technical Guide

Page 1 of 13

Installing and Configuring OpenVPN

OpenVPN is a full-featured SSL/TLS VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls. Please see the following websites for more advanced details:
http://openvpn.net/index.php/open-source/documentation.html
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

Although OpenVPN provides both a) bridging (TAP) and b) routing (TUN) methods to link systems via a VPN, only routing should be configured within the GCP, as the changes required to configure a bridged network (binding the VM's network adapter into a bridge) may prevent you from accessing your VM remotely.

Prerequisites

OpenVPN Server
Within the Global Cloud Platform, either a dedicated or shared Windows 2003 or 2008 virtual machine is required on which to install the OpenVPN server software. OpenVPN can also be installed on a Linux VM, but this is out of scope for this guide. This server should be located in the DMZ network and have an associated Global IP address. Standard processes should be followed when creating a virtual machine for this purpose; this is also outside the scope of the guide.

OpenVPN Clients
One or more OpenVPN clients are required. This can be any Windows server or client from Windows 2000 Server/Professional onwards, with the latest service packs installed. If the client is to be hosted within the GCP (as part of a test exercise, for example), then it must also be placed in the DMZ zone of a separate vSYS. This is necessary because, out of the box, the GCP firewall cannot be configured to allow a direct connection from the Internet into the secure network LANs. Note: It may be possible to reach a client in a secure vLAN through custom routing, but this has not yet been investigated.

Networking
The OpenVPN server needs to be publicly reachable on UDP port 1194 (another UDP or TCP port can be used if required, but 1194 is the standard OpenVPN port). This requires a Global IP address to be added and NAT'd to the internal IP address of the VPN server, and the firewall opened accordingly. Open only this one port: the VPN server sits in the DMZ with an Internet-facing address, so the firewall rule added below should be limited to UDP 1194 towards the server's address. For information: up to 10 Global IP addresses can be added to a vSYS and NAT'd accordingly. See below:
Adding an (additional) Global IP Address

Figure 1 - Example vSYS showing existing configuration

Fujitsu Global Cloud Platform Installing and Configuring OpenVPN

The following guide provides a short introduction to OpenVPN, allowing you to install and configure it within a Microsoft Windows virtual machine in the Global Cloud Platform.


1. Open System Manager, locate and double click the required vSYS.
2. Within the resulting System Details menu, click the 'Reconfigure' button.
3. Click to highlight the 'Firewall' graphic, then click 'Add IP Address' and click 'Next'.
4. Review the order, then click 'Next' to confirm the details.
5. Review the terms and conditions, tick the 'I agree to the Terms of Service' box and click the 'Final Confirmation' button to the right of the screen.
6. Click the 'Open System Manager' button to return to the previous System Details screen.

Figure 2 - Example vSYS showing the addition of a further Global IP Address

7. The recently added Global IP address will be created as disabled (and will be last in the list if others exist). Click 'Enable', 'Yes' and 'Ok' to make it active.

8. Click the refresh icon (anticlockwise arrows); after several minutes the 'Enable' button will turn white when the process is complete, as shown above.

Configuring NATing
1. Within the 'System Details' screen, click the 'NAT settings' button.
2. Within the drop-down box for the recently added Global IP address, select the <OPENVPN> server, and confirm that all previously configured NATing is still correct.

Figure 3 - Example screen showing the configuration of NATing rules

3. Click 'Ok', then 'Yes' to confirm and implement the change, and 'Ok' when the change is complete.

Configuring Firewall Rules
1. Within the 'System Details' screen, click the 'FW Settings' button.
2. Add a rule for UDP communication from the Internet to the DMZ network as below, substituting the Target Service IP address for that of your VPN server. Restrict the rule to destination port 1194 (or whichever port you chose in the Networking section); do not open the server to all ports.


Figure 4 - Example Firewall Configuration Settings for OpenVPN

3. Click 'Ok', 'Confirm' and 'Yes' to implement the change.
4. Click 'Ok' and 'Cancel' to close the firewall configuration windows.

Install OpenVPN Server

1. OpenVPN v2.2.1 (the version this guide was written against) can be downloaded from http://openvpn.net/index.php/open-source/downloads.html; prefer the current release from that page where your operating system allows it, since older OpenVPN releases no longer receive security fixes. The installer needs to be made available to both the server and the client. Versions older than 2.2.1 should not be used as they may not be compatible with later operating systems. Note: this was found to be the case when installing an earlier version of the software on Windows 7, as the virtual network interface driver could not be enabled.

2. Double click the downloaded file openvpn-2.2.1-install.exe. In the resulting wizard, accept the default options. If prompted to install an unsigned driver for the 'TAP-Win32 virtual adapter', select 'Continue Anyway'. Because the installer loads a kernel-mode network driver, check the download against whatever checksum or signature the download page publishes before running it.

3. Click 'Next', untick the 'show readme' box and click 'Finish'.
4. The installation installs one TAP Virtual Ethernet Adapter by default. For the routed server configuration used in this guide, that single adapter carries all client connections: OpenVPN in server mode multiplexes every client over the one TUN/TAP interface. An additional adapter is only needed if you run more than one OpenVPN instance (one per .ovpn configuration file) on the same machine. To add one, select 'Start | All Programs | OpenVPN | Utilities | Add a new TAP Virtual Ethernet Adapter', repeating for each additional instance required.

5. Rename each adapter to "OpenVPNn", where n is the adapter number. This is cosmetic only but helps identification.
On 2008 – Start | Control Panel | Network and Sharing Centre, then select 'Change Adapter Settings'.
On 2003 – Start | Control Panel, right click on 'Network Connections' and select Open.

Configure OpenVPN

1. Using Notepad, create the server configuration file "server.ovpn" in the following location:
Win 2003 Server VM - "c:\program files\openvpn\config\"
Win 2008 Server VM - "c:\program files (x86)\openvpn\config\"
Note: You may need to run Notepad with administrative privileges if you do not have permission to save or edit a file in this directory (enter Notepad into the Search box, right click Notepad.exe and select 'Run as administrator'). Also make sure the file has an extension of .ovpn and not .ovpn.txt. If in doubt, change the Windows Explorer view to show file extensions:
On 2003 – Explorer – Tools | Folder Options | View tab, untick 'Hide extensions for known file types'. Click 'Ok'.
On 2008 – Explorer – Organise | Folder and Search Options | View tab, untick 'Hide extensions for known file types'. Click 'Ok'.


2. The following configuration settings are sufficient in the majority of cases for establishing a basic VPN connection. For details on what each setting does, or to customise this file, please see Appendix A. Enter the following configuration settings into the file server.ovpn:

## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert <ServerHostName>.crt
key <ServerHostName>.key
dh dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.66.0 255.255.255.0" ##DMZ##
push "route 172.16.67.0 255.255.255.0" ##SECURE1##
push "route 172.16.68.0 255.255.255.0" ##SECURE2##
push "dhcp-option DNS 62.60.19.30"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3

The values in angle brackets, the three pushed route subnets (the DMZ and secure networks of your vSYS) and the DNS server address should be changed to suit your environment. In this example max-clients has been set to 4; all clients share the server's single TAP adapter in server mode, so no additional adapters are needed for this. Before the VPN carries anything sensitive, also add the protections described in Appendix A: 'tls-auth ta.key 0' (generate ta.key with openvpn --genkey --secret ta.key and give each client a copy, which uses '1' on its side), an explicit 'cipher' such as AES-256-CBC in place of the 64-bit-block Blowfish default, and 2048-bit keys and DH parameters (set KEY_SIZE=2048 in vars.bat before generating the CA; the dh line then reads dh dh2048.pem). comp-lzo is optional and best left out: compressing tunnelled traffic gives an attacker who can inject data into the tunnel a way to recover plaintext.

Set up a Certificate Authority (CA)
A Certificate Authority (CA) is required to sign the client and server certificates. This can be achieved using the easy-rsa scripts packaged with OpenVPN. The CA private key (keys\ca.key) is the trust root for the whole VPN: anyone holding it can issue certificates the server will accept, so it stays on the server only and the keys folder should be readable by administrators alone.

1. Run a CMD prompt with administrative permissions.
2. Change to the appropriate directory:
For Windows 2003 the directory is: C:\Program Files\OpenVPN\easy-rsa
For Windows 2008 the directory is: C:\Program Files (x86)\OpenVPN\easy-rsa
3. Enter the command: init-config
This copies the shipped sample vars.bat into place, overwriting any previously edited copy; existing certificates are removed later by the clean-all command in step 5.

4. Next edit vars.bat. The file may open as a single line in Notepad, in which case add carriage returns after each line; personalise the "KEY_" settings at the bottom of the file and adjust the home path if required (on the 64-bit Windows 2008 VM, %ProgramFiles% resolves to C:\Program Files, so HOME should be set to %ProgramFiles(x86)%\OpenVPN\easy-rsa to match the directory used in step 2). Set KEY_SIZE=2048: 1024-bit RSA keys and DH parameters are no longer considered adequate, and build-dh names its output after KEY_SIZE, so server.ovpn must then reference dh2048.pem. E.g.:

@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf
rem Edit this variable to point to
rem your soon-to-be-created key
rem directory.
rem
rem WARNING: clean-all will do
rem a rm -rf on this directory
rem so make sure you define
rem it correctly!
set KEY_DIR=keys
rem Increase this to 2048 if you
rem are paranoid. This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=1024
rem These are the default values for fields
rem which will be placed in the certificate.
rem Change these to reflect your site.
rem Don't leave any of these parms blank.
set KEY_COUNTRY=US
set KEY_PROVINCE=California
set KEY_CITY=Sunnyvale
set KEY_ORG=Fujitsu
set KEY_EMAIL=testuser
set KEY_CN=changeme
set KEY_NAME=changeme
set KEY_OU=TSD
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

5. Run the following commands one after the other to generate the CA key and certificate:

vars
clean-all
build-ca

clean-all deletes everything in the keys directory, so run it only when setting up a new CA. IMPORTANT: build-ca will prompt for some details. In the majority of cases the default for each should be accepted by pressing 'Enter', except where the value is changeme. For Common Name and Name, enter the <servername>, ensuring the value is unique. (OpenVPN uses this value to associate IP addresses with, so if the names match then duplicate IP addresses will be allocated.)

6. Keys and certificates are created in the keys subfolder. The ca.crt file (root certificate) should be copied to the OpenVPN config folder using the command:

C:\..\easy-rsa> copy keys\ca.crt ..\config\

Only ca.crt is copied; ca.key stays in the keys folder and is never distributed to clients.

Set Up Server Key and Certificate

The next step is to generate a key and certificate for the VPN server.

1. To do this, run the following commands:

C:\..\easy-rsa> vars
C:\..\easy-rsa> build-key-server <ServerHostName>

The process will again prompt for confirmation of values. This time specify the 'Common Name' as the <ServerHostName>. As with generating the root certificate, most of the details will default to the correct values, but you will need to enter a Common Name; this is best set to the hostname of the server. Leave the challenge password and optional company name blank. Answer Y to sign the certificate and Y to commit. Unlike build-key, build-key-server marks the certificate with nsCertType=server, which is what allows clients to verify that they are talking to the real server (see the ns-cert-type directive in the client configuration).

2. The server also needs Diffie-Hellman parameters. Run the command:

C:\..\easy-rsa> build-dh

This may take several minutes. Finally, copy the key, certificate and DH file to the OpenVPN config folder (the example below uses "widget" as the server hostname):

C:\..\easy-rsa> copy keys\widget.crt ..\config\
C:\..\easy-rsa> copy keys\widget.key ..\config\
C:\..\easy-rsa> copy keys\dh1024.pem ..\config\

build-dh names the file after KEY_SIZE, so with KEY_SIZE=2048 the file is dh2048.pem and the dh line in server.ovpn must be changed to match.


Setup VPN Routing
Use regedit to set the IPEnableRouter registry value to 1. This turns the VPN server into an IP router between the tunnel and the DMZ and secure subnets; since the same machine has an Internet-facing NAT'd address, make sure the GCP firewall rule added earlier admits only UDP 1194, so that forwarding is reachable solely through the tunnel. The DMZ and secure subnets also need a route for the VPN address pool (10.9.0.0/24 in this guide) back to the VPN server's internal address, otherwise return traffic will not reach the tunnel.

1. Enter 'Regedit' into the search or run dialogue box.
2. Browse to the following location:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Double click the 'IPEnableRouter' value and change its data to '1'.
4. Click 'Ok' to save and close Regedit. The change takes effect after a reboot.

Configure OpenVPN To Start As A Service
To ensure OpenVPN runs when the server is rebooted or when no one is logged in, it should be configured as a service. The OpenVPN service starts one instance for each *.ovpn configuration file found in the config folder when the service starts. To do this:

1. Open the Services tool. On Windows 2008 Server: select All Programs | Administrative Tools | Services. On Windows 2003 Server: select Start | Administrative Tools | Services.
2. Locate 'OpenVPN Service', right click and select 'Properties'.
3. Change the start-up type to Automatic.
4. Click 'Ok' to close.
5. Right click the OpenVPN service and click Start.

If clients cannot connect, check openvpn-status.log in the config folder and the per-configuration log the service writes into the OpenVPN log folder.

Client Configuration

Install OpenVPN

OpenVPN should be installed on the client using the same installation instructions as for the server.

Configure OpenVPN
Create the client configuration file in the OpenVPN config folder (c:\program files\openvpn\config\ or c:\program files (x86)\openvpn\config\):

## acme.ovpn ##
client
proto udp
dev tun
remote 62.16.19.192 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <clienthostname>.crt
key <clienthostname>.key
comp-lzo
verb 3

The remote address (the Global IP address NAT'd to the VPN server) and the certificate and key file names should be changed to suit your environment. As shown, the client does not check that the certificate presented by the server was issued as a server certificate, so any holder of a client certificate from the same CA could impersonate the server; add 'ns-cert-type server' (build-key-server sets that attribute on the server certificate). Any tls-auth or cipher directive added to the server must be mirrored here ('tls-auth ta.key 1' and the same 'cipher'), and comp-lzo must match the server setting.
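The server.ovpn and acme.ovpn files shown in this guide leave out several protections that OpenVPN 2.2 already supports and that Appendix A describes (tls-auth, an explicit cipher, server-certificate checking), and they use 1024-bit DH parameters and compression. The script below is an added example written for this page; it is not part of the original guide or of OpenVPN. It parses .ovpn files the way OpenVPN tokenises them (quoted arguments, '#' and ';' comments), then reports each weak or missing setting together with the directive that closes it. Both sample configurations are embedded as constructed copies of the ones on this page with the <hostname> placeholders kept; the AES-256-CBC suggestion and the 2048-bit threshold are this example's choices, not OpenVPN defaults.

```python
"""Lint OpenVPN 2.x .ovpn files for weak or missing settings.

Added example for this guide, not an OpenVPN project tool.  The two sample
configurations are copied from the page (placeholders kept) so it runs offline."""
import re
import shlex

SERVER_OVPN = """\
## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert <ServerHostName>.crt
key <ServerHostName>.key
dh dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.66.0 255.255.255.0" ##DMZ##
push "route 172.16.67.0 255.255.255.0" ##SECURE1##
push "route 172.16.68.0 255.255.255.0" ##SECURE2##
push "dhcp-option DNS 62.60.19.30"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

CLIENT_OVPN = """\
## acme.ovpn ##
client
proto udp
dev tun
remote 62.16.19.192 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <clienthostname>.crt
key <clienthostname>.key
comp-lzo
verb 3
"""

# 64-bit block ciphers (and no cipher at all); BF-CBC is the OpenVPN 2.x default.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}


def parse_ovpn(text):
    """Return (directive, [args]) pairs; '#' or ';' outside quotes starts a comment."""
    entries = []
    for raw in text.splitlines():
        kept, quote = [], None
        for ch in raw:
            if quote is None and ch in "#;":
                break                       # rest of the line is a comment
            if ch == quote:
                quote = None
            elif quote is None and ch in "\"'":
                quote = ch
            kept.append(ch)
        tokens = shlex.split("".join(kept))  # honours the quoting OpenVPN uses
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def lint(text):
    """Return (directive, problem, fix) tuples for settings this guide should harden."""
    present = dict(parse_ovpn(text))         # last occurrence of a directive wins
    server = "server" in present or present.get("mode", [""])[0] == "server"
    findings = []
    bits = re.match(r"dh(\d+)\.pem$", present.get("dh", [""])[0])
    if bits and int(bits.group(1)) < 2048:
        findings.append(("dh", f"{bits.group(1)}-bit DH parameters are too small",
                         "set KEY_SIZE=2048 in vars.bat, rerun build-dh, use dh dh2048.pem"))
    if "tls-auth" not in present:
        findings.append(("tls-auth", "control channel has no HMAC; the port answers anyone",
                         "tls-auth ta.key " + ("0" if server else "1")))
    cipher = present.get("cipher", ["BF-CBC"])[0]
    if cipher in WEAK_CIPHERS:
        findings.append(("cipher", f"{cipher} is the effective data-channel cipher",
                         "cipher AES-256-CBC (identical on server and clients)"))
    if "comp-lzo" in present:
        findings.append(("comp-lzo", "compression of tunnelled data can leak plaintext",
                         "remove comp-lzo from server and clients"))
    if not server and not any(k in present for k in ("ns-cert-type", "remote-cert-tls")):
        findings.append(("ns-cert-type", "server certificate role is not checked; any "
                         "client certificate from this CA could impersonate the server",
                         "ns-cert-type server"))
    return findings


if __name__ == "__main__":
    for name, text in (("server.ovpn", SERVER_OVPN), ("acme.ovpn", CLIENT_OVPN)):
        print(name, *(f"\n  {d}: {p}\n    fix: {f}" for d, p, f in lint(text)))
```

Run as-is it reports four gaps in server.ovpn and four in acme.ovpn; pass lint() the text of your own files after editing them and it should return an empty list.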

Set Up Client Key and Certificate
The next step is to generate the client keys and certificates on the server, one per client, each with a unique Common Name (see the note under build-ca above). The .key file is the client's credential: transfer it to the client machine over a protected channel and keep it readable only by administrators there. To generate the client key and certificate on the OpenVPN server machine:

1. Run a CMD prompt with administrative permissions.
2. Change to the appropriate directory:
For Windows 2003 the directory is: C:\Program Files\OpenVPN\easy-rsa
For Windows 2008 the directory is: C:\Program Files (x86)\OpenVPN\easy-rsa
3. Enter the commands:
vars
build-key <clienthostname>


4. Copy the following client key and certificate, along with the root certificate, from the keys subfolder on the server to the config folder on the client machine:
C:\Program Files\OpenVPN\easy-rsa\keys\<clienthostname>.crt
C:\Program Files\OpenVPN\easy-rsa\keys\<clienthostname>.key
C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt
(On Windows 2008 the path begins with C:\Program Files (x86)\.) This can be achieved by making the drives of the local workstation available when connecting to the server via Remote Desktop. Copy only these three files; ca.key must never leave the server.

5. Then continue on the client machine.

Establishing the VPN Connections and Testing the Connection

1. On the client, right click the OpenVPN GUI desktop icon and select 'Run as administrator' (the GUI needs this to add routes to the Windows routing table). If a warning is received that OpenVPN is already running, close any instances shown in the system tray, ensure the OpenVPN service is stopped, and repeat this step.

2. Right click on the OpenVPN GUI system tray icon (two red-screened monitors) and select "Connect". A status window opens showing the connection progress; if everything is working, the status window should close and the icon should turn green.

To aid the test process it is recommended that the firewall rules are configured temporarily to allow PING (ICMP) from the Internet to the DMZ network; remove that rule again once testing is complete. Routes may need to be added to the routing tables of clients in order to communicate with the server. If the client is not able to ping the server, perform the following:

1. Open CMD prompt as administrator on the client

2. Type IPCONFIG /ALL and note down the IPv4 address, subnet mask and DHCP server shown for the TAP interface (in the example output below: 10.9.0.6, 255.255.255.252 and 10.9.0.5):

Ethernet adapter Local Area Connection 2

Connection-specific DNS Suffix:

Description . . . . . . . . . . . : TAP-Win32 Adapter V9

Physical Address. . . . . . . . . : 00-FF-16-04-1E-42

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::58b0:89a1:7320:26ac%18(Preferred)

IPv4 Address. . . . . . . . . . . : 10.9.0.6(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.252

Lease Obtained. . . . . . . . . . : 30 September 2011 10:33:20

Lease Expires . . . . . . . . . . : 29 September 2012 10:33:20

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . : 10.9.0.5

DHCPv6 IAID . . . . . . . . . . . : 302055190

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-9F-BB-2E-44-87-FC-82-4F-22

DNS Servers . . . . . . . . . . . : 62.60.19.30

NetBIOS over Tcpip. . . . . . . . : Enabled

3. Next enter the command „route print‟ and note the interface number for the TAP adapter

Interface List

18...00 ff 16 04 1e 42 ......TAP-Win32 Adapter V9

11...44 87 fc 82 4f 22 ......NVIDIA nForce Networking Controller

13...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1

15...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8

1...........................Software Loopback Interface 1

17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4


4. Type the following command, substituting the values as appropriate:

route add <VPN subnet> mask 255.255.255.0 <VPN DHCP> if <TAP INTERFACE Number>

Here <VPN subnet> is the network given to the server directive in server.ovpn (10.9.0.0 in this guide), <VPN DHCP> is the DHCP Server address reported for the TAP adapter (the server-side end of the client's tunnel link, 10.9.0.5 in the output above) and <TAP INTERFACE Number> is the interface number from route print (18 above). A route added this way is lost on reboot; add -p to make it persistent, or better, start the OpenVPN GUI as administrator every time so that OpenVPN installs the route pushed by the server itself.
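Worked through against the ipconfig /all and route print output listed above, as an added example that is not part of the original guide: the script extracts the three values the route add command needs and assembles the command. It also checks the assumption behind step 4: with OpenVPN's default net30 addressing each client receives a /30 (hence the 255.255.255.252 mask), the other usable address of that /30 is the server-side tunnel endpoint, and that endpoint is what the TAP driver reports as the DHCP Server and what the route must use as its gateway. The sample text is a constructed, trimmed copy of the listings on the page plus a second, made-up adapter (192.0.2.x) to show that the TAP adapter is the one selected; the VPN subnet 10.9.0.0/24 is the one given to the server directive in server.ovpn.

```python
"""Build the Windows 'route add' command for the OpenVPN TAP adapter from
ipconfig /all and route print output.  Added example for this guide; the
sample listings are constructed, trimmed copies of the ones on the page."""
import ipaddress
import re

IPCONFIG = """\
Ethernet adapter Local Area Connection 2

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-16-04-1E-42
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.9.0.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.9.0.5
   DNS Servers . . . . . . . . . . . : 62.60.19.30

Ethernet adapter Local Area Connection

   Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
   IPv4 Address. . . . . . . . . . . : 192.0.2.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DHCP Server . . . . . . . . . . . : 192.0.2.1
"""

ROUTE_PRINT = """\
Interface List
 18...00 ff 16 04 1e 42 ......TAP-Win32 Adapter V9
 11...44 87 fc 82 4f 22 ......NVIDIA nForce Networking Controller
  1...........................Software Loopback Interface 1
===========================================================================
"""

# "   Key . . . . : value" lines; the key is everything before the dot leaders.
FIELD = re.compile(r"^\s*([A-Za-z0-9 -]+?)[ .]*: ?(.*)$", re.M)


def tap_adapter(ipconfig):
    """Return (ipv4, mask, dhcp_server) for the first TAP-Win32 adapter."""
    for block in re.split(r"\n(?=\S)", ipconfig):     # adapters start in column 0
        fields = dict(FIELD.findall(block))
        if "TAP-Win32" in fields.get("Description", ""):
            ip = fields["IPv4 Address"].split("(")[0]  # strip "(Preferred)"
            return ip, fields["Subnet Mask"], fields["DHCP Server"]
    raise LookupError("no TAP-Win32 adapter in ipconfig output")


def tap_interface_index(route_print):
    """Return the interface number route print lists for the TAP adapter."""
    m = re.search(r"^\s*(\d+)\.\.\.[0-9a-f ]+\.+TAP-Win32", route_print, re.M)
    if not m:
        raise LookupError("TAP-Win32 adapter not in the interface list")
    return int(m.group(1))


def route_add_command(vpn_subnet, ipconfig, route_print):
    """Assemble 'route add <net> mask <mask> <gateway> if <n>' for the VPN."""
    ip, mask, dhcp = tap_adapter(ipconfig)
    link = ipaddress.ip_interface(f"{ip}/{mask}").network  # the client's /30
    peer = ipaddress.ip_address(dhcp)
    # net30: the /30's other usable address is the server-side endpoint, which
    # the TAP driver reports as "DHCP Server"; it is the only valid next hop.
    if link.prefixlen != 30 or peer == link[2] or peer not in link.hosts():
        raise ValueError(f"{dhcp} is not the /30 peer of {ip}/{mask}")
    net = ipaddress.ip_network(vpn_subnet)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is outside the VPN subnet {net}")
    idx = tap_interface_index(route_print)
    return f"route add {net.network_address} mask {net.netmask} {peer} if {idx}"


if __name__ == "__main__":
    print(route_add_command("10.9.0.0/24", IPCONFIG, ROUTE_PRINT))
```

Paste the real ipconfig /all and route print output in place of the two sample strings; if the DHCP Server address is not the peer of the TAP address, the VPN address assignment itself is wrong and adding a route will not help.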

Appendix A - Sample OpenVPN 2.0 configuration files ########################################## # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). # # # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # "C:\\Program Files\\OpenVPN\\config\\foo.key" # # # # Comments are preceded with '#' or ';' # ########################################## # Which local IP address should OpenVPN # listen on? (optional) ; local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. Port1194 # TCP or UDP server? ;proto tcp ;proto udp

# "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap" if you are ethernet bridging. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface ;dev tap ;dev tun

# Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you have # more than one. On XP SP2 or higher, you may # need to selectively disable the Windows firewall # for the TAP adapter. Non-Windows systems # usually don't need this ;dev-node MyTap

# SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and

######################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ########################################

# Specify that we are a client and that we # will be pulling certain config file directives # from the server. client

# Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun

# Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap

# Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp ;proto udp

# The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote my-server-1 1194 ;remote my-server-2 1194

# Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random

# Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite

# Most clients don't need to bind to # a specific local port number. nobind

# Downgrade privileges after initialization (non-Windows only)

user nobody group nobody

Page 9: Fujitsu Global Cloud Platform Installing and Configuring ... Fujitsu... · Fujitsu Global Cloud Platform Technical Guide Page 1 of 13 Installing and Configuring OpenVPN ... change

Fujitsu Global Cloud Platform Technical Guide

Page 9 of 13

Installing and Configuring OpenVPN

# key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ca.crt cert server.crt key server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh dh1024.pem

# Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. ;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info).

# EXAMPLE: Suppose the client

# Try to preserve some state across restarts. persist-key persist-tun

# If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings

# SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert client.crt key client.key

# Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # #mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ;ns-cert-type server

# If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1

# Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x

# Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo

# Set log file verbosity. verb 3

# Silence repeating messages ;mute 20

Page 10: Fujitsu Global Cloud Platform Installing and Configuring ... Fujitsu... · Fujitsu Global Cloud Platform Technical Guide Page 1 of 13 Installing and Configuring OpenVPN ... change

Fujitsu Global Cloud Platform Technical Guide

Page 10 of 13

Installing and Configuring OpenVPN

# having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 # Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # the TUN/TAP interface to the internet in # order for this to work properly). # CAVEAT: May break client's network config if # client's local DHCP server packets get routed # through the tunnel. Solution: make sure # client's local DHCP server is reachable via # a more specific route than the default route # of 0.0.0.0/0.0.0.0. ;push "redirect-gateway"

# Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats ;push "dhcp-option DNS 10.8.0.1" ;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
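The ccd examples above (iroute with a matching server-side route, and a fixed ifconfig-push address) and the duplicate-cn, tls-auth and cipher choices are the settings an administrator should review before the server is reachable on UDP 1194. The script below is an added example, not code from this guide or from the OpenVPN project: it parses a constructed server.conf written in the same format as the sample above, plus two constructed ccd files, and reports the findings the comments warn about. It assumes the default net30 topology, under which a pushed address pair must be one /30 ([1,2], [5,6], [9,10], ...), and it only inspects the directives discussed in the sample.

```python
"""Static review of an OpenVPN server.conf and its client-config-dir (ccd) entries.

Added example, not code from the Fujitsu guide or the OpenVPN project. It flags the
settings the sample config leaves for the administrator to decide and checks the
ccd examples (iroute / ifconfig-push) for the mistakes the comments warn about.
Assumes the default net30 topology, so a pushed address pair must be one /30.
"""
import ipaddress
import re

# Constructed sample server.conf in the guide's format, with the route for the
# fixed-address example still commented out and two weak choices left in.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.40.128 255.255.255.248
;route 10.9.0.0 255.255.255.252
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
duplicate-cn
;client-to-client
persist-key
persist-tun
verb 3
"""

# Constructed ccd/<common name> files, keyed by the client's certificate CN.
SAMPLE_CCD = {
    "Thelonious": "iroute 192.168.40.128 255.255.255.248\n"
                  "ifconfig-push 10.9.0.1 10.9.0.2\n",
    "Miles": "ifconfig-push 10.9.0.3 10.9.0.4\n",  # straddles two /30s
}

WEAK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC"}  # the 64-bit block ciphers in the sample


def parse_directives(text):
    """Return (name, args) for each active line. A line starting with ';' or '#'
    is a comment, and '#' or ';' after whitespace starts an inline comment."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        words = re.split(r"\s[#;]", line, maxsplit=1)[0].split()
        out.append((words[0], words[1:]))
    return out


def valid_net30_pair(a, b):
    """net30 hands each client one /30; the usable endpoints are [1,2], [5,6], ..."""
    lo, hi = sorted(int(ipaddress.ip_address(x)) for x in (a, b))
    return hi == lo + 1 and lo % 4 == 1


def check_server(directives):
    """Server-wide findings drawn from the directives the sample discusses."""
    names = {n for n, _ in directives}
    findings = []
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: clients may share a certificate; issue one "
                        "certificate/key pair per client for production use")
    if "tls-auth" not in names:
        findings.append("tls-auth: not enabled; control-channel packets without the "
                        "HMAC key are not dropped before the TLS handshake")
    for n, a in directives:
        if n == "cipher" and a and a[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {a[0]}: 64-bit block cipher; AES-128-CBC is the "
                            "stronger choice among the sample's options")
        if n == "verb" and a and int(a[0]) >= 5:
            findings.append(f"verb {a[0]}: debug-level logging left on")
    return findings


def check_ccd(directives, ccd):
    """Per-client findings: an iroute needs a matching 'route', and a pushed
    address must be a net30 pair that the server pool or a 'route' covers."""
    pool, routes = None, []
    for n, a in directives:
        if n == "server" and len(a) >= 2:
            pool = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
        elif n == "route" and len(a) >= 2:
            routes.append(ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False))
    findings = []
    for cn, text in ccd.items():
        for n, a in parse_directives(text):
            if n == "iroute" and len(a) >= 2:
                net = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
                if not any(net.subnet_of(r) for r in routes):
                    findings.append(f"ccd/{cn}: iroute {net} has no matching 'route' "
                                    "directive (the 'uncomment out these lines' step)")
            elif n == "ifconfig-push" and len(a) >= 2:
                if not valid_net30_pair(a[0], a[1]):
                    findings.append(f"ccd/{cn}: ifconfig-push {a[0]} {a[1]} is not a "
                                    "valid net30 pair")
                addr = ipaddress.ip_address(a[0])
                covered = (pool is not None and addr in pool) or any(addr in r for r in routes)
                if not covered:
                    findings.append(f"ccd/{cn}: ifconfig-push {a[0]} is outside the "
                                    "'server' pool and no 'route' covers it")
    return findings


def check_config(server_text, ccd):
    directives = parse_directives(server_text)
    return check_server(directives) + check_ccd(directives, ccd)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_SERVER_CONF, SAMPLE_CCD):
        print("-", finding)
```

On the constructed input this reports six findings: duplicate-cn enabled, tls-auth commented out, the Blowfish cipher, Thelonious's 10.9.0.1 with its `route 10.9.0.0 255.255.255.252` still commented, and Miles's 10.9.0.3/10.9.0.4 pair, which both breaks the net30 rule and lacks a covering route. Uncommenting that route clears the Thelonious finding, which is exactly the step the comment above prescribes.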

Appendix B – VPN Connectivity Modes

When a client connects via bridging to a remote network, it is assigned an IP address that is part of the remote physical ethernet subnet and is then able to interact with other machines on the remote subnet as if it were connected locally. Bridging setups require a special OS-specific tool to bridge a physical ethernet adapter with a virtual TAP style device.

On Windows XP or higher, select both your TAP-Win32 adapter and your ethernet adapter in Control Panel -> Network Connections, then right click and select Bridge Connections.

When a client connects via routing, it uses its own separate subnet, and routes are set up on both the client machine and remote gateway so that data packets will seamlessly traverse the VPN. The "client" is not necessarily a single machine. It could be a subnet of several machines.

Bridging and routing are functionally very similar, with the major difference being that a routed VPN will not pass IP broadcasts while a bridged VPN will.

When you are bridging, you must always use --dev tap on both ends of the connection. If you are routing you can use either --dev tap or --dev tun, but you must use the same on both ends of the connection. --dev tun tends to be slightly more efficient for the routing case.

Bridging Advantages


■ Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighbourhood browsing to work.

■ No route statements to configure.

■ Works with any protocol that can function over Ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.

■ Relatively easy-to-configure solution for road warriors.

Bridging Disadvantages

■ Less efficient than routing, and does not scale well.

Routing Advantages

■ Efficiency and scalability.

■ Allows better tuning of MTU for efficiency.

Routing Disadvantages

■ Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.

■ Routes must be set up linking each subnet.

■ Software that depends on broadcasts will not "see" machines on the other side of the VPN.

■ Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.


Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis. It is recommended to use routing unless you need a specific feature which requires bridging, such as:

■ The VPN needs to be able to handle non-IP protocols such as IPX,

■ You are running applications over the VPN which rely on network broadcasts (such as LAN games), or

■ You would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

Contact Fujitsu Global Cloud Team

FUJITSU

E-mail: [email protected]

Website: www.fujitsu.com

All rights reserved, including intellectual property rights. Technical data subject to modifications and delivery subject to availability. Any liability that the data and illustrations are complete, actual or correct is excluded. Designations may be trademarks and/or copyrights of the respective manufacturer, the use of which by third parties for their own purposes may infringe the rights of such owner.

© Copyright Fujitsu Limited 2011