DestinyBlog

Vyatta is a great free firewall/routing solution.  As of version 5 (I’m specifically using 5.0.2), OpenVPN support was added.  OpenVPN is a much better alternative than any of the L2TP/IPSec VPN solutions out there, and with just a little problem solving, I was able to get a Client-Server (aka road-warrior) vpn set up.

In Part1, I explained how to get the certificates and keys generated.  Part2 explained how to set up OpenVPN within Vyatta.  Part3 explains how to set up the client on Windows.

I went the easy route of downloading the latest OpenVPN 2.1 release candidate which included the latest OpenVPN GUI.  Make sure to download 2.1 as apparently Vyatta’s implementation doesn’t support 2.0.

Some documents I read online said to download the latest version from the OpenVPN GUI site, but I found the TUN install to fail on Vista.  Apparently the latest Vista SP recognizes the tun0801.sys  driver as incompatible and will not start the virtual device.  The 2.1 release candidate from the OpenVPN site includes the newer tun0901.sys driver, which installs in Vista x86 & x64.

Proceed with a standard install.  Read each installable’s description to determine the need for install.  I personally did not install the service component as I would always be initiating the connection.

At this point, the client is ready to connect, but we need to tell it where and how.  In Part1 I explained how to create keys for the client.  At this point, we need those keys locally.  The way I retrieved them from the Vyatta server was enabling SSH on Vyatta and using WinSCP.  The required files are ca.crt, clientname.crt, and clientname.key. (where clientname is the name given during Part1)

As the VPN documentation from Vyatta says, create an .ovpn file and make the contents the following.

dev tun
client
remote 12.34.56.78
ca ca.crt
cert clientname.crt
key clientname.key

Place this file in the OpenVPN’s config folder (typically c:\program files\openvpn\config).  If the crt and key files are not in the config folder as well, make sure to put full paths to the files and use double backslashes since a backslash is a control character.

At this point, OpenVPN GUI should see the config and allow you to connect.

Additional Note for Vista:  OpenVPN GUI must be launched as Administrator (which can be set as a property of the .exe if desired) in order to have permissions to set routes.

Hope this helps. 

If you wish to review either of the previous blogs about setting up Vyatta’s OpenVPN or the easy-rsa keys/certs, read Part1 and Part2.

Vyatta is a great free firewall/routing solution.  As of version 5 (I’m specifically using 5.0.2), OpenVPN support was added.  OpenVPN is a much better alternative than any of the L2TP/IPSec VPN solutions out there, and with just a little problem solving, I was able to get a Client-Server (aka road-warrior) vpn set up.

In Part1, I explained how to get the certificates and keys generated.  Part2 explains how to setup OpenVPN within Vyatta.

1. The OpenVPN Client-Server implementation for Vyatta requirs TLS.  The keys and certificates for this must be created first (see earlier post).
2. Within the new GUI, set up the virtual tunnel interface on Vyatta.  Select openvpn under interfaces and press the Create button.
3. Enter an interface name, and select the set button.  *I was only successful using the name vtun# (where # is a number like eth0, eth1, eth2…)
4. After the interface is created, enter the vtun# mode as server
5. Set any openvpn-option values needed, such as dhcp or routes, and press the set button.  Example:  –push dhcp-option DNS 192.168.1.10 –push route 192.168.1.0 255.255.255.0.  This should correlate to the network behind Vyatta with which the clients need to communicate.
6. Select server under the vtun# interface and press the Create button
7. Enter the subnet you wish the clients to have and select subnet for the topology and press the set button.  I commonly use 172.16.x.x through 172.31.x.x as to not conflict with home networks who often use192.168.x.x and businesses who often use 10.x.x.x.
8. Select tls under the vtun# interface and press the Create button
9. Enter the correct certificate and key files and press the Set button.  The crl-file and role are not required.
   • ca-cert-file = ca.crt
   • cert-file = servername.crt
   • dh-file = dh1024.pem
   • key-file = servername.key
10. Commit your changes

At this point, the OpenVPN configuration within Vyatta is complete, however, the client must still be configured.

Vyatta is a great free firewall/routing solution.  As of version 5 (I’m specifically using 5.0.2), OpenVPN support was added.  OpenVPN is a much better alternative than any of the L2TP/IPSec VPN solutions out there, and with just a little problem solving, I was able to get a Client-Server (aka road-warrior) vpn set up.

Prior to setting up the actual OpenVPN solution, a few steps are required to generate the PKI certificates and keys used by TLS in order to secure the communication.  Pre-shared keys are not available for a Client-Server OpenVPN setup in Vyatta.  I don’t believe this is a limitation of OpenVPN but rather Vyatta.  We’ll see if this changes in the future.  The steps below will generate self-signed certificates and set up Vyatta as its own certificate authority.  More advanced setup for certificates and keys may be found on the OpenVPN website.

• The pkitool and all of the key/cert scripts such as ./build-key can be found under /usr/share/doc/openvpn/examples/easy-rsa/2.0
• when asked to sign the certs, answer yes
• when asked for passwords, only enter one if you know the client to be used can decrypt a passworded key.  At the time of this writing, OpenVPN GUI for windows could not.

1. Log into the console as root.
2. Configure the vars file with the correct KEY_DIR and certificate details.  I used /root for the KEY_DIR as it was easy to remember where they were when configuring Vyatta.
3. Create an index.txt and serial file in KEY_DIR.  These 2 files must be present in the folder used for KEY_DIR.  To make the index.txt file, just use the command “touch index.txt” and to create the serial file, “echo 01 > serial” .  This will create a zero-byte file index.txt and a file called serial with the contents “01″
4. run “./build-ca” to create the Certificate Authority certificate.
5. run “./build-key-server servername” to create a key and certificate for the vyatta server.  Enter your desired name for “servername”.  It will be referenced when configuring TLS in Vyatta.
6. run “./build-dh” to create the diffie hellman exchange file.
7. run “./build-key clientname” to create a key and certificate for a specific client.  Enter your desired name for the “clientname”.  This is the certificate and key required by the client to be allowed connection with the OpenVPN server.

At this point, you are ready to configure OpenVPN in Vyatta.

In the month of February, 2005, the typical site for downloading a Dilbert RSS feed expired. In a mad scramble…
I really do need my dilbert fix…I wrote my own feed from a small perl example I found. Anyone can link to it at
http://www.destinyforge.com/rss/dilbert.pl.
If you are interested in the perl code, send me an email.