Carbonwind.net
Home
Blog
Articles
Books
Links
Tools
About
Contact
Disclaimer
Forefront TMG
ISA Server
Vyatta OFR
VPN
Virtualization
Firewalls
Cisco
Miscellaneous
Wireless

 07.04.2011
Configure Vyatta(Core 6.2) as an OpenVPN server(in routing mode) using for the PKI part XCA instead of easy-rsa

 - 1. Intro
 - 2. Configure Vyatta
 - 3. Sample OpenVPN client on Windows(XP SP3 used)

 1. Intro
In this paper we will configure Vyatta(Core 6.2) as an OpenVPN server(in routing mode) using for the PKI part XCA instead of easy-rsa.
We will do so per my previous article Using XCA to configure the OpenVPN PKI part as an alternative to OpenVPN's easy-rsa.
So first make sure you follow the steps from there in order to create a CA and issue certificates for the OpenVPN server and clients.

Per the mentioned paper, I have prepared within a folder on a Windows 7 machine the following files: CA certificate, DH parameter file, client and server certificates, client and server private keys, see Figure 1:


Figure1: XCA Exported Files

Make sure the server's private key is in SSLeay compatible format, otherwise you may not be able to commit the configuration on Vyatta.

 2. Configure Vyatta
The network diagram is presented in Figure2:


Figure2: Network Diagram

First simple configuration on the Vyatta machine(installed on hdd) to achieve basic connectivity.
This was entered on the Vyatta machine:

set interfaces ethernet eth0 address 192.168.22.234/24
set interfaces ethernet eth1 address 192.168.10.1/24
commit

set service ssh protocol-version v2
commit
save

set protocols static route 0.0.0.0/0 next-hop 192.168.22.1
commit

edit service nat rule 20
set type masquerade
set source address 192.168.10.0/24
set outbound-interface eth0
top
commit

save

We need to copy on Vyatta the CA certificate, the server certificate, the server private key and the DH parameter file.
Per Vyatta's configuration guide Vyatta_BasicSystemRef_R6.2_v01.pdf we can put these files within the /root location.

There are a couple of ways to do this; I will use WinSCP.
Note that, for example, the default administrator named vyatta is allowed to do sudo without being prompted with password.
So if we configure WinSCP, per its documentation, like in Figure3(use SCP and select the Advanced options) and Figure4(custom shell sudo su - on the SCP/Shell/ tab), we will be able to obtain write access to the /root location.


Figure3: WinSCP use SCP


Figure4: WinSCP custom shell

For example, I've copied the above mentioned files like so on the Vyatta machine, see Figure5:


Figure5: WinSCP Files copied on the Vyatta machine over SCP

After we've copied these files on Vyatta, we can proceed and configure the OpenVPN server on it.

We will enter a basic OpenVPN configuration on Vyatta, it will use UDP and listen for VPN connections on UDP port 1194(default OpenVPN port), we will assign IP addresses to the OpenVPN clients from the 192.168.200.0/24 subnet and we will push a route for the subnet behind Vyatta(192.168.10.0/24) to the OpenVPN clients in order for them to be able to reach resources located behind Vyatta over the VPN tunnel.
Also we will use AES CBC 128-bit for data encryprion.

set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 192.168.200.0/24
set interfaces openvpn vtun0 tls ca-cert-file /root/OpenVPN_CA.crt
set interfaces openvpn vtun0 tls cert-file /root/openvpnsrv_cert.crt
set interfaces openvpn vtun0 tls key-file /root/openvpnsrv_key.key
set interfaces openvpn vtun0 tls dh-file /root/dh2048.pem
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 server push-route 192.168.10.0/24
commit

save

 3. Sample OpenVPN client on Windows(XP SP3 used)
I've copied on the client within the config folder the CA certificate, the client certificate and the client private key, see Figure 6:


Figure6: Windows XP SP 3 OpenVPN client config folder

The below client configuration is basic, we have some anti-MITM features, for example we verify the CN on the server's certificate and this certificate must have certain Key Usage and EKU values(for more details about this refer to the article Using XCA to configure the OpenVPN PKI part as an alternative to OpenVPN's easy-rsa).

client
dev tun
proto udp
remote 192.168.22.240 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN_CA.crt
cert openvpnclienta_cert.crt
key openvpnclienta_key.key
remote-cert-tls server
tls-remote "/CN=openvpnsrv"
cipher AES-128-CBC
verb 3
Copyright ©2011 Adrian F. Dimcev