
Step 5.1: Configuring the Server (OpenVPN)
To configure the server you can copy the config file below and adjust it as needed. It is fairly self-explanatory: tls-auth is already included, as are compression and the virtual device tun for routing. Notice that the protocol is set to TCP. That is a personal choice; UDP works as well and usually performs better, since tunneling TCP inside TCP stacks two retransmission mechanisms on top of each other. The key paths point to the files we generated earlier in this tutorial and are relative to the directory OpenVPN is started from (/etc/openvpn when using the init script). The virtual LAN the VPN clients get their IPs from is, as we decided at the beginning, 192.168.1.0/24. Be aware that this is also the default LAN range of many home routers, so a client connecting from such a network will have a route conflict; a less common range avoids that. We have also set it up so that split tunneling is not allowed: while connected to the VPN, clients cannot reach any other network at the same time. Often you connect to a VPN and only traffic destined for that network goes through the tunnel while everything else goes out to "the internet" directly; we do not allow that here. When clients connect, they should behave as if they were physically present in your LAN. Two things to keep in mind about the stock sample this config is based on: dh1024.pem is a 1024-bit Diffie-Hellman group, which is weak by today's standards, so generate 2048 bits or more if you are building this fresh; and comp-lzo compresses data before it is encrypted, which is a known avenue for side-channel attacks on VPN traffic, so leave compression off unless you really need the bandwidth. The server config follows:

OpenVPN Server config

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server?
proto tcp

# "dev tun" will create a routed IP tunnel, which is what we want
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.

ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret

# Diffie hellman parameters.
dh keys/dh1024.pem

# Configure server mode and supply a VPN subnet
server 192.168.1.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (192.168.1.0/255.255.255.0)
# back to the OpenVPN server.
push "route 172.10.1.0 255.255.255.0"

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN. This is
# what disables split tunneling. Adding the
# def1 flag (push "redirect-gateway def1")
# overrides the default route with two /1
# routes instead of replacing it, which
# recovers more cleanly when the tunnel drops.
push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
;push "dhcp-option DNS 172.10.1.2"

# Allow different clients to "see" each other
# (comment this out to isolate clients from
# one another at the VPN layer).
client-to-client

# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
tls-auth keys/ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# BF-CBC and DES-EDE3-CBC are 64-bit block
# ciphers; stay with AES.
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 250

# It's a good idea to reduce the OpenVPN
# daemon’s privileges after initialization.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing current
# connections, truncated and rewritten every minute.
status openvpn-status.log

# Append to a log file instead of writing to syslog.
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20
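As an added example (not part of the original page and not OpenVPN's own tooling), here is a small POSIX shell script that checks a server config for the properties the text above relies on: tls-auth is enabled, the server private key and the tls-auth key are readable only by their owner, the default gateway is pushed so split tunneling is impossible, the daemon drops privileges, and the cipher is not a 64-bit block cipher. It assumes that relative key paths in the config are relative to the directory the config file lives in, which is how the daemon resolves them when started from /etc/openvpn; that assumption is also noted in the code.

```shell
#!/bin/sh
# check-ovpn.sh: sanity-check an OpenVPN server config (added example for the
# tutorial, not code from the page or from OpenVPN).
# Assumption: relative paths such as keys/ta.key are relative to the directory
# containing the config file (the daemon's working directory in /etc/openvpn).

# Print the first argument of the first active "NAME arg ..." line.
# Lines beginning with '#' or ';' have a different first field and are
# skipped automatically; trailing "# comments" are ignored as well.
directive_arg() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# Succeed if an active NAME line exists at all (for flag-style options).
has_directive() {
    awk -v name="$2" '$1 == name { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Resolve a path from the config relative to the config's directory.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Succeed if FILE exists and has no group/other permission bits at all
# (columns 5-10 of "ls -l" output are exactly those six bits).
secret_file_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_openvpn_server_conf CONFIG -> 0 if every check passes, 1 otherwise.
# Each failed check prints one FAIL line, so the output is the to-do list.
check_openvpn_server_conf() {
    conf=$1
    rc=0

    ta=$(directive_arg "$conf" tls-auth)
    if [ -z "$ta" ]; then
        echo "FAIL: tls-auth is not enabled (handshake has no HMAC protection)"
        rc=1
    elif ! secret_file_ok "$(resolve_path "$conf" "$ta")"; then
        echo "FAIL: tls-auth key $ta is missing or readable by group/other"
        rc=1
    fi

    key=$(directive_arg "$conf" key)
    if [ -z "$key" ]; then
        echo "FAIL: no server private key (key directive missing)"
        rc=1
    elif ! secret_file_ok "$(resolve_path "$conf" "$key")"; then
        echo "FAIL: private key $key is missing or readable by group/other"
        rc=1
    fi

    # Split tunneling is forbidden in this setup, so the default gateway must
    # be pushed; accept the directive with or without extra flags like def1.
    if ! awk '$1 == "push" && index($2, "redirect-gateway") > 0 { found = 1 }
              END { exit found ? 0 : 1 }' "$conf"; then
        echo "FAIL: redirect-gateway is not pushed (split tunneling possible)"
        rc=1
    fi

    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "FAIL: daemon keeps root privileges (user/group not set)"
        rc=1
    fi

    # An unset cipher falls back to the daemon's default; BF-CBC and 3DES are
    # 64-bit block ciphers and should not be used for a long-lived tunnel.
    cipher=$(directive_arg "$conf" cipher)
    case "$cipher" in
        ""|BF-CBC|DES-EDE3-CBC)
            echo "FAIL: cipher '${cipher:-unset}' is unset or a 64-bit block cipher; use AES"
            rc=1 ;;
    esac

    return $rc
}

# Usage: sh check-ovpn.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_openvpn_server_conf "$1"
fi
```

Run it against the config from this step before starting the daemon; a clean run prints nothing and exits 0, and each FAIL line names the directive or file to fix. The permission check matters most: server.key and ta.key are the two files whose disclosure lets an attacker impersonate the server or bypass the HMAC firewall, so they should be mode 0600 and owned by root, not by the unprivileged account the daemon drops to.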

Step 5.2: Configuring the Server (DHCP)
You want to give all the WLAN clients an IP from a certain range. For that you need a DHCP server. Most APs come with a built-in DHCP server, but that is not a real option here, since you want a central location AND you do not want each meeting room to have its own IP range; administration would become hell :). Your DHCP server needs to hand the clients very little information:
The default gateway
The DNS server
The network range for the IP pool and the subnet mask

The DHCP server should also reside on your OpenVPN server. To install it, type

yum install dhcp

(the package is called dhcp; the daemon and the service are called dhcpd). Now enter the following into /etc/dhcpd.conf (on newer releases the file lives at /etc/dhcp/dhcpd.conf):
DHCP server config

# lease times in seconds: clients renew hourly and hold a lease for a day at most
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

# guest WLAN pool; the subnet mask comes from the subnet declaration
subnet 10.1.1.0 netmask 255.255.255.0 {
    range 10.1.1.10 10.1.1.254;
    option routers 10.1.1.1;
    # the forwarding DNS server from step 5.3; this assumes it listens on
    # the same address this server uses as the gateway
    option domain-name-servers 10.1.1.1;
}

Once done, save the file, check it with dhcpd -t (which parses the config without starting the daemon), and run

service dhcpd restart

If it reports OK, you are done.

Step 5.3: Configuring the Server (Public DNS)
Since we want a DNS server for the "public" internet usage we provide to visiting clients, we need to configure one. This is very simple, because you do not need a zone of your own for this: you just set the DNS server up so that it forwards all requests to your ISP's public DNS servers. Since all legitimate corporate DNS traffic comes over the VPN tunnel only, there is no need for any zone or corporate DNS information here. In /etc/named.conf look for something like:

options {

and add this line inside the braces (BIND terminates every entry in the list with a semicolon, not a comma):

forwarders { x.x.x.x; y.y.y.y; };

Where x.x.x.x and y.y.y.y are the DNS servers of your ISP or whichever DNS servers you will use to provide public lookups. Two additions in the same options block are worth making: forward only; so that named never falls back to doing full recursion itself when the forwarders are unreachable, and allow-recursion { 10.1.1.0/24; }; so that only the guest WLAN can use this resolver. A resolver that answers recursive queries for anyone on the internet is an open resolver and will be abused for DNS amplification attacks. Save the file, check it with named-checkconf, and run service named restart. You are now ready to serve DNS requests, or rather forward them.
