OpenVPN Tunnels

Simon Mater

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2005-02-08


Table of Contents

Preliminary Reading
Bridging two Masqueraded Networks
Roadwarrior

OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the internet. OpenVPN is an Open Source project and is licensed under the GPL. OpenVPN can be downloaded from http://openvpn.net/.

OpenVPN support was added to Shorewall in version 1.3.14.

Warning

The default port number for OpenVPN changed from 5000 to 1194 in Shorewall version 2.2.0 RC2. This change follows OpenVPN 2.0 which also changed its default port to 1194. In the text that follows, where you see Port 1194 this can also refer to port 5000 depending on which version of Shorewall and OpenVPN that you are using.

Preliminary Reading

I recommend reading the VPN Basics article if you plan to implement any type of VPN.

Bridging two Masqueraded Networks

Suppose that we have the following situation:

We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy file and OpenVPN.

While it was possible to use the Shorewall start and stop script to start and stop OpenVPN, I decided to use the init script of OpenVPN to start and stop it.

On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called “vpn” and declare it in /etc/shorewall/zones on both systems as follows.

/etc/shorewall/zones — Systems A & B

#ZONE           DISPLAY           COMMENTS
vpn             VPN               Remote subnet

On system A, the 10.0.0.0/8 network will comprise the vpn zone.

In /etc/shorewall/interfaces on system A:

#ZONE      INTERFACE        BROADCAST     OPTIONS
vpn        tun0

In /etc/shorewall/tunnels on system A, we need the following:

#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn       net            134.28.54.2

Note

Shorewall versions prior to 2.2.0 Beta 1 enforced use of the same port number for both the source and destination port.

Some OpenVPN clients (notably on Windows™) do not use the same source and destination ports, which can cause problems. If system B is a Windows system, or if you find that Shorewall is blocking the UDP port 1194 traffic from the remote gateway and you are running a version of Shorewall prior to 2.2.0 Beta 1, then you will want the following entry in /etc/shorewall/tunnels instead of the one above:

#TYPE                  ZONE           GATEWAY        GATEWAY ZONE
generic:udp:1194       net            134.28.54.2

This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN traffic on the default port 1194/udp will be accepted to/from the remote gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:

/etc/shorewall/tunnels with port 7777:

#TYPE             ZONE           GATEWAY         GATEWAY ZONE
openvpn:7777      net            134.28.54.2

This is the OpenVPN config on system A:

dev tun
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
up ./route-a.up
tls-server
dh dh1024.pem
ca ca.crt
cert my-a.crt
key my-a.key
comp-lzo
verb 5

Similarly, on system B the 192.168.1.0/24 subnet will comprise the vpn zone.

In /etc/shorewall/interfaces on system B:

#ZONE      INTERFACE        BROADCAST     OPTIONS
vpn        tun0             192.168.1.255

In /etc/shorewall/tunnels on system B, we have:

#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn       net            206.162.148.9

And in the OpenVPN config on system B:

dev tun
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
up ./route-b.up
tls-client
ca ca.crt
cert my-b.crt
key my-b.key
comp-lzo
verb 5

You will need to allow traffic between the “vpn” zone and the “loc” zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:

/etc/shorewall/policy on systems A & B

#SOURCE        DEST          POLICY          LOG LEVEL
loc            vpn           ACCEPT
vpn            loc           ACCEPT

On both systems, restart Shorewall and start OpenVPN. The systems in the two masqueraded subnetworks can now talk to each other.

Roadwarrior

OpenVPN 2.0 provides excellent support for roadwarriors. Consider the setup in the following diagram:

On the gateway system (System A), we need a zone to represent the remote clients — we'll call that zone “road”.

/etc/shorewall/zones — System A:

#ZONE           DISPLAY           COMMENTS
road            Roadwarriors      Remote clients

On system A, the remote clients will comprise the road zone.

In /etc/shorewall/interfaces on system A:

#ZONE      INTERFACE        BROADCAST     OPTIONS
road       tun+

In /etc/shorewall/tunnels on system A, we need the following:

#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn:1194  net            0.0.0.0/0

We want the remote systems to have access to the local LAN — we do that with an entry in /etc/shorewall/policy (assume that the local LAN comprises the zone “loc”).

#SOURCE      DESTINATION        POLICY
road         loc                ACCEPT

The OpenVPN configuration file on system A is something like the following:

dev tun

server 192.168.2.0 255.255.255.0

dh dh1024.pem

ca /etc/certs/cacert.pem

crl-verify /etc/certs/crl.pem

cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem

port 1194

comp-lzo

user nobody

group nogroup

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3

Configuration on the remote clients follows a similar line. We define a zone to represent the remote LAN:

/etc/shorewall/zones — System B:

#ZONE           DISPLAY           COMMENTS
home            Home              Home LAN

On system B, the hosts accessible through the tunnel will comprise the home zone.

In /etc/shorewall/interfaces on system B:

#ZONE      INTERFACE        BROADCAST     OPTIONS
home       tun0

In /etc/shorewall/tunnels on system B, we need the following:

#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn:1194  net            206.162.148.9

We want the remote client to have access to the home LAN — we do that with an entry in /etc/shorewall/policy.

#SOURCE      DESTINATION        POLICY
$FW          home               ACCEPT

The OpenVPN configuration on the remote clients is along the following lines:

dev tun
remote 206.162.148.9
up /etc/openvpn/home.up

tls-client
pull

ca /etc/certs/cacert.pem

cert /etc/certs/SystemB.pem
key /etc/certs/SystemB_key.pem

port 1194

user nobody
group nogroup

comp-lzo

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3

If you want multiple remote clients to be able to communicate openly with each other then you must:

  1. Include the client-to-client directive in the server's OpenVPN configuration; and

  2. Specify the routeback option on the tun+ device in /etc/shorewall/interfaces.

If you want to selectively allow communication between the clients, then see this article by Marc Zonzon.
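Both setups on this page split one tunnel across two kinds of file (the OpenVPN config and Shorewall's tunnels/interfaces tables), and a single wrong digit in a GATEWAY column or a port that matches on one end but not the other silently leaves the tunnel blocked. The following checker is an added example, not code from Shorewall or OpenVPN: it parses both file kinds and reports the mismatches a practitioner would otherwise hunt for in the logs. It covers the site-to-site case (tls-server/tls-client pairing, mirrored ifconfig endpoints, each end's remote matching the peer's local, and a tunnels entry that opens the right port for that gateway, including the openvpn:7777 and generic:udp:1194 forms) and the roadwarrior gateway (server directive, tun+ wildcard, catch-all 0.0.0.0/0 entry, and client-to-client paired with routeback). The configs and addresses embedded below are constructed from the page's examples; the function names and the deliberate typo in TUNNELS_B_TYPO are the example's own.

```python
# Added example (not Shorewall's or OpenVPN's own code): a consistency check for
# the site-to-site and roadwarrior setups above. Sample inputs are constructed.

DEFAULT_PORT = 1194  # default since OpenVPN 2.0 / Shorewall 2.2.0 RC2


def parse_directives(text):
    """OpenVPN config -> {directive: [args]}; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            conf[fields[0]] = fields[1:]
    return conf


def parse_table(text):
    """Shorewall column file (tunnels, interfaces) -> list of field lists."""
    return [f for f in (line.split("#", 1)[0].split() for line in text.splitlines()) if f]


def tunnel_port(type_field):
    """'openvpn' -> 1194, 'openvpn:7777' -> 7777, 'generic:udp:1194' -> 1194."""
    last = type_field.split(":")[-1]
    return int(last) if last.isdigit() else DEFAULT_PORT


def openvpn_port(conf):
    return int(conf["port"][0]) if "port" in conf else DEFAULT_PORT


def check_site_to_site(conf_a, tunnels_a, conf_b, tunnels_b):
    """Both ends' OpenVPN configs and tunnels files must agree; returns problems."""
    ends = {"A": (parse_directives(conf_a), parse_table(tunnels_a)),
            "B": (parse_directives(conf_b), parse_table(tunnels_b))}
    a, b = ends["A"][0], ends["B"][0]
    problems = []
    if ("tls-server" in a) == ("tls-server" in b):
        problems.append("exactly one end must be tls-server, the other tls-client")
    if a.get("ifconfig") != list(reversed(b.get("ifconfig", []))):
        problems.append("ifconfig endpoints are not mirrored between A and B")
    if openvpn_port(a) != openvpn_port(b):
        problems.append("OpenVPN port differs between A and B")
    for name, peer_name in (("A", "B"), ("B", "A")):
        me, tunnels = ends[name]
        remote = me.get("remote", [None])[0]
        if remote != ends[peer_name][0].get("local", [None])[0]:
            problems.append(f"{name}: remote {remote} is not {peer_name}'s local address")
        # Shorewall must open the tunnel port to/from exactly that gateway.
        if not any(len(r) >= 3 and r[2] == remote and tunnel_port(r[0]) == openvpn_port(me)
                   for r in tunnels):
            problems.append(f"{name}: no tunnels entry opens udp {openvpn_port(me)} "
                            f"for gateway {remote}")
    return problems


def check_roadwarrior(server_conf, interfaces, tunnels):
    """Gateway side of the roadwarrior setup: tun+ wildcard, catch-all tunnels
    entry, and client-to-client paired with routeback."""
    conf, problems = parse_directives(server_conf), []
    port = openvpn_port(conf)
    if "server" not in conf:
        problems.append("server directive missing (OpenVPN 2.0 multi-client mode)")
    tun_rows = [r for r in parse_table(interfaces) if len(r) >= 2 and r[1].startswith("tun")]
    if not any(r[1] == "tun+" for r in tun_rows):
        problems.append("interfaces: roadwarrior zone should use the tun+ wildcard")
    if not any(len(r) >= 3 and r[2] == "0.0.0.0/0" and tunnel_port(r[0]) == port
               for r in parse_table(tunnels)):
        problems.append(f"tunnels: no entry opens udp {port} from any gateway (0.0.0.0/0)")
    if "client-to-client" in conf and not any(
            len(r) >= 4 and "routeback" in r[3].split(",") for r in tun_rows):
        problems.append("client-to-client is set but tun+ lacks the routeback option")
    return problems


# Constructed samples following the page's addresses (not real hosts).
CONF_A = "dev tun\nlocal 206.162.148.9\nremote 134.28.54.2\nifconfig 192.168.99.1 192.168.99.2\ntls-server\n"
CONF_B = "dev tun\nlocal 134.28.54.2\nremote 206.162.148.9\nifconfig 192.168.99.2 192.168.99.1\ntls-client\n"
TUNNELS_A = "#TYPE ZONE GATEWAY\nopenvpn net 134.28.54.2\n"
TUNNELS_B = "openvpn net 206.162.148.9\n"
TUNNELS_B_TYPO = "openvpn net 206.191.148.9\n"  # one wrong digit in the gateway
SERVER_CONF = "dev tun\nserver 192.168.2.0 255.255.255.0\nport 1194\nclient-to-client\n"
INTERFACES_OK = "road tun+ - routeback\n"
INTERFACES_BAD = "road tun+\n"
TUNNELS_RW = "openvpn:1194 net 0.0.0.0/0\n"

if __name__ == "__main__":
    print(check_site_to_site(CONF_A, TUNNELS_A, CONF_B, TUNNELS_B_TYPO))
    print(check_roadwarrior(SERVER_CONF, INTERFACES_BAD, TUNNELS_RW))
```

Run it against the two files from each end before restarting Shorewall; an empty list means the halves agree. The roadwarrior check only inspects the gateway, since the clients' tunnels entry is the same point-to-point shape the first function already validates.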