LAB04: Virtual Private Networks (VPN)
Tomáš Rebok

Brief VPN introduction

What is VPN?
The goal of a Virtual Private Network (VPN) is to provide private communications within the public Internet infrastructure.
• VPNs employ various networking technologies to achieve this goal
  - they can be realized at almost any layer of the OSI protocol stack
  - the theoretical background is provided by the lecture
• basic VPN idea:
  - build a virtual overlay network that runs on top of the Internet infrastructure
  - "virtual" means that no new physical infrastructure is necessary
  - connect private networks via the overlay network
  - the overlay can be built between two end systems, between an end system and a network, or among two or more networks

VPN Basic Functions
VPNs provide four critical functions:
• Confidentiality - the sender encrypts the packets before transmitting them across a public network
  - nobody without the key can read the communication; intercepted traffic cannot be read
• Data integrity - the receiver can verify that the data was transmitted through the Internet without being altered
• Origin authentication - the receiver can authenticate the packet sender, i.e. verify the source of the information
• User authorization - limits which (authenticated) users may access the network

VPN Deployment Scenarios
There are two basic VPN deployment scenarios:
• Site-to-Site (Intranet) VPN
  - interconnects multiple network sites of the same organization at different locations
  - forms a larger corporate network including distant branches
• Remote Access VPN
  - connects a single remote device to the corporate intranet
  - enables flexible access to the corporate network (e.g. while travelling)

VPN Approaches
Taxonomy of VPN approaches based on the ISO/OSI layer:
• Layer 2 VPN
  - MPLS (Multiprotocol Label Switching): the analogy of a virtual wire
• Layer 3 VPN
  - IPsec, PPTP, L2TP
  - usually implemented on the perimeter firewall (network border)
  - Point-to-Point Tunneling Protocol (PPTP; obsolete and insecure, its MS-CHAPv2/MPPE protection is broken) and Layer 2 Tunneling Protocol (L2TP; provides no encryption itself and is normally combined with IPsec)
  - note: PPTP and L2TP carry Layer 2 (PPP) frames inside IP/UDP packets, so many other taxonomies classify them as Layer 2 tunneling protocols
  - IPsec: see the animation at https://frakira.fi.muni.cz/~jeronimo/vyuka/IPSec (part of the IPv6 animation at https://frakira.fi.muni.cz/~jeronimo/vyuka/IPv6)
• Layer 4 VPN
  - SSL/TLS VPNs
  - usually allow access to specific applications rather than to entire subnets

VPN at Masaryk University
In the MUNI network, a Remote Access VPN server runs for MUNI students and MUNI staff:
• when connected, your computer behaves exactly as if it were connected directly to the university network
• you can use all services available via the university network, e.g.:
  - access to MU's paid digital libraries
  - access to specialized devices and equipment
  - access to university licences
• more information is available at https://it.muni.cz/en/services/vpn

Warming QUIZ!

Q1: VPN stands for:
a) Virtual Public Network
b) Virtual Private Network
c) Virtual Protocol Network
d) Virtual Perimeter Network
Answer: b) Virtual Private Network (or Virtual Private Networking)
A VPN is a private network in the sense that it carries controlled information, protected by various security mechanisms, between known parties. VPNs are only "virtually" private, however, because the data actually travels over shared public networks instead of fully dedicated private connections.
Q2: What are the acronyms for the most common VPN protocols? Identify their ISO/OSI layer as well.
Answer: the most common VPN protocols (and approaches), grouped by layer:
• Layer 2 - (VPN over) MPLS
• Layer 3 - PPTP, L2TP, IPsec
• Layer 4 - (VPN over) SSL/TLS

Q3: What are the basic VPN deployment scenarios?
Answer: there are two basic deployment scenarios:
• Site-to-Site VPNs
• Remote Access VPNs

Q4: What is the main benefit of VPNs compared to dedicated networks utilizing frame relay, leased lines, and traditional dial-up?
a) better network performance
b) less downtime on average
c) flexibility and reduced cost
d) improved security
Answer: c) flexibility and reduced cost
The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial-up networking. These savings come with a certain amount of risk, however, particularly when using the public Internet as the delivery mechanism for VPN data.

Q5: In VPNs, the term "tunneling" refers to ...
a) an optional feature that increases network performance if it is turned on
b) the encapsulation of packets inside packets of a different protocol to create and maintain a virtual circuit
c) the method a system administrator uses to detect hackers on the network
d) a marketing strategy that involves selling VPN products for very low prices in return for expensive service contracts
Answer: b) the encapsulation of packets inside packets of a different protocol to create and maintain a virtual circuit
Several network protocols have been designed specifically for use with VPN tunnels: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPsec).

Q6: Will VPNs still be useful in future IPv6-only networks?
a) YES, VPNs provide features not available in IPv6
b) NO, IPv6 includes VPNs as part of its specification
c) NO, IPv6 can substitute the VPN's functionality via its Home Agents
d) YES, VPNs can further increase the number of available IP addresses
Answer: a) YES, VPNs provide features not available in IPv6
VPNs provide two main features:
• they protect the traffic against eavesdropping, spoofing, replay attacks and so on (even on Layer 4)
• they decouple your addressing and routing from the operators of the underlying networks (especially useful for Site-to-Site VPNs)

OpenVPN & practical example

OpenVPN Introduction
• VPNs can be realized both with specialized HW devices and with SW tools
• SW tools may require specific OS functionality (L2 + L3 VPNs) or not (L4 VPNs)
• the best-known and most widely used open-source SW tool is OpenVPN
• OpenVPN (http://openvpn.net)
  - open-source VPN solution
  - uses X.509 certificates and TLS for authentication and key exchange
  - clients available for most OSes (Linux, OS X, Windows, DD-WRT, Tomato)
  - simple setup for small networks
  - runs in user mode (only the TUN/TAP virtual interface driver lives in the kernel), not as a kernel-mode VPN
  - the tool we will use during this practical lab

Lab Scenario and Infrastructure
A small company called RedGears Ltd. (producing red wheels) requires you, as the network administrator, to configure the network so that its Sales Representatives can access internal network resources (a web server with the internal price list) while travelling. All the communication has to be sufficiently secured.
Goal: establish a VPN server (VPN gateway) and configure clients to establish a secured VPN connection to it.

Lab Tasks
1. build the basic infrastructure and test its functionality
2. configure the OpenVPN server
  - create the server certificates
  - create the server configuration file
  - adjust the server networking configuration
  - start and check the server
3. configure the OpenVPN client
  - connect the client to the server and observe the behaviour (both Windows and Linux clients)
4. questions and other possible scenarios
5. homework assignment

1. Building the Lab Infrastructure
• start your VirtualBox
• import the VPN server and Enterprise server VMs
  - VirtualBox: File -> Import Appliance
  - O:\PA197\Lab 4\PA197-L4-VPNserver.ova
  - O:\PA197\Lab 4\PA197-L4-Enterprise.ova
  - do not start the VMs yet
• observe the VMs' configuration
  - network settings & port forwarding
  - note the internal & external network configuration
• start the VMs
  - users: root & pa197
  - passwords: pa197
  - observe the internal configuration (networking, tools, ...)
  - make yourself root (sudo su)
• test the communication
  - from the VPN server to Enterprise
  - ping, SSH, WWW browser
[Figure: the VPNserver (OpenVPN) and Enterprise VMs running in VirtualBox on the Windows host]

2. OpenVPN Server Configuration
A. Generate Certificates
• necessary for VPN server authentication; usable for client authentication too
• PKI (Public Key Infrastructure): the tools, procedures and people used to manage the creation, management and revocation of digital certificates
• X.509: standardized format for certificates, certificate revocation and path verification; standardized by the ITU Telecommunication Standardization Sector (ITU-T)
• Certificate Authority (CA): the entity that creates & signs digital certificates
• EasyRSA: a set of scripts allowing for the easy creation, signing and revocation of the X.509 certificates used by OpenVPN
  - abstracts the use of OpenSSL (run in the background)
  - distributed with OpenVPN (the commands below are EasyRSA 2.x commands)
• become root
  pa197@VPNserver$ sudo su -
• EasyRSA setup
  - create a CA directory with the basic CA content
    # make-cadir /root/openvpn-ca
  - move into that directory
    # cd /root/openvpn-ca
  - configure the CA variables
    # mcedit vars          (experienced users: # vim vars)
  - see the export KEY_* variables (not necessary to change); change KEY_NAME to server
  - the variables will be used as defaults for all the generated certificates
• build the CA
  - source the variables into the environment
    # source vars          (the same as # . vars)
  - clean previously generated keys (if any)
    # ./clean-all
  - build the root CA
    # ./build-ca           (press ENTER through the prompts)
  - the CA key can be password protected with the --pass option (# ./build-ca --pass); the password will then be required to sign any certificate with this key. In a real deployment the CA key should be protected and kept off the VPN gateway; only this lab keeps an unprotected CA key on the server itself.
• EasyRSA setup, continued
  - create the OpenVPN server certificate
    # ./build-key-server server    (press ENTER through the prompts & answer 'y' to sign and commit)
  - generate the Diffie-Hellman parameters used during the key exchange (this takes a while; the size follows KEY_SIZE in vars, 2048 bits here)
    # ./build-dh

B. Configure the OpenVPN service
• copy the CA certificate and key, our server certificate and key, and the Diffie-Hellman parameters to the OpenVPN server directory
  # cd /root/openvpn-ca/keys
  # cp ca.crt ca.key server.crt server.key dh2048.pem /etc/openvpn
  (note: the running server needs only ca.crt, server.crt, server.key and dh2048.pem; ca.key is copied here for the lab's convenience and would stay off the gateway in production)
• copy and unzip the sample OpenVPN configuration file
  # gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >/etc/openvpn/server.conf
• make yourself familiar with the OpenVPN configuration
  # mcedit /etc/openvpn/server.conf
• personalize the OpenVPN server configuration: edit /etc/openvpn/server.conf and check at least the following options (lines marked CHANGE must be uncommented or adjusted in the sample file):
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem                               <- CHANGE (the sample may say dh1024.pem; use the generated file name)
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"    <- CHANGE (uncomment; routes all client traffic through the VPN)
    cipher AES-128-CBC                          <- CHANGE (uncomment)
    comp-lzo
    user nobody                                 <- CHANGE (uncomment; drop privileges after start)
    group nogroup                               <- CHANGE (uncomment)
    persist-key
    persist-tun
    log /var/log/openvpn.log                    <- CHANGE (uncomment)
• set the client authentication method
  - various methods are available, see https://openvpn.net/index.php/open-source/documentation/howto.html#auth
  - authentication via a script/command (any script/command can be called; username/password are passed via a file or environment variables)
  - various plugins (PAM, LDAP, htpasswd, RADIUS, etc.)
  - we will use the PAM plugin (authentication against system users); add the following two lines at the end of server.conf:
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
    client-cert-not-required
  - caveat: client-cert-not-required (spelled verify-client-cert none in OpenVPN 2.4+) means the server accepts any TLS client, so the username/password is the only thing authenticating the user; the homework replaces this with per-client certificates
• this finalizes the OpenVPN server configuration

C. Adjust the server networking configuration
• allow IP forwarding (the server must route between the tun interface and the internal network)
  # mcedit /etc/sysctl.conf
  remove the '#' before net.ipv4.ip_forward=1
  # sysctl --load

D. Start and test the OpenVPN server
• reboot the server and examine the log file(s) for errors
  # reboot
  once booted: # cat /var/log/openvpn.log
• OpenVPN has to be started with root privileges (it then drops to nobody/nogroup thanks to the user/group options)
• later, you will use the common service commands to start/stop the OpenVPN server
  # service openvpn stop     (if running)
  # service openvpn start
3. Configure the OpenVPN client
• prepare the client configuration file (PA197-L4.ovpn), again by adapting the sample config file
  # cd /root
  # cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf PA197-L4.ovpn
• adapt PA197-L4.ovpn to the server configuration; check at least the following options (CHANGE = edit the sample):
    client
    dev tun
    proto udp
    remote localhost 1194        <- CHANGE (the Windows host reaches the VM through VirtualBox port forwarding)
    user nobody                  <- CHANGE (comment out for the Windows client, which has no such option)
    group nogroup                <- CHANGE (likewise)
    persist-key
    persist-tun
    cipher AES-128-CBC           <- CHANGE (must match the server)
    comp-lzo
    auth-user-pass               <- CHANGE (add: prompts for username/password)
    ca ca.crt                    <- CHANGE (remove; the CA certificate will be embedded inline)
    cert client.crt              <- CHANGE (remove; no client certificate is used)
    key client.key               <- CHANGE (remove)
• include the CA certificate in the client configuration file
  - attach the content of ca.crt between the <ca> and </ca> marks
  - hint: # cat FILE1 >>FILE2, i.e. # cat /etc/openvpn/ca.crt >>PA197-L4.ovpn
  - add the <ca> and </ca> marks using an editor (just after the auth-user-pass option)
• transfer the configuration file to the client (Windows host)
  - WinSCP from the Windows host to localhost, port 2222 (forwarded to the VM's SSH port)
  - use the pa197 or root user credentials
  - save the file to C:\Program Files\OpenVPN\config\
• finally, try to connect to the OpenVPN server
  - use the pa197 username and the pa197 password
  - examine the OpenVPN log files
  - if you are successful, you should be able to access http://10.10.10.10 from the Windows host's WWW browser

Questions & Tasks
Open a network sniffer/analyzer application (Wireshark) and examine the content of the captured packets (on both VPN ends):
1. Are the passing packets encrypted?
2. Are all the packets (even those destined to external networks) passing through the OpenVPN server?
  - if YES, how would you change the configuration so that only packets destined to the internal network(s) go through the VPN?
  - if NO, could you capture and identify the ones not going through the VPN tunnel?
Finally, connect to the VPN server from your Linux host (the Enterprise VM for current testing purposes).
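The client profile above is assembled by hand (cat ca.crt >> PA197-L4.ovpn, then adding the marks in an editor). The following script is an added example, not part of the lab slides: it builds the same profile in one step with the CA certificate embedded between <ca> and </ca>, and then checks the result for the two mistakes that usually break this step (missing or doubled marks, and a leftover file-based ca directive). The server name vpn.example.org and the CA certificate body are constructed placeholders; the cipher and compression settings mirror the lab server, and user/group are omitted because the profile is meant for the Windows client.

```shell
#!/bin/sh
# Added example for the LAB04 client step; not from the lab slides.
# Builds an OpenVPN client profile with the CA certificate embedded inline
# and checks it. The CA below is a constructed placeholder, not a real cert.

# Constructed stand-in for /etc/openvpn/ca.crt (PEM shape only, not parseable
# by OpenSSL); in the lab you would pass the real file instead.
write_fake_ca() {
    cat >"$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBjb25zdHJ1Y3RlZCwgbm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
EOF
}

# make_client_ovpn OUT HOST PORT CA_FILE
# Settings mirror the lab server (AES-128-CBC, comp-lzo); user/group are
# left out because the Windows client does not support them.
make_client_ovpn() {
    {
        cat <<EOF
client
dev tun
proto udp
remote $2 $3
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
auth-user-pass
auth-nocache
verb 3
<ca>
EOF
        cat "$4"
        printf '</ca>\n'
    } >"$1"
}

# check_client_ovpn FILE
# Returns 0 when the profile has exactly one <ca>...</ca> block containing a
# PEM certificate and no leftover file-based "ca" directive (a relative path
# would be searched in the client's config directory and is the usual cause
# of "Cannot load CA certificate file" errors).
check_client_ovpn() {
    f=$1
    [ "$(grep -c '^<ca>$' "$f")" -eq 1 ] || { echo "expected exactly one <ca> line"; return 1; }
    [ "$(grep -c '^</ca>$' "$f")" -eq 1 ] || { echo "expected exactly one </ca> line"; return 1; }
    sed -n '/^<ca>$/,/^<\/ca>$/p' "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' \
        || { echo "no PEM certificate inside <ca>"; return 1; }
    if grep -Eq '^[[:space:]]*ca[[:space:]]+' "$f"; then
        echo "file-based 'ca' directive still present; remove it when embedding inline"
        return 1
    fi
    echo "profile OK: $f"
    return 0
}

# Stand-alone demo: build a profile in a temp dir, check it, show it.
demo() {
    tmp=$(mktemp -d)
    write_fake_ca "$tmp/ca.crt"
    make_client_ovpn "$tmp/PA197-L4.ovpn" vpn.example.org 1194 "$tmp/ca.crt"
    check_client_ovpn "$tmp/PA197-L4.ovpn"
    cat "$tmp/PA197-L4.ovpn"
    rm -rf "$tmp"
}
demo
```

On the VPNserver VM the real call is make_client_ovpn PA197-L4.ovpn localhost 1194 /etc/openvpn/ca.crt (localhost because of the VirtualBox port forwarding). remote-cert-tls server is worth keeping even in the lab: build-key-server marks the server certificate with the server extensions, and this option makes the client refuse any other certificate signed by the same CA, which matters once client certificates are introduced in the homework.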
Homework
Your homework tasks:
1. make the example (basic) configuration more secure
  - hint: get inspired by the OpenVPN webpage (https://openvpn.net) or other pages providing tips to secure VPN tunnels (e.g. https://blog.g3rt.nl/openvpn-security-tips.html)
2. adapt the configurations to authenticate clients using personal certificates (not username & password)
3. our configuration has used the so-called routing mode (L3 mode, dev tun); try to adapt it to the so-called bridged mode (L2 mode, dev tap)
4. optional challenge: between two Linux hosts, establish a site-to-site bridged VPN (interconnecting both networks into a single large network)
All the reports should contain a descriptive document (including figures if useful), all the configuration files (server, client) and support files (e.g. certificates), including a textual description of all the changes performed on the server/client side (with their explanation and rationale). If you succeed with the bridged configuration, include small packet captures (PCAP format) as well.
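The split-tunnel question from Questions & Tasks and homework task 1 both come down to reviewing server.conf. The script below is an added example, not part of the lab slides: it reproduces the lab's server.conf, audits it for the weak settings a reviewer would flag (compression, no client certificates, no control-channel key, CBC cipher, default TLS version and HMAC), and writes a hardened variant in either full-tunnel or split-tunnel form. Directive names are those of OpenVPN 2.5+ (verify-client-cert, data-ciphers, allow-compression); the internal network 10.10.10.0/24 is assumed from the lab's 10.10.10.10 web server, and ta.key is assumed to be generated separately.

```shell
#!/bin/sh
# Added example for the LAB04 questions/homework; not from the lab slides.
# Audits an OpenVPN server.conf for the weak settings used in the lab and
# writes a hardened variant (OpenVPN 2.5+ directive names). The internal
# network 10.10.10.0/24 is assumed from the lab's 10.10.10.10 web server.

# The lab's baseline server.conf, as configured on the slides.
write_lab_server_conf() {
    cat >"$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/openvpn.log
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
client-cert-not-required
EOF
}

# write_hardened_server_conf OUT MODE   (MODE = full | split)
# "split" pushes only a route to the internal network, so Internet traffic
# stays outside the tunnel (the answer to the "all packets?" question).
# Client certificates are required again; the PAM plugin stays as 2nd factor.
write_hardened_server_conf() {
    cat >"$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
allow-compression no
server 10.8.0.0 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
log /var/log/openvpn.log
verify-client-cert require
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
EOF
    if [ "$2" = split ]; then
        echo 'push "route 10.10.10.0 255.255.255.0"' >>"$1"
    else
        echo 'push "redirect-gateway def1 bypass-dhcp"' >>"$1"
    fi
}

# Effective directives only: strip '#'/';' comments and blank lines.
directives() { sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"; }
has() { directives "$1" | grep -Eq "$2"; }

# audit_openvpn_conf FILE: one finding per output line, nothing when clean.
# Always returns 0 (safe under set -e); count the lines to get a score.
audit_openvpn_conf() {
    f=$1
    has "$f" '^(comp-lzo|compress)' && echo "compression on: remove comp-lzo/compress (VORACLE), set 'allow-compression no'"
    has "$f" '^(client-cert-not-required|verify-client-cert[[:space:]]+none)' && echo "client certs not required: password is the only client authentication; use 'verify-client-cert require'"
    has "$f" '^(tls-auth|tls-crypt|tls-crypt-v2)' || echo "no control-channel key: add 'tls-crypt ta.key' (openvpn --genkey secret ta.key)"
    has "$f" '^cipher[[:space:]]+.*-CBC' && echo "CBC data cipher: use an AEAD cipher, e.g. 'cipher AES-256-GCM' + 'data-ciphers AES-256-GCM:AES-128-GCM'"
    has "$f" '^tls-version-min' || echo "no tls-version-min: add 'tls-version-min 1.2'"
    has "$f" '^auth[[:space:]]+' || echo "HMAC digest at default SHA1: add 'auth SHA256'"
    { has "$f" '^user[[:space:]]+' && has "$f" '^group[[:space:]]+'; } || echo "no privilege drop: add 'user nobody' and 'group nogroup'"
    return 0
}

demo() {
    tmp=$(mktemp -d)
    write_lab_server_conf "$tmp/lab.conf"
    write_hardened_server_conf "$tmp/hardened.conf" split
    echo "== lab server.conf =="; audit_openvpn_conf "$tmp/lab.conf"
    echo "== hardened server.conf =="; audit_openvpn_conf "$tmp/hardened.conf"
    rm -rf "$tmp"
}
demo
```

The audit is deliberately a directive-level lint, not a replacement for reading the OpenVPN manual: it reports six findings for the lab configuration and none for the hardened one. Note that the hardened variant changes the client side as well: clients need the same tls-crypt key, an AEAD cipher, a personal certificate (homework task 2) and no comp-lzo, otherwise the handshake fails, which is exactly what the log files in step D will show.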