Try our RSS feed

Sys Admin Magazine > Archives > 2005 > June 2005
Print-Friendly Version

Branded VPN Deployment and Seamless Remote Management

Adam Olson

Bridging the gap between production network systems and remote users has always posed challenges. Initial infrastructure design, access privileges, and client software needs all must be addressed to ensure that network capacity and maintenance issues remain manageable as the user base grows. Perhaps the most important consideration is ease of use for the end user. Software, in general, is becoming more and more intuitive and end users expect a certain level of usability and aesthetic quality.

In this article, I will discuss a VPN system that overcomes these technical challenges while also providing an easy-to-use, attractive interface to the user. The solution is based on multiple open source tools. These open source projects are OpenVPN, OpenVPN GUI, Nullsoft Scriptable Install System (NSIS), and TightVNC (see Resources). TightVNC is added to provide seamless remote management that is not provided by the VPN solution itself.

The result will be a company-branded Windows 2000/XP installer that not only includes all client-side VPN configuration and key information, but also provides an integrated VNC server for remote management and assistance upon starting the VPN instance.

Open Source Tools

OpenVPN is a robust and flexible VPN solution that enables most Unix/Linux, Windows 2000/XP, and Mac OSX platforms to securely build encrypted tunnels to one another. These tunnels can be configured in a variety of ways, but in this article, I will focus solely on a point-to-point network design that will be one small or large hub and spoke deployment.

OpenVPN GUI is a very handy front end to managing VPN instances for Windows 2000/XP. This is usually the most prominent end-user operating system within the organization, so an easy-to-use System Tray icon is a must. OpenVPN GUI allows for easy VPN access for most users.

The Nullsoft Scriptable Install System (NSIS) is a great open source project that enables you to create company-branded client installer packages. End-user perception is greatly enhanced when the install process has an in-house look and feel.

You may be familiar with Virtual Network Computing (VNC), and TightVNC is another open source package based on Real VNC. I began using TightVNC over its counterparts about five years ago, so I've stuck with it in this deployment. It is very reliable and carries a small footprint. The same result could probably be attained with a different VNC package if you want to experiment after reading this article.

Data Center Requirements

This article is primarily focused on simplifying the end-user side of things, but it would be incomplete if the data center needs were left unaddressed. In your data center, you will need a dedicated and hardened server running a popular Unix/Linux operating system. Please note the words "dedicated" and "hardened", because this is one machine that you do not want to be compromised. Any remote nodes that require VPN access are inherently passing sensitive data, so take extra caution in this area. Strip down the network services to nothing but SSH and OpenVPN, if possible, and maintain strict firewall rules. For additional information, check out the many online documents on this subject.

The following examples will be based on a system running Red Hat Fedora Core 2.

To compile OpenVPN, run the standard:

# gzip -d openvpn-2.0_rc6.tar.gz
# tar xf openvpn-2.0_rc6.tar
# cd openvpn-2.0_rc6
# ./configure
# make
# make install
If you have any problems compiling, make sure you have LZO compression libraries installed. Please refer to the OpenVPN documentation for details on this.

OpenVPN Server Configuration

To begin, create a directory to house your VPN configuration files and keys:

# cd /etc
# mkdir openvpn
# chmod 700 openvpn
# cd openvpn
Here is a straightforward configuration file for your first server instance that should be named port5023.conf:

### Start Config File Port 5023 ###

# local tun device
dev tun23

# interface addresses
ifconfig 10.23.0.1 10.23.0.2

# key location
secret /etc/openvpn/port5023.key

# port to listen on
port 5023

# user to run as
user nobody
group nobody

# options
comp-lzo
ping 15
verb 1

### End Config File Port 5023 ###
This file has very few options that require changing for each server instance, mainly the tunnel interface on which to bind, the UDP port on which to listen, the location of the key file, and the point-to-point addressing for the VPN connection.

Please note that the example configuration above instructs OpenVPN to switch user and group IDs to the account "nobody". This is ideal if your VPN server is running only OpenVPN daemons as nobody. If the VPN server is running other services under the user and group IDs of nobody, it is best to run OpenVPN as a different user and group ID.

To create the static key for this VPN instance, run this command from within /etc/openvpn:

# /usr/local/sbin/openvpn --genkey --secret port5023.key
At this point, don't forget to add the necessary rule permitting UDP traffic destined to port 5023 within IPTables or your respective firewall software. Also note that a simple Perl script run via cron should be set up to monitor failed attempts at making a connection to this port for security auditing purposes.

You should now be able to start your VPN instance by executing:

# /usr/local/sbin/openvpn --daemon --disable-occ --config \
  /etc/openvpn/port5023.conf
The options passed to OpenVPN are as follows:

--daemon -- Run as a daemon.
--disable-occ -- This option allows, among other things, two different versions of OpenVPN to communicate. This is very handy when you are supporting true telecommuters who don't receive software updates on a routine basis.

--conf -- Specify the location of the configuration file.

You should now have a basic VPN server instance listening on port 5023. If you experience any problems, please review the OpenVPN documentation. It is straightforward to configure, so any issues should be easily resolved.

Building the VPN Installer

VPN clients in this configuration need to know where the VPN server is located, which port to connect to, which statically assigned key to use, and more. This is all accomplished by providing a complete configuration file and key within the company-branded VPN installer. End users will not need nearly as much assistance in remotely accessing the more sensitive resources within the company with an easy-to-use installer executable.

Because we are creating our own Windows 2000/XP installer, the opportunity exists to introduce otherwise totally separate program binaries into the installation process. Instead of simply installing a VPN client with a prearranged key and configuration file, we will also be including TightVNC binaries for both the client and server instance of the VNC protocol.

Download and install the NSIS package on a Windows XP development system at:

http://www.openvpn.se/files/nsis/nsis20b3.exe
Since the release of my production rollout, a newer version of NSIS has been released. Make sure you are using the version linked to above for demonstration purposes, but each principle covered here is applicable to the later versions. However, I have noticed that the latest version of NSIS does require a little bit of tweaking with the following install source zip file, so you will find it easier to use the above version of NSIS anyway.

Next, download the installation source to the same Windows XP development system at:

http://www.openvpn.se/files/install_packages_source/ \
  openvpn_install_source-2.0-rc6-gui-1.0-beta26.zip
This file was put together by Mathias Sundman and includes all of the necessary files for OpenVPN, OpenVPN GUI, and NSIS configuration to build the standard OpenVPN Windows installer package. Unzip this file to your desktop and name the folder "VPN Sources" for now.

To get an idea of what will result from the overall process, open the VPN Sources folder, right-click openvpn-gui.nsi, and left-click "Compile NSI". A few seconds later you should see an OpenVPN installer executable in the "VPN Sources" folder. If you were to execute this installer, the standard version of OpenVPN would be installed. If you ran into any problems creating this executable, please refer to the documentation located at:

http://openvpn.se/files/howto/ \
  openvpn-howto_roll_your_own_installation_package.html
or:

http://nsis.sourceforge.net
Building the Company-Branded VPN Installer

We now have a basic VPN server instance and a standard Windows installer for OpenVPN, but we want to make it custom built for easy deployment. We also want to add TightVNC binaries for instant remote administration and assistance.

Download the complete set of TightVNC 1.3dev6 executables without the installer at:

http://www.tightvnc.com/download.html
For now, unzip and save the included files to your desktop. We will be concerned with the files VNCHooks.dll, vncviewer.exe, WinVNC.exe, and LICENCE.txt. Copy these files to the openvpn folder within the "VPN Sources" folder.

Save the following client-side example configuration file to openvpn/config/VPN.ovpn within your "VPN Sources" folder as well:

### BEGIN CLIENT SIDE CONFIGURATION FILE ###

# vpn server to contact
remote 192.168.10.10

# port to establish connection on
port 5023

# local tunnel device
dev tun

# interface addresses
tun-mtu 1500
ifconfig 10.23.0.2 10.23.0.1
route 10.0.0.0 255.0.0.0 10.23.0.1


# key location
secret "c:\\program files\\company branded vpn\\config\\key.txt"

# enable LZO compression
comp-lzo

# moderate verbosity
verb 0
mute 10

;fragment 1300
;mssfix

; ping-restart 60
; ping-timer-rem
; persist-tun
; persist-key
; resolv-retry 86400

# keep-alive ping
ping 10

# enable LZO compression
comp-lzo

# moderate verbosity
verb 4
mute 10

### END CLIENT SIDE CONFIGURATION FILE ###
You will see a number of options in the above example configuration, and I encourage you to test different settings. For now, a reasonable number of options are enabled, and the rest are commented out with a leading semicolon. The most important options will be the IP address of your VPN server, the port number on which to connect, the location of the key file, and the addressing assignments of the VPN interface. Also, note the route command listed above. You have control over establishing entries in the end user's routing table upon successful completion of the VPN tunnel creation. This comes in handy in a number of situations.

Before moving on, you will also need to copy the contents of /etc/openvpn/port5023.key on your VPN server to openvpn/config/key.txt within the "VPN Sources" folder. This step ensures the new VPN installer will have the correct key when establishing the encrypted tunnel.

To wrap up the company-branded VPN installer portion, open the "VPN Sources" folder and edit openvpn-gui.nsi. Replace the first section of code with this:

!include "MUI.nsh"
!include "setpath.nsi"

!define MASTER "x:\openvpn\exp\openvpn"

!define HOME "openvpn"
!define BIN "${HOME}\bin"

!define MUI_PRODUCT "Company Branded VPN"
!define OPENVPN_VERSION "2.0"
!define GUI_VERSION "2.0"
!define MYCERT_VERSION "0.3.2b"
!define MUI_VERSION "-"
;!define MUI_VERSION "${OPENVPN_VERSION}-gui-${GUI_VERSION}"

!define TAP "tap0801"
!define TAPDRV "${TAP}.sys"
Now find the line that starts with "OutFile" and replace it with:

OutFile "Company Branded VPN.exe"
Next, locate the line:

File "${HOME}\openvpn.exe"
And add directly below it (overwriting the identically named sections):

  SetOutPath "c:\program files\TightVNC"

nsExec::ExecToLog '"c:\program files\TightVNC\winvnc.exe" -kill'
    

  File "${HOME}\vncviewer.exe"
  File "${HOME}\WinVNC.exe"
  File "${HOME}\LICENCE.txt"
  File "${HOME}\VNCHooks.dll"

nsExec::ExecToLog '"c:\program files\TightVNC\winvnc.exe" -reinstall'
nsExec::ExecToLog 'net start winvnc'

SectionEnd

Section "OpenVPN GUI" SecGUI

  SetOverwrite on
  SetOutPath "$INSTDIR\bin"
  File "${HOME}\openvpn-gui.exe"

  SetOutPath "$INSTDIR\config"
  File "${HOME}\config\VPN.ovpn"
  File "${HOME}\config\key.txt"

  CreateDirectory "$INSTDIR\log"

SectionEnd
Next, locate the following lines:

Delete "$INSTDIR\config\README.txt"
Delete "$INSTDIR\config\sample.${SERV_CONFIG_EXT}.txt"
and replace them with:

Delete "$INSTDIR\config\key.txt"
Delete "$INSTDIR\config\README.txt"
Delete "$INSTDIR\config\VPN.ovpn"
This step ensures removal of the key and configuration file in the event the user uninstalls the company-branded VPN package.

Finally, in the "VPN Sources\openvpn" folder, rename openvpn-2.0_rc6.zip to openvpn-2.0.zip and openvpn-gui-1.0-beta26.zip to openvpn-gui-2.0.zip. I do this to keep the version of the primary application OpenVPN simple; feel free to address this issue as desired.

Return to the "VPN Sources" folder, right-click openvpn-gui.nsi and left-click compile NSI. If you made all the changes correctly, you will now see a "Company Branded VPN.exe" in the "VPN Sources" folder. It will include a complete example configuration, the appropriate key, and a company-branded look and feel to the installer. It will also install TightVNC, register it as a Windows Service, and start you on your way to easier remote user administration with secure remote access.

Where You Can Go from Here

The general ideas outlined in this article enable systems and network administrators to deploy a company-branded VPN solution for the Windows 2000/XP platform, which can be extended to other client platforms with additional work. This solution allows administrators to control what the end user's workstation knows about (routing table additions), what the end user is permitted to access (VPN server's firewall configuration), and utilizes open source tools, thereby allowing a company to deploy cost-effective and branded solutions to its users.

Resources

NSIS Web site -- http://nsis.sourceforge.net

OpenVPN Web site -- http://www.openvpn.net

OpenVPN GUI Web site -- http://openvpn.se

Real VNC Web site -- http://www.realvnc.com

TightVNC Web site -- http://www.tightvnc.com

Adam Olson lives in Northern California. He's been active in network design, systems administration, and systems programming for more than nine years with various companies like MCI WorldCom and small Bay Area startups. He has now co-founded a relatively new company serving the needs of small and medium-sized businesses that is called Office Appliance (http://officeappliance.com).

Current Issue


Table of contents

Buy this issue.

Unix Review Spotlight

Certification: Test Your Knowledge of Wireless Technology
Think you�re ready to sign up for the CWNA (Certified Wireless Network Administrator) exam or one similar to it? Before you do, test your knowledge of wireless technology � and readiness for such a certification test � with this sample exam of questions on basics of the technology.

Systems raid array and disk drive component failures can happen at anytime. Learn about how SalvageData Recovery Labs data recovery software & services professionals can help to salvage and recover your critical hard drive or RAID data failures.

CMP DevNet Spotlight

Global Web Site Performance Improvement
Jeffrey Fulmer explains how to get a comprehensive picture of your site's performance and describes some tips for improving it.

Looking for the Code?

The complete source code from each issue is available here.

In the News

Cell Users Compromise Airplane Safety, Study Says
Carnegie Mellon University researchers conclude that passengers are regularly violating the ban on using the devices and are creating risk to airplane navigation.


Apple Fixes Critical Safari Bug, 16 Other Flaws
Apple Computer releases its first security update of 2006 to patch 17 bugs, including a critical flaw in the Safari browser and a gaffe in iChat that was used by the first Mac OS X worm to infect Macintosh machines.


Registrar Firms Objects To ICANN-VeriSign Agreement
Domain registrars are seeking to derail the agreement before the U.S. Department of Commerce approves the deal.


Bagle Bullies Users Into Infections
A variant of the long-running Bagle worm appeared Wednesday, and tried to bully people into installing its payload.


Philadelphia Will Provide Wi-Fi Access For Under $20 Per Month
City's agreement with Earthlink will create a 135-square-mile hotspot supplied largely by 700 discounted discounted T-1 links.


Subscribe Today!

Subscribe to THE journal for UNIX systems administrators. Receive 45% off your subscription by following the link below:

Newsletter

Subscribe to the
Sys Admin email newsletter...
Email Address
First Name
Last Name

CD-ROM

Sys Admin and The Perl Journal CD-ROM version 11.0

Version 11.0 delivers every issue of Sys Admin from 1992 through 2005 and every issue of The Perl Journal from 1996-2002 in one convenient CD-ROM!

Order now!




MarketPlace

Technical Webinars for Embedded Linux Developers
Interactive, educational Webinars led by technical experts show you how to navigate the open source community, create a kernel and root filesystem, integrate real-time extensions, enable field upgradeability and more. Space is limited. Register now.

Resource for Embedded Linux Developers
Free Resource. Latest components for Freescale, Intel, ARM and MIPS processors. Cross-development environment, reference Linux distribution, 500+ cross-compiled packages, developer documentation, online help and more. Register Now.

Bug Tracking Like You've Never Seen Before
Full API hooks ExtraView bug tracking into your applications, Web, source control & testing tools.

We BUY Technology Hardware!
We'll buy your Technology Hardware even if you don't buy ours. Get an offer today!

Wanna see your ad here?

SoftTree TechnologiesCycladesFree Unix Spec BookManage IT with less effort. Go!Get to root cause faster. Troubleshoot with ease.Get better mainframe performance. Go!DaniWeb IT CommunitySSL Certificates from VeriSignCrystal Reports TrainingCheap Web HostingVideo Conferencing EquipmentWeb HostingPlotter PaperLaser LabelsReseller Hosting