Branded VPN Deployment and Seamless Remote Management
Adam Olson
Bridging the gap between production network systems
and remote users has always posed challenges. Initial
infrastructure design, access privileges, and client
software needs all must be addressed to ensure that
network capacity and maintenance issues remain
manageable as the user base grows. Perhaps the most
important consideration is ease of use for the end user.
Software, in general, is becoming more and more
intuitive and end users expect a certain level of
usability and aesthetic quality.
In this article, I will discuss a VPN system that
overcomes these technical challenges while also
providing an easy-to-use, attractive interface to the
user. The solution is based on multiple open source
tools. These open source projects are OpenVPN, OpenVPN
GUI, Nullsoft Scriptable Install System (NSIS), and
TightVNC (see Resources). TightVNC is added to provide
seamless remote management that is not provided by the
VPN solution itself.
The result will be a company-branded Windows 2000/XP
installer that not only includes all client-side VPN
configuration and key information, but also provides an
integrated VNC server for remote management and
assistance upon starting the VPN instance.
Open Source Tools
OpenVPN is a robust and flexible VPN solution that
enables most Unix/Linux, Windows 2000/XP, and Mac OSX
platforms to securely build encrypted tunnels to one
another. These tunnels can be configured in a variety of
ways, but in this article, I will focus solely on a
point-to-point design that, repeated once per remote
node, forms a small or large hub-and-spoke deployment.
OpenVPN GUI is a very handy front end for managing VPN
instances on Windows 2000/XP. This is usually the most
prominent end-user operating system within the
organization, so an easy-to-use System Tray icon is a
must. OpenVPN GUI makes VPN access simple for most
users.
The Nullsoft Scriptable Install System (NSIS) is a
great open source project that enables you to create
company-branded client installer packages. End-user
perception is greatly enhanced when the install process
has an in-house look and feel.
You may be familiar with Virtual Network Computing
(VNC), and TightVNC is another open source package based
on Real VNC. I began using TightVNC over its
counterparts about five years ago, so I've stuck with it
in this deployment. It is very reliable and carries a
small footprint. The same result could probably be
attained with a different VNC package if you want to
experiment after reading this article.
Data Center Requirements
This article is primarily focused on simplifying the
end-user side of things, but it would be incomplete if
the data center needs were left unaddressed. In your
data center, you will need a dedicated and hardened
server running a popular Unix/Linux operating system.
Please note the words "dedicated" and "hardened",
because this is one machine that you do not want to be
compromised. Any remote nodes that require VPN access
are inherently passing sensitive data, so take extra
caution in this area. Strip down the network services to
nothing but SSH and OpenVPN, if possible, and maintain
strict firewall rules. For additional information, check
out the many online documents on this subject.
The following examples will be based on a system
running Red Hat Fedora Core 2.
To compile OpenVPN, run the standard:
# gzip -d openvpn-2.0_rc6.tar.gz
# tar xf openvpn-2.0_rc6.tar
# cd openvpn-2.0_rc6
# ./configure
# make
# make install
If you have any problems compiling, make sure you
have LZO compression libraries installed. Please refer
to the OpenVPN documentation for details on this.
OpenVPN Server Configuration
To begin, create a directory to house your VPN
configuration files and keys:
# cd /etc
# mkdir openvpn
# chmod 700 openvpn
# cd openvpn
Here is a straightforward configuration file for
your first server instance that should be named
port5023.conf:
### Start Config File Port 5023 ###
# local tun device
dev tun23
# interface addresses
ifconfig 10.23.0.1 10.23.0.2
# key location
secret /etc/openvpn/port5023.key
# port to listen on
port 5023
# user to run as
user nobody
group nobody
# options
comp-lzo
ping 15
verb 1
### End Config File Port 5023 ###
This file has very few options that require
changing for each server instance, mainly the tunnel
interface on which to bind, the UDP port on which to
listen, the location of the key file, and the
point-to-point addressing for the VPN connection.
Please note that the example configuration above
instructs OpenVPN to switch user and group IDs to the
account "nobody". This is ideal if your VPN server is
running only OpenVPN daemons as nobody. If the VPN
server is running other services under the user and
group IDs of nobody, it is best to run OpenVPN as a
different user and group ID.
To create the static key for this VPN instance, run
this command from within /etc/openvpn:
# /usr/local/sbin/openvpn --genkey --secret port5023.key
At this point, don't forget to add the necessary
rule permitting UDP traffic destined to port 5023 within
IPTables or your respective firewall software. Also note
that a simple Perl script run via cron should be set up
to monitor failed attempts at making a connection to
this port for security auditing purposes.
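The audit script this paragraph calls for, written here as an added Python example rather than the author's Perl. It assumes syslog lines in the shape OpenVPN writes when a packet fails the static-key HMAC check (the sample lines are constructed, not a real capture) and an alert threshold of five failures, which the article does not specify:

```python
"""Cron-style check of the VPN server's syslog for failed connection
attempts against a static-key OpenVPN port. Added example: the log lines
are constructed in the shape of OpenVPN's HMAC-failure message, and the
alert threshold is an assumption, not something the article specifies."""
import re
from collections import Counter

# A packet that fails the static-key HMAC check is logged with this phrase;
# the sending peer's address:port precedes the message text.
FAILURE = re.compile(
    r"openvpn\[\d+\]: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ .*"
    r"packet HMAC authentication failed")

def failed_attempts(lines):
    """Return a Counter of HMAC failures keyed by source address."""
    hits = Counter()
    for line in lines:
        m = FAILURE.search(line)
        if m:
            hits[m.group("src")] += 1
    return hits

def noisy_sources(lines, threshold=5):
    """Sources with at least `threshold` failures, busiest first."""
    return [(ip, n) for ip, n in failed_attempts(lines).most_common()
            if n >= threshold]

def report(lines, threshold=5):
    """One line per offending source, empty string if nothing to report."""
    return "\n".join(f"{ip}: {n} packets failed HMAC authentication"
                     for ip, n in noisy_sources(lines, threshold))

# Constructed sample: six bad packets from one host, one from another, and
# a normal startup message that must not be counted.
SAMPLE_LOG = [
    "Mar  1 10:00:0%d vpn openvpn[4142]: 203.0.113.7:4102%d Authenticate/"
    "Decrypt packet error: packet HMAC authentication failed" % (i, i)
    for i in range(6)
] + [
    "Mar  1 10:00:07 vpn openvpn[4142]: 198.51.100.3:51000 Authenticate/"
    "Decrypt packet error: packet HMAC authentication failed",
    "Mar  1 10:00:09 vpn openvpn[4142]: Initialization Sequence Completed",
]

if __name__ == "__main__":
    # In production, feed in the lines from /var/log/messages (or wherever
    # syslog sends the daemon facility) instead of the constructed sample.
    print(report(SAMPLE_LOG) or "no failed attempts")
```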
You should now be able to start your VPN instance by
executing:
# /usr/local/sbin/openvpn --daemon --disable-occ --config \
/etc/openvpn/port5023.conf
The options passed to OpenVPN are as follows:
--daemon -- Run as a daemon.
--disable-occ -- This option allows, among
other things, two different versions of OpenVPN to
communicate. This is very handy when you are supporting
true telecommuters who don't receive software updates on
a routine basis.
--config -- Specify the location of the
configuration file.
You should now have a basic VPN server instance
listening on port 5023. If you experience any problems,
please review the OpenVPN documentation. It is
straightforward to configure, so any issues should be
easily resolved.
Building the VPN Installer
VPN clients in this configuration need to know where
the VPN server is located, which port to connect to,
which statically assigned key to use, and more. This is
all accomplished by providing a complete configuration
file and key within the company-branded VPN installer.
With an easy-to-use installer executable, end users will
need far less assistance in remotely accessing the more
sensitive resources within the company.
Because we are creating our own Windows 2000/XP
installer, the opportunity exists to introduce otherwise
totally separate program binaries into the installation
process. Instead of simply installing a VPN client with
a prearranged key and configuration file, we will also
be including TightVNC binaries for both the client and
server instance of the VNC protocol.
Download and install the NSIS package on a Windows XP
development system at:
http://www.openvpn.se/files/nsis/nsis20b3.exe
Since the release of my production rollout, a
newer version of NSIS has been released. Make sure you
are using the version linked to above for demonstration
purposes, but each principle covered here is applicable
to the later versions. However, I have noticed that the
latest version of NSIS does require a little bit of
tweaking with the following install source zip file, so
you will find it easier to use the above version of NSIS
anyway.
Next, download the installation source to the same
Windows XP development system at:
http://www.openvpn.se/files/install_packages_source/openvpn_install_source-2.0-rc6-gui-1.0-beta26.zip
This file was put together by Mathias Sundman and
includes all of the necessary files for OpenVPN, OpenVPN
GUI, and NSIS configuration to build the standard
OpenVPN Windows installer package. Unzip this file to
your desktop and name the folder "VPN Sources" for now.
To get an idea of what will result from the overall
process, open the VPN Sources folder, right-click
openvpn-gui.nsi, and left-click "Compile NSI". A few
seconds later you should see an OpenVPN installer
executable in the "VPN Sources" folder. If you were to
execute this installer, the standard version of OpenVPN
would be installed. If you ran into any problems
creating this executable, please refer to the
documentation located at:
http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html
or:
http://nsis.sourceforge.net
Building the Company-Branded VPN Installer
We now have a basic VPN server instance and a
standard Windows installer for OpenVPN, but we want to
make it custom built for easy deployment. We also want
to add TightVNC binaries for instant remote
administration and assistance.
Download the complete set of TightVNC 1.3dev6
executables without the installer at:
http://www.tightvnc.com/download.html
For now, unzip and save the included files to your
desktop. We will be concerned with the files
VNCHooks.dll, vncviewer.exe, WinVNC.exe, and
LICENCE.txt. Copy these files to the openvpn folder
within the "VPN Sources" folder.
Save the following client-side example configuration
file to openvpn/config/VPN.ovpn within your "VPN
Sources" folder as well:
### BEGIN CLIENT SIDE CONFIGURATION FILE ###
# vpn server to contact
remote 192.168.10.10
# port to establish connection on
port 5023
# local tunnel device
dev tun
# tunnel MTU
tun-mtu 1500
# interface addresses (mirror of the server's ifconfig line)
ifconfig 10.23.0.2 10.23.0.1
# route added to the client's routing table once the tunnel is up
route 10.0.0.0 255.0.0.0 10.23.0.1
# key location
secret "c:\\program files\\company branded vpn\\config\\key.txt"
# optional settings, disabled with a leading semicolon
;fragment 1300
;mssfix
;ping-restart 60
;ping-timer-rem
;persist-tun
;persist-key
;resolv-retry 86400
# keep-alive ping
ping 10
# enable LZO compression
comp-lzo
# moderate verbosity
verb 4
mute 10
### END CLIENT SIDE CONFIGURATION FILE ###
You will see a number of options in the above
example configuration, and I encourage you to test
different settings. For now, a reasonable number of
options are enabled, and the rest are commented out with
a leading semicolon. The most important options will be
the IP address of your VPN server, the port number on
which to connect, the location of the key file, and the
addressing assignments of the VPN interface. Also, note
the route command listed above. You have control over
establishing entries in the end user's routing table
upon successful completion of the VPN tunnel creation.
This comes in handy in a number of situations.
Before moving on, you will also need to copy the
contents of /etc/openvpn/port5023.key on your VPN server
to openvpn/config/key.txt within the "VPN Sources"
folder. This step ensures the new VPN installer will
have the correct key when establishing the encrypted
tunnel. Because this static key is the only thing that
authenticates the client to the server, treat the
finished installer with the same care as the key file
itself.
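An added example, not from the article, that renders the port5023.conf server file shown earlier and the VPN.ovpn client file together and checks that the two ends mirror each other before the key is copied into the installer. It assumes the article's numbering as a convention (port 50NN pairs with tunNN and 10.NN.0.1/10.NN.0.2); everything else is taken from the two configuration files above:

```python
"""Render the matching server and client side of one static-key instance
laid out as in the article (port 5023 -> tun23, 10.23.0.1/10.23.0.2) and
verify that the two ends actually mirror each other before shipping."""
import re

# Assumed convention, taken from the article's numbers: port 50NN -> tunNN,
# 10.NN.0.1 on the server, 10.NN.0.2 on the client.
def instance_index(port):
    idx = port - 5000
    if not 1 <= idx <= 254:          # must fit a tun name and a 10.N.0.x octet
        raise ValueError("port must be in 5001..5254")
    return idx

def server_config(port, run_as="nobody"):
    """/etc/openvpn/port<port>.conf; run_as is the unprivileged account."""
    n = instance_index(port)
    return "\n".join([
        f"dev tun{n}", f"ifconfig 10.{n}.0.1 10.{n}.0.2",
        f"secret /etc/openvpn/port{port}.key", f"port {port}",
        f"user {run_as}", f"group {run_as}",
        "comp-lzo", "ping 15", "verb 1", ""])

# Where the installer places the key on the client (quoted, backslashes doubled).
CLIENT_KEY = r"c:\\program files\\company branded vpn\\config\\key.txt"

def client_config(port, remote, key_path=CLIENT_KEY):
    """VPN.ovpn for the installer; remote is the VPN server's address."""
    n = instance_index(port)
    return "\n".join([
        f"remote {remote}", f"port {port}", "dev tun", "tun-mtu 1500",
        f"ifconfig 10.{n}.0.2 10.{n}.0.1",
        f"route 10.0.0.0 255.0.0.0 10.{n}.0.1",
        f'secret "{key_path}"',
        "comp-lzo", "ping 10", "verb 4", "mute 10", ""])

def _option(conf, name):
    """Values of the first `name` directive in conf, or None if absent."""
    m = re.search(rf"^{name}[ \t]+(.+)$", conf, re.M)
    return m.group(1).split() if m else None

def pair_is_consistent(server, client):
    """Same UDP port at both ends and ifconfig local/remote swapped."""
    same_port = _option(server, "port") == _option(client, "port")
    s_if, c_if = _option(server, "ifconfig"), _option(client, "ifconfig")
    return same_port and s_if is not None and c_if == s_if[::-1]
```

The key material itself still comes from the openvpn --genkey step on the server; this only keeps the two text files in step.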
To wrap up the company-branded VPN installer portion,
open the "VPN Sources" folder and edit openvpn-gui.nsi.
Replace the first section of code with this:
!include "MUI.nsh"
!include "setpath.nsi"
!define MASTER "x:\openvpn\exp\openvpn"
!define HOME "openvpn"
!define BIN "${HOME}\bin"
!define MUI_PRODUCT "Company Branded VPN"
!define OPENVPN_VERSION "2.0"
!define GUI_VERSION "2.0"
!define MYCERT_VERSION "0.3.2b"
!define MUI_VERSION "-"
;!define MUI_VERSION "${OPENVPN_VERSION}-gui-${GUI_VERSION}"
!define TAP "tap0801"
!define TAPDRV "${TAP}.sys"
Now find the line that starts with "OutFile" and
replace it with:
OutFile "Company Branded VPN.exe"
Next, locate the line:
File "${HOME}\openvpn.exe"
And add directly below it (overwriting the
identically named sections):
SetOutPath "c:\program files\TightVNC"
nsExec::ExecToLog '"c:\program files\TightVNC\winvnc.exe" -kill'
File "${HOME}\vncviewer.exe"
File "${HOME}\WinVNC.exe"
File "${HOME}\LICENCE.txt"
File "${HOME}\VNCHooks.dll"
nsExec::ExecToLog '"c:\program files\TightVNC\winvnc.exe" -reinstall'
nsExec::ExecToLog 'net start winvnc'
SectionEnd
Section "OpenVPN GUI" SecGUI
SetOverwrite on
SetOutPath "$INSTDIR\bin"
File "${HOME}\openvpn-gui.exe"
SetOutPath "$INSTDIR\config"
File "${HOME}\config\VPN.ovpn"
File "${HOME}\config\key.txt"
CreateDirectory "$INSTDIR\log"
SectionEnd
Next, locate the following lines:
Delete "$INSTDIR\config\README.txt"
Delete "$INSTDIR\config\sample.${SERV_CONFIG_EXT}.txt"
and replace them with:
Delete "$INSTDIR\config\key.txt"
Delete "$INSTDIR\config\README.txt"
Delete "$INSTDIR\config\VPN.ovpn"
This step ensures removal of the key and
configuration file in the event the user uninstalls the
company-branded VPN package.
Finally, in the "VPN Sources\openvpn" folder, rename
openvpn-2.0_rc6.zip to openvpn-2.0.zip and
openvpn-gui-1.0-beta26.zip to openvpn-gui-2.0.zip. I do
this to keep the version of the primary application
OpenVPN simple; feel free to address this issue as
desired.
Return to the "VPN Sources" folder, right-click
openvpn-gui.nsi and left-click "Compile NSI". If you made
all the changes correctly, you will now see a "Company
Branded VPN.exe" in the "VPN Sources" folder. It will
include a complete example configuration, the
appropriate key, and a company-branded look and feel to
the installer. It will also install TightVNC, register
it as a Windows Service, and start you on your way to
easier remote user administration with secure remote
access.
Where You Can Go from Here
The general ideas outlined in this article enable
systems and network administrators to deploy a
company-branded VPN solution for the Windows 2000/XP
platform, which can be extended to other client
platforms with additional work. This solution lets
administrators control what the end user's workstation
knows about (routing table additions) and what the end
user is permitted to access (the VPN server's firewall
configuration), and because it is built on open source
tools, a company can deploy a cost-effective, branded
solution to its users.
Resources
NSIS Web site -- http://nsis.sourceforge.net
OpenVPN Web site -- http://www.openvpn.net
OpenVPN GUI Web site -- http://openvpn.se
Real VNC Web site -- http://www.realvnc.com
TightVNC Web site -- http://www.tightvnc.com
Adam Olson lives in Northern California. He's been
active in network design, systems administration, and
systems programming for more than nine years with
various companies like MCI WorldCom and small Bay Area
startups. He has now co-founded a relatively new company
serving the needs of small and medium-sized businesses
that is called Office Appliance
(http://officeappliance.com).