Using an ifconfig-pool block

In this recipe, we will use an ifconfig-pool block to separate regular VPN clients from administrative VPN clients. This makes it easier to set up different firewall rules for administrative users.

Getting ready

This recipe uses the PKI files created in the first recipe of this chapter. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the regular VPN client was running Windows 7 64 bit and OpenVPN 2.3.11 and was assigned to the 192.168.200.0 network. The VPN client Admin was running Fedora 20 Linux and OpenVPN 2.3.9 and was on the 192.168.202.0 network. Keep the client configuration file, basic-udp-client.conf, from the Server-side routing recipe at hand.

We use the following network layout:

Getting ready

How to do it...

  1. Create the server configuration file:
            proto udp 
            port 1194 
            dev tun 
     
            mode server 
            ifconfig 192.168.200.1 255.255.255.0 
            ifconfig-pool 192.168.200.100 192.168.200.120 
            route 192.168.200.0 255.255.248.0 192.168.200.1 
            push "route 192.168.200.1" 
            push "route 192.168.200.0 255.255.248.0" 
     
            ca       /etc/openvpn/cookbook/ca.crt 
            cert     /etc/openvpn/cookbook/server.crt 
            key      /etc/openvpn/cookbook/server.key 
            dh       /etc/openvpn/cookbook/dh2048.pem 
            tls-auth /etc/openvpn/cookbook/ta.key 0 
     
            persist-key 
            persist-tun 
            keepalive 10 60 
     
            topology subnet 
            push "topology subnet" 
     
            user  nobody 
            group nobody  # use "group nogroup" on some distros 
     
            daemon 
            log-append /var/log/openvpn.log 
     
            client-config-dir /etc/openvpn/cookbook/clients 
    

    Then save it as example2-9-server.conf.

  2. Start the server:
           [root@server]# openvpn --config example2-9-server.conf
    
  3. The administrative VPN client will be assigned a special IP address using a client-configuration file:
           [root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients
           [root@server]# cd /etc/openvpn/cookbook/clients
           [root@server]# echo "ifconfig-push 192.168.202.6 
               192.168.202.6" 
             > client1
    

    Note that the client VPN address is listed twice. This is not a typo; for more details on this, refer to the previous recipe.

  4. Note that the clients directory needs to be world-readable, as the OpenVPN server process will run as user nobody after starting up.
  5. Next, start the Linux client using the configuration file from the earlier recipe:
           [root@AdminClient]# openvpn --config basic-udp-client.conf
    [...]
    [openvpnserver] Peer Connection Initiated with 
               openvpnserver:1194
    TUN/TAP device tun0 opened
    do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    /usr/sbin/ip link set dev tun0 up mtu 1500
    /usr/sbin/ip addr add dev tun0 192.168.202.6/24 broadcast     
               192.168.200.255
    Initialization Sequence Completed  
    

    The IP address that is assigned to the administrative client is highlighted for clarity.

  6. Create a configuration file for the Windows client:
            client 
            proto udp 
            remote openvpnserver.example.com 
            port 1194 
            dev tun 
            nobind 
     
            ca       "c:/program files/openvpn/config/ca.crt" 
            cert     "c:/program files/openvpn/config/client2.crt" 
            key      "c:/program files/openvpn/config/client2.key" 
            tls-auth "c:/program files/openvpn/config/ta.key" 1 
     
            remote-cert-tls server 
    
  7. Then save it as basic-udp-client.ovpn.

    Note

    Note the use of the forward slash (/), which is easier to use than the backslash (), as the backslash needs to be repeated twice each time.

  8. Transfer the ca.crtclient2.crt, and client2.key files along with the tls-auth secret key file, ta.key, to the Windows machine using a secure channel, such as winscp or the PuTTY pscp command-line tool.
  9. Start the Windows client using the OpenVPN GUI:
    How to do it...

    Note

    Remember that this client's private key file is protected using a password or passphrase. After both the clients are connected, we verify that they can ping each other and the server (assuming that no firewalls are blocking access).

  10. On the Admin Client:
          [AdminClient]$ ping 192.168.200.1
          [AdminClient]$ ping 192.168.200.102
    
  11. And on the regular client:
          [WinClient]C:> ping 192.168.200.1
          [WinClient]C:> ping 192.168.202.6
    

How it works...

A server configuration file normally uses the following directive to configure a range of IP addresses for the clients:

server 192.168.200.0 255.255.255.0 

This directive is internally expanded to the following:

mode server 
tls-server 
 
ifconfig 192.168.200.1 192.168.200.2  
ifconfig-pool 192.168.200.4 192.168.200.251 
route 192.168.200.0 255.255.255.0 
push "route 192.168.200.1" 
if (topology==subnet) push "topology subnet" 

So, by not using the server directive, but by specifying our own ifconfig-pool range, we can override this behavior. We then use a CCD file to assign an IP address to the administrative client, which falls outside of the ifconfig-pool range. By using the appropriate route and push "route" statements, we ensure that all clients are able to ping each other.

Note that we also need to explicitly push the topology in this case, as this is no longer done automatically by the server directive.

There's more..

There are many details to consider when setting up the default configuration files.

Configuration files on Windows

The OpenVPN GUI application on Windows always starts in the directory:

C:Program FilesOpenVPNconfig 

Or, C:Program Files(x86)... when using the 32-bit version of OpenVPN on 64-bit versions of Windows. Thus, the directory paths in the basic-udp-client.ovpn configuration file can be omitted:

ca       ca.crt 
cert     client2.crt 
key      client2.key 
tls-auth ta.key 1 

Client-to-client access

With this setup, the VPN clients can connect to each other even though we did not make use of the following directive in the server-side configuration:

client-to-client 

This is possible due to the route and push "route" statements in the server configuration file. The advantage of not using client-to-client is that it is still possible to filter out unwanted traffic using iptables or another firewalling solution.

If there is no need for the administrative clients to connect to the regular VPN clients (or vice versa), then the netmask can be adjusted to:

route 192.168.200.0 255.255.255.0 
push "route 192.168.200.0 255.255.255.0" 

Now, the networks are completely separated.

Using the TCP protocol

In this example, we chose the UDP protocol. The client configuration file in this recipe can easily be converted to use TCP protocol by changing the line:

proto udp 

Change it to the following:

proto tcp 

Save this file as basic-tcp-client.ovpn for future use.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.17.155.54