OpenVPN Hands-On Guide - TLS TAP (Right)

Dec 9, 2013

OpenVPN Hands-on Practice Guide
Page 1 of 8
Stephen 9/5/2005 5:53 PM


1. Application:
ixp0 (LAN1): 192.168.3.127 / 255.255.255.0
ixp1 (LAN2): 192.168.4.127 / 255.255.255.0

[Figure: UC-Right, with ixp0 (LAN1) connected to UC-Left and ixp1 (LAN2) connected to the local LAN]

2. Configure the IP settings for the host laptop.
a. Right-click "My Network Places" and select "Properties". Then right-click "Local Area Connection" and select "Properties".
b. Configure the host PC's IP address to 192.168.4.1 / 255.255.255.0


3. Connect the cross-over Ethernet cable from the laptop to LAN2 of the UC.
4. telnet to the UC. (Start → Run → telnet 192.168.4.127)


5. Change the network settings of the UC.
a. Log in to the UC: Login / Password: root / root

b. Change the LAN1/LAN2 IP settings:
# vi /etc/network/interfaces
ixp0 (LAN1): 192.168.12.202 / 255.255.255.0
ixp1 (LAN2): 10.0.2.254 / 255.255.255.0
[Screenshot: the interfaces file edited in vi; press ESC, then :wq to save]
c. Configure the system time, then restart the UC and close the telnet window.

# date 091314202005  (MMDDhhmmYYYY: 09-13 14:20 2005)
# reboot
6. Reconfigure the laptop's IP to 10.0.2.1 / 255.255.255.0, gateway 10.0.2.254


7. telnet to the UC and log in (root / root).


8. Change to the OpenVPN working directory and create the configuration file.
# cd /etc/openvpn
# vi /etc/openvpn/tap0-br.conf
[Screenshot: tap0-br.conf edited in vi; press ESC, then :wq to save]

# mkdir -p /etc/openvpn/easy-rsa/keys   (the scp commands in step 10 copy into this keys directory, so it must exist)
9. Modify the routing script.
# vi /etc/openvpn/tap0-br.sh
[Screenshot: tap0-br.sh edited in vi; press ESC, then :wq to save]
# chmod +x /etc/openvpn/tap0-br.sh

10. Connect LAN1 of UC-Right to LAN1 of UC-Left; securely copy the CA certificate, UC-Right's key/certificate, and also the dh value to the local directory using the "scp" or "sftp" commands.

# scp root@192.168.12.201:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys
# scp root@192.168.12.201:/etc/openvpn/easy-rsa/keys/right.crt /etc/openvpn/easy-rsa/keys
# scp root@192.168.12.201:/etc/openvpn/easy-rsa/keys/right.key /etc/openvpn/easy-rsa/keys
# scp root@192.168.12.201:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys

[Note]:
a. Confirm with your partner that those files have been generated and placed in the correct location (/etc/openvpn/easy-rsa/keys).

b. Each UC needs its own key and certificate for the communication. Since the files are generated by UC-Left (the CA server), there should be a better way to securely transfer the files from UC-Left to UC-Right; floppy disks or a USB pen drive should also be considered.

c. For how to use the "sftp" command, please refer to the CDROM file "OpenVPN Hands-On guide(TLS - Left).doc".








11. Modify the script that starts the modules and the configuration file.
# vi /etc/openvpn/openvpn-bridge
[Screenshot: openvpn-bridge edited in vi]

[Note]:
Use ":117" to jump to line 117 and add "openvpn --config /etc/openvpn/tap0-br.conf". Note the double dashes before "config".
Finally press ESC and use ":wq" to save the file.

12. Create two scripts to start/stop OpenVPN automatically.
# vi /etc/openvpn/openvpn_go
[Screenshot: openvpn_go edited in vi; press ESC, then :wq to save]
# vi /etc/openvpn/openvpn_stop
[Screenshot: openvpn_stop edited in vi; press ESC, then :wq to save]

# chmod +x /etc/openvpn/openvpn_*
# ln -s /etc/openvpn/openvpn_go /etc/rc.d/rc3.d/S32vpn-tap
# ln -s /etc/openvpn/openvpn_stop /etc/rc.d/rc6.d/K32vpn-tap
# reboot

[Note]:
To start OpenVPN manually without modifying "openvpn-bridge" at step 11:
# /etc/openvpn/openvpn-bridge start
# openvpn --config /etc/openvpn/tap0-br.conf
(Note the double dashes before "config".)

To stop OpenVPN manually:
# /etc/openvpn/openvpn-bridge stop

In this hands-on practice, we use the scripts to start/stop OpenVPN automatically.
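The contents of openvpn_go and openvpn_stop appear in the guide only as screenshots. The script below is an added example in their place, not the guide's own scripts: one file that handles both start and stop, records the daemon's pid, refuses a double start and cleans up a stale pidfile. It assumes OpenVPN's --daemon and --writepid options; the variables CONF, PIDFILE and OPENVPN_BIN and the functions vpn_running/vpn_start/vpn_stop are our own names, and OPENVPN_BIN exists so the logic can be exercised without OpenVPN installed.

```shell
#!/bin/sh
# Added example (not the guide's openvpn_go/openvpn_stop): start/stop wrapper for the
# tap0-br.conf instance. Assumes OpenVPN understands --daemon and --writepid.
CONF=${CONF:-/etc/openvpn/tap0-br.conf}
PIDFILE=${PIDFILE:-/var/run/openvpn-tap0.pid}
OPENVPN_BIN=${OPENVPN_BIN:-openvpn}     # overridable for testing

# Return 0 if the pidfile names a live process.
vpn_running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

vpn_start() {
    if vpn_running; then
        echo "openvpn already running (pid $(cat "$PIDFILE"))"
        return 1
    fi
    rm -f "$PIDFILE"                    # stale pidfile left by an unclean shutdown
    if [ ! -r "$CONF" ]; then
        echo "config $CONF not readable"
        return 1
    fi
    "$OPENVPN_BIN" --config "$CONF" --daemon --writepid "$PIDFILE" || return 1
    # --daemon returns immediately; allow the child a few seconds to write its pid.
    i=0
    while [ "$i" -lt 5 ]; do
        if vpn_running; then
            echo "openvpn started (pid $(cat "$PIDFILE"))"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "openvpn did not come up; check its log"
    return 1
}

vpn_stop() {
    if ! vpn_running; then
        echo "openvpn not running"
        rm -f "$PIDFILE"
        return 0
    fi
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
    echo "openvpn stopped"
}

# Dispatch on the first argument so one file can serve both rc links
# (S32vpn-tap called with "start", K32vpn-tap with "stop").
case "${1:-}" in
    start) vpn_start ;;
    stop)  vpn_stop ;;
    "")    ;;                           # no argument: only define the functions
    *)     echo "usage: $0 {start|stop}"; exit 1 ;;
esac
```

With this layout both rc links point at the same file and the init system passes "start" or "stop"; if the UC's init scripts call the links without arguments (as the guide's two separate scripts suggest), keep the two-file layout and have openvpn_go call vpn_start and openvpn_stop call vpn_stop.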

13. From the laptop, open the browser and connect to the IP 10.0.1.254, which is the IP address of UC-Left's LAN2.

[Appendix]:

1. The created certificates are time-related, so you must configure the system time first, or the VPN connection will fail because of the time mismatch:
The Certificate is not activated yet.
2. Change the mode and modify the Moxa script if you want to run it on a standard PC Linux with the OpenVPN 2.X package.
# vi openvpn-bridge
Modify line 3 to "iface=eth1"
Modify line 15 "sh $ifcfg_f" to ". $ifcfg_f"

# chmod +x openvpn-bridge