Remote access scenario to allow a communication between protected, not directly accessible machine networks and remote Service-PCs by using a public OpenVPN-Server as „Meeting-Point“

Uploaded Dec 9, 2013


Technical note „Remote access using an OpenVPN-Server as Meeting-Point“
Version 1.03, May 3, 2013 / HJH
Copyright © 2013 Weidmüller Interface GmbH & Co. KG
All rights reserved. Reproduction without permission is prohibited.
Page 1 of 4

Remote access scenario to allow a communication between protected, not directly accessible machine networks and remote Service-PCs by using a public OpenVPN-Server as „Meeting-Point“

This application scenario is described and tested using the Weidmüller Routers IE-SR-2GT-LAN and IE-SR-2GT-UMTS/3G using firmware version 2.3.0 and above.


Contents

1. General description of application requirements ........ 2
1.1 Technical requirements and solution approach ........ 2
1.2 Summary of technical aspects to implement the scenario „Remote access using a meeting point“
1.3 Implementing a simple test scenario
1.4 General procedure to implement the remote access scenario
2. Creating certificates (Step 1)
3. Configuring a Windows-PC as OpenVPN-Server (Step 2)
4. Configuration of the Service-PCs running as OpenVPN-Clients (Step 3)
4.1 Preparing the installation of OpenVPN software
4.2 Creating the configuration files for Service-PC 1
4.3 Creating the configuration files for Service-PC 2
4.4 Creating the configuration files for Service-PC 3
5. Configuring the Routers located at customer 1 and 2 running as OpenVPN-Clients (Step 4)
6. Take the configured test scenario into operation (Step 5)
6.1 Starting the OpenVPN-Server
6.2 Activating OpenVPN-Client connections on Service-PCs
6.3 Testing the remote accessibility of a machine network device from Service-PC
Appendix
A. Guidance for creating and administrating certificates (X.509) by using the program XCA (Release 0.93)
A1. Download and installation of XCA
A2. Create a new database for certificate management
A3. Creating a template for the CA certificate (Root)
A4. Creating the template to be used for productive server certificates
A5. Creating the template to be used for productive client certificates
A6. Creating the productive CA certificate (Root)
A7. Creating a productive server certificate
A8. Creating a productive client certificate

A9. Export of certificates for using with OpenVPN-Server or OpenVPN-Clients
A10. Creation of the Diffie-Hellman-Key-Exchange-File dh1024.pem


1. General description of application requirements

A machine manufacturer has sold several Ethernet-based machines to his customers (in this example 2). The machine networks at customer side are connected to the customer's factory network using a Weidmüller Security Router.

The machine builder would like to get access to these devices for service reasons. This should be done by using a secured OpenVPN tunnel between a Service-PC and the machine network Router over the Internet.


1.1 Technical requirements and solution approach

Typically machine networks inside a factory network are protected by the customer's firewall and cannot be accessed from outside (Internet). Due to this fact the Routers at customer side cannot be configured as a VPN-Server, because they are not accessible by remote Service-PCs configured as VPN clients. This limitation of not being accessible by a public IP address is also true for Service-PCs which are located e.g. inside the firewall-protected network of the machine builder.

As a solution to allow a Service-PC to connect to a machine network behind the Router, both devices (PC and Router) have to be configured as outgoing OpenVPN clients which connect to a publicly accessible OpenVPN-Server. The VPN-Server acts as a relay station (meeting point) to establish a connection between the Service-PC and the customer's machine network behind the Router.

Generally firewall-protected networks only allow outgoing connections for standard web browsing (HTTP, protocol TCP, port 80) and also for secured web browsing (HTTPS, protocol TCP, port 443). For this reason we will use in this application scenario port 443/TCP (normally HTTPS) for outgoing OpenVPN-Client connections.

In this described example 2 machine networks (one at customer 1 and the second at customer 2) should be able to get maintained by 3 engineers of the machine builder company. The engineers 1 and 2 should be able to access each of these networks (customers 1 and 2), while the 3rd engineer should only have the right to access the network of customer 1.
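The meeting-point server of this section, written out as an OpenVPN server configuration with the per-client files that implement the access rules (engineers 1 and 2 reach both customers, engineer 3 only customer 1). This is an added example, not configuration from the technical note or from Weidmüller. It assumes a tunnel network of 10.8.0.0/24, a machine network 192.168.1.0/24 at customer 1 and 192.168.2.0/24 at customer 2 (constructed, non-overlapping addresses), client certificates whose common names are the file names under ccd/, and the certificate files created as in the appendix; the DH file is called dh2048.pem here instead of the appendix's dh1024.pem, because 1024-bit DH parameters are considered too short today.

```conf
# server.ovpn -- meeting point (Windows PC or hosted server); added example
port 443                 # outgoing port most customer firewalls allow (section 1.1)
proto tcp-server         # TCP, so the session looks like HTTPS to the firewall
dev tun
ca ca.crt                # CA certificate created with XCA (appendix A6)
cert server.crt          # server certificate (appendix A7)
key server.key
dh dh2048.pem            # assumption: 2048-bit DH parameters
tls-auth ta.key 0        # assumption: shared HMAC key, rejects unsigned packets early
server 10.8.0.0 255.255.255.0         # constructed tunnel network
ifconfig-pool-persist ipp.txt
client-config-dir ccd    # per-client file selected by certificate common name
ccd-exclusive            # a client without a ccd file is refused
route 192.168.1.0 255.255.255.0        # machine network of customer 1 (constructed)
route 192.168.2.0 255.255.255.0        # machine network of customer 2 (constructed)
# No "client-to-client": traffic between engineers and routers passes through the
# server host's IP stack, so the host firewall can enforce who reaches which network.
keepalive 10 60
cipher AES-256-CBC
persist-key
persist-tun
verb 3

# ccd/customer1-router -- Router at customer 1 running as OpenVPN client
ifconfig-push 10.8.0.101 10.8.0.102
iroute 192.168.1.0 255.255.255.0       # this client owns customer 1's network

# ccd/customer2-router -- Router at customer 2
ifconfig-push 10.8.0.105 10.8.0.106
iroute 192.168.2.0 255.255.255.0

# ccd/engineer1 -- may reach both customers (engineer2 gets the same routes
# with another address pair, e.g. 10.8.0.13 10.8.0.14)
ifconfig-push 10.8.0.9 10.8.0.10
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

# ccd/engineer3 -- customer 1 only
ifconfig-push 10.8.0.17 10.8.0.18
push "route 192.168.1.0 255.255.255.0"
```

The address pairs given with ifconfig-push are /30 pairs as required by the Windows TAP driver in the default net30 topology. Note that a pushed route is a convenience, not a restriction: a Service-PC could add the missing route by hand. Because client-to-client is not set, packets between tunnel clients are forwarded by the server host (IP forwarding must be enabled there), so a firewall rule on the host that lets 10.8.0.17 reach only 192.168.1.0/24 is what actually enforces the limitation of engineer 3. Fixed tunnel addresses per client exist so that such a rule can be written.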



Figure 1: Overview of the remote access scenario with OpenVPN-Server as “Meeting Point”



The Meeting-Point (OpenVPN-Server) can be set up on any standard Windows computer (Windows XP, 7 or Windows Server 2003/2008). The OpenVPN-Server must be accessible by a public IP address from the Internet so that OpenVPN-Clients can connect.


An OpenVPN-Server can e.g. be located at the manufacturer's company using a DSL connection to the Internet by a DSL-Router. In this case the DSL-Router itself is accessible by a public IP address and has to be configured to forward an incoming OpenVPN request to the OpenVPN-Server which is connected at a LAN port of the DSL-Router.

Alternatively an OpenVPN-Server can be set up in the DMZ (Demilitarized Zone) of the manufacturer's company, directly accessible by a public IP address. This alternative generally is controlled by the IT department.


Another possibility to set up an OpenVPN-Server is to use a low-cost virtual cloud server, typically running as a Windows 2008 Server instance. There are many benefits of using a hosted virtual server, like providing a computer with a public IP address, high Internet bandwidth (nearly Fast Ethernet), very high availability and automatic server backup by the hosting provider. This solution avoids an investment in computer hardware and e.g. monthly costs for providing the Internet connection by DSL. Regarding the monthly costs of providing a virtual PC running as OpenVPN-Server, e.g. the cloud provider Amazon Web Services offers Windows Server 2008-based systems in total (without traffic limitation) for about 30 € per month.


Regarding the software installation we use the same open-source software “OpenVPN” (Release 2.2.2 or above) for both the Windows-based OpenVPN-Server and the Windows-based Service PC configured as OpenVPN-Client.

The Weidmüller Router already has the OpenVPN software (Client and Server) implemented. It only has to be configured as described below.
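A matching client configuration for a Windows Service-PC running the same OpenVPN software as outgoing client over 443/TCP. It is an added example, not a configuration file from the technical note or from Weidmüller; it assumes the meeting point is reachable under the placeholder name meeting-point.example.com, that the engineer's client certificate has the common name engineer3 (matching a per-client file on the server), and that a shared ta.key was created for tls-auth.

```conf
# engineer3.ovpn -- Service-PC of engineer 3 as outgoing OpenVPN client; added example
client
dev tun
proto tcp-client                       # must match "proto tcp-server" on the meeting point
remote meeting-point.example.com 443   # placeholder: public address of the meeting point
nobind                                 # connection is outgoing only, no listening port
resolv-retry infinite
persist-key
persist-tun
ca ca.crt                # same CA as on the server (appendix A6)
cert engineer3.crt       # client certificate exported with XCA (appendix A8, A9)
key engineer3.key
tls-auth ta.key 1        # assumption: same ta.key as the server, direction 1 on clients
remote-cert-tls server   # accept only a certificate issued for server use, so a copied
                         # client certificate cannot impersonate the meeting point
cipher AES-256-CBC       # must match the server
verb 3
```

The remote-cert-tls check requires the server certificate to carry the TLS server extended key usage; verify this when the server template is defined (appendix A4). The Router at the customer site uses the same remote address, port and protocol in its own OpenVPN client settings, with the certificate created for it instead of the engineer's.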


Please contact your local Weidmüller customer support for the complete document.

