Difference between revisions of "Configure WireGuard VPN"
(→Server configuration: nobody/nogroup, duplicate-cn, push WINS DHCP option) |
m (→Server configuration) |
||
Line 31: | Line 31: | ||
server 10.8.0.0 255.255.255.0 | server 10.8.0.0 255.255.255.0 | ||
+ | push "dhcp-option WINS 10.8.0.1" | ||
+ | |||
ifconfig-pool-persist ipp.txt | ifconfig-pool-persist ipp.txt | ||
− | |||
− | |||
duplicate-cn | duplicate-cn | ||
− | |||
keepalive 10 120 | keepalive 10 120 | ||
comp-lzo | comp-lzo | ||
Line 48: | Line 47: | ||
verb 4 | verb 4 | ||
</pre>}} | </pre>}} | ||
+ | *The ''server'' parameter is multi-client config running as a DHCP server | ||
=== Creating Keys === | === Creating Keys === |
Revision as of 10:07, 5 June 2009
Configure WireGuard VPN Organic Design procedure |
Contents
Install OpenVPN
OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN is a single program that is run on both the server hosting the share, and on the clients which will be accessing it. First install it on the server an Linux clients.
Create the TUN/TAP device
A TAP device is a virtual ethernet adapter, while a TUN device is a virtual point-to-point IP link. Most Linux systems will have these devices set up by default, but some VPS hosts such as VPSLink do not (see the issue raised in their forum and the solution added to their wiki for more detail about this). If /dev/net/tun exists then you already have TUN/TAP set up and can move on to the OpenVPN configuration, otherwise do the following to create a TUN device.
Server configuration
We'll go for a configuration which is as close to the default server.conf example file as possible to simplify the procedure. The certificate files must be specified with full pathnames, and the protocol must be changed to TCP rather than UDP which is the default. Here's all the required settings with comments removed for brevity.
- The server parameter is multi-client config running as a DHCP server
Creating Keys
There's a utility called easy-rsa in /usr/share/doc/openvpn/examples/easy-rsa which should be copied to another location (we use /etc/openvpn/easy-rsa. The default values for all certificates generated can be updated in the vars file. First, configure easy-rsa with the following shell commands:
Next we'll user easy-rsa to generate a master key, a server key, a shared client key and finally we'll build the Diffie Hellman key exchange parameters. Each of the commands requires a number of questions to be answered which can all be left as their defaults (which were set up in the vars file above), except for the common name setting which we'll set to "od-server" for the master key, "server" for the server key, and "client" for a generic keys shared by all the clients (the name "client" is the default name used on the windows sample client configuration and so requires no changes, but if you prefer you may like to create a separate client key for each based on the hostnames).
All the generated key files are in the easy-rsa/2.0/keys directory that was created above. All the files having the .key suffix are secret and should only be communicated over encrypted connections like SCP. The ca.crt file belongs on the server in /etc/openvpn and all the client machines as well. The files that start with "client" or the client hostnames belong on the client machines.
Setting up Ubuntu workstations
First install OpenVPN and the configuration GUI using apt-get install openvpn network-manager-openvpn. The GUI adds a "VPN Connections" item to the network menu from the system tray which VPN's can be added, removed and configured from.
Setting up on Windows workstations
Download and install OpenVPN GUI for Windows, this will set up a new network adapter which you should rename appropriately for example to "office-lan".
Copy the ca.crt, client.crt and client.key files generated on the server into Program Files\OpenVPN\Config on the client. Also copy the sample client config into that directory and set the 'dev-node parameter to the name you gave to the new network adapter.
Right click on the VPN network icon in the system tray and select "connect", if all has been done correctly, the connection with the remote LAN should be made and an IP address obtained.
Currently you'll need to enter \\10.8.0.1 into an Explorer window to gain access to the intranet shares because the NetBIOS names that are routed to the clients via DHCP are in terms of the intranets subnet not the VPN's.
Notes
Bridging/Routing
Ethernet bridging essentially involves combining an ethernet interface with one or more virtual TAP interfaces and bridging them together under the umbrella of a single bridge interface. Ethernet bridges represent the software analog to a physical ethernet switch. The ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple ethernet interfaces (either physical or virtual) on a single machine while sharing a single IP subnet.
By bridging a physical ethernet NIC with an OpenVPN-driven TAP interface at two separate locations, it is possible to logically merge both ethernet networks, as if they were a single ethernet subnet. See the OpenVPN bridging information for more detail.