OpenVPN Remote Access VPNs Using TLS on VyOS

This tutorial provides the configuration steps needed to set up an OpenVPN client/server model in GNS3. The model allows multiple remote clients to connect to a single centralized server. A VyOS router serves as the OpenVPN server, with two VyOS branch office routers acting as OpenVPN clients (Client1 and Client2). The third OpenVPN client is Ubuntu 18.04.1 (Client3). Server/client VPNs in OpenVPN require X.509 certificates to be set up. For this purpose we are going to create a public key infrastructure (PKI), with our own certificate authority running on the VyOS OpenVPN server. It will be used to issue the trusted certificates for the server and the clients.

The OpenVPN client Client3 is Linux Ubuntu 18.04.1. It is a pre-installed Ubuntu VMDK image downloaded from osboxes.org. The username is osboxes and the password is osboxes.org. The client is connected to the router SOHO, a VyOS router acting as a SOHO router. In our scenario, the SOHO router cannot be loaded with an OpenVPN configuration, so the tunnel is configured directly on Client3.

Note: The network device Inet is a Cisco L2 switch. It only interconnects the Server, Client1, Client2 and SOHO routers and is not loaded with any configuration.

Check the list of software and hardware used below to get an overall insight into what is needed to set up the network infrastructure.

Software installed on Host OS (Kubuntu 18.04.1 LTS Bionic)
- GNS3 2.1.11
- QEMU emulator version 3.0.0

- QEMU Guest Instances (Virtual machines)
-- Server:   VyOS 1.2.0-epa3
-- Client1:  VyOS 1.2.0-epa3
-- Client2:  VyOS 1.2.0-epa3
-- Client3:  Ubuntu 18.04.1 LTS Bionic
-- Inet:  vIOS-L2 version 15.2
-- SOHO: VyOS 1.2.0-epa3
-- PC1 and PC2:  Linux CorePure64 version 6.3

Hardware K55VM (ASUS-NotebookSKU)
- 2 x 8GiB SODIMM DDR3 Synchronous 1600 MHz
- Intel(R) Core(TM) i7-3610QM CPU @ 2.30

- QEMU Guest VMs (RAM per guest):
-- VyOS:  512MB
-- Client3:  4096MB
-- vIOS-L2:  768MB
-- Linux CorePure64:  128MB

Picture 1 - Network Topology - VyOS OpenVPN Server with 3 OpenVPN Clients

1. Initial Configuration

The goal of this part is to configure network devices and the hosts in our topology with IP addresses in order to ensure network connectivity and enable required services, such as SSH.

1.1 VyOS Router OpenVPN Client1

The content of the directory /config persists even after a VyOS image upgrade. Therefore, we will create a directory ovpn in the folder /config/auth/ to store the client's OpenVPN configuration file, its certificate with the public key, its private key and the certificate of the CA:

- client1.ovpn
- client1.crt
- client1.key
- ca.crt

vyos@vyos$ mkdir /config/auth/ovpn
vyos@vyos$ configure

Configure the hostname. You need to log out from VyOS to get the prompt changed.

vyos@vyos# set system host-name 'Client1'

We will use the scp command to copy the client's files from the server to the clients. Therefore, enable the SSH service on all clients (including Client3 - Ubuntu).

vyos@Client1# set service 'ssh'

Configure IPv4 addresses for the WAN and LAN interfaces.

vyos@Client1# set interfaces ethernet eth0 address '11.0.2.2/24'
vyos@Client1# set interfaces ethernet eth1 address '10.0.1.254/24'

1.2 VyOS Router OpenVPN Client2

vyos@vyos$ mkdir /config/auth/ovpn
vyos@vyos$ configure

vyos@vyos# set system host-name 'Client2'

vyos@Client2# set service 'ssh'

Configure IPv4 addresses for the WAN and LAN interfaces.

vyos@Client2# set interfaces ethernet eth0 address '11.0.2.3/24'
vyos@Client2# set interfaces ethernet eth1 address '10.0.2.254/24'

1.3 VyOS Router OpenVPN Server

The content of the directory /config persists even after a VyOS image upgrade. Therefore, we will create a directory ovpn in /config/auth/ to store the server's certificate with the public key, its private key, the certificate of the CA and the DH parameters:

- server.crt
- server.key
- ca.crt
- dh2048.pem

vyos@vyos$ mkdir /config/auth/ovpn
vyos@vyos$ configure

vyos@vyos# set system host-name 'Server'

Configure IPv4 addresses for the WAN and LAN interfaces.

vyos@Server# set interfaces ethernet eth0 address '11.0.2.1/24'
vyos@Server# set interfaces ethernet eth1 address '10.0.0.254/24'
vyos@Server# exit

vyos@Server# set service 'ssh'

1.4 Ubuntu 18.04.1 OpenVPN Client3

Use a network manager to configure IPv4 address 11.0.2.4/24 for interface eth0 on Ubuntu 18.04 (Picture 2).

Picture 2 - IPv4 Address Configuration Using NM

Install OpenSSH server with the command below

osboxes@Client3:~$ sudo apt-get update
osboxes@Client3:~$ sudo apt-get install openssh-server

1.5 VyOS Router SOHO

vyos@vyos$ configure

Configure the hostname. You need to log out from VyOS to get the prompt changed.

vyos@vyos# set system host-name 'SOHO'

vyos@SOHO# set interfaces ethernet eth0 address '10.0.3.254/24'
vyos@SOHO# set interfaces ethernet eth1 address '11.0.2.4/24'

Configure NAT on the SOHO router. Traffic is excluded from NAT when it is sent to the remote LANs 10.0.0.0/22 within the OpenVPN tunnel (rule 10). However, source NAT is applied to traffic destined for the other subnets (e.g. 11.0.2.0/24) outside of the VPN tunnel (rule 20). In this case, the subnet 10.0.3.0/24 is translated to the public IPv4 address 11.0.2.4.

vyos@SOHO# set nat source rule 10 description 'exclude_10.0.3.0.0/24_from_nat'
vyos@SOHO# set nat source rule 10 destination address '10.0.0.0/22'
vyos@SOHO# set nat source rule 10 exclude
vyos@SOHO# set nat source rule 10 outbound-interface 'eth1'

vyos@SOHO# set nat source rule 20 description 'include_10.0.3.0.0/24_to_nat'
vyos@SOHO# set nat source rule 20 outbound-interface 'eth1'
vyos@SOHO# set nat source rule 20 source address '10.0.3.0/24'
vyos@SOHO# set nat source rule 20 translation address 'masquerade'

2. Setup of the Certificate Authority (CA)

The VyOS CLI requires TLS authentication for the client/server implementation. We need to create a CA, create server and client keys, and sign the server and client certificates. For this purpose, we will use easy-rsa, a CLI utility to build and manage a PKI CA.

First, copy the directory easy-rsa to the folder /config and edit the field values to match your company.

vyos@Server:~$ cp -rv /usr/share/easy-rsa/ /config/

vyos@Server:~$ vi /config/easy-rsa/vars

# Increase this to 2048 if you are paranoid. This will slow down TLS negotiation performance
# as well as the one-time DH parms generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="SK"
export KEY_PROVINCE="Bratislava"
export KEY_CITY="Bratislava"
export KEY_ORG="Brezular Inc."
export KEY_EMAIL="brezular@brezular.com"
export KEY_OU="Brezular HomeLabs"

Enter the folder where the easy-rsa scripts are located. Notice that your prompt has changed, displaying the path to the current directory.

vyos@Server:~$ cd /config/easy-rsa/

By sourcing the vars file in the current (non-forked) shell, we set all of our environment variables.

vyos@Server:/config/easy-rsa$ source ./vars

Clean up any old material (keys, certificates).

vyos@Server:/config/easy-rsa$ ./clean-all

Build the CA, the DH parameters, and the server key and certificate. Do not set a password for the certificates.

vyos@Server:/config/easy-rsa$ ./build-ca
vyos@Server:/config/easy-rsa$ ./build-dh
vyos@Server:/config/easy-rsa$ ./build-key-server server

Copy the certificates and keys into the folder /config/auth/ovpn.

vyos@Server:/config/easy-rsa$ cp /config/easy-rsa/keys/ca.crt /config/auth/ovpn
vyos@Server:/config/easy-rsa$ cp /config/easy-rsa/keys/dh2048.pem /config/auth/ovpn
vyos@Server:/config/easy-rsa$ cp /config/easy-rsa/keys/server.key /config/auth/ovpn
vyos@Server:/config/easy-rsa$ cp /config/easy-rsa/keys/server.crt /config/auth/ovpn

3. Building and Distributing Certificates and Keys for Clients

Now we can build the private keys and certificates for the clients, which we will later copy to them. Use the script build-key to generate, for each client, a certificate without a pass-phrase that it will use to connect to the VPN. Build keys for all three clients.

vyos@Server:/config/easy-rsa$ ./build-key client1
vyos@Server:/config/easy-rsa$ ./build-key client2
vyos@Server:/config/easy-rsa$ ./build-key client3

Create a directory for each client in /config/easy-rsa/keys.

vyos@Server:/config/easy-rsa/keys$ cd ~

vyos@Server:~$ mkdir /config/easy-rsa/keys/client1
vyos@Server:~$ mkdir /config/easy-rsa/keys/client2
vyos@Server:~$ mkdir /config/easy-rsa/keys/client3

Copy the files client1.crt, client1.key and ca.crt to the folder client1.

vyos@Server:~$ cp /config/easy-rsa/keys/client1* /config/easy-rsa/keys/client1/
vyos@Server:~$ cp /config/easy-rsa/keys/ca.crt /config/easy-rsa/keys/client1/

Do the same for the client2.

vyos@Server:~$ cp /config/easy-rsa/keys/client2* /config/easy-rsa/keys/client2/
vyos@Server:~$ cp /config/easy-rsa/keys/ca.crt /config/easy-rsa/keys/client2/

And the same applies for the client3.

vyos@Server:~$ cp /config/easy-rsa/keys/client3* /config/easy-rsa/keys/client3/
vyos@Server:~$ cp /config/easy-rsa/keys/ca.crt /config/easy-rsa/keys/client3/

3.1 Creating OpenVPN Configuration Files for OpenVPN Clients

Create an OpenVPN configuration file for the OpenVPN client VyOS router Client1 with your favorite text editor.

vyos@Server:~$ vi /config/easy-rsa/keys/client1/client1.ovpn

client
proto udp
remote-cert-tls server
verb 2
dev tun0
cert client1.crt
key client1.key
ca ca.crt
remote 11.0.2.1 1194

Do the same for the OpenVPN client router VyOS Client2.

vyos@Server:~$ vi /config/easy-rsa/keys/client2/client2.ovpn

client
proto udp
remote-cert-tls server
verb 2
dev tun0
cert client2.crt
key client2.key
ca ca.crt
remote 11.0.2.1 1194

Create an OpenVPN configuration file for the OpenVPN client running on the Linux Ubuntu VM Client3.

vyos@Server:~$ vi /config/easy-rsa/keys/client3/client3.ovpn

client
dev tun0
cert /home/osboxes/client3/client3.crt
key /home/osboxes/client3/client3.key
ca /home/osboxes/client3/ca.crt
remote 11.0.2.1 1194
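The three client files differ in one security-relevant line: client1.ovpn and client2.ovpn carry remote-cert-tls server, while client3.ovpn does not. Without that directive an OpenVPN client accepts any certificate signed by the CA as the server's certificate, including another client's certificate. The shell script below is an added example, not part of the tutorial; it lints a client .ovpn file for the directives this setup depends on. The function names and the two sample files it writes (modelled on client1.ovpn and client3.ovpn above) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint an OpenVPN client .ovpn file.
# Function names and sample files are constructed for this example.

# lint_ovpn FILE
# Returns 0 when FILE has every directive a client in this setup needs and
# pins the server role with "remote-cert-tls server"; otherwise prints one
# line per finding and returns 1.
lint_ovpn() {
  f=$1
  rc=0
  for d in client dev remote ca cert key; do
    # match the directive as a whole word at the start of a line
    grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$f" \
      || { echo "$f: missing required directive '$d'"; rc=1; }
  done
  # Without this line the client accepts any CA-signed certificate
  # (for example a leaked client1.crt) as the server's certificate.
  grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server([[:space:]]|$)' "$f" \
    || { echo "$f: missing 'remote-cert-tls server'"; rc=1; }
  return $rc
}

# write_samples DIR
# Writes two constructed files modelled on the tutorial's client1.ovpn
# (complete) and client3.ovpn (no remote-cert-tls line) into DIR.
write_samples() {
  dir=$1
  cat > "$dir/client1.ovpn" <<'EOF'
client
proto udp
remote-cert-tls server
verb 2
dev tun0
cert client1.crt
key client1.key
ca ca.crt
remote 11.0.2.1 1194
EOF
  cat > "$dir/client3.ovpn" <<'EOF'
client
dev tun0
cert /home/osboxes/client3/client3.crt
key /home/osboxes/client3/client3.key
ca /home/osboxes/client3/ca.crt
remote 11.0.2.1 1194
EOF
}

# Stand-alone demo: lint both constructed files.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/client1.ovpn" "$tmp/client3.ovpn"; do
  if lint_ovpn "$f"; then echo "$f: OK"; fi
done
rm -rf "$tmp"
```

Run it against the real files before copying them to the clients; the client3 sample fails only because of the missing remote-cert-tls server line, which is the one a client needs in order to reject a peer presenting a client certificate as the server.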

3.2 Copying OpenVPN Configuration Files to OpenVPN Clients

Log in to VyOS (Server) and use the utility scp to copy all files (client1.ovpn, client1.crt, client1.key, ca.crt) located in the directory client1 to the VyOS router Client1.

vyos@Server:~$ scp -rv /config/easy-rsa/keys/client1/* vyos@11.0.2.2:/config/auth/ovpn/

Do the same for the VyOS router Client2.

vyos@Server:~$ scp -rv /config/easy-rsa/keys/client2/* vyos@11.0.2.3:/config/auth/ovpn/

As Client3 is located behind NAT, log in to Ubuntu 18.04 (Client3) and download the directory /config/easy-rsa/keys/client3 from VyOS using Ubuntu's shell.

osboxes@Client3:~$ scp -rv vyos@11.0.2.1:/config/easy-rsa/keys/client3/ ~
osboxes@Client3:~$ scp -rv vyos@11.0.2.1:/config/easy-rsa/keys/ca.crt ~/client3

The files client3.ovpn, client3.crt, client3.key, and ca.crt are now stored on Ubuntu (Client3) in the directory /home/osboxes/client3.

4. OpenVPN Server and Clients Configuration on VyOS

4.1 OpenVPN Server

The server subnet is used for the IP configuration of the tunnel interfaces. It needs to be a subnet different from the server's and the clients' LANs. We will set it to something unique (172.16.1.0/24) that is unlikely to collide with any remote network our clients will be on. The push route is sent to the clients and installed as a kernel route on them. It should match the subnet of the LAN interface of the OpenVPN server (10.0.0.0/24). In our case, however, it is better to set the push route to 10.0.0.0/22, as this covers the LAN subnet of the server (10.0.0.0/24) as well as those of the remote Client1 (10.0.1.0/24) and Client2 (10.0.2.0/24).

vyos@Server$ configure

vyos@Server# set interfaces openvpn vtun0 mode server
vyos@Server# set interfaces openvpn vtun0 server subnet 172.16.1.0/24
vyos@Server# set interfaces openvpn vtun0 server domain-name brezular.com
vyos@Server# set interfaces openvpn vtun0 server push-route 10.0.0.0/22
vyos@Server# set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/server.crt
vyos@Server# set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/server.key
vyos@Server# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/ca.crt
vyos@Server# set interfaces openvpn vtun0 tls dh-file /config/auth/ovpn/dh2048.pem

Note: We can send any route to the clients using the option push-route, but the route must be installed in the routing table of the OpenVPN server.

Now we need to set each client's configuration options. Clients are identified by the CN field in their certificates:

vyos@Server# set interfaces openvpn vtun0 server client client1 ip 172.16.1.10
vyos@Server# set interfaces openvpn vtun0 server client client1 subnet 10.0.1.0/24

vyos@Server# set interfaces openvpn vtun0 server client client2 ip 172.16.1.20
vyos@Server# set interfaces openvpn vtun0 server client client2 subnet 10.0.2.0/24

vyos@Server# set interfaces openvpn vtun0 server client client3 ip 172.16.1.30
vyos@Server# set interfaces openvpn vtun0 server client client3 subnet 10.0.3.0/24

We also need to set up a static route to our 10.0.0.0/22 subnet, as OpenVPN does not install this route automatically:

vyos@Server# set protocols static interface-route 10.0.0.0/22 next-hop-interface vtun0
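The server entries above key on the CN of each client certificate, and the clients' remote-cert-tls server line keys on the server certificate carrying the TLS Web Server Authentication extended key usage, which build-key-server sets and build-key does not. The shell script below is an added example, not part of the tutorial or of easy-rsa: it builds a throwaway test PKI with the openssl CLI (constructed for the example, standing in for the easy-rsa scripts) and checks a client certificate the way a defender would before adding a server client entry for it. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial or easy-rsa): check a client certificate
# before adding "set interfaces openvpn vtun0 server client <CN> ..." for it.
# Requires the openssl CLI. Function names and the test PKI are constructed.

# check_client_cert CERT CA EXPECTED_CN
# Returns 0 only when CERT chains to CA, its CN equals EXPECTED_CN (the name
# used in the VyOS "server client" entry) and it carries no serverAuth EKU,
# so it cannot satisfy a client's "remote-cert-tls server" check.
check_client_cert() {
  cert=$1; ca=$2; want=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $ca"; return 1; }
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline \
       | sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$want" ] \
    || { echo "$cert: CN is '$cn', expected '$want'"; return 1; }
  if openssl x509 -in "$cert" -noout -text \
       | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo "$cert: carries the serverAuth EKU, this is a server certificate"; return 1
  fi
  return 0
}

# make_test_pki DIR
# Constructed stand-in for build-ca / build-key-server / build-key: a CA,
# a plain client certificate, a server certificate (serverAuth EKU) and a
# self-signed certificate that the CA never issued.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  for name in client1 server; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  done
  openssl x509 -req -days 1 -in "$dir/client1.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client1.crt" >/dev/null 2>&1
  printf 'extendedKeyUsage = serverAuth\n' > "$dir/server.ext"
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=client2' \
    -keyout "$dir/rogue.key" -out "$dir/rogue.crt" >/dev/null 2>&1
}

# Stand-alone demo: one good certificate and three that must be rejected.
tmp=$(mktemp -d)
make_test_pki "$tmp"
check_client_cert "$tmp/client1.crt" "$tmp/ca.crt" client1 && echo "client1.crt: OK"
check_client_cert "$tmp/client1.crt" "$tmp/ca.crt" client2 && echo "unexpected"  # CN mismatch
check_client_cert "$tmp/server.crt"  "$tmp/ca.crt" server  && echo "unexpected"  # server cert
check_client_cert "$tmp/rogue.crt"   "$tmp/ca.crt" client2 && echo "unexpected"  # not CA-signed
rm -rf "$tmp"
```

On the real server the call would be check_client_cert /config/easy-rsa/keys/client1.crt /config/auth/ovpn/ca.crt client1; the CN check matters because a typo between the certificate CN and the server client name silently leaves that client without its ip and subnet assignment.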

4.2 OpenVPN Client1 and Client2

The routers Client1 and Client2 are running VyOS, so their OpenVPN configuration is almost identical.

vyos@Client1# set interfaces openvpn vtun0 mode client
vyos@Client1# set interfaces openvpn vtun0 remote-host 11.0.2.1
vyos@Client1# set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/client1.crt
vyos@Client1# set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/client1.key
vyos@Client1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/ca.crt

vyos@Client2# set interfaces openvpn vtun0 mode client
vyos@Client2# set interfaces openvpn vtun0 remote-host 11.0.2.1
vyos@Client2# set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/client2.crt
vyos@Client2# set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/client2.key
vyos@Client2# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/ca.crt

We do not need to set a route pointing to the server's and the other clients' LANs, as we have received the push route 10.0.0.0/22 from the OpenVPN server. If not, we would configure it as an interface route:

# set protocols static interface-route 10.0.0.0/22 next-hop-interface vtun0

4.3 OpenVPN Client Client3

Install the OpenVPN plugin for Network Manager.

osboxes@Client3:~$ sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

Right click on the Network icon -> Wired Settings -> VPN -> Import from File (Picture 3). Navigate to the folder /home/osboxes/client3/.

Picture 3 - Adding VPN Connection on Ubuntu 18.04 Using Network Manager

Select the configuration file client3.ovpn and hit the Open button. Your OpenVPN settings are imported (Picture 4). Hit the Add button.

Picture 4 - Imported OpenVPN Settings

To connect to the VPN server, right click on the Network icon -> VPN and select Connect (Picture 5).

Picture 5 - Connecting to OpenVPN Server

5. Testing

Check the status of the OpenVPN server with the command below (Picture 6).

vyos@Server:~$ show openvpn server status

Picture 6 - Checking status of OpenVPN Server

We can also check the status of a client, e.g. Client1 (Picture 7).

vyos@client1:~$ show openvpn client status

Picture 7 - Checking Status of OpenVPN Client1

The connectivity test conducted from the OpenVPN client Client3 to the remote LANs (Server1, PC1 and PC2) is depicted in Picture 8.

$ for client in 10.0.0.1 10.0.1.1 10.0.2.1; do ping -c 1 "$client"; done

Picture 8 - Checking Connectivity from Client3 to Server1, Client1 and Client2

The connectivity test conducted from the host Server1 to the remote LANs (PC1, PC2, Client3) is depicted in Picture 9.

$ for client in 10.0.1.1 10.0.2.1 10.0.3.1; do ping -c 1 "$client"; done

Picture 9 - Checking Connectivity from Server1 to PC1, PC2, Client3

The traffic captured between the OpenVPN server and the network device Inet (the file captured_traffic.pcap) is depicted in Picture 10. As we can see, the network traffic is encrypted within the VPN tunnel.

Picture 10 - Captured OpenVPN Traffic

Now, test the connectivity between Client3 (10.0.3.1/24) and the OpenVPN server (11.0.2.1/24) with the ping command. The ICMP traffic is transferred outside the tunnel and NAT is in use, translating the inside local address 10.0.3.1 to the inside global address 11.0.2.4 (Picture 11).

Picture 11 - ICMP Traffic Between OpenVPN server and Client3

End.
