LAB4: Virtual Private Networks (VPN)
Tomáš Rebok

Brief VPN introduction

What is VPN?
The goal of a Virtual Private Network (VPN) is to provide private communications over the public Internet infrastructure.
• VPNs employ various networking technologies to achieve this goal
• a VPN can operate at any layer of the OSI protocol stack
• basic VPN idea:
  • build a virtual overlay network that runs on top of the Internet infrastructure
  • "virtual" means that no new physical infrastructure is necessary
  • connect private networks through the overlay network
  • the overlay can be built between two end systems, or between two or more networks

VPNs: Basic Functions
VPNs provide four critical functions:
• Confidentiality - the sender encrypts the packets before transmitting them across the network, so nobody without the key can read the communication; if intercepted, the content cannot be read. (Note that only the encapsulated packet is hidden: the outer tunnel headers, i.e. the endpoint addresses, packet sizes and timing, remain visible to anyone on the path.)
• Data integrity - the receiver can verify that the data was transmitted through the Internet without being altered.
• Origin authentication - the receiver can authenticate the packet sender, guaranteeing the source of the information.
• User authorization - prevents unauthorized users from accessing the network.
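To make the "virtual overlay network" idea concrete, here is an added illustration (not part of the original handout, not OpenVPN's code) of the mechanism every VPN in this lab relies on: the private packet is carried as the payload of a packet on the public network, which is exactly what "tunneling" means. The private addresses 10.8.0.2 and 10.10.10.10 follow the lab's subnets; the public endpoint addresses 198.51.100.7 / 203.0.113.1 and the HTTP payload are constructed for the example. A real VPN encrypts and authenticates the inner packet before wrapping it; the XOR "protection" below is only a stand-in that keeps the example self-contained and shows that the outer payload is not the plaintext.

```python
"""Minimal IP-in-UDP tunnel encapsulation (added illustration, not lab code).

Outer packet  = what a sniffer on the public path sees (public IPs, UDP 1194).
Inner packet  = the private-network IPv4 datagram the tunnel hides.
Addresses and payload are constructed for the example; the XOR keystream is a
toy stand-in for the real cipher a VPN would use.
"""
from __future__ import annotations

import socket
import struct

IPPROTO_UDP = 17
IP_HDR_LEN = 20
UDP_HDR_LEN = 8


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (0 == valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (TTL 64, no options) with a valid checksum."""
    total_len = IP_HDR_LEN + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _toy_protect(data: bytes, key: bytes) -> bytes:
    # Stand-in for real encryption/authentication; NOT secure, illustration only.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str,
                port: int = 1194, key: bytes = b"k") -> bytes:
    """Wrap a private IPv4 packet inside a public IPv4/UDP packet (the tunnel)."""
    protected = _toy_protect(inner_packet, key)
    udp = struct.pack("!HHHH", port, port, UDP_HDR_LEN + len(protected), 0) + protected
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp


def decapsulate(outer_packet: bytes, key: bytes = b"k") -> tuple[str, str, bytes]:
    """Strip the outer IP/UDP headers and return (outer_src, outer_dst, inner).

    Raises ValueError on a corrupted outer header or a non-UDP outer packet.
    """
    if ip_checksum(outer_packet[:IP_HDR_LEN]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if outer_packet[9] != IPPROTO_UDP:
        raise ValueError("not an IP-in-UDP tunnel packet")
    outer_src = socket.inet_ntoa(outer_packet[12:16])
    outer_dst = socket.inet_ntoa(outer_packet[16:20])
    udp_len = struct.unpack("!H", outer_packet[IP_HDR_LEN + 4:IP_HDR_LEN + 6])[0]
    protected = outer_packet[IP_HDR_LEN + UDP_HDR_LEN:IP_HDR_LEN + udp_len]
    return outer_src, outer_dst, _toy_protect(protected, key)


def inner_addresses(inner_packet: bytes) -> tuple[str, str]:
    """Source/destination of the private packet carried inside the tunnel."""
    return socket.inet_ntoa(inner_packet[12:16]), socket.inet_ntoa(inner_packet[16:20])


def demo() -> dict:
    # Constructed private packet: VPN client 10.8.0.2 -> intranet web server 10.10.10.10.
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.8.0.2", "10.10.10.10", 6, len(payload)) + payload
    # Constructed public endpoints: roaming client -> VPN gateway (TEST-NET addresses).
    outer = encapsulate(inner, "198.51.100.7", "203.0.113.1")
    osrc, odst, recovered = decapsulate(outer)
    return {
        "wire_src_dst": (osrc, odst),                 # what a sniffer sees
        "inner_src_dst": inner_addresses(recovered),  # what the tunnel hides
        "inner_visible_on_wire": payload in outer,    # False: only protected bytes
        "roundtrip_ok": recovered == inner,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and compare with what you will capture in Wireshark later in the lab: the outer IP/UDP headers are in the clear (so the VPN endpoints are identifiable), while the inner packet, including its private source and destination, is recoverable only on the tunnel endpoints.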
VPN Deployment Scenarios
There are two basic VPN deployment scenarios:
• Site-to-Site (Intranet) VPN
  • interconnects multiple network sites at different locations within the same organization
  • forms a larger corporate network
• Remote Access VPN
  • connects a single remote device to a corporate intranet
  • enables flexible access to the corporate network

VPN Approaches
Taxonomy of VPN approaches based on the ISO/OSI layer:
• Layer 2 VPN
  • MPLS - Multiprotocol Label Switching
• Layer 3 VPN
  • IPsec, PPTP, L2TP
  • usually implemented on the perimeter firewall (network border)
  • PPTP - Point-to-Point Tunneling Protocol (obsolete: its MS-CHAPv2 authentication and RC4-based MPPE encryption are broken) and L2TP - Layer 2 Tunneling Protocol (provides no encryption of its own and is normally combined with IPsec as L2TP/IPsec)
  • IPsec - see the animation at https://frakira.fi.muni.cz/~jeronimo/vyuka/IPSec (part of the IPv6 animation at https://frakira.fi.muni.cz/~jeronimo/vyuka/IPv6)
• Layer 4 VPN
  • SSL/TLS VPNs
  • usually give access to specific applications rather than entire subnets

VPN Approaches - IPsec VPN vs. SSL VPN
[Figure: comparison of IPsec VPN and SSL VPN deployments. IPsec VPN gateways are usually implemented on the perimeter firewall and permit or deny remote access to entire subnets; SSL VPN gateways are usually placed behind the firewall and permit or deny access to individual applications, such as the user's mailbox or URLs hosted on an intranet web server.]

Warming QUIZ!

Q1: VPN stands for:
a) Virtual Public Network
b) Virtual Private Network
c) Virtual Protocol Network
d) Virtual Perimeter Network
Answer: b) Virtual Private Network (or Virtual Private Networking)
A VPN is a private network in the sense that it carries controlled information, protected by various security mechanisms, between known parties. VPNs are only "virtually" private, however, because this data actually travels over shared public networks instead of fully dedicated private connections.

Q2: What are the acronyms for the most common VPN protocols?
• identify their ISO/OSI layer as well
Answer: the most common VPN protocols (and approaches) classified by layer:
• Layer 2 - (VPN over) MPLS
• Layer 3 - PPTP, L2TP, IPsec
• Layer 4 - (VPN over) SSL/TLS

Q3: What are the basic VPN deployment scenarios?
Answer: there are two basic deployment scenarios:
• Site-to-Site VPNs
• Remote Access VPNs

Q4: What is the main benefit of VPNs compared to dedicated networks utilizing frame relay, leased lines, and traditional dial-up?
a) better network performance
b) less downtime on average
c) flexibility and reduced cost
d) improved security
Answer: c) flexibility and reduced cost
The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial-up networking. These savings come with a certain amount of risk, however, particularly when using the public Internet as the delivery mechanism for VPN data.

Q5: In VPNs, the term "tunneling" refers to ...
a) an optional feature that increases network performance if it is turned on
b) the encapsulation of packets inside packets of a different protocol to create and maintain a virtual circuit
c) the method a system administrator uses to detect hackers on the network
d) a marketing strategy that involves selling VPN products for very low prices in return for expensive service contracts
Answer: b) the encapsulation of packets inside packets of a different protocol to create and maintain a virtual circuit

OpenVPN & practical example

OpenVPN Introduction
• VPNs can be realized both with specialized HW devices and with SW tools
• SW tools may require specific OS functionality (L2 + L3 VPNs, e.g. a tun/tap driver) or not (L4 VPNs)
• the best-known and most widely used open-source SW tool is OpenVPN
• OpenVPN (http://openvpn.net)
  • open-source VPN solution
  • uses SSL/TLS with X.509 certificates
  • clients available for most OSes (Linux, OS X, Windows, DD-WRT, Tomato)
  • simple setup for small networks
  • user-mode, not kernel-mode (the kernel is used only for the tun/tap virtual interface)
  • the tool we will use during the practical lab

Lab Scenario and Infrastructure
A small company called RedGears Ltd. (producing red wheels) requires you, as a network administrator, to configure the network so that their Sales Representatives can access internal network resources (a web server) while travelling. All the communication has to be sufficiently secured.
Goal: Establish a VPN server (VPN gateway) and configure clients to establish a secured VPN connection.

Lab Tasks
1. build the infrastructure
   • and test its functionality...
2. configure the OpenVPN server
   A. create server certificates
   B. create server configuration file
   C. adjust server networking configuration
   D. start and test the server
3. configure the OpenVPN client
4. connect the client and observe behavior
   • both Windows and Linux clients
   • is the traffic encrypted?
5. further scenario variants

1. Building the Lab Infrastructure
• start your VirtualBox
• import the VPN server and Enterprise server VMs
  • File -> Import Appliance
  • O:\PA197\Lab 4\PA197-L4-VPNserver.ova
  • O:\PA197\Lab 4\PA197-L4-Enterprise.ova
• observe the VM configuration
  • network settings & port forwarding
• start the VMs
  • users: root & pa197user
  • passwords: pa197
• observe the internal configuration (networking, tools, ...)
• test the communication
  • ping, SSH, WWW browser (VPNserver -> Enterprise)

2. Server Configuration
A. Generating Certificates
• PKI: Public Key Infrastructure - the tools, procedures and people used to manage the creation, management and revocation of digital certificates
• X.509 - standardized format for certificates, certificate revocation and path verification; standardized by the ITU Telecommunication Standardization Sector (ITU-T)
• Certificate Authority (CA) - entity that creates & signs digital certificates
• EasyRSA SW tool - a set of scripts allowing for the easy creation, signing and revocation of X.509 certificates used by OpenVPN
  • abstracts the use of OpenSSL
  • distributed with OpenVPN

2. Server Configuration
A. Generating Certificates
• become root
  pa197user@VPNserver$ sudo su -
• EasyRSA setup
  • create a CA directory with basic CA content
    # make-cadir /root/openvpn-ca
  • move into that directory
    # cd /root/openvpn-ca
  • configure the CA variables
    # vim vars
    • see the export KEY_* variables (not necessary to change)
    • change KEY_NAME to server
    • the variables will be used as defaults for all the generated certificates

2. Server Configuration A.
Generating Certificates (cont'd.)
• build the CA
  • source the variables into the environment
    # source vars
  • clean previously generated keys (if any)
    # ./clean-all
  • build the root CA
    # ./build-ca
    (press ENTER through the prompts)
    (The CA key can be password protected with the "--pass" option. This password will then be required to sign any certificate with the CA key. In a real deployment the CA key should not live on the VPN server at all: it is needed only when signing certificates, never while the server runs.)
• EasyRSA setup cont'd.
  • create the OpenVPN server certificate
    # ./build-key-server server
    (press ENTER through the prompts & answer 'y')
  • generate strong Diffie-Hellman parameters to use during key exchange
    # ./build-dh

2. Server Configuration
B. Configure the OpenVPN service
• copy the CA cert and key, our server cert and key, and the Diffie-Hellman parameters to the OpenVPN server directory (the CA key is copied here only because the lab signs certificates on the same machine; the server itself needs just ca.crt)
  # cd /root/openvpn-ca/keys
  # cp ca.crt ca.key server.crt server.key dh2048.pem /etc/openvpn
• copy and unzip the sample OpenVPN configuration file
  # gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
• make yourself familiar with the OpenVPN configuration
  # vim /etc/openvpn/server.conf

2. Server Configuration
B. Configure the OpenVPN service
• personalize the OpenVPN server configuration
• at least, see the options:
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    cipher AES-128-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    log /var/log/openvpn.log
  • "redirect-gateway def1" pushes a default route to the clients, so all of their traffic (not only traffic for the internal network) goes through the VPN; keep this in mind for the Wireshark questions later

2. Server Configuration
B. Configure the OpenVPN service
• set the client authentication method
  • various methods are available, see https://openvpn.net/index.php/open-source/documentation/howto.html#auth
  • we will use PAM authentication: add the following options to server.conf
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
    client-cert-not-required
  • caveat: with client-cert-not-required the server accepts any client that has the CA certificate and a valid system username/password; the option is deprecated in newer OpenVPN releases (replaced by "verify-client-cert none") and is used here only to keep the lab simple (the homework asks you to switch to client certificates)
• this should finalize the OpenVPN server configuration

2. Server Configuration
C. Adjust server networking configuration
• allow IP forwarding
  # vim /etc/sysctl.conf
  • remove the '#' before net.ipv4.ip_forward=1
  • then apply it
  # sysctl -p
D. Start and test the OpenVPN server
• try to start the server and examine the log file for errors
  # /etc/init.d/openvpn stop (if running)
  # /etc/init.d/openvpn start
  # cat /var/log/openvpn.log

3. Configure the OpenVPN client
• prepare the client configuration file (PA197-L4.ovpn)
  • again, by adapting the sample config file
    # cd /root
    # cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf PA197-L4.ovpn
  • and adapt it to the server configuration
  • at least, see the options:
    dev tun
    proto udp
    remote localhost 1194
    user nobody
    group nogroup
    persist-key
    persist-tun
    ca ...
    ;cert ...
    ;key ...
    cipher AES-128-CBC
    comp-lzo
    auth-user-pass
  • cert and key stay commented out (';') because the client authenticates with a username and password, not a certificate
  • "remote localhost 1194" assumes the VirtualBox port forwarding observed in step 1 maps the host's port 1194 to the VPN server VM; on a real deployment it is the public address of the VPN gateway
  • user/group apply to Linux clients only; leave them commented out in the Windows client's config

3. Configure the OpenVPN client
• include the CA certificate in the client configuration file
  • attach the content of the ca.crt file between the <ca> and </ca> tags, i.e.
  include the content of ca.crt there
  • hint: cat FILE1 >> FILE2
• transfer the configuration file to the client (Windows host)
  # scp PA197-L4.ovpn USERNAME@aisa.fi.muni.cz:
  • WinSCP from the Windows host to aisa.fi.muni.cz
  • and save it to C:\Program Files\OpenVPN\config\
  • (to be sure, reboot the VPN server)
• finally, try to connect to the OpenVPN server
  • using the pa197user username and pa197 password
  • examine the OpenVPN log files
  • if you are successful, you should be able to access http://10.10.10.10 from the Windows host's WWW browser

Questions & tasks
• open a network sniffer/analyzer application (Wireshark) and examine the content of the captured packets (on both VPN ends)
  • are the passing packets encrypted?
  • are all the packets passing through the OpenVPN server?
    • if YES, how would you change the configuration so that just the packets destined for the internal network go through the VPN?
    • if NO, could you capture and identify the ones not going through the VPN?
  • (optional homework) adapt the client configurations to authenticate using the clients' certificates (not username and password)
• finally, connect to the VPN server from the Linux host as well

Homework
Your homework tasks:
• make the example (basic) configuration more secure
  • hint: take inspiration from the OpenVPN webpage (https://openvpn.net) or other pages providing tips to secure VPN tunnels (e.g. https://blog.g3rt.nl/openvpn-security-tips.html)
• our configuration has used so-called routing mode (L3 mode, dev tun); try to adapt it to use so-called bridged mode (L2 mode, dev tap)
• optional tasks / challenges:
  • adapt the configurations to authenticate clients using personal certificates (not username & password)
  • between two hosts, establish a site-to-site bridged VPN (interconnecting both networks into a single large network)
All reports should contain all the configuration files (server, client), including a description of all the changes performed on the (server) host. If you succeed with the configuration, include small packet captures (PCAP format) as well.
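As a starting point for the "make the configuration more secure" homework and for the Wireshark question about sending only internal-network traffic through the VPN, here is an added example (not part of the handout and not an OpenVPN tool): a small script that parses an OpenVPN server.conf, reports the weak settings of the lab configuration, and emits a hardened variant. The embedded config is constructed to match the options listed in section 2.B; the directives it adds (tls-crypt, tls-version-min, data-ciphers, auth, crl-verify, remote-cert-tls) are standard OpenVPN 2.5+ directives, while the file names ta.key and crl.pem and the internal subnet 10.10.10.0/24 are assumptions for the example. With split_tunnel=True the "redirect-gateway" push is replaced by a route for the internal subnet only.

```python
"""Audit and harden the lab's OpenVPN server.conf (added example, not lab code).

LAB_SERVER_CONF is constructed from the options shown in the lab handout.
Assumed file names: ta.key (tls-crypt key from `openvpn --genkey tls-crypt ta.key`)
and crl.pem (CRL exported from the EasyRSA CA).  Requires OpenVPN 2.5+ for
data-ciphers (older releases call it ncp-ciphers).
"""
from __future__ import annotations

LAB_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/openvpn.log
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
client-cert-not-required
"""


def parse_conf(text: str) -> list[tuple[str, str]]:
    """Return (directive, argument string) pairs; blank and comment lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        out.append((name, args.strip()))
    return out


def audit(text: str) -> list[str]:
    """Findings a reviewer would raise about a server.conf like the lab's."""
    conf = parse_conf(text)
    names = {n for n, _ in conf}
    args = dict(conf)  # last occurrence wins; enough for single-valued directives
    findings = []
    if "client-cert-not-required" in names or args.get("verify-client-cert") == "none":
        findings.append("client certificates disabled: anyone with ca.crt and a PAM password can connect")
    if "comp-lzo" in names or "compress" in names:
        findings.append("compression enabled: plaintext can leak via compression side channels (VORACLE)")
    if args.get("cipher", "").endswith("-CBC") and "auth" not in names:
        findings.append("CBC cipher with default HMAC only; prefer an AEAD cipher such as AES-256-GCM")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: the TLS handshake is reachable by unauthenticated packets")
    if "tls-version-min" not in names:
        findings.append("no tls-version-min: obsolete TLS versions remain negotiable")
    if "crl-verify" not in names:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    if "user" not in names or "group" not in names:
        findings.append("server keeps root privileges after start (user/group missing)")
    return findings


def harden(text: str, internal_net: str = "10.10.10.0 255.255.255.0",
           split_tunnel: bool = True) -> str:
    """Drop the weak directives and append the hardened ones.

    split_tunnel=True answers the Wireshark question: only the internal subnet
    is routed over the VPN instead of the client's whole default route.
    """
    drop = {"client-cert-not-required", "comp-lzo", "compress", "cipher"}
    kept = []
    for name, arg in parse_conf(text):
        if name in drop:
            continue
        if name == "push" and "redirect-gateway" in arg and split_tunnel:
            kept.append(("push", f'"route {internal_net}"'))
            continue
        kept.append((name, arg))
    kept += [
        ("tls-crypt", "ta.key"),                        # assumed file name
        ("tls-version-min", "1.2"),
        ("data-ciphers", "AES-256-GCM:AES-128-GCM"),    # AEAD only
        ("auth", "SHA256"),
        ("crl-verify", "crl.pem"),                      # assumed file name
        ("remote-cert-tls", "client"),                  # clients must present a client cert
    ]
    return "\n".join(f"{n} {a}".rstrip() for n, a in kept) + "\n"


if __name__ == "__main__":
    for finding in audit(LAB_SERVER_CONF):
        print("-", finding)
    print(harden(LAB_SERVER_CONF))
```

The hardened output still needs the matching client-side changes (a per-client certificate and key, the same tls-crypt key, "remote-cert-tls server" and "tls-version-min 1.2" in the .ovpn file) and a CRL that you regenerate whenever you revoke a client; the audit function is also a quick check to run on your own homework configuration before submitting it.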