Monday, November 21, 2005
OpenVPN on Suse 10
I work for a company where we do projects on-site for clients. Some of these projects result in us being away from the office for long periods of time. Being in the "connected" world we are, it is very helpful to connect to our company network at all times.
I suppose there are several options for connecting to a private network. One example would be dialup through RAS (Remote Access Server). One of the downsides of this approach is that it actually costs me money to connect to the other network (yes, we do pay for all telephone calls, even local ones). The target RAS server could "phone" me back, but the point is that someone still pays for the actual call.
This is where a VPN (Virtual Private Network) comes in handy. A VPN is a way to establish a connection to a private network securely when you are already on a public network (like the internet). There are various options when it comes to VPN solutions. We are currently using OpenVPN at our company. This is an open-source project licensed under the GPL. I will describe my scenario by example:
My company (Company A) exposes an OpenVPN server on the internet, which means anyone can actually connect to this server from anywhere. I'm currently sitting at Company B, which allows me access to the internet through an authenticated proxy. This means that I could access the OpenVPN server at Company A. The OpenVPN server is conveniently exposed on the SSL port 443 and the communication is encrypted. This means that the proxy (or any other tool) at Company B cannot "see" what we actually communicate.
To gain access to the private network, one also needs client-side OpenVPN software, which actually establishes the connection with the OpenVPN server at Company A. In my case, this client is configured to connect to the OpenVPN server at Company A, using the HTTP proxy at Company B.
To prevent anyone from connecting to the VPN server (and therefore gaining access to Company A's private network), we do authentication and encryption via a public/private key pair. These keys were generated for me at Company A. The private key is also encrypted with a password. Whenever I start up my VPN client, it requests the encryption password and then uses the public/private key pair to authenticate me to the target VPN server (public/private keys, authentication and encryption could be a whole new blog in its own right!).
When a connection is established between client and server in a VPN environment, the client side mimics a network card in the operating system through software only. This means that it exposes a network interface to applications, but this network interface is not a physical network card in the system. This special network interface just accepts IP traffic and routes everything over the VPN to the VPN server. This makes integration with client-side applications trivial. The software network interface is implemented as a TUN/TAP interface. There is support for such a module in most operating systems.
I have always had the OpenVPN client-side software installed and running on my Windows O/S. I now wanted to install this on my new Suse 10 O/S.
This is basically what I did:
- I couldn't find an OpenVPN installation RPM or package on the Suse DVD and therefore downloaded the source distribution from http://openvpn.net.
- The installation instructions required OpenSSL and LZO to be installed. OpenSSL was installed by default, but I had to add the OpenSSL development libraries with Yast as well.
- LZO was also installed, but I also needed the development libraries, which I downloaded and installed from http://www.oberhumer.com/opensource/lzo/
- According to installation instructions, I configured my OpenVPN build with: ./configure --with-lzo-headers /usr/local/include/ --with-lzo-lib /usr/local/lib/ - which worked fine.
- Build the source with make, which also worked fine.
- Installing the binaries with make install failed with the following error:
/usr/bin/install -c 'openvpn' '/usr/local/sbin//usr/local/include/-openvpn'
/usr/bin/install: cannot create regular file `/usr/local/sbin//usr/local/include/-openvpn': No such file or directory
make[1]: *** [install-sbinPROGRAMS] Error 1
Still not sure why this happens, as it seems like the paths are screwed. I gave up on trying to fix this, as I've got the binary built in the local directory and it seems that I can run it (I can always copy this to another directory if I wanted to).
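A small lint I added for this (it is not from the post or from OpenVPN) that checks a ./configure command line for bare arguments before running it. It rests on my reading of the generated configure script, which the post does not state: an option written without "=" takes no value (it is simply set to "yes"), and the bare word that follows is parsed as a build/host/target system-type alias instead. The doubled path in the "make install" error above (/usr/local/sbin//usr/local/include/-openvpn) is consistent with that stray alias ending up as the installed program-name prefix.

```shell
#!/bin/sh
# lint_configure_args: warn about bare (non-option) arguments on a configure
# command line, print the corrected command and return the number of bare
# arguments found (0 means the line is clean).
# Assumption (my reading of autoconf-generated configure scripts): "--opt value"
# does NOT pass value to --opt; configure sets --opt to "yes" and treats value
# as a system-type alias, which can later surface as a program-name prefix.
lint_configure_args() {
    prev=""   # last option seen without an attached "=value"
    out=""    # corrected command line being rebuilt
    bad=0
    for arg in "$@"; do
        case "$arg" in
            -*)
                # An earlier valueless option really was a flag: keep it as-is.
                if [ -n "$prev" ]; then out="$out $prev"; fi
                case "$arg" in
                    *=*) out="$out $arg"; prev="" ;;   # value attached: fine
                    *)   prev="$arg" ;;               # maybe a flag, maybe a mistake
                esac ;;
            *)
                bad=$((bad + 1))
                if [ -n "$prev" ]; then
                    echo "warning: '$arg' is not the value of $prev; configure sets $prev to yes and reads '$arg' as a system-type alias. Use $prev=$arg" >&2
                    out="$out $prev=$arg"; prev=""
                else
                    echo "warning: bare argument '$arg' is read as a system-type alias" >&2
                    out="$out $arg"
                fi ;;
        esac
    done
    if [ -n "$prev" ]; then out="$out $prev"; fi
    echo "./configure$out"
    return "$bad"
}

# The exact command line from the post, reconstructed here from its text.
lint_configure_args --with-lzo-headers /usr/local/include/ --with-lzo-lib /usr/local/lib/ \
    || echo "$? bare argument(s) found; the corrected command is printed above"
```

Run it with the intended configure arguments; when the exit status is non-zero, use the corrected command it prints instead of the original.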
According to the installation instructions, one has to do the following to get the TUN/TAP driver working under Linux:
(1) make device node: mknod /dev/net/tun c 10 200
(2a) add to /etc/modules.conf: alias char-major-10-200 tun
(2b) load driver: modprobe tun
(3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward
Note that either of steps (2a) or (2b) is sufficient. While (2a) only needs to be done once per install, (2b) needs to be done once per reboot. If you install from RPM (see above) and use the openvpn.init script, these steps are taken care of for you.
This is where my problems started:
- I already have a device called /dev/net/tun
- I don't even have an /etc/modules.conf file in my Suse installation!
- It looks like my TUN driver is loaded:
/lib/modules/2.6.13-15-smp/kernel/drivers/net/tun.ko
When running the OpenVPN client, it connects successfully to the server, but when it tries to start the TUN/TAP interface, I get the following error:
Cannot allocate TUN/TAP dev dynamically
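A preflight script I added (not from the post or the OpenVPN project) that checks the TUN/TAP prerequisites quoted from the INSTALL file before the client is started, so a missing piece is reported in plain words rather than as the dynamic-allocation error after the TLS handshake has already succeeded. It assumes the standard Linux node path /dev/net/tun and a 2.6-style /proc and /sys.

```shell
#!/bin/sh
# TUN/TAP preflight: device node, driver, privilege. Run as the user who
# will start openvpn. Assumption: /dev/net/tun is the clone device path.
TUN_NODE=${TUN_NODE:-/dev/net/tun}

# The TUN clone device is character major 10, minor 200. stat -c '%t %T'
# prints major/minor in hex, so the expected pair is "a" and "c8".
is_tun_major_minor() {
    [ "$1" = "a" ] && [ "$2" = "c8" ]
}

check_tun_node() {
    if [ ! -c "$TUN_NODE" ]; then
        echo "FAIL: $TUN_NODE missing or not a char device (mknod $TUN_NODE c 10 200)"
        return 1
    fi
    set -- $(stat -c '%t %T' "$TUN_NODE" 2>/dev/null)
    if ! is_tun_major_minor "$1" "$2"; then
        echo "FAIL: $TUN_NODE is major/minor ${1:-?}/${2:-?} (hex), expected a/c8"
        return 1
    fi
    echo "ok: $TUN_NODE is the TUN clone device"
}

# Driver present either as a loaded module (tun.ko) or built in; the misc
# device registers under /sys/class/misc/tun in both cases.
check_tun_driver() {
    if grep -q '^tun ' /proc/modules 2>/dev/null || [ -d /sys/class/misc/tun ]; then
        echo "ok: tun driver present"
    else
        echo "FAIL: tun driver not loaded (modprobe tun)"; return 1
    fi
}

# Creating the interface (TUNSETIFF) needs CAP_NET_ADMIN, which on a desktop
# of this era means running the client as root; a permission failure here is
# a typical reason the dynamic allocation fails after the handshake succeeded.
check_privilege() {
    if [ "$(id -u)" = 0 ]; then echo "ok: running as root"
    else echo "FAIL: not root, openvpn cannot create the interface"; return 1; fi
}

# Step (3), ip_forward, is only needed on a host that routes for others (the
# server or a gateway). A plain client works with it off, and leaving it off
# keeps remote hosts from routing through this machine.
show_ip_forward() {
    echo "info: ip_forward=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo '?') (routers only)"
}

run_preflight() {
    rc=0
    check_tun_node || rc=1; check_tun_driver || rc=1; check_privilege || rc=1
    show_ip_forward; return $rc
}

if run_preflight; then echo "TUN/TAP preflight passed"; else echo "TUN/TAP preflight found problems"; fi
```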
I searched the web, and struggled with this for a while, until one of my colleagues pointed me in the direction of an already built OpenVPN RPM for Suse 10: ftp://rpmfind.net/linux/SuSE-Linux/i386/update/10.0/rpm/i586/openvpn-2.0.2-2.2.i586.rpm
I installed this and, what do you know, everything just worked. I can connect to and use my company's private network in my Linux O/S!
Being a software developer, I like to know why something worked after I struggled with a problem for a while, but in this case I cannot explain why the RPM works but my custom build does not. This is quite frustrating: how can I figure out what exactly an RPM does (besides just copying binaries)?
I'll see if I get time to look at this again, but at least it's working.
Until next time, when I hopefully get to my VMWare attempt.
[What's the difference between a C++ programmer and God? God knows he's not a C++ programmer]
Comments:
SJOE! EISH! HAOW! AIKONA BOOTI!
I know I should comment on content but I am unsure of the content as it is really technical and lost me halfway.
I want to comment on the composition of the blog, if that is alright. Just delete my comment with your C++ programmer like powers if you don't like it ;-)
I think, as you mentioned about certificates, that you should break the blog up into 2 parts. One explaining what VPN is and all that and one explaining the Linux stuff. I think it might be easier to follow - or let me say I would've found it easier to follow (not that I am absolutely sure but I think so)
I am sure, should I want to install Suse and connect to a VPN, that I will find this blog useful but now I am just plain common confused ;-)
I unfortunately do not possess the "C++ programmer-like powers" you are also referring to, otherwise I wouldn't have struggled so much with my Linux installation!
I appreciate your comment and will split my future blogs into a general description / ideas on certain topics / technologies and the nitty-gritty of my struggles and solutions - Expect more problems than solutions ;-)