shorewall_code/Shorewall-docs2/OPENVPN.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="OPENVPN">
  <!--$Id$-->

  <articleinfo>
    <title>OpenVPN Tunnels</title>

    <authorgroup>
      <author>
        <firstname>Simon</firstname>

        <surname>Mater</surname>
      </author>

      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2005-10-12</pubdate>

    <copyright>
      <year>2003</year>

      <year>2004</year>

      <year>2005</year>

      <holder>Simon Mater</holder>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>

  <para>OpenVPN is a robust and highly configurable VPN (Virtual Private
  Network) daemon which can be used to securely link two or more private
  networks using an encrypted tunnel over the internet. OpenVPN is an Open
  Source project and is <ulink
  url="http://openvpn.sourceforge.net/license.html">licensed under the
  GPL</ulink>. OpenVPN can be downloaded from <ulink
  url="http://openvpn.net/">http://openvpn.net/</ulink>.</para>

  <section>
    <title>Preliminary Reading</title>

    <para>I recommend reading the <ulink url="VPNBasics.html">VPN
    Basics</ulink> article if you plan to implement any type of VPN.</para>
  </section>

  <section>
    <title>Bridging two Masqueraded Networks</title>

    <para>Suppose that we have the following situation:</para>

    <graphic fileref="images/TwoNets1.png" />

    <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
    communicate with the systems in the 10.0.0.0/8 network. This is
    accomplished through use of the
    <filename>/etc/shorewall/tunnels</filename> file and the
    <filename>/etc/shorewall/policy file</filename> and OpenVPN.</para>

    <para>While it was possible to use the Shorewall start and stop script to
    start and stop OpenVPN, I decided to use the init script of OpenVPN to
    start and stop it.</para>

    <para>On each firewall, you will need to declare a zone to represent the
    remote subnet. We'll assume that this zone is called <quote>vpn</quote>
    and declare it in <filename>/etc/shorewall/zones</filename> on both
    systems as follows.</para>

    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
      B</para>

      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
#                                      OPTIONS                 OPTIONS
vpn     ipv4</programlisting>
    </blockquote>

    <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
    role="bold">vpn</emphasis> zone.</para>

    <blockquote>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>

      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
vpn        tun0</programlisting>
    </blockquote>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
    the following:</para>

    <blockquote>
      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn       net            134.28.54.2</programlisting>
    </blockquote>

    <note>
      <para>Shorewall versions prior to 2.2.0 Beta 1 enforced use of the same
      port number for both the source and destination port.</para>

      <para>Some OpenVPN clients (notabley on <trademark>Windows</trademark>)
      do not use the same source and destination ports which can cause
      problems. If system B is a Windows system or if you find that Shorewall
      is blocking the UDP port 1194 traffic from the remote gateway and you
      are running a version of Shorewall prior to 2.2.0 Beta 1, then you will
      want the following entry in <filename>/etc/shorewall/tunnels</filename>
      instead of the one above:</para>

      <programlisting>#TYPE                  ZONE           GATEWAY        GATEWAY ZONE
generic:udp:1194       net            134.28.54.2</programlisting>
    </note>

    <para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
    firewall so that OpenVPN traffic on the default port 1194/udp will be
    accepted to/from the remote gateway. If you change the port used by
    OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:</para>

    <blockquote>
      <para>/etc/shorewall/tunnels with port 7777:</para>

      <programlisting>#TYPE             ZONE           GATEWAY         GATEWAY ZONE
openvpn:7777      net            134.28.54.2</programlisting>
    </blockquote>

    <para>This is the OpenVPN config on system A:</para>

    <blockquote>
      <programlisting>dev tun
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
up ./route-a.up
tls-server
dh dh1024.pem
ca ca.crt
cert my-a.crt
key my-a.key
comp-lzo
verb 5</programlisting>
    </blockquote>

    <para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
    <emphasis role="bold">vpn</emphasis> zone</para>

    <blockquote>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      B:</para>

      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
vpn        tun0             192.168.1.255</programlisting>
    </blockquote>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system B, we
    have:</para>

    <blockquote>
      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn       net            206.191.148.9</programlisting>
    </blockquote>

    <para>And in the OpenVPN config on system B:</para>

    <blockquote>
      <programlisting>dev tun
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
up ./route-b.up
tls-client
ca ca.crt
cert my-b.crt
key my-b.key
comp-lzo
verb 5</programlisting>
    </blockquote>

    <para>You will need to allow traffic between the <quote>vpn</quote> zone
    and the <quote>loc</quote> zone on both systems -- if you simply want to
    admit all traffic in both directions, you can use the policy file:</para>

    <blockquote>
      <para><filename>/etc/shorewall/policy </filename>on systems A &amp;
      B</para>

      <programlisting>#SOURCE        DEST          POLICY          LOG LEVEL
loc            vpn           ACCEPT
vpn            loc           ACCEPT</programlisting>
    </blockquote>

    <para>On both systems, restart Shorewall and start OpenVPN. The systems in
    the two masqueraded subnetworks can now talk to each other.</para>
  </section>

  <section>
    <title>Roadwarrior</title>

    <para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
    the setup in the following diagram:</para>

    <graphic fileref="images/Mobile.png" />

    <para>On the gateway system (System A), we need a zone to represent the
    remote clients — we'll call that zone <quote>road</quote>.</para>

    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System A:</para>

      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
#                                      OPTIONS                 OPTIONS
road    ipv4</programlisting>
    </blockquote>

    <para>On system A, the remote clients will comprise the <emphasis
    role="bold">road</emphasis> zone.</para>

    <blockquote>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      A:</para>

      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
road       tun+</programlisting>
    </blockquote>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
    the following:</para>

    <blockquote>
      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn:1194  net            0.0.0.0/0</programlisting>
    </blockquote>

    <para>If you are running Shorewall 2.4.3 or later, you might prefer the
    following in <filename>/etc/shorewall/tunnels</filename> on system A.
    Specifying the tunnel type as openvpnserver has the advantage that the VPN
    connection will still work if the client is behind a gateway/firewall that
    uses NAT.</para>

    <blockquote>
      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
openvpnserver:1194  net            0.0.0.0/0</programlisting>
    </blockquote>

    <para>We want the remote systems to have access to the local LAN — we do
    that with an entry in <filename>/etc/shorewall/policy</filename> (assume
    that the local LAN comprises the zone <quote>loc</quote>).</para>

    <blockquote>
      <programlisting>#SOURCE      DESTINATION        POLICY
road         loc                ACCEPT</programlisting>
    </blockquote>

    <para>The OpenVPN configuration file on system A is something like the
    following:</para>

    <blockquote>
      <programlisting>dev tun

server 192.168.2.0 255.255.255.0

dh dh1024.pem

ca /etc/certs/cacert.pem

crl-verify /etc/certs/crl.pem

cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem

port 1194

comp-lzo

user nobody

group nogroup

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3</programlisting>
    </blockquote>

    <para>Configuration on the remote clients follows a similar line. We
    define a zone to represent the remote LAN:</para>

    <blockquote>
      <para><filename>/etc/shorewall/zones</filename> — System B:</para>

      <programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
#                                      OPTIONS                 OPTIONS
home    ipv4</programlisting>
    </blockquote>

    <para>On system A, the hosts accessible through the tunnel will comprise
    the <emphasis role="bold">home</emphasis> zone.</para>

    <blockquote>
      <para>In <filename>/etc/shorewall/interfaces</filename> on system
      B:</para>

      <programlisting>#ZONE      INTERFACE        BROADCAST     OPTIONS
home       tun0</programlisting>
    </blockquote>

    <para>In <filename>/etc/shorewall/tunnels</filename> on system B, we need
    the following:</para>

    <blockquote>
      <programlisting>#TYPE         ZONE           GATEWAY        GATEWAY ZONE
openvpn:1194  net            206.162.148.9</programlisting>
    </blockquote>

    <para>Again in you are running Shorewall 2.4.3 or later, in
    <filename>/etc/shorewall/tunnels</filename> on system B you might
    prefer:</para>

    <blockquote>
      <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
openvpnclient:1194  net            206.162.148.9</programlisting>
    </blockquote>

    <para>We want the remote clien to have access to the local LAN — we do
    that with an entry in <filename>/etc/shorewall/policy</filename>.</para>

    <blockquote>
      <programlisting>#SOURCE      DESTINATION        POLICY
$FW          home               ACCEPT</programlisting>
    </blockquote>

    <para>The OpenVPN configuration on the remote clients is along the
    following line:</para>

    <blockquote>
      <programlisting>dev tun
remote 206.162.148.9
up /etc/openvpn/home.up

tls-client
pull

ca /etc/certs/cacert.pem

cert /etc/certs/SystemB.pem
key /etc/certs/SystemB_key.pem

port 1194

user nobody
group nogroup

comp-lzo

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3</programlisting>
    </blockquote>

    <para>If you want multiple remote clients to be able to communicate openly
    with each other then you must:</para>

    <orderedlist>
      <listitem>
        <para>Include the <emphasis role="bold">client-to-client</emphasis>
        directive in the server's OpenVPN configuration; and</para>
      </listitem>

      <listitem>
        <para>Specify the <emphasis role="bold">routeback</emphasis> option on
        the <filename class="devicefile">tun+</filename> device in <ulink
        url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
      </listitem>
    </orderedlist>

    <para>If you want to selectively allow communication between the clients,
    then see <ulink
    url="http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&amp;section=WRTMemo&amp;subsec=vpnwithshorewall">this
    article</ulink> by Marc Zonzon</para>
  </section>

  <section>
    <title>Securing a Home Wireless Network with OpenVPN (OpenVPN
    Bridge)</title>

    <para>This section will discuss how I secured my home wireless network
    using OpenVPN. Our network is as shown in the following diagram.</para>

    <graphic fileref="images/network3.png" />

    <para>The Wireless zone is in the lower right of the diagram and consists
    of two laptops: Eastepnc6000 (Windows XP - SP1) and Tipper (SuSE 10.0). We
    use OpenVPN to bridge those two laptops with the Local Zone shown in the
    lower left hand corner. The laptops are configured with addresses in the
    192.168.3.0/24 network connection to the firewall's <filename
    class="devicefile">eth0</filename> interface which places them in the
    firewall's Wifi zone. OpenVPN bridging allows them to be assigned an
    additional temporary IP address from the 192.168.1.0/24 network and to be
    securely bridged to the LAN on the lower left.</para>

    <section>
      <title>Configuring the Bridge</title>

      <para>The firewall runs Debian Sarge so the bridge is defined in
      <filename>/etc/network/interfaces</filename>.</para>

      <programlisting># LAN interface
auto br0
iface br0 inet static
        address 192.168.1.254
        netmask 255.255.255.0
        pre-up /usr/sbin/openvpn --mktun --dev tap0
        pre-up /sbin/ip link set tun0 up
        pre-up /sbin/ip link set eth3 up
        pre-up /usr/sbin/brctl addbr br0
        pre-up /usr/sbin/brctl addif br0 eth3
        pre-up /usr/sbin/brctl addif br0 tap0
        up ip route add 224.0.0.0/4 dev br0
        post-down /usr/sbin/brctl delif br0 eth3
        post-down /usr/sbin/brctl delif br0 tap0
        post-down /usr/sbin/brctl delbr br0
        post-down /usr/sbin/openvpn --rmtun --dev tap0</programlisting>

      <para>Note that the IP address assigned to the bridge is 192.168.1.254
      -- that is the default gateway address for hosts in the local
      zone.</para>
    </section>

    <section>
      <title>Configuring OpenVPN</title>

      <para>We use X.509 certificates for authentication.</para>

      <section>
        <title>Firewall (Server) configuration.</title>

        <para>/etc/openvpn/server-bridge.conf defines a bridge and reserves IP
        addresses 192.168.1.64-192.168.1.71 for VPN clients. Note that the
        bridge server only uses local IP address 192.168.3.254. We run two
        instances of OpenVPN; this one and a second tunnel-mode instance for
        remote access (see </para>

        <programlisting>dev tap0

local 192.168.3.254

server-bridge 192.168.1.254 255.255.255.0 192.168.1.64 192.168.1.71

client-to-client

dh dh1024.pem

ca /etc/certs/cacert.pem

crl-verify /etc/certs/crl.pem

cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem

port 1194

comp-lzo

user nobody
group nogroup

keepalive 15 45
ping-timer-rem
persist-tun
persist-key

verb 3</programlisting>
      </section>

      <section>
        <title>Tipper Configuration</title>

        <para>/etc/openvpn/wireless.conf:</para>

        <programlisting>dev tap

remote 192.168.3.254
tls-remote gateway.shorewall.net

client

route-gateway 192.168.1.254

up /etc/openvpn/wireless.up
down /etc/openvpn/wireless.down

ca /etc/certs/cacert.pem

cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem

port 1194

comp-lzo

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

mute-replay-warnings

verb 3</programlisting>

        <para>/etc/openvpn/wireless.up changes the default gateway to
        192.168.1.254:</para>

        <programlisting>ip route replace default via 192.168.1.254 dev tap0</programlisting>

        <para>/etc/openvpn/wireless.down restores the default gateway to
        192.168.3.254. Note that this command requires privilege and hence we
        do not include "user nobody" and "group nobody" in
        /etc/openvpn/wireless.conf.</para>

        <para>/etc/openvpn/wireless.down:</para>

        <programlisting>ip route replace default via 192.168.3.254 dev eth0</programlisting>
      </section>
    </section>

    <section>
      <title>Configuring Shorewall</title>

      <para>In this configuration, we don't need any firewalling between the
      laptops and the local LAN so we set BRIDGING=No in shorewall.conf. The
      configuration of the bridge then becomes as described in the <ulink
      url="SimpleBridge.html">Simple Bridge documentation</ulink>.</para>

      <section>
        <title>Firewall</title>

        <section>
          <title>/etc/shorewall/interfaces</title>

          <para>Note that the bridge (br0) is defined as the interface to the
          local zone and has the <emphasis role="bold">routeback</emphasis>
          option.</para>

          <programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
net     eth2            206.124.146.255         dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc     br0             192.168.1.255           dhcp,<emphasis role="bold">routeback</emphasis>
dmz     eth1            -                       logmartians
Wifi    eth0            192.168.3.255           dhcp,maclist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        </section>

        <section>
          <title>/etc/shorewall/tunnels</title>

          <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:1194      Wifi    192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        </section>
      </section>

      <section>
        <title>Tipper</title>

        <section>
          <title>/etc/shorewall/zones</title>

          <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
<emphasis role="bold">home    ipv4</emphasis>    #Wired LAN at our home
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
        </section>

        <section>
          <title>/etc/shorewall/interfaces</title>

          <programlisting>#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net      eth0           detect          routefilter,dhcp,tcpflags
<emphasis role="bold">home     tap0           192.168.1.255</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
        </section>

        <section>
          <title>/etc/shorewall/policy</title>

          <para>Since we don't expect any traffic between the <emphasis
          role="bold">net</emphasis> zone and the <emphasis
          role="bold">home</emphasis> zone, we use NONE policies for that
          traffic. If any such traffic should occur, it will be handled
          according to the all-&gt;all policy.</para>

          <programlisting>#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
<emphasis role="bold">fw              home            ACCEPT
home            fw              ACCEPT
net             home            NONE
home            net             NONE</emphasis>
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
</programlisting>
        </section>
      </section>
    </section>
  </section>
</article>