How to use OpenVPN for Simulation Connectivity

Author: Diana Caldwell
INTRODUCTION

VIRL includes the ability to use OpenVPN for VPN connectivity. This feature allows the user to securely connect from a remote location to the VIRL server. The user can then use the VPN connection to access the VIRL server and the nodes in the simulation(s).

VIRL places the remote client (your PC) directly on the FLAT network using a Layer 2 connection. This means that the remote client is Layer 2 ‘adjacent’ to those simulated nodes that have an interface on FLAT.

TECHNICAL DETAIL

Remote users are authenticated using certificates. These certificates are created automatically on the VIRL server when the OpenVPN service is set up. IP addresses for connected clients are assigned from an IP range configured during OpenVPN service configuration. The addresses must be in the FLAT subnet; the default range is 172.16.1.20 - 172.16.1.39. Currently no more than 20 remote clients may connect simultaneously.

• IP addresses are assigned dynamically from the configured IP range.
• Only administrators can enable the OpenVPN service.
• Accessing STD and UWM via the VPN is possible on 172.16.1.254.
• Use case: to minimize the attack surface, use the Linux firewall to allow only VPN and SSH on the public interface.
• Accessing console ports via STD / VMM requires additional changes that are beyond the scope of this basic document.
• There is only one OpenVPN configuration file, shared by all users of the VIRL server. This ‘.ovpn’ file is not unique to each user, so treat it as a credential: anyone who holds a copy can join the FLAT network.
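The firewall use case listed above, restricting the server's public interface to VPN and SSH, as an added example; this script is not from the original page or from the VIRL project. It assumes iptables on the Ubuntu-based VIRL server, that the public interface is eth0, and that the OpenVPN UDP listener uses the OpenVPN project default port 1194; the page states neither the interface name nor the UDP port, so both are parameters. The rules are emitted by a function so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: restrict the VIRL server's public interface so that only
# SSH, OpenVPN over UDP and OpenVPN over TCP 443 are reachable from outside.
# Assumptions (not stated on the page): iptables, public interface eth0,
# OpenVPN UDP port 1194. FLAT-side interfaces are not touched.

# Print the INPUT rules for the given public interface and OpenVPN UDP port.
fw_rules() {
    pub_if="$1"
    ovpn_udp="$2"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${pub_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${pub_if} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ${pub_if} -p udp --dport ${ovpn_udp} -j ACCEPT
iptables -A INPUT -i ${pub_if} -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i ${pub_if} -m limit --limit 5/min -j LOG --log-prefix "virl-pub-drop: "
iptables -A INPUT -i ${pub_if} -j DROP
EOF
}

# Number of rules that open a port; a quick review check that nothing extra
# has crept into the rule set (expected: SSH, OpenVPN/UDP, OpenVPN/TCP = 3).
fw_open_ports() {
    fw_rules "$1" "$2" | grep -c -- '--dport'
}

# Apply only when explicitly requested; otherwise show what would run.
if [ "${APPLY_FW:-0}" = "1" ]; then
    fw_rules "${PUBLIC_IF:-eth0}" "${OVPN_UDP_PORT:-1194}" | sh -e
else
    fw_rules "${PUBLIC_IF:-eth0}" "${OVPN_UDP_PORT:-1194}"
fi
```

The rules are appended, so apply them to an empty INPUT chain (or insert them ahead of existing rules with -I) from the server console rather than over SSH, and persist them with the distribution's mechanism, for example the iptables-persistent package on Ubuntu. The LOG rule before the final DROP gives a rate-limited record of whatever else is knocking on the public interface.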

CAVEATS

The user should have a basic understanding of remote access VPNs and their function. It is also assumed that the user understands that ports may need to be opened on the user’s or the remote firewall to allow VPN connectivity.

The VIRL server offers two connection methods: the default uses UDP as the transport, the second uses TCP on port 443. Some firewalls block VPN traffic on the default UDP port. Establishing the OpenVPN connection over TCP port 443 (the port used for secure HTTP) is usually possible, and it works even when traffic passes through a proxy, as long as HTTPS is allowed.

Another important caveat is that certain environments do not permit the use of multiple VPN clients at the same time. For example, if the Cisco AnyConnect VPN client is in use and the VIRL server is reachable only through the AnyConnect tunnel, OpenVPN will not work when split tunneling is administratively prohibited.

VIRL White Paper
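The transport fallback described in the caveats above, as an added example; this fragment is not from the original page or from the VIRL project. The downloaded client.ovpn already carries the server address, the certificates and the options the VIRL server expects, so only the connection-profile part is shown here. The hostname virl.example.net, the UDP port 1194 (the OpenVPN project default; the page does not state which UDP port VIRL uses) and the proxy proxy.corp.example:8080 are placeholders.

```conf
# Added example, not the VIRL-generated file: connection profiles that try the
# default UDP transport first and fall back to TCP 443 when UDP is filtered.
# Placeholders: virl.example.net, UDP port 1194, proxy.corp.example:8080.
client
dev tap
nobind
persist-key
persist-tun
connect-retry-max 3

# Profile 1: the VIRL default, UDP.
<connection>
remote virl.example.net 1194 udp
connect-timeout 10
</connection>

# Profile 2: TCP on 443, tried after profile 1 fails. To a firewall this looks
# like HTTPS. Uncomment http-proxy when an HTTP proxy sits in the path; a
# proxy can only carry the TCP profile, never the UDP one.
<connection>
remote virl.example.net 443 tcp
# http-proxy proxy.corp.example 8080
connect-timeout 10
</connection>

# The <ca>, <cert> and <key> blocks from the downloaded client.ovpn follow here.
```

Profiles are tried in the order listed. Tunnelblick, the Windows client and the Linux command-line client all read this format, so the same edited file serves every platform; the TCP remote must of course match the port the VIRL server actually listens on, which is 443 as described above.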

Page 1

OpenVPN Configuration Guide

KNOWN WORKING OPERATING SYSTEMS

This list is by no means exhaustive. It just represents a list of operating systems that were successfully used by the VIRL team. Other OS versions or platforms (Android, iOS, *BSD, …) will probably work as long as there is an OpenVPN implementation for said platform.

• Linux
  o Ubuntu 14.04 / 15.04
  o Fedora 22
  o CentOS 7
• Mac OS X (10.9 and later)
• Windows 7 and later

CONFIGURING OPENVPN (VIA UWM)

This document will assist with the configuration of the OpenVPN feature on the VIRL server using UWM. In order to connect to your system you must use an OpenVPN client that accepts the ‘.ovpn’ file format. You will need to download the appropriate OpenVPN client for your operating system. For detailed information on installing the client, please refer to the OpenVPN project web page1 or the client application documentation.

You can download free clients for Windows and Mac OS X from the following links. Note that other OpenVPN clients are available (paid and free); the suggested programs represent a non-exhaustive list.

Client for Windows: https://openvpn.net/index.php/open-source/downloads.html
Client for Mac OS X: https://tunnelblick.net/downloads.html
Client for Linux: An OpenVPN client for Linux should be part of any distribution. Please consult the distribution-specific documentation on how to install and configure the OpenVPN client. A good starting point for configuring the client is typically the Network Manager application. This document also contains a section about using OpenVPN via the command line.

1 https://openvpn.net/index.php/open-source/documentation/howto.html#install


Step 1 Connect to UWM and navigate to System Configuration (under VIRL Server)

Step 2 Tick ‘OpenVPN server on/off’

Step 3 Click on ‘Apply Changes’ (opens new page)

Step 4 Then, again ‘Apply Changes’ to commit the configuration


Ensure all commands complete as expected. If the result does not show ‘(x out of x)’ then something is wrong and OpenVPN may not function as expected. Additional log (and potential error) messages can be retrieved by clicking on the ‘state.sls virl.openvpn’ link under the Job column.

GETTING READY TO CONNECT

Step 1 Click on the ‘uwmadmin’ icon at the top right corner

Step 2 Scroll to the bottom of the page and click on ‘Download OpenVPN client configuration file’

Step 3 Save the file to a known location – this file will configure the OpenVPN client connection


Note: The ‘.ovpn’ file is not user-specific and may be shared among VIRL server users, but only an administrator can configure the OpenVPN service.

CONNECTING FROM WINDOWS 7 (AND LATER)

Step 1 Install your preferred OpenVPN client software and launch it on completion (the examples show the OpenVPN ‘free client’)

Step 2 Navigate to your OpenVPN file (client.ovpn)

Step 3 Right-click on the file and select ‘Start OpenVPN with this config file’


Step 4 A terminal window will open and show connection information. You must leave this terminal window open in order to keep your VPN connection alive.

Step 5 When the connection is complete you will see a line like this:

Tue Nov 03 09:57:37 2015 Initialization Sequence Completed

CONNECTING FROM LINUX

Step 1 Install the OpenVPN client and launch it on completion. See here2 for additional installation details. As mentioned above, this is highly distribution-specific.

Step 2 Launch your favorite terminal client and change directory to the location of your ‘client.ovpn’ file

Step 3 Start your connection with this command (leave the terminal open to keep the VPN connection alive):

~$ sudo openvpn --config client.ovpn

Step 4 Once connected you will see a line like this:

Tue Nov 03 09:57:37 2015 Initialization Sequence Completed

CONNECTING FROM MAC OS X

The following instructions assume you’re using Tunnelblick for Mac OS X. If you’re using a different OpenVPN client then the procedure might be slightly different.

Step 1 Install the client for Mac OS X. For more information about installing Tunnelblick go to this site3

Step 2 Launch Tunnelblick on completion

Step 3 You will now have an icon at the top right of your screen

Note: The icon is grayed out when not connected

Step 4 Navigate to your ‘client.ovpn’ file

Step 5 Right-click on the file and select ‘Open with…’ > Tunnelblick.app

Step 6 Answer the pop-up dialog as needed

2 https://openvpn.net/index.php/access-server/docs/admin-guides/182-how-to-connect-to-access-server-with-linux-clients.html
3 https://tunnelblick.net/cInstall.html


Step 7 Once the file is installed successfully you can launch the connection

Step 8 Hover over the Tunnelblick icon on the menu bar to expose the connection window

Step 9 Click ‘Connect’; after successful negotiation you should see the client connected

Note: You can also click on the Tunnelblick icon directly and select ‘Connect client’


USING OPENVPN

When the connection is established, check that a valid IP address has been assigned to your remote client. This IP address is taken from the client IP range configured in UWM. Here is an example on Mac OS X (the results and commands on Linux are similar; on Windows run ipconfig):

$ ifconfig tap0
tap0: flags=8843 mtu 1500
        ether da:7c:2d:61:c1:db
        inet 172.16.1.20 netmask 0xffffff00 broadcast 172.16.1.255
        media: autoselect
        status: active
        open (pid 9125)

Note: Here, the tap0 interface has the IP 172.16.1.20, which is on the FLAT subnet of your VIRL server.

Also check the routing table, which has several references to the networks that are reachable via the VPN on the remote end (e.g. the VIRL server):

$ netstat -rn | grep tap0
172.16.1/24        link#14            UC          3        0   tap0
172.16.1.254       4e:fa:7d:5b:39:3f  UHLWIi     16     3329   tap0
172.16.1.255       ff:ff:ff:ff:ff:ff  UHLWbI      0        3   tap0

On Windows:

$ route print -4
…(omitted text)
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.50.3    172.16.50.55     10
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
       172.16.1.0    255.255.255.0         On-link      172.16.1.20    276
      172.16.50.0    255.255.255.0         On-link     172.16.50.55    266
     172.16.50.55  255.255.255.255         On-link     172.16.50.55    266
    172.16.50.255  255.255.255.255         On-link     172.16.50.55    266
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      172.16.1.20    276
        224.0.0.0        240.0.0.0         On-link     172.16.50.55    266
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.16.50.55    266
===========================================================================
Persistent Routes:
  None

The 172.16.1.0 / 255.255.255.0 entry on interface 172.16.1.20 is the FLAT network, reached over the VPN adapter.


You should also be able to ping the VIRL server’s IP on the FLAT network and any running node that has an IP on that network:

$ ping 172.16.1.56
PING 172.16.1.56 (172.16.1.56): 56 data bytes
64 bytes from 172.16.1.56: icmp_seq=0 ttl=64 time=1.122 ms
64 bytes from 172.16.1.56: icmp_seq=1 ttl=64 time=0.711 ms
64 bytes from 172.16.1.56: icmp_seq=2 ttl=64 time=0.781 ms
^C
--- 172.16.1.56 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.711/0.871/1.122/0.180 ms

$ ping 172.16.1.254
PING 172.16.1.254 (172.16.1.254): 56 data bytes
64 bytes from 172.16.1.254: icmp_seq=0 ttl=64 time=0.685 ms
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.779 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.917 ms
^C
--- 172.16.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.685/0.793/0.917/0.083 ms
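The three checks above (address from the client range, FLAT route via the tap interface, ping of the VIRL server), as an added example for Mac OS X and Linux clients; this script is not from the original page or from the VIRL project. The range 172.16.1.20 - 172.16.1.39 and the FLAT address 172.16.1.254 are the page's defaults and must be changed if UWM was configured differently. Sample ifconfig and netstat output, modelled on the page's output, is constructed inline so the checks can be exercised without a live tunnel; when a tap0 interface exists the live output is used instead.

```shell
#!/bin/sh
# Added example: verify the OpenVPN connection to the VIRL FLAT network from a
# Mac OS X or Linux client. Defaults are the page's values; the client range
# and FLAT address come from the UWM OpenVPN configuration (assumption).

CLIENT_RANGE_LO=172.16.1.20
CLIENT_RANGE_HI=172.16.1.39
VIRL_FLAT_IP=172.16.1.254
FLAT_ROUTE=172.16.1/24      # destination as printed by "netstat -rn" on Mac OS X
VPN_IF=tap0

# Dotted quad -> integer, so addresses can be compared as numbers.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeeds when address $1 lies within the inclusive range $2..$3.
in_client_range() {
    ip=$(ip_to_int "$1"); lo=$(ip_to_int "$2"); hi=$(ip_to_int "$3")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# First IPv4 address in ifconfig output ($1). Handles the BSD/Mac OS X form
# "inet 172.16.1.20 netmask ..." and the old net-tools form "inet addr:172.16.1.20".
tap_inet_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# Succeeds when routing-table text ($1) sends destination $2 out interface $3.
route_via_if() {
    printf '%s\n' "$1" | awk -v dst="$2" -v ifc="$3" \
        '$1 == dst && $NF == ifc { found = 1 } END { exit !found }'
}

# Run the address and route checks over ifconfig text ($1) and route text ($2).
verify_connection() {
    addr=$(tap_inet_addr "$1")
    if [ -z "$addr" ]; then
        echo "FAIL: no IPv4 address on $VPN_IF"; return 1
    fi
    if ! in_client_range "$addr" "$CLIENT_RANGE_LO" "$CLIENT_RANGE_HI"; then
        echo "FAIL: $addr is outside the client range $CLIENT_RANGE_LO-$CLIENT_RANGE_HI"; return 1
    fi
    if ! route_via_if "$2" "$FLAT_ROUTE" "$VPN_IF"; then
        echo "FAIL: $FLAT_ROUTE is not routed via $VPN_IF"; return 1
    fi
    echo "OK: $VPN_IF has $addr and $FLAT_ROUTE is reachable via $VPN_IF"
}

# Constructed sample output (not captured from a real session), modelled on the
# Mac OS X output shown on the page plus an Ubuntu 14.04 style ifconfig line.
SAMPLE_IFCONFIG='tap0: flags=8843 mtu 1500
        ether da:7c:2d:61:c1:db
        inet 172.16.1.20 netmask 0xffffff00 broadcast 172.16.1.255
        media: autoselect
        status: active'
SAMPLE_IFCONFIG_LINUX='tap0      Link encap:Ethernet  HWaddr da:7c:2d:61:c1:db
          inet addr:172.16.1.21  Bcast:172.16.1.255  Mask:255.255.255.0'
SAMPLE_ROUTES='172.16.1/24        link#14            UC          3        0   tap0
172.16.1.254       4e:fa:7d:5b:39:3f  UHLWIi     16     3329   tap0
172.16.1.255       ff:ff:ff:ff:ff:ff  UHLWbI      0        3   tap0'

if live_if=$(ifconfig "$VPN_IF" 2>/dev/null); then
    live_routes=$(netstat -rn 2>/dev/null | grep "$VPN_IF")
    verify_connection "$live_if" "$live_routes" && ping -c 3 "$VIRL_FLAT_IP"
else
    verify_connection "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTES"
fi
```

On Linux, netstat prints the FLAT route as "172.16.1.0 0.0.0.0 255.255.255.0 ... tap0" rather than "172.16.1/24", so set FLAT_ROUTE accordingly there. An address outside the configured range, or a FLAT route that points at another interface, usually means the client connected to a different OpenVPN server or that the UWM range was changed after the .ovpn file was downloaded.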

And, finally, a Telnet connection to a router via the LXC jump host using the VPN:

$ ssh [email protected]
telnet 10.255.0.6
Trying 10.255.0.6...
Connected to 10.255.0.6.
Escape character is '^]'.
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password: cisco
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
iosv-1>


With the remote PC now on the same IP subnet (the FLAT network) as the simulation nodes, all tools that need IP connectivity can be used. Examples are Telnet, SSH, SNMP, other network management software, controllers running as a local VM that need access to simulation routers, etc.

Happy connecting!
