Road Warrior Access with OpenVPN

Since my previous posts (1 & 2) about using IPsec in tunnel mode to securely connect multiple networks (I’m up to 17 on the same gateway), I have needed to add support for “road warriors”.

While IPsec has low overhead, even in tunnel mode, it requires a lot of effort to configure for use by mobile clients. First, we must now assume NATs in the field, whether clients are behind the now omnipresent home gateways or on public wireless networks. Secondly, it is my experience that using a VPN system based around bridging has many advantages:

  • supports services requiring broadcasts (SMB Browsing, Zeroconf/Rendezvous, etc.)
  • allows bi-directional routing to remote networks
  • supports legacy, non-IP, protocols

To elaborate on the routing issue: in our setup, the main gateway connects to 17 remote networks via IPsec. With a routed VPN, for a road warrior to reach one of those remote networks both the client and the remote gateway must carry the correct routes for it, and every one of those routing tables has to be kept up to date. With a bridged VPN the client appears as a host on the main gateway's LAN, so the remote gateways already route back to it and the client only needs the routes the server pushes to it.

In light of the above, I decided to use OpenVPN. It fulfills my main objectives: simplicity and security. Correctly set up, OpenVPN will verify both the client and the server certificate and uses very strong crypto. To set this up you will need a PKI (Public Key Infrastructure): a CA that issues one certificate to the gateway and one to each road warrior.

My server-side configuration:

ca /etc/ssl/certs/ca.crt
ccd-exclusive
cert /etc/ssl/certs/gw.domain.ca.crt
client-config-dir ccd
client-to-client
dev tap0
dh /etc/ssl/dh2048.pem
float
group nogroup
keepalive 10 120
key /etc/ssl/private/gw.domain.ca.key  # This file should be kept secret
local 66.46.199.130
passtos
persist-key
persist-tun
port 1194
proto udp
push "route 10.100.0.0 255.255.0.0"
server-bridge 10.100.0.1 255.255.255.0 10.100.0.90 10.100.0.100
status openvpn-status.log
user nobody
verb 4

My client-side configuration:

dev tap0
remote gw.domain.ca
tls-remote gw.domain.ca
pull
nobind
passtos
float
tls-client
ca ts-ca.crt
cert adam.crt
key adam.key
keepalive 15 45
persist-tun
persist-key
verb 2

Note the tls-remote directive. This is critical to ensuring that the client verifies the identity of the server: the ca directive only checks that the server's certificate was signed by our CA, and so would any other road warrior's certificate. Without a name check, anyone holding a client certificate and key could stand up a server and impersonate the gateway. tls-remote pins the expected name of the server certificate. (It was deprecated in OpenVPN 2.3 and removed in 2.4; on current versions use verify-x509-name gw.domain.ca name instead, and add remote-cert-tls server so that only a certificate issued with the server extendedKeyUsage is accepted, which client certificates never have.)
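Both the PKI the article says you need and the server-identity checks behind tls-remote, as one added example (the editor's, not the author's own tooling or anything from the OpenVPN project): an openssl CLI script that issues a CA, a gateway certificate with extendedKeyUsage serverAuth and a road-warrior certificate with clientAuth, then applies the three checks the client relies on (chain, name, EKU) to both certificates. The file names follow the configs above (ca.crt, gw.domain.ca.crt, adam.crt); the output directory, RSA-2048 keys and validity periods are assumptions. The dh2048.pem file from the server config is generated separately with openssl dhparam -out dh2048.pem 2048, which is slow and is not repeated here.

```sh
#!/bin/sh
# Added example: a minimal OpenVPN PKI with the openssl CLI, plus the checks
# an OpenVPN client performs on the server certificate. Not the author's
# scripts. Assumptions: output directory (PKI), RSA-2048, 10y CA / 1y leaf.

PKI=${PKI:-$(mktemp -d)}

# CA key and self-signed root (the file behind the ca directive on both ends).
# A private config is used so the script does not depend on the system openssl.cnf.
make_ca() {
    cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = ts-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$PKI/ca.cnf" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# issue NAME EKU: key + CSR for NAME, signed by the CA with the given
# extendedKeyUsage (serverAuth for the gateway, clientAuth for each road warrior).
issue() {
    name=$1 eku=$2
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$name" > "$PKI/$name.cnf"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$eku" > "$PKI/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI/$name.cnf" \
        -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
        -CAcreateserial -days 365 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
}

# The whole PKI used by the configs on this page: CA, gateway cert, one client cert.
make_pki() {
    make_ca && issue gw.domain.ca serverAuth && issue adam clientAuth
}

# Chain check: what the ca directive gives you. Every cert the CA signed
# passes, which is exactly why a name or EKU check is needed as well.
chain_ok() { openssl verify -CAfile "$PKI/ca.crt" "$1" >/dev/null 2>&1; }

# Name check: what tls-remote (OpenVPN < 2.4) or verify-x509-name (2.4+)
# enforces. $1 = certificate file, $2 = expected CN.
cert_name_is() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//')
    [ "$cn" = "$2" ]
}

# EKU check: what remote-cert-tls server enforces. A client cert from the
# same CA carries clientAuth only, so another road warrior cannot pose as the gateway.
cert_is_server() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Stand-alone run (sh pki.sh demo): build the PKI and show all checks on both certs.
# Expected: gw.domain.ca passes all three; adam passes chain only.
demo() {
    make_pki || return 1
    for c in gw.domain.ca adam; do
        f="$PKI/$c.crt"
        chain_ok "$f"                  && r1=ok || r1=FAIL
        cert_name_is "$f" gw.domain.ca && r2=ok || r2=FAIL
        cert_is_server "$f"            && r3=ok || r3=FAIL
        echo "$c: chain=$r1 name=$r2 serverAuth=$r3"
    done
    echo "PKI written to $PKI"
}

case "${1:-}" in demo) demo ;; esac
```

The point the demo makes is the one behind the tls-remote remark: adam.crt passes the chain check just as the gateway's certificate does, and only the name and EKU checks tell them apart. Copy ca.crt, gw.domain.ca.crt and gw.domain.ca.key to the paths in the server config, and ca.crt, adam.crt and adam.key to the client; keep the CA key off the gateway altogether.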
