Securepoint Security Systems
Contents
1 Configuration on the appliance
1.1 Setting up network objects
1.2 Creating firewall rules
1.3 Creating certificates for the appliance and for the OpenVPN user
1.4 Export root certificate and roadwarrior certificate
1.4.1 Delete the private key of the CA
1.5 OpenVPN configuration
1.6 Setting up users
1.7 Checking status of service
2 OpenVPN client for Windows
2.1 Installing OpenVPN
2.2 Bind the OpenVPN GUI (graphical user interface) to OpenVPN
2.3 Create an OpenVPN client configuration
2.4 Connecting to the firewall
2.5 Items of the context menu
VPN with OpenVPN and OpenVPN-GUI
A VPN connects one or several computers or networks by using another network, e.g. the internet, as a means of transport. For instance, this could be the computer of a member of staff at home or in a branch office that is linked to the network at the headquarters through the internet.
For the user, the VPN looks like a normal network connection to the destination computer; the actual transport path is not visible. The VPN provides the user with a virtual IP connection that is tunneled through a real one. The data packets sent over this connection are encrypted at the client and decrypted by the Securepoint appliance, and vice versa.
Target: Establishing an OpenVPN connection between the Securepoint appliance and a
1 Configuration on the appliance
1.1 Setting up network objects
You have to set up network objects for the external interface, the internal network and the OpenVPN users.
Click the Firewall icon on the toolbar and change to the tab Network objects. Click on the icon Computer and set up the object for the external interface.
fig. 1 set up network object for the external interface
Click on the dropdown arrow beneath the icon Computer and select Network. Set up a network object for the internal network.
Repeat the last step and set up a network object for the OpenVPN user.
fig. 4 Add network - openvpn-net
fig. 5 select icon for the new group
The next image shows the result of the network object configuration.
1.2 Creating firewall rules
You have to create two rules. The first one allows external computers to connect to the external interface via OpenVPN. The second one allows the OpenVPN users access to the internal network.
Change to the tab Rules.
Click the icon New and add the rules as shown in the following images.
fig. 7 create the first rule - internet --> external interface
The next image shows the result.
1.3 Creating certificates for the appliance and for the OpenVPN user
The OpenVPN connection uses certificates to authenticate VPN users at the firewall, so you have to create an OpenVPN server certificate for the appliance and an OpenVPN client certificate for every OpenVPN user.
If you don’t have a root certificate (CA) yet, you have to create it first. Click on the icon VPN on the tool bar.
Change to the tab Certificates.
Select the firewall and click on the icon New.
The dialog Certificates appears.
Select the option Root certificate. Enter your data.
Confirm your entries with OK.
fig. 11 create root certificate
Now you can create the OpenVPN certificates. Select OpenVPN server certificate.
Append a name for the certificate to the given Designation. Under CA select the root certificate you just created.
Confirm your settings by clicking OK.
For the client certificate select OpenVPN client certificate and repeat the other steps as described before.
When all certificates are created, leave the dialog by clicking the Cancel button.
1.4 Export root certificate and roadwarrior certificate
Export the roadwarrior certificate and the corresponding root certificate and transfer them to the OpenVPN user.
Normally the Standard format is used.
Click on the plus symbol in front of the firewall name. Select CAs and in the right list the root certificate. Click on the icon Export.
The dialog Export appears.
Select the wanted format. If you choose pkcs #12, enter a password.
If you use the pkcs#12 format you only have to export the roadwarrior certificate, because the pkcs#12 file already includes the root certificate. In this format the private key material is protected by the password you entered, so you do not have to delete the key from the pem file of the CA (see 1.4.1).
Confirm by clicking OK.
fig. 14 export root certificate (CA)
Note: The exported root certificate includes the private key that should not be passed to the
Select Certs and in the right list the roadwarrior certificate. Click on the icon Export.
The dialog Export appears.
Select the wanted format. If you choose pkcs #12, insert a password. Confirm with clicking on OK.
1.4.1 Delete the private key of the CA
Select the exported CA file. A right click on the file opens the context menu; select Open.
fig. 16 select open to open the CA
On the next dialog choose the option Select the program from a list and click OK. Select an editor, for example Microsoft Notepad, to modify the certificate.
Uncheck the checkbox at Always use the selected program to open this kind of file. Click OK.
fig. 17 choose the program manually
Select the text from the line -----BEGIN PRIVATE KEY----- (depending on the key type the header may also read -----BEGIN RSA PRIVATE KEY-----) up to and including the matching -----END ... PRIVATE KEY----- line (see fig. 19). Delete the marked text (for example with the Del key).
Save the modified certificate. Check that the file now contains only the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block and no PRIVATE KEY block at all.
Only this modified root certificate may be given to the client; the original export with the key must stay on the administrator's system.
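The same cut done programmatically, with a check before the file leaves the administrator's machine. This is an added example, not Securepoint's or OpenVPN's own code; the PEM text below is constructed placeholder material, not a real certificate or key.

```python
"""Strip private-key blocks from an exported CA PEM and verify the result.

Added example, not Securepoint's or OpenVPN's own code. EXPORTED_CA_PEM is a
constructed sample: its base64 bodies are placeholders, not real material.
"""
import re
import sys

# One PEM block of any label, e.g. "-----BEGIN RSA PRIVATE KEY-----" ... "-----END RSA PRIVATE KEY-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r".*?"
    r"\r?\n-----END (?P=label)-----\r?\n?",
    re.DOTALL,
)

# Constructed sample of what the appliance exports: the CA certificate followed by its private key.
EXPORTED_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q0EgQ0VSVElGSUNBVEUgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlQ=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "Q0EgUFJJVkFURSBLRVkgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==\n"
    "-----END PRIVATE KEY-----\n"
)


def pem_labels(pem_text):
    """Labels of all PEM blocks in the text, in order of appearance."""
    return [m.group("label") for m in PEM_BLOCK.finditer(pem_text)]


def strip_private_keys(pem_text):
    """Remove every block whose label ends in PRIVATE KEY.

    Catches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY and ENCRYPTED
    PRIVATE KEY headers alike; certificate blocks are kept verbatim.
    """
    return PEM_BLOCK.sub(
        lambda m: "" if m.group("label").endswith("PRIVATE KEY") else m.group(0),
        pem_text,
    )


def safe_to_hand_out(pem_text):
    """True only if the file holds at least one CERTIFICATE block and no key of any kind."""
    labels = pem_labels(pem_text)
    return "CERTIFICATE" in labels and not any(lb.endswith("PRIVATE KEY") for lb in labels)


if __name__ == "__main__":
    # Usage: python strip_ca_key.py exported_ca.pem ca_for_clients.pem
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="ascii") as f:
        cleaned = strip_private_keys(f.read())
    if not safe_to_hand_out(cleaned):
        sys.exit("refusing to write: no certificate found or a key block survived")
    with open(dst, "w", encoding="ascii") as f:
        f.write(cleaned)
```

The label check deliberately looks at every block rather than searching for one fixed header string, so a key exported with a different header than the one shown in fig. 19 is still caught.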
1.5 OpenVPN configuration
You have to configure general OpenVPN settings for the appliance. Click VPN on the menu and select VPN OpenVPN.
fig. 21 select OpenVPN
The dialog OpenVPN appears.
Usually you can keep the default values for port and protocol.
Select the server certificate you just created (ovServer_foo.local in this example) as the server certificate.
If you use multipath, you have to bind the OpenVPN service to one external interface. Confirm your entries with OK.
1.6 Setting up Users
You have to set up the OpenVPN users on the Securepoint appliance. Click on the icon Authentication in the toolbar.
Click on the icon New. The dialog Add user appears. On the tab User data insert the user data.
Change to the tab Group membership and check the checkbox VPN OpenVPN user.
fig. 23 Add user - tab User data fig. 24 Add user - Group membership
Change to the tab VPN options.
Here you can assign the OpenVPN user a permanent IP address taken from the OpenVPN network.
Note: The tun interface that is already installed uses the IP address pool 192.168.250.1/24. The last octet of the IP address (192.168.250.xxx) must satisfy the following criterion: the number is a multiple of 4 minus 2, i.e. x = (y * 4) - 2,
for example (5 * 4) - 2 = 18.
The following values are therefore possible: {2, 6, 10, 14, ... 246, 250, 254}.
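The reason for the spacing is OpenVPN's classic net30 topology: every client gets its own /30 out of the pool, and the client end of that point-to-point link is the third address of the /30, which is exactly the "multiple of 4 minus 2" rule. The following is an added example, not Securepoint's own code, that enumerates the allowed addresses and validates an address before it is typed into the VPN options tab. The pool 192.168.250.0/24 is the one from the note above; the exclude_server_block switch is an assumption of this example, reflecting that a stock OpenVPN net30 server keeps the first /30 (.1 and .2) for its own endpoint pair.

```python
"""Check a fixed OpenVPN client address against the appliance's tun pool rule.

Added example, not Securepoint's own code. The pool and the rule
x = (y * 4) - 2 come from the manual's note; the net30 explanation is
OpenVPN's standard behaviour.
"""
import ipaddress

POOL = ipaddress.ip_network("192.168.250.0/24")  # from the manual's note


def valid_client_addresses(pool=POOL, exclude_server_block=False):
    """Every host x in the pool whose last octet is (y * 4) - 2, i.e. x % 4 == 2.

    With exclude_server_block=True the first /30 of the pool, which a stock
    OpenVPN net30 server uses for its own endpoints, is left out (assumption
    of this example; the manual lists .2 as allowed).
    """
    server_block = next(pool.subnets(new_prefix=30))
    out = []
    for ip in pool.hosts():
        if int(ip) % 4 != 2:
            continue
        if exclude_server_block and ip in server_block:
            continue
        out.append(ip)
    return out


def is_valid_client_address(text, pool=POOL):
    """True if text is an address inside the pool that satisfies the rule."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip in pool and int(ip) % 4 == 2


def net30_subnet(text):
    """The /30 that OpenVPN carves out for a client with this fixed address."""
    return ipaddress.ip_network(f"{ipaddress.ip_address(text)}/30", strict=False)


if __name__ == "__main__":
    for addr in valid_client_addresses():
        print(addr, "->", net30_subnet(str(addr)))
```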
1.7 Checking status of service
Save the configuration and perform a rule update before you start the OpenVPN service. Click on the icon Save in the toolbar to store the configuration.
After this, click on the icon Rule update in the toolbar.
The service SERVICE_OPENVPN must be running to grant OpenVPN users access to the firewall.
Click on the icon Applications on the tool bar. Change to the tab Status of services.
If the service SERVICE_OPENVPN is not running, double click on the red symbol with the white x.
2 OpenVPN client for Windows
To connect from an external computer to the firewall via OpenVPN you have to install OpenVPN on the external system.
You can download the current version from the website
http://openvpn.net/download.html#stable.
The virtual interface that is needed for OpenVPN connections is included in this package. Mathias Sundman has developed an OpenVPN GUI client that runs under Windows. You can download it from the following address:
http://openvpn.se/download.html
Here you can also find several translations.
2.1 Installing OpenVPN
Download the Windows installer from the OpenVPN website and execute it with a double click on the downloaded file.
fig. 27 start dialog of the OpenVPN installer
Follow the instructions of the installation routine.
Click Continue Anyway for the TAP-Win32 Adapter V8, even though it did not pass the Windows Logo test.
Complete the installation by clicking on Finish.
fig. 29 complete the installation
Under Network Connections you should find an entry for the TAP-Win32 Adapter V8.
2.2 Bind the OpenVPN GUI (graphical user interface) to OpenVPN
Copy the file openvpn-gui-version_number.exe into the bin folder of the OpenVPN program directory (for example: C:\Program Files\OpenVPN\bin).
You can create a shortcut for the GUI and paste it on the desktop or in the Windows start menu.
Start the OpenVPN GUI by clicking on the shortcut on the desktop or in the Windows start menu or on the exe file in the OpenVPN program folder.
The OpenVPN GUI icon appears in the Windows system tray.
fig. 31 icon in the system tray
The second icon shows that the virtual interface is inactive. This icon is only shown if it has been activated in the options of the interface.
fig. 32 popup menu
2.3 Create an OpenVPN client configuration
Open an editor (for example: Notepad) and insert the following text.
##############################
# Client configuration
##############################
# OpenVPN default client configuration
# Comments are marked with a prefixed hash sign (#) or semicolon (;).
client
dev tun

# These options are not used anymore.
;tun-mtu 1500
;fragment 1300
;mssfix

proto udp
float

# Connection data of the server (firewall)
# Insert the IP address and the port (default: 1194) of the server
# after the word "remote", for example:
# remote 192.168.4.253 1194
remote IP_of_the_server 1194

nobind
persist-key
persist-tun

# Path to the root certificate and the client certificate, for example:
# ca C:/Programme/OpenVPN/config/keys/myCA.pem
# cert C:/Programme/OpenVPN/config/keys/roadwarrior01.pem
# key C:/Programme/OpenVPN/config/keys/roadwarrior01.pem
# Note: If there are space characters in the path, you have to put
# the path into double quotes ("Path to the certificate").
ca Path/to/the/certificate/of/the/CA.pem
cert Path/to/the/certificate/of/the/client.pem
key Path/to/the/certificate/of/the/client.pem

# Path to the certificate in pkcs#12 format.
# If you use the pkcs#12 format for the certificates, comment out the
# three lines ca, cert and key and use the following line instead
# (delete the prefixed semicolon), for example:
# pkcs12 C:/Programs/OpenVPN/config/keys/roadwarrior01.p12
# Note: If there are space characters in the path, you have to put
# the path into double quotes ("Path to the pkcs#12 file").
;pkcs12 Path/to/the/pkcs#12/file.p12

# If this option is active, the client only accepts a certificate from
# the firewall that carries the "server" extension. This makes a
# man-in-the-middle attack with a stolen client certificate more difficult.
# (ns-cert-type is deprecated in OpenVPN 2.4 and removed in 2.5; those
# versions use "remote-cert-tls server" for the same purpose.)
ns-cert-type server

comp-lzo

auth-nocache
auth-user-pass

# If you use a proxy, uncomment the following lines and insert the
# proxy server's IP address and port, or use the settings of the OpenVPN GUI.
;http-proxy server_IP port
;http-proxy-retry
Save this file in the config folder of the OpenVPN directory. The file must have the suffix .ovpn.
For example: C:\Program Files\OpenVPN\config\roadwarrior.ovpn
Create a folder with the name keys in the config folder if it does not already exist. Copy the root certificate and the client certificate, or the pkcs#12 file, into this new folder.
This is the default storage directory for the certificates. Of course you can choose another location, but then you have to adjust the paths in the configuration file.
You also have to customize the option remote IP_of_the_server 1194.
Insert the IP address of the server you want to connect to between the word remote and the port number.
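Editing the file by hand is where the two mistakes the instructions warn about happen: an unquoted path with a space, and mixing the pkcs12 line with the ca/cert/key lines. The following added example, not Securepoint's or OpenVPN's own code, generates the roadwarrior .ovpn from a few parameters so that only one of the two certificate variants is emitted and paths are converted to forward slashes and quoted when needed; the parse_directives helper reads the result back the way OpenVPN treats comment lines. The server addresses and file paths in the example are constructed placeholders.

```python
"""Generate and check the roadwarrior .ovpn client configuration.

Added example, not Securepoint's or OpenVPN's own code. Emits the same
directives as the configuration listed above; paths and server names used
here are constructed placeholders.
"""
from pathlib import PureWindowsPath


def quote_path(path):
    """OpenVPN on Windows accepts forward slashes; paths with spaces must be double-quoted."""
    p = str(PureWindowsPath(path)).replace("\\", "/")
    return f'"{p}"' if " " in p else p


def build_client_config(server, port=1194, ca=None, cert=None, key=None,
                        pkcs12=None, http_proxy=None):
    """Return the text of a client .ovpn using either pem files or one pkcs#12 file.

    http_proxy is an optional (host, port) tuple; the manual's alternative is to
    set the proxy in the OpenVPN GUI instead of the file.
    """
    if " " in server or not server:
        raise ValueError("server must be a single IP address or host name")
    if pkcs12 is None and not (ca and cert and key):
        raise ValueError("give either pkcs12 or all three of ca, cert and key")
    if pkcs12 is not None and (ca or cert or key):
        raise ValueError("pkcs12 replaces ca, cert and key; do not mix them")

    lines = [
        "# generated client configuration",
        "client",
        "dev tun",
        "proto udp",
        "float",
        f"remote {server} {port}",
        "nobind",
        "persist-key",
        "persist-tun",
    ]
    if pkcs12 is not None:
        lines.append(f"pkcs12 {quote_path(pkcs12)}")
    else:
        lines += [f"ca {quote_path(ca)}",
                  f"cert {quote_path(cert)}",
                  f"key {quote_path(key)}"]
    lines += [
        "ns-cert-type server",  # accept only a certificate marked as server certificate
        "comp-lzo",
        "auth-nocache",         # do not keep the user password in memory
        "auth-user-pass",
    ]
    if http_proxy:
        host, proxy_port = http_proxy
        lines += [f"http-proxy {host} {proxy_port}", "http-proxy-retry"]
    return "\n".join(lines) + "\n"


def parse_directives(config_text):
    """Map each active directive to its argument string; lines starting with # or ; are comments."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives[name] = args.strip()
    return directives


if __name__ == "__main__":
    # Constructed placeholder values; 192.168.4.253 is the example address from the manual.
    print(build_client_config(
        "192.168.4.253",
        ca=r"C:\Program Files\OpenVPN\config\keys\myCA.pem",
        cert=r"C:\Program Files\OpenVPN\config\keys\roadwarrior01.pem",
        key=r"C:\Program Files\OpenVPN\config\keys\roadwarrior01.pem",
    ))
```

parse_directives is also handy for checking a hand-edited file: if it returns both "pkcs12" and "ca", a semicolon is missing somewhere.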
2.4 Connecting to the firewall
Right-click the OpenVPN GUI icon in the system tray. The popup menu now contains several additional options.
fig. 33 completed popup menu
Click on Connect.
The logging dialog and the login dialog appear.
fig. 34 logging window and login dialog
Insert your login name and password into the login dialog and click OK.
If you use the pkcs#12 format for the certificates, you will be asked for the password of the pkcs#12 file.
If the connection is initiated successfully, following popup appears.
When the icon shows two green screens, the connection is established. Two yellow screens mean the client is connecting to the server; two red screens mean the connection is down.
If you hover the mouse pointer over the icon while the connection is up, a popup window shows the connection data.
fig. 36 connection data
2.5 Items of the context menu
fig. 37 the context menu
Item             Description
Connect          Starts the connection.
Disconnect       Ends the connection.
Show Status      Shows the log messages of the current connection.
View Log         Shows the complete log of the last connection. If a connection is established, the log messages of the current connection are shown.
Edit Config      Opens an editor in which you can customize the configuration. Changes take effect when the connection is restarted.
Change Password  Encrypts the private key in the certificate. Note: The pem format is not supported; the encryption would delete the certificate from the pem file.
Proxy Settings   Settings for connecting through a proxy. If you use this function, the proxy settings must not also be written into the configuration file.
About            Shows an information dialog.