10.2.5.4. Connections using the OpenVPN (server/client) function

Operation Confirmed Version:
 Brocade 5600vRouter Version4.2R1S1
OpenVPN is an SSL VPN technology that uses SSL/TLS. OpenVPN is supported on the Brocade 5600vRouter.
This section describes how to configure, by means of OpenVPN, a server that accepts remote access and a client that originates the connection.
In server/client mode, a virtual direct connection can be built from a firewall, or from a PC running an OpenVPN client, to an OpenVPN server.

OpenVPN (Server/Client Mode) Setting

This section describes the settings for making remote access connections from an OpenVPN client, using the server mode of OpenVPN.
VPN connections can be made from a PC or a firewall on which an OpenVPN client runs.
On the OpenVPN server, routes are set so that a connecting client has a virtual direct connection via the tunnel interface.

Presumed case for sample setting

  • To use the OpenVPN function as the VPN connection method

  • To set the server/client mode in order to allow VPN connections from an Internet-accessible PC to the firewall in the future

  • To perform certificate-use authentication for clients

Configuration diagram
openvpn_tunnel_fig1

Note

Assume that communications between the server and client have been established before OpenVPN setting.

Setting flow in a presumed case

  • Setting the firewall (OpenVPN server mode / host name: FW80)

1. Creating the vtun0 tunnel interface
2. Setting the server mode of OpenVPN on the vtun0 interface
3. Setting “192.168.110.0/24” as the IP address range to be used by the OpenVPN tunnel
4. Setting “192.168.60.0/24” as the route to be pushed from the server to the client after the OpenVPN connection is established
5. Specifying “/config/auth/ca.crt” as the CA certificate
6. Specifying “/config/auth/server.crt” as the server certificate
7. Specifying “/config/auth/server.key” as the secret key of the server
8. Specifying “/config/auth/dh.pem” as the DH file

  • Setting the firewall (OpenVPN client mode / host name: FW70)

1. Creating the vtun0 tunnel interface
2. Setting the client mode of OpenVPN on the vtun0 interface
3. Setting “172.16.210.80” as the server address for the VPN tunnel connection
4. Specifying “/config/auth/ca.crt” as the CA certificate
5. Specifying “/config/auth/client1.crt” as the client certificate
6. Specifying “/config/auth/client1.key” as the secret key of the client

Preparation of a certificate

For OpenVPN server connections, authentication with a certificate is performed.
For the certificate files, use certificates issued by a certificate authority (CA) that the user trusts, as appropriate.
The needed certificate files are as follows.

File name (example)   Certificate and key file type          Device for storage
-------------------   ------------------------------------   ------------------------------------------------
ca.crt                CA certificate                         Saved on both the server and the client
server.crt            Server certificate issued by a CA      Save on the machine operating in server mode
server.key            Server secret key                      Save on the machine operating in server mode
dh.pem                DH file                                Save on the machine operating in server mode
client.crt            Client certificate issued by a CA      Save on the machine operating in client mode
client.key            Client secret key                      Save on the machine operating in client mode

SCP can be used to copy the key files to the firewall.
[root@vserver7 openvpn]# scp /etc/openvpn/server.key user-admin@10.0.0.80:/config/auth/
Welcome to Brocade vRouter

user-admin@10.0.0.80's password:
server.key                                      0%    0     0.0KB/s   --:-- ETAserver.key                                    100% 1704     1.7KB/s   00:00
[root@vserver7 openvpn]#

Command to be entered with CLI

  • OpenVPN server mode setting

set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server push-route '192.168.60.0/24'
set interfaces openvpn vtun0 server subnet '192.168.110.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/dh.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/server.key'

  • OpenVPN client mode setting

set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 remote-host '172.16.210.80'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/client1.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/client1.key'

Note

When the server secret key or the client secret key is specified and committed, the following warning is shown. It does not, however, affect connections or communications: “Warning: Specified key-file /config/auth/server.key does not have expected header and may not be valid”

The configuration after completion of appropriate settings is as follows.
  • OpenVPN server mode setting

interfaces {
       dataplane dp0s4 {
               address 192.168.60.80/24
       }
       dataplane dp0s5 {
               address 172.16.210.80/24
       }
       dataplane dp0s6
       dataplane dp0s7 {
               address 10.0.0.80/24
       }
       loopback lo
       openvpn vtun0 {
               mode server
               server {
                       push-route 192.168.60.0/24
                       subnet 192.168.110.0/24
               }
               tls {
                       ca-cert-file /config/auth/ca.crt
                       cert-file /config/auth/server.crt
                       dh-file /config/auth/dh.pem
                       key-file /config/auth/server.key
               }
       }
}

  • OpenVPN client mode setting

interfaces {
        dataplane dp0s4 {
                address 192.168.50.70/24
        }
        dataplane dp0s5 {
                address 172.16.110.70/24
        }
        dataplane dp0s6 {
        }
        dataplane dp0s7 {
                address 10.0.0.70/24
        }
        loopback lo
        openvpn vtun0 {
                mode client
                remote-host 172.16.210.80
                tls {
                        ca-cert-file /config/auth/ca.crt
                        cert-file /config/auth/client1.crt
                        key-file /config/auth/client1.key
                }
        }
}

Operation check result

It was confirmed that the two firewall machines worked as an OpenVPN server and client respectively.
It was confirmed that the OpenVPN client connected to the server through the OpenVPN tunnel and that the route information was displayed.
The communication check confirms that ping communication between the server and the client was possible.
  • OpenVPN connection status

      #OpenVPN Server  OpenVPN Status  → Status OK

      user-admin@FW80:~$ show openvpn server status
      OpenVPN server status on vtun0

      Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
      --------------- --------------- --------------- ------- ------- ------------------------
      client1         172.16.110.70   192.168.110.2     69.7K   94.1K Sat Mar 25 09:02:06 2017

      user-admin@FW80:~$
      user-admin@FW80:~$ show int
      Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
      Interface        IP Address                        S/L  Description
      ---------        ----------                        ---  -----------
      dp0s3            100.xx.xx.65/20                   u/u
      dp0s4            192.168.60.80/24                  u/u
      dp0s5            172.16.210.80/24                  u/u
      dp0s6            -                                 A/D
      dp0s7            10.0.0.80/24                      u/u
      vtun0            192.168.110.1/24                  u/u
      user-admin@FW80:~$


      #OpenVPN Client  OpenVPN Status  → Status OK

      user-admin@FW70:~$ show openvpn client status
      OpenVPN client status on vtun0

      Server CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
      --------------- --------------- --------------- ------- ------- ------------------------
      N/A             172.16.210.80   N/A              106.9K   99.9K N/A

      user-admin@FW70:~$
      user-admin@FW70:~$ show int
      Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
      Interface        IP Address                        S/L  Description
      ---------        ----------                        ---  -----------
      dp0s3            100.xx.xx.64/20                   u/u
      dp0s4            192.168.50.70/24                  u/u
      dp0s5            172.16.110.70/24                  u/u
      dp0s6            -                                 A/D
      dp0s7            10.0.0.70/24                      u/u
      vtun0            192.168.110.2/24                  u/u
      user-admin@FW70:~$
  • Route status (Server/Client) when in OpenVPN connections

      #OpenVPN Server  OpenVPN Routing status

      user-admin@FW80:~$ sh ip route
      Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
             O - OSPF, IA - OSPF inter area
             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
             E1 - OSPF external type 1, E2 - OSPF external type 2
             i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
             > - selected route, * - FIB route, p - stale info

      IP Route Table for VRF "default"
      C    *> 10.0.0.0/24 is directly connected, dp0s7
      S    *> 100.xx.x.64/26 [210/0] via 100.xx.xx.1, dp0s3
      S    *> 100.xx.xx.64/26 [210/0] via 100.xx.xx.1, dp0s3
      C    *> 100.xx.xx.0/20 is directly connected, dp0s3
      C    *> 127.0.0.0/8 is directly connected, lo
      O    *> 172.16.110.0/24 [110/2] via 172.16.210.10, dp0s5, 04:12:10
      C    *> 172.16.210.0/24 is directly connected, dp0s5
      C    *> 192.168.60.0/24 is directly connected, dp0s4
      C    *> 192.168.110.0/24 is directly connected, vtun0
      user-admin@FW80:~$

      #OpenVPN Client  OpenVPN Routing status

      user-admin@FW70:~$ show ip route
      Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
             O - OSPF, IA - OSPF inter area
             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
             E1 - OSPF external type 1, E2 - OSPF external type 2
             i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
             > - selected route, * - FIB route, p - stale info

      IP Route Table for VRF "default"
      C    *> 10.0.0.0/24 is directly connected, dp0s7
      S    *> 100.xx.x.64/26 [210/0] via 100.xx.xx.1, dp0s3
      S    *> 100.xx.xx.64/26 [210/0] via 100.xx.xx.1, dp0s3
      C    *> 100.xx.xx.0/20 is directly connected, dp0s3
      C    *> 127.0.0.0/8 is directly connected, lo
      C    *> 172.16.110.0/24 is directly connected, dp0s5
      O    *> 172.16.210.0/24 [110/2] via 172.16.110.10, dp0s5, 03:52:34
      C    *> 192.168.50.0/24 is directly connected, dp0s4
      K    *> 192.168.60.0/24 via 192.168.110.1, vtun0
      C    *> 192.168.110.0/24 is directly connected, vtun0
      user-admin@FW70:~$
  • Communication check (Server/Client) when in OpenVPN connections

#From OpenVPN Server to Client  →  OK

user-admin@FW80:~$ ping 192.168.110.2 count 5
PING 192.168.110.2 (192.168.110.2) 56(84) bytes of data.
64 bytes from 192.168.110.2: icmp_seq=1 ttl=64 time=2.36 ms
64 bytes from 192.168.110.2: icmp_seq=2 ttl=64 time=2.57 ms
64 bytes from 192.168.110.2: icmp_seq=3 ttl=64 time=2.32 ms
64 bytes from 192.168.110.2: icmp_seq=4 ttl=64 time=7.79 ms
64 bytes from 192.168.110.2: icmp_seq=5 ttl=64 time=2.55 ms

--- 192.168.110.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 2.324/3.524/7.799/2.140 ms
user-admin@FW80:~$


#From OpenVPN Client to OpenVPN server → OK

user-admin@FW70:~$ ping 192.168.110.1 count 5
PING 192.168.110.1 (192.168.110.1) 56(84) bytes of data.
64 bytes from 192.168.110.1: icmp_seq=1 ttl=64 time=2.17 ms
64 bytes from 192.168.110.1: icmp_seq=2 ttl=64 time=3.14 ms
64 bytes from 192.168.110.1: icmp_seq=3 ttl=64 time=2.61 ms
64 bytes from 192.168.110.1: icmp_seq=4 ttl=64 time=3.01 ms
64 bytes from 192.168.110.1: icmp_seq=5 ttl=64 time=2.62 ms

--- 192.168.110.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 2.179/2.712/3.140/0.345 ms
user-admin@FW70:~$

#From OpenVPN Client to Server segment → OK

user-admin@FW70:~$ ping 192.168.60.11 count 5
PING 192.168.60.11 (192.168.60.11) 56(84) bytes of data.
64 bytes from 192.168.60.11: icmp_seq=1 ttl=125 time=15.0 ms
64 bytes from 192.168.60.11: icmp_seq=2 ttl=126 time=3.98 ms
64 bytes from 192.168.60.11: icmp_seq=3 ttl=125 time=4.38 ms
64 bytes from 192.168.60.11: icmp_seq=4 ttl=126 time=7.77 ms
64 bytes from 192.168.60.11: icmp_seq=5 ttl=126 time=4.27 ms

--- 192.168.60.11 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 3.989/7.102/15.094/4.229 ms
user-admin@FW70:~$
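As an added example (not part of the original document or of the vRouter software), the following Python script automates the operation check shown above: it parses the client table of "show openvpn server status", flags any client whose CN is not on an expected list or whose tunnel IP lies outside the configured 192.168.110.0/24 subnet, and confirms from the client's "show ip route" output that the pushed route 192.168.60.0/24 was installed via vtun0. The embedded outputs are constructed samples modelled on the sessions above; the second client row (guest7) is invented to show what a finding looks like.

```python
import ipaddress
import re

# Constructed sample of "show openvpn server status" output, modelled on the
# session above. The guest7 row is invented to exercise the checks.
SERVER_STATUS = """\
OpenVPN server status on vtun0

Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
client1         172.16.110.70   192.168.110.2     69.7K   94.1K Sat Mar 25 09:02:06 2017
guest7          203.0.113.9     192.168.111.5      1.2K    0.9K Sat Mar 25 09:10:00 2017
"""

# Constructed, abridged sample of the client's "show ip route" output.
CLIENT_ROUTES = """\
C    *> 172.16.110.0/24 is directly connected, dp0s5
K    *> 192.168.60.0/24 via 192.168.110.1, vtun0
C    *> 192.168.110.0/24 is directly connected, vtun0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# A client row: CN, remote IP, tunnel IP, TX, RX, then the connect timestamp.
CLIENT_ROW = re.compile(rf"(\S+)\s+({IPV4})\s+({IPV4})\s+(\S+)\s+(\S+)\s+(.+)")
# A pushed route shows up on the client as a kernel (K) route via the tunnel.
KERNEL_ROUTE = re.compile(r"K\s+\*>\s+(\S+)\s+via\s+\S+,\s+(\S+)")

def parse_server_status(text):
    """Return one dict per connected client listed in 'show openvpn server status'."""
    clients = []
    for line in text.splitlines():
        m = CLIENT_ROW.match(line)
        if m:  # header and separator lines do not match (no IP in column 2)
            cn, remote, tunnel, _tx, _rx, since = m.groups()
            clients.append({"cn": cn, "remote": remote, "tunnel": tunnel, "since": since.strip()})
    return clients

def audit_clients(text, allowed_cns, subnet):
    """Flag clients with an unexpected CN or a tunnel IP outside the server subnet."""
    net = ipaddress.ip_network(subnet)
    findings = []
    for c in parse_server_status(text):
        if c["cn"] not in allowed_cns:
            findings.append(f"unexpected client CN {c['cn']} from {c['remote']}")
        if ipaddress.ip_address(c["tunnel"]) not in net:
            findings.append(f"tunnel IP {c['tunnel']} for {c['cn']} outside {subnet}")
    return findings

def pushed_route_present(route_text, prefix, iface):
    """True if the route table lists prefix as a kernel route via iface."""
    return any(m and m.group(1) == prefix and m.group(2) == iface
               for m in map(KERNEL_ROUTE.match, route_text.splitlines()))
```

Running audit_clients against the real "show openvpn server status" output on FW80 with the expected CN set {"client1"} should return an empty list; any entry is a client that does not match the certificates you issued.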