Setup OpenVPN server TAP behind an ASA

By Kevin GUITTEAUD, published on 28/08/2015 at 22:30:34
Favourable review from the reading committee

In this tutorial, we will see the difference between OpenVPN TUN and TAP modes and why you would use one or the other.

Finally, we will see how to set up an OpenVPN server in TAP mode behind a Cisco ASA firewall.

DIFFERENCE BETWEEN TUN AND TAP

Tun mode

TUN stands for network TUNnel. "Tun" mode is also called routing mode and operates on layer 3 packets.

In routing mode, the VPN client is given an IP address on a different subnet from the local LAN where the OpenVPN server sits.

This virtual subnet exists only to connect the remote VPN computers.

In routing mode, the OpenVPN server creates a "tun" interface with its own IP address pool, which is different from the local LAN. Client 1 will get an IP address inside the 10.0.8.0 network and will have access only to the server where OpenVPN resides.

The problem with TUN

The problem with TUN mode is that an OpenVPN client cannot communicate with other local LAN resources. Local LAN machines already have a default gateway (10.10.10.1), while the OpenVPN client's default gateway is 10.0.8.1. If an OpenVPN client sends a packet destined to 10.10.10.11, the destination device receives the packet, sees that it comes from an IP address outside its own local LAN, and sends any reply packets to its gateway (10.10.10.1) instead of back to the OpenVPN server.

The only way for a local machine to communicate with an OpenVPN client in TUN mode is to define a static route on it, which is rather cumbersome.

The other conventional solution is TAP mode.

"Tap" mode refers to bridge mode and operates on layer 2 frames.

In bridge mode, the VPN client is given an IP address on the same subnet as the LAN where the OpenVPN server resides, giving the OpenVPN client direct access to other LAN resources. In bridge mode, the OpenVPN server creates two logical interfaces, "br0" and "tap". The role of the "br0" interface is to link the "eth0" interface to the "tap" interface. Once that link is established, the "eth0" and "tap" interfaces communicate through "br0".

Client 1 will get an IP address inside the 10.10.10.0 network and will have access to all resources and internet through the OpenVPN server.

TUN or TAP

If you want to give multiple clients remote access to a single server, without access to other remote LAN resources, OpenVPN TUN mode is the simplest solution.

If you want to give multiple clients remote access to the entire remote LAN, you need to set up OpenVPN in bridge mode.

TAP Configuration

OpenVPN behind a firewall

OpenVPN can be set up as both VPN server and firewall (iptables or UFW), or behind a firewall (here an ASA 5520 running version 8.4.2) that performs NAT and protects our network from the internet.

Here the OpenVPN server will have the LAN IP address 10.10.10.200 and will listen on port 1194 (the default). We will need a static port forwarding rule on the ASA so that incoming connections from the outside on port 1194 reach the OpenVPN server.

Figure 1. Topology

ASA configuration
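The ASA configuration did not survive extraction; the following is an added example of the static port forward described above, written for this page rather than taken from the author. It uses ASA 8.3+ object NAT syntax and assumes the interface names "inside" and "outside", an inbound ACL named OUTSIDE_IN, and UDP transport (OpenVPN's default; the article does not state the protocol).

```cisco
! Added example: static PAT of UDP/1194 on the outside interface address
! to the OpenVPN server on the inside LAN (10.10.10.200, as in the article)
object network OPENVPN-SERVER
 host 10.10.10.200
 nat (inside,outside) static interface service udp 1194 1194
!
! Since 8.3, access lists reference the real (inside) address, not the translated one.
! Only UDP/1194 is opened; nothing else on the server is reachable from outside.
access-list OUTSIDE_IN extended permit udp any object OPENVPN-SERVER eq 1194
access-group OUTSIDE_IN in interface outside
!
! Checks for the troubleshooting section: the translation must appear in
! "show nat detail" and the ACL hit count in "show access-list OUTSIDE_IN"
! must increase when a client tries to connect.
```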

OpenVPN server configuration

This tutorial uses Ubuntu Server 15.04. The configuration is the same on all Debian-based distributions.

First we need the openvpn, easy-rsa and bridge-utils packages:

sudo apt-get install openvpn bridge-utils easy-rsa

Note: bridge-utils is needed for this TAP configuration, while TUN needs only openvpn and easy-rsa.

Configure the bridge interface

As discussed earlier, the bridge interface is a logical interface that links the TAP and eth0 interfaces together, allowing OpenVPN clients to get an IP address in the local LAN and so to reach local resources.

  1. Edit /etc/network/interfaces

  2. Restart the networking service to apply the changes

    /etc/init.d/networking restart
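The contents of /etc/network/interfaces are missing from the extracted article. Here is an added example (mine, not the author's file) that builds br0 on top of eth0 with the article's addresses; it assumes a /24 netmask and that eth0 is the LAN-facing NIC.

```text
# /etc/network/interfaces (added example)
auto lo
iface lo inet loopback

# The physical NIC carries no address of its own; it is only a port of br0
auto eth0
iface eth0 inet manual

# The bridge owns the server's LAN address (10.10.10.200, gateway 10.10.10.1 = ASA).
# OpenVPN's tap0 is added to this bridge later by up.sh, not here.
auto br0
iface br0 inet static
    address 10.10.10.200
    netmask 255.255.255.0
    gateway 10.10.10.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
```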

Certificate configuration and generation

  1. Copy the necessary files to /etc/openvpn/easy-rsa/

    mkdir /etc/openvpn/easy-rsa/

    cp -R /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/easy-rsa/

    Note: depending on the package version, the path may be

    /usr/share/doc/openvpn/examples/easy-rsa/2.0/*

    To find the easy-rsa directory, issue the command:

    whereis easy-rsa

  2. Edit the /etc/openvpn/easy-rsa/vars file

    The vars file contains all the information the PKI uses to generate the server and client certificates and a few other files.

  3. Set up the CA and create the server certificate

    This method is also valid

Server configuration

  1. Create a script that will automatically bring up the "br0" interface at each boot of the server

    nano /etc/openvpn/up.sh

  2. Create the script that shuts the interface down

    nano /etc/openvpn/down.sh

  3. Allow script execution

    chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

  4. Configure server.conf

    nano /etc/openvpn/server.conf

  5. Restart the openvpn service

    service openvpn restart
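As an added example (my script, not the author's files), the following shell script writes the two bridge helper scripts and a TAP-mode server.conf, then marks the scripts executable, covering steps 1 to 4 above. It assumes easy-rsa keys under /etc/openvpn/easy-rsa/keys with a 2048-bit DH file, and a client pool of 10.10.10.220 to 10.10.10.240 kept outside the LAN's DHCP scope.

```shell
#!/bin/sh
# Added example, not the article's files: writes up.sh, down.sh and a TAP-mode
# server.conf into a directory (default /etc/openvpn) and makes the scripts
# executable. br0 is 10.10.10.200/24, the ASA is 10.10.10.1 (as in the article).
set -eu
write_openvpn_tap_config() {
    dir=${1:-/etc/openvpn}
    mkdir -p "$dir"
    # up.sh: OpenVPN runs it as "up.sh br0 <tap dev> <tun mtu> <link mtu> ..."
    cat > "$dir/up.sh" <<'EOF'
#!/bin/sh
BR=$1; DEV=$2; MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif "$BR" "$DEV"
EOF
    # down.sh: same arguments; detach the TAP device from the bridge and bring it down
    cat > "$dir/down.sh" <<'EOF'
#!/bin/sh
BR=$1; DEV=$2
/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
EOF
    cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tap0
# script-security 2 is required, otherwise OpenVPN refuses to run up/down scripts
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# HMAC on the control channel: key direction 0 here, 1 in client.ovpn
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# Bridge mode: push the ASA (the LAN gateway) as route-gateway, lease LAN addresses from an assumed pool
server-bridge 10.10.10.1 255.255.255.0 10.10.10.220 10.10.10.240
keepalive 10 120
persist-key
persist-tun
# no user/group privilege drop here: down.sh needs root to detach tap0 from br0
verb 3
EOF
    chmod +x "$dir/up.sh" "$dir/down.sh"
}
if [ "${1:-}" = install ]; then
    write_openvpn_tap_config "${2:-/etc/openvpn}"
fi
```

Run it as "sh install-tap.sh install" (as root) to write the files, then restart OpenVPN as in step 5.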

Configuring the client

  1. Create the client certificate

  2. Copy the files ca.crt, client.crt, client.key and ta.key to your Windows client, into the OpenVPN "config" directory (C:\Program Files\OpenVPN\config)

  3. Add and configure the client.ovpn file in the "config" directory on your Windows client

    Now you can connect your client to OpenVPN. You should see a similar network configuration on your server.
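An added example of a client.ovpn that matches the server set up above (written for this page, not the author's file); the ASA's public address is not given in the article and appears as a placeholder.

```text
# client.ovpn (added example), placed in C:\Program Files\OpenVPN\config
client
dev tap
proto udp
# Public address of the ASA outside interface; replace the placeholder
remote ASA_OUTSIDE_IP_PLACEHOLDER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Files copied in step 2; paths are relative to the config directory
ca ca.crt
cert client.crt
key client.key
# tls-auth key direction must be 1 on the client when the server uses 0
tls-auth ta.key 1
# Only accept a server certificate issued for server use (as built by build-key-server),
# so a stolen client certificate cannot be used to impersonate the server
remote-cert-tls server
verb 3
```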

TROUBLESHOOTING

The server is not being NATed (pings to the WAN IP do not work)

  1. Verify the ASA configuration

    • Verify the interfaces are up and the ASA can ping outside IP addresses

    • Verify that the ASA has a default route

    • Verify the inspection policy

  2. Verify the OpenVPN server's default route with "route -n"

    You can add a default route with "route add default gw 10.10.10.1"

The tap0 interface does not come up

  1. Verify your script

  2. Verify that you added "script-security 2" or "script-security 3" to server.conf

  3. Verify that you made the scripts executable with "chmod +x up.sh down.sh"

The client gets stuck at "MANAGEMENT: >STATE:1435176030,WAIT,," when connecting

  1. Verify that the client has internet connectivity

  2. Verify port 1194 is open on the ASA

  3. Verify OpenVPN server is listening on port 1194
