In this recipe, we will use an ifconfig-pool block to separate regular VPN clients from administrative VPN clients. This makes it easier to set up different firewall rules for administrative users.
We use the following network layout:
This recipe uses the PKI files created in the first recipe of this chapter. For this recipe, we used the server computer that was running the CentOS 5 Linux and OpenVPN 2.1.1. The VPN client Client was running the Windows XP and OpenVPN 2.1.1 and was on the 192.168.200.0 network. The VPN client Admin Client was running Fedora 12 Linux and OpenVPN 2.1.1 and was on the 192.168.202.0 network. For the Linux clients, keep the client configuration file basic-udp-client.conf from the recipe Server-side routing at hand.
- Create the server configuration file:
proto udp port 1194 dev tun mode server ifconfig 192.168.200.1 192.168.200.2 ifconfig-pool 192.168.200.100 192.168.200.120 route 192.168.200.0 255.255.248.0 push "route 192.168.200.1" push "route 192.168.200.0 255.255.248.0" ca /etc/openvpn/cookbook/ca.crt cert /etc/openvpn/cookbook/server.crt key /etc/openvpn/cookbook/server.key dh /etc/openvpn/cookbook/dp024.pem tls-auth /etc/openvpn/cookbook/ta.key 0 persist-key persist-tun keepalive 10 60 user nobody group nobody daemon log-append /var/log/openvpn.log client-config-dir /etc/openvpn/cookbook/clients
Then save it as
example2-7-server.conf. Note thattopology subnetis not used here. - Start the server:
[root@server]# openvpn --config example2-7-server.conf - The administrative VPN client will be assigned a special IP address:
[root@server]# mkdir -m 755 /etc/openvpn/cookbook/clients [root@server]# cd /etc/openvpn/cookbook/clients [root@server]# echo "ifconfig-push 192.168.202.6 192.168.202.5" \ > openvpnclient1
- Note that the directory
clientsneeds to be world-readable, as the OpenVPN server process will run as usernobodyafter starting up. - Next, start the Linux client using the configuration file from the earlier recipe:
[root@AdminClient]# openvpn --config basic-udp-client.conf […] [openvpnserver] Peer Connection Initiated with openvpnserver:1194 TUN/TAP device tun0 opened /sbin/ip link set dev tun0 up mtu 1500 /sbin/ip addr add dev tun0 local 192.168.202.6 peer 192.168.202.5 Initialization Sequence Completed
The IP address that is assigned to the administrative client is highlighted for clarity.
- Create a configuration file for the Windows client:
client proto udp remote openvpnserver.example.com port 1194 dev tun nobind ca "c:/program files/openvpn/config/ca.crt" cert "c:/program files/openvpn/config/client2.crt" key "c:/program files/openvpn/config/client2.key" tls-auth "c:/program files/openvpn/config/ta.key" 1 ns-cert-type server
Then save it as
basic-udp-client.ovpn. Note the use of the forward slash ('/'), which is easier to use than the backslash ('\'), as the backslash needs to be repeated twice each time. - Transfer the
ca.crt,client2.crt,client2.keyfiles, and thetls-authsecret key file,ta.key, to the Windows machine using a secure channel, such aswinscpor the PuTTYpscpcommand-line tool. - Start the Windows client using the OpenVPN GUI:
Remember that this client's private key file is protected using a password or passphrase. After both the clients are connected, we verify that they can ping each other and the server (assuming that no firewalls are blocking access).
- On the Admin Client:
[AdminClient]$ ping 192.168.200.1 [AdminClient]$ ping 192.168.200.102
- And on the "regular" client:
[WinClient]C:> ping 192.168.200.1 [WinClient]C:> ping 192.168.202.6
A server configuration file normally uses the following directive to configure the range of IP addresses for the clients:
server 192.168.200.0 255.255.255.0
This directive is internally expanded to the following:
mode server tls-server ifconfig 192.168.200.1 192.168.200.2 ifconfig-pool 192.168.200.4 192.168.200.251 route 192.168.200.0 255.255.255.0 push "route 192.168.200.1"
So, by not using the server directive, but by specifying our own ifconfig-pool, we can override this behavior. We then use a CCD file to assign an IP address to the administrative client, which falls outside of the ifconfig-pool range. By using the appropriate route and push route statements, we ensure that all clients can "ping" each other.
The OpenVPN GUI application on Windows always starts in the directory:
C:\Program Files\OpenVPN\config
Or, C:\Program Files(x86)\... on 64-bit versions of Windows. Thus, the directory paths in the basic-udp-client.ovpn configuration file can be omitted:
ca ca.crt cert client2.crt key client2.key tls-auth ta.key 1
Note that in this recipe we did not make use of the following directive:
topology subnet
The subnet topology is still a new feature in OpenVPN 2.1 and it does not interact very well when using separate ifconfig-pool options.
With this setup, the VPN clients can connect to each other even though we did not make use of the following directive in the server-side configuration:
client-to-client
This is possible due to the route and push route statements in the server configuration file. The advantage of not using client-to-client is that it is still possible to filter out unwanted traffic using iptables or another firewalling solution.
If there is no need for the administrative clients to connect to the regular VPN clients (or vice versa), then the netmask can be adjusted to:
route 192.168.200.0 255.255.255.0 push "route 192.168.200.0 255.255.255.0"
Now, the networks are completely separated.