How To Simplify Your VPN Configuration

Captions
Alright, let's get started. I'll start by introducing myself. I am Lauren Elkins and I'm a technical writer for OpenVPN, and Johan Draaisma is here as well; he is the project manager for OpenVPN Access Server. During the webinar I will be on the Q&A, so you are welcome to drop questions in there as we go through the presentation, and also at the end, as long as we've got time, Johan will have a live audio Q&A for some questions. So feel free, in the chat, if you'd like to drop us where you're connecting from; lots of people have mentioned it already, and we're glad you enjoyed the music at the beginning. We're excited to get going and I'll turn the time over to Johan for the webinar. So it's your turn, Johan, go ahead.

All right, thanks Lauren. I see some people are already interested in the music, so that's great, my little contribution to this webinar. So the next half hour is probably gonna be one big monologue from me, but you knew what you signed up for, so let's go.

First of all, a quick overview of this webinar. This is not a sales pitch. We're not trying to be like, oh, you have to use OpenVPN Access Server because it is the best. There will be people that say OpenVPN open source, or Community Edition, is the best fit for me, and there will be people that say OpenVPN Access Server is a good fit for me. It depends. Basically the idea is to give some information about what's out there. In that regard we will be doing a live installation of an OpenVPN open source server. We won't dive very deeply into the subject matter; I've prepared most of the work, but still, the actual installation steps will happen live, so hopefully it doesn't break. You know how it is when you prepare things and then you do a demo and then... so we'll see. And we will be connecting to an open source server from a Windows machine; in theory you can connect from all the major platforms, of course. Afterwards we'll do a live installation of OpenVPN Access Server and you can sort of see the differences in the philosophy about how things work, and we will be connecting to an Access Server as well. So you'll be able to see the process: how do I set up an OpenVPN server in open source or Access Server, and how do I get connected. Afterwards we'll do some final words about the situation that we've gone through, and at the end, if time permits (it was kind of difficult to estimate the exact times), we'll do a Q&A session and people can ask questions live and we'll answer them. Of course we also have the Q&A section open in the webinar itself, so if you ask questions there we have panelists answering to the best of their ability, and if there's something that we cannot answer directly then you can leave contact information, an email address or something, and we'll get back to you and get that answer for you.

So as I said, this is not a sales pitch; it's an informative and unbiased demonstration. There are many products based on OpenVPN open source, and in fact OpenVPN Access Server is built on it. At the heart of OpenVPN Access Server is the OpenVPN version 2 open source core, and that is what makes the VPN connections possible. Everything around it in OpenVPN Access Server is just for management and making life easier for people, basically. And the goal here is just to inform people a little bit of what's out there. I said there are many products based on OpenVPN: you've got PiVPN, which is based on Raspberry Pi, and you've got all the major networking brands like Netgear, Asus, DrayTek, and they all incorporate OpenVPN in one way or another, as a server or client or both. We also have new products coming; one we recently launched is OpenVPN Cloud. There is just a lot, but let's focus on OpenVPN open source and Access Server and the differences between those.

So let's go ahead and look at this wonderful diagram I made of an OpenVPN client on the left hand side and an OpenVPN server on the other side. What I've done is I've set up a Debian 9 OpenVPN server, or actually I should say I have a Linux Debian 9 installation and I'm going to install OpenVPN on it and configure it as a server; we'll be doing that in the next step. And on the other hand we have a Windows 10 machine that has no OpenVPN client software installed yet, but we will install it and we will make a connection, and I will be doing a little bit of explanation of the possible OpenVPN clients that we could use.

So let's head on over to our Windows 10 machine that we have here. It's just a standard Windows 10 machine; it's a virtual machine, but that doesn't really matter. We have a Debian 9 installation running here, and I'm going to look at a script that I've made. I call it setup, and what I've done is basically gone and compiled the list of commands that will be run on the Linux system itself. I've just compiled a list of all these commands that take sample configurations that come with OpenVPN on Linux, and I've tried to make a somewhat reasonable setup, but I haven't gone into detail on security. So I want to make it clear that this script, all these commands, you should not take this as the basis for your production OpenVPN installation. As I said, I haven't gone into the detail, so there are definitely things that can be done better. But I have taken as a basis the fact that we are going to be using certificates, and that means setting up a certificate authority, and that means creating a server key and certificate and creating a client key and certificate, and setting things up in such a way that when the OpenVPN client makes a connection it verifies the identity of the server and the server does the same with the identity of the client. So they verify in both directions. I've also implemented tls-auth, which is kind of like a software-based firewall where packets that get sent out get signed with a shared key, and the other end will verify this signature, and if it fails then the packet will simply be dropped. So if people send packets that are not signed in the correct way, these packets will get dropped; kind of like a simple software firewall. There are newer and better ways of doing this, there's for example tls-crypt version 2 and so on, but let's go through the script.

Here's where we make a new CA, a certificate authority, for the certificates. We make a server key and certificate, and the Diffie-Hellman parameters, and the TLS authentication key, that's a shared key for TLS authentication. This is where we take a sample configuration, and this is for the server side, and basically we make a couple of small changes to that, and afterwards we'll let OpenVPN start up with this particular configuration, and that should result in an OpenVPN server that is up and running. And afterwards we'll create a key and certificate for the client. What I'll be doing here, this is a bunch of gibberish to most people; some people are very familiar with these commands, but if you generally have the idea that what I'm showing you right now is too complicated, you might want to consider Access Server. But for those people that are familiar with command line stuff and have the willingness to go into the documentation and read it, and also read books like the ones that have been written by Eric Crist and Jan Just Keijser, then this should be familiar and reasonably easy to do. What I'm doing in this section is I'm taking a sample configuration file, or connection profile, or configuration profile, however you want to name it. That file is basically everything you need to connect, and I'm taking that sample configuration file and I'm shoving all the certificates that we need, all the keys, into one file. It will just be client.ovpn, and that's it, and that is what will go into an OpenVPN client program, and you hit connect and it will work. In all of this I've skipped implementing username and password authentication. I could do it, but it would make the presentation longer, and I'm like, fine, let's do this, it's simple. So if I make a connection it's all based on the certificates, basically. I could also have implemented two-factor authentication; again I didn't do that because of the length of the presentation, it would be too long. At the end here there's one option, and again I want to point out that I haven't done any security on this, I haven't done any iptables rules or firewall rules on this. Basically this enables IP forwarding, and IP forwarding is necessary if you want information from the virtual VPN network to go through the system and reach a real network, to traverse the barrier between interfaces. You can imagine the Debian server has a real network interface where all of your network equipment is, and it has a fake software adapter where your VPN clients are and where your VPN server is and where they communicate, and these are separate interfaces, and if you want to traverse between them you need to have IP forwarding enabled. So I'll just do that here. It's not relevant for the presentation, but I have it here.

So I'm going to take all these commands and copy and paste them, and I'm going to make a connection to my Debian 9 server, and what I'll do is I'll create a file, I'll put all those commands in there and execute it. And if everything goes well, which hopefully it does, then I should end up with a situation where it generates the keys and certificates necessary, it creates a server configuration, it starts OpenVPN with that server configuration, so my server will be waiting for incoming client connections, and it will also generate a client configuration file for me, in theory. Now this Diffie-Hellman thing can sometimes take a little longer; sometimes I run it and it's super fast and sometimes I run it and it's super slow. Normally you would just let it run, but it's taking a long time. I'll give it another minute, and if it still takes too long I'll interrupt it and restart it, so it'll be a lot faster. So let's see if that pulls through or if I need to do something. Yeah, I'm just gonna redo that. This is kind of the risk that you have when you do a live presentation; something could always happen like this and you need to redo it, but it's okay, we'll just redo it. Let me get the setup again, let me log in again, let me try it again. Maybe I'm just being impatient, but okay, let's see. It runs a little faster this time. It's kind of hit and miss with DH parameters, sometimes it takes a long time, sometimes it's super fast. There we go, now it is pretty fast.

Okay, so all these commands have been run, and in theory if I query the status of the server configuration that I am running now I should be able to see that it's online. And yeah, it is, it's active, it's running, and it has a subnet in the 10.8.0.0 range; that is, I believe, the default for the VPN. Let's see if we have any processes listening. Yes we do, we have OpenVPN on port 1194 UDP, so that's up and running and listening for incoming connections. If I look at my network interfaces I see I have a tun0 device with 10.8.0.1, so basically my OpenVPN server is at the first IP in the range. Right now I should have a file on this server that allows me to connect; my script has ensured that. Let me use WinSCP, it's a program I can use to connect to the hard disk of that Debian 9 server. On the right here is the contents of the Debian 9 server, and there is indeed a file called client.ovpn in the /etc/openvpn/clients directory where I made it. I'll copy that file to my desktop on the left here, and now I have this file. Let's see if we can take a quick look at the inside of it to get an idea of what's in there. You can see that it has a lot of comments; it's a sample configuration file. It has a lot of configuration directives, and these directives basically tell the client program what to do: where to connect to, what keys to use, what encryption. This is the cipher that is being used, AES-256-CBC. Now all of these things, and here are the certificates and the private key and everything, and I have no problem showing you all this because this is just temporary and I will be wiping this, and you cannot even reach it from the internet, so I'm safe. But normally you would definitely make sure that this information doesn't leak out.

So having said that, we need a client. For open source you have multiple options. You could go to our website and go to Community and then Downloads, and you could download the open source program, which installs OpenVPN GUI, the graphic user interface. Well, let's do that, let's install that client and see what happens, how that works. There we go. Okay, we get, I think, a readme file; that's great, close that, I already know what this program is and does. So we've got the OpenVPN GUI, and it tells me that there are no connection profiles found yet. So it doesn't know, I haven't put this file in the right place yet, so let's do that. It's telling me I can put it in Program Files\OpenVPN\config or I can put it in Users\<user>\OpenVPN\config. I'll just dump it in the Program Files\OpenVPN\config folder, so let's do that. Okay, now there is a new icon here from OpenVPN GUI, here at the bottom, and if I click that with the right mouse button I should be able to connect. If everything goes well I should be able to establish a connection, and indeed I am connected. I've been given that IP address, and let's just see if I can ping the OpenVPN server, and indeed I can. Now this traffic is actually going encrypted through the VPN tunnel to the server, and the server is listening on 10.8.0.1.

I don't have to use the open source client. I could also use the client called OpenVPN Connect, and there are two versions of that: there is OpenVPN Connect 2, which is the previous generation, and there is OpenVPN Connect 3. I'll just go ahead and get them both so you can get an idea of what it looks like and how it functions, and I'll use those to make a connection to our OpenVPN open source server and see what that looks like. Okay, I'll just rename this so I know which version it is. There we go, now I have a new icon. It's OpenVPN Connect version 2 and it says I have no VPN service; I can import from a local file. Go to my desktop... oh wait, to Program Files, there we go. Okay, now I can use this client to connect. Oops, wrong entry. Connect, and voilà, we are connected. So I'm using the software that was originally developed for OpenVPN Access Server, the commercial edition, to connect to an open source server. That works. I'll disconnect that one, and then I'll show you OpenVPN Connect 3. That is currently in beta, but we have a release coming up in the next couple of weeks that will be out of beta and will be officially stable. All right, great, now we have OpenVPN Connect version 3. Now of course it's kind of ridiculous that I have three different clients on the same computer, but I just wanted to show the different options that are out there. You get an onboarding tour that explains you can import a profile from a server or you can import it from a file. The EULA comes up, I have to agree; some warnings about things that are no longer supported or unsafe come up, all one-time messages, and I can import from a file. Let's go ahead and do that again. I'll grab it from where I last left this file, and voilà, and again I can connect this, and I am connected. So yeah, that works, cool. Everything is working great.

Okay, so that is open source, and again I didn't go into all of the details of all the possible directives and how I got to this, because if you want to do this then you've got to read the manual, you've got to read the sample configuration files, you need to invest some time to learn this. But the advantage is that there is no overhead; there's no management interface or stuff draining resources or whatever, it is just purely the VPN engine that makes the VPN connections possible. You can do a lot with that, but at the same time there is the issue that you might do configurations that seem very good for security but might be very bad for performance. That is just a matter of experience.

Now let's see, where did I leave my presentation. All right, so we've done that, and I have shown you the open source client, OpenVPN GUI. I've shown you the v2 and v3 client software for Access Server, and that it works with almost all the OpenVPN open source servers, and it's all available from our website for free. There are also other clients available, both in paid and free forms; most of, like all, the platforms have a free version basically, so you can connect on Android, macOS, Linux, Windows, iOS, even Chrome OS if you use the Android app. So that all works.

Then we get to the live installation of OpenVPN Access Server, so let's do that. On the left here we keep the same client that I already have. I'm not going to reset that or anything, I'm just going to leave it as is; I just installed all the client software. And on the right we're going to be using a DigitalOcean droplet, OpenVPN Access Server, and I'll be doing that live as well, so that's going to be interesting. Let's switch back to our Windows machine. Okay, let's close a couple of items, there we go. Let's go to the DigitalOcean marketplace. Now I want to make clear that we support Access Server on a lot of platforms, basically a lot of the major Linux distributions like Debian, Ubuntu, CentOS, Red Hat; all those are supported, even Amazon Linux 2, which is Amazon's own adjusted CentOS 7 installation. We are on Amazon Marketplace, and all that stuff you can find on our website. As I said, I don't want to turn this into a sales pitch, but anyway, DigitalOcean is the easiest to do this because it takes the least steps to get things done. So let's go ahead and create an OpenVPN Access Server droplet. Let me just sign in here. So I've gone to the marketplace and I've selected that I want to launch a new droplet; that's what they call a virtual machine on DigitalOcean. And it has automatically selected OpenVPN Access Server for me, so that's good. It selects a $40 a month instance for me, with a lot of memory and stuff; I'm just gonna go ahead and take the simplest one, that's more than enough for what we need right now. I don't need extra storage. I'm in the Netherlands, so I'm gonna choose Amsterdam. It needs an SSH key, fine, I'll select my SSH key; this is something that you should already have set up basically when you start using DigitalOcean. I'm gonna give it some reasonable name and I'm gonna create. Already, out of preparation, I did one earlier today, so just in case this launch takes a very long time or fails or whatever we can go and try this one, but I want to be as authentic as possible and just use this one that we've just launched. Hopefully it'll come through in the next minute or so; usually they're very fast. And it's moving, cool. All right, so we've got our virtual machine and it has an IP address that I can copy and paste. So now, with my SSH key that I've already prepared before, I will make a connection to that instance. Yes, I agree. So now I get the initial installation of Access Server on the command line. It shows me the EULA, the End User License Agreement, and I can just go ahead and agree. At the moment I don't care to configure anything specific, so I'm just gonna hit enter a bunch of times and just let it all assume the default values. I don't want to change what port it listens to, I don't want to change if my client internet traffic should go through the VPN server or not. I mean, this is a configurable thing; you can just change it here, or you can change it afterwards in the web interface of the Access Server. It's all configurable from the server side. So there we go, I'll just enter, enter, enter. I do not enter an activation key, so basically I'm gonna be using Access Server unlicensed, and I don't intend to buy a license either, and if you do this you will be allowed two connections for free. You can just try it out and there is no expiration date on that, basically it just works. Now the only thing I have to do is... well, this of course is handy, this is useful: this tells me where I can log in to get into the admin panel, and this is where I can log in as a user to get my connection profile to make a connection. The only thing I have to do now is set a password for the main admin user; that is, by default, openvpn, but if you look here in the questions you could change it, you could say you want another username. In my case I just accepted the defaults, so here we go. You can't see it, but I just entered a new password, and I can't give that to you because this is public. So let's get that address here so I can get to the admin web interface, and this is where Access Server really shines, because it has a web interface, a graphic interface. Now this message is because I don't have a valid SSL certificate for the web services installed yet; just go ahead and proceed, and now I can log in with my username and password. I see the End User License Agreement, I can agree, and now I am in my Access Server's web interface. I get a status overview, I see that I only have two allowed connections, it's set for layer 3 routing with NAT, so I'll just leave it all. I'm just going to go ahead and create a user under User Management and then User Permissions. Here I can create a new user, so I'm going to go ahead and do that, and I am going to give it a password, and yeah, if I do this and I save this I end up with a user that uses both certificates, because that's completely automated and managed in Access Server, it does it for you, and it uses username and password authentication on top of that. And if I want to I can even go into the options under Authentication and I can enable Google Authenticator, which is a two-factor authentication system. I could enable that, but that would just make the presentation longer, and we want to try to keep it simple, but the option is there.

Cool, so now I have a user set up and I can now go to the main URL of this Access Server, and this is ugly of course, I mean this doesn't look great. I could set up a DNS record, and that would be our recommendation as well, because it would be good to have a DNS record like vpn.mycompany or something, and then if you do that you can actually install a valid SSL certificate on it, and then you don't get that ugly warning that you saw earlier about the certificate being self-signed and not secure and all that stuff. The best way to get connected to an Access Server is by going to the web interface, not the admin web interface, but just the main URL that I'm on right now, and I can log in with my own user, and I will be offered the choice of downloading the OpenVPN Connect software that is recommended for this device. It recognizes that I have Windows; on macOS of course it would recognize Mac and offer the Mac version. And it also offers the option to get more information about the OpenVPN Linux client, iOS client, Android client, and you can also download just the user profile. If I do that I'll end up with a file that basically is very similar to what the open-source version did; this is almost the same idea, you've got your directives in here and you've got your certificates in there. No, I'm not going to show you the key right now, because I know that it could be abused, because this server is public, so I can't show you the whole content, so I won't do that. But basically this is everything you need. You can take this client.ovpn file and you can load this into any of these clients: you can load it into the GUI client, you could load it into Connect v2, you could load it into Connect v3, and you can even import from server on Connect v2 and v3. I will show you that option, by the way, that's good to show. Like if I have OpenVPN Connect v3 already installed and I want to add that profile, I'm gonna need the address of the server, that's basically the IP address here, and I'm gonna need the username and the password, and I'll add a profile, import from URL, there we go, that's URL, or a server, basically. Let's go ahead. I accept that this is a self-signed certificate, and I enter my username, I enter my password, and I have a connection profile, and in theory, if all is well, this should work; I should be able to make a connection, unless I made a mistake of course. Nope, it works great. So now I'm actually connected to this DigitalOcean droplet, and if I'm not mistaken it's also currently set up to redirect all my internet traffic through the VPN server. Let's go ahead and look at the configuration very briefly. There is, under Configuration, VPN Settings, some options like: should client internet traffic be routed through the VPN, yes or no; should we alter the DNS server on the client side, like should we push the one that is being used on the Access Server itself, or should we push a very specific one that we want. This could be useful for Active Directory situations, enterprise solutions, that kind of thing. So these are all options that can be found in the web interface of the Access Server, and most of these options, if you apply them, take effect immediately on the client; you don't have to reinstall them. One advantage that this main interface has is you could show up with a computer that has no OpenVPN client installed yet, and when you download this it comes bundled with your connection profile, so you install it and you immediately have the profile already listed here. So that is the advantage that you get when you use OpenVPN Access Server and OpenVPN Connect together: it pre-bundles it.

I think that's pretty much it for now. Let's see, where is my presentation, why is it not showing up... there we go. So we've done the live installation of OpenVPN Access Server, created a user, connected it, and it all works, and I've shown you how it works on DigitalOcean because it's so easy to do, but you're in no way obligated to use that of course. And you've seen that I've done the installation of OpenVPN Connect previously; it can be installed on Linux, Windows, macOS, Android, iOS. We have OpenVPN Connect with the same graphic user interface that you've seen before; we've got this available on Android, iOS, macOS and Windows. For Linux we don't have a graphic client yet; I'm not sure if that will come anytime soon, but we probably will be working on integration with NetworkManager so that you can just start the connection from there, and that is a graphic component already present in most Linux distributions. So we've done this, we've used the Windows system for this, and we have set up the Access Server, logged in, we installed the OpenVPN Connect software and connected it. And actually this line that you just saw doesn't belong there, that was a leftover from before, sorry about that. Okay, that's pretty much it, I think. I seem to be a little stuck in my presentation, why is it not moving on... there we go.

So, final words. As I said before, OpenVPN is used in a lot of places. Like I said, you can use it on all of the major brands of networking equipment; they almost all have OpenVPN implemented, the open-source version of course, because it's free and very powerful and, important for embedded systems as well, very low on resources. So that's great. Experienced users can achieve a lot with the open-source version; you can do all sorts of things. I know people that have set up kind of like mesh networks between different servers, so that if one connection fails or one server fails things still work. It's possible, but this takes a lot of effort to learn these things, to learn the consequences of configurations that you make. In short, it's very powerful, and Access Server is just based on that and extends the functionality, makes it more accessible to beginners, I would say. Having said that, OpenVPN open source is very powerful, but with great power comes great responsibility, because we actually see even major VPN providers, they take some configuration items that you can use to adjust the security and they go for the highest possible security, and with some settings it doesn't really make that much of a difference but you do get a huge performance penalty, and we do see that mistake being made even by big parties. So yeah, you've got to know your stuff, basically. With Access Server we basically went for a very secure but reasonable approach, and that is the default; you don't have to worry about it. So in that sense it can be attractive to people. Business users, of course, tend to want the support that comes with Access Server; it can be difficult to get support with the Community Edition, for example, but with Access Server we have 24/7 support. This is starting to sound like a sales page; I don't really mean that, I'm just trying to show you guys what's out there, and beginners could start out very easily with Access Server, and without a paid license it still allows two connections, so you can go ahead and try it out. All right, great, thank you everyone, and thanks for joining, and we'll see you at the next webinar.
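The step in the open source part of the webinar where the sample client profile and all the certificates and keys are bundled into one client.ovpn is shown below as an added example; it is not the setup script from the webinar and not OpenVPN project code. It assumes the server host and port and the four PEM files (CA certificate, client certificate, client private key, tls-auth key) are passed as arguments; the directive list follows the stock sample client.conf, with `remote-cert-tls server` added so that the client only accepts a certificate issued as a server certificate, and `key-direction 1` as the client-side direction for the inline tls-auth key.

```shell
#!/bin/sh
# Added example (not the webinar's setup script): assemble a single-file OpenVPN
# client profile, the "client.ovpn" that bundles the CA certificate, the client's
# certificate and private key, and the tls-auth shared key inline, so the client
# program needs nothing but this one file.
#
# Assumptions (not from the webinar): the server host/port and the four PEM files
# are passed as arguments; the directive set mirrors the stock sample client.conf.

# Wrap the contents of a file in <tag>...</tag>, the inline form OpenVPN accepts
# in place of the "ca", "cert", "key" and "tls-auth" file references.
inline_section() {
  tag="$1"; file="$2"
  printf '<%s>\n' "$tag"
  cat "$file"
  printf '</%s>\n' "$tag"
}

# build_inline_profile HOST PORT CA.crt CLIENT.crt CLIENT.key TA.key
# Writes the finished profile to stdout; returns 1 if any input file is unreadable.
build_inline_profile() {
  host="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"; ta="$6"
  for f in "$ca" "$cert" "$key" "$ta"; do
    if [ ! -r "$f" ]; then
      echo "build_inline_profile: cannot read $f" >&2
      return 1
    fi
  done
  # remote-cert-tls server: refuse a peer whose certificate is not marked as a
  # server certificate, so a leaked client certificate cannot pose as the server.
  # key-direction 1: client side of the tls-auth key (the server side uses 0).
  cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
verb 3
EOF
  inline_section ca "$ca"
  inline_section cert "$cert"
  inline_section key "$key"
  inline_section tls-auth "$ta"
}

# When run as a script: the profile contains the private key, so it is written
# with owner-only permissions.
if [ "$#" -eq 6 ]; then
  umask 077
  build_inline_profile "$@" > client.ovpn && echo "wrote client.ovpn"
fi
```

Run it as `sh build_profile.sh vpn.example.com 1194 ca.crt client.crt client.key ta.key`; the resulting client.ovpn can be dropped into the OpenVPN GUI config folder or imported into OpenVPN Connect, and, as the webinar stresses, it holds the private key and must be handled like one.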
Info
Channel: OpenVPN
Views: 17,023
Id: mLBkuvNZiP0
Length: 42min 48sec (2568 seconds)
Published: Thu Jul 02 2020