How to: Configure OpenVPN in UWM

    [UPDATED: Oct. 7, 2016]


    INTRODUCTION

    VIRL includes the ability to use OpenVPN for VPN connectivity. This feature allows the user to connect securely from a remote location to the VIRL server. The user can then use the VPN connection to access the VIRL server and the nodes in the simulation(s).

    VIRL places the remote client (your PC) directly on the FLAT network using an L2 connection. This means that the remote client is Layer 2 'adjacent' to the simulated nodes that have an interface on FLAT.


    TECHNICAL DETAIL

    Remote users are authenticated using certificates. These certificates are created automatically on the VIRL server when the OpenVPN service is set up. IP addresses for connected clients are assigned from an IP range configured during OpenVPN service configuration. The addresses must be in the FLAT subnet; the default range is 172.16.1.20 - 172.16.1.39. Currently no more than 20 remote clients are allowed to connect simultaneously.

    • IP addresses are assigned dynamically from the configured IP range.
    • Only administrators can enable the OpenVPN service.
    • Accessing STD and UWM via VPN is possible on 172.16.1.254. Use case: to minimize the attack surface, use the Linux firewall to allow only VPN and SSH on the public interface.
    • Accessing console ports via STD / VMM requires additional changes that are beyond the scope of this basic document.
    • There is only one OpenVPN configuration file shared by all users of the VIRL server. This '.ovpn' file is not unique to each user.
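    As an added example that is not part of the original document, the following POSIX shell script implements the firewall use case from the list above with iptables. It assumes the public interface is eth0, that OpenVPN listens on UDP 1194 (OpenVPN's usual default, which this page does not name) and on TCP 443, and that SSH is on port 22; setting DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not VIRL's own code): restrict the public interface of the
# VIRL server to OpenVPN and SSH so that STD/UWM on 172.16.1.254 are reachable
# only through the VPN tunnel. Interface and port numbers are assumptions.
set -eu

PUB_IF="${PUB_IF:-eth0}"            # assumed public interface
VPN_UDP_PORT="${VPN_UDP_PORT:-1194}" # OpenVPN's usual UDP default (assumed)
VPN_TCP_PORT="${VPN_TCP_PORT:-443}"  # TCP transport described on this page
SSH_PORT="${SSH_PORT:-22}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append the inbound policy for one interface to the INPUT chain.
apply_public_policy() {
    ifc="$1"
    # Keep replies to existing sessions working.
    run iptables -A INPUT -i "$ifc" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # OpenVPN over UDP (default transport) and over TCP 443 (proxy-friendly).
    run iptables -A INPUT -i "$ifc" -p udp --dport "$VPN_UDP_PORT" -j ACCEPT
    run iptables -A INPUT -i "$ifc" -p tcp --dport "$VPN_TCP_PORT" -j ACCEPT
    # SSH for administration of the server itself.
    run iptables -A INPUT -i "$ifc" -p tcp --dport "$SSH_PORT" -j ACCEPT
    # Everything else arriving on the public interface is dropped.
    run iptables -A INPUT -i "$ifc" -j DROP
}

# Apply only when explicitly asked, so sourcing the file changes nothing.
if [ "${1:-}" = "--apply" ]; then
    apply_public_policy "$PUB_IF"
fi
```

    Run with `DRY_RUN=1 sh script.sh --apply` first to review the rules; they are appended, so flush or review the INPUT chain before applying for real.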


    CAVEATS

    The user should have a basic understanding of remote access VPNs and their function. It is also assumed that the user understands that ports may need to be opened on the user's local firewall or on a remote firewall to allow VPN connectivity. The VIRL server offers two connection methods: the default uses UDP as the transport, and the second uses TCP port 443. Some firewalls might block VPN traffic on the default UDP port. Establishing an OpenVPN connection over TCP port 443 (the same port used for secure HTTP) is usually possible, even when traffic passes through a proxy, as long as HTTPS is allowed.

    Another important caveat is that certain environments might not permit the use of multiple VPN clients at the same time. For example, if the Cisco AnyConnect VPN client is used and the VIRL server is reachable through the AnyConnect VPN tunnel, then OpenVPN will not work when split tunneling is administratively prohibited.


    KNOWN WORKING OPERATING SYSTEMS

    This list is by no means exhaustive. It only lists operating systems that the VIRL team has used successfully. Other OS versions or platforms (Android, iOS, *BSD, ...) will probably work as long as an OpenVPN implementation exists for that platform.

    • Linux
      o Ubuntu 14.04 / 15.04
      o Fedora 22
      o CentOS 7
    • Mac OS X (10.9 and later)
    • Windows 7 and later