Branded VPN Deployment and Seamless Remote Management
Adam Olson
Bridging the gap between production network systems and remote
users has always posed challenges. Initial infrastructure design,
access privileges, and client software needs all must be addressed
to ensure that network capacity and maintenance issues remain manageable
as the user base grows. Perhaps the most important consideration
is ease of use for the end user. Software, in general, is becoming
more and more intuitive and end users expect a certain level of
usability and aesthetic quality.
In this article, I will discuss a VPN system that overcomes these
technical challenges while also providing an easy-to-use, attractive
interface to the user. The solution is based on multiple open source
tools. These open source projects are OpenVPN, OpenVPN GUI, Nullsoft
Scriptable Install System (NSIS), and TightVNC (see Resources).
TightVNC is added to provide seamless remote management that is
not provided by the VPN solution itself.
The result will be a company-branded Windows 2000/XP installer
that not only includes all client-side VPN configuration and key
information, but also provides an integrated VNC server for remote
management and assistance upon starting the VPN instance.
Open Source Tools
OpenVPN is a robust and flexible VPN solution that enables most
Unix/Linux, Windows 2000/XP, and Mac OS X platforms to build
encrypted tunnels to one another. These tunnels can be configured
in a variety of ways, but in this article, I will focus solely on
a point-to-point design: each remote client gets its own OpenVPN
instance (UDP port, tun device, and static key) on the server, which
yields a hub-and-spoke deployment that can be as small or as large
as you need.
OpenVPN GUI is a very handy front end to managing VPN instances
for Windows 2000/XP. This is usually the most prominent end-user
operating system within the organization, so an easy-to-use System
Tray icon is a must. OpenVPN GUI allows for easy VPN access for
most users.
The Nullsoft Scriptable Install System (NSIS) is a great open
source project that enables you to create company-branded client
installer packages. End-user perception is greatly enhanced when
the install process has an in-house look and feel.
You may be familiar with Virtual Network Computing (VNC), and
TightVNC is another open source package based on Real VNC. I began
using TightVNC over its counterparts about five years ago, so I've
stuck with it in this deployment. It is very reliable and carries
a small footprint. The same result could probably be attained with
a different VNC package if you want to experiment after reading
this article.
Data Center Requirements
This article is primarily focused on simplifying the end-user
side of things, but it would be incomplete if the data center needs
were left unaddressed. In your data center, you will need a dedicated
and hardened server running a popular Unix/Linux operating system.
Please note the words "dedicated" and "hardened", because this is
one machine that you do not want to be compromised. Any remote nodes
that require VPN access are inherently passing sensitive data, so
take extra caution in this area. Strip down the network services
to nothing but SSH and OpenVPN, if possible, and maintain strict
firewall rules. For additional information, check out the many online
documents on this subject.
The following examples will be based on a system running Red Hat
Fedora Core 2.
To compile OpenVPN, run the standard:
# gzip -d openvpn-2.0_rc6.tar.gz
# tar xf openvpn-2.0_rc6.tar
# cd openvpn-2.0_rc6
# ./configure
# make
# make install
If you have any problems compiling, make sure you have LZO compression
libraries installed. Please refer to the OpenVPN documentation for
details on this.
OpenVPN Server Configuration
To begin, create a directory to house your VPN configuration files
and keys:
# cd /etc
# mkdir openvpn
# chmod 700 openvpn
# cd openvpn
Here is a straightforward configuration file for your first server
instance that should be named port5023.conf:
### Start Config File Port 5023 ###
# local tun device (one per instance)
dev tun23
# interface addresses: this end first, then the client end
ifconfig 10.23.0.1 10.23.0.2
# key location: the pre-shared static key for this instance
secret /etc/openvpn/port5023.key
# UDP port to listen on
port 5023
# drop root privileges after start-up
user nobody
group nobody
# keep the key in memory and the tun device open across restarts;
# after the privilege drop they could not be re-opened otherwise
persist-key
persist-tun
# options: LZO compression, a keep-alive ping every 15 seconds
# (keeps NAT mappings alive), low log verbosity
comp-lzo
ping 15
verb 1
### End Config File Port 5023 ###
This file has very few options that require changing for each server
instance, mainly the tunnel interface on which to bind, the UDP port
on which to listen, the location of the key file, and the point-to-point
addressing for the VPN connection.
Please note that the example configuration above instructs OpenVPN
to switch user and group IDs to the account "nobody". This is ideal
if your VPN server is running only OpenVPN daemons as nobody. If
the VPN server is running other services under the user and group
IDs of nobody, it is best to run OpenVPN as a different user and
group ID.
To create the static key for this VPN instance, run this command
from within /etc/openvpn:
# /usr/local/sbin/openvpn --genkey --secret port5023.key
This key is the only credential for the tunnel: whoever holds a copy
can connect to this instance. Keep it readable by root alone (the
directory was created mode 700 above) and hand it out only inside
the installer built later in this article.
At this point, don't forget to add the necessary rule permitting UDP
traffic destined to port 5023 within IPTables or your respective firewall
software; only the instance ports and SSH should be reachable from
outside. It also pays to log packets arriving on the port (an iptables
LOG rule ahead of the ACCEPT) and to run a small script from cron that
tallies those packets together with OpenVPN's own "packet HMAC
authentication failed" messages, so that repeated attempts from an
address that never completes a connection show up in your security
audit.
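As an added example (mine, not the article's, which leaves the audit script to the reader), here is a Python script that performs that cron-driven audit over a syslog file. It assumes two things that are not in the original: that the firewall has an iptables LOG rule for UDP port 5023 with the log prefix "VPN5023: " ahead of the ACCEPT rule (OpenVPN's static-key failure messages do not name the sender, so the kernel log supplies the source address), and that OpenVPN logs to syslog with the message texts shown, which follow the 2.0 wording. The log lines in the block are constructed for the example; the address ranges are documentation addresses.

```python
import re
import sys
from collections import Counter

# Constructed sample syslog excerpt for this example (not real logs).
# Assumed firewall rule, placed before the ACCEPT rule for the port:
#   iptables -A INPUT -p udp --dport 5023 -j LOG --log-prefix "VPN5023: "
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 vpn kernel: VPN5023: IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=1194 DPT=5023 LEN=50
Mar  3 10:15:01 vpn openvpn[1234]: Peer Connection Initiated with 198.51.100.50:1194
Mar  3 10:15:02 vpn kernel: VPN5023: IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.10 LEN=114 PROTO=UDP SPT=1194 DPT=5023 LEN=94
Mar  3 10:16:40 vpn kernel: VPN5023: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=43210 DPT=5023 LEN=50
Mar  3 10:16:40 vpn openvpn[1234]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  3 10:16:41 vpn kernel: VPN5023: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=43210 DPT=5023 LEN=50
Mar  3 10:16:41 vpn openvpn[1234]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  3 10:16:42 vpn kernel: VPN5023: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=43210 DPT=5023 LEN=50
Mar  3 10:16:42 vpn openvpn[1234]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  3 10:16:43 vpn kernel: VPN5023: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=43210 DPT=5023 LEN=50
Mar  3 10:16:43 vpn openvpn[1234]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  3 10:17:00 vpn kernel: VPN5023: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=5555 DPT=5023 LEN=50
Mar  3 10:17:00 vpn openvpn[1234]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  3 10:17:05 vpn kernel: VPN5024: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=70 PROTO=UDP SPT=43211 DPT=5024 LEN=50
"""

# Kernel (iptables LOG) line: source address and UDP destination port.
KERNEL_RE = re.compile(r"kernel: .*SRC=(?P<src>[\d.]+) .*PROTO=UDP .*DPT=(?P<dport>\d+)")
# OpenVPN static-key mode: a packet that failed HMAC authentication.
HMAC_RE = re.compile(r"openvpn\[\d+\]: .*packet HMAC authentication failed")
# OpenVPN: the peer completed the handshake (assumed message wording).
PEER_RE = re.compile(r"openvpn\[\d+\]: Peer Connection Initiated with (?P<src>[\d.]+):\d+")


def audit_vpn_log(lines, port=5023, threshold=3):
    """Tally UDP packets to `port` per source address, count HMAC failures,
    note which sources completed a tunnel, and flag as suspects the sources
    that sent at least `threshold` packets without ever completing one."""
    packets = Counter()
    hmac_failures = 0
    peers = set()
    for line in lines:
        m = KERNEL_RE.search(line)
        if m:
            if int(m.group("dport")) == port:
                packets[m.group("src")] += 1
            continue
        if HMAC_RE.search(line):
            hmac_failures += 1
            continue
        m = PEER_RE.search(line)
        if m:
            peers.add(m.group("src"))
    suspects = {src: n for src, n in packets.items()
                if n >= threshold and src not in peers}
    return {"packets": dict(packets), "hmac_failures": hmac_failures,
            "peers": peers, "suspects": suspects}


def format_report(report):
    """Render the audit as text suitable for a cron mail."""
    lines = [f"HMAC authentication failures: {report['hmac_failures']}"]
    for src, n in sorted(report["packets"].items(), key=lambda kv: -kv[1]):
        tag = "completed tunnel" if src in report["peers"] else "no tunnel"
        flag = "  <-- SUSPECT" if src in report["suspects"] else ""
        lines.append(f"{src:>15}  {n:4d} packets  ({tag}){flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a syslog file (e.g. /var/log/messages) as the argument; with no
    # argument the constructed sample above is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSLOG.splitlines()
    print(format_report(audit_vpn_log(source)))
```

Logging every packet on a busy port is noisy; in practice rate-limit the LOG rule (iptables -m limit) or log only packets that do not match an established flow. The threshold of three packets is deliberately low for the sample and should be tuned to the ping interval of your instances.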
You should now be able to start your VPN instance by executing:
# /usr/local/sbin/openvpn --daemon --disable-occ --config \
/etc/openvpn/port5023.conf
The options passed to OpenVPN are as follows:
--daemon -- Run in the background as a daemon.
--disable-occ -- Disable the options consistency check, in which the
two peers compare settings such as cipher, compression, and MTU when
they connect and log a warning on a mismatch. Turning it off lets
clients running a different OpenVPN release connect without complaint,
which is very handy when you are supporting true telecommuters who
don't receive software updates on a routine basis. The trade-off is
that a genuine mismatch (comp-lzo on one side only, say) is no longer
reported up front, so verify that the server and client configuration
files agree before you ship them.
--config -- Specify the location of the configuration file.
You should now have a basic VPN server instance listening on port
5023. If you experience any problems, please review the OpenVPN
documentation. It is straightforward to configure, so any issues
should be easily resolved.
Building the VPN Installer
VPN clients in this configuration need to know where the VPN server
is located, which port to connect to, which statically assigned
key to use, and more. This is all accomplished by providing a complete
configuration file and key within the company-branded VPN installer.
End users will not need nearly as much assistance in remotely accessing
the more sensitive resources within the company with an easy-to-use
installer executable.
Because we are creating our own Windows 2000/XP installer, the
opportunity exists to introduce otherwise totally separate program
binaries into the installation process. Instead of simply installing
a VPN client with a prearranged key and configuration file, we will
also be including TightVNC binaries for both the client and server
instance of the VNC protocol.
Download and install the NSIS package on a Windows XP development
system at:
http://www.openvpn.se/files/nsis/nsis20b3.exe
Since the release of my production rollout, a newer version of NSIS
has been released. Make sure you are using the version linked to above
for demonstration purposes, but each principle covered here is applicable
to the later versions. However, I have noticed that the latest version
of NSIS does require a little bit of tweaking with the following install
source zip file, so you will find it easier to use the above version
of NSIS anyway.
Next, download the installation source to the same Windows XP
development system at:
http://www.openvpn.se/files/install_packages_source/openvpn_install_source-2.0-rc6-gui-1.0-beta26.zip
This file was put together by Mathias Sundman and includes all of
the necessary files for OpenVPN, OpenVPN GUI, and NSIS configuration
to build the standard OpenVPN Windows installer package. Unzip this
file to your desktop and name the folder "VPN Sources" for now.
To get an idea of what will result from the overall process, open
the VPN Sources folder, right-click openvpn-gui.nsi, and left-click
"Compile NSI". A few seconds later you should see an OpenVPN installer
executable in the "VPN Sources" folder. If you were to execute this
installer, the standard version of OpenVPN would be installed. If
you ran into any problems creating this executable, please refer
to the documentation located at:
http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html
or:
http://nsis.sourceforge.net
Building the Company-Branded VPN Installer
We now have a basic VPN server instance and a standard Windows
installer for OpenVPN, but we want to make it custom built for easy
deployment. We also want to add TightVNC binaries for instant remote
administration and assistance.
Download the complete set of TightVNC 1.3dev6 executables without
the installer at:
http://www.tightvnc.com/download.html
For now, unzip and save the included files to your desktop. We will
be concerned with the files VNCHooks.dll, vncviewer.exe, WinVNC.exe,
and LICENCE.txt. Copy these files to the openvpn folder within the
"VPN Sources" folder.
Save the following client-side example configuration file to openvpn/config/VPN.ovpn
within your "VPN Sources" folder as well:
### BEGIN CLIENT SIDE CONFIGURATION FILE ###
# vpn server to contact
remote 192.168.10.10
# port to establish connection on (must match the server instance)
port 5023
# local tunnel device
dev tun
# tunnel MTU
tun-mtu 1500
# interface addresses: this end first, then the server end
# (the mirror image of the server's ifconfig line)
ifconfig 10.23.0.2 10.23.0.1
# send traffic for 10.0.0.0/8 through the tunnel
route 10.0.0.0 255.0.0.0 10.23.0.1
# key location (backslashes are doubled inside quoted paths)
secret "c:\\program files\\company branded vpn\\config\\key.txt"
# enable LZO compression (must match the server)
comp-lzo
# keep-alive ping
ping 10
# moderate verbosity; repeat messages of one type at most 10 times
verb 4
mute 10
# options left disabled for now; remove the leading semicolon to enable
;fragment 1300
;mssfix
;ping-restart 60
;ping-timer-rem
;persist-tun
;persist-key
;resolv-retry 86400
### END CLIENT SIDE CONFIGURATION FILE ###
You will see a number of options in the above example configuration,
and I encourage you to test different settings. For now, a reasonable
number of options are enabled, and the rest are commented out with
a leading semicolon. The most important options are the IP address
of your VPN server, the port number on which to connect, the location
of the key file, and the addressing assignments of the VPN interface,
which must mirror the server's ifconfig line. Also, note the route
command listed above. You control which entries are added to the end
user's routing table once the tunnel is up, which comes in handy in a
number of situations. Bear in mind that a route only tells the client
where to send packets; what the client can actually reach on the other
side is decided by the VPN server's firewall rules, so restrict
forwarding from the tun devices there rather than relying on the
client configuration.
Before moving on, you will also need to copy the contents of /etc/openvpn/port5023.key
on your VPN server to openvpn/config/key.txt within the "VPN Sources"
folder. This step ensures the new VPN installer will have the correct
key when establishing the encrypted tunnel. It also means the installer
executable now carries a live credential: anyone who obtains the .exe,
or reads key.txt from an installed copy, can connect to that instance.
Distribute the installer over a trusted channel only, and build a
separate installer (server instance, port, and key) per user, so that
a lost laptop is handled by stopping one instance and regenerating one
key rather than re-keying everybody.
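The per-instance server file and the client file have to agree on the port, the mirrored ifconfig addresses, compression, and the tun device, and with --disable-occ on the server a mismatch is no longer reported at connect time. As an added example (mine, not the article's), the following Python script generates the two files for an instance number and checks a pair for exactly those mismatches before the key and config go into the installer. The numbering scheme is an assumption of the example: instance N gets UDP port 5000+N, tunN and the 10.N.0.0 address pair, so N=23 reproduces the article's port5023 instance. The route argument and the client key path are taken from the article's client configuration.

```python
"""Generate a matched server/client OpenVPN static-key config pair per
instance and check that the two files agree before they are shipped."""

# Server side, after the article's port5023.conf (path per instance).
SERVER_TEMPLATE = """\
### Start Config File Port {port} ###
# local tun device
dev {dev}
# interface addresses: this end, then the client end
ifconfig {local} {remote}
# key location; create it with: openvpn --genkey --secret {key}
secret {key}
# UDP port to listen on
port {port}
# drop privileges after start-up
user nobody
group nobody
# options
comp-lzo
ping 15
verb 1
### End Config File Port {port} ###
"""

# Client side, after the article's VPN.ovpn (raw string: the doubled
# backslashes in the key path must reach the file as written).
CLIENT_TEMPLATE = r"""### BEGIN CLIENT SIDE CONFIGURATION FILE ###
# vpn server to contact
remote {server_ip}
# port to establish connection on
port {port}
# local tunnel device
dev tun
tun-mtu 1500
# interface addresses: this end, then the server end
ifconfig {remote} {local}
# send traffic for {route_net} through the tunnel
route {route_net} {local}
# key location (installed by the branded installer)
secret "c:\\program files\\company branded vpn\\config\\key.txt"
# enable LZO compression
comp-lzo
# keep-alive ping
ping 10
# moderate verbosity
verb 4
mute 10
### END CLIENT SIDE CONFIGURATION FILE ###
"""


def build_instance(index, server_ip, route_net="10.0.0.0 255.0.0.0", key_dir="/etc/openvpn"):
    """Instance N listens on UDP 5000+N with tunN and the 10.N.0.1/10.N.0.2
    pair (this example's numbering, not a rule from the article)."""
    if not 1 <= index <= 254:
        raise ValueError("index must be 1..254: it becomes the second octet of 10.N.0.0")
    port = 5000 + index
    local, remote = f"10.{index}.0.1", f"10.{index}.0.2"
    key = f"{key_dir}/port{port}.key"
    server = SERVER_TEMPLATE.format(port=port, dev=f"tun{index}", local=local, remote=remote, key=key)
    client = CLIENT_TEMPLATE.format(server_ip=server_ip, port=port, local=local,
                                    remote=remote, route_net=route_net)
    return server, client


def parse_options(text):
    """Map each option name to every argument list it was given with
    (OpenVPN options may repeat; '#' and ';' start comment lines)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def _last(opts, name):
    return opts[name][-1] if name in opts else None


def check_pair(server_conf, client_conf):
    """Return a list of mismatches (empty when the pair is consistent)."""
    s, c = parse_options(server_conf), parse_options(client_conf)
    problems = []
    if _last(s, "port") != _last(c, "port"):
        problems.append(f"port mismatch: server {_last(s, 'port')} vs client {_last(c, 'port')}")
    s_if, c_if = _last(s, "ifconfig") or [], _last(c, "ifconfig") or []
    if len(s_if) != 2 or len(c_if) != 2 or s_if != list(reversed(c_if)):
        problems.append(f"ifconfig not mirrored: server {s_if} vs client {c_if}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on only one side")
    for side, opts in (("server", s), ("client", c)):
        if not (_last(opts, "dev") or [""])[0].startswith("tun"):
            problems.append(f"{side} dev is not a tun device: {_last(opts, 'dev')}")
    if "tun-mtu" in s and "tun-mtu" in c and _last(s, "tun-mtu") != _last(c, "tun-mtu"):
        problems.append("tun-mtu mismatch")
    for r in c.get("route", []):  # every route must point at the server end
        if len(r) == 3 and len(c_if) == 2 and r[2] != c_if[1]:
            problems.append(f"route gateway {r[2]} is not the server end {c_if[1]}")
    return problems


if __name__ == "__main__":
    server_conf, client_conf = build_instance(23, "192.168.10.10")
    print(server_conf)
    print(client_conf)
    print("mismatches:", check_pair(server_conf, client_conf) or "none")
```

Run the check against the actual port5023.conf and VPN.ovpn you are about to package, not just the generated ones; the point is to catch by hand-editing what --disable-occ stops OpenVPN from telling you.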
To wrap up the company-branded VPN installer portion, open the
"VPN Sources" folder and edit openvpn-gui.nsi. Replace the first
section of code with this:
!include "MUI.nsh"
!include "setpath.nsi"
!define MASTER "x:\openvpn\exp\openvpn"
!define HOME "openvpn"
!define BIN "${HOME}\bin"
!define MUI_PRODUCT "Company Branded VPN"
!define OPENVPN_VERSION "2.0"
!define GUI_VERSION "2.0"
!define MYCERT_VERSION "0.3.2b"
!define MUI_VERSION "-"
;!define MUI_VERSION "${OPENVPN_VERSION}-gui-${GUI_VERSION}"
!define TAP "tap0801"
!define TAPDRV "${TAP}.sys"
Now find the line that starts with "OutFile" and replace it with:
OutFile "Company Branded VPN.exe"
Next, locate the line:
File "${HOME}\openvpn.exe"
And add directly below it (overwriting the identically named sections):
; Stop any WinVNC already running so its binaries can be overwritten.
; $PROGRAMFILES is the NSIS constant for the Program Files folder
; (the original used the literal c:\program files).
SetOutPath "$PROGRAMFILES\TightVNC"
nsExec::ExecToLog '"$PROGRAMFILES\TightVNC\winvnc.exe" -kill'
File "${HOME}\vncviewer.exe"
File "${HOME}\WinVNC.exe"
File "${HOME}\LICENCE.txt"
File "${HOME}\VNCHooks.dll"
; Register WinVNC as a Windows service and start it.
nsExec::ExecToLog '"$PROGRAMFILES\TightVNC\winvnc.exe" -reinstall'
nsExec::ExecToLog 'net start winvnc'
SectionEnd
Section "OpenVPN GUI" SecGUI
SetOverwrite on
SetOutPath "$INSTDIR\bin"
File "${HOME}\openvpn-gui.exe"
; The ready-made client configuration and this instance's static key.
SetOutPath "$INSTDIR\config"
File "${HOME}\config\VPN.ovpn"
File "${HOME}\config\key.txt"
CreateDirectory "$INSTDIR\log"
SectionEnd
Next, locate the following lines:
Delete "$INSTDIR\config\README.txt"
Delete "$INSTDIR\config\sample.${SERV_CONFIG_EXT}.txt"
and replace them with:
Delete "$INSTDIR\config\key.txt"
Delete "$INSTDIR\config\README.txt"
Delete "$INSTDIR\config\VPN.ovpn"
This step ensures removal of the key and configuration file in the
event the user uninstalls the company-branded VPN package.
Finally, in the "VPN Sources\openvpn" folder, rename openvpn-2.0_rc6.zip
to openvpn-2.0.zip and openvpn-gui-1.0-beta26.zip to openvpn-gui-2.0.zip.
I do this to keep the version of the primary application OpenVPN
simple; feel free to address this issue as desired.
Return to the "VPN Sources" folder, right-click openvpn-gui.nsi
and left-click compile NSI. If you made all the changes correctly,
you will now see a "Company Branded VPN.exe" in the "VPN Sources"
folder. It will include a complete example configuration, the appropriate
key, and a company-branded look and feel to the installer. It will
also install TightVNC, register it as a Windows Service, and start
you on your way to easier remote user administration with secure
remote access.
One caution before you ship it: as written, the installer neither sets
a VNC password nor restricts which addresses WinVNC will accept, so the
service listens on every interface of the user's machine, including
whatever network it happens to be on. Set a password and limit the
accepted client addresses through WinVNC's own settings before you
build (the TightVNC documentation covers its registry keys), or at
minimum have the Windows firewall admit TCP 5900 only from the server's
tunnel address (10.23.0.1 in this example), so that the VNC server is
reachable through the VPN and nowhere else.
Where You Can Go from Here
The general ideas outlined in this article enable systems and
network administrators to deploy a company-branded VPN solution
for the Windows 2000/XP platform, which can be extended to other
client platforms with additional work. This solution lets administrators
control what the end user's workstation knows about (routing
table additions) and what the end user is permitted to access (the VPN
server's firewall configuration), and it is built entirely from open
source tools, so a company can deploy a cost-effective, branded
solution to its users.
Resources
NSIS Web site -- http://nsis.sourceforge.net
OpenVPN Web site -- http://www.openvpn.net
OpenVPN GUI Web site -- http://openvpn.se
Real VNC Web site -- http://www.realvnc.com
TightVNC Web site -- http://www.tightvnc.com
Adam Olson lives in Northern California. He's been active in
network design, systems administration, and systems programming
for more than nine years with various companies like MCI WorldCom
and small Bay Area startups. He has now co-founded a relatively
new company serving the needs of small and medium-sized businesses
that is called Office Appliance (http://officeappliance.com).