Chapter 18: Experiment 18.3 - Install and Configure a VPN

This is quite an experiment, and I am not sure whether it might be harder in an Emulab environment. My student, Eric Knibbe, began the work, I picked it up, and was able to finish it with the invaluable assistance of my student, Tim Brom.

This is a difficult assignment, and I am going to do most of it for you. The interesting part is up to you.

We used a slightly simpler topology than Professor Comer specifies, but the basic idea is there. Here is the ns file:

set ns [new Simulator]
source tb_compat.tcl

set monitor [$ns node]
set server [$ns node]
set client [$ns node]
set node1 [$ns node]
set node2 [$ns node]
tb-set-node-os $monitor FC4-STD
tb-set-node-os $server FC4-STD
tb-set-node-os $client FC4-STD
tb-set-node-os $node1 FC4-STD
tb-set-node-os $node2 FC4-STD

# monitor sits between server and client, so every tunnel packet crosses it
set link1 [$ns duplex-link $monitor $server 100Mb 0ms DropTail]
set link2 [$ns duplex-link $monitor $client 100Mb 0ms DropTail]

# node2 shares a LAN with client; node1 shares a LAN with server
set lan2 [$ns make-lan "$client $node2 " 100Mb 0ms]
set lan1 [$ns make-lan "$node1 $server " 100Mb 0ms]

$ns rtproto Static
$ns run

This gives a simple topology, laid out as follows:

At one end of the ring is node1 (10.1.1.2), which connects to server's interface 10.1.1.3. Server connects through 10.1.4.3 to monitor's interface 10.1.4.2. Monitor connects through 10.1.2.2 to client's interface 10.1.2.3. Client connects through 10.1.3.2 to node2's interface 10.1.3.3.

We gratefully acknowledge the help gleaned from the OpenVPN Static Key Mini-HOWTO, which got us started.

Here is what you do, roughly in order:

  1. You need a key, so type "openvpn --genkey --secret static.key". The file "static.key" will need to be on both client and server.

  2. You need to run openvpn on client and server, so download and extract the software from openvpn.net onto users.emulab.whatever.

  3. You will need a client.config and a server.config file in some convenient location (grab the ones from the Mini-HOWTO, we did).

  4. Someday I'll think about how to automate some of this, but for now you just need to begin the experiment and ssh to client (twice), server (twice), monitor, node1, and node2.

  5. On client and server, change directory to the directory where you saved the openvpn software, and type "./configure" (we needed "--disable-lzo"), "make", and "sudo make install". This will install /usr/local/sbin/openvpn.

  6. The difficult part of all this is the routing that Emulab sets up for you, to which some changes must be made.

    This is the interesting part. It is all about routing, and that is all I am going to say.

  7. Now we are ready to build the tunnel. On server type "/usr/local/sbin/openvpn server.config", and on client type "/usr/local/sbin/openvpn client.config".

  8. Now we have to put in the good routes (through the tunnel) to replace the bad routes we took out earlier. On server type "route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.8.0.1", and on client type "route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.8.0.2".

  9. Finally, the fun part! On monitor type "tcpdump -i eth1 -X udp port 1194" (eth1 is probably the right interface, but check which of monitor's interfaces carries the traffic). Get some traffic going from node1 to node2 (ping, or I ran David Vos's web server on node2 and used wget on node1). You will have no doubt that the correct traffic is getting from node2 to node1 and that it is encrypted! Wow!
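As an added example (not part of the original assignment), here is a small Python script that takes the packet dumps printed by tcpdump -X in step 9, strips the IP and TCP/UDP headers, and checks whether the transport payload looks encrypted by measuring its printable-ASCII fraction and byte entropy. The two dumps embedded below are constructed for the example, not real captures, and the 90% printable threshold is an assumption chosen for illustration.

```python
import math
import re
from collections import Counter
# One `tcpdump -X` hex line: offset, up to eight 4-digit hex groups, then an ASCII column (ignored).
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4} ?){1,8})")

def parse_tcpdump_x(dump: str) -> bytes:
    """Rebuild one packet's raw bytes from its `tcpdump -X` hex lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def transport_payload(pkt: bytes) -> bytes:
    """Skip the IPv4 header plus the TCP (proto 6) or UDP (proto 17) header."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto not in (6, 17):
        raise ValueError(f"unexpected IP protocol {proto}")
    thl = (pkt[ihl + 12] >> 4) * 4 if proto == 6 else 8  # TCP data offset, else fixed UDP header
    return pkt[ihl + thl:]

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(payload: bytes) -> bool:
    """Plaintext HTTP is almost entirely printable ASCII; OpenVPN ciphertext is not (assumed 90% cut)."""
    text = sum(1 for b in payload if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return text / len(payload) < 0.9

# Constructed samples, not real captures: an HTTP GET from node1 (10.1.1.2) to node2 (10.1.3.3)
# as monitor would see it before the tunnel, and a UDP/1194 packet from server to client after.
PLAIN_HTTP = r"""
    0x0000:  4500 0050 1234 4000 4006 0000 0a01 0102  E..P.4@.@.......
    0x0010:  0a01 0303 c350 0050 0000 0001 0000 0001  .....P.P........
    0x0020:  5018 2000 0000 0000 4745 5420 2f69 6e64  P. .....GET /ind
    0x0030:  6578 2e68 746d 2048 5454 502f 312e 300d  ex.htm HTTP/1.0.
    0x0040:  0a48 6f73 743a 206e 6f64 6532 0d0a 0d0a  .Host: node2...."""
TUNNELED = r"""
    0x0000:  4500 005c 0001 0000 4011 0000 0a01 0403  E..\....@.......
    0x0010:  0a01 0203 04aa 04aa 0048 0000 9f3b c271  .........H...;.q
    0x0020:  e804 5da6 13f7 882e bd60 c937 ab52 0e94  ..]......`.7.R..
    0x0030:  d17c 26e3 48fa 1b8f 65d8 b02a f179 459c  .|&.H...e..*.yE.
    0x0040:  03ee 57b8 30c4 1d82 6adf a916 cd08 b35e  ..W.0...j......^
    0x0050:  2197 4ae6 70d3 8c39 f4a1 0b6d            !.J.p..9...m"""

for name, dump in ("before tunnel", PLAIN_HTTP), ("via tunnel", TUNNELED):
    p = transport_payload(parse_tcpdump_x(dump))
    print(f"{name}: entropy {shannon_entropy(p):.2f} bits, encrypted={looks_encrypted(p)}")
```

To check a real capture, paste one packet's lines from tcpdump -X into a string and pass it through the same three calls; a tunnel packet should report a low printable fraction and entropy close to the maximum for its length.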