Douglas E. Comer


Computer Science Department
Purdue University
West Lafayette, IN 47907

webmaster: W. David Laverell
Hands-On Networking: Experiment 18.3 (An Emulab Approach)

Chapter 18: Experiment 18.3 - Install And Configure A VPN

This is quite an experiment, and I am not sure whether it might be harder in an Emulab environment. My student, Eric Knibbe, began the work, I picked it up, and was able to finish it with the invaluable assistance of my student, Tim Brom.

We used a slightly simpler topology than Professor Comer specifies, but the basic idea is there. Here is the ns file:

set ns [new Simulator]
source tb_compat.tcl

set monitor [$ns node]
set server [$ns node]
set client [$ns node]
set node1 [$ns node]
set node2 [$ns node]
tb-set-node-os $monitor FC4-STD
tb-set-node-os $server FC4-STD
tb-set-node-os $client FC4-STD
tb-set-node-os $node1 FC4-STD
tb-set-node-os $node2 FC4-STD

set link1 [$ns duplex-link $monitor $server 100Mb 0ms DropTail]
set link2 [$ns duplex-link $monitor $client 100Mb 0ms DropTail]

set lan2 [$ns make-lan "$client $node2 " 100Mb 0ms]
set lan1 [$ns make-lan "$node1 $server " 100Mb 0ms]

$ns rtproto Static
$ns run

This gives a simple topology like this:

At one end of the chain is node1 (10.1.1.2), connecting to server through its interface (10.1.1.3). Server connects through (10.1.4.3) to monitor through (10.1.4.2). Monitor connects through (10.1.2.2) to client through (10.1.2.3). Client connects through (10.1.3.2) to node2 through (10.1.3.3).

We gratefully acknowledge the help gleaned from Static Key Mini-HOWTO which got us started.

Here is what you do, roughly in order:

  1. You need a key so type "openvpn --genkey --secret static.key". The file "static.key" will need to be on client and on server.

  2. You need to run openvpn on client and server so download and extract the software from openvpn.net onto users.emulab.whatever.

  3. You will need a client.config and a server.config file in some convenient location (grab the ones from the Mini-HOWTO, we did).

  4. Someday I'll think about how to automate some of this, but for now you just need to begin the experiment and ssh to client (twice), server (twice), monitor, node1, and node2.

  5. On client and server, change directory to the directory where you saved the openvpn software, and type "./configure" (we needed "--disable-lzo"), "make", and "sudo make install". This will install /usr/local/sbin/openvpn.

  6. To build the tunnel on server type "/usr/local/sbin/openvpn server.config", and on client type "/usr/local/sbin/openvpn client.config".

  7. Finally, the fun part! On monitor type "tcpdump -i eth1 -X udp port 1194" (the interface is probably eth1; check which one carries the server-client traffic). Get some traffic going from node1 to node2 (ping, or I ran David Vos's web server on node2 and used wget on node1). You will have no doubt that the correct traffic is getting from node2 to node1 and that it is encrypted! Wow!

  8. The difficult part of all this is the routing that Emulab sets up for you, which must be changed. This is one case where having the routing configured for you is not helpful. You are very likely to get this going in such a way that the traffic gets where it is supposed to go but is not encrypted on the way. Then you need to do some thinking.
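An added check for the failure mode in step 8 (this script is not part of the original lab page): it classifies tcpdump summary lines captured on monitor, counting packets that crossed inside the tunnel (UDP 1194 between server's 10.1.4.3 and client's 10.1.2.3) against end-host packets from the 10.1.1.0/24 and 10.1.3.0/24 LANs that crossed in the clear. The sample capture is constructed; addresses are the ones given in the topology description above.

```python
"""Audit a tcpdump capture taken on monitor: node1<->node2 traffic should
cross the monitor only as OpenVPN UDP/1194 datagrams, never as plaintext."""
import ipaddress
import re

# Topology values from the experiment description.
LAN1 = ipaddress.ip_network("10.1.1.0/24")   # node1 / server side
LAN2 = ipaddress.ip_network("10.1.3.0/24")   # client / node2 side
TUNNEL_ENDPOINTS = {ipaddress.ip_address("10.1.4.3"),   # server
                    ipaddress.ip_address("10.1.2.3")}   # client
VPN_PORT = 1194

# tcpdump summary line: "IP src[.port] > dst[.port]: <proto> ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (\S+)")

def classify(line):
    """Return 'tunnel', 'leak' or 'other' for one tcpdump line."""
    m = LINE_RE.search(line)
    if not m:                       # hex-dump (-X) lines, noise
        return "other"
    src, sport, dst, dport, proto = m.groups()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ports = {int(p) for p in (sport, dport) if p}
    if proto.startswith("UDP") and VPN_PORT in ports and {src, dst} <= TUNNEL_ENDPOINTS:
        return "tunnel"
    # Any end-host address seen on monitor means the inner packet was not encapsulated.
    if any(a in LAN1 or a in LAN2 for a in (src, dst)):
        return "leak"
    return "other"

def audit(capture_text):
    """Count line classes and return the plaintext lines that leaked."""
    counts = {"tunnel": 0, "leak": 0, "other": 0}
    leaks = []
    for line in capture_text.splitlines():
        kind = classify(line)
        counts[kind] += 1
        if kind == "leak":
            leaks.append(line.strip())
    return counts, leaks

# Constructed sample: two tunnel datagrams, one -X hex line, one unencrypted ping pair.
SAMPLE_CAPTURE = """\
14:02:11.100 IP 10.1.4.3.1194 > 10.1.2.3.1194: UDP, length 124
\t0x0000:  4500 0098 1a2b 4000 4011 0000 0a01 0403
14:02:11.101 IP 10.1.2.3.1194 > 10.1.4.3.1194: UDP, length 124
14:02:12.400 IP 10.1.1.2 > 10.1.3.3: ICMP echo request, id 7, seq 1, length 64
14:02:12.401 IP 10.1.3.3 > 10.1.1.2: ICMP echo reply, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE)
    print(counts)
    for l in leaks:
        print("PLAINTEXT:", l)
```

A clean run after the routing is fixed should report zero leaks; any 'leak' line shows the step 8 situation where traffic arrives but bypasses the tunnel.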


This site is maintained by W. David Laverell of the Computer Science Department at Calvin College. For assistance or corrections, please contact him at lave@calvin.edu.