Douglas E. Comer
Computer Science Department
Purdue University
West Lafayette, IN 47907
webmaster: W. David Laverell
Hands-On Networking: Experiment 18.3 (An Emulab Approach)
Chapter 18: Experiment 18.3 - Install And Configure A VPN
This is quite an experiment, and I am not sure whether it
might be harder in an Emulab environment. My student, Eric
Knibbe, began the work, I picked it up, and was able to finish
it with the invaluable assistance of my student, Tim Brom.
We used a slightly simpler topology than Professor Comer
specifies, but the basic idea is there. Here is the ns
file:
set ns [new Simulator]
source tb_compat.tcl
set monitor [$ns node]
set server [$ns node]
set client [$ns node]
set node1 [$ns node]
set node2 [$ns node]
tb-set-node-os $monitor FC4-STD
tb-set-node-os $server FC4-STD
tb-set-node-os $client FC4-STD
tb-set-node-os $node1 FC4-STD
tb-set-node-os $node2 FC4-STD
set link1 [$ns duplex-link $monitor $server 100Mb 0ms DropTail]
set link2 [$ns duplex-link $monitor $client 100Mb 0ms DropTail]
set lan2 [$ns make-lan "$client $node2 " 100Mb 0ms]
set lan1 [$ns make-lan "$node1 $server " 100Mb 0ms]
$ns rtproto Static
$ns run
This gives a simple topology like this:
At one end of the ring is node1 (10.1.1.2) connecting to
server through its interface, (10.1.1.3). Server connects
through (10.1.4.3) to monitor through (10.1.4.2). Monitor
connects through (10.1.2.2) to client through (10.1.2.3).
Client connects through (10.1.3.2) to node2 through
(10.1.3.3).
We gratefully acknowledge the help gleaned from the
Static Key Mini-HOWTO, which got us started.
Here is what you do, roughly in order:
- You need a key so type "openvpn --genkey --secret
static.key". The file "static.key" will need to be on
client and on server.
- You need to run openvpn on client and server
so download and extract the software from openvpn.net onto
users.emulab.whatever.
- You will need a client.config and a server.config file
in some convenient location (grab the ones from the
Mini-HOWTO, we did).
- Someday I'll think about how to automate some of this, but
for now you just need to begin the experiment and ssh
to client (twice), server (twice), monitor, node1, and node2.
- On client and server, change directory to the directory
where you saved the openvpn software, and
type "./configure" (we needed "--disable-lzo"), "make", and
"sudo make install".
This will install /usr/local/sbin/openvpn.
- To build the tunnel on server
type "/usr/local/sbin/openvpn server.config",
and on client type "/usr/local/sbin/openvpn client.config".
- Finally, the fun part! On monitor type "tcpdump -i eth1
-X udp port 1194" (the interface is probably eth1). Get some
traffic going from node1 to node2 (ping, or I ran David Vos's
web server on node2 and used wget on node1). You will have no
doubt that the correct traffic is getting from node2 to node1
and that it is encrypted! Wow!
- The difficult part of all this is the routing that Emulab
sets up for you, to which some changes must be made.
This is one case where having the routing configured for
you is not helpful. You are very likely to get this going
in such a way that the traffic gets where it is supposed
to go but is not encrypted on the way. Then you need to
do some thinking.
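One way to check for the failure described in the last step, as an added example that is not part of the original page: capture on monitor with "-n" and without the port filter, save the text, and feed it to the function below. The subnets and port come from the topology described above; the function names and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Reads `tcpdump -n` text taken on
# monitor and reports packets that crossed it outside the tunnel.
# Assumptions from the page's topology: node1's LAN is 10.1.1.0/24, node2's
# LAN is 10.1.3.0/24, and OpenVPN runs over UDP port 1194.
classify_capture() {
    awk '
    # Split "a.b.c.d" or "a.b.c.d.port" (tcpdump -n form) into ip and port.
    function parse(ep,    p, n) {
        sub(/:$/, "", ep)
        n = split(ep, p, ".")
        ip = p[1] "." p[2] "." p[3] "." p[4]
        port = (n >= 5) ? p[5] : ""
    }
    # True for an address on either protected LAN.
    function inner(a) { return a ~ /^10\.1\.[13]\./ }
    $2 == "IP" && $4 == ">" {
        parse($3); sip = ip; sport = port
        parse($5); dip = ip; dport = port
        if (inner(sip) && inner(dip)) {
            # Inner addresses visible on monitor: this packet bypassed the VPN.
            leaked++
            print "CLEARTEXT " sip " -> " dip
        } else if (sport == "1194" || dport == "1194") {
            tunnel++
        }
    }
    END { printf "tunnel=%d leaked=%d\n", tunnel, leaked }
    '
}

# Constructed sample capture (not real output): two tunnel packets, then a
# ping and an HTTP SYN that were routed around the tunnel.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.1.4.3.1194 > 10.1.2.3.1194: UDP, length 124
12:00:01.000950 IP 10.1.2.3.1194 > 10.1.4.3.1194: UDP, length 124
12:00:02.000001 IP 10.1.1.2 > 10.1.3.3: ICMP echo request, id 1, seq 1, length 64
12:00:03.000001 IP 10.1.1.2.40000 > 10.1.3.3.80: Flags [S], seq 1, win 5840, length 0
EOF
}

sample_capture | classify_capture
```

Any CLEARTEXT line means a node1/node2 packet crossed monitor with its inner addresses visible, so the routes on server and client still send that traffic around the tunnel. Hex dump lines produced by "-X" are ignored by the parser.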
This site is maintained by W. David Laverell
of the Computer Science Department
at Calvin College. For assistance or corrections,
please contact him at .