Ulteo Open Virtual Desktop

VPN solution


Table of Contents

Introduction
Use Case
VPN server installation
SSL keys generation
OpenVPN configuration
Check the VPN status
VPN client installation
SSL keys generation
OpenVPN configuration
Routing configuration
Set the VPN server as a router
Set the route on other network machines
Tests
Test a session

This document describes a VPN solution that gives access to several servers through the Internet from a single public IP address.

Although it is not the primary goal, the same setup also encrypts all Ulteo traffic between the client software and the Ulteo Open Virtual Desktop servers.

This documentation does not cover user authentication on top of the VPN client key. The VPN is only used to build a virtual network that reaches several machines behind a single public IP address.

[Important]Important

Linux commands prefixed with # must be run as root. Those prefixed with $ can be run by any user.

Introduction

Ulteo Open Virtual Desktop is a product that runs on several server machines. Although a demo or a small deployment can run the whole OVD on a single machine, a production site should have several Application Servers.

On a LAN, using several machines is not a problem because private IP addressing is available. On the Internet, however, obtaining several public IP addresses for a single service may be difficult or too expensive.

Use Case

A factory is installing OVD on its internal network. As a first step, employees have access to OVD when they are at work. In a second step, the factory wants to provide access to Ulteo OVD from the Internet so that employees can reach their corporate desktop remotely (from home, for instance).

...

The issue is that the factory has only one public IP address. How can several Ulteo servers be reached through a single address? The solution explained here uses a VPN.

Networks:

  • Ulteo secure net: this network contains the Session Manager, all Application Servers and the Ulteo VPN server.

  • VPN: contains the Ulteo VPN server and all VPN clients.

  • Factory network: the base network hosting all these servers.

[Note]Note

The Ulteo secure net can be the factory network. It just depends on the security policy.

Routing

The VPN server pushes a route to each client so that clients can reach the Ulteo secure network.

IP address plan:

  • Ulteo secure network: 10.0.1.0/24

  • VPN net: 10.0.2.0/24

The VPN server will deliver a route to 10.0.2.0/24 ...

VPN server installation

[Important]Important

This documentation has been tested on Debian lenny and Ubuntu Hardy. It may work on other systems too, but we have not tested it.

Install packages:

    
# apt-get install openvpn openssl zip
  

SSL keys generation

  • Create a working directory and move into it

                
    $ cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0 ~/vpn-keys
    $ cd ~/vpn-keys
              
  • Set the following environment variables in the file vars. easy-rsa 2.0 also defines KEY_SIZE=1024 there; 1024-bit RSA keys and Diffie-Hellman parameters are no longer considered adequate, so set KEY_SIZE=2048 as well before building anything. build-dh then produces dh2048.pem instead of dh1024.pem: use that file name in the copy and configuration steps below.

                
    export KEY_COUNTRY="EN"
    export KEY_PROVINCE="Your province"
    export KEY_CITY="Your city"
    export KEY_ORG="Ulteo"
    export KEY_EMAIL="some@email.address"
    export KEY_SIZE=2048
  • Source the vars file and clean the key directory (clean-all deletes everything under keys/, so run it only now, when the CA is first created)

                 
    $ . ./vars
    $ ./clean-all
              
  • Build the certificate authority

                
    $ ./build-ca
              
  • Build the server certificate and key. build-key-server issues the certificate with the nsCertType=server extension, which clients can require with ns-cert-type server so that a stolen client certificate cannot be used to impersonate the VPN server.

                 
    $ ./build-key-server ulteo-vpn
              
  • Build the Diffie-Hellman parameters (this can take several minutes)

                
    $ ./build-dh
              

OpenVPN configuration

  • Go into your key directory

                
    $ cd ~/vpn-keys
              
  • Copy the needed files to the OpenVPN directory (dh2048.pem instead of dh1024.pem if you raised KEY_SIZE). Do not copy ca.key: the CA private key stays in ~/vpn-keys/keys, is not needed by OpenVPN itself and must never leave this machine.

                
    # cp ./keys/ca.crt              /etc/openvpn/
    # cp ./keys/ulteo-vpn.crt       /etc/openvpn/
    # cp ./keys/ulteo-vpn.key       /etc/openvpn/
    # cp ./keys/dh1024.pem          /etc/openvpn/
    # chmod 600 /etc/openvpn/ulteo-vpn.key
              
  • Edit the /etc/openvpn/openvpn.conf file and paste the following text into it:

                
    port 1194 ## You can use 443 if you 
              ## want to bypass some proxy/firewall
    proto tcp ## TCP gets through proxies but carries TCP inside TCP;
              ## prefer "proto udp" when the firewall allows it
    dev tun
    
    ca ca.crt
    cert ulteo-vpn.crt
    key ulteo-vpn.key
    dh dh1024.pem ## dh2048.pem if you built the parameters with KEY_SIZE=2048
    
    server 10.0.2.0 255.255.255.0
    
    push "route 10.0.1.0 255.255.255.0"
      # used to provide the route to the
      # Ulteo secure network
    
    keepalive 10 120
    persist-key
    persist-tun
    # drop root privileges once the tunnel is up; persist-key and
    # persist-tun above let the daemon restart the tunnel afterwards
    user nobody
    group nogroup
    status openvpn-status.log
  • Restart OpenVPN

                
    # /etc/init.d/openvpn restart
              

Check the VPN status

  • Look at the tun0 network interface:

                
    # ifconfig tun0
              

    You should get something like:

                
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.0.2.1  P-t-P:10.0.2.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              
    [Important]Important

    If you don't have a tun0 network interface, your VPN server is not working.

VPN client installation

SSL keys generation

[Important]Important

These operations have to be performed on the Ulteo VPN server that you used to build the server keys.

  • Go to your key generation directory:

              
    $ cd ~/vpn-keys
            
  • Source the vars file again (do not run clean-all this time: it would delete the CA and the server keys)

                 
    $ . ./vars
              
  • Build the client certificate and key. Issue one certificate per user, with a distinct name for each (for example ./build-key alice): OpenVPN does not let two clients with the same certificate Common Name connect at the same time unless duplicate-cn is set, and a per-user certificate can be revoked without cutting off everybody else.

                
    $ ./build-key client
              
  • Create a ZIP file for the client. The archive contains the user's private key: hand it over through a secure channel (scp, or in person), never by e-mail, and delete it from the server afterwards.

                
    $ cd keys
    $ zip client.zip ca.crt client.key client.crt
              

OpenVPN configuration

[Important]Important

These operations have to be done on the client machine you want to connect from.

On Windows

  • Get the OpenVPN Windows™ installer from http://www.openvpn.net/

  • Install OpenVPN with the default options

  • Create a directory on your Desktop, copy the ZIP file from the server into it and extract it there

  • Create a new text file called client.ovpn and paste the following text inside:

    [Important]Important

    Replace vpn.ip.address with the public IP address (or DNS name) of the VPN server you configured above.

                
    client
    dev tun
    proto tcp
    
    remote vpn.ip.address 1194
    
    resolv-retry infinite
    nobind
    
    persist-key
    persist-tun
    
    ca ca.crt
    cert client.crt
    key client.key
    
    # accept only a server certificate built with build-key-server;
    # a stolen client certificate cannot then impersonate the server
    # (deprecated in OpenVPN 2.4 in favour of remote-cert-tls server, which
    # needs a server certificate carrying the serverAuth extended key usage)
    ns-cert-type server
  • Then right-click on the client.ovpn file and select

    A window like the following should appear:

    [Note]Note

    The highlighted part shows that the connection succeeded.

Check the VPN connection
  • Open a Windows command prompt and ping the VPN server's tunnel address, 10.0.2.1 (ping 10.0.2.1)

On Linux

  • Install OpenVPN and unzip.

    If you are using a Debian based system:

                
    # apt-get install openvpn unzip
              
  • Get the ZIP file from the server and copy it to /etc/openvpn/

  • Extract the zip file to /etc/openvpn/

                
    # cd /etc/openvpn/
    # unzip client.zip
    # chmod 600 client.key
              
  • Edit the /etc/openvpn/openvpn.conf file and paste the following text into it:

    [Important]Important

    Replace vpn.ip.address with the public IP address (or DNS name) of the VPN server you configured above.

                
    client
    dev tun
    proto tcp
    
    remote vpn.ip.address 1194
    
    resolv-retry infinite
    nobind
    
    persist-key
    persist-tun
    
    ca ca.crt
    cert client.crt
    key client.key
    
    # accept only a server certificate built with build-key-server;
    # a stolen client certificate cannot then impersonate the server
    # (deprecated in OpenVPN 2.4 in favour of remote-cert-tls server, which
    # needs a server certificate carrying the serverAuth extended key usage)
    ns-cert-type server
              
  • Restart OpenVPN

                
    # /etc/init.d/openvpn restart
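
The client configuration is the same on Windows and Linux, and the user currently receives a ZIP archive with loose ca.crt, client.crt and client.key files plus a hand-typed configuration. As an added example (not part of the Ulteo documentation or of the OpenVPN project), the script below, run on the VPN server after ./build-key <user>, instead writes a single <user>.ovpn file with the certificates and key inline, refuses the shared name client, and adds ns-cert-type server. The function name and argument order are its own, and it assumes OpenVPN 2.1 or newer on the client side, which is needed for the inline <ca>, <cert> and <key> blocks.

```shell
#!/bin/sh
# Added example, not from the Ulteo documentation: build one self-contained
# OpenVPN client file per user, on the VPN server, after "./build-key <user>".
# Assumptions (not from the original page): OpenVPN 2.1 or newer on the
# client (inline <ca>/<cert>/<key> blocks); the function name and arguments.
set -e

# make_client_bundle KEYDIR USER VPN_ADDRESS OUTFILE
#   KEYDIR      easy-rsa's keys/ directory (~/vpn-keys/keys on this page)
#   USER        the name given to ./build-key (the certificate Common Name)
#   VPN_ADDRESS public address of the VPN server (the "remote" line)
#   OUTFILE     the .ovpn file to write; its path is printed on success
make_client_bundle() {
    keydir=$1; user=$2; vpn_addr=$3; out=$4

    # One certificate per user: the generic name "client" (and an empty name)
    # is refused, since two users sharing a Common Name cannot connect at the
    # same time and one certificate cannot be revoked without cutting everybody off.
    case "$user" in
        client|"") echo "make_client_bundle: use a per-user name, not '$user'" >&2; return 1 ;;
    esac
    for f in "$keydir/ca.crt" "$keydir/$user.crt" "$keydir/$user.key"; do
        [ -r "$f" ] || { echo "make_client_bundle: missing $f (run ./build-key $user)" >&2; return 1; }
    done

    # The file carries a private key: create it readable by its owner only.
    umask 077
    {
        echo "client"
        echo "dev tun"
        echo "proto tcp"
        echo "remote $vpn_addr 1194"
        echo "resolv-retry infinite"
        echo "nobind"
        echo "persist-key"
        echo "persist-tun"
        # Accept only a server certificate built with build-key-server
        # (nsCertType=server): a stolen client certificate, although signed by
        # the same CA, is then rejected when a fake server presents it.
        # (OpenVPN 2.4+ deprecates this in favour of "remote-cert-tls server".)
        echo "ns-cert-type server"
        echo "<ca>";   cat "$keydir/ca.crt";    echo "</ca>"
        echo "<cert>"; cat "$keydir/$user.crt"; echo "</cert>"
        echo "<key>";  cat "$keydir/$user.key"; echo "</key>"
    } > "$out"
    echo "$out"
}

# Example, as the user who owns ~/vpn-keys on the VPN server:
#   make_client_bundle ~/vpn-keys/keys alice vpn.ip.address alice.ovpn
```

Hand alice.ovpn to the user over a secure channel (scp, or in person, not e-mail) and delete the local copy. The file is used as client.ovpn on Windows or as /etc/openvpn/openvpn.conf on Linux, with no separate certificate files to install.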
              
Check the VPN connection
  • Look at the tun0 network interface

                  
    # ifconfig tun0
                

    You should get something like:

                  
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.0.2.6  P-t-P:10.0.2.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
                
    [Important]Important

    If you don't have a tun0 network interface your VPN client is not working.

  • Ping the VPN server with the local IP address

                  
    $ ping 10.0.2.1
    PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
    64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.711 ms
    64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.668 ms
    ...
    
                

Routing configuration

Set the VPN server as a router

[Important]Important

Those operations have to be done on the VPN server.

  • Enable IP forwarding as default at system boot

    Open /etc/sysctl.conf and uncomment the following line:

                
    net.ipv4.ip_forward=1
              
  • Enable IP forwarding on the running system, without rebooting (sysctl -p would also apply the file edited above)

                
    # echo 1 > /proc/sys/net/ipv4/ip_forward
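
With ip_forward on, the VPN server is a router between the Internet-facing VPN and the Ulteo secure network, and it forwards every packet a VPN client sends, to any host and any port on 10.0.1.0/24. A practitioner would pair it with a forwarding policy. The script below is an added example, not part of the Ulteo documentation: it builds an iptables chain that only lets VPN clients open TCP connections to the Ulteo servers on the OVD ports (and ping them, which the Tests section relies on) and drops everything else forwarded through tun0. The interface names tun0 and eth0, the chain name ovd-vpn and the port list are assumptions to adjust to your installation.

```shell
#!/bin/sh
# Added example, not from the Ulteo documentation: once ip_forward is on,
# the VPN server forwards anything a VPN client sends into 10.0.1.0/24.
# These netfilter rules restrict forwarding from the tunnel to the Ulteo
# servers and to the OVD ports only.
# Assumptions (not from the original page): the tunnel interface is tun0, the
# LAN interface is eth0, and OVD_PORTS lists the TCP ports your Session
# Manager and Application Servers listen on (adjust it to your installation).
set -e

IPT=${IPT:-iptables}             # set IPT=echo to print the rules instead
VPN_NET=10.0.2.0/24              # "server 10.0.2.0 255.255.255.0" above
ULTEO_NET=10.0.1.0/24            # the Ulteo secure network
OVD_PORTS=${OVD_PORTS:-"80 443"} # assumed; check your OVD configuration

# apply_vpn_forward_rules: (re)build a dedicated chain and hook it into FORWARD
# for every packet entering or leaving tun0.
apply_vpn_forward_rules() {
    # Create the chain, or empty it if it already exists, so the script can
    # be run again without duplicating rules or touching other chains.
    $IPT -N ovd-vpn 2>/dev/null || $IPT -F ovd-vpn
    # Replies belonging to connections that were allowed below.
    $IPT -A ovd-vpn -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Keep ping working from VPN clients to the Ulteo servers (the "Tests"
    # section of this page relies on it).
    $IPT -A ovd-vpn -i tun0 -o eth0 -s $VPN_NET -d $ULTEO_NET \
        -p icmp --icmp-type echo-request -j ACCEPT
    # New connections from VPN clients, to the Ulteo servers, on OVD ports only.
    for port in $OVD_PORTS; do
        $IPT -A ovd-vpn -i tun0 -o eth0 -s $VPN_NET -d $ULTEO_NET \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everything else (other ports, other destinations, connections initiated
    # from the LAN towards VPN clients, VPN client to VPN client) is dropped.
    $IPT -A ovd-vpn -j DROP
    # Hook the chain at the top of FORWARD; remove stale hooks first so a
    # second run does not stack duplicates.
    $IPT -D FORWARD -i tun0 -j ovd-vpn 2>/dev/null || true
    $IPT -D FORWARD -o tun0 -j ovd-vpn 2>/dev/null || true
    $IPT -I FORWARD 1 -i tun0 -j ovd-vpn
    $IPT -I FORWARD 2 -o tun0 -j ovd-vpn
}

# Usage on the VPN server, as root:   sh ovd-vpn-fw.sh apply
# Dry run (prints the rules only):     IPT=echo sh ovd-vpn-fw.sh apply
case "${1-}" in
    apply) apply_vpn_forward_rules ;;
esac
```

Run the dry run first and read the rules, then apply them and re-run the Tests section: the ping and the browser session must still work, while anything else from a VPN client (ssh to an Application Server, for instance) must now fail.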
              

Set the route on other network machines

All other servers on the network (Session Manager, ApS, ...) must have a route to 10.0.2.0/24 through the VPN server; otherwise their replies to VPN clients go to the default gateway and the connection fails.

Either the DHCP server can provide the route, or you can define it by hand (10.0.1.100 is the address of the VPN server on the Ulteo secure network in this example). A route added this way is lost at reboot, so make it permanent in the network configuration, e.g. /etc/network/interfaces on Debian:

      
# route add -net 10.0.2.0/24 gw 10.0.1.100
    

Tests

On the client machine, ping the Session Manager (10.0.1.20 in this example):

      
$ ping 10.0.1.20
PING 10.0.1.20 (10.0.1.20) 56(84) bytes of data.
64 bytes from 10.0.1.20: icmp_seq=1 ttl=64 time=0.711 ms
64 bytes from 10.0.1.20: icmp_seq=2 ttl=64 time=0.668 ms
...
     

Test a session

Open a browser on the Session Manager's internal address, 10.0.1.20, and start a session.