OpenVPN: How to safely access a database behind a firewall

0

OpenVPN is an open source VPN implementation which can be found on http://www.openvpn.net

With OpenVPN, you can:

  • tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
  • configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients (OpenVPN 2.0 examples),
  • use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
  • use any cipher, key size, or HMAC digest (for datagram authentication) supported by the OpenSSL library,
  • choose between static-key based conventional encryption or certificate-based public key encryption,
  • use static, pre-shared keys or TLS-based dynamic key exchange,
  • use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
  • tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
  • tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
  • tunnel networks over NAT, and
  • create secure ethernet bridges using virtual tap devices.

OpenVPN is available for serveral operating systems. I have installed the VPN server on a Linux (Fedora Core 3) server. The client is Windows XP based. Use version 2 which is out as release candidate. This is because SP2 of Windows XP has broken version 1.6.0. (no raw access to sockets is allowed anymore).

Installation using the sample configuration files is traightforward. The main steps are:

  1. Build an RPM (since we are using RedHat): rpmbuild -tb [tarbal]
  2. Install the rpm: rpm -ivh [binary-rpm]. This will add a deamon service to the system. The configuration files are based in /etc/openvpn
  3. Generate the SSL shared keys
  4. Edit the sample server config file in /etc/openvpn
  5. Install the windows32 software. This installs a windows service which can be used to create a VPN connection
  6. Edit the client configuration file. Copy the appropriate keys an certificates to the client
  7. Optionally install a client shell so that the VPN connection can be created by just clicking on an item that’s in your system tray

All these steps are very well documented on the OpenVPN website.

The VPN is based on UDP port 1194. This port should be open in your firewall. I use a separate linux machine as firewall. The 1194 port is forwarded to my VPN/Database server. This is done with the following line in my firewall script:

iptables -t nat -A PREROUTING -p udp -i $EXTIF –dport 1194 -j NAT –to $DMZIP:1194
Where $EXTIF is the ip address of my external (internet) network card. $DMZIP of the address of my VPN/Database server (placed in a DMZ setup).

The nice thing is that this server is always available on my laptop. My laptop holds a host file where the address of my server is resolved with the internal address of my server:
192.168.1.200 www.myserver.nl

This way I can access the server at home (from my intranet) by using www.myserver.nl

This doesn’t work outside my intranet. OpenVPN solves this. The server config file of OpenVPN holds an entry:
push “route 192.168.1.200 255.255.255.255″
This add a new route to my laptop as soon as the VPN is created. The 192.168.1.200 is routed through the OpenVPN tunnel to my server. So I can use www.myserver.nl anywhere I want; it’s always secure. At home it’s behing my firewall (where these addresses are filtered out). Outside my intranet I can still access the server by using OpenVPN.
The following iptables entries in my firewall make sure that my intranet range is protected from outside:
IPABLES=/sbin/iptables
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 192.168.1.0/16 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i $EXTIF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXTIF -s 192.168.1.0/16 -j DROP
$IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -j DROP

Now we can safely access the database that is on the VPN/Linux server. We can use the name www.myserver.nl as the database host in the tnsnames.ora file. This host will always resolve and route to the correct server regardless where my laptop is connected to the internet.

Share.

About Author

Comments are closed.