Now it's time to configure your IPcop firewall with the proper VPN settings so it will work with Microsoft-based computers. Open your browser and log into your IPcop firewall. Hover your mouse over VPN on the menu, then click OpenVPN. This is the page for configuring your VPN.

Important step: Don't skip this. Click on the Advanced Server Options button, then Save Advanced Options without making any changes to the options.

Now back on the VPN Configuration page, you need to set the following parameters as shown below:

[Screenshot: How to set up IPc vpn]

For the Local VPN Hostname/IP parameter, I use Dynamic Dns for my static IP. This is where you put either your static IP, or your DynDns address. It's nice, because it's free!

Next you need to set your OpenVPN subnet. This is the range of IP addresses that will be handed out to remote computers that log in via the VPN. This range must be a private IP address range, but outside IPcop's green IP address range. For example, if your IPcop firewall was set up with a green network of 10.26.0.0 with a subnet mask of 255.255.255.0, then the green range is 10.26.0.1 to 10.26.0.254, so we select a range outside it. I will choose 10.26.2.0 with a subnet mask of 255.255.255.0, so in the field labeled OpenVPN subnet I enter: 10.26.2.0/255.255.255.0.

Here is a screenshot:

[Screenshot: IPcop VPN settings]

Now the above IP info is for one of my networks. I just used this as an example. You need to figure out what you need for your network based on your IP address scheme.

Once you have all of your data properly entered per the screenshots above, click on the Save button.

Since this is a fresh install of OpenVPN, we haven't generated any certificates. In order for your VPN to accept connections, we need a root/host certificate for the IPcop firewall, and a host certificate for each client that will be logging into the VPN.

So the first thing to do is to generate IPcop's Root and Host certificates. To do this, just click on the Generate Root/Host Certificates button. This can take a long time, so just be patient and wait until it's finished.

After this is all set up, click the Save button. This should start the VPN, which is indicated by the Current OpenVPN Server Status changing to a green background and saying Running.

Next we need to make certificates for each computer that will be logging in via the VPN. To do this, on the main OpenVPN page near the bottom, in the Client status and control section, click on the Add button. This will take you to another screen. Your only choice is Host-to-Net Virtual Private Network (RoadWarrior), so just click the Add button. You will see the following screen:

[Screenshot: IPcop VPN Windows]

Enter the pertinent information for the particular user. When finished, click the Save button. You will need to do this for each computer that will be logging in via the VPN. Important: Be sure to enter a PKCS12 password, and remember it. You will need this password to log into the VPN.

In order for Windows computers to properly access the servers through the VPN, you have to manually add an iptables command to the /etc/rc.d/rc.firewall.local startup file. Here is a portion of my file. The comment in the line above the iptables command shows what you need to do. Remember, the IP address range only applies to my IP address range. You will need to adjust the IP address settings to match what you defined as your OpenVPN subnet.

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
    ## add your 'start' rules here
    #Added for zerina start - BEGIN
    /usr/local/bin/openvpnctrl --create-chains-and-rules
    #Added for zerina start - END
    #
    # Line below is added to allow Windows PC's access thru the VPN
    iptables -t nat -A CUSTOMPOSTROUTING -s 10.26.2.0/24 -o eth0 -j MASQUERADE

One more thing: the line above refers to eth0. On my VPN, this is IPcop's green network. If your green network is something other than eth0, change this to match the network card for your green interface.

After you have added the iptables line, save the file, and reboot your IPcop firewall.
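
A consistency check for the two places the VPN range appears, the OpenVPN subnet field and the MASQUERADE rule, as an added example that is not part of the original tutorial. It is meant to run on an admin workstation with Python 3.7 or later; the function names and the reading of "private" as RFC 1918 are assumptions, and the sample values are the ones used on this page.

```python
import ipaddress
import re

# RFC 1918 private address blocks (assumed meaning of "private" here).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def masquerade_sources(rc_text):
    """Return the -s networks of active (uncommented) MASQUERADE rules."""
    sources = []
    for line in rc_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "MASQUERADE" not in line:
            continue
        match = re.search(r"\s-s\s+(\S+)", line)
        if match:
            sources.append(ipaddress.ip_network(match.group(1)))
    return sources

def audit(vpn_field, green_field, rc_text):
    """Check the OpenVPN subnet field against the green network and NAT rule.

    Both fields use the network/netmask form entered in the web interface.
    Returns (cidr, problems); an empty problems list means consistent.
    """
    vpn = ipaddress.ip_network(vpn_field)    # ValueError if host bits are set
    green = ipaddress.ip_network(green_field)
    problems = []
    if not any(vpn.subnet_of(block) for block in RFC1918):
        problems.append("OpenVPN subnet is not a private (RFC 1918) range")
    if vpn.overlaps(green):
        problems.append("OpenVPN subnet overlaps the green network")
    if vpn not in masquerade_sources(rc_text):
        problems.append("no MASQUERADE rule with -s %s" % vpn)
    return str(vpn), problems

# Constructed sample: the rule line shown on this page.
SAMPLE_RC = """\
    # Line below is added to allow Windows PC's access thru the VPN
    iptables -t nat -A CUSTOMPOSTROUTING -s 10.26.2.0/24 -o eth0 -j MASQUERADE
"""

if __name__ == "__main__":
    cidr, problems = audit("10.26.2.0/255.255.255.0",
                           "10.26.0.0/255.255.255.0", SAMPLE_RC)
    print(cidr, problems or "OK")
```

With a wider green netmask such as 255.255.0.0, the same 10.26.2.0 choice is reported as overlapping, which is the case the "outside the green range" rule is meant to prevent.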

This completes configuring your IPcop firewall for VPN. The next thing is to configure the Windows XP computer to connect to the VPN.