Multi-Tenant Road Warrior VPN Howto

From VyOS Wiki
Revision as of 12:54, 8 July 2017 by Max1e6 (talk | contribs)

Executive Summary

This HowTo describes the process of building a multi-tenant VPN using VyOS. The concepts covered are OpenVPN, VLANs and the OpenVPN GUI client for Windows.

Business Issue/Problem Overview

QCN Cleaning Corp. is based in New York City. They operate multiple businesses out of their office, QNT Cleaning and DNT Security, and rent spare offices to two other independent companies. For legal purposes the operations of QNT Cleaning and DNT Security must be kept separate. The CEO wants key employees of both companies to be able to access local network resources remotely for productivity and business continuity purposes.

Recommended Solution

  1. Configure a VyOS router to provide OpenVPN road warrior access to all entities. VyOS OpenVPN is compatible with Windows, Mac and Linux endpoints.

Benefits

  • Affordable
    • VyOS OpenVPN server can be run on commodity hardware or even a modest virtual machine.
    • VyOS is available for free and is open source.
    • OpenVPN client software is available for Windows, OSX and Linux and is free and open source.
  • Easy to use
    • Minimal training required for end users

Multi-Tenant Road Warrior VPN Setup and Configuration

This HowTo assumes that you have already installed VyOS on hardware or in a virtual machine and have configured your network switches to implement VLANs.

Network Environment

Company         Network         VLAN
QCN Cleaning    10.88.1.0/24    88
DNT Security    10.89.1.0/24    89
Tenants         10.40.1.0/24    40

Initial Configuration

OpenVPN Configuration

Endpoint A (tunnel address 172.17.101.1, peer 24.97.212.10):

set interfaces openvpn vtun1
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11944
set interfaces openvpn vtun1 remote-port 11944
set interfaces openvpn vtun1 local-address 172.17.101.1
set interfaces openvpn vtun1 remote-address 172.17.101.2
set interfaces openvpn vtun1 remote-host 24.97.212.10
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun1 openvpn-option "--comp-lzo"
set interfaces openvpn vtun1 openvpn-option "--float"
set interfaces openvpn vtun1 openvpn-option "--ping 10"
set interfaces openvpn vtun1 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun1 openvpn-option "--ping-timer-rem"
set interfaces openvpn vtun1 openvpn-option "--persist-tun"
set interfaces openvpn vtun1 openvpn-option "--persist-key"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
set protocols static interface-route 10.200.101.0/24 next-hop-interface vtun1

Endpoint B (tunnel address 172.17.101.2, peer wmcfw001.williammax.com):

set interfaces openvpn vtun1
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11944
set interfaces openvpn vtun1 remote-port 11944
set interfaces openvpn vtun1 local-address 172.17.101.2
set interfaces openvpn vtun1 remote-address 172.17.101.1
set interfaces openvpn vtun1 remote-host wmcfw001.williammax.com
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun1 openvpn-option "--comp-lzo"
set interfaces openvpn vtun1 openvpn-option "--float"
set interfaces openvpn vtun1 openvpn-option "--ping 10"
set interfaces openvpn vtun1 openvpn-option "--ping-restart 20"
set interfaces openvpn vtun1 openvpn-option "--ping-timer-rem"
set interfaces openvpn vtun1 openvpn-option "--persist-tun"
set interfaces openvpn vtun1 openvpn-option "--persist-key"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
set protocols static interface-route 10.100.104.0/24 next-hop-interface vtun1
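The two blocks above are the two ends of one site-to-site tunnel, and the usual mistake when typing them on separate routers is that the local/remote addresses or ports stop mirroring each other. As an added check (not part of the original HowTo), the following Python parser reads VyOS "set interfaces openvpn" lines and reports any pairing mismatch; the sample configs are constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample input: the two endpoint configs from this page, reduced
# to the leaves the check inspects (key file path and options kept as-is).
SIDE_A = """\
set interfaces openvpn vtun1
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11944
set interfaces openvpn vtun1 remote-port 11944
set interfaces openvpn vtun1 local-address 172.17.101.1
set interfaces openvpn vtun1 remote-address 172.17.101.2
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun1 openvpn-option "--ping 10"
"""
SIDE_B = """\
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11944
set interfaces openvpn vtun1 remote-port 11944
set interfaces openvpn vtun1 local-address 172.17.101.2
set interfaces openvpn vtun1 remote-address 172.17.101.1
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun1 openvpn-option "--ping 10"
"""
SET_RE = re.compile(r'^set interfaces openvpn (\S+)(?: (\S+)(?: (.+))?)?$')

def parse_openvpn(text):
    """Map each vtun interface to {leaf: [values]}; repeated leaves accumulate."""
    ifaces = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue
        iface, leaf, value = m.groups()
        node = ifaces[iface]  # a bare 'set interfaces openvpn vtunX' creates the node
        if leaf:
            node[leaf].append((value or "").strip('"'))
    return ifaces

def check_pair(a, b):
    """Return mismatches between the two ends of a site-to-site tunnel."""
    one = lambda side, leaf: side.get(leaf, [None])[0]
    problems = [f"{n}: mode must be site-to-site" for n, s in (("A", a), ("B", b))
                if one(s, "mode") != "site-to-site"]
    # Each end's local-* must equal the other end's remote-*, in both directions.
    for local, remote in (("local-address", "remote-address"), ("local-port", "remote-port")):
        for (x, xn), (y, yn) in (((a, "A"), (b, "B")), ((b, "B"), (a, "A"))):
            if one(x, local) != one(y, remote):
                problems.append(f"{xn} {local}={one(x, local)} but {yn} {remote}={one(y, remote)}")
    return problems
```

An empty list from check_pair means the two ends agree; run it against "show configuration commands | match openvpn" output from each router before committing.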

Creating an OpenVPN "Road Warrior" Key

  1. Log in to the firewall
  2. sudo su -
  3. cd /config/auth/wmc
  4. source ./vars
  5. ./build-key-pkcs12 <ConnectionName>
  6. cp keys/<ConnectionName>.p12 ~vyos/
  7. cd ~vyos
  8. chown vyos:users <ConnectionName>.p12
  9. Copy the .p12 file to the OpenVPN config directory

How to create a Certificate Authority on a VyOS router

sudo su -
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /config/auth/wmc