Multi-Tenant Road Warrior VPN Howto

From VyOS Wiki

Executive Summary

This HowTo describes the process of building a multi-tenant VPN using VyOS. The concepts covered are OpenVPN, VLANs, zone-based policies and the OpenVPN GUI client for Windows.

Benefits

  • Affordable
    • VyOS OpenVPN server can be run on commodity hardware or even a modest virtual machine.
    • VyOS is available for free and is open source.
    • OpenVPN client software is available for Windows, OS X and Linux and is free and open source.
  • Easy to use
    • Minimal training required for end users

Multi-Tenant Road Warrior VPN Setup and Configuration

Business Issue/Problem Overview

QCN Cleaning Corp. is based in New York City. They operate multiple businesses out of their office: QCN Cleaning and DNT Security, and they rent spare offices to two other independent companies. For legal purposes the operations of QCN Cleaning and DNT Security must be kept separate. The CEO wants key employees of both companies to be able to access local network resources remotely for productivity and business continuity purposes. This HowTo assumes that you have already installed VyOS on hardware or in a virtual machine and have configured your network switches to implement VLANs.

Network Environment Overview

Company              Network        VLAN
Management Network   10.77.1.0/24   77
QCN Cleaning         10.88.1.0/24   88
DNT Security         10.89.1.0/24   89
Tenants              10.40.1.0/24   40

For this example we will be setting up three VPNs:

  1. Management VPN - Allows remote access to network resources on the Management, QCN, DNT and Tenant subnets.
  2. QCN VPN - Allows remote access to network resources on the QCN network only.
  3. DNT VPN - Allows remote access to network resources on the DNT network only.

Each VPN will require its own network:

VPN Networks
Company              Network          VLAN
Management Network   172.16.10.0/24   1610
QCN Cleaning         172.16.88.0/24   1688
DNT Security         172.16.89.0/24   1689
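The access rules above can be turned into configuration mechanically: every tenant gets its own OpenVPN server instance, its own tunnel subnet, its own CA, and an inbound firewall ruleset on the tunnel interface that only accepts traffic to the LAN subnets that tenant may reach. The shell functions below are an added example, not part of this wiki page or of VyOS itself; they print VyOS 1.1-style set commands for review. The subnets and the three access rules come from the tables above, while the vtun numbers (10, 88, 89), the UDP ports (1194 to 1196) and the certificate file names under each tenant's easy-rsa keys directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the VyOS wiki page, not VyOS project code): emit the
# VyOS configuration commands for one tenant's OpenVPN "road warrior" server
# instance plus an inbound ruleset that limits the tunnel to the LAN subnets
# that tenant is allowed to reach. vtun numbers, ports and certificate file
# names are assumptions; the subnets come from the HowTo's tables.

# tenant_vpn_config TENANT VTUN_ID UDP_PORT VPN_SUBNET "LAN_SUBNET ..."
# TENANT is the lower-case directory name under /config/auth (e.g. management).
tenant_vpn_config() {
    name=$1; vtun=$2; port=$3; vpn_subnet=$4; allowed=$5
    ca_dir="/config/auth/$name/keys"                      # per-tenant easy-rsa keys/
    fw="VPN-$(echo "$name" | tr 'a-z' 'A-Z')-IN"          # e.g. VPN-QCN-IN

    echo "set interfaces openvpn vtun$vtun description '$name road warrior VPN'"
    echo "set interfaces openvpn vtun$vtun mode server"
    echo "set interfaces openvpn vtun$vtun protocol udp"
    echo "set interfaces openvpn vtun$vtun local-port $port"
    echo "set interfaces openvpn vtun$vtun server subnet $vpn_subnet"
    # Each instance trusts only its own tenant CA, so a certificate issued by
    # the QCN CA cannot authenticate to the Management or DNT instance.
    echo "set interfaces openvpn vtun$vtun tls ca-cert-file $ca_dir/ca.crt"
    echo "set interfaces openvpn vtun$vtun tls cert-file $ca_dir/server.crt"
    echo "set interfaces openvpn vtun$vtun tls key-file $ca_dir/server.key"
    echo "set interfaces openvpn vtun$vtun tls dh-file $ca_dir/dh1024.pem"

    # Push a route for every allowed LAN subnet and accept traffic from the
    # tunnel only when it is destined for one of those subnets; drop the rest.
    echo "set firewall name $fw default-action drop"
    rule=10
    for subnet in $allowed; do
        echo "set interfaces openvpn vtun$vtun server push-route $subnet"
        echo "set firewall name $fw rule $rule action accept"
        echo "set firewall name $fw rule $rule destination address $subnet"
        rule=$((rule + 10))
    done
    echo "set interfaces openvpn vtun$vtun firewall in name $fw"
}

# The three VPNs of this HowTo (vtun numbers and ports are assumptions).
all_tenant_config() {
    tenant_vpn_config management 10 1194 172.16.10.0/24 \
        "10.77.1.0/24 10.88.1.0/24 10.89.1.0/24 10.40.1.0/24"
    tenant_vpn_config qcn 88 1195 172.16.88.0/24 "10.88.1.0/24"
    tenant_vpn_config dnt 89 1196 172.16.89.0/24 "10.89.1.0/24"
}

# Number of LAN subnets a tenant's ruleset accepts; handy as a sanity check
# before committing (QCN and DNT must report exactly 1).
accept_rule_count() {
    tenant_vpn_config "$@" | grep -c "destination address"
}
```

Run `all_tenant_config` to review the output, then paste the commands into configure mode and commit. The firewall ruleset is attached in the `in` direction on the tunnel interface, so it filters what clients send into the router; return traffic from the LAN enters on the VLAN interfaces and is not affected by it.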

Initial Configuration

The first step is to install easy-rsa. Unlike a single-tenant VPN, a multi-tenant OpenVPN solution requires multiple certificate authorities, one for each tenant. It is recommended to create a directory /config/auth; this ensures your easy-rsa installations are preserved during VyOS upgrades and helps keep the multiple certificate authorities organized.

su -
cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/auth/management/
nano /config/auth/management/vars

Adjust the parameters of vars to be appropriate for your site/installation.

OpenVPN Configuration

set interfaces openvpn vtun1
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11944
set interfaces openvpn vtun1 remote-port 11944
set interfaces openvpn vtun1 local-address 172.17.101.1
set interfaces openvpn vtun1 remote-address 172.17.101.2
set interfaces openvpn vtun1 remote-host 24.97.212.10
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun1 openvpn-option "--comp-lzo" 
set interfaces openvpn vtun1 openvpn-option "--float" 
set interfaces openvpn vtun1 openvpn-option "--ping 10" 
set interfaces openvpn vtun1 openvpn-option "--ping-restart 20" 
set interfaces openvpn vtun1 openvpn-option "--ping-timer-rem" 
set interfaces openvpn vtun1 openvpn-option "--persist-tun" 
set interfaces openvpn vtun1 openvpn-option "--persist-key" 
set interfaces openvpn vtun1 openvpn-option "--user nobody" 
set interfaces openvpn vtun1 openvpn-option "--group nogroup" 
set protocols static interface-route 10.200.101.0/24 next-hop-interface vtun1

set interfaces openvpn vtun1
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 local-port 11944
set interfaces openvpn vtun1 remote-port 11944
set interfaces openvpn vtun1 local-address 172.17.101.2
set interfaces openvpn vtun1 remote-address 172.17.101.1
set interfaces openvpn vtun1 remote-host wmcfw001.williammax.com
set interfaces openvpn vtun1 shared-secret-key-file /config/auth/secret
set interfaces openvpn vtun1 openvpn-option "--comp-lzo" 
set interfaces openvpn vtun1 openvpn-option "--float" 
set interfaces openvpn vtun1 openvpn-option "--ping 10" 
set interfaces openvpn vtun1 openvpn-option "--ping-restart 20" 
set interfaces openvpn vtun1 openvpn-option "--ping-timer-rem" 
set interfaces openvpn vtun1 openvpn-option "--persist-tun" 
set interfaces openvpn vtun1 openvpn-option "--persist-key" 
set interfaces openvpn vtun1 openvpn-option "--user nobody" 
set interfaces openvpn vtun1 openvpn-option "--group nogroup" 
set protocols static interface-route 10.100.104.0/24 next-hop-interface vtun1

Creating an OpenVPN "Road Warrior" Key

  1. Log in to the firewall
  2. sudo su -
  3. cd /config/auth/wmc
  4. source ./vars
  5. ./build-key-pkcs12 <ConnectionName>
  6. cp keys/<ConnectionName>.p12 ~vyos/
  7. cd ~vyos
  8. chown vyos:users <ConnectionName>.p12
  9. Copy the .p12 file to the OpenVPN client's config directory

How to create a Certificate Authority on a VyOS router

sudo su -
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /config/auth/wmc
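The CA creation steps above and the "Road Warrior" key steps before them are the same easy-rsa 2.0 procedure repeated once per tenant. The script below is an added example, not this wiki's own script and not part of easy-rsa or VyOS; it wraps those steps in functions so that every tenant gets its own tree under /config/auth, tenant and connection names are validated before they are used in file paths (a name containing "../" or shell metacharacters is refused), a key is never silently reissued over an existing one, and the staged .p12 is readable only by the vyos user. The paths, the vyos user and the users group come from the page; the function names and the 64-character name limit are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own script: the easy-rsa 2.0 steps from this
# HowTo wrapped in functions that keep one CA per tenant under /config/auth
# and issue a PKCS#12 "road warrior" bundle. Names are validated before they
# are used in file paths, and the bundle is handed to the vyos user with
# 0600 permissions. Paths, user and group follow the page; the rest is assumed.

AUTH_ROOT=${AUTH_ROOT:-/config/auth}
EASYRSA_SRC=${EASYRSA_SRC:-/usr/share/doc/openvpn/examples/easy-rsa/2.0}

# Tenant and connection names end up in paths and certificate CNs, so accept
# only 1-64 characters from [A-Za-z0-9_-]; "../", spaces and shell
# metacharacters are rejected. Returns 0 for a usable name, 1 otherwise.
valid_connection_name() {
    case $1 in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Where easy-rsa writes the PKCS#12 bundle for a connection of a tenant.
pkcs12_path() {
    echo "$AUTH_ROOT/$1/keys/$2.p12"
}

# Step 1: copy the easy-rsa tree for a new tenant. Edit $AUTH_ROOT/<tenant>/vars
# for the site before running build_tenant_ca.
copy_easyrsa() {
    valid_connection_name "$1" || { echo "invalid tenant name: $1" >&2; return 1; }
    dest="$AUTH_ROOT/$1"
    [ -e "$dest" ] && { echo "$dest exists; refusing to overwrite a tenant CA" >&2; return 1; }
    cp -r "$EASYRSA_SRC" "$dest"
}

# Step 2: generate the tenant CA, a server certificate and DH parameters
# (easy-rsa 2.0 prompts interactively for the certificate fields).
build_tenant_ca() {
    ( cd "$AUTH_ROOT/$1" && . ./vars && ./clean-all && ./build-ca \
        && ./build-key-server server && ./build-dh )
}

# Step 3: issue a road-warrior bundle for one user and stage it for download.
build_road_warrior_key() {
    tenant=$1; conn=$2
    valid_connection_name "$tenant" && valid_connection_name "$conn" \
        || { echo "invalid tenant or connection name" >&2; return 1; }
    p12=$(pkcs12_path "$tenant" "$conn")
    [ -e "$p12" ] && { echo "$p12 exists; revoke the old key instead of reissuing" >&2; return 1; }
    ( cd "$AUTH_ROOT/$tenant" && . ./vars && ./build-key-pkcs12 "$conn" )
    # Only the vyos account can read the staged bundle (the page's chown plus a mode).
    install -m 0600 -o vyos -g users "$p12" ~vyos/"$conn.p12"
    echo "~vyos/$conn.p12 is ready to copy to the client's OpenVPN config directory"
}
```

Typical use as root on the router: `copy_easyrsa qcn`, edit /config/auth/qcn/vars, `build_tenant_ca qcn`, then `build_road_warrior_key qcn alice-laptop` for each user. Keeping a separate tree per tenant is what makes the CAs independent: the Management instance can trust /config/auth/management/keys/ca.crt without ever accepting a certificate signed by the QCN or DNT CA.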