Set up a client-to-site VPN

Version / Revision: V1.1 R1
For: Beginner

Skill: General audience.
Published: 2016-03-17
Review: 2016-03-17
Last Update: 2016-04-14

Contact: Nethserver community forum

Description

This howto describes the principal steps to set up a VPN connection. It does not cover any special configuration.
The howto refers to the simple network shown in the picture.

Simple Network

Necessary Software Modules

The following software modules are required for the VPN. If they are not already installed, install them via Menu → Software Centre:
VPN
Firewall

Port forwarding

If your Nethserver is not your gateway ("router"), perform the following steps: log in to your modem/router and find where port forwarding is configured. Every brand has a different GUI and port forwarding can be located under different menu entries.

OpenVPN

In our example UDP port 1194 is forwarded to the RED interface of the Nethserver, IP address 192.168.0.10, port 1194 (no port translation):

 UDP Port 1194 -> 192.168.0.10

L2TP/IPSec

For L2TP/IPsec VPN connections several ports have to be forwarded. These are the following ports:

 UDP Port 500   (For IKE Internet Key Exchange)
 UDP Port 1701  (For the L2TP-Connection)
 UDP Port 4500  (For NAT-T IPSec-Traffic)
 

In our example the three ports are forwarded unchanged to the RED interface of the Nethserver, IP address 192.168.0.10:

 UDP Port 500 -> 192.168.0.10
 UDP Port 1701 -> 192.168.0.10
 UDP Port 4500 -> 192.168.0.10

VPN settings in Nethserver

In the menu left hand side click on VPN.
At the top of the VPN administration window are five tabs: Accounts, Clients, L2TP/IPsec, IPsec Tunnel, OpenVPN

Accounts

Create a new user. You can either create a new user or add an existing Nethserver user.

OpenVPN

Nethserver OpenVPN Settings

Enable the roadwarrior server by ticking the box.

Decide which authentication method should be used.
More information about the OpenVPN settings can be found in the Howto OpenVPN

Under Mode choose Routed Mode.

With Routed Mode you are connected to the server's network via routing.
To prevent any conflict between the IP range at your location and the one at the server,
the network IP address handed out to VPN clients has to be different from both. In our example
the local network at the client's location is 192.168.0.0/24, as is the network where the server is.

We use another private IP address range, 10.10.0.0. You can also assign 10.0.0.0 or
172.16.0.0 or another private (RFC 1918) starting address, as long as you know what you are doing.
The netmask is 255.255.255.0 in our case, i.e. 10.10.0.0/24.

More about IP addressing can be found at Daryl's TCP/IP Primer
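As an added example (not part of this howto and not NethServer code), a Python check that a planned VPN address range does not collide with the networks already in use. It uses the addresses of the example: 192.168.0.0/24 at the client's location and on the server's RED side, 192.168.1.0/24 behind the server (the remote network used later in this howto) and 10.10.0.0/24 for OpenVPN. The L2TP/IPsec pool 10.10.1.0/24 is an assumed value, not one from the page; the (address, netmask) form mirrors the two NethServer input fields.

```python
import ipaddress

# RFC 1918 private ranges; a VPN pool should sit inside one of them.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_network(value):
    """Build a network from '10.10.0.0/24' or from the (address, netmask) pair
    the NethServer form asks for, e.g. ('10.10.0.0', '255.255.255.0')."""
    if isinstance(value, (tuple, list)):
        value = "/".join(value)
    return ipaddress.ip_network(value, strict=False)


def check_vpn_plan(lans, pools):
    """lans:  {name: network} for every network already in use: the LAN at the
              client's location, the LAN behind the server (GREEN) and the
              server's RED network.
    pools: {name: network} for every range handed out to VPN clients, e.g.
              the OpenVPN pool and the L2TP/IPsec pool.
    Returns {pool name: [problem, ...]}; an empty list means the pool is usable."""
    lans = {name: to_network(net) for name, net in lans.items()}
    pools = {name: to_network(net) for name, net in pools.items()}
    report = {}
    for name, pool in pools.items():
        problems = []
        if not any(pool.subnet_of(private) for private in PRIVATE):
            problems.append(f"{pool} is not an RFC 1918 private range")
        for lan_name, lan in lans.items():
            if pool.overlaps(lan):
                problems.append(f"{pool} overlaps {lan_name} ({lan}): routes would conflict")
        for other_name, other in pools.items():
            if other_name != name and pool.overlaps(other):
                problems.append(f"{pool} overlaps VPN pool {other_name} ({other})")
        report[name] = problems
    return report


def lan_conflict(client_lan, server_lan):
    """True when the client's own LAN overlaps the LAN behind the server.
    No choice of VPN pool repairs this: the client keeps sending packets for
    the remote LAN to its local network instead of into the tunnel."""
    return to_network(client_lan).overlaps(to_network(server_lan))


if __name__ == "__main__":
    # Addresses from this howto: 192.168.0.0/24 at the client's location (also the
    # server's RED side), 192.168.1.0/24 behind the server, 10.10.0.0/24 for OpenVPN.
    # The L2TP/IPsec pool 10.10.1.0/24 is an assumed value, not one from the page.
    lans = {"client LAN": "192.168.0.0/24", "server RED": "192.168.0.0/24",
            "server GREEN": "192.168.1.0/24"}
    pools = {"OpenVPN": ("10.10.0.0", "255.255.255.0"), "L2TP/IPsec": "10.10.1.0/24"}
    for name, problems in check_vpn_plan(lans, pools).items():
        print(name, "OK" if not problems else problems)
    # A pool that collides with the LAN, as the text warns against:
    print(check_vpn_plan(lans, {"OpenVPN": "192.168.0.0/24"}))
    print("client/server LAN conflict:", lan_conflict("192.168.0.0/24", "192.168.1.0/24"))
```

Run the check once for every location you connect from: a pool that is fine at home may overlap the hotel or office network you connect from next week, and lan_conflict catches the case the text's advice cannot fix, a client LAN that uses the same range as the company LAN.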

Under Advanced you can choose

  • Route all client traffic through VPN
  • Allow client-to-client network traffic

Route all client traffic through VPN: choose this if you intend to use the VPN
connection from public networks (hotspots) or from countries where traffic is inspected or
filtered; an observer on the local network then only sees the encrypted tunnel to your server.
Everything is routed via the server, but bear in mind that your download speed is then limited by
the upload speed of your server's Internet connection. With an asymmetric connection the upload
speed is often only about 10% of the download speed.

Allow client-to-client network traffic lets VPN clients that are connected at the same time reach
each other through the server; it is not needed for a single client. If you work at home and
only need the connection to the server in the company, simply leave Route all client traffic
through VPN unchecked: then only traffic for the company network goes through the tunnel and you
use your local connection when you browse the internet.

Enable LZO compression by ticking the box. Caveat: compressing traffic before it is encrypted has since been shown to leak plaintext to an attacker who can inject data into the tunnel (VORACLE, 2018), so current advice is to leave compression disabled unless you need it.

Connection parameters

In Contact this server on public IP / host the server name is already filled in. If you don't have a fixed
IP address, which is common with non-commercial contracts, you have to publish your public host name via
a dynamic DNS service. Your IP address is usually assigned anew after every disconnection.
In some countries the ISP forces this every 24 hours.

Via e.g. DynDNS.org it is possible to publish your public host name, e.g. SuperDuperServer.com.
Some modems support dynamic DNS and inform e.g. DynDNS.org when the IP address changes.

If you don't want to use a host name, or can't, insert your public IP address.

 In our case it would be 212.111.122.xxx.

Be aware that the IP address can change if you don't have a fixed IP; every client configuration then has to be updated.

Download OpenVPN settings

In Accounts, on the right hand side, is the Edit field for the user you created earlier. If you click on the black triangle a menu drops down. Choose Download.

OpenVPN Download Menu

At the top of the page a new window opens.

OpenVPN Download Menu

Download the OpenVPN configuration and save it on your computer where you will find it again. Treat this file like a password: it contains the CA certificate and, depending on the authentication method, your client certificate and private key.
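As an added example, not code from this howto or from NethServer, a Python audit of a downloaded client profile before it is used; it also covers the compression caveat from the OpenVPN settings section. The profile embedded in the code is constructed in the shape of an OpenVPN client file (host SuperDuperServer.com from the dynamic DNS example, a placeholder instead of a certificate body) and deliberately carries the settings discussed above: password authentication, the BF-CBC cipher and comp-lzo. The directive names it looks for are real OpenVPN directives; the severities and messages are the example's own.

```python
import ipaddress
import re

# Constructed sample in the shape of an OpenVPN client profile: inline CA block,
# password authentication, LZO compression. It is not a profile downloaded from
# any real server, and the certificate body is a placeholder, not a real certificate.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote SuperDuperServer.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher BF-CBC
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# The same profile with the weak settings corrected: no compression, a modern
# cipher, and the server certificate type pinned with remote-cert-tls.
HARDENED_OVPN = SAMPLE_OVPN.replace("cipher BF-CBC\ncomp-lzo\n",
                                    "cipher AES-256-GCM\nremote-cert-tls server\n")

INLINE_TAG = re.compile(r"<(\w[\w-]*)>\s*(.*?)\s*</\1>", re.S)
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_ovpn(text):
    """Split a profile into directives ({name: [argument lists]}) and inline
    blocks ({tag: body}) such as <ca>, <cert>, <key>, <tls-auth>, <tls-crypt>."""
    inline = {m.group(1): m.group(2) for m in INLINE_TAG.finditer(text)}
    directives = {}
    for line in INLINE_TAG.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # comment lines
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def audit_ovpn(text):
    """Return [(severity, message)] for a client profile; severity is
    'error' (will not work or cannot be trusted), 'warn' or 'info'."""
    d, inline = parse_ovpn(text)
    findings = []
    if "client" not in d and not ("tls-client" in d and "pull" in d):
        findings.append(("error", "profile is not in client mode ('client')"))
    remotes = d.get("remote", [])
    if not remotes:
        findings.append(("error", "no 'remote' line, the server host/IP is missing"))
    for args in remotes:
        host = args[0] if args else "?"
        port = args[1] if len(args) > 1 else "1194 (default)"
        findings.append(("info", f"connects to {host} port {port}"))
        try:
            ipaddress.ip_address(host)
            findings.append(("info", f"{host} is a bare IP; the profile breaks when the server's public IP changes"))
        except ValueError:
            pass                             # a host name, fine with dynamic DNS
    if "ca" not in inline and "ca" not in d:
        findings.append(("error", "no CA certificate: the server's certificate cannot be verified"))
    if "remote-cert-tls" not in d:
        findings.append(("warn", "no 'remote-cert-tls server': any certificate issued by the CA could pose as the server"))
    if "verify-x509-name" not in d:
        findings.append(("info", "no 'verify-x509-name': the server certificate's name is not pinned"))
    if "comp-lzo" in d or "compress" in d:
        findings.append(("warn", "compression enabled (comp-lzo/compress): compressing data before encryption leaks plaintext"))
    for args in d.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(("warn", f"weak cipher {args[0]}; prefer AES-256-GCM"))
    for args in d.get("auth", []):
        if args and args[0].upper() in {"MD5", "NONE"}:
            findings.append(("warn", f"weak HMAC {args[0]}; prefer SHA256 or stronger"))
    if not any(k in d or k in inline for k in ("tls-auth", "tls-crypt")):
        findings.append(("info", "no tls-auth/tls-crypt key: the control channel accepts unauthenticated probes"))
    if "auth-user-pass" not in d and "cert" not in inline and "cert" not in d:
        findings.append(("error", "neither a client certificate nor 'auth-user-pass': nothing to authenticate with"))
    return findings


def count(findings, severity):
    """Number of findings with the given severity."""
    return sum(1 for sev, _ in findings if sev == severity)


if __name__ == "__main__":
    for label, profile in (("downloaded", SAMPLE_OVPN), ("hardened", HARDENED_OVPN)):
        print(f"== {label} profile: {count(audit_ovpn(profile), 'warn')} warning(s)")
        for sev, msg in audit_ovpn(profile):
            print(f"  [{sev}] {msg}")
```

To audit a real download, read the .ovpn file into a string and pass it to audit_ovpn instead of SAMPLE_OVPN. An 'error' finding means the profile will not connect or cannot verify the server; a 'warn' finding is a setting worth changing on the server side before handing the profile to users.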

L2TP/IPSec

First of all you have to configure the Nethserver as a Domain Controller. You don't have to use it as a Domain Controller in your network, but it is a requirement for the L2TP/IPsec connection. To configure the Nethserver as a Domain Controller, go to the Windows Network page in the Configuration category of the menu. Select Primary Domain Controller on that page and enter your domain name. If your Nethserver already uses a domain, you may choose that domain (e.g. "mydomain.com"). If you don't use a domain, feel free to choose any other name.

After you have configured the domain, change to the L2TP/IPsec tab on the VPN configuration page. Tick Enable L2TP. Select PSK (Pre-Shared Key) for IPsec authentication and choose a long random key; everyone who knows it can start an IPsec negotiation with your server. Configure the Network Address and the Network Mask that will be assigned to the remote client after connection; this range must differ from your LANs and from the OpenVPN range.

Finally change to the Accounts tab on the VPN page and click on Create new. You can choose whether to use an existing user or to create a user that exists only for the VPN connection. System user is recommended. After you have selected the type of user, configure the remote network (Address and Mask) and finally click Submit. The server configuration is done after this step.

OpenVPN Client

Download the right client for your operating system from OpenVPN.org.

On a Windows PC install the openvpn-installer-xxx.exe

Because the client has to add routes and write to system-relevant settings, it has to run as administrator. You can set this permanently: right click the icon and choose Properties in the pop-up menu.

Permanent Admin Settings

Choose Advanced... and in the new window tick the first option: Run as administrator

Starting OpenVPN Client

You have different options to start the client:

  • Right click on a FILE.ovpn file and choose Start OpenVPN on this config file.
  • Save your config file File.ovpn in \Program Files\OpenVPN\config.
    Start the OpenVPN client via the menu or by double clicking the icon.
    In the lower right corner of Windows look for the OpenVPN icon of the running client.
    A right click opens the menu. Choose Connect.

OpenVPN Client Icon

Windows as L2TP/IPSec Client

If you use an L2TP/IPsec VPN you don't need to install any additional software, provided you are using Windows Vista or higher.
To configure Windows for connecting to the Nethserver follow the next steps. The steps may differ slightly from the screenshots, depending on your Windows version.

Configure the VPN Connection

Right click the network icon in the bottom right corner of Windows next to the clock ("Traybar") and select Open Network and Sharing Center.

In the Network and Sharing Center click on Set up a new connection or network. A new window will appear.

Select Connect to a workplace.

Choose Use my Internet connection (VPN).

Enter your Nethserver's Internet address. This can be a DNS name or an IP address. Also enter a name for that connection.

After you have finished that dialog the base configuration is done, but not the complete configuration. In the Network and Sharing Center click on Change adapter settings on the left of the window. In Network Connections right click the new VPN connection and select Properties.

Change to the Security tab and set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). Set Data encryption to Require encryption (disconnect if server declines), select Allow these protocols and tick only Microsoft CHAP Version 2 (MS-CHAP v2); leave PAP and CHAP unticked so the password is never offered in a weaker form.

Click on the Advanced settings button next to the Type of VPN combobox. Select Use preshared key for authentication and enter the PSK you entered in the Nethserver L2TP/IPsec settings before.

If your Nethserver sits behind a NAT router, as in the port forwarding example above, Windows refuses the L2TP/IPsec connection by default. To allow it, create the DWORD value AssumeUDPEncapsulationContextOnSendRule with data 2 under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent and reboot.

This step is needed only if you want to route just the remote network (e.g. 192.168.1.0/24 as in the example) through the VPN and keep using your local Internet connection for everything else. If you want ALL traffic routed via the VPN, skip it.
Change to the Networking tab and select Internet Protocol Version 4 (TCP/IPv4). When the line is highlighted, click on the Properties button. In the next window, click the Advanced... button. Untick Use default gateway on remote network and click OK in all open windows until you are back at the Network Connections window. Windows then only adds a route derived from the VPN client address itself; if the remote network is not reachable afterwards, add a static route for it via the VPN connection.

Connect the L2TP/IPSec VPN

Left click the network icon in the bottom right corner of the desktop next to the clock ("Traybar").

In Windows 8 and higher a charm appears at the right side of the desktop. Select your VPN connection and click on Connect.

Enter the credentials of the account you created for the VPN connection on the Nethserver.

Finally the connection is established.