Openvpn – Linksys/Cisco RVS4000 VPN Setup

Tags: openvpn, vpn

My company has a user leaving the office and will be working from home often. I need to setup a VPN connection for him. Here is the situation.

  1. The user will be working from remote locations. The remote IP address won't be static.
  2. Our network setup is as follows:

    a. Internet comes in from a cable modem and has a static IP address, which is known.

    b. The modem is connected to a Linksys/Cisco RVS4000 VPN Firewall/Router. This device has a static IP address on our internal network and does not provide DHCP services to the network. Its firmware version is 1.3.2

    c. The RVS4000 is then connected to our internal network. Everything on the internal network is in the same subnet and their IP addresses are assigned by a Windows Server 2003 domain controller.

  3. The user needs to be able to access network resources first and foremost. Ideally, he should be able to authenticate with the domain as well, but that is secondary. Authentication with the domain will make it easier to access the intranet.

What I have looked at and tried:

  1. Linksys/Cisco QuickVPN client. This thing has never worked across all firmware upgrades. Maybe I am doing something wrong. Using this, I have set up user accounts on the RVS4000, exported a certificate and put it in the QuickVPN directory on the remote machine. It does not work when I try to connect. It won't establish the connection.

  2. ShrewVPN client: I am not entirely certain how to configure this.

  3. OpenVPN: Due to limited linux-fu, I haven't gotten very far.

At this point, I am ready to be treated like an idiot. Apparently I am missing something and don't know where to start.

Best Answer

We use OpenVPN for our "home" and "field" workers. There are clients available for Windows, Linux and Mac OS X (called Tunnelblick). We run our access server off a Fedora box, but according to the OpenVPN website, there are also access servers available as virtual appliances or for VHD. However, this will require either a server connected directly to the Internet, or some port forwarding from your firewall to the access server. From your description above, it sounds like port forwarding is the way to go for you.

We use this with self-signed certificates (i.e. certificates we create ourselves for each user) and it works like a charm. Our access server is configured to run on port 443, which makes it easier for the "field" workers to connect from hotels (which often have strong restrictions on which ports are allowed).

With Windows clients, the OpenVPN client can be configured to start up before the Windows login prompt comes up, which means that at the point of logon, you already have a connection to your LAN, and authentication against AD is simple: the user gets a choice of which domain he wants to log on to (local domain or AD domain). Alternatively, if the client is NOT configured to start up automatically, users can still log on with their domain credentials, if the computer is registered, because Windows will cache their credentials for a certain time. However, if no connection is made before the cache expires, your homeworker can get a bit stuck, particularly if he doesn't have credentials for any local accounts on the machine.
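A server and client configuration matching the setup in this answer (OpenVPN on TCP/443 behind a port forward on the RVS4000, one certificate per user signed by your own CA, routes and DNS pushed so the Windows domain controller is reachable). This is an added example, not the answerer's own config; the office LAN subnet, DC address, AD suffix, office public IP, user name and key paths are placeholders, and the certificates are assumed to have been issued with easy-rsa (server cert with the server EKU, so `remote-cert-tls server` on the client works).

```conf
# --- server.conf (on the OpenVPN host inside the office LAN) ---
port 443
proto tcp                 # TCP/443 passes most hotel/guest-network filters
dev tun
ca   /etc/openvpn/keys/ca.crt        # your own CA; sign one cert per user with it
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0  # HMAC on the handshake; unsigned packets are dropped
crl-verify /etc/openvpn/keys/crl.pem # lets you revoke a leaver's cert without reissuing the CA
server 10.8.0.0 255.255.255.0        # tunnel pool; must not overlap the office LAN
push "route 192.168.1.0 255.255.255.0"   # office LAN (assumed subnet)
push "dhcp-option DNS 192.168.1.10"      # the Windows 2003 DC, so AD names resolve
push "dhcp-option DOMAIN corp.example"   # AD DNS suffix (placeholder)
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
verb 3

# --- client.ovpn (one file per user, e.g. C:\Program Files\OpenVPN\config\) ---
client
dev tun
proto tcp
remote 203.0.113.5 443    # office static IP (placeholder); RVS4000 forwards TCP/443 here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert alice.crt            # this user's own certificate
key alice.key
tls-auth ta.key 1
remote-cert-tls server    # refuse to talk to anything that does not present a server cert
verb 3
```

On Windows, running the tunnel from the OpenVPN service (set to Automatic) rather than the GUI is what brings it up before the logon prompt; the RVS4000 only needs a single forward of TCP/443 to the server's LAN address.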