
Business Continuity with SUSE Home Office Workplace

The Covid-19 pandemic has radically changed many things within a few weeks. Companies and organizations around the world now need to take action very quickly to keep their business running as smoothly as possible. Home office workplaces play a key role here. If as many users as possible carry out their tasks from home, the risk of infection decreases - and companies remain capable of acting despite the crisis.

To help you work from home, SUSE offers a cost-effective business continuity solution that you can implement quickly and easily: the SUSE Linux Enterprise Server. It consists of three components:

SUSE Linux Enterprise Desktop: The Linux desktop from SUSE comes with a complete LibreOffice package and more free applications, including software for e-mail, collaboration and instant messaging. Employees can also access Microsoft Office 365 applications via Web browser. Furthermore, they are able to connect to virtual desktops from Citrix, VMware, Microsoft, and other vendors. This gives employees in the home office access to all applications enabling them to start working immediately.

SUSE Linux Enterprise Server: Powerful open source software solutions are also available for securely connecting home office workstations to the company via the Internet. SUSE recommends using the virtual private network (VPN) solution OpenVPN. This provides users with very easy, protected access to all resources in the corporate network, secured by 256-bit encryption and other security features. The SUSE Linux Enterprise Server product comes with all software that is required to set up a VPN server for your business.

SUSE Manager: With the SUSE Manager, IT departments can efficiently manage even a large number of remote workstations. It offers automatic installation and creation of disk images and also provides centralized configuration management of all clients. Administrators also have a complete overview of all necessary updates and patches at all times. Should the increase in remote workstations require the operation of additional virtual servers, load balancing in the data center is possible using SUSE Linux Enterprise Server and the open source virtualization solution KVM.

Publication Date: August 07, 2020

1 Requirements

Recommended hardware requirements for each product can be found on the respective download pages mentioned in Section 2, “Software Download”.

To set up a VPN server with SUSE Linux Enterprise Server you need RFC3280 TLS compliant certificates and keys generated by your corporate public key infrastructure (PKI) team (these files cannot be generated with SUSE Linux Enterprise Server).

2 Software Download

Downloads for all three products are available from https://www.suse.com/download-linux/. Each download comes with a 60-day evaluation key that you need to register the product during installation. Before you can download, log in with your existing SUSE account or create a new account.

Direct download links for the AMD64/Intel 64 architecture:

3 Creating the Installation Media

The easiest way to install SUSE Linux is to boot the installation media from a USB Flash drive. To create a bootable USB drive, proceed as follows:

Tip: Virtual Machine Installation

Creating bootable installation media is only needed when installing on bare metal. In case you are installing on a virtual machine, you can directly use the ISO images you downloaded from the SUSE Web site.

3.1 On Linux, macOS

Copy/download the respective product as described in Section 2, “Software Download” and run the following command:

tux > sudo dd if=PATH_TO_ISO_IMAGE of=USB_STORAGE_DEVICE bs=4M

Replace PATH_TO_ISO_IMAGE with the relative or absolute path to the file you downloaded from the SUSE Web server. Replace USB_STORAGE_DEVICE with the path to the USB flash drive. If you are unsure about the path to the USB drive, run the following command as root:

root # grep -Ff <(hwinfo --disk --short) <(hwinfo --usb --short)

3.2 On Windows

There is a large number of USB flashing tools for Windows. One example would be the open source tool called Etcher which is available from https://www.balena.io/etcher/.

4 Installation Instructions

Information on how to install each product is available in a separate guide:

5 Setting Up the VPN Infrastructure

A key part of the SUSE Linux Enterprise Server solution is the VPN infrastructure, which consists of a central VPN server to which the home office clients can connect. Setting up this infrastructure requires the following steps:

5.1 Provision Certificates and Keys

The following certificate and key files, provided by your corporate PKI, are needed:

Server
  • ca.crt

  • server.crt

  • server.key

Each client
  • ca.crt

  • client.crt

  • client.key

5.2 Prepare a SUSE Linux Enterprise Server Instance

In this step we are setting up a server with SUSE Linux Enterprise Server that will provide the VPN service. Installation can either be done on a virtual machine (VM) or on bare metal.

Important: Network Infrastructure

To receive security patches and product updates, this server must be able to access either the SUSE Customer Center (external) directly or an internal SUSE Manager or Repository Mirroring Tool server.

You also need to make sure that this machine can access your internal network in a secure fashion, so that VPN users can access their data.

  1. Download the SUSE Linux Enterprise Server ISO image from the SUSE Web site and make a note of the evaluation key.

  2. If you install on bare metal, prepare a bootable USB flash drive as described in Section 3, “Creating the Installation Media”. If you install on a VM, attach the ISO image as a bootable optical device.

  3. Follow the installation instructions from the Quick Start.

    1. Make sure to register SUSE Linux Enterprise Server during the installation using the evaluation key. This ensures that the product is installed with the latest patch level.

    2. In the Extension and Module Selection step, only select the modules Basesystem and Server Applications (both should be selected by default).

    3. In the System Role step, choose Minimal.

5.3 Install and Configure the VPN Service

In this step we are setting up the VPN service.

  1. Install the VPN server software package:

    tux > sudo zypper in openvpn
  2. Copy the server certificates and keys (ca.crt, server.crt, server.key) to /etc/openvpn.

  3. Generate the VPN secrets:

    tux > sudo openssl dhparam -out /etc/openvpn/dh2048.pem 2048
    tux > sudo openvpn --genkey --secret /etc/openvpn/ta.key
  4. Add a copy of the previously generated /etc/openvpn/ta.key to the set of certificates and keys for the clients, as it is needed on each client machine. We recommend creating a zip or tar file containing the four files needed on the clients: ca.crt, client.crt, client.key, ta.key.

  5. If you use a firewall, open the required ports by allowing the openvpn service:

    tux > sudo firewall-cmd --add-service openvpn
    tux > sudo firewall-cmd --permanent --add-service openvpn
  6. Create an initial server configuration file by copying the template:

    tux > sudo cp /usr/share/doc/packages/openvpn/sample-config-files/server.conf \
    /etc/openvpn
  7. Edit /etc/openvpn/server.conf by adapting and/or uncommenting existing lines as follows (leave the rest unchanged):

    dev tun0
    user nobody
    group nobody
    log  openvpn.log
    log-append  openvpn.log
  8. Set up a tun device configuration by creating /etc/sysconfig/network/ifcfg-tun0 with the following content:

    STARTMODE='manual'
    BOOTPROTO='static'
    TUNNEL='tun'
    TUNNEL_SET_OWNER='nobody'
    TUNNEL_SET_GROUP='nobody'
    LINK_REQUIRED=no
    PRE_UP_SCRIPT='systemd:openvpn@server'
    PRE_DOWN_SCRIPT='systemd:openvpn@server'
  9. Activate the tun0 device:

    tux > sudo wicked ifup tun0
  10. Start and enable the OpenVPN service:

    tux > sudo systemctl start openvpn@server.service
    tux > sudo systemctl enable openvpn@server.service
  11. Check whether tun0 has been assigned an IP address by running ip a show tun0.

    In case tun0 does not get an IP address, validate all steps above. If you change /etc/openvpn/server.conf, make sure to restart the service with systemctl restart openvpn@server.service. To check the log messages for VPN, run journalctl -xb -u openvpn@server.

    Congratulations. You have successfully set up the VPN server.

5.4 Prepare a Home Office Client

In this step we are setting up a home office client with SUSE Linux Enterprise Desktop.

  1. Download the SUSE Linux Enterprise Desktop ISO image from the SUSE Web site and make a note of the evaluation key.

  2. Prepare a bootable USB flash drive as described in Section 3, “Creating the Installation Media”.

  3. Follow the installation instructions from the Quick Start.

  4. Make sure to register SUSE Linux Enterprise Server during the installation using the evaluation key. This ensures that the product is installed with the latest patch level.

5.5 Configure the VPN Client

The SUSE Linux Enterprise Desktop installation you performed in the previous step has the required OpenVPN packages installed by default. In addition to that, you need the client certificates and keys (including the ta.key generated on the OpenVPN server machine). You will also need to know the external IP address of the VPN server.

Warning: Ensure Secure Delivery of Certificates and Keys

The VPN certificates and keys for each client must always be distributed in a secure fashion, for example encrypted and over a secure connection. These files must never be made publicly available. Also ensure that no home office worker passes them along to any other person.

These files are the admission ticket to your intranet, and anybody who possesses them can access your virtual private network.

  1. Import the client certificates (ca.crt, client.crt, client.key, ta.key) to /etc/openvpn.

  2. Create an initial client configuration file by copying the template:

    tux > sudo cp /usr/share/doc/packages/openvpn/sample-config-files/client.conf \
    /etc/openvpn
  3. Edit /etc/openvpn/client.conf by adapting and/or uncommenting existing lines as follows (leave the rest unchanged):

    dev tun0
    remote VPN_Server_IP 1194
    user nobody
    group nobody

    VPN_Server_IP needs to be replaced by the external IP address of the VPN server.

  4. Set up a tun device configuration by creating /etc/sysconfig/network/ifcfg-tun0 with the following content:

    STARTMODE='manual'
    BOOTPROTO='static'
    TUNNEL='tun'
    TUNNEL_SET_OWNER='nobody'
    TUNNEL_SET_GROUP='nobody'
    LINK_REQUIRED=no
    PRE_UP_SCRIPT='systemd:openvpn@client'
    PRE_DOWN_SCRIPT='systemd:openvpn@client'
  5. Activate the tun0 device:

    tux > sudo wicked ifup tun0
  6. Start the OpenVPN service:

    tux > sudo systemctl start openvpn@client.service

    This command is required every time you would like to establish a VPN connection from the home office. To terminate an existing connection, run sudo systemctl stop openvpn@client.service. Alternatively, you can use the NetworkManager on SUSE Linux Enterprise Desktop to establish and terminate the VPN connection without requiring root privileges.

  7. Check whether tun0 has been assigned an IP address by running ip a show tun0. If so, check whether you can reach the VPN server:

    tux > ping -c 5 VPN_Server_IP

    VPN_Server_IP needs to be replaced by the external IP address of the VPN server.

  8. Congratulations. You have successfully set up a VPN client.
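
Added example (not part of the SUSE guide): a pre-flight check for the files handled in Section 5.3 and Section 5.5, to run before starting the OpenVPN service. It reports missing files and private keys readable by group or others, and confirms that the certificate matches its key and chains to ca.crt. The function names and the script name vpn-preflight.sh are hypothetical; the script assumes GNU stat and the openssl command line tool.

```shell
#!/bin/bash
# Added example: pre-flight check for the OpenVPN files named in this guide.
# check_vpn_files, cert_matches_key and cert_signed_by are hypothetical helper
# names for this sketch; they are not part of OpenVPN or SUSE tooling.

# Report missing files and private keys readable by group/others.
# $1 = directory (the guide uses /etc/openvpn), $2 = role: "server" or "client"
check_vpn_files() {
    local dir=$1 role=$2 problems=0 f mode
    for f in ca.crt "$role.crt" "$role.key" ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"
            problems=$((problems + 1))
        fi
    done
    for f in "$role.key" ta.key; do
        [ -f "$dir/$f" ] || continue
        mode=$(stat -c '%a' "$dir/$f")      # GNU stat, octal mode such as 600
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "PERMS $dir/$f is mode $mode; run: chmod 600 $dir/$f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Succeed only if certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# Succeed only if certificate $2 chains to the CA certificate $1.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks when called as: ./vpn-preflight.sh /etc/openvpn server
if [ "$#" -eq 2 ]; then
    check_vpn_files "$1" "$2" &&
        cert_matches_key "$1/$2.crt" "$1/$2.key" &&
        cert_signed_by "$1/ca.crt" "$1/$2.crt" &&
        echo "OK: $2 files in $1 look consistent"
fi
```

On a client, pass client as the second argument. A non-zero exit status means at least one check failed.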

6 For More Information

Apart from the quick starts, SUSE provides detailed documentation for each product on https://doc.suse.com/:

Tips and troubleshooting help is available in the SUSE Knowledgebase. Choose the respective product and enter a search term to get help on certain topics.
