8/6/2019 Linux Fest 2006
1/90
OpenVPNOpenVPN
Tom EastepTom Eastep
April 29, 2006April 29, 2006
Linuxfest NWLinuxfest NWhttp://www.shorewall.net/LinuxFest2006.pdfhttp://www.shorewall.net/LinuxFest2006.pdf
8/6/2019 Linux Fest 2006
2/90
22
AgendaAgenda About me VPNs
Why do we need them? VPN Software choices Basics Where can they be used?
OpenVPN Overview How to install it How to configure it
Bridge Tunnel
Demo Q&A
8/6/2019 Linux Fest 2006
3/90
33
Tom EastepTom Eastep
Work for Hewlett-Packard Development Company
This presentation is my own and is not sponsored or endorsedby HP
Creator and Maintainer of Shorewall Open source firewall configuration tool for Linux
36+ Years of Software Development and Support
I have no connection to the OpenVPN project I use it
Ive added support for it to Shorewall
I think that it is really cool
I recommend it enthusiastically
I am not an expert
8/6/2019 Linux Fest 2006
4/90
44
VPNs Why do we need them?VPNs Why do we need them?
Secure communication over an insecure network
Internet Wireless
In this environment, we need Authentication
Initial authentication (logon)
Continuing to insure that packets are not being tampered with intransit
Confidentiality Protect against eavesdropping
Handling Problem Applications securely NFS is an example
8/6/2019 Linux Fest 2006
5/90
55
VPN SoftwareVPN Software
Microsoft
PPTP (Road-warrior/Telecommuter) IPSEC/L2TP (Road-warrior/Telecommuter)
Industry Standard IPSEC
Developed as part of IPv6
Back-ported to IPv4
A complete IP security framework (not just a VPN solution)
Complex to configure (see my LinuxFest NW 2005 presentation athttp://www.shorewall.net/LinuxFest2005.pdf)
Open Source Vtun
OpenVPN
8/6/2019 Linux Fest 2006
6/90
66
VPN BasicsVPN Basics
VPN software runs ongateways
Traffic is sentunencrypted fromapplications to thenearest gateway (whichmay be the local system)
Traffic is encrypted andtransmitted to the remote
gateway where it isdecrypted and forwardeden clairto the remoteapplication
Client A
Client B
Gateway A
Gateway B
Unencrypted
Encrypted
Unencrypted
8/6/2019 Linux Fest 2006
7/90
77
VPNs Basics (continued)VPNs Basics (continued)
Under Linux, the VPN software typically creates
a Virtual Network Device on each gateway PPP creates pppn where n=1,2,
Older IPSEC implementations create ipsecn
OpenVPN uses either tunn (routed) or tapn (bridged)
VPN software performs IP configuration of the
device as part of connection establishment Routing is used to direct traffic through the VPN
Including the default route in some cases
8/6/2019 Linux Fest 2006
8/90
88
VPNs Where can they be used?VPNs Where can they be used?
Connecting private networks at two or
more locations.
Road-warrior/Telecommuter access to
private network
Wireless Bridge
8/6/2019 Linux Fest 2006
9/90
99
Connecting Private NetworksConnecting Private Networks
Allows secure communicationbetween private networks
(even those with RFC 1918addresses)
Most straight-forward ifOpenVPN runs on yourgateway firewall but alsoworks with OpenVPN runningon host behind firewall (even ifthat host has a private
address). See
http://shorewall.net/OPENVPN.htmfor configuration details
http://shorewall.net/OPENVPN.htmhttp://shorewall.net/OPENVPN.htm8/6/2019 Linux Fest 2006
10/90
1010
Road-warrior/TelecommuterRoad-warrior/Telecommuter
AccessAccess
Creates a Star
Topology OpenVPN can be
configured toallow client-clientconnections from
within theOpenVPN server.
8/6/2019 Linux Fest 2006
11/90
1111
Wireless BridgeWireless Bridge
Help protect LAN from a
Wireless Network VPN clients are assigned
IP addresses in the localLAN
Broadcast-basedApplications like games
and Windows NetworkBrowsing worktransparently
8/6/2019 Linux Fest 2006
12/90
1212
OpenVPN OverviewOpenVPN Overview
Developed and maintained by James
Yonan
Available on a wide range of platforms
Linux
Windows 2000/XP and higher
OpenBSD, FreeBSD and NetBSD Mac OS X
Solaris
8/6/2019 Linux Fest 2006
13/90
1313
OpenVPN Overview (continued)OpenVPN Overview (continued)
Tunnel any IP subnetwork or virtual ethernet
adapter over a single UDP or TCP port Default is UDP Port 1194
Only use TCP where you cannot use UDP for somereason
Can use all of the encryption, authentication,
and certification features of the OpenSSL library Can use any cipher, key size, or HMAC digest
(for datagram integrity checking) supported bythe OpenSSL Library
8/6/2019 Linux Fest 2006
14/90
1414
OpenVPN Overview (continued)OpenVPN Overview (continued)
You can choose between static-key based
conventional encryption or certificate-basedpublic key encryption
May use static, pre-shared keys or TLS-baseddynamic key exchange
I recommend using TLS (Transport Layer Security)
Includes optional real-time adaptive linkcompression and traffic shaping to manage linkbandwidth utilization
8/6/2019 Linux Fest 2006
15/90
1515
OpenVPN Overview (continued)OpenVPN Overview (continued)
Can tunnel networks through connection-
oriented stateful firewalls (like Netfilter) Works over NAT
Allows creation of secure ethernet bridges usingvirtual tap devices
GUIs for configuration and control available on
Windows and Mac OS Also some available for Linux but I havent used them SuSE 10.1 with NetworkManager can
configure/control OpenVPN
8/6/2019 Linux Fest 2006
16/90
1616
OpenVPN Overview (continued)OpenVPN Overview (continued)
Good News Requires no kernel patching
Bad News Because it is implemented in
user-space, it generates many user/kernel
transitions which limits performance on
fast networks.
8/6/2019 Linux Fest 2006
17/90
1717
OpenVPN Overview (continued)OpenVPN Overview (continued)
OpenVPN 1
Point-to-point only either gateway can initiate theconnection
OpenVPN 2
Still supports point-to-point
Also supports server mode (both routed and bridged)
and client mode (both routed and bridged) Server can handle an arbitrary number of clients
Server can be configured to permit client->clientconnectivity
8/6/2019 Linux Fest 2006
18/90
1818
Routed vs. BridgedRouted vs. Bridged
Routed
Gateways act as routers More efficient than bridged (definitely preferred over
high-latency networks like the Internet)
Generally easier to configure
Gateways virtual network device is assigned an IPaddress in a dedicated VPN network
Routing is used to allow the client to access thenetwork(s) at the remote end.
Encapsulated IP packets are sent between thegateways.
8/6/2019 Linux Fest 2006
19/90
1919
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Bridged
VPN connection acts as an Ethernet bridge(think of it as a Ethernet switch and a reallylong cable)
Harder to set up, especially under Linux(although some distributions such as Debian
make it easier than do others)
8/6/2019 Linux Fest 2006
20/90
2020
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Bridged (continued)
Preferred when: Need to handle non-IP protocols like IPX,
You want to preserve IP addresses when you move laptops
from the private LAN to the wireless network or to the
Internet
You run applications over the VPN which rely on network
broadcasts (such as LAN games), or
You would like to allow browsing of Windows file shares
across the VPN without setting up a Samba or WINS server
(weak reason Samba WINS server is trivial to set up)
8/6/2019 Linux Fest 2006
21/90
2121
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Difference between routed & bridged is
primarily on the server side Routed server routes between the virtual
device(s) and other devices on the server
Bridged the virtual device is bridgedto oneof the real network devices on the server. Thebridge itself gets the IP configuration
8/6/2019 Linux Fest 2006
22/90
2222
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Bridged (continued)
Remote clients virtual network device isassigned an IP address in one of the serverslocal networks
Allows the client transparent access to thatlocal network (including broadcasts, other
protocols like IPX, etc).
Encapsulated Ethernet frames are sentbetween the gateways
8/6/2019 Linux Fest 2006
23/90
2323
Installing OpenVPNInstalling OpenVPN
Linux
Install your distributions OpenVPN packagealong with any prerequisites.
Note: OpenVPN must be installed and run byroot
Requires OpenSSL
8/6/2019 Linux Fest 2006
24/90
2424
Installing OpenVPN (continued)Installing OpenVPN (continued)
Windows
Download the Windows OpenVPN installer fromopenvpn.net.
Run the self-installing .exe on the windows system.The installer also installs the Tap-Win32 driver andcreates a virtual network device for use by OpenVPN.
If you need additional virtual devices, you can run thetapinstall.exe program included with OpenVPN.
Note: OpenVPN must be installed and run by a userthat has administrative privileges.
8/6/2019 Linux Fest 2006
25/90
2525
Installing OpenVPN (continued)Installing OpenVPN (continued)
(Public Key Infrastructure PKI)(Public Key Infrastructure PKI)
Disclaimer: I know just enough about
Public Key Encryption to make it work. OpenVPN includes a toolkit called easy-
rsa for establishing your own CertificateAuthority(CA) that can then issue X.509certificates.
Very easy-to-follow instructions in theOpenVPN HOWTO (http://openvpn.net/howto.html).
http://openvpn.net/howto.htmlhttp://openvpn.net/howto.htmlhttp://openvpn.net/howto.htmlhttp://openvpn.net/howto.html8/6/2019 Linux Fest 2006
26/90
2626
Installing OpenVPNInstalling OpenVPN
PKI (continued)PKI (continued) You create a CA Certificate and key which can then be
used to sign signing requests which in turn creates newcertificates for your gateways (clients and servers). easy-rsa doesnt encrypt the CA key by default
The CA certificate (but not the CA key) needs to becopied to each gateway (on Windows, you do not needto install the certificates in the Windows certificate store).
Create Diffie Hellman parameters using build-dh script
(required for TLS Servers only). Create an empty Certificate Revocation List (CRL)
8/6/2019 Linux Fest 2006
27/90
2727
Installing OpenVPNInstalling OpenVPN
PKI (continued)PKI (continued) I recommend creating a separate certificate for each
gateway (clients and servers); that way, you can revokeif private key lost or stolen.
The gateways certificate and keymust be available onthe gateway to start OpenVPN there.
I dont recommend assigning a password to the key ofthe certificate used on your OpenVPN server if you startyour server using your distributions init scripts.
I strongly recommend assigning a password on clientsystems, especially on laptops.
For added security, you can install the client certificateon a smart card or (as I do), keep it on a USB stick.
8/6/2019 Linux Fest 2006
28/90
2828
Configuring OpenVPNConfiguring OpenVPN
Each running instance of OpenVPN
requires a configuration file. Actually, you can specify the configuration on
the run-line but thats pretty cumbersome.
man openvpn describes the command-linearguments which are prefixed with --.
In the configuration file, the prefix is omitted. Example:
Command line: --push-route
Configuration file: push-route
8/6/2019 Linux Fest 2006
29/90
2929
Configuring OpenVPN (continued)Configuring OpenVPN (continued)
On Windows, configuration files have the
extension .ovpn. I place mine in C:\ProgramFiles\OpenVPN\configs\ (default)
On Linux, configuration files have the suffix.config and are generally placed in/etc/openvpn/.
8/6/2019 Linux Fest 2006
30/90
3030
Routed ServerRouted Server
Dual Homed
(has twointerfaces)
Internet
LocalNetwork(s)
8/6/2019 Linux Fest 2006
31/90
3131
Example Configuration for aExample Configuration for a
Routed ServerRouted Server
Server: gateway.shorewall.net
IP address: 206.124.146.176
VPN Network: 192.168.2.0/24
Because of limitations in the Tap-Win32driver, each client in a routed configuration
needs its own /30 network (4 IP addresses). In OpenVPN 2.1, if you dont have any
Windows clients, there is an option to avoidthat waste.
8/6/2019 Linux Fest 2006
32/90
3232
Configuration file (Routed Server)Configuration file (Routed Server)
dev tun
local 206.124.146.176 #Servers IP address
server 192.168.2.0 255.255.255.0 #VPN Network
dh dh1024.pem #Diffie-Hellman parameters
#Only required on TLS servers
ca /etc/certs/cacert.pem #CA certificate
crl-verify /etc/certs/crl.pem #Certificate Revocation List
cert /etc/certs/gateway.pem #Gateways certificate
key /etc/certs/gateway_key.pem #Gateways key
port 1194 #Default OpenVPN 2.0 Port
comp-lzo #Use fast LZO compression
user nobody #drop root priv after
group nogroup #initialization
8/6/2019 Linux Fest 2006
33/90
3333
Routed Server (continued)Routed Server (continued)
keepalive 15 45 #ping every 15 seconds#restart if no ping#received in 45 seconds
ping-timer-rem #Dont start ping clock#until we have a client
persist-tun #Dont close/open tun#device during
#ping-restart
persist-key #dont re-read key after
#ping restart
client-config-dir /etc/openvpn/clients #Directory where client-
#specific params are kept
ccd-exclusive #Require client-specific#params
client-to-client #allow client->client
verb 3 #verbosity of the log
8/6/2019 Linux Fest 2006
34/90
3434
Sample Configuration for a RoutedSample Configuration for a Routed
Client (Windows Roadwarrior)Client (Windows Roadwarrior)dev tun #Routedremote gateway.shorewall.net #Servers Nametls-remote gateway.shorewall.net #Common Name in Servers Certificatetls-client #We are a TLS clientexplicit-exit-notify #Notify when we exitpull #Accept servers pushed parametersca "/Program Files/OpenVPN/certs/cacert.pem"cert E:/easy-rsa/keys/eastepnc6000.crt"key E:/easy-rsa/keys/eastepnc6000.key"port 1194comp-lzoping-timer-rempersist-tun
persist-keymute-replay-warningsverb 3
Only difference in a Linux config is the file names!
8/6/2019 Linux Fest 2006
35/90
3535
RoadWarriors CCD FileRoadWarriors CCD File
On the server in /etc/openvpn/clients/
Name is the same as the CN in theclients certificate
#CCD for eastepnc6000.shorewall.net
#Local (server) IP and client IP
ifconfig-push 192.168.2.14 192.168.2.13
#Route to local network
push route 192.168.1.0 255.255.255.0#Route to DNS server
push route 206.124.146.177.255.255.255.255
8/6/2019 Linux Fest 2006
36/90
3636
Wireless BridgeWireless Bridge
Wireless Bridge is
multi-homed: Wireless
Local LAN
8/6/2019 Linux Fest 2006
37/90
3737
Sample Configuration of a BridgedSample Configuration of a Bridged
Server (Wireless Gateway)Server (Wireless Gateway)
Servers Wireless IP address:
192.168.3.254 Wireless Network: 192.168.3.0/24
Local Network: 192.168.1.0/24
Local IP address: 192.168.1.7
Default Gateway: 192.168.1.254 Local Interface: eth0
Server Name: wireless.shorewall.net
8/6/2019 Linux Fest 2006
38/90
3838
Configuration file (Bridged Server)Configuration file (Bridged Server)
dev tap0 #Indicates Bridge with pre-
#created device
local 192.168.3.254 #Server address#Local network plus a pool of
#addresses to assign
server-bridge 192.168.1.7 255.255.255.0 192.168.1.64 192.168.1.71
client-to-client #Server handles client->client
#traffic
dh dh1024.pem #Diffie Hellman Parameters
ca /etc/certs/cacert.pem #CA Certificate
crl-verify /etc/certs/crl.pem #Certificate Revocation List
cert /etc/certs/wireless.pem #Gateways Certificatekey /etc/certs/wireless_key.pem #Gateways Key
port 1194 #Default port #
comp-lzo #Use LZO fast compression
user nobody #drop root priv after
group nogroup #initialization
8/6/2019 Linux Fest 2006
39/90
3939
Bridged Server (continued)Bridged Server (continued)
keepalive 15 45 #ping every 15 seconds#restart if no ping#received in 45 seconds
ping-timer-rem #Dont start ping clock#until we have a client
persist-tun #Dont close/open tun#device during
#ping-restart
persist-key #dont re-read key after
#ping restart
client-config-dir /etc/openvpn/bridge-clients
#Directory where client-
#specific params are keptccd-exclusive #Require client-specific
#params
verb 3 #verbosity of the log
8/6/2019 Linux Fest 2006
40/90
4040
Bridged Server (continued)Bridged Server (continued)
#
# The client supports a redirect-gateway option that redirects
# the default gateway through the VPN. Ive found that to be
# somewhat unreliable whereas this trick works always
#
push route 0.0.0.0 128.0.0.0 192.168.1.254
push route 128.0.0.0 128.0.0.0 192.168.1.254
8/6/2019 Linux Fest 2006
41/90
4141
Bridged Server Creating theBridged Server Creating the
BridgeBridge
See http://www.shorewall.net/Bridge.html
for distribution-specific instructions
/usr/sbin/openvpn --mktun --dev tap0 #create dev
/sbin/brctl addbr br0 #create bridge
/sbin/ip link set tap0 up #Up dev
/sbin/ip link set eth0 up #Up local IF
/sbin/brctl addif br0 tap0 #Add devs to/sbin/brctl addif br0 eth0 #to the bridge
br0 is configured using Distributions tools
http://www.shorewall.net/Bridge.htmlhttp://www.shorewall.net/Bridge.html8/6/2019 Linux Fest 2006
42/90
4242
Sample Configuration for a BridgedSample Configuration for a Bridged
Client (Windows)Client (Windows)dev tap
remote 192.168.3.254
tls-remote wireless.shorewall.nettls-client
explicit-exit-notify
pull
ca "/Program Files/OpenVPN/certs/cacert.pem"
cert E:/easy-rsa/keys/eastepnc6000.crt"
key E:/easy-rsa/keys/eastepnc6000.key"
port 1194
comp-lzoping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
8/6/2019 Linux Fest 2006
43/90
4343
Bridged Clients CCD FileBridged Clients CCD File
On the server in /etc/openvpn/bridged-
clients/
#CCD for eastepnc6000.shorewall.net
#Client IP
ifconfig-push 192.168.1.6 255.255.255.0
8/6/2019 Linux Fest 2006
44/90
DemoDemo
8/6/2019 Linux Fest 2006
45/90
Q&AQ&A
8/6/2019 Linux Fest 2006
46/90
11
OpenVPNOpenVPN
Tom EastepTom Eastep
April 29, 2006April 29, 2006
Linuxfest NWLinuxfest NW
http://www.shorewall.net/LinuxFest2006.pdfhttp://www.shorewall.net/LinuxFest2006.pdf
8/6/2019 Linux Fest 2006
47/90
22
AgendaAgenda About me VPNs
Why do we need them? VPN Software choices Basics Where can they be used?
OpenVPN Overview How to install it How to configure it
Bridge Tunnel
Demo Q&A
8/6/2019 Linux Fest 2006
48/90
33
Tom EastepTom Eastep
Work for Hewlett-Packard Development Company This presentation is my own and is not sponsored or endorsed
by HP
Creator and Maintainer of Shorewall Open source firewall configuration tool for Linux
36+ Years of Software Development and Support
I have no connection to the OpenVPN project I use it Ive added support for it to Shorewall I think that it is really cool
I recommend it enthusiastically I am not an expert
8/6/2019 Linux Fest 2006
49/90
44
VPNs Why do we need them?VPNs Why do we need them?
Secure communication over an insecure network Internet Wireless
In this environment, we need Authentication
Initial authentication (logon)
Continuing to insure that packets are not being tampered with intransit
Confidentiality Protect against eavesdropping
Handling Problem Applications securely
NFS is an example
8/6/2019 Linux Fest 2006
50/90
55
VPN SoftwareVPN Software
Microsoft PPTP (Road-warrior/Telecommuter) IPSEC/L2TP (Road-warrior/Telecommuter)
Industry Standard IPSEC
Developed as part of IPv6
Back-ported to IPv4
A complete IP security framework (not just a VPN solution)
Complex to configure (see my LinuxFest NW 2005 presentation athttp://www.shorewall.net/LinuxFest2005.pdf)
Open Source
Vtun OpenVPN
8/6/2019 Linux Fest 2006
51/90
66
VPN BasicsVPN Basics
VPN software runs on
gateways Traffic is sent
unencrypted fromapplications to thenearest gateway (whichmay be the local system)
Traffic is encrypted andtransmitted to the remotegateway where it isdecrypted and forwardeden clairto the remote
application
Client A
Client B
Gateway A
Gateway B
Unencrypted
Encrypted
Unencrypted
8/6/2019 Linux Fest 2006
52/90
77
VPNs Basics (continued)VPNs Basics (continued)
Under Linux, the VPN software typically createsa Virtual Network Device on each gateway
PPP creates pppn where n=1,2,
Older IPSEC implementations create ipsecn
OpenVPN uses either tunn (routed) or tapn (bridged)
VPN software performs IP configuration of thedevice as part of connection establishment
Routing is used to direct traffic through the VPN
Including the default route in some cases
8/6/2019 Linux Fest 2006
53/90
88
VPNs Where can they be used?VPNs Where can they be used?
Connecting private networks at two ormore locations.
Road-warrior/Telecommuter access toprivate network
Wireless Bridge
8/6/2019 Linux Fest 2006
54/90
99
Connecting Private NetworksConnecting Private Networks
Allows secure communication
between private networks(even those with RFC 1918addresses)
Most straight-forward ifOpenVPN runs on yourgateway firewall but alsoworks with OpenVPN runningon host behind firewall (even ifthat host has a privateaddress).
Seehttp://shorewall.net/OPENVPN.htm
for configuration details
8/6/2019 Linux Fest 2006
55/90
1010
Road-warrior/TelecommuterRoad-warrior/Telecommuter
AccessAccess
Creates a StarTopology
OpenVPN can beconfigured toallow client-clientconnections fromwithin theOpenVPN server.
8/6/2019 Linux Fest 2006
56/90
1111
Wireless BridgeWireless Bridge
Help protect LAN from aWireless Network
VPN clients are assignedIP addresses in the localLAN
Broadcast-basedApplications like gamesand Windows NetworkBrowsing worktransparently
8/6/2019 Linux Fest 2006
57/90
1212
OpenVPN OverviewOpenVPN Overview
Developed and maintained by JamesYonan
Available on a wide range of platforms
Linux
Windows 2000/XP and higher
OpenBSD, FreeBSD and NetBSD
Mac OS X
Solaris
8/6/2019 Linux Fest 2006
58/90
1313
OpenVPN Overview (continued)OpenVPN Overview (continued)
Tunnel any IP subnetwork or virtual ethernetadapter over a single UDP or TCP port
Default is UDP Port 1194
Only use TCP where you cannot use UDP for somereason
Can use all of the encryption, authentication,and certification features of the OpenSSL library
Can use any cipher, key size, or HMAC digest
(for datagram integrity checking) supported bythe OpenSSL Library
8/6/2019 Linux Fest 2006
59/90
1414
OpenVPN Overview (continued)OpenVPN Overview (continued)
You can choose between static-key basedconventional encryption or certificate-basedpublic key encryption
May use static, pre-shared keys or TLS-baseddynamic key exchange
I recommend using TLS (Transport Layer Security)
Includes optional real-time adaptive linkcompression and traffic shaping to manage link
bandwidth utilization
8/6/2019 Linux Fest 2006
60/90
1515
OpenVPN Overview (continued)OpenVPN Overview (continued)
Can tunnel networks through connection-oriented stateful firewalls (like Netfilter)
Works over NAT
Allows creation of secure ethernet bridges usingvirtual tap devices
GUIs for configuration and control available onWindows and Mac OS Also some available for Linux but I havent used them
SuSE 10.1 with NetworkManager canconfigure/control OpenVPN
8/6/2019 Linux Fest 2006
61/90
1616
OpenVPN Overview (continued)OpenVPN Overview (continued)
Good News Requires no kernel patching Bad News Because it is implemented in
user-space, it generates many user/kerneltransitions which limits performance onfast networks.
8/6/2019 Linux Fest 2006
62/90
1717
OpenVPN Overview (continued)OpenVPN Overview (continued)
OpenVPN 1 Point-to-point only either gateway can initiate theconnection
OpenVPN 2 Still supports point-to-point
Also supports server mode (both routed and bridged)and client mode (both routed and bridged)
Server can handle an arbitrary number of clients
Server can be configured to permit client->clientconnectivity
8/6/2019 Linux Fest 2006
63/90
1818
Routed vs. BridgedRouted vs. Bridged
Routed Gateways act as routers
More efficient than bridged (definitely preferred overhigh-latency networks like the Internet)
Generally easier to configure
Gateways virtual network device is assigned an IPaddress in a dedicated VPN network
Routing is used to allow the client to access thenetwork(s) at the remote end.
Encapsulated IP packets are sent between thegateways.
8/6/2019 Linux Fest 2006
64/90
1919
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Bridged VPN connection acts as an Ethernet bridge
(think of it as a Ethernet switch and a reallylong cable)
Harder to set up, especially under Linux(although some distributions such as Debianmake it easier than do others)
8/6/2019 Linux Fest 2006
65/90
2020
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Bridged (continued) Preferred when: Need to handle non-IP protocols like IPX,
You want to preserve IP addresses when you move laptopsfrom the private LAN to the wireless network or to theInternet
You run applications over the VPN which rely on networkbroadcasts (such as LAN games), or
You would like to allow browsing of Windows file sharesacross the VPN without setting up a Samba or WINS server
(weak reason Samba WINS server is trivial to set up)
8/6/2019 Linux Fest 2006
66/90
2121
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Difference between routed & bridged isprimarily on the server side
Routed server routes between the virtualdevice(s) and other devices on the server
Bridged the virtual device is bridgedto oneof the real network devices on the server. Thebridge itself gets the IP configuration
8/6/2019 Linux Fest 2006
67/90
2222
Routed vs. Bridged (continued)Routed vs. Bridged (continued)
Bridged (continued) Remote clients virtual network device is
assigned an IP address in one of the serverslocal networks
Allows the client transparent access to thatlocal network (including broadcasts, otherprotocols like IPX, etc).
Encapsulated Ethernet frames are sentbetween the gateways
8/6/2019 Linux Fest 2006
68/90
2323
Installing OpenVPNInstalling OpenVPN
Linux Install your distributions OpenVPN package
along with any prerequisites.
Note: OpenVPN must be installed and run byroot
Requires OpenSSL
8/6/2019 Linux Fest 2006
69/90
2424
Installing OpenVPN (continued)Installing OpenVPN (continued)
Windows Download the Windows OpenVPN installer fromopenvpn.net.
Run the self-installing .exe on the windows system.The installer also installs the Tap-Win32 driver andcreates a virtual network device for use by OpenVPN.
If you need additional virtual devices, you can run thetapinstall.exe program included with OpenVPN.
Note: OpenVPN must be installed and run by a user
that has administrative privileges.
8/6/2019 Linux Fest 2006
70/90
2525
Installing OpenVPN (continued)Installing OpenVPN (continued)
(Public Key Infrastructure PKI)(Public Key Infrastructure PKI)
Disclaimer: I know just enough aboutPublic Key Encryption to make it work.
OpenVPN includes a toolkit called easy-rsa for establishing your own CertificateAuthority(CA) that can then issue X.509certificates.
Very easy-to-follow instructions in theOpenVPN HOWTO (http://
openvpn.net/howto.html).
8/6/2019 Linux Fest 2006
71/90 2
2626
Installing OpenVPNInstalling OpenVPN
PKI (continued)PKI (continued) You create a CA Certificate and key which can then be
used to sign signing requests which in turn creates newcertificates for your gateways (clients and servers). easy-rsa doesnt encrypt the CA key by default
The CA certificate (but not the CA key) needs to becopied to each gateway (on Windows, you do not needto install the certificates in the Windows certificate store).
Create Diffie Hellman parameters using build-dh script(required for TLS Servers only).
Create an empty Certificate Revocation List (CRL)
Certificates are typically in PEM format although PKCS#12 is appropriate for
Smart Cards. PEM is basically
where DER == Distinguished Encoding Rules (from ANS.1). PKCS == Public
Key Cryptography Standards (RSA Labs).
8/6/2019 Linux Fest 2006
72/90
2727
Installing OpenVPNInstalling OpenVPN
PKI (continued)PKI (continued) I recommend creating a separate certificate for each
gateway (clients and servers); that way, you can revokeif private key lost or stolen.
The gateways certificate and keymust be available onthe gateway to start OpenVPN there.
I dont recommend assigning a password to the key ofthe certificate used on your OpenVPN server if you startyour server using your distributions init scripts.
I strongly recommend assigning a password on clientsystems, especially on laptops.
For added security, you can install the client certificateon a smart card or (as I do), keep it on a USB stick.
8/6/2019 Linux Fest 2006
73/90
2828
Configuring OpenVPNConfiguring OpenVPN
Each running instance of OpenVPNrequires a configuration file. Actually, you can specify the configuration on
the run-line but thats pretty cumbersome.
man openvpn describes the command-linearguments which are prefixed with --.
In the configuration file, the prefix is omitted.
Example:
Command line: --push-route Configuration file: push-route
8/6/2019 Linux Fest 2006
74/90
2929
Configuring OpenVPN (continued)Configuring OpenVPN (continued)
On Windows, configuration files have theextension .ovpn. I place mine in C:\ProgramFiles\OpenVPN\configs\ (default)
On Linux, configuration files have the suffix.config and are generally placed in/etc/openvpn/.
8/6/2019 Linux Fest 2006
75/90
3030
Routed ServerRouted Server
Dual Homed(has twointerfaces)
Internet
LocalNetwork(s)
8/6/2019 Linux Fest 2006
76/90
3131
Example Configuration for aExample Configuration for a
Routed ServerRouted Server
Server: gateway.shorewall.net IP address: 206.124.146.176
VPN Network: 192.168.2.0/24
Because of limitations in the Tap-Win32driver, each client in a routed configurationneeds its own /30 network (4 IP addresses).
In OpenVPN 2.1, if you dont have any
Windows clients, there is an option to avoidthat waste.
8/6/2019 Linux Fest 2006
77/90
3232
Configuration file (Routed Server)Configuration file (Routed Server)
dev tun
local 206.124.146.176 #Servers IP address
server 192.168.2.0 255.255.255.0 #VPN Network
dh dh1024.pem #Diffie-Hellman parameters#Only required on TLS servers
ca /etc/certs/cacert.pem #CA certificate
crl-verify /etc/certs/crl.pem #Certificate Revocation List
cert /etc/certs/gateway.pem #Gateways certificate
key /etc/certs/gateway_key.pem #Gateways key
port 1194 #Default OpenVPN 2.0 Port
comp-lzo #Use fast LZO compression
user nobody #drop root priv after
group nogroup #initialization
8/6/2019 Linux Fest 2006
78/90
3333
Routed Server (continued)Routed Server (continued)
keepalive 15 45 #ping every 15 seconds#restart if no ping#received in 45 seconds
ping-timer-rem #Dont start ping clock#until we have a client
persist-tun #Dont close/open tun#device during
#ping-restart
persist-key #dont re-read key after
#ping restart
client-config-dir /etc/openvpn/clients #Directory where client-
#specific params are kept
ccd-exclusive #Require client-specific
#params
client-to-client #allow client->client
verb 3 #verbosity of the log
8/6/2019 Linux Fest 2006
79/90
3434
Sample Configuration for a RoutedSample Configuration for a Routed
Client (Windows Roadwarrior)Client (Windows Roadwarrior)dev tun #Routedremote gateway.shorewall.net #Servers Nametls-remote gateway.shorewall.net #Common Name in Servers Certificatetls-client #We are a TLS clientexplicit-exit-notify #Notify when we exitpull #Accept servers pushed parametersca "/Program Files/OpenVPN/certs/cacert.pem"cert E:/easy-rsa/keys/eastepnc6000.crt"key E:/easy-rsa/keys/eastepnc6000.key"port 1194comp-lzoping-timer-rempersist-tunpersist-keymute-replay-warningsverb 3
Only difference in a Linux config is the file names!
8/6/2019 Linux Fest 2006
80/90
3535
RoadWarriors CCD FileRoadWarriors CCD File
On the server in /etc/openvpn/clients/ Name is the same as the CN in theclients certificate
#CCD for eastepnc6000.shorewall.net#Local (server) IP and client IPifconfig-push 192.168.2.14 192.168.2.13#Route to local networkpush route 192.168.1.0 255.255.255.0#Route to DNS serverpush route 206.124.146.177.255.255.255.255
8/6/2019 Linux Fest 2006
81/90
3636
Wireless BridgeWireless Bridge
Wireless Bridge ismulti-homed:
Wireless
Local LAN
8/6/2019 Linux Fest 2006
82/90
3737
Sample Configuration of a BridgedSample Configuration of a Bridged
Server (Wireless Gateway)Server (Wireless Gateway)
Servers Wireless IP address:192.168.3.254
Wireless Network: 192.168.3.0/24
Local Network: 192.168.1.0/24
Local IP address: 192.168.1.7
Default Gateway: 192.168.1.254
Local Interface: eth0
Server Name: wireless.shorewall.net
8/6/2019 Linux Fest 2006
83/90
3838
Configuration file (Bridged Server)Configuration file (Bridged Server)
dev tap0 #Indicates Bridge with pre-
#created devicelocal 192.168.3.254 #Server address
#Local network plus a pool of
#addresses to assign
server-bridge 192.168.1.7 255.255.255.0 192.168.1.64 192.168.1.71
client-to-client #Server handles client->client
#traffic
dh dh1024.pem #Diffie Hellman Parameters
ca /etc/certs/cacert.pem #CA Certificate
crl-verify /etc/certs/crl.pem #Certificate Revocation List
cert /etc/certs/wireless.pem #Gateways Certificate
key /etc/certs/wireless_key.pem #Gateways Key
port 1194 #Default port #
comp-lzo #Use LZO fast compression
user nobody #drop root priv aftergroup nogroup #initialization
8/6/2019 Linux Fest 2006
84/90
3939
Bridged Server (continued)Bridged Server (continued)
keepalive 15 45 #ping every 15 seconds#restart if no ping#received in 45 seconds
ping-timer-rem #Dont start ping clock#until we have a client
persist-tun #Dont close/open tun#device during
#ping-restart
persist-key #dont re-read key after
#ping restart
client-config-dir /etc/openvpn/bridge-clients
#Directory where client-
#specific params are kept
ccd-exclusive #Require client-specific
#params
verb 3 #verbosity of the log
8/6/2019 Linux Fest 2006
85/90
4040
Bridged Server (continued)Bridged Server (continued)
#
# The client supports a redirect-gateway option that redirects
# the default gateway through the VPN. Ive found that to be
# somewhat unreliable whereas this trick works always
#
push route 0.0.0.0 128.0.0.0 192.168.1.254
push route 128.0.0.0 128.0.0.0 192.168.1.254
8/6/2019 Linux Fest 2006
86/90
4141
Bridged Server Creating theBridged Server Creating the
BridgeBridge
See http://www.shorewall.net/Bridge.htmlfor distribution-specific instructions
/usr/sbin/openvpn --mktun --dev tap0 #create dev
/sbin/brctl addbr br0 #create bridge
/sbin/ip link set tap0 up #Up dev
/sbin/ip link set eth0 up #Up local IF
/sbin/brctl addif br0 tap0 #Add devs to
/sbin/brctl addif br0 eth0 #to the bridge
br0 is configured using Distributions tools
8/6/2019 Linux Fest 2006
87/90
4242
Sample Configuration for a BridgedSample Configuration for a Bridged
Client (Windows)Client (Windows)dev tap
remote 192.168.3.254tls-remote wireless.shorewall.net
tls-clientexplicit-exit-notifypullca "/Program Files/OpenVPN/certs/cacert.pem"cert E:/easy-rsa/keys/eastepnc6000.crt"key E:/easy-rsa/keys/eastepnc6000.key"port 1194comp-lzoping-timer-rempersist-tunpersist-keymute-replay-warningsverb 3
8/6/2019 Linux Fest 2006
88/90
4343
Bridged Clients CCD FileBridged Clients CCD File
On the server in /etc/openvpn/bridged-clients/
#CCD for eastepnc6000.shorewall.net
#Client IP
ifconfig-push 192.168.1.6 255.255.255.0
8/6/2019 Linux Fest 2006
89/90
4444
DemoDemo
Click to add textClick to add text
8/6/2019 Linux Fest 2006
90/90
4545
Q&AQ&A
Click to add textClick to add text
Top Related