Linux Fest 2006

8/6/2019 Linux Fest 2006

1/90

OpenVPNOpenVPN

Tom EastepTom Eastep

April 29, 2006April 29, 2006

Linuxfest NWLinuxfest NWhttp://www.shorewall.net/LinuxFest2006.pdfhttp://www.shorewall.net/LinuxFest2006.pdf

8/6/2019 Linux Fest 2006

2/90

22

AgendaAgenda About me VPNs

Why do we need them? VPN Software choices Basics Where can they be used?

OpenVPN Overview How to install it How to configure it

Bridge Tunnel

Demo Q&A

8/6/2019 Linux Fest 2006

3/90

33


Work for Hewlett-Packard Development Company

This presentation is my own and is not sponsored or endorsedby HP

Creator and Maintainer of Shorewall Open source firewall configuration tool for Linux

36+ Years of Software Development and Support

I have no connection to the OpenVPN project I use it

Ive added support for it to Shorewall

I think that it is really cool

I recommend it enthusiastically

I am not an expert

8/6/2019 Linux Fest 2006

4/90

44

VPNs Why do we need them?VPNs Why do we need them?

Secure communication over an insecure network

Internet Wireless

In this environment, we need Authentication

Initial authentication (logon)

Continuing to insure that packets are not being tampered with intransit

Confidentiality Protect against eavesdropping

Handling Problem Applications securely NFS is an example

8/6/2019 Linux Fest 2006

5/90

55

VPN SoftwareVPN Software

Microsoft

PPTP (Road-warrior/Telecommuter) IPSEC/L2TP (Road-warrior/Telecommuter)

Industry Standard IPSEC

Developed as part of IPv6

Back-ported to IPv4

A complete IP security framework (not just a VPN solution)

Complex to configure (see my LinuxFest NW 2005 presentation athttp://www.shorewall.net/LinuxFest2005.pdf)

Open Source Vtun

OpenVPN

8/6/2019 Linux Fest 2006

6/90

66

VPN BasicsVPN Basics

VPN software runs ongateways

Traffic is sentunencrypted fromapplications to thenearest gateway (whichmay be the local system)

Traffic is encrypted andtransmitted to the remote

gateway where it isdecrypted and forwardeden clairto the remoteapplication

Client A

Client B

Gateway A

Gateway B

Unencrypted

Encrypted

Unencrypted

8/6/2019 Linux Fest 2006

7/90

77

VPNs Basics (continued)VPNs Basics (continued)

Under Linux, the VPN software typically creates

a Virtual Network Device on each gateway PPP creates pppn where n=1,2,

Older IPSEC implementations create ipsecn

OpenVPN uses either tunn (routed) or tapn (bridged)

VPN software performs IP configuration of the

device as part of connection establishment Routing is used to direct traffic through the VPN

Including the default route in some cases

8/6/2019 Linux Fest 2006

8/90

88

VPNs Where can they be used?VPNs Where can they be used?

Connecting private networks at two or

more locations.

Road-warrior/Telecommuter access to

private network

Wireless Bridge

8/6/2019 Linux Fest 2006

9/90

99

Connecting Private NetworksConnecting Private Networks

Allows secure communicationbetween private networks

(even those with RFC 1918addresses)

Most straight-forward ifOpenVPN runs on yourgateway firewall but alsoworks with OpenVPN runningon host behind firewall (even ifthat host has a private

address). See

http://shorewall.net/OPENVPN.htmfor configuration details
http://shorewall.net/OPENVPN.htmhttp://shorewall.net/OPENVPN.htm

8/6/2019 Linux Fest 2006

10/90

1010

Road-warrior/TelecommuterRoad-warrior/Telecommuter

AccessAccess

Creates a Star

Topology OpenVPN can be

configured toallow client-clientconnections from

within theOpenVPN server.

8/6/2019 Linux Fest 2006

11/90

1111

Wireless BridgeWireless Bridge

Help protect LAN from a

Wireless Network VPN clients are assigned

IP addresses in the localLAN

Broadcast-basedApplications like games

and Windows NetworkBrowsing worktransparently

8/6/2019 Linux Fest 2006

12/90

1212

OpenVPN OverviewOpenVPN Overview

Developed and maintained by James

Yonan

Available on a wide range of platforms

Linux

Windows 2000/XP and higher

OpenBSD, FreeBSD and NetBSD Mac OS X

Solaris

8/6/2019 Linux Fest 2006

13/90

1313

OpenVPN Overview (continued)OpenVPN Overview (continued)

Tunnel any IP subnetwork or virtual ethernet

adapter over a single UDP or TCP port Default is UDP Port 1194

Only use TCP where you cannot use UDP for somereason

Can use all of the encryption, authentication,

and certification features of the OpenSSL library Can use any cipher, key size, or HMAC digest

(for datagram integrity checking) supported bythe OpenSSL Library

8/6/2019 Linux Fest 2006

14/90

1414


You can choose between static-key based

conventional encryption or certificate-basedpublic key encryption

May use static, pre-shared keys or TLS-baseddynamic key exchange

I recommend using TLS (Transport Layer Security)

Includes optional real-time adaptive linkcompression and traffic shaping to manage linkbandwidth utilization

8/6/2019 Linux Fest 2006

15/90

1515


Can tunnel networks through connection-

oriented stateful firewalls (like Netfilter) Works over NAT

Allows creation of secure ethernet bridges usingvirtual tap devices

GUIs for configuration and control available on

Windows and Mac OS Also some available for Linux but I havent used them SuSE 10.1 with NetworkManager can

configure/control OpenVPN

8/6/2019 Linux Fest 2006

16/90

1616


Good News Requires no kernel patching

Bad News Because it is implemented in

user-space, it generates many user/kernel

transitions which limits performance on

fast networks.

8/6/2019 Linux Fest 2006

17/90

1717


OpenVPN 1

Point-to-point only either gateway can initiate theconnection

OpenVPN 2

Still supports point-to-point

Also supports server mode (both routed and bridged)

and client mode (both routed and bridged) Server can handle an arbitrary number of clients

Server can be configured to permit client->clientconnectivity

8/6/2019 Linux Fest 2006

18/90

1818

Routed vs. BridgedRouted vs. Bridged

Routed

Gateways act as routers More efficient than bridged (definitely preferred over

high-latency networks like the Internet)

Generally easier to configure

Gateways virtual network device is assigned an IPaddress in a dedicated VPN network

Routing is used to allow the client to access thenetwork(s) at the remote end.

Encapsulated IP packets are sent between thegateways.

8/6/2019 Linux Fest 2006

19/90

1919

Routed vs. Bridged (continued)Routed vs. Bridged (continued)

Bridged

VPN connection acts as an Ethernet bridge(think of it as a Ethernet switch and a reallylong cable)

Harder to set up, especially under Linux(although some distributions such as Debian

make it easier than do others)

8/6/2019 Linux Fest 2006

20/90

2020


Bridged (continued)

Preferred when: Need to handle non-IP protocols like IPX,

You want to preserve IP addresses when you move laptops

from the private LAN to the wireless network or to the

Internet

You run applications over the VPN which rely on network

broadcasts (such as LAN games), or

You would like to allow browsing of Windows file shares

across the VPN without setting up a Samba or WINS server

(weak reason Samba WINS server is trivial to set up)

8/6/2019 Linux Fest 2006

21/90

2121


Difference between routed & bridged is

primarily on the server side Routed server routes between the virtual

device(s) and other devices on the server

Bridged the virtual device is bridgedto oneof the real network devices on the server. Thebridge itself gets the IP configuration

8/6/2019 Linux Fest 2006

22/90

2222


Bridged (continued)

Remote clients virtual network device isassigned an IP address in one of the serverslocal networks

Allows the client transparent access to thatlocal network (including broadcasts, other

protocols like IPX, etc).

Encapsulated Ethernet frames are sentbetween the gateways

8/6/2019 Linux Fest 2006

23/90

2323

Installing OpenVPNInstalling OpenVPN

Linux

Install your distributions OpenVPN packagealong with any prerequisites.

Note: OpenVPN must be installed and run byroot

Requires OpenSSL

8/6/2019 Linux Fest 2006

24/90

2424

Installing OpenVPN (continued)Installing OpenVPN (continued)

Windows

Download the Windows OpenVPN installer fromopenvpn.net.

Run the self-installing .exe on the windows system.The installer also installs the Tap-Win32 driver andcreates a virtual network device for use by OpenVPN.

If you need additional virtual devices, you can run thetapinstall.exe program included with OpenVPN.

Note: OpenVPN must be installed and run by a userthat has administrative privileges.

8/6/2019 Linux Fest 2006

25/90

2525


(Public Key Infrastructure PKI)(Public Key Infrastructure PKI)

Disclaimer: I know just enough about

Public Key Encryption to make it work. OpenVPN includes a toolkit called easy-

rsa for establishing your own CertificateAuthority(CA) that can then issue X.509certificates.

Very easy-to-follow instructions in theOpenVPN HOWTO (http://openvpn.net/howto.html).
http://openvpn.net/howto.htmlhttp://openvpn.net/howto.htmlhttp://openvpn.net/howto.htmlhttp://openvpn.net/howto.html

8/6/2019 Linux Fest 2006

26/90

2626


PKI (continued)PKI (continued) You create a CA Certificate and key which can then be

used to sign signing requests which in turn creates newcertificates for your gateways (clients and servers). easy-rsa doesnt encrypt the CA key by default

The CA certificate (but not the CA key) needs to becopied to each gateway (on Windows, you do not needto install the certificates in the Windows certificate store).

Create Diffie Hellman parameters using build-dh script

(required for TLS Servers only). Create an empty Certificate Revocation List (CRL)

8/6/2019 Linux Fest 2006

27/90

2727


PKI (continued)PKI (continued) I recommend creating a separate certificate for each

gateway (clients and servers); that way, you can revokeif private key lost or stolen.

The gateways certificate and keymust be available onthe gateway to start OpenVPN there.

I dont recommend assigning a password to the key ofthe certificate used on your OpenVPN server if you startyour server using your distributions init scripts.

I strongly recommend assigning a password on clientsystems, especially on laptops.

For added security, you can install the client certificateon a smart card or (as I do), keep it on a USB stick.

8/6/2019 Linux Fest 2006

28/90

2828

Configuring OpenVPNConfiguring OpenVPN

Each running instance of OpenVPN

requires a configuration file. Actually, you can specify the configuration on

the run-line but thats pretty cumbersome.

man openvpn describes the command-linearguments which are prefixed with --.

In the configuration file, the prefix is omitted. Example:

Command line: --push-route

Configuration file: push-route

8/6/2019 Linux Fest 2006

29/90

2929

Configuring OpenVPN (continued)Configuring OpenVPN (continued)

On Windows, configuration files have the

extension .ovpn. I place mine in C:\ProgramFiles\OpenVPN\configs\ (default)

On Linux, configuration files have the suffix.config and are generally placed in/etc/openvpn/.

8/6/2019 Linux Fest 2006

30/90

3030

Routed ServerRouted Server

Dual Homed

(has twointerfaces)

Internet

LocalNetwork(s)

8/6/2019 Linux Fest 2006

31/90

3131

Example Configuration for aExample Configuration for a


Server: gateway.shorewall.net

IP address: 206.124.146.176

VPN Network: 192.168.2.0/24

Because of limitations in the Tap-Win32driver, each client in a routed configuration

needs its own /30 network (4 IP addresses). In OpenVPN 2.1, if you dont have any

Windows clients, there is an option to avoidthat waste.

8/6/2019 Linux Fest 2006

32/90

3232

Configuration file (Routed Server)Configuration file (Routed Server)

dev tun

local 206.124.146.176 #Servers IP address

server 192.168.2.0 255.255.255.0 #VPN Network

dh dh1024.pem #Diffie-Hellman parameters

#Only required on TLS servers

ca /etc/certs/cacert.pem #CA certificate

crl-verify /etc/certs/crl.pem #Certificate Revocation List

cert /etc/certs/gateway.pem #Gateways certificate

key /etc/certs/gateway_key.pem #Gateways key

port 1194 #Default OpenVPN 2.0 Port

comp-lzo #Use fast LZO compression

user nobody #drop root priv after

group nogroup #initialization

8/6/2019 Linux Fest 2006

33/90

3333

Routed Server (continued)Routed Server (continued)

keepalive 15 45 #ping every 15 seconds#restart if no ping#received in 45 seconds

ping-timer-rem #Dont start ping clock#until we have a client

persist-tun #Dont close/open tun#device during

#ping-restart

persist-key #dont re-read key after

#ping restart

client-config-dir /etc/openvpn/clients #Directory where client-

#specific params are kept

ccd-exclusive #Require client-specific#params

client-to-client #allow client->client

verb 3 #verbosity of the log

8/6/2019 Linux Fest 2006

34/90

3434

Sample Configuration for a RoutedSample Configuration for a Routed

Client (Windows Roadwarrior)Client (Windows Roadwarrior)dev tun #Routedremote gateway.shorewall.net #Servers Nametls-remote gateway.shorewall.net #Common Name in Servers Certificatetls-client #We are a TLS clientexplicit-exit-notify #Notify when we exitpull #Accept servers pushed parametersca "/Program Files/OpenVPN/certs/cacert.pem"cert E:/easy-rsa/keys/eastepnc6000.crt"key E:/easy-rsa/keys/eastepnc6000.key"port 1194comp-lzoping-timer-rempersist-tun

persist-keymute-replay-warningsverb 3

Only difference in a Linux config is the file names!

8/6/2019 Linux Fest 2006

35/90

3535

RoadWarriors CCD FileRoadWarriors CCD File

On the server in /etc/openvpn/clients/

Name is the same as the CN in theclients certificate

#CCD for eastepnc6000.shorewall.net

#Local (server) IP and client IP

ifconfig-push 192.168.2.14 192.168.2.13

#Route to local network

push route 192.168.1.0 255.255.255.0#Route to DNS server

push route 206.124.146.177.255.255.255.255

8/6/2019 Linux Fest 2006

36/90

3636


Wireless Bridge is

multi-homed: Wireless

Local LAN

8/6/2019 Linux Fest 2006

37/90

3737

Sample Configuration of a BridgedSample Configuration of a Bridged

Server (Wireless Gateway)Server (Wireless Gateway)

Servers Wireless IP address:

192.168.3.254 Wireless Network: 192.168.3.0/24

Local Network: 192.168.1.0/24

Local IP address: 192.168.1.7

Default Gateway: 192.168.1.254 Local Interface: eth0

Server Name: wireless.shorewall.net

8/6/2019 Linux Fest 2006

38/90

3838

Configuration file (Bridged Server)Configuration file (Bridged Server)

dev tap0 #Indicates Bridge with pre-

#created device

local 192.168.3.254 #Server address#Local network plus a pool of

#addresses to assign

server-bridge 192.168.1.7 255.255.255.0 192.168.1.64 192.168.1.71

client-to-client #Server handles client->client

#traffic

dh dh1024.pem #Diffie Hellman Parameters

ca /etc/certs/cacert.pem #CA Certificate


cert /etc/certs/wireless.pem #Gateways Certificatekey /etc/certs/wireless_key.pem #Gateways Key

port 1194 #Default port #

comp-lzo #Use LZO fast compression



8/6/2019 Linux Fest 2006

39/90

3939

Bridged Server (continued)Bridged Server (continued)




#ping-restart


#ping restart

client-config-dir /etc/openvpn/bridge-clients

#Directory where client-

#specific params are keptccd-exclusive #Require client-specific

#params


8/6/2019 Linux Fest 2006

40/90

4040


#

# The client supports a redirect-gateway option that redirects

# the default gateway through the VPN. Ive found that to be

# somewhat unreliable whereas this trick works always

#

push route 0.0.0.0 128.0.0.0 192.168.1.254

push route 128.0.0.0 128.0.0.0 192.168.1.254

8/6/2019 Linux Fest 2006

41/90

4141

Bridged Server Creating theBridged Server Creating the

BridgeBridge

See http://www.shorewall.net/Bridge.html

for distribution-specific instructions

/usr/sbin/openvpn --mktun --dev tap0 #create dev

/sbin/brctl addbr br0 #create bridge

/sbin/ip link set tap0 up #Up dev

/sbin/ip link set eth0 up #Up local IF

/sbin/brctl addif br0 tap0 #Add devs to/sbin/brctl addif br0 eth0 #to the bridge

br0 is configured using Distributions tools
http://www.shorewall.net/Bridge.htmlhttp://www.shorewall.net/Bridge.html

8/6/2019 Linux Fest 2006

42/90

4242

Sample Configuration for a BridgedSample Configuration for a Bridged

Client (Windows)Client (Windows)dev tap

remote 192.168.3.254

tls-remote wireless.shorewall.nettls-client

explicit-exit-notify

pull

ca "/Program Files/OpenVPN/certs/cacert.pem"

cert E:/easy-rsa/keys/eastepnc6000.crt"

key E:/easy-rsa/keys/eastepnc6000.key"

port 1194

comp-lzoping-timer-rem

persist-tun

persist-key

mute-replay-warnings

verb 3

8/6/2019 Linux Fest 2006

43/90

4343

Bridged Clients CCD FileBridged Clients CCD File

On the server in /etc/openvpn/bridged-

clients/


#Client IP

ifconfig-push 192.168.1.6 255.255.255.0

8/6/2019 Linux Fest 2006

44/90

DemoDemo

8/6/2019 Linux Fest 2006

45/90

Q&AQ&A

8/6/2019 Linux Fest 2006

46/90

11

OpenVPNOpenVPN


April 29, 2006April 29, 2006

Linuxfest NWLinuxfest NW

http://www.shorewall.net/LinuxFest2006.pdfhttp://www.shorewall.net/LinuxFest2006.pdf

8/6/2019 Linux Fest 2006

47/90

22

AgendaAgenda About me VPNs

Why do we need them? VPN Software choices Basics Where can they be used?

OpenVPN Overview How to install it How to configure it

Bridge Tunnel

Demo Q&A

8/6/2019 Linux Fest 2006

48/90

33


Work for Hewlett-Packard Development Company This presentation is my own and is not sponsored or endorsed

by HP

Creator and Maintainer of Shorewall Open source firewall configuration tool for Linux

36+ Years of Software Development and Support

I have no connection to the OpenVPN project I use it Ive added support for it to Shorewall I think that it is really cool

I recommend it enthusiastically I am not an expert

8/6/2019 Linux Fest 2006

49/90

44

VPNs Why do we need them?VPNs Why do we need them?

Secure communication over an insecure network Internet Wireless

In this environment, we need Authentication

Initial authentication (logon)

Continuing to insure that packets are not being tampered with intransit

Confidentiality Protect against eavesdropping

Handling Problem Applications securely

NFS is an example

8/6/2019 Linux Fest 2006

50/90

55

VPN SoftwareVPN Software

Microsoft PPTP (Road-warrior/Telecommuter) IPSEC/L2TP (Road-warrior/Telecommuter)

Industry Standard IPSEC

Developed as part of IPv6

Back-ported to IPv4

A complete IP security framework (not just a VPN solution)

Complex to configure (see my LinuxFest NW 2005 presentation athttp://www.shorewall.net/LinuxFest2005.pdf)

Open Source

Vtun OpenVPN

8/6/2019 Linux Fest 2006

51/90

66

VPN BasicsVPN Basics

VPN software runs on

gateways Traffic is sent

unencrypted fromapplications to thenearest gateway (whichmay be the local system)

Traffic is encrypted andtransmitted to the remotegateway where it isdecrypted and forwardeden clairto the remote

application

Client A

Client B

Gateway A

Gateway B

Unencrypted

Encrypted

Unencrypted

8/6/2019 Linux Fest 2006

52/90

77

VPNs Basics (continued)VPNs Basics (continued)

Under Linux, the VPN software typically createsa Virtual Network Device on each gateway

PPP creates pppn where n=1,2,

Older IPSEC implementations create ipsecn

OpenVPN uses either tunn (routed) or tapn (bridged)

VPN software performs IP configuration of thedevice as part of connection establishment

Routing is used to direct traffic through the VPN

Including the default route in some cases

8/6/2019 Linux Fest 2006

53/90

88

VPNs Where can they be used?VPNs Where can they be used?

Connecting private networks at two ormore locations.

Road-warrior/Telecommuter access toprivate network

Wireless Bridge

8/6/2019 Linux Fest 2006

54/90

99

Connecting Private NetworksConnecting Private Networks

Allows secure communication

between private networks(even those with RFC 1918addresses)

Most straight-forward ifOpenVPN runs on yourgateway firewall but alsoworks with OpenVPN runningon host behind firewall (even ifthat host has a privateaddress).

Seehttp://shorewall.net/OPENVPN.htm

for configuration details

8/6/2019 Linux Fest 2006

55/90

1010

Road-warrior/TelecommuterRoad-warrior/Telecommuter

AccessAccess

Creates a StarTopology

OpenVPN can beconfigured toallow client-clientconnections fromwithin theOpenVPN server.

8/6/2019 Linux Fest 2006

56/90

1111


Help protect LAN from aWireless Network

VPN clients are assignedIP addresses in the localLAN

Broadcast-basedApplications like gamesand Windows NetworkBrowsing worktransparently

8/6/2019 Linux Fest 2006

57/90

1212

OpenVPN OverviewOpenVPN Overview

Developed and maintained by JamesYonan

Available on a wide range of platforms

Linux

Windows 2000/XP and higher

OpenBSD, FreeBSD and NetBSD

Mac OS X

Solaris

8/6/2019 Linux Fest 2006

58/90

1313


Tunnel any IP subnetwork or virtual ethernetadapter over a single UDP or TCP port

Default is UDP Port 1194

Only use TCP where you cannot use UDP for somereason

Can use all of the encryption, authentication,and certification features of the OpenSSL library

Can use any cipher, key size, or HMAC digest

(for datagram integrity checking) supported bythe OpenSSL Library

8/6/2019 Linux Fest 2006

59/90

1414


You can choose between static-key basedconventional encryption or certificate-basedpublic key encryption

May use static, pre-shared keys or TLS-baseddynamic key exchange

I recommend using TLS (Transport Layer Security)

Includes optional real-time adaptive linkcompression and traffic shaping to manage link

bandwidth utilization

8/6/2019 Linux Fest 2006

60/90

1515


Can tunnel networks through connection-oriented stateful firewalls (like Netfilter)

Works over NAT

Allows creation of secure ethernet bridges usingvirtual tap devices

GUIs for configuration and control available onWindows and Mac OS Also some available for Linux but I havent used them

SuSE 10.1 with NetworkManager canconfigure/control OpenVPN

8/6/2019 Linux Fest 2006

61/90

1616


Good News Requires no kernel patching Bad News Because it is implemented in

user-space, it generates many user/kerneltransitions which limits performance onfast networks.

8/6/2019 Linux Fest 2006

62/90

1717


OpenVPN 1 Point-to-point only either gateway can initiate theconnection

OpenVPN 2 Still supports point-to-point

Also supports server mode (both routed and bridged)and client mode (both routed and bridged)

Server can handle an arbitrary number of clients

Server can be configured to permit client->clientconnectivity

8/6/2019 Linux Fest 2006

63/90

1818

Routed vs. BridgedRouted vs. Bridged

Routed Gateways act as routers

More efficient than bridged (definitely preferred overhigh-latency networks like the Internet)

Generally easier to configure

Gateways virtual network device is assigned an IPaddress in a dedicated VPN network

Routing is used to allow the client to access thenetwork(s) at the remote end.

Encapsulated IP packets are sent between thegateways.

8/6/2019 Linux Fest 2006

64/90

1919


Bridged VPN connection acts as an Ethernet bridge

(think of it as a Ethernet switch and a reallylong cable)

Harder to set up, especially under Linux(although some distributions such as Debianmake it easier than do others)

8/6/2019 Linux Fest 2006

65/90

2020


Bridged (continued) Preferred when: Need to handle non-IP protocols like IPX,

You want to preserve IP addresses when you move laptopsfrom the private LAN to the wireless network or to theInternet

You run applications over the VPN which rely on networkbroadcasts (such as LAN games), or

You would like to allow browsing of Windows file sharesacross the VPN without setting up a Samba or WINS server

(weak reason Samba WINS server is trivial to set up)

8/6/2019 Linux Fest 2006

66/90

2121


Difference between routed & bridged isprimarily on the server side

Routed server routes between the virtualdevice(s) and other devices on the server

Bridged the virtual device is bridgedto oneof the real network devices on the server. Thebridge itself gets the IP configuration

8/6/2019 Linux Fest 2006

67/90

2222


Bridged (continued) Remote clients virtual network device is

assigned an IP address in one of the serverslocal networks

Allows the client transparent access to thatlocal network (including broadcasts, otherprotocols like IPX, etc).

Encapsulated Ethernet frames are sentbetween the gateways

8/6/2019 Linux Fest 2006

68/90

2323


Linux Install your distributions OpenVPN package

along with any prerequisites.

Note: OpenVPN must be installed and run byroot

Requires OpenSSL

8/6/2019 Linux Fest 2006

69/90

2424


Windows Download the Windows OpenVPN installer fromopenvpn.net.

Run the self-installing .exe on the windows system.The installer also installs the Tap-Win32 driver andcreates a virtual network device for use by OpenVPN.

If you need additional virtual devices, you can run thetapinstall.exe program included with OpenVPN.

Note: OpenVPN must be installed and run by a user

that has administrative privileges.

8/6/2019 Linux Fest 2006

70/90

2525


(Public Key Infrastructure PKI)(Public Key Infrastructure PKI)

Disclaimer: I know just enough aboutPublic Key Encryption to make it work.

OpenVPN includes a toolkit called easy-rsa for establishing your own CertificateAuthority(CA) that can then issue X.509certificates.

Very easy-to-follow instructions in theOpenVPN HOWTO (http://

openvpn.net/howto.html).

8/6/2019 Linux Fest 2006

71/90 2

2626


PKI (continued)PKI (continued) You create a CA Certificate and key which can then be

used to sign signing requests which in turn creates newcertificates for your gateways (clients and servers). easy-rsa doesnt encrypt the CA key by default

The CA certificate (but not the CA key) needs to becopied to each gateway (on Windows, you do not needto install the certificates in the Windows certificate store).

Create Diffie Hellman parameters using build-dh script(required for TLS Servers only).

Create an empty Certificate Revocation List (CRL)

Certificates are typically in PEM format although PKCS#12 is appropriate for

Smart Cards. PEM is basically

where DER == Distinguished Encoding Rules (from ANS.1). PKCS == Public

Key Cryptography Standards (RSA Labs).

8/6/2019 Linux Fest 2006

72/90

2727


PKI (continued)PKI (continued) I recommend creating a separate certificate for each

gateway (clients and servers); that way, you can revokeif private key lost or stolen.

The gateways certificate and keymust be available onthe gateway to start OpenVPN there.

I dont recommend assigning a password to the key ofthe certificate used on your OpenVPN server if you startyour server using your distributions init scripts.

I strongly recommend assigning a password on clientsystems, especially on laptops.

For added security, you can install the client certificateon a smart card or (as I do), keep it on a USB stick.

8/6/2019 Linux Fest 2006

73/90

2828

Configuring OpenVPNConfiguring OpenVPN

Each running instance of OpenVPNrequires a configuration file. Actually, you can specify the configuration on

the run-line but thats pretty cumbersome.

man openvpn describes the command-linearguments which are prefixed with --.

In the configuration file, the prefix is omitted.

Example:

Command line: --push-route Configuration file: push-route

8/6/2019 Linux Fest 2006

74/90

2929

Configuring OpenVPN (continued)Configuring OpenVPN (continued)

On Windows, configuration files have theextension .ovpn. I place mine in C:\ProgramFiles\OpenVPN\configs\ (default)

On Linux, configuration files have the suffix.config and are generally placed in/etc/openvpn/.

8/6/2019 Linux Fest 2006

75/90

3030


Dual Homed(has twointerfaces)

Internet

LocalNetwork(s)

8/6/2019 Linux Fest 2006

76/90

3131

Example Configuration for aExample Configuration for a


Server: gateway.shorewall.net IP address: 206.124.146.176

VPN Network: 192.168.2.0/24

Because of limitations in the Tap-Win32driver, each client in a routed configurationneeds its own /30 network (4 IP addresses).

In OpenVPN 2.1, if you dont have any

Windows clients, there is an option to avoidthat waste.

8/6/2019 Linux Fest 2006

77/90

3232

Configuration file (Routed Server)Configuration file (Routed Server)

dev tun

local 206.124.146.176 #Servers IP address

server 192.168.2.0 255.255.255.0 #VPN Network

dh dh1024.pem #Diffie-Hellman parameters#Only required on TLS servers

ca /etc/certs/cacert.pem #CA certificate


cert /etc/certs/gateway.pem #Gateways certificate

key /etc/certs/gateway_key.pem #Gateways key

port 1194 #Default OpenVPN 2.0 Port

comp-lzo #Use fast LZO compression



8/6/2019 Linux Fest 2006

78/90

3333

Routed Server (continued)Routed Server (continued)




#ping-restart


#ping restart

client-config-dir /etc/openvpn/clients #Directory where client-


ccd-exclusive #Require client-specific

#params

client-to-client #allow client->client


8/6/2019 Linux Fest 2006

79/90

3434

Sample Configuration for a RoutedSample Configuration for a Routed

Client (Windows Roadwarrior)Client (Windows Roadwarrior)dev tun #Routedremote gateway.shorewall.net #Servers Nametls-remote gateway.shorewall.net #Common Name in Servers Certificatetls-client #We are a TLS clientexplicit-exit-notify #Notify when we exitpull #Accept servers pushed parametersca "/Program Files/OpenVPN/certs/cacert.pem"cert E:/easy-rsa/keys/eastepnc6000.crt"key E:/easy-rsa/keys/eastepnc6000.key"port 1194comp-lzoping-timer-rempersist-tunpersist-keymute-replay-warningsverb 3

Only difference in a Linux config is the file names!

8/6/2019 Linux Fest 2006

80/90

3535

RoadWarriors CCD FileRoadWarriors CCD File

On the server in /etc/openvpn/clients/ Name is the same as the CN in theclients certificate

#CCD for eastepnc6000.shorewall.net#Local (server) IP and client IPifconfig-push 192.168.2.14 192.168.2.13#Route to local networkpush route 192.168.1.0 255.255.255.0#Route to DNS serverpush route 206.124.146.177.255.255.255.255

8/6/2019 Linux Fest 2006

81/90

3636


Wireless Bridge ismulti-homed:

Wireless

Local LAN

8/6/2019 Linux Fest 2006

82/90

3737

Sample Configuration of a BridgedSample Configuration of a Bridged

Server (Wireless Gateway)Server (Wireless Gateway)

Servers Wireless IP address:192.168.3.254

Wireless Network: 192.168.3.0/24

Local Network: 192.168.1.0/24

Local IP address: 192.168.1.7

Default Gateway: 192.168.1.254

Local Interface: eth0

Server Name: wireless.shorewall.net

8/6/2019 Linux Fest 2006

83/90

3838

Configuration file (Bridged Server)Configuration file (Bridged Server)

dev tap0 #Indicates Bridge with pre-

#created devicelocal 192.168.3.254 #Server address

#Local network plus a pool of

#addresses to assign

server-bridge 192.168.1.7 255.255.255.0 192.168.1.64 192.168.1.71

client-to-client #Server handles client->client

#traffic

dh dh1024.pem #Diffie Hellman Parameters

ca /etc/certs/cacert.pem #CA Certificate


cert /etc/certs/wireless.pem #Gateways Certificate

key /etc/certs/wireless_key.pem #Gateways Key

port 1194 #Default port #

comp-lzo #Use LZO fast compression

user nobody #drop root priv aftergroup nogroup #initialization

8/6/2019 Linux Fest 2006

84/90

3939





#ping-restart


#ping restart

client-config-dir /etc/openvpn/bridge-clients

#Directory where client-


ccd-exclusive #Require client-specific

#params


8/6/2019 Linux Fest 2006

85/90

4040


#

# The client supports a redirect-gateway option that redirects

# the default gateway through the VPN. Ive found that to be

# somewhat unreliable whereas this trick works always

#

push route 0.0.0.0 128.0.0.0 192.168.1.254

push route 128.0.0.0 128.0.0.0 192.168.1.254

8/6/2019 Linux Fest 2006

86/90

4141

Bridged Server Creating theBridged Server Creating the

BridgeBridge

See http://www.shorewall.net/Bridge.htmlfor distribution-specific instructions

/usr/sbin/openvpn --mktun --dev tap0 #create dev

/sbin/brctl addbr br0 #create bridge

/sbin/ip link set tap0 up #Up dev

/sbin/ip link set eth0 up #Up local IF

/sbin/brctl addif br0 tap0 #Add devs to

/sbin/brctl addif br0 eth0 #to the bridge

br0 is configured using Distributions tools

8/6/2019 Linux Fest 2006

87/90

4242

Sample Configuration for a BridgedSample Configuration for a Bridged

Client (Windows)Client (Windows)dev tap

remote 192.168.3.254tls-remote wireless.shorewall.net

tls-clientexplicit-exit-notifypullca "/Program Files/OpenVPN/certs/cacert.pem"cert E:/easy-rsa/keys/eastepnc6000.crt"key E:/easy-rsa/keys/eastepnc6000.key"port 1194comp-lzoping-timer-rempersist-tunpersist-keymute-replay-warningsverb 3

8/6/2019 Linux Fest 2006

88/90

4343

Bridged Clients CCD FileBridged Clients CCD File

On the server in /etc/openvpn/bridged-clients/


#Client IP

ifconfig-push 192.168.1.6 255.255.255.0

8/6/2019 Linux Fest 2006

89/90

4444

DemoDemo

Click to add textClick to add text

8/6/2019 Linux Fest 2006

90/90

4545

Q&AQ&A

Click to add textClick to add text

Documents

Linux Fest 2006