Introduction to OpenVPN for GOLUG

possibledisastrousSecurity

Dec 9, 2013 (3 years and 9 months ago)

77 views

Introduction to OpenVPN for GOLUG
Written and presented by Kevin Korb
September 2,2009
1 What is OpenVPN?
 OpenVPN is an open source software package that is used to create VPN
tunnels to other systems running OpenVPN usually on different networks.
 OpenVPN was originally created as an alternative to IPSEC which was
taking a very long time to standardize and it has been maintained because
it is somewhat easier to setup.
 It is also similar in functionality to commercial closed source VPN prod-
ucts from companies like Cisco.
 OpenVPN can run over UDP or TCP (port 1194 is the default).
 OpenVPN requires OpenSSL and the tun/tap driver from the kernel.
 The openvpn program is both client and server.
 OpenVPN runs on most UNIX and UNIX-like systems such as Linux,
*BSD,and OSX and it has been ported to Windows.
2 What is a VPN?
A VPN is an encrypted authenticated tunnel through an insecure network (such
as the Internet).It operates by encapsulating standard network traffic (HTTP,
DNS,email,ssh,whatever) inside of a single encrypted connection.Anyone
who “sniffs” the network traffic will see nothing but encrypted data.They can
determine the end point IP addresses and they may even be able to tell that
you are using OpenVPN but they will have no idea what data is going through
it or even what underlying protocols are in use.
3 What OpenVPN is good for
There are many potential and creative uses for OpenVPN but I will only cover
the ones I have personal experience with.
1
Afavorite use of OpenVPNis to setup encrypted tunnels for mobile computer
users.OpenVPN can allow themto access internal computer resources as if they
were in the building even if they are in a hotel on the other side of the planet.
The tunnel is both encrypted and authenticated so no sensitive data is exposed
even if there is a trojaned router at the other end sniffing for passwords.This
works even if the systems on both ends have private IP addresses as long as the
OpenVPN client can reach the OpenVPN server and as long as the two networks
involved didn’t happen to pick the same private IP range.
The other most common use is to link multiple corporate offices together.If
a company has multiple locations and each one has an Internet connection they
can use OpenVPN to connect the sites together securely allowing computers
at one site to communicate with computers at the other sites.Since the VPN
would be handled by the routers at the sites the individual desktops would not
have to know about it at all.This is often a cheaper alternative to dedicated
point-to-point connections that are often used to construct a corporate WAN
while the effect is almost the same.
Another common use is to tunnel personal Internet traffic to a point outside
of the network you are on so that your activities can’t be monitored by the
administrators of the network you are plugged into.People often use this to get
around network restrictions imposed by employers or hotels.If you are wanting
to use OpenVPN to circumvent restrictions placed on your computer usage by
your employer I would strongly suggest asking them and checking for written
policies before you jeopardize your job to check your personal email or whatever
it is you are trying to get away with doing at work.
4 OpenVPN Encryption
OpenVPN uses OpenSSL to encrypt all data flowing through the VPN tunnel
(it can compress it too).The default cipher is blowfish (bf-cbc) however it
can use anything that OpenSSL provides.The encryption key lengths are also
configurable.
5 OpenVPN Authentication
Of course all of this is completely insecure if just anyone can connect to your
OpenVPN server and setup a tunnel into your private network.OpenVPN also
uses two different authentication systems.
The most simple authentication system is a pre-shared key file that you give
to each user.If you just have a single laptop that you want to connect to your
network from the outside then this is probably all you need.The disadvantage
of this system is that every user gets the same key file so the only way to revoke
a user’s access is to change the key and give the new one to everyone else.Note
that this is not simply a password it is a file full of random bits generated by
openssl with the key length you specify.
2
The more advanced authentication system is an OpenSSL based public key
system.The VPN administrator creates a private certificate authority (CA) key
then uses that key to sign the SSL certificate of the server and of each authorized
client.The server will allow access to any SSL certificate that is signed by that
CA key.To revoke a user’s access you simply revoke your signature of their key
and the server will no longer accept it.
It is also common practice to use both authentication systems at the same
time.The advantage is that since the simple shared key file system happens
first it prevents the SSL start up overhead from consuming CPU time every
time someone connects to your OpenVPN server without authenticating via the
shared key file.This reduces the chance of a DoS attack against your OpenVPN
service and it reduces the load placed on your server by port scanning,password
guessing,and other attempts to breach your security.There isn’t much more
administrative hassle because most people generate all of the SSL keys on the
VPN server so the shared key is simply one more file to copy to the client (ta.key
in addition to client.*).Since revoked users will still be rejected by the second
layer it isn’t a huge deal that revoked users still have the shared key file.
6 OpenVPN Best Practices
OpenVPN has many different modes some of which are needed only for special
purposes but it is common for new users to pick the specialized mode instead
of the standard one which generally causes them problems.These are the two
biggies:
6.1 TUN vs TAP
OpenVPN can use two different virtual interface drivers which forces two differ-
ent communication models.The tun/routing model is the standard one.This
is where OpenVPN creates a virtual tun interface and routes traffic through it
using the standard kernel routing table (there are ways to make it more com-
plicated if needed).The other model is the tap/bridging model.In tap mode
OpenVPN tunnels Ethernet frames instead of IP packets.This is needed if you
have a special need to tunnel layer 2 traffic (traffic that is addressed to an Eth-
ernet MAC address instead of an IP address).Using the tap interface gives the
illusion that the remote system is plugged into the same Ethernet switch.If you
don’t need this extra capability (very few people do) then you want to use the
standard tun/routing model.
6.2 UDP vs TCP
OpenVPN can use either UDP or TCP for transport (the default port number is
1194 either way but it can always be changed).Many people configure OpenVPN
to use TCP assuming that it will be more reliable over the unreliable Internet.
However,this is almost always a bad idea.When you are running a UDP
3
protocol through the VPN it doesn’t need or want the guarantees of TCP (or
else it wouldn’t be UDP in the first place).When you are running a TCP
protocol through the VPN you end up with two layers of guarantees which
often results in extra retransmissions of packets that are no longer needed or
wanted by the other layer causing increasing delays.Essentially UDP and TCP
are both designed to handle unreliable networks in their own ways and running
them through a guaranteed network is a waste and a conflict.
7 Important files
All of these are generally in/etc/openvpn
server.conf The server’s configuration file.It can be named anything really
and it only needs to be on the server.
client.conf The client’s configuration file.It only needs to be on the client
however many people prefer to store them all on the server using the
client’s name as the file name.
ca.key This is the key file for the SSL Certificate Authority certificate.This is
the secret file that lets you sign certificates to authorize clients.It should
only be on the server or on whatever system you use to generate keys.
ca.crt This is the SSL Certificate Authority certificate.It needs to be on the
server and distributed to all clients.
dh*.pem This is a file generated by OpenSSL and will contain the key length
in the file name.It is only needed by the server but is not secret.
server.crt This is the server’s SSL certificate.It can be named something else
such as the server’s host name.It only needs to be on the server but is
not secret.
server.key This is the private half of the server’s SSL certificate.The file name
will match the crt file listed above.It is secret and should only be on the
server.
client*.crt These are the certificates for the individual clients.They only need
to be on the particular client they are for.They could use any file names.
They are not secret.
client*.key These are the private halves of the individual client certificates.
The file names will match the crt files listed above.They only need to be
on the particular client they are for.They can also be kept in a central
safe place for administrative purposes.They are secret.
ta.key This is the shared key file used for the other authentication system.If
you are using the shared key system it must be on the server and each
client.It is secret but it is a shared secret for all users.
4
8 Further References,Finding Help,and Com-
mon Questions
 The##openvpn IRC channel on freenode.net is often very helpful and
many helpful resources are listed right in the channel topic.If you ask a
question be prepared to pastebin your configuration files.
 The OpenVPN HOWTO is a very good starting point and it includes sam-
ple configuration files with very good comments:http://openvpn.net/howto
 Documentation on routing IP traffic through OpenVPNin both directions:
http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
 Make sure you check your firewall rules as you will have a new interface
to deal with.
 Make sure you enable IP forwarding where needed.
5