Book Image

OpenVPN 2 Cookbook

Book Image

OpenVPN 2 Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
OpenVPN 2 Cookbook
Feb, 2011 | 356 pages
No titles found
Table of Contents (19 chapters)
OpenVPN 2 Cookbook
OpenVPN 2 Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
Shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command-line
Complete site-to-site setup
3-way routing
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
Simple configuration
Server-side routing
Using 'client-config-dir' files
Routing: subnets on both sides
Redirecting the default gateway
Using an 'ifconfig-pool' block
Using the status file
Management interface
Proxy-arp
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration—non-bridged
Enabling client-to-client traffic
Bridging—Linux
Bridging—Windows
Checking broadcast and non-IP traffic
External DHCP server
Using the status file
Management interface
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
xCA: a GUI for managing a PKI (Part 1)
xCA : a GUI for managing a PKI (Part 2)
OpenSSL tricks: x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs: stacking, using --capath
5
Two-factor Authentication with PKCS#11
Two-factor Authentication with PKCS#11
Introduction
Initializing a hardware token
Getting a hardware token ID
Using a hardware token
Using the management interface to list PKCS#11 certificates
Selecting a PKCS#11 certificate using the management interface
Generating a key on the hardware token
Private method for getting a PKCS#11 certificate
Pin caching example
6
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Windows login greeter
Using client-connect/client-disconnect scripts
Using a 'learn-address' script
Using a 'tls-verify' script
Using an 'auth-user-pass-verify' script
Script order
Script security and logging
Using the 'down-root' plugin
Using the PAM authentication plugin
7
Troubleshooting OpenVPN: Configurations
Troubleshooting OpenVPN: Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting 'client-config-dir' issues
How to read the OpenVPN log files
8
Troubleshooting OpenVPN: Routing
Troubleshooting OpenVPN: Routing
Introduction
The missing return route
Missing return routes when 'iroute' is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Troubleshooting client-to-client traffic routing
Understanding the 'MULTI: bad source' warnings
Failure when redirecting the default gateway
9
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using 'ping'
Optimizing performance using 'iperf'
OpenSSL cipher speed
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
10
OS Integration
OS Integration
Introduction
Linux: using NetworkManager
Linux: using 'pull-resolv-conf'
MacOS: using Tunnelblick
Windows Vista/7: elevated privileges
Windows: using the CryptoAPI store
Windows: updating the DNS cache
Windows: running OpenVPN as a service
Windows: public versus private network adapters
Windows: routing methods
11
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
Using dyndns
IP-less setups (ifconfig-noexec)
12
New Features of OpenVPN 2.1 and 2.2
New Features of OpenVPN 2.1 and 2.2
Introduction
Inline certificates
Connection blocks
Port sharing with an HTTPS server
Routing features: redirect-private, allow-pull-fqdn
Handing out the public IPs
OCSP support
New for 2.2: the 'x509_user_name' parameter
Index
Index

Revoking certificates

A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa script and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2. This recipe was performed on a computer running CentOS 5 Linux, but it can easily be run on Windows or Mac OS.

How to do it...

  1. First, we generate a certificate:

    $ cd /etc/openvpn/cookbook
$ . ./vars
$ ./build-key client4
[…]

  2. Then, we immediately revoke it:

    $ ./revoke-full client4
Using configuration from /etc/openvpn/cookbook/openssl.cnf
Revoking Certificate 08.
Data Base Updated
Using configuration from /etc/openvpn/cookbook/openssl.cnf
client4.crt: /C=NL/O=Cookbook/CN=client4/emailAddress=[...]
error 23 at 0 depth lookup:certificate revoked

  3. This will also update the CRL list. The CRL can be viewed...

Previous Section
End of Section 7
Next Section