Book Image

OpenVPN 2 Cookbook

Book Image

OpenVPN 2 Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
OpenVPN 2 Cookbook
Feb, 2011 | 356 pages
No titles found
Table of Contents (19 chapters)
OpenVPN 2 Cookbook
OpenVPN 2 Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
Shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command-line
Complete site-to-site setup
3-way routing
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
Simple configuration
Server-side routing
Using 'client-config-dir' files
Routing: subnets on both sides
Redirecting the default gateway
Using an 'ifconfig-pool' block
Using the status file
Management interface
Proxy-arp
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration—non-bridged
Enabling client-to-client traffic
Bridging—Linux
Bridging—Windows
Checking broadcast and non-IP traffic
External DHCP server
Using the status file
Management interface
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
xCA: a GUI for managing a PKI (Part 1)
xCA : a GUI for managing a PKI (Part 2)
OpenSSL tricks: x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs: stacking, using --capath
5
Two-factor Authentication with PKCS#11
Two-factor Authentication with PKCS#11
Introduction
Initializing a hardware token
Getting a hardware token ID
Using a hardware token
Using the management interface to list PKCS#11 certificates
Selecting a PKCS#11 certificate using the management interface
Generating a key on the hardware token
Private method for getting a PKCS#11 certificate
Pin caching example
6
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Windows login greeter
Using client-connect/client-disconnect scripts
Using a 'learn-address' script
Using a 'tls-verify' script
Using an 'auth-user-pass-verify' script
Script order
Script security and logging
Using the 'down-root' plugin
Using the PAM authentication plugin
7
Troubleshooting OpenVPN: Configurations
Troubleshooting OpenVPN: Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting 'client-config-dir' issues
How to read the OpenVPN log files
8
Troubleshooting OpenVPN: Routing
Troubleshooting OpenVPN: Routing
Introduction
The missing return route
Missing return routes when 'iroute' is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Troubleshooting client-to-client traffic routing
Understanding the 'MULTI: bad source' warnings
Failure when redirecting the default gateway
9
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using 'ping'
Optimizing performance using 'iperf'
OpenSSL cipher speed
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
10
OS Integration
OS Integration
Introduction
Linux: using NetworkManager
Linux: using 'pull-resolv-conf'
MacOS: using Tunnelblick
Windows Vista/7: elevated privileges
Windows: using the CryptoAPI store
Windows: updating the DNS cache
Windows: running OpenVPN as a service
Windows: public versus private network adapters
Windows: routing methods
11
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
Using dyndns
IP-less setups (ifconfig-noexec)
12
New Features of OpenVPN 2.1 and 2.2
New Features of OpenVPN 2.1 and 2.2
Introduction
Inline certificates
Connection blocks
Port sharing with an HTTPS server
Routing features: redirect-private, allow-pull-fqdn
Handing out the public IPs
OCSP support
New for 2.2: the 'x509_user_name' parameter
Index
Index

Generating a key on the hardware token

In this recipe, we will generate a private key on the hardware token itself, after which we generate a certificate to match this private key. For security-sensitive purposes, this is one of the safest ways to generate a certificates/private-key pair, as the private key cannot be copied off the hardware token. It also means that if the hardware token fails or is stolen then the private key and corresponding certificate are lost.

Getting ready

Keep the hardware token from the previous recipe at hand. In this recipe the computer used was running Fedora 12 Linux, pcsc-lite 1.5.2, opensc-0.11.12, engine_pkcs11 0.1.4 and PKI Client 5.00, but the commands used should work with other PKCS#11 libraries as well. The engine_pkcs11 library is the "engine" interface between the openssl command and a PKCS#11 driver. This package can be found on the OpenSC project website for Linux, Windows, and Mac OS X.

How to do it...

The easy-rsa scripts that are supplied with OpenVPN...

Previous Section
End of Section 8
Next Section