Book Image

OpenVPN 2 Cookbook

Book Image

OpenVPN 2 Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
OpenVPN 2 Cookbook
Feb, 2011 | 356 pages
No titles found
Table of Contents (19 chapters)
OpenVPN 2 Cookbook
OpenVPN 2 Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
Shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command-line
Complete site-to-site setup
3-way routing
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
Simple configuration
Server-side routing
Using 'client-config-dir' files
Routing: subnets on both sides
Redirecting the default gateway
Using an 'ifconfig-pool' block
Using the status file
Management interface
Proxy-arp
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration—non-bridged
Enabling client-to-client traffic
Bridging—Linux
Bridging—Windows
Checking broadcast and non-IP traffic
External DHCP server
Using the status file
Management interface
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
xCA: a GUI for managing a PKI (Part 1)
xCA : a GUI for managing a PKI (Part 2)
OpenSSL tricks: x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs: stacking, using --capath
5
Two-factor Authentication with PKCS#11
Two-factor Authentication with PKCS#11
Introduction
Initializing a hardware token
Getting a hardware token ID
Using a hardware token
Using the management interface to list PKCS#11 certificates
Selecting a PKCS#11 certificate using the management interface
Generating a key on the hardware token
Private method for getting a PKCS#11 certificate
Pin caching example
6
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Windows login greeter
Using client-connect/client-disconnect scripts
Using a 'learn-address' script
Using a 'tls-verify' script
Using an 'auth-user-pass-verify' script
Script order
Script security and logging
Using the 'down-root' plugin
Using the PAM authentication plugin
7
Troubleshooting OpenVPN: Configurations
Troubleshooting OpenVPN: Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting 'client-config-dir' issues
How to read the OpenVPN log files
8
Troubleshooting OpenVPN: Routing
Troubleshooting OpenVPN: Routing
Introduction
The missing return route
Missing return routes when 'iroute' is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Troubleshooting client-to-client traffic routing
Understanding the 'MULTI: bad source' warnings
Failure when redirecting the default gateway
9
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using 'ping'
Optimizing performance using 'iperf'
OpenSSL cipher speed
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
10
OS Integration
OS Integration
Introduction
Linux: using NetworkManager
Linux: using 'pull-resolv-conf'
MacOS: using Tunnelblick
Windows Vista/7: elevated privileges
Windows: using the CryptoAPI store
Windows: updating the DNS cache
Windows: running OpenVPN as a service
Windows: public versus private network adapters
Windows: routing methods
11
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
Using dyndns
IP-less setups (ifconfig-noexec)
12
New Features of OpenVPN 2.1 and 2.2
New Features of OpenVPN 2.1 and 2.2
Introduction
Inline certificates
Connection blocks
Port sharing with an HTTPS server
Routing features: redirect-private, allow-pull-fqdn
Handing out the public IPs
OCSP support
New for 2.2: the 'x509_user_name' parameter
Index
Index

Using the 'down-root' plugin

OpenVPN supports a plugin architecture, where external plugins can be used to extend the functionality of OpenVPN. Plugins are special modules or libraries that adhere to the OpenVPN Plugin API. One of these plugins is the down-root plugin, which is available only on Linux. This allows the user to run specified commands as user root when OpenVPN shuts down. Normally, the OpenVPN process drops root privileges (if the --user directive is used) for security reasons. While this is a good security measure, it makes it hard to undo some of the actions that an up script can perform, which is run as user root. For this, the down-root plugin was developed. This recipe will demonstrate how the down-root plugin can be used to remove a file that was created by an up script.

Getting ready

Set up the server certificates using the first recipe from Chapter 2, Client-server IP-only. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. No client computer...

Previous Section
End of Section 11
Next Section