Book Image

Mastering OpenVPN

By : Jan Just Keijser, Eric F Crist
Book Image

Mastering OpenVPN

By: Jan Just Keijser, Eric F Crist

Overview of this book

Security on the internet is increasingly vital to both businesses and individuals. Encrypting network traffic using Virtual Private Networks is one method to enhance security. The internet, corporate, and “free internet” networks grow more hostile every day. OpenVPN, the most widely used open source VPN package, allows you to create a secure network across these systems, keeping your private data secure. The main advantage of using OpenVPN is its portability, which allows it to be embedded into several systems. This book is an advanced guide that will help you build secure Virtual Private Networks using OpenVPN. You will begin your journey with an exploration of OpenVPN, while discussing its modes of operation, its clients, its secret keys, and their format types. You will explore PKI: its setting up and working, PAM authentication, and MTU troubleshooting. Next, client-server mode is discussed, the most commonly used deployment model, and you will learn about the two modes of operation using "tun" and "tap" devices. The book then progresses to more advanced concepts, such as deployment scenarios in tun devices which will include integration with back-end authentication, and securing your OpenVPN server using iptables, scripting, plugins, and using OpenVPN on mobile devices and networks. Finally, you will discover the strengths and weaknesses of the current OpenVPN implementation, understand the future directions of OpenVPN, and delve into the troubleshooting techniques for OpenVPN. By the end of the book, you will be able to build secure private networks across the internet and hostile networks with confidence.
Table of Contents (17 chapters)
Mastering OpenVPN
About the Authors
About the Reviewers

Comparison of VPNs

Each of the different VPN technologies has its own characteristics, advantages, and disadvantages. Even though this book is about OpenVPN, there are use-cases where, for example, an IPSec-based VPN is more suitable, depending on the requirement of the users.

Advantages and disadvantages of PPTP

The main advantage of PPTP-based VPNs is that the VPN client software is built into most operating systems. Also, the startup time for configuring and initializing a PPTP VPN connection is quite short.

Disadvantages of PPTP-based VPNs are the lack of security and the lack of configuration options on both the client and server side. Furthermore, the EAP-TLS extension that enables the use of X.509 certificates is fully supported only on Microsoft Windows, although a patch exists for the open source pppd package to enable EAP-TLS support. The pppd package is included in almost every Linux distribution. Also, if one must resort to using EAP-TLS, then the ease of setting up a PPTP VPN is greatly diminished. This is because EAP-TLS requires setting up a public key infrastructure, just like IPSec and OpenVPN.

Another major disadvantage of PPTP is the use of the GRE protocol, which does not integrate well with NAT'ing devices.

Advantages and disadvantages of IPSec

Advantages of the IPSec protocol are its strong security, good support from different vendors and platforms, including xDSL and Wi-Fi routers, as well as the ability to use fine-grained security policies to control the flow of traffic.

The downsides of IPSec are that it is notoriously difficult to configure and troubleshoot, different IPSec implementations from different vendors do not play nicely together, and IPSec does not integrate well with NAT'ted networks. Most notably, it is not recommended, and sometimes not even possible, to run an IPSec server that is on a NAT'ted network.

Advantages and disadvantages of SSL-based VPNs

SSL-based VPNs, or web-based VPNs, have the advantage of there being no or very little client software involved. This makes installation and initialization on the client side very easy.

The disadvantage of a web-based VPN is that it is often not a full-blown VPN and allows access to a single server or set of servers. Also, it is harder to share local data with the remote site or server.

Advantages and disadvantages of OpenVPN

Advantages of OpenVPN are its ease of deployment, its configurability, and the ability to deploy OpenVPN in restricted networks, including NAT'ted networks. Also, OpenVPN includes security features that are as strong as IPSec-based solutions, including hardware token security and support for different user authentication mechanisms.

Disadvantages of OpenVPN are its current lack of scalability and its dependence on the installation of client-side software. Another disadvantage is the lack of a GUI for configuration and management. Notably the tap interface driver for Microsoft Windows has often caused deployment issues when a new version of Windows is released.

History of OpenVPN

OpenVPN was originally written by James Yonan with an initial release, Version 0.90, in 2001 under the GPL. The initial release allowed users to create a simple point-to-point VPN over UDP using the Blowfish cipher and, optionally, the SHA1 HMAC signature. With Version 1.0, TLS-based authentication and key exchange was added along with a man page.

Improvements for OpenVPN 1.x included better TLS support, replay protection, and porting to other operating systems. Some ports included OpenBSD, Mac OS, and better packaging for RedHat. Prior to Version 1.1.1, the tun device had to be configured manually outside OpenVPN. This release added the --ifconfig option, which automatically configured the tun device, greatly simplifying the overall configuration.

The 1.x series was relatively crude compared to the current OpenVPN Version, 2.3.8, as would be expected of a new project. One primary hurdle was the integration of OpenSSL. As OpenSSL was notorious for its poor or completely absent documentation, the developer had to go directly to the source code to integrate the project with OpenVPN. License changes were also required early on to allow the more-specific GNU Public Licensed code to link against the non-GPL OpenSSL library. Those issues were worked out and feature additions were prominently present in the change log throughout the 1.x series.

Some notable updates in the 1.x series include:

  • 2001.05.13 (0.90): This was the initial release

  • 2002.03.23 (1.0): This allowed TLS authentication and key exchange

  • 2002.04.09 (1.1.0): This had a OpenBSD port and OpenSSL linking

  • 2002.04.22 (1.1.1): This had the --ifconfig option

  • 2002.05.22 (1.2.0): This had configuration files (instead of just command-line options, pthread support, and a Solaris port)

  • 2002.07.10 (1.3.0): This had better FreeBSD support and logging improvements

  • 2002.10.23 (1.3.2): This had initial IPv6 support and more FreeBSD improvements

  • 2003.05.07 (1.4.0): This included MTU features

  • 2003.07.24 (1.5-beta1): This had TCP support

  • 2003.11.03 (1.5-beta13): This had support for configuration parameters --http-proxy, --redirect-gateway, and --crl-verify

  • 2004.02.01 (1.6-beta5): This had the SOCKS5 proxy and IPv6 on FreeBSD

  • 2004.05.09 (1.6.0): This is the final 1.x release

OpenVPN 2.0 has seen great advances from the 1.x releases. With 2.0, effort was put in to provide multiclient server instances, improved threading, and a better Windows tun/tap adapter. Development for 2.0 overlapped 1.x for over a year, with initial test releases for 2.0 dating back to November 2003 and the final 1.x release not arriving until May 9, 2004. When it was finally released, 2.0 saw 29 test releases, 20 beta releases, and 21 release candidates over a year and a half of effort (November 2003 to April 2005).

Some key features of the 2.0 release, in comparison to 1.6.0, are as follows:

  • It allows a server instance to accept connections from multiple clients

  • It enables the server-side config option push to clients (--push/--pull)

  • It allows username/password authentication

  • It supports chroot and the downgrading of daemon privileges (--user/--group/--chroot)

  • It supports client connect scripts

  • It has a management interface

  • The inception of Easy-RSA

Development from 2.0 to 2.0.9 mostly consisted of bug fixes and corrections for a few security vulnerabilities. Apart from some sporadic contributions from a few others, OpenVPN was primarily developed by James up to and into the 2.1 release. 2.0.9 remained a stagnant official release from October 2006 until Version 2.1.0 in December 2009.

OpenVPN 2.1 was the first major release with a notable amount of code written by someone other than James Yonan. Alon Bar-Lev has many significant contributions dating back to 2.1-beta3 with many patches for cryptography support and corrections. Considered the first real community release, 2.1 saw much work in the core code base involving the management interface and network addressing. Some notable release notes include the following:

  • 2005.11.12 (2.1-beta7): The ca, cert, key, and dh files could be specified inline in the configuration file.

  • 2006.01.03 (2.1-beta8): The --topology subnet was added.

  • 2006.02.16 (2.1-beta9): Port sharing was allowed so that OpenVPN and HTTPS could share a port.

  • 2008.09.10 (2.1_rc10): Warn if the common or subnets are used. --server-bridge was added for DHCP proxy support.

  • 2010.08.09 (2.1.2): It had a Python-based Windows build system, with improved handling of AUTH_FAIL for the management interface.

  • 2010.11.09 (2.1.4): This was the final release of the 2.1 series.

In August 2008, there had been no official release since 2.0.9. Additionally, there was very little community support apart from the mailing list. There was interest in building a community and Krzee King and Eric Crist pushed to build one around the project. Initially, all effort was directed at supporting users.

As the group of individuals supporting OpenVPN grew, it attracted folks who could write good code. Contact was made with OpenVPN Inc., with the goal to not only provide better levels of support for OpenVPN, but to also build and extend the software James had written, but the efforts of the cooperation were rebuffed.

Talks began on Internet Relay Chat (IRC) which is a communication tool preferred by many developers for porting the project so that advancements could be made. Development began; some members managed IRC and helped on the mailing lists. Others built a source repository, wiki, and a web forum. The average usage was roughly 2 posts per day on the forum and about 8 users on IRC.

In early 2009, OpenVPN technologies hired Samuli Seppänen to help build and interact with the open source community. Samuli has been instrumental in forging a solid relationship between the corporation and the enthusiasts and volunteers. A strong community has been built around the project. Today, the forum averages 16 posts per day (more than 35,000 messages in total), and IRC fluctuates between 150 and 250 users on any given day.

OpenVPN 2.2 was the first release after the switch to a more community-oriented development model. After hashing out a development model and a direction, the community wanted to move with the project and work started right away.

Initially, for OpenVPN 2.2, James was still in overall control of what was merged into the main source tree, as the tree was still managed using subversion at OpenVPN Technologies. Later, the source tree was migrated to GIT and the roles reversed, where James' changes were accepted and merged into the open source project tree.

The notable changes in OpenVPN 2.2 were:

  • SOCKS plaintext authentication

  • Improved platform support for --topology subnet

  • The tap mode on Solaris

  • Windows build compiled with ENABLE_PASSWORD_SAVE enabled

  • Windows IPv6 tun support

  • Client certificates could be omitted with behavior similar to a web browser (--client-cert-not-required)

  • Client certificates could now indicate a separate username instead of using the certificate common name (--x509-username-field)

  • Support was removed for Windows 2000 and earlier

  • 2011.04.26 Version 2.2.0 was released

  • 2011.07.06 Version 2.2.1 was released with minor changes, mostly build/install related

  • 2011.12.22 Version 2.2.2 was released with Windows tap driver changes

OpenVPN 2.3 is the beginning of a major turn in build structure within OpenVPN. The end goal, in a nutshell, is to create a more extensible and plugin-friendly source. With the build for mobile platforms such as Android and iOS already requiring a ground-up rewrite, James and other developers cleaned up older code in favor of more compact and normalized functions. Those rewrites are done in C++, as opposed to the current C language used.

While listed in the change log of past revisions, IPv6 support, both as a payload as well as for transit in OpenVPN, did not really mature until the 2.3 release. The vast majority of the IPv6 contributions were a result of hard work by Gert Döring.

Another important feature of the 2.3 release was the addition of PolarSSL support. PolarSSL is an alternative cryptographic library to OpenSSL and OpenVPN can now be built against either library. This topic is discussed in greater detail later in this chapter.

The list of improvements and additions for the 2.3 release is vast, but the highlights are as follows (the full change log is at

  • Cross-platform IPv6 support (transit AND payload)

  • New plugin API

  • Support for building against PolarSSL, and ground work for other potential alternatives

  • Clients can now inform the server of LZO support, and the server can automatically disable LZO for that client

  • Workaround for local routing conflicts (--client-nat)

  • A new --crl-verify directory mode, files named as common names disable certificates as if they were revoked

  • Certificate UTF-8 support for certificate fields

  • Project split for various subprojects:

    • OpenVPN core project

    • tap-windows

    • Easy-RSA

    • OpenVPN build system

  • Kill client connections from the management interface

Version 2.3.8 was most recent release at the time of writing.