OpenVPN Cookbook - Second Edition

OpenVPN Cookbook - Second Edition

By : Jan Just Keijser

Buy this Book

OpenVPN Cookbook - Second Edition

By: Jan Just Keijser

Buy this Book

Overview of this book

OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, and supporting alternative authentication methods via OpenVPN’s plugin module interface. This book provides you with many different recipes to help you set up, monitor, and troubleshoot an OpenVPN network. You will learn to configure a scalable, load-balanced VPN server farm that can handle thousands of dynamic connections from incoming VPN clients. You will also get to grips with the encryption, authentication, security, extensibility, and certifications features of OpenSSL. You will also get an understanding of IPv6 support and will get a demonstration of how to establish a connection via IPv64. This book will explore all the advanced features of OpenVPN and even some undocumented options, covering all the common network setups such as point-to-point networks and multi-client TUN-style and TAP-style networks. Finally, you will learn to manage, secure, and troubleshoot your virtual private networks using OpenVPN 2.4.

OpenVPN Cookbook - Second Edition

Credits

About the Author

About the Reviewer

www.PacktPub.com

Customer Feedback

Preface

Free Chapter

Point-to-Point Networks

Introduction

The shortest setup possible

OpenVPN secret keys

Multiple secret keys

Plaintext tunnel

Routing

Configuration files versus the command line

Complete site-to-site setup

Three-way routing

Using IPv6

Client-server IP-only Networks

Introduction

Setting up the public and private keys

A simple configuration

Server-side routing

Adding IPv6 support

Using client-config-dir files

Routing - subnets on both sides

Redirecting the default gateway

Redirecting the IPv6 default gateway

Using an ifconfig-pool block

Using the status file

The management interface

Proxy ARP

Client-server Ethernet-style Networks

Introduction

Simple configuration - non-bridged

Enabling client-to-client traffic

Bridging - Linux

Bridging- Windows

Checking broadcast and non-IP traffic

An external DHCP server

Using the status file

The management interface

Integrating IPv6 into TAP-style networks

PKI, Certificates, and OpenSSL

Introduction

Certificate generation

OpenSSL tricks - x509, pkcs12, verify output

Revoking certificates

The use of CRLs

Checking expired/revoked certificates

Intermediary CAs

Multiple CAs - stacking, using the capath directive

Determining the crypto library to be used

Crypto features of OpenSSL and PolarSSL

Pushing ciphers

Elliptic curve support

Scripting and Plugins

Introduction

Using a client-side up/down script

Using a client-connect script

Using a learn-address script

Using a tls-verify script

Using an auth-user-pass-verify script

Script order

Script security and logging

Scripting and IPv6

Using the down-root plugin

Using the PAM authentication plugin

Troubleshooting OpenVPN - Configurations

Introduction

Cipher mismatches

TUN versus TAP mismatches

Compression mismatches

Key mismatches

Troubleshooting MTU and tun-mtu issues

Troubleshooting network connectivity

Troubleshooting client-config-dir issues

Troubleshooting multiple remote issues

Troubleshooting bridging issues

How to read the OpenVPN log files

Troubleshooting OpenVPN - Routing

Introduction

The missing return route

Missing return routes when iroute is used

All clients function except the OpenVPN endpoints

Source routing

Routing and permissions on Windows

Unable to change Windows network location

Troubleshooting client-to-client traffic routing

Understanding the MULTI: bad source warnings

Failure when redirecting the default gateway

Performance Tuning

Introduction

Optimizing performance using ping

Optimizing performance using iperf

Comparing IPv4 and IPv6 speed

OpenSSL cipher speed

OpenVPN in Gigabit networks

Compression tests

Traffic shaping

Tuning UDP-based connections

Tuning TCP-based connections

Analyzing performance using tcpdump

OS Integration

Introduction

Linux - using NetworkManager

Linux - using pull-resolv-conf

Windows - elevated privileges

Windows - using the CryptoAPI store

Windows - updating the DNS cache

Windows - running OpenVPN as a service

Windows - public versus private network adapters

Windows - routing methods

Windows 8+ - ensuring DNS lookups are secure

Android - using the OpenVPN for Android clients

Push-peer-info - pushing options to Android clients

Advanced Configuration

Introduction

Including configuration files in config files

Multiple remotes and remote-random

Inline certificates

Connection blocks

Details of ifconfig-pool-persist

Connecting using a SOCKS proxy

Connecting via an HTTP proxy

Connecting via an HTTP proxy with authentication

IP-less setups - ifconfig-noexec

Port sharing with an HTTPS server

Routing features - redirect-private, allow-pull-fqdn

Filtering out pushed options

Handing out the public IPs

Customer Reviews

5 star

4 star

3 star

2 star

1 star

OpenVPN secret keys

This recipe uses OpenVPN secret keys to secure the VPN tunnel. It is very similar to the previous recipe, but this time, we will use a shared secret key to encrypt the traffic between the client and the server.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10.

How to do it...

First, generate a secret key on the server (listener):

          [root@server]# openvpn --genkey --secret secret.key

Transfer this key to the client side over a secure channel (for example, using scp).

Next, launch the server-side (listening) OpenVPN process:

          [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
            --dev tun --secret secret.key

Then, launch the client-side OpenVPN process:

         [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
           --ifconfig 10.200.0.2 10.200.0.1 \
           --dev tun --secret secret.key \
           --remote openvpnserver.example.com

The connection is now established, as shown in the following screenshot:

How it works...

This example works exactly as the first one: the server listens to the incoming connections on UDP port 1194. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (Peer address) to be 10.200.0.2. The client does the opposite.

There's more...

By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:

A cipher key to encrypt the contents of the packets being exchanged.
An HMAC key to sign packets. When packets arrive that are not signed using the appropriate HMAC key, they are dropped immediately. This is the first line of defense against a "denial-of-service" attack.
The same set of keys are used on both ends and both keys are derived from the file specified using the --secret parameter.

An OpenVPN secret key file is formatted as follows:

# 
# 2048 bit OpenVPN static key 
# 
-----BEGIN OpenVPN Static key V1----- 
<16 lines of random bytes> 
-----END OpenVPN Static key V1-----

From the random bytes, the OpenVPN Cipher and HMAC keys are derived. Note that these keys are the same for each session.

OpenVPN Cookbook - Second Edition

By : Jan Just Keijser

OpenVPN Cookbook - Second Edition

By: Jan Just Keijser

Overview of this book

Related Content you might be interested in

Current Title:

OpenVPN Cookbook - Second Edition

Troubleshooting OpenVPN

Demystifying Cryptography with OpenSSL 3.0

OpenVPN secret keys

Getting ready

How to do it...

How it works...

There's more...

See also