Book Image

OpenVPN 2 Cookbook

Book Image

OpenVPN 2 Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
OpenVPN 2 Cookbook
Feb, 2011 | 356 pages
No titles found
Table of Contents (19 chapters)
OpenVPN 2 Cookbook
OpenVPN 2 Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
Shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command-line
Complete site-to-site setup
3-way routing
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
Simple configuration
Server-side routing
Using 'client-config-dir' files
Routing: subnets on both sides
Redirecting the default gateway
Using an 'ifconfig-pool' block
Using the status file
Management interface
Proxy-arp
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration—non-bridged
Enabling client-to-client traffic
Bridging—Linux
Bridging—Windows
Checking broadcast and non-IP traffic
External DHCP server
Using the status file
Management interface
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
xCA: a GUI for managing a PKI (Part 1)
xCA : a GUI for managing a PKI (Part 2)
OpenSSL tricks: x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs: stacking, using --capath
5
Two-factor Authentication with PKCS#11
Two-factor Authentication with PKCS#11
Introduction
Initializing a hardware token
Getting a hardware token ID
Using a hardware token
Using the management interface to list PKCS#11 certificates
Selecting a PKCS#11 certificate using the management interface
Generating a key on the hardware token
Private method for getting a PKCS#11 certificate
Pin caching example
6
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Windows login greeter
Using client-connect/client-disconnect scripts
Using a 'learn-address' script
Using a 'tls-verify' script
Using an 'auth-user-pass-verify' script
Script order
Script security and logging
Using the 'down-root' plugin
Using the PAM authentication plugin
7
Troubleshooting OpenVPN: Configurations
Troubleshooting OpenVPN: Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting 'client-config-dir' issues
How to read the OpenVPN log files
8
Troubleshooting OpenVPN: Routing
Troubleshooting OpenVPN: Routing
Introduction
The missing return route
Missing return routes when 'iroute' is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Troubleshooting client-to-client traffic routing
Understanding the 'MULTI: bad source' warnings
Failure when redirecting the default gateway
9
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using 'ping'
Optimizing performance using 'iperf'
OpenSSL cipher speed
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
10
OS Integration
OS Integration
Introduction
Linux: using NetworkManager
Linux: using 'pull-resolv-conf'
MacOS: using Tunnelblick
Windows Vista/7: elevated privileges
Windows: using the CryptoAPI store
Windows: updating the DNS cache
Windows: running OpenVPN as a service
Windows: public versus private network adapters
Windows: routing methods
11
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
Using dyndns
IP-less setups (ifconfig-noexec)
12
New Features of OpenVPN 2.1 and 2.2
New Features of OpenVPN 2.1 and 2.2
Introduction
Inline certificates
Connection blocks
Port sharing with an HTTPS server
Routing features: redirect-private, allow-pull-fqdn
Handing out the public IPs
OCSP support
New for 2.2: the 'x509_user_name' parameter
Index
Index

Script security and logging

One of the major differences between OpenVPN 2.0 and 2.1 is related to the security when running scripts. With OpenVPN 2.0, all scripts were executed using a 'system' call and the entire set of server environment variables was passed to each script. With OpenVPN 2.1, the script-security configuration directive is introduced and the default for executing scripts is now the execv call, which is more secure. Also, it is wise to log output of your scripts for security reasons. With script logging output, including timestamps, it becomes much easier to track down problems and possible security incidents.

In this recipe, we will focus on the different options for the script-security configuration directive and on the methods to ease the logging of script output.

Getting ready

Install OpenVPN 2.1 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2. For this recipe...

Previous Section
End of Section 10
Next Section