Book Image

OpenVPN Cookbook - Second Edition

By : Jan Just Keijser
Book Image

OpenVPN Cookbook - Second Edition

By: Jan Just Keijser

Overview of this book

OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, and supporting alternative authentication methods via OpenVPN’s plugin module interface. This book provides you with many different recipes to help you set up, monitor, and troubleshoot an OpenVPN network. You will learn to configure a scalable, load-balanced VPN server farm that can handle thousands of dynamic connections from incoming VPN clients. You will also get to grips with the encryption, authentication, security, extensibility, and certifications features of OpenSSL. You will also get an understanding of IPv6 support and will get a demonstration of how to establish a connection via IPv64. This book will explore all the advanced features of OpenVPN and even some undocumented options, covering all the common network setups such as point-to-point networks and multi-client TUN-style and TAP-style networks. Finally, you will learn to manage, secure, and troubleshoot your virtual private networks using OpenVPN 2.4.

Related Content you might be interested in

Current Title:

Small book image
OpenVPN Cookbook - Second Edition
Jan Just Keijser
Feb, 2017 | 400 pages
Small book image
Troubleshooting OpenVPN
Eric F Crist
Mar, 2017 | 178 pages
Small book image
Demystifying Cryptography with OpenSSL 3.0
Alexei Khlebnikov
Oct, 2022 | 342 pages
Table of Contents (17 chapters)
OpenVPN Cookbook - Second Edition
OpenVPN Cookbook - Second Edition
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
The shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command line
Complete site-to-site setup
Three-way routing
Using IPv6
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
A simple configuration
Server-side routing
Adding IPv6 support
Using client-config-dir files
Routing - subnets on both sides
Redirecting the default gateway
Redirecting the IPv6 default gateway
Using an ifconfig-pool block
Using the status file
The management interface
Proxy ARP
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration - non-bridged
Enabling client-to-client traffic
Bridging - Linux
Bridging- Windows
Checking broadcast and non-IP traffic
An external DHCP server
Using the status file
The management interface
Integrating IPv6 into TAP-style networks
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
OpenSSL tricks - x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs - stacking, using the capath directive
Determining the crypto library to be used
Crypto features of OpenSSL and PolarSSL
Pushing ciphers
Elliptic curve support
5
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Using a client-connect script
Using a learn-address script
Using a tls-verify script
Using an auth-user-pass-verify script
Script order
Script security and logging
Scripting and IPv6
Using the down-root plugin
Using the PAM authentication plugin
6
Troubleshooting OpenVPN - Configurations
Troubleshooting OpenVPN - Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting client-config-dir issues
Troubleshooting multiple remote issues
Troubleshooting bridging issues
How to read the OpenVPN log files
7
Troubleshooting OpenVPN - Routing
Troubleshooting OpenVPN - Routing
Introduction
The missing return route
Missing return routes when iroute is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Unable to change Windows network location
Troubleshooting client-to-client traffic routing
Understanding the MULTI: bad source warnings
Failure when redirecting the default gateway
8
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using ping
Optimizing performance using iperf
Comparing IPv4 and IPv6 speed
OpenSSL cipher speed
OpenVPN in Gigabit networks
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
9
OS Integration
OS Integration
Introduction
Linux - using NetworkManager
Linux - using pull-resolv-conf
Windows - elevated privileges
Windows - using the CryptoAPI store
Windows - updating the DNS cache
Windows - running OpenVPN as a service
Windows - public versus private network adapters
Windows - routing methods
Windows 8+ - ensuring DNS lookups are secure
Android - using the OpenVPN for Android clients
Push-peer-info - pushing options to Android clients
10
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Inline certificates
Connection blocks
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
IP-less setups - ifconfig-noexec
Port sharing with an HTTPS server
Routing features - redirect-private, allow-pull-fqdn
Filtering out pushed options
Handing out the public IPs

Plaintext tunnel

In the very first recipe, we created a tunnel in which the data traffic was not encrypted. To create a completely plain text tunnel, we also disable the HMAC authentication. This can be useful when debugging a bad connection, as all traffic over the tunnel can now easily be monitored. In this recipe, we will look at how to do this. This type of tunnel is also useful when doing performance measurements, as it is the least CPU-intensive tunnel that can be established.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.

As we are not using any encryption, no secret keys are needed.

How to do it...

  1. Launch the server-side (listening) OpenVPN process:

             [root@server]# openvpn \
            --ifconfig 10.200.0.1 10.200.0.2 \
            --dev tun --auth none

  2. Then launch the client-side OpenVPN process:

             [root@client]# openvpn \
            --ifconfig 10.200.0.2 10.200.0.1 \
            --dev tun --auth none\
            --remote openvpnserver.example.com

  3. The connection will be established with the following two warning messages as the output:

    
... ******* WARNING *******: null cipher specified, no encryption will be 
                      used


... ******* WARNING *******: null MAC specified, no authentication will 
                      be used

How it works...

With this setup, absolutely no encryption is performed. All of the traffic that is sent over the tunnel is encapsulated in an OpenVPN packet and then sent as is.

There's more...

To actually view the traffic, we can use tcpdump; follow these steps:

  1. Set up the connection as outlined.

  2. Start tcpdump and listen on the network interface, not the tunnel interface itself:

           [root@client]# tcpdump -l -w -  -i eth0 -s 0 host 
           openvpnserver | strings

  3. Now, send some text across the tunnel, using something like nc (Netcat). First, launch nc on the server side:

           [server]$ nc -l 31000

  4. On the client side, launch the nc command in client mode and type hello and goodbye:

           [client]$ nc 10.200.0.1 3100
         hello
         goodbye

  5. In the tcpdump window, you should now see the following:

  6. Press CtrlC to terminate tcpdump as well as nc.

Previous Section
End of Section 6
Next Section