Book Image

OpenVPN Cookbook - Second Edition

By : Jan Just Keijser
Book Image

OpenVPN Cookbook - Second Edition

By: Jan Just Keijser

Overview of this book

OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, and supporting alternative authentication methods via OpenVPN’s plugin module interface. This book provides you with many different recipes to help you set up, monitor, and troubleshoot an OpenVPN network. You will learn to configure a scalable, load-balanced VPN server farm that can handle thousands of dynamic connections from incoming VPN clients. You will also get to grips with the encryption, authentication, security, extensibility, and certifications features of OpenSSL. You will also get an understanding of IPv6 support and will get a demonstration of how to establish a connection via IPv64. This book will explore all the advanced features of OpenVPN and even some undocumented options, covering all the common network setups such as point-to-point networks and multi-client TUN-style and TAP-style networks. Finally, you will learn to manage, secure, and troubleshoot your virtual private networks using OpenVPN 2.4.

Related Content you might be interested in

Current Title:

Small book image
OpenVPN Cookbook - Second Edition
Jan Just Keijser
Feb, 2017 | 400 pages
Small book image
Troubleshooting OpenVPN
Eric F Crist
Mar, 2017 | 178 pages
Small book image
Demystifying Cryptography with OpenSSL 3.0
Alexei Khlebnikov
Oct, 2022 | 342 pages
Table of Contents (17 chapters)
OpenVPN Cookbook - Second Edition
OpenVPN Cookbook - Second Edition
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
The shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command line
Complete site-to-site setup
Three-way routing
Using IPv6
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
A simple configuration
Server-side routing
Adding IPv6 support
Using client-config-dir files
Routing - subnets on both sides
Redirecting the default gateway
Redirecting the IPv6 default gateway
Using an ifconfig-pool block
Using the status file
The management interface
Proxy ARP
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration - non-bridged
Enabling client-to-client traffic
Bridging - Linux
Bridging- Windows
Checking broadcast and non-IP traffic
An external DHCP server
Using the status file
The management interface
Integrating IPv6 into TAP-style networks
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
OpenSSL tricks - x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs - stacking, using the capath directive
Determining the crypto library to be used
Crypto features of OpenSSL and PolarSSL
Pushing ciphers
Elliptic curve support
5
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Using a client-connect script
Using a learn-address script
Using a tls-verify script
Using an auth-user-pass-verify script
Script order
Script security and logging
Scripting and IPv6
Using the down-root plugin
Using the PAM authentication plugin
6
Troubleshooting OpenVPN - Configurations
Troubleshooting OpenVPN - Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting client-config-dir issues
Troubleshooting multiple remote issues
Troubleshooting bridging issues
How to read the OpenVPN log files
7
Troubleshooting OpenVPN - Routing
Troubleshooting OpenVPN - Routing
Introduction
The missing return route
Missing return routes when iroute is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Unable to change Windows network location
Troubleshooting client-to-client traffic routing
Understanding the MULTI: bad source warnings
Failure when redirecting the default gateway
8
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using ping
Optimizing performance using iperf
Comparing IPv4 and IPv6 speed
OpenSSL cipher speed
OpenVPN in Gigabit networks
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
9
OS Integration
OS Integration
Introduction
Linux - using NetworkManager
Linux - using pull-resolv-conf
Windows - elevated privileges
Windows - using the CryptoAPI store
Windows - updating the DNS cache
Windows - running OpenVPN as a service
Windows - public versus private network adapters
Windows - routing methods
Windows 8+ - ensuring DNS lookups are secure
Android - using the OpenVPN for Android clients
Push-peer-info - pushing options to Android clients
10
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Inline certificates
Connection blocks
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
IP-less setups - ifconfig-noexec
Port sharing with an HTTPS server
Routing features - redirect-private, allow-pull-fqdn
Filtering out pushed options
Handing out the public IPs

Three-way routing

For a small number (less than four) of fixed endpoints, a point-to-point setup is very flexible. In this recipe, we set up three OpenVPN tunnels between three sites, including routing between the endpoints. By setting up three tunnels, we create redundant routing so that all the sites are connected even if one of the tunnels is disrupted.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.

We will use the following network layout:

Make sure that the routing (IP forwarding) is configured on all the OpenVPN endpoints.

How to do it...

  1. We generate three static keys:

              [root@siteA]# openvpn --genkey --secret AtoB.key
          [root@siteA]# openvpn --genkey --secret AtoC.key
          [root@siteA]# openvpn --genkey --secret BtoC.key

  2. Transfer these keys to all the endpoints over a secure channel (for example, using scp).

  3. Create the server (listener) configuration file named example1-8-serverBtoA.conf:

            dev tun 
        proto udp 
        port  1194 
 
        secret AtoB.key 0 
        ifconfig 10.200.0.1 10.200.0.2 
 
        route 192.168.4.0 255.255.255.0 vpn_gateway 5 
        route 192.168.6.0 255.255.255.0 vpn_gateway 10 
        route-delay 
 
        keepalive 10 60 
        verb 3

  4. Next, create an example1-8-serverCtoA.conf file:

            dev tun 
        proto udp 
        port  1195 
 
        secret AtoC.key 0 
        ifconfig 10.200.0.5 10.200.0.6 
 
        route 192.168.4.0 255.255.255.0 vpn_gateway 5 
        route 192.168.5.0 255.255.255.0 vpn_gateway 10 
        route-delay 
 
        keepalive 10 60 
        verb 3

  5. Also, create an example1-8-serverBtoC.conf file:

            dev tun 
        proto udp 
        port  1196 
 
        secret BtoC.key 0 
        ifconfig 10.200.0.9 10.200.0.10 
 
        route 192.168.4.0 255.255.255.0 vpn_gateway 10 
        route 192.168.6.0 255.255.255.0 vpn_gateway 5 
        route-delay 
 
        keepalive 10 60 
        verb 3

  6. Now, create the client (connector) configuration files, example1-8-clientAtoB.conf:

            dev tun 
        proto udp 
        remote siteB 
        port  1194 
 
        secret AtoB.key 1 
        ifconfig 10.200.0.2 10.200.0.1 
 
        route 192.168.5.0 255.255.255.0 vpn_gateway 5 
        route 192.168.6.0 255.255.255.0 vpn_gateway 10 
        route-delay 
 
        keepalive 10 60 
        verb 3

  7. Also, create an example1-8-clientAtoC.conf file:

            dev tun 
        proto udp 
        remote siteC 
        port  1195 
 
        secret AtoC.key 1 
        ifconfig 10.200.0.6 10.200.0.5 
 
        route 192.168.5.0 255.255.255.0 vpn_gateway 10 
        route 192.168.6.0 255.255.255.0 vpn_gateway 5 
        route-delay 
 
        verb 3

  8. And finally, create example1-8-clientCtoB.conf:

            dev tun 
        proto udp 
        remote siteB 
        port  1196 
 
        secret BtoC.key 1 
        ifconfig 10.200.0.10 10.200.0.9 
 
        route 192.168.4.0 255.255.255.0 vpn_gateway 10 
        route 192.168.5.0 255.255.255.0 vpn_gateway 5 
        route-delay 
 
        keepalive 10 60 
        verb 3

First, we start all the listener tunnels:

[root@siteB]# openvpn --config example1-8-serverBtoA.conf
[root@siteB]# openvpn --config example1-8-serverBtoC.conf
[root@siteC]# openvpn --config example1-8-serverCtoA.conf

These are followed by the connector tunnels:

[root@siteA]# openvpn --config example1-8-clientAtoB.conf
[root@siteA]# openvpn --config example1-8-clientAtoC.conf
[root@siteC]# openvpn --config example1-8-clientCtoB.conf

And with that, our three-way site-to-site network is established.

How it works...

It can be clearly seen that the number of configuration files gets out of hand too quickly. In principle, two tunnels would have been sufficient to connect three remote sites, but then there would have been no redundancy.

With the third tunnel and with the configuration options, there are always two routes available for each remote network:

route 192.168.5.0 255.255.255.0 vpn_gateway 5
route 192.168.6.0 255.255.255.0 vpn_gateway 10
route-delay
keepalive 10 60

For example, site A has two routes to site B (LAN 192.168.5.0/24), as seen from the following routing table:

[siteA]$ ip route show
[...]
192.168.5.0/24 via 10.200.0.1 dev tun0  metric 5
192.168.5.0/24 via 10.200.0.5 dev tun1  metric 10
[...]

These are the two routes to site A:

  • Via the "direct" tunnel to site B; this route has the lowest metric

  • Via an indirect tunnel: first to site C and then to site B; this route has a higher metric and is not chosen until the first route is down

This setup has the advantage that if one tunnel fails, then after 60 seconds, the connection and its corresponding routes are dropped and restarted. The backup route to the other network then automatically takes over and all three sites can reach each other again.

When the direct tunnel is restored, the direct routes are also restored and the network traffic will automatically choose the best path to the remote site.

There's more...

Let's discuss a bit about scalability and routing protocols.

Scalability

In this recipe, we connect three remote sites. This results in six different configuration files that provide the limitations of the point-to-point setup. In general, to connect n number of possible sites with full redundancy, you will have n * ( n - 1 ) configuration files. This is manageable for up to four sites, but after that, a server/multiple-client setup, as described in the next chapters, is much easier.

Routing protocols

To increase the availability of the networks, it is better to run a routing protocol, such as RIPv2 or OSPF. Using a routing protocol, the failing routes are discovered much faster, resulting in less network downtime.

See also

  • Chapter 7Troubleshooting OpenVPN - Routing, in which the most common routing issues are explained

Previous Section
End of Section 10
Next Section