Book Image

OpenVPN Cookbook - Second Edition

By : Jan Just Keijser
Book Image

OpenVPN Cookbook - Second Edition

By: Jan Just Keijser

Overview of this book

OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, and supporting alternative authentication methods via OpenVPN’s plugin module interface. This book provides you with many different recipes to help you set up, monitor, and troubleshoot an OpenVPN network. You will learn to configure a scalable, load-balanced VPN server farm that can handle thousands of dynamic connections from incoming VPN clients. You will also get to grips with the encryption, authentication, security, extensibility, and certifications features of OpenSSL. You will also get an understanding of IPv6 support and will get a demonstration of how to establish a connection via IPv64. This book will explore all the advanced features of OpenVPN and even some undocumented options, covering all the common network setups such as point-to-point networks and multi-client TUN-style and TAP-style networks. Finally, you will learn to manage, secure, and troubleshoot your virtual private networks using OpenVPN 2.4.

Related Content you might be interested in

Current Title:

Small book image
OpenVPN Cookbook - Second Edition
Jan Just Keijser
Feb, 2017 | 400 pages
Small book image
Troubleshooting OpenVPN
Eric F Crist
Mar, 2017 | 178 pages
Small book image
Demystifying Cryptography with OpenSSL 3.0
Alexei Khlebnikov
Oct, 2022 | 342 pages
Table of Contents (17 chapters)
OpenVPN Cookbook - Second Edition
OpenVPN Cookbook - Second Edition
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Point-to-Point Networks
Point-to-Point Networks
Introduction
The shortest setup possible
OpenVPN secret keys
Multiple secret keys
Plaintext tunnel
Routing
Configuration files versus the command line
Complete site-to-site setup
Three-way routing
Using IPv6
2
Client-server IP-only Networks
Client-server IP-only Networks
Introduction
Setting up the public and private keys
A simple configuration
Server-side routing
Adding IPv6 support
Using client-config-dir files
Routing - subnets on both sides
Redirecting the default gateway
Redirecting the IPv6 default gateway
Using an ifconfig-pool block
Using the status file
The management interface
Proxy ARP
3
Client-server Ethernet-style Networks
Client-server Ethernet-style Networks
Introduction
Simple configuration - non-bridged
Enabling client-to-client traffic
Bridging - Linux
Bridging- Windows
Checking broadcast and non-IP traffic
An external DHCP server
Using the status file
The management interface
Integrating IPv6 into TAP-style networks
4
PKI, Certificates, and OpenSSL
PKI, Certificates, and OpenSSL
Introduction
Certificate generation
OpenSSL tricks - x509, pkcs12, verify output
Revoking certificates
The use of CRLs
Checking expired/revoked certificates
Intermediary CAs
Multiple CAs - stacking, using the capath directive
Determining the crypto library to be used
Crypto features of OpenSSL and PolarSSL
Pushing ciphers
Elliptic curve support
5
Scripting and Plugins
Scripting and Plugins
Introduction
Using a client-side up/down script
Using a client-connect script
Using a learn-address script
Using a tls-verify script
Using an auth-user-pass-verify script
Script order
Script security and logging
Scripting and IPv6
Using the down-root plugin
Using the PAM authentication plugin
6
Troubleshooting OpenVPN - Configurations
Troubleshooting OpenVPN - Configurations
Introduction
Cipher mismatches
TUN versus TAP mismatches
Compression mismatches
Key mismatches
Troubleshooting MTU and tun-mtu issues
Troubleshooting network connectivity
Troubleshooting client-config-dir issues
Troubleshooting multiple remote issues
Troubleshooting bridging issues
How to read the OpenVPN log files
7
Troubleshooting OpenVPN - Routing
Troubleshooting OpenVPN - Routing
Introduction
The missing return route
Missing return routes when iroute is used
All clients function except the OpenVPN endpoints
Source routing
Routing and permissions on Windows
Unable to change Windows network location
Troubleshooting client-to-client traffic routing
Understanding the MULTI: bad source warnings
Failure when redirecting the default gateway
8
Performance Tuning
Performance Tuning
Introduction
Optimizing performance using ping
Optimizing performance using iperf
Comparing IPv4 and IPv6 speed
OpenSSL cipher speed
OpenVPN in Gigabit networks
Compression tests
Traffic shaping
Tuning UDP-based connections
Tuning TCP-based connections
Analyzing performance using tcpdump
9
OS Integration
OS Integration
Introduction
Linux - using NetworkManager
Linux - using pull-resolv-conf
Windows - elevated privileges
Windows - using the CryptoAPI store
Windows - updating the DNS cache
Windows - running OpenVPN as a service
Windows - public versus private network adapters
Windows - routing methods
Windows 8+ - ensuring DNS lookups are secure
Android - using the OpenVPN for Android clients
Push-peer-info - pushing options to Android clients
10
Advanced Configuration
Advanced Configuration
Introduction
Including configuration files in config files
Multiple remotes and remote-random
Inline certificates
Connection blocks
Details of ifconfig-pool-persist
Connecting using a SOCKS proxy
Connecting via an HTTP proxy
Connecting via an HTTP proxy with authentication
IP-less setups - ifconfig-noexec
Port sharing with an HTTPS server
Routing features - redirect-private, allow-pull-fqdn
Filtering out pushed options
Handing out the public IPs

The shortest setup possible

This recipe will explain the shortest setup possible when using OpenVPN. For this setup, you require two computers that are connected over a network (LAN or Internet). We will use both a TUN-style network and a TAP-style network and will focus on the differences between them. A TUN device is used mostly for VPN tunnels where only IP traffic is used. A TAP device allows all the Ethernet frames to be passed over the OpenVPN tunnel, hence providing support for non-IP based protocols, such as IPX and AppleTalk.

While this may seem useless at first glance, it can be very useful to quickly test whether OpenVPN can connect to a remote system.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.

How to do it...

Here are the steps that you need to follow:

  1. Launch the server-side (listening) OpenVPN process for the TUN-style network:

              [root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
            --dev tun

    Note

    The preceding command should be entered as a single line. The character \ is used to denote the fact that the command continues on the next line.

  2. Then, launch the client-side OpenVPN process:

             [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \
            --ifconfig 10.200.0.2 10.200.0.1 --dev tun \
            --remote openvpnserver.example.com

    The following screenshot shows how a connection is established:

    As soon as the connection is established, we can ping the other end of the tunnel.

  3. Next, stop the tunnel by pressing the F4 function key in the command window and restart both ends of the tunnel using the TAP device.

  4. Launch the server-side (listening) OpenVPN process for the TAP-style network:

    [root@server]# openvpn --ifconfig 10.200.0.1 255.255.255.0 \
        --dev tap

  5. Then launch the client-side OpenVPN process:

              [WinClient] C:\>"
\Program Files\OpenVPN\bin\openvpn.exe" \
            --ifconfig 10.200.0.2 255.255.255.0 --dev tap \
            --remote openvpnserver.example.com

The connection will now be established and we can again ping the other end of the tunnel.

How it works...

The server listens on UDP port 1194, which is the OpenVPN default port for incoming connections. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (the Peer address) to be 10.200.0.2.

The client does the opposite: after the initial handshake, the first TUN or TAP-Win32 device is configured with the IP address 10.200.0.2. It expects the remote end (the Peer address) to be 10.200.0.1. After this, the VPN is established.

Note

Notice the warning:

******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext

Here, the data is not secure: all of the data that is sent over the VPN tunnel can be read!

There's more...

Let's look at a couple of different scenarios and check whether they would modify the process.

Using the TCP protocol

In the previous example, we chose the UDP protocol. It would not have made any difference if we had chosen the TCP protocol, provided that we had done that on the server side (the side without --remote) as well as the client side. The following is the code for doing this on the server side:

[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --proto tcp-server

Here's the code for the client side:

[root@client]# openvpn --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --proto tcp-client --remote openvpnserver.example.com

Forwarding non-IP traffic over the tunnel

With the TAP-style interface, it is possible to run non-IP traffic over the tunnel. For example, if AppleTalk is configured correctly on both sides, we can query a remote host using the aecho command:

aecho openvpnserver
22 bytes from 65280.1: aep_seq=0. time=26. ms
22 bytes from 65280.1: aep_seq=1. time=26. ms
22 bytes from 65280.1: aep_seq=2. time=27. ms

A tcpdump -nnel -i tap0 command shows that the type of traffic is indeed non-IP-based AppleTalk.

Previous Section
End of Section 3
Next Section