
Virtual Private Networking with OpenVPN

Wim Kerkhoff, Fraser Valley Linux Users Group, April 15, 2004

The Basics: What is VPN?

- Short for Virtual Private Network
- Creates a private network over a public medium
- Typically used for encrypting/securing traffic sent across the Internet between two locations
- Can also be used for single hosts on a LAN (even a wireless one)
- Nobody with access to the public network can see the traffic moving through the VPN: it looks like garbage
FVLUG/OpenVPN presentation, April 2004 Wim Kerkhoff 2

What does OpenVPN offer?

- It's open source (GPL), flexible, and easy to set up
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port
- Cross platform (Linux, *BSD/OS X, Windows 2000/XP, Solaris)
- Encryption provided via OpenSSL: tons of options, ciphers, etc.
- Can use a 2048-bit shared key or digital certificates (PKI)
- Compression, traffic shaping
- Works nicely with restrictive firewalls

How is OpenVPN different from other VPN packages?

- Only open source package that uses SSL
- Doesn't need a special kernel module, unlike FreeS/WAN; only the generic TAP/TUN driver is needed
- Very portable
- Easy: lots of configuration examples
- Traffic shaping per tunnel
- Can support hundreds of tunnels
- User-space: can co-exist with other networking packages, e.g. IPsec
- Can connect through an HTTP proxy
- Easier to set up on non-Win32 systems than PPTP

Modes

Routed
- IP tunnels (layer 3)
- More efficient than bridged Ethernet tunnels
- Easier to configure

Bridged
- Ethernet tunnels (layer 2)
- Can tunnel IP and non-IP traffic: IPX, NetBEUI, etc.
- Both sides of the VPN see network broadcasts
- Required for some LAN games

Routed IP Tunnels

Possible topologies:
- Network <-> Network
- Network <-> Host
- Host <-> Network
- Host <-> Host

- When doing VPNs with networks, an iptables script will have to be created to set up IP masquerading and some firewalling rules
- Uses TUN mode
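An added example of the iptables script this slide calls for (it is not from the presentation), for a Linux gateway at one end of a routed network-to-network tunnel. Assumed names: eth0 is the public interface, eth1 the local LAN, tun0 the OpenVPN tunnel, 192.168.1.0/24 the local LAN, 192.168.2.0/24 the remote LAN, and UDP 1194 the OpenVPN port; forwarding across the tunnel is limited to those two subnets, and only LAN-to-Internet traffic is masqueraded.

```shell
#!/bin/sh
# Added example, not from the presentation: the iptables script a routed
# (TUN) network-to-network OpenVPN gateway needs on Linux.
# Assumed interface and address names (change to match the site):
#   eth0 = public/Internet side, eth1 = local LAN, tun0 = OpenVPN tunnel
#   192.168.1.0/24 = this office's LAN, 192.168.2.0/24 = remote office's LAN
#   UDP 1194 = the port OpenVPN listens on
WAN=eth0
LAN=eth1
VPN=tun0
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.2.0/24
OVPN_PORT=1194
: "${DRY_RUN:=0}"   # DRY_RUN=1 prints the commands instead of executing them

# Runs a command, or just echoes it when previewing.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

vpn_firewall() {
    # Routed mode needs kernel IP forwarding; bridged (TAP) mode does not.
    run sysctl -w net.ipv4.ip_forward=1
    # Default-deny forwarding: the rules below are the only paths between networks.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Accept the OpenVPN port on the public interface so the daemon can be reached.
    ipt -A INPUT -i "$WAN" -p udp --dport "$OVPN_PORT" -j ACCEPT
    # Forward traffic across the tunnel only between the two private networks.
    ipt -A FORWARD -i "$LAN" -o "$VPN" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    ipt -A FORWARD -i "$VPN" -o "$LAN" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # IP masquerading: LAN hosts go out to the Internet as the gateway's address,
    # and only replies come back in. Tunnel traffic leaves via tun0, so it is not NATed.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LOCAL_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -j MASQUERADE
}

# "preview" shows what would run; "apply" needs root on the gateway.
case "${1:-}" in
    preview) DRY_RUN=1 vpn_firewall ;;
    apply)   vpn_firewall ;;
esac
```

Run it with `preview` first to read the generated rules, then `apply` as root once the interface names and subnets match the gateway.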

Bridged Ethernet Tunnel

- Really just operates like a transparent Ethernet bridge; hence no special iptables, NAT magic, or routing is required
- Uses TAP mode
- Bridge tools (brctl) are required
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0, then assign an IP to br0

OpenVPN on Windows XP/2000

- Double-click installer
- Can be configured as a Windows service that starts on boot
- Some simple configuration changes in the .ovpn config file
- Just need to put the shared key or certificates in

OpenVPN 2.0 Beta Series

- Can handle multiple UDP clients using a single UDP port
- Can support thousands of clients, depending on hardware and network connection
- Has a DHCP-like mechanism to push/pull specific settings to clients
- Better multithreading/SMP support
- Can run with least privileges

Beyond OpenVPN 2.0

- True point-to-multipoint
- Use a dynamic routing protocol to route through a larger and more complicated VPN cloud
- Reduces the need to route through a central server/office to access a system in another branch office


Conclusions

- Definitely the way to go for anything VPN using Windows clients
- Way easier to set up than IPsec on either Windows or Linux
- Stable/reliable

OpenVPN website: http://openvpn.sf.net
