Virtual Private Networking with OpenVPN

Virtual Private Networking
with OpenVPN
Wim Kerkhoff
Fraser Valley Linux Users Group
April 15, 2004
The Basics: What is VPN?
- Short for Virtual Private Network
- Creates a private network over a public medium
- Typically used for encrypting/securing traffic sent across the Internet between two locations
- Can also be used for single hosts on a LAN (even a wireless one)
- Nobody with access to the public network can see the traffic moving through the VPN – it looks like garbage
FVLUG/OpenVPN presentation, April 2004
Wim Kerkhoff
2
What does OpenVPN offer?
- It’s Open Source (GPL), flexible, easy to set up
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port
- Cross platform (Linux, *BSD/OSX, Windows 2000/XP, Solaris)
- Encryption provided via OpenSSL – tons of options/ciphers/etc.
- Can use a 2048 bit shared key or digital certificates (PKI)
- Compression, traffic-shaping
- Works nicely with restrictive firewalls
How is OpenVPN different from other VPN packages?
- Only open source package that uses SSL
- Doesn’t need a special kernel module, unlike FreeS/WAN. Only the generic TAP/TUN driver is needed
- Very portable
- Easy – lots of configuration examples
- Traffic shaping per tunnel
- Can support hundreds of tunnels
- User-space: can co-exist with other networking packages, e.g. IPSec
- Can connect through an HTTP proxy
- Easier to set up on non-Win32 systems than PPTP
Modes
Routed IP tunnels (layer 3)
- More efficient than bridged Ethernet tunnels
- Easier to configure
Bridged Ethernet tunnels (layer 2)
- Can tunnel IP and non-IP traffic (IPX, NetBEUI, etc.)
- Both sides of the VPN see network broadcasts
- Required for some LAN games
Routed IP Tunnels
- Possible topologies:
  Network <-> Network
  Network <-> Host
  Host <-> Network
  Host <-> Host
- When doing VPNs between networks, an iptables script will have to be created to set up IP masquerading and some firewalling rules
- Uses “TUN” mode
Bridged Ethernet tunnel
- Really just operates like a transparent Ethernet bridge. Hence, no special iptables, NAT magic, or routing is required
- Uses “TAP” mode
- Bridge tools (brctl) are required
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0
- Then assign an IP to br0
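A bridge-start script of the kind the slide describes, added here as an example and not taken from the slides or from OpenVPN's own distribution. It assumes the LAN interface is eth1, the TAP device is tap0, the bridge is br0, and uses a constructed address 192.168.1.1/24; set DRY_RUN=1 to print the commands instead of running them (without it the script needs root).

```shell
#!/bin/sh
# Added example: build the br0 bridge out of eth1 and OpenVPN's tap0, then
# give br0 the LAN address. Interface names and the address are assumptions.

: "${DRY_RUN:=0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only sane Linux interface names (1-15 chars, no shell metacharacters),
# so a bad value in a config file cannot turn into a command injection.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# bridge_up LAN_IF TAP_IF BRIDGE ADDR NETMASK BROADCAST
bridge_up() {
    lan="$1"; tap="$2"; br="$3"; addr="$4"; mask="$5"; bcast="$6"
    for i in "$lan" "$tap" "$br"; do
        valid_ifname "$i" || { echo "bad interface name: $i" >&2; return 1; }
    done
    # The TAP device must exist before it can be added to a bridge.
    run openvpn --mktun --dev "$tap"
    run brctl addbr "$br"
    run brctl addif "$br" "$lan"
    run brctl addif "$br" "$tap"
    # Member interfaces carry no IP address of their own; the bridge owns it.
    run ifconfig "$lan" 0.0.0.0 promisc up
    run ifconfig "$tap" 0.0.0.0 promisc up
    run ifconfig "$br" "$addr" netmask "$mask" broadcast "$bcast" up
}

# Example invocation with constructed values: "./bridge-start.sh up".
if [ "${1:-}" = "up" ]; then
    bridge_up eth1 tap0 br0 192.168.1.1 255.255.255.0 192.168.1.255
fi
```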
OpenVPN on Windows XP/2000
- Double-click the installer
- Can be configured as a Windows Service that starts on boot
- Some simple configuration changes in the .ovpn config file
- Just need to put the shared key or certificates in
OpenVPN 2.0 Beta Series
- Can handle multiple UDP clients using a single UDP port
- Can support thousands of clients, depending on hardware and network connection
- Has a DHCP-like mechanism to push/pull specific settings to clients
- Better multithreading/SMP support
- Can run with least privileges
Beyond OpenVPN 2.0
- True point-to-multipoint
- Use a dynamic routing protocol to route through a larger and more complicated VPN cloud
- Reduce the need to route through a central server/office to access a system in another branch office
Conclusions…
- Definitely the way to go for anything VPN using Windows clients
- Way easier to set up than IPSec on either Windows or Linux
- Stable/Reliable
- OpenVPN website: http://openvpn.sf.net