
OPENVPN - The Easy Tutorial - Tutorial

http://www.openmaniak.com/openvpn_tutorial.php

OpenVPN Tutorial
Last update: 12-03-2008


INSTALL OPENVPN:

Follow the OpenVPN installation tutorial.

CLIENT/SERVER ARCHITECTURE:

Of the two OpenVPN boxes, you have to declare one as the server and the other as the client. In some scenarios either box can be declared server or client, but in other scenarios you must specifically choose one device as the client and the other as the server. Let us see when.

Before establishing the SSL VPN, the client first reaches the server on a specific port, whereas the server does not need to reach the client. Take the example where you are in a professional environment and want to establish a VPN with a device connected directly to the Internet, say a box at your home. In this frequent case the client can reach the server but not the other way round, because the client is located on a local network and reaches the Internet through a proxy or firewall that substitutes its own IP address, or another one (Hide NAT), for the source IP address. Nevertheless, once the tunnel is created, bi-directional traffic inside it is of course possible.

CONFIGURATION FILE:

Create a file in which to store your OpenVPN configuration. In our example we call this file config.txt and save it in the /home/user/ directory on a Linux/Unix machine or in "C:\Program Files\OpenVPN\config\" on a Microsoft Windows machine. The configuration settings are presented in the next paragraphs.

CLIENT/SERVER DESIGNATION:

SERVER
    # SERVER IP ADDRESS
    # The client WAN IP address is not
    # needed

CLIENT
    # SERVER IP ADDRESS
    remote 100.0.0.1

TUNNEL MODE:

You can choose between an IP (TUN driver) and an Ethernet (TAP driver) tunnel. IP tunneling is also referred to as routing mode, and Ethernet tunneling as bridging mode. Prefer the IP tunnel mode (default setting) unless you need to pass Ethernet traffic such as NetBIOS inside the tunnel.

TUNNEL PORT:

The default source and destination tunneling port is UDP 1194. Keep the default setting unless you need to change it for firewall reasons. Prefer UDP ports: the use of TCP can lead to degraded performance.


2/7/2009 6:33


As the majority of applications use TCP, if you opt for TCP tunneling you will create a TCP over TCP tunnel. This is not recommended because, in case of packet retransmissions on the inner TCP connection, retransmissions will occur in both layers, leading to slow performance such as high response times. Thus prefer the UDP protocol to tunnel your applications since, contrary to TCP, it does not suffer from an error-checking overhead. Read this article to get details about the problems with TCP over TCP tunnels.

SERVER and CLIENT
    # TCP OR UDP TUNNEL
    # TCP tunnel
    proto tcp
    # UDP tunnel is recommended
    proto udp
    # use TCP or UDP but not both
    #
    # TCP OR UDP PORT
    port 1194

FIREWALL SETTINGS:

You must make sure that the OpenVPN client IP address can reach the OpenVPN server IP address on the chosen TCP/UDP port. Here is an example of a security rule that can be implemented on the firewall illustrated in the picture below.

Because of the simplicity of OpenVPN configurations, problems establishing a connection are most often due to IP or port restrictions on the client and/or server side.

ETHERNET/IP TUNNEL:

You can choose to build either Ethernet (bridged) or IP (routed) VPNs with the help of, respectively, the TAP or TUN network drivers. TAP/TUN are available on all platforms and are already bundled with Linux kernels 2.4 and higher. Prefer TUN (default setting) unless you need to pass Ethernet traffic such as NetBIOS inside the VPN.

To check whether the TUN/TAP driver is properly loaded:

    # lsmod | grep tun
    tun                    12672  1

Note that the "tun" driver is also the TAP driver. If you get no output, load the kernel module as follows:

    # modprobe tun

SERVER and CLIENT
    # ETHERNET OR IP TUNNEL
    # "dev tun" will create a routed IP tunnel
    dev tun
    # "dev tap" will create an Ethernet tunnel
    dev tap
    # use "dev tun" or "dev tap" but not both

OPENVPN SECURITY ARCHITECTURE:

Transparent tunnel: OpenVPN just tunnels the data without authentication, confidentiality or integrity. In other words there are no security checks whatsoever, and the data can be read as it passes through the tunnel.

SERVER and CLIENT
    # Client AND Server configs
    # No integrity (hash function
    # algorithm)
    auth none
    # No encryption (cipher algorithm)
    cipher none

Preshared keys: A secret and permanent key is shared between the VPN gateways. First create the preshared key with the preshared key creation tutorial.


SERVER and CLIENT
    # PRESHARED KEYS
    # (the OpenVPN directive for a static key file is "secret";
    # keep only the line that matches your system)
    # Linux system
    secret /home/user/openvpn/key.txt
    # Windows system
    secret "C:\\Program Files\\OpenVPN\\config\\key.txt"

SSL/TLS:

- SSL/TLS server or client:

SERVER
    # SSL/TLS SERVER
    tls-server

CLIENT
    # SSL/TLS CLIENT
    tls-client

- Certificates and public keys: Each device must have its own private and public keys, the latter being included in a certificate. The CA (Certification Authority) certificate must also be held by each OpenVPN device. See the PKI Tutorial to understand the Public Key Infrastructure and learn how to create private keys and certificates.

SERVER
    # CERTIFICATES AND PRIVATE KEY
    # Authority certificate (CA public key);
    # this is the CA certificate file, never the CA private key
    ca ca.crt
    # Server certificate (server public key)
    cert server.crt
    # Server private key
    key server.key

CLIENT
    # CERTIFICATES AND PRIVATE KEY
    # Authority certificate (CA public key)
    ca ca.crt
    # Client certificate (client public key)
    cert client.crt
    # Client private key
    key client.key

- Diffie-Hellman (DH) settings: Once the OpenVPN peers are sure of each other's identity, DH can be used to create a shared secret key for the hash function and the cipher algorithm. By combining its own DH private key with the other OpenVPN box's DH public key, each peer can calculate a shared secret that only the two OpenVPN peers know. See the SSL Tutorial for information on how to create the DH settings.

SERVER
    # Diffie-Hellman settings
    dh dh1024.pem

CLIENT
    # No DH setting on the client
    #

This DH shared secret can be compared to the OpenVPN preshared key. These keys are used by the symmetric cipher and hash function algorithms, as shown in the next two paragraphs.

CIPHER ALGORITHM

- Confidentiality is ensured with symmetric ciphers such as 3DES or AES, which protect the data from being read. The OpenVPN default cipher algorithm is Blowfish. To check the available algorithms:

    # openvpn --show-ciphers
    DES-CBC 64 bit default key (fixed)
    IDEA-CBC 128 bit default key (fixed)
    RC2-CBC 128 bit default key (variable)
    DES-EDE-CBC 128 bit default key (fixed)
    DES-EDE3-CBC 192 bit default key (fixed)
    DESX-CBC 192 bit default key (fixed)
    BF-CBC 128 bit default key (variable)
    RC2-40-CBC 40 bit default key (variable)
    CAST5-CBC 128 bit default key (variable)
    RC5-CBC 128 bit default key (variable)
    RC2-64-CBC 64 bit default key (variable)
    AES-128-CBC 128 bit default key (fixed)
    AES-192-CBC 192 bit default key (fixed)
    AES-256-CBC 256 bit default key (fixed)

SERVER and CLIENT
    # CIPHER ALGORITHM
    cipher AES-256-CBC


CBC, for Cipher Block Chaining, is a cryptographic mode of operation used to encrypt data with a block cipher such as AES, DES or Blowfish. CBC works on small pieces of data instead of processing an entire block at a time; other modes of operation are ECB, OFB and CFB. CBC mode is recommended.

HASH FUNCTION ALGORITHM

- Integrity relies on hash function algorithms to protect the data from being altered. HMAC is often used in combination with SHA1 or MD5. The OpenVPN default hash function is HMAC-SHA1. To check the available algorithms:

    # openvpn --show-digests
    MD2 128 bit digest size
    MD5 128 bit digest size
    RSA-MD2 128 bit digest size
    RSA-MD5 128 bit digest size
    SHA 160 bit digest size
    RSA-SHA 160 bit digest size
    SHA1 160 bit digest size
    RSA-SHA1 160 bit digest size
    DSA-SHA 160 bit digest size
    DSA-SHA1-old 160 bit digest size
    MDC2 128 bit digest size
    RSA-MDC2 128 bit digest size
    DSA-SHA1 160 bit digest size
    RSA-SHA1-2 160 bit digest size
    DSA 160 bit digest size
    RIPEMD160 160 bit digest size
    RSA-RIPEMD160 160 bit digest size
    MD4 128 bit digest size
    RSA-MD4 128 bit digest size

SERVER and CLIENT
    # HASH FUNCTION ALGORITHM
    auth MD5

"openvpn --show-tls" displays the cipher and message authentication code (MAC) used during the SSL/TLS negotiation. They should not be confused with the cipher and MAC used to secure the OpenVPN tunnel itself.

IP ADDRESSES:

Choose the IP addresses you want to use inside the tunnel.

Static IP addresses: In routed mode, two IP addresses (local and remote) within a 30-bit subnet mask (/30) must be chosen. In bridge mode, one IP address for the local OpenVPN box and a subnet mask including the server IP address are chosen.

SERVER
    # IP ADDRESSING
    # IP mode example:
    # Server IP: 10.8.0.1 ; Client IP: 10.8.0.2
    ifconfig 10.8.0.1 10.8.0.2
    # Bridge mode example
    # Server IP: 10.8.0.1
    ifconfig 10.8.0.1 255.255.255.0
    # Use bridged or routed settings but not
    # both
    # Client and Server must use the same
    # tunnel mode

CLIENT
    # IP ADDRESSING
    # IP mode example:
    # Server IP: 10.8.0.1 ; Client IP: 10.8.0.2
    ifconfig 10.8.0.2 10.8.0.1
    # Bridge mode example
    # Client IP: 10.8.0.2
    ifconfig 10.8.0.2 255.255.255.0
    # Use bridged or routed settings but not
    # both
    # Client and Server must use the same
    # tunnel mode

Dynamic IP addresses: In this case the server owns a static IP address and hands out IP addresses to the clients, like a DHCP server.

SERVER
    # DHCP SETTINGS
    # DHCP range
    # Server will take the first IP address
    server 10.8.0.0 255.255.255.0

CLIENT
    # CLIENT ACCEPTS SERVER OPTIONS
    # The client should accept options pushed
    # by the server
    pull

OPTIONAL SETTINGS:

OpenVPN offers a very large number of optional settings. Refer to the OpenVPN man page for assistance.

LOG SETTINGS:

The log verbosity is configured from 0 (minimum) to 15 (maximum). For normal use, verbosity levels 2 and 4 already provide sufficient logs.

    # Verbosity level
    # 0  quiet except for fatal errors.
    # 1  mostly quiet, but displays non-fatal network errors.
    # 3  medium output, good for normal operation.
    # 9  verbose, good for troubleshooting

SERVER and CLIENT
    # LOG VERBOSITY
    # log verbosity setting, 0=min 15=max
    verb 3

OPENVPN USER:

For security reasons it is always better to run software without root privileges. You can drop the OpenVPN daemon's privileges after initialization so that it runs as user "nobody". Another useful security measure is to limit the files OpenVPN can access after initialization with "chroot". Note that these two security settings are available on Linux/UNIX systems but not on Windows. Another reason to prefer open source tools like the Linux OS ...

SERVER and CLIENT
    # OPENVPN SECURITY - Linux only
    # OpenVPN User
    user nobody
    # After initialization, OpenVPN can only
    # access a directory
    # The directory can be empty
    # OpenVPN process limitation
    chroot /etc/openvpn/

LAUNCH OPENVPN:

Use the following syntax to launch OpenVPN:

    # openvpn path-to-config-file

Below are two examples, on Linux and on Windows. The config file is "config.txt":

    Linux:    # openvpn /home/teddybear/openvpn/config.txt
    Windows:  > openvpn "C:\Program Files\OpenVPN\config\config.txt"

LOG CHECK:

The log should end with the following line:

    Initialization Sequence Completed

This indicates that the OpenVPN tunnel has been created successfully.

CONNECTIVITY TESTS:

Ping is the usual utility to check IP connectivity. Each VPN gateway should be able to ping the tunnel IP address of the other. For example, in our scenario we ping the client tunnel IP address from the server:

    ping 10.8.0.2

OPENVPN PROCESS CHECK:

Coming soon ...
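The settings covered in this tutorial (the transparent tunnel's "auth none" / "cipher none", TCP versus UDP, the DH parameters on the server only, the mirrored routed-mode "ifconfig" pair inside one /30, and dropping privileges with "user" and "chroot") are the ones worth checking before launching OpenVPN. The following Python script is an added example, not part of this tutorial or of the OpenVPN project: it parses a server and a client config file in OpenVPN's one-directive-per-line format and reports weak settings and client/server mismatches. The two sample configs are constructed from the values used in this tutorial (with the default HMAC-SHA1 as the hash function); the directive names are the real OpenVPN ones, while the check names and messages are the script's own.

```python
"""Lint an OpenVPN server/client config pair for the weak settings and
mismatches the tutorial discusses. Added example; not OpenVPN project code."""
import ipaddress
import shlex

def parse_config(text):
    """OpenVPN config format: one directive per line, '#' or ';' comment lines,
    double-quoted arguments allowed (this is why the tutorial's Windows paths
    double their backslashes). A name maps to a list of argument lists
    because directives may repeat."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def first(cfg, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return cfg[name][0] if name in cfg else None

def check_one(cfg, role):
    """Weak or risky settings in one config; role is 'server' or 'client'."""
    out = []
    if first(cfg, "cipher") == ["none"]:
        out.append(f"{role}: 'cipher none' -> no confidentiality, data readable in transit")
    if first(cfg, "auth") == ["none"]:
        out.append(f"{role}: 'auth none' -> no integrity, data can be altered in transit")
    if first(cfg, "proto") == ["tcp"]:
        out.append(f"{role}: 'proto tcp' -> TCP over TCP, expect degraded performance")
    if "tls-server" in cfg and "dh" not in cfg:
        out.append(f"{role}: tls-server without 'dh' parameters")
    for directive in ("user", "chroot"):
        if directive not in cfg:
            out.append(f"{role}: no '{directive}' -> daemon keeps full privileges (Linux)")
    return out

def check_pair(srv, cli):
    """Settings both peers must agree on, plus the routed-mode tunnel addressing."""
    out = []
    for d in ("proto", "port", "dev", "cipher", "auth"):
        if first(srv, d) != first(cli, d):
            out.append(f"mismatch: '{d}' server={first(srv, d)} client={first(cli, d)}")
    if ("tls-server" in srv) != ("tls-client" in cli):
        out.append("mismatch: tls-server on one side needs tls-client on the other")
    if ("secret" in srv) != ("secret" in cli):
        out.append("mismatch: a preshared key must be configured on both peers")
    s, c = first(srv, "ifconfig"), first(cli, "ifconfig")
    if first(srv, "dev") == ["tun"] and s and c and len(s) == 2 and len(c) == 2:
        # routed mode: 'ifconfig local remote' is mirrored on the client and
        # the two addresses are the two usable hosts of one /30 subnet
        if [s[0], s[1]] != [c[1], c[0]]:
            out.append(f"mismatch: routed ifconfig not mirrored server={s} client={c}")
        hosts = list(ipaddress.ip_interface(f"{s[0]}/30").network.hosts())
        if sorted(ipaddress.ip_address(a) for a in s) != sorted(hosts):
            out.append(f"mismatch: {s[0]} and {s[1]} are not the two hosts of one /30")
    return out

def lint_pair(server_text, client_text):
    """All findings for a server/client pair; an empty list means nothing flagged."""
    srv, cli = parse_config(server_text), parse_config(client_text)
    return check_one(srv, "server") + check_one(cli, "client") + check_pair(srv, cli)

# Constructed sample configs built from the tutorial's values: routed UDP
# tunnel, TLS mode, AES-256-CBC, HMAC-SHA1, privileges dropped to "nobody".
SERVER_CFG = """
proto udp
port 1194
dev tun
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig 10.8.0.1 10.8.0.2
cipher AES-256-CBC
auth SHA1
user nobody
chroot /etc/openvpn/
verb 3
"""
# The matching client: same shared settings, mirrored ifconfig, no DH file.
CLIENT_CFG = (SERVER_CFG.replace("tls-server", "tls-client\nremote 100.0.0.1")
              .replace("server.crt", "client.crt").replace("server.key", "client.key")
              .replace("dh dh1024.pem\n", "")
              .replace("ifconfig 10.8.0.1 10.8.0.2", "ifconfig 10.8.0.2 10.8.0.1"))
# A constructed "transparent tunnel" client over TCP whose peer address is wrong.
WEAK_CLIENT_CFG = (CLIENT_CFG.replace("proto udp", "proto tcp")
                   .replace("cipher AES-256-CBC", "cipher none").replace("auth SHA1", "auth none")
                   .replace("ifconfig 10.8.0.2 10.8.0.1", "ifconfig 10.8.0.2 10.8.0.5"))

if __name__ == "__main__":
    for finding in lint_pair(SERVER_CFG, WEAK_CLIENT_CFG):
        print(finding)
```

Run directly, it prints the findings for the constructed weak client; to check your own pair, read both config.txt files and pass their contents to lint_pair(). The "dh" check is tied to tls-server because this tutorial places the DH parameters on the server only, and the /30 check reflects the tutorial's routed-mode addressing rule; the bridged-mode "ifconfig address netmask" form is left unchecked.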

Here are some OpenVPN default values:

    SETTING            VALUE
    Src & dest port    UDP 1194
    Tunnel mode        IP tunnel (tun mode)
    Symmetric cipher   Blowfish - CBC (128 bits)
    Hash function      HMAC - SHA1 (160 bits)
    Compression        NO
    Tunnel MTU         1500 bytes
    Verbose mode       0
