Virtual Private Networking with OpenVPN. Wim Kerkhoff, Fraser Valley Linux Users Group, April 15, 2004
The Basics: What is VPN?
• Short for Virtual Private Network
• Creates a private network over a public medium
• Typically used for encrypting/securing traffic sent across the Internet between two locations
• Can also be used for single hosts on a LAN (even a wireless one)
• Nobody with access to the public network can see the traffic moving through the VPN – to them it looks like garbage
FVLUG/OpenVPN presentation, April 2004, Wim Kerkhoff
What does OpenVPN offer?
• It’s Open Source (GPL), flexible, easy to set up
• Can tunnel any IP (layer 3) or Ethernet (layer 2) over a single UDP or TCP port
• Cross platform (Linux, *BSD/OSX, Windows 2000/XP, Solaris)
• Encryption provided via OpenSSL – tons of options/ciphers/etc
• Can use a 2048 bit shared key or digital certificates (PKI)
• Compression, traffic-shaping
• Works nicely with restrictive firewalls
How is OpenVPN different from other VPN packages?
• Only open source VPN package that uses SSL (as of this talk)
• Doesn’t need a special kernel module, unlike FreeS/WAN. Only the generic TUN/TAP driver is needed
• Very portable
• Easy – lots of configuration examples
• Traffic shaping per tunnel
• Can support hundreds of tunnels
• User-space: can co-exist with other networking packages, e.g. IPsec
• Can connect through an HTTP proxy
• Easier to set up on non-Win32 systems than PPTP
Modes
• Routed IP tunnels (layer 3)
  • More efficient than bridged Ethernet tunnels
  • Easier to configure
• Bridged Ethernet tunnels (layer 2)
  • Can tunnel IP and non-IP traffic (IPX, NetBEUI, etc)
  • Both sides of the VPN see network broadcasts
  • Required for some LAN games
Routed IP Tunnels
• Possible topologies:
  • Network <-> Network
  • Network <-> Host
  • Host <-> Network
  • Host <-> Host
• When doing VPNs with networks, an iptables script will have to be created to set up IP masquerading and some firewalling rules
• Uses “TUN” mode
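As an added example (not part of the slides, and not OpenVPN's own code), this is what one side of a routed Network <-> Network setup looks like: a static-key OpenVPN config for the tunnel and the iptables script the slide says you have to write yourself. Every address, interface name and path is assumed for illustration: 203.0.113.2 is the peer's public address, 10.8.0.1/10.8.0.2 are the tunnel endpoints, 192.168.1.0/24 is our LAN on eth1, 192.168.2.0/24 is theirs, eth0 faces the Internet, and the key lives in /etc/openvpn/static.key. Setting DRY_RUN=1 makes the script print the commands instead of executing them, which is how you review the rules before letting them near a production gateway.

```shell
#!/bin/sh
# Added example: routed (TUN) network-to-network OpenVPN endpoint.
# All addresses, interfaces and paths below are assumptions, not real hosts.
REMOTE_PUBLIC=203.0.113.2      # peer's public IP (assumed static)
TUN_LOCAL=10.8.0.1             # our end of the tunnel
TUN_REMOTE=10.8.0.2            # their end of the tunnel
LOCAL_LAN=192.168.1.0/24       # behind eth1 on this box
REMOTE_LAN_NET=192.168.2.0     # behind the peer
REMOTE_LAN_MASK=255.255.255.0
VPN_PORT=1194

# DRY_RUN=1 prints each command instead of running it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# OpenVPN config for this side. The other side uses our public address in
# "remote" and swaps the two ifconfig addresses. The 2048-bit static key
# (openvpn --genkey --secret static.key) must be copied to the peer over a
# channel you already trust; whoever holds it can decrypt every packet.
write_config() {
  cat <<EOF
dev tun
proto udp
port $VPN_PORT
remote $REMOTE_PUBLIC
ifconfig $TUN_LOCAL $TUN_REMOTE
route $REMOTE_LAN_NET $REMOTE_LAN_MASK
secret /etc/openvpn/static.key
cipher AES-256-CBC
comp-lzo
ping 10
ping-restart 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Firewall/masquerading rules for the tunnel. Default-deny forwarding; if
# this box is also the LAN's Internet gateway, its own rules are not shown.
firewall_up() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  # Only the VPN port is reachable from the Internet, and only from the peer.
  run iptables -A INPUT -i eth0 -p udp -s "$REMOTE_PUBLIC" --dport "$VPN_PORT" -j ACCEPT
  # Our LAN may open connections into the tunnel...
  run iptables -A FORWARD -i eth1 -o tun0 -s "$LOCAL_LAN" -j ACCEPT
  # ...and only replies to those connections come back out of it.
  run iptables -A FORWARD -i tun0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Masquerade: the far side sees only 10.8.0.1, so it needs no route to our LAN.
  run iptables -t nat -A POSTROUTING -o tun0 -s "$LOCAL_LAN" -j MASQUERADE
}

case "${1:-}" in
  config) write_config ;;
  up) firewall_up ;;
esac
```

With the MASQUERADE rule in place only our LAN can initiate connections; the peer's LAN never sees 192.168.1.x addresses. If their side must reach ours too, drop the MASQUERADE rule, add `route 192.168.1.0 255.255.255.0` to their config, and add an explicit FORWARD rule from tun0 to eth1 for their LAN to ours. Static-key mode is strictly point-to-point and has no forward secrecy: a key that leaks later decrypts traffic captured earlier. Once there is more than one peer, move to certificates.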
Bridged Ethernet tunnel
• Really just operates like a transparent Ethernet bridge. Hence, no special iptables, NAT magic or routing is required
• Uses “TAP” mode
• Bridge tools (brctl) are required
• Need to create a script to bind eth1 and tap0 together into a bridged device called br0
• Then assign an IP to br0
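The bridge script the slide describes, as an added example (not from the slides or the OpenVPN project): create tap0, bridge it with eth1 into br0, and move the LAN address onto br0. The interface names and the address 192.168.1.1/24 are assumed for illustration. It needs bridge-utils (brctl) and the kernel TUN/TAP driver; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: bring a bridged (TAP) OpenVPN endpoint up or down.
# Interface names and addresses are assumptions for illustration.
LAN_IF=eth1
TAP_IF=tap0
BR_IF=br0
BR_ADDR=192.168.1.1
BR_MASK=255.255.255.0
BR_BCAST=192.168.1.255

# DRY_RUN=1 prints each command instead of running it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

bridge_up() {
  # Persistent tap device that OpenVPN attaches to ("dev tap0" in its config).
  run openvpn --mktun --dev "$TAP_IF"
  run brctl addbr "$BR_IF"
  run brctl addif "$BR_IF" "$LAN_IF"
  run brctl addif "$BR_IF" "$TAP_IF"
  # Bridge ports carry no address of their own and must see all frames.
  # Note: if you are logged in over eth1, this is where you lose the session.
  run ifconfig "$LAN_IF" 0.0.0.0 promisc up
  run ifconfig "$TAP_IF" 0.0.0.0 promisc up
  # The LAN address now belongs to the bridge device.
  run ifconfig "$BR_IF" "$BR_ADDR" netmask "$BR_MASK" broadcast "$BR_BCAST" up
}

bridge_down() {
  run ifconfig "$BR_IF" down
  run brctl delif "$BR_IF" "$TAP_IF"
  run brctl delif "$BR_IF" "$LAN_IF"
  run brctl delbr "$BR_IF"
  run openvpn --rmtun --dev "$TAP_IF"
  # Give the LAN interface its address back.
  run ifconfig "$LAN_IF" "$BR_ADDR" netmask "$BR_MASK" up
}

case "${1:-}" in
  up) bridge_up ;;
  down) bridge_down ;;
esac
```

On this side the OpenVPN config says `dev tap0` and has no `ifconfig` line, because br0 already carries the address; a remote host joining the bridge uses `dev tap` with an `ifconfig` of a free address and netmask from the LAN range. "No iptables required" means no NAT or routing is needed for traffic to flow; it does not mean the remote end is contained. A bridge extends your broadcast domain to the peer, so its ARP, DHCP and any non-IP protocol land on your LAN as if it were plugged into the switch. For road-warrior clients you do not fully trust, prefer routed mode.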
OpenVPN on Windows XP/2000
• Double-click installer
• Can be configured as a Windows Service that starts on boot
• Some simple configuration changes in the .ovpn config file
• Just need to put the shared key or certificates in
OpenVPN 2.0 Beta Series
• Can handle multiple UDP clients using a single UDP port
• Can support thousands of clients depending on hardware and network connection
• Has a DHCP-like mechanism to push/pull specific settings to clients
• Better multithreading/SMP support
• Can run with least privilege
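The two slides above (the Windows .ovpn client and the 2.0 multi-client server) fit together in one added example, which is not from the slides or the OpenVPN project: a 2.0-style server config that serves every client on one UDP port, pushes routes and DNS to them the "DHCP-like" way, and drops root after start-up, plus the matching .ovpn a Windows client needs once its certificates are in place. The hostname vpn.example.com, the LAN 192.168.1.0/24, the pool 10.8.0.0/24, the DNS server 192.168.1.53 and the key file names are assumed for illustration. Server mode requires certificates (PKI); a shared static key only works point-to-point.

```shell
#!/bin/sh
# Added example: OpenVPN 2.0-style server config and Windows client .ovpn.
# Hostnames, addresses and file names are assumptions for illustration.

# Server side: multi-client over a single UDP port, settings pushed to clients,
# privileges dropped after the tun device and keys are set up.
write_server_conf() {
  cat <<'EOF'
port 1194
proto udp
dev tun
# PKI material (easy-rsa generates these); 1024-bit DH params are obsolete
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
# One subnet for all clients; the server takes 10.8.0.1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
# "DHCP-like" settings every client pulls on connect
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.53"
keepalive 10 120
comp-lzo
# Least privilege: run as an unprivileged user (group is "nobody" on Red Hat).
# persist-key/persist-tun keep the key and tun device across restarts,
# since the unprivileged process can no longer reopen them.
user nobody
group nogroup
persist-key
persist-tun
# client-to-client is deliberately absent: OpenVPN's internal router will not
# relay between clients (the kernel still can if forwarding and iptables allow it).
verb 3
EOF
}

# Client side: the .ovpn dropped into the Windows config directory, with the
# certificate files beside it (the service uses that directory as its cwd).
write_client_ovpn() {
  cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca   ca.crt
cert laptop.crt
key  laptop.key
# Refuse to talk to another client presenting its own cert as the "server";
# on OpenVPN 2.1 and later use "remote-cert-tls server" instead.
ns-cert-type server
comp-lzo
persist-key
persist-tun
verb 3
EOF
}

case "${1:-}" in
  server) write_server_conf ;;
  client) write_client_ovpn ;;
esac
```

The push lines are what make the Windows client usable without per-machine routing work: on connect it receives the route to the office LAN and the DNS server, and adds them itself. The `ns-cert-type server` check on the client is the piece people forget: without it any holder of a valid client certificate can impersonate the server to other clients.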
Beyond OpenVPN 2.0
• True point-to-multipoint
• Use a dynamic routing protocol to route through a larger and more complicated VPN cloud
• Reduces the need to route through a central server/office to reach a system in another branch office
Conclusions…
• Definitely the way to go for anything VPN using Windows clients
• Much easier to set up than IPsec on either Windows or Linux
• Stable/Reliable
• OpenVPN website: http://openvpn.sf.net