Virtual Private Networking with OpenVPN - PowerPoint PPT Presentation

Provided by: WimKer
Learn more at: http://www.nyetwork.org
Transcript and Presenter's Notes


1
Virtual Private Networking with OpenVPN
  • Wim Kerkhoff
  • Fraser Valley Linux Users Group
  • April 15, 2004

2
The Basics: What is VPN?
  • Short for Virtual Private Network
  • Creates a private network over a public medium
  • Typically used for encrypting/securing traffic
    sent across the Internet between two locations
  • Can also be used for single hosts on a LAN (even
    a wireless one)
  • Nobody with access to the public network can see
    the traffic moving through the VPN; it looks like
    garbage

3
What does OpenVPN offer?
  • It's open source (GPL), flexible, easy to set up
  • Can tunnel any IP (layer 3) or Ethernet (layer 2)
    over a single UDP or TCP port
  • Cross platform (Linux, BSD/OSX, Windows 2000/XP,
    Solaris)
  • Encryption provided via OpenSSL: tons of
    options/ciphers/etc
  • Can use a 2048 bit shared key or digital
    certificates (PKI)
  • Compression, traffic-shaping
  • Works nicely with restrictive firewalls

4
How is OpenVPN different from other VPN packages?
  • Only open source package that uses SSL
  • Doesn't need a special kernel module, unlike
    FreeS/WAN. Only the generic TAP/TUN driver is
    needed
  • Very portable
  • Easy: lots of configuration examples
  • Traffic shaping per tunnel
  • Can support hundreds of tunnels
  • User-space: can co-exist with other networking
    packages, e.g. IPSec
  • Can connect through an HTTP proxy
  • Easier to set up on non-Win32 systems than PPTP

5
Modes
  • Routed IP tunnels (layer 3)
      • More efficient than bridged Ethernet tunnels
      • Easier to configure
  • Bridged Ethernet tunnels (layer 2)
      • Can tunnel IP and non-IP traffic
          • IPX, NetBEUI, etc
      • Both sides of VPN see network broadcasts
      • Required for some LAN games

6
Routed IP Tunnels
  • Possible Topologies
      • Network <-> Network
      • Network <-> Host
      • Host <-> Network
      • Host <-> Host
  • When doing VPNs with networks, an iptables script
    will have to be created to set up IP Masquerading
    and some firewalling rules
  • Uses TUN mode

7
Bridged Ethernet tunnel
  • Really just operates like a transparent ethernet
    bridge. Hence, special IP tables, NAT magic, or
    routing is required
  • Uses TAP mode
  • Bridge tools (brctl) are required
  • Need to create a script to bind eth1 and tap0
    together into a bridged device called br0
  • Then assign an IP to br0
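
One way to write the bridging script this slide describes, added here as an example and not taken from the presentation: it binds eth1 and tap0 into br0 with brctl, then assigns br0 an address. The address, netmask, function names and the DRY_RUN switch are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: bind eth1 and tap0 into br0, then give br0 an IP (slide 7).
# Interface names come from the slide; the address and netmask are
# constructed sample values. Uses brctl (bridge-utils), ifconfig and
# openvpn --mktun, and must run as root when DRY_RUN=0.
BR=br0
ETH=eth1
TAP=tap0
BR_IP=192.168.8.4        # constructed sample value
BR_MASK=255.255.255.0    # constructed sample value
DRY_RUN=${DRY_RUN:-1}    # 1 = only print the commands (default)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only plausible Linux interface names (max 15 chars, no leading
# dash, no odd characters) before they reach commands run as root.
valid_if() {
    case "$1" in ''|-*|*[!a-zA-Z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Create a persistent tap device, build the bridge, then address it.
# Bridge members carry no address of their own; the IP lives on br0.
bridge_up() {
    for i in "$BR" "$ETH" "$TAP"; do
        valid_if "$i" || { echo "bad interface name: $i" >&2; return 1; }
    done
    run openvpn --mktun --dev "$TAP" &&
    run brctl addbr "$BR" &&
    run brctl addif "$BR" "$ETH" &&
    run brctl addif "$BR" "$TAP" &&
    run ifconfig "$TAP" 0.0.0.0 promisc up &&
    run ifconfig "$ETH" 0.0.0.0 promisc up &&
    run ifconfig "$BR" "$BR_IP" netmask "$BR_MASK" up
}

# Undo bridge_up: remove the bridge, then the persistent tap device.
bridge_down() {
    run ifconfig "$BR" down &&
    run brctl delbr "$BR" &&
    run openvpn --rmtun --dev "$TAP"
}

case "${1:-}" in
    up)   bridge_up ;;
    down) bridge_down ;;
esac
```

Because eth1 is reset to 0.0.0.0 and its address moves to br0, apply this from a console rather than over a session that arrives through eth1.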

8
OpenVPN on Windows XP/2000
  • Double click installer
  • Can be configured as a Windows Service that
    starts on boot
  • Some simple configuration changes in the .ovpn
    config file
  • Just need to put the shared key or certificates in

9
OpenVPN 2.0 Beta Series
  • Can handle multiple UDP clients using a single
    UDP port
  • Can support thousands of clients depending on
    hardware and network connection
  • Has DHCP-like mechanism to push/pull specific
    settings to clients
  • Better multithreading/SMP support
  • Can run with least-privileges

10
Beyond OpenVPN 2.0
  • True point-to-multipoint
  • Use a dynamic routing protocol to route through a
    larger and more complicated VPN cloud
  • Reduce the need to route through a central
    server/office to access a system in another
    branch office

11
Conclusions
  • Definitely the way to go for anything VPN using
    Windows clients
  • Way easier to set up than IPSec on either Windows
    or Linux
  • Stable/Reliable
  • OpenVPN website: http://openvpn.sf.net