defense.at Onlinemagazin

VPN - OpenVPN summary

What is VPN?

VPN stands for Virtual Private Network and offers a way to transfer data securely across the Internet. This method is used by small and large companies that have many branches in other cities or countries all over the world. It can also be used for secure communication in a wireless LAN.

For such purposes the software “OpenVPN” is a good choice.

Why OpenVPN?

OpenVPN is an Open Source project and is licensed under the GPL (GNU General Public License). That means it is free of charge and you do not have to pay a lot for a non-GPL VPN solution.
It is also simple to use and easy to install compared with other VPN software. A tunnel can be started and configured with a single command on the command line.
It runs under several operating systems, such as Linux, Windows 2000/XP, OpenBSD, FreeBSD, NetBSD, Mac OS X and Solaris.
OpenVPN offers either a simple pre-shared (static) key encryption or a full public key infrastructure.
The firewall configuration is not complicated either, because OpenVPN only needs a single UDP port: 1194 is the default OpenVPN port, but it can be changed in the configuration file.

Security / Encryption

OpenVPN does not use IPsec like almost all other VPN solutions (for example FreeS/WAN, Openswan, strongSwan, etc.).
Instead, TLS is used as the underlying authentication and key negotiation protocol; it is the latest evolution of the SSL protocol family. SSL/TLS is considered to be one of the strongest and most secure protocols available, and for that reason I think SSL/TLS is a good choice for a VPN product like OpenVPN.

TLS stands for Transport Layer Security and is also licensed under the GPL.

When you compare SSL/TLS with IPsec, in my opinion SSL/TLS is more flexible and easier to configure.

Installation

Linux

Here OpenVPN is going to be installed on a SUSE Linux machine.
For that you have to install the following packages first:
(If these packages are already installed you can proceed with the next step)

openssl
openssl-devel
lzo
lzo-devel
pam
pam-devel

After this you can download the newest version of OpenVPN from the homepage openvpn.net (openvpn-2.0.5.tar.gz).

The installation is not very difficult on either platform (Linux or Windows).
If you are using a Linux distribution which supports RPM packages (like SuSE, Fedora, Red Hat, etc.) then the best way is to install OpenVPN using this mechanism. The easiest method is to find an existing binary RPM file for your distribution; otherwise you can build your own binary RPM file from the source tarball and the installation then runs automatically.

You just have to type these commands on the command line:

rpmbuild -tb openvpn-2.0.5.tar.gz


This command builds the RPM file from the source tarball (rpmbuild prints the path of the file it wrote).

rpm -ivh openvpn-2.0.5.rpm

This command runs the installation; use the file name that rpmbuild printed.
After this step OpenVPN should be successfully installed on your computer.

Windows

If you install it on Windows you have to download the .exe file from the homepage. In addition you have the choice of installing a GUI (Graphical User Interface) or a console based program.
I would recommend downloading the GUI from openvpn.se.

Basic configuration example

For this basic configuration example I have chosen static key encryption because it offers the simplest setup and is ideal for a point-to-point VPN, or simply as a good test of the installation.

Static key advantages:
Simple setup
You don’t need to build an X.509 PKI (Public Key Infrastructure)

Static key disadvantages:
Limited scalability
The secret key must exist in plaintext form on each VPN peer. If the key file is stolen from one of the two computers, a new key must be generated and shared between the communication partners.
The secret key must be exchanged securely over a pre-existing secure channel, or you have to carry it to the other computer manually.

This example demonstrates a point-to-point OpenVPN configuration between two SUSE Linux computers. A VPN tunnel will be created with a server endpoint of 10.8.0.1 and a client endpoint of 10.8.0.2. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.

Generate a static key:
(You can generate the key on any computer on which OpenVPN is installed)

openvpn --genkey --secret static.key



Now copy the static key to both client and server over a pre-existing secure channel.
The configuration file is located in the /etc/openvpn/ folder on both machines. The name of the configuration file is not important; I called them server.conf and client.conf.

Server configuration file /etc/openvpn/server.conf:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

Client configuration file /etc/openvpn/client.conf:

remote [Public IP address of the Server]
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key

This text needs to be written into the configuration files on the two sides. After this step you just have to start OpenVPN on each end of the tunnel with its own configuration file, on the server:

openvpn --config server.conf

and on the client:

openvpn --config client.conf

At the end of the output there should be a line saying that the tunnel has been established.
To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
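The following POSIX shell script is an added example, not code from the original article or from the OpenVPN project. It writes the two configuration files shown above, checks that the shared static key is present and readable only by its owner (the plaintext-key disadvantage noted earlier), and checks that the two peers' ifconfig addresses mirror each other before OpenVPN is started. It assumes a POSIX sh with awk and stat, and uses the documentation address 203.0.113.10 as a placeholder for the server's public IP.

```shell
#!/bin/sh
# Added example (not from the original article): prepare and sanity-check a
# static-key point-to-point OpenVPN setup as described in the text.
# Assumptions: the key was created with "openvpn --genkey --secret static.key";
# the server address passed in is a placeholder (203.0.113.10 in the usage).

# write_static_configs DIR SERVER_PUBLIC_IP
# Writes DIR/server.conf and DIR/client.conf with the tunnel addresses used
# in the article (10.8.0.1 for the server, 10.8.0.2 for the client).
write_static_configs() {
    dir=$1
    server_ip=$2
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<EOF
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
EOF
    cat > "$dir/client.conf" <<EOF
remote $server_ip
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
EOF
}

# check_static_key KEYFILE
# Returns 0 if the key file exists, is an OpenVPN static key, and is readable
# only by its owner (mode 600 or 400); prints the reason and returns 1 otherwise.
check_static_key() {
    key=$1
    [ -f "$key" ] || { echo "missing key file $key"; return 1; }
    # GNU stat (-c) first, BSD/macOS stat (-f) as fallback
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        600|400) ;;
        *) echo "key $key is mode $mode; run: chmod 600 $key"; return 1 ;;
    esac
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$key" \
        || { echo "$key does not look like an OpenVPN static key"; return 1; }
    return 0
}

# check_peer_configs SERVER_CONF CLIENT_CONF
# Returns 0 if the server's "ifconfig LOCAL REMOTE" is the mirror image of the
# client's and both sides reference the same key file name; 1 otherwise.
check_peer_configs() {
    s_local=$(awk '$1=="ifconfig"{print $2}' "$1")
    s_remote=$(awk '$1=="ifconfig"{print $3}' "$1")
    c_local=$(awk '$1=="ifconfig"{print $2}' "$2")
    c_remote=$(awk '$1=="ifconfig"{print $3}' "$2")
    if [ "$s_local" != "$c_remote" ] || [ "$s_remote" != "$c_local" ]; then
        echo "ifconfig addresses are not mirrored between server and client"
        return 1
    fi
    s_key=$(awk '$1=="secret"{print $2}' "$1")
    c_key=$(awk '$1=="secret"{print $2}' "$2")
    if [ "$s_key" != "$c_key" ]; then
        echo "server and client reference different key files ($s_key vs $c_key)"
        return 1
    fi
    return 0
}

# Usage (on the server, after copying static.key to /etc/openvpn over a secure channel):
#   . ./static-key-setup.sh
#   write_static_configs /etc/openvpn 203.0.113.10   # placeholder public IP
#   check_static_key /etc/openvpn/static.key \
#     && check_peer_configs /etc/openvpn/server.conf /etc/openvpn/client.conf \
#     && echo "configuration looks consistent"
```

The permission check matters because OpenVPN stores the static key in plaintext; keeping it at mode 600 limits who on the machine can read it, and the mirror check catches the most common copy-and-paste mistake when the same ifconfig line is used on both sides.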

Conclusion

In conclusion I would like to say that I have had good experiences with OpenVPN by connecting several clients (Linux and Windows) to a Linux based OpenVPN server. For this type of VPN solution OpenVPN is the best choice, because it works fine with multiple clients in different subnets and on different operating systems. But when you have to connect several VPN servers, I would recommend an IPsec based program, because in most cases it offers stronger encryption and better handling of a PKI (Public Key Infrastructure).

This English paper on VPN - OpenVPN was provided to us by our defense.at member madsince85. Many thanks for that.