book

Mastering OpenVPN

Name: Mastering OpenVPN
ISBN: 9781783553136

by Eric F Crist, Jan Just Keijser

August 2015

Intermediate to advanced

364 pages

7h 35m

English

Packt Publishing

Read now

Unlock full access

Mastering OpenVPN
Table of Contents
Mastering OpenVPN
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Introduction to OpenVPN
What is a VPN?
Types of VPNs
PPTPIPSecSSL-based VPNsOpenVPN
Comparison of VPNs
Advantages and disadvantages of PPTPAdvantages and disadvantages of IPSecAdvantages and disadvantages of SSL-based VPNsAdvantages and disadvantages of OpenVPNHistory of OpenVPN
OpenVPN packages
The open source (community) versionThe closed source (commercial) Access ServerThe mobile platform (mixed) OpenVPN/OpenVPN ConnectOther platforms
OpenVPN internals
The tun/tap driverThe UDP and TCP modesThe encryption protocolThe control and data channelsCiphers and hashing algorithmsOpenSSL versus PolarSSL
Summary
2. Point-to-point Mode
Pros and cons of the key modeThe first example
TCP protocol and different ports
The TAP modeThe topology subnetThe cleartext tunnel
OpenVPN secret keys
Using multiple keysUsing different encryption and authentication algorithms
Routing
Configuration files versus the command line
The complete setup
Advanced IP-less setup
Three-way routing
Route, net_gateway, vpn_gateway, and metrics
Bridged tap adapter on both ends
Removing the bridges
Combining point-to-point mode with certificates
Summary
3. PKIs and Certificates
An overview of PKIPKI using Easy-RSABuilding the CACertificate revocation listServer certificatesClient certificatesPKI using ssl-admin
OpenVPN server certificates
OpenVPN client certificates
Other features
Multiple CAs and CRLs
Extra security – hardware tokens, smart cards, and PKCS#11
Background informationSupported platformsInitializing a hardware tokenGenerating a certificate/private key pairGenerating a private key on a tokenGenerating a certificate requestWriting an X.509 certificate to the tokenGetting a hardware token IDUsing a hardware token with OpenVPN
Summary
4. Client/Server Mode with tun Devices
Understanding the client/server mode
Setting up the Public Key Infrastructure
Initial setup of the client/server mode
Detailed explanation of the configuration filesTopology subnet versus topology net30
Adding extra security
Using tls-auth keysGenerating a tls-auth keyChecking certificate key usage attributes
Basic production-level configuration files
TCP-based configurationConfiguration files for Windows
Routing and server-side routing
Special parameters for the route optionMasquerading
Redirecting the default gateway
Client-specific configuration – CCD files
How to determine whether a CCD file is properly processedCCD files and topology net30
Client-side routing
In-depth explanation of the client-config-dir configurationClient-to-client traffic
The OpenVPN status file
Reliable connection tracking for UDP mode
The OpenVPN management interface
Session key renegotiation
A note on PKCS#11 devices
Using IPv6
Protected IPv6 trafficUsing IPv6 as transit
Advanced configuration options
Proxy ARPHow does Proxy ARP work?Assigning public IP addresses to clients
Summary
5. Advanced Deployment Scenarios in tun Mode
Enabling file sharing over VPNUsing NetBIOS namesUsing nbtstat to troubleshoot connection problems
Using LDAP as a backend authentication mechanism
Troubleshooting the LDAP backend authentication
Filtering OpenVPN
FreeBSD exampleA Windows examplePolicy-based routing
Windows network locations – public versus private
BackgroundChanging the TAP-Win adapter location using the redirect-gatewayUsing the Group Policy editor to force an adapter to be privateChanging the TAP-Win adapter location using extra gatewaysRedirecting all traffic in combination with extra gateways
Using OpenVPN with HTTP or SOCKS proxies
HTTP proxiesSOCKS proxies
Summary
6. Client/Server Mode with tap Devices
The basic setup
Enabling client-to-client traffic
Filtering traffic between clientsDisadvantage of the proxy_arp_pvlan methodFiltering traffic using the pf filter of OpenVPN
Using the tap device (bridging)
Bridging on LinuxTearing down the bridgeBridging on Windows
Using an external DHCP server
Checking broadcast and non-IP traffic
Address Resolution Protocol trafficNetBIOS traffic
Comparing tun mode to tap mode
Layer 2 versus layer 3Routing differences and irouteClient-to-client filteringBroadcast traffic and "chattiness" of the networkBridging
Summary
7. Scripting and Plugins
ScriptingServer-side scripts--setenv and --setenv-safe--script-security--up-restart--up--route-up--tls-verify--auth-user-pass-verify--client-connect--learn-address--client-disconnect--route-pre-down--downClient-side scripts--setenv and --setenv-safe--script-security--up-restart--tls-verify--ipchange--up--route-up--route-pre-down--downExamples of server scriptsClient-connect scriptsClient authenticationClient authorizationExample 1—client-selected routesExample 2—track client connection statisticsExample 3—disconnect user after X minutesExamples of client scriptsExample 4—mount NFS shareExample 5—using all scripts at onceThe server-side script logEnvironment variables set in the server-side scripts--up--route-up--tls-verify--auth-user-pass-verify--client-connect--learn-address--client-disconnect--route-pre-down and --downThe client-side script logEnvironment variables set in the client-side scripts
Plugins
Down-rootThe auth-pam plugin
Summary
8. Using OpenVPN on Mobile Devices and Home Routers
Using the OpenVPN for an Android appCreating an OpenVPN app profileUsing the PKCS#12 file
Using the OpenVPN Connect app for Android
Using the OpenVPN Connect app for iOS
Integrating smart phones into an existing VPN setup
Using a home router as a VPN client
Using a home router as a VPN server
Summary
9. Troubleshooting and Tuning
How to read the log filesDetecting a non-working setup
Fixing common configuration mistakes
Wrong CA certificate in the client configurationHow to fixClient certificate not recognized by the serverHow to fixClient certificate and private key mismatchHow to fixThe auth and tls-auth key mismatchHow to fixThe MTU size mismatchHow to fixThe Cipher mismatchHow to fix The Compression mismatchHow to fixThe fragment mismatchHow to fixThe tun versus tap mismatchHow to fixThe client-config-dir issuesHow to fixNo access to the tun device in LinuxHow to fixMissing elevated privileges in WindowsHow to fix
Troubleshooting routing issues
Drawing a detailed pictureStart in the middle and work your way outwardFind a time to temporarily disable firewallIf all else fails, use tcpdump
How to optimize performance by using ping and iperf
Using pingUsing iperfGigabit networking
Analyzing OpenVPN traffic by using tcpdump
Summary
10. Future Directions
Current strengths
Current weaknesses
Scaling at gigabit speeds and above
Where we are going
Improved compression supportPer-client compressionNew cryptographic routinesMixed certificate/username authenticationIPv6 supportWindows privilege separation
Summary
Index

Content preview from Mastering OpenVPN

Basic production-level configuration files

We extend the previous client and server configuration files to use the newly created tls-auth key. We do this by adding a line to the configuration file movpn-04-01-server.conf, as well as the second security-enhancing option:

proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60

remote-cert-tls client
tls-auth /etc/openvpn/movpn/ta.key 0
dh       /etc/openvpn/movpn/dh2048.pem
ca       /etc/openvpn/movpn/movpn-ca.crt
cert     /etc/openvpn/movpn/server.crt
key      /etc/openvpn/movpn/server.key

user  nobody
group nobody

verb 3
daemon
log-append /var/log/openvpn.log

Note

Note that the order of the statements in this configuration file is random. The remote-cert-tls ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781783553136

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering OpenVPN

by Eric F Crist, Jan Just Keijser

Basic production-level configuration files

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.