OpenVPN Cookbook - Second Edition

Book Description

About This Book

  • Discover over 90 practical and exciting recipes that leverage the power of OpenVPN 2.4 to help you obtain a reliable and secure VPN
  • Master the skills of configuring, managing, and securing your VPN using the latest OpenVPN
  • Gain expertise in establishing IPv6 connections and understand PolarSSL using the latest version of OpenVPN
  • This book contains enticing recipes about OpenVPN functionalities that cater to mission-critical applications

Who This Book Is For

This book is for system administrators who have a basic knowledge of OpenVPN and are eagerly waiting to build, secure, and manage VPNs using the latest version. This book assumes some prior knowledge of TCP/IP networking and OpenVPN and you must have network administration skills to get the most out of this book.

What You Will Learn

  • Determine the best type of OpenVPN setup for your networking needs
  • Get to grips with the encryption, authentication, and certification features of OpenSSL
  • Integrate an OpenVPN server into the local IT infrastructure with the scripting features of OpenVPN
  • Ease the integration of Windows clients into the VPN using Windows-specific client-side configuration
  • Understand the authentication plugins for PAM and LDAP
  • Get to know the difference between TUN-style and TAP-style networks and when to use what
  • Troubleshoot your VPN setup
  • Establish a connection via IPv6 along with demonstrations

In Detail

OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, and supporting alternative authentication methods via OpenVPN's plugin module interface.

This book provides you with many different recipes to help you set up, monitor, and troubleshoot an OpenVPN network. You will learn to configure a scalable, load-balanced VPN server farm that can handle thousands of dynamic connections from incoming VPN clients. You will also get to grips with the encryption, authentication, security, extensibility, and certification features of OpenSSL.

You will also gain an understanding of IPv6 support and see a demonstration of how to establish a connection via IPv6. This book will explore all the advanced features of OpenVPN and even some undocumented options, covering all the common network setups such as point-to-point networks and multi-client TUN-style and TAP-style networks. Finally, you will learn to manage, secure, and troubleshoot your virtual private networks using OpenVPN 2.4.

Style and approach

This practical, recipe-based book covers the core functionalities of OpenVPN, ending with troubleshooting and performance tuning, and aims to make readers inquisitive about its advanced features.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to obtain the code files.

Table of Contents

  1. OpenVPN Cookbook - Second Edition
    1. OpenVPN Cookbook - Second Edition
    2. Credits
    3. About the Author
    4. About the Reviewer
    5. www.PacktPub.com
      1. Why subscribe?
    6. Customer Feedback
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the example code
        2. Errata
        3. Piracy
        4. Questions
    8. 1. Point-to-Point Networks
      1. Introduction
      2. The shortest setup possible
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Using the TCP protocol
          2. Forwarding non-IP traffic over the tunnel
      3. OpenVPN secret keys
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      4. Multiple secret keys
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      5. Plaintext tunnel
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      6. Routing
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Routing issues
          2. Automating the setup
        5. See also
      7. Configuration files versus the command line
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Exceptions to the rule
      8. Complete site-to-site setup
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      9. Three-way routing
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Scalability
          2. Routing protocols
        5. See also
      10. Using IPv6
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Log file errors
          2. IPv6-only tunnel
        5. See also
    9. 2. Client-server IP-only Networks
      1. Introduction
      2. Setting up the public and private keys
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Using the easy-rsa scripts on Windows
          2. Some notes on the different variables
        5. See also
      3. A simple configuration
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      4. Server-side routing
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Linear addresses
          2. Using the TCP protocol
          3. Server certificates and ns-cert-type server
          4. Masquerading
      5. Adding IPv6 support
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. IPv6 endpoints
          2. IPv6-only setup
      6. Using client-config-dir files
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. The default configuration file
          2. Troubleshooting
          3. Options allowed in a client-config-dir file
      7. Routing - subnets on both sides
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Masquerading
          2. Client-to-client subnet routing
          3. No route statements in a CCD file
        5. See also
      8. Redirecting the default gateway
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Redirect-gateway parameters
          2. The redirect-private option
          3. Split tunneling
        5. See also
      9. Redirecting the IPv6 default gateway
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      10. Using an ifconfig-pool block
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Configuration files on Windows
          2. Client-to-client access
          3. Using the TCP protocol
      11. Using the status file
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Status parameters
          2. Disconnecting clients
          3. Explicit-exit-notify
      12. The management interface
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      13. Proxy ARP
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. TAP-style networks
        5. User nobody
          1. Broadcast traffic might not always work
        6. See also
    10. 3. Client-server Ethernet-style Networks
      1. Introduction
      2. Simple configuration - non-bridged
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Differences between TUN and TAP
          2. Using the TCP protocol
          3. Making IP forwarding permanent
        5. See also
      3. Enabling client-to-client traffic
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Broadcast traffic may affect scalability
          2. Filtering traffic
          3. TUN-style networks
      4. Bridging - Linux
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Fixed addresses and the default gateway
          2. Name resolution
        5. See also
      5. Bridging - Windows
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. See also
      6. Checking broadcast and non-IP traffic
        1. Getting ready
        2. How to do it...
        3. How it works...
      7. An external DHCP server
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. DHCP server configuration
          2. DHCP relay
          3. Tweaking /etc/sysconfig/network-scripts
      8. Using the status file
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Difference with TUN-style networks
          2. Disconnecting clients
        5. See also
      9. The management interface
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      10. Integrating IPv6 into TAP-style networks
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
    11. 4. PKI, Certificates, and OpenSSL
      1. Introduction
      2. Certificate generation
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      3. OpenSSL tricks - x509, pkcs12, verify output
        1. Getting ready
        2. How to do it...
        3. How it works...
      4. Revoking certificates
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. What is needed to revoke a certificate
        5. See also
      5. The use of CRLs
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      6. Checking expired/revoked certificates
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      7. Intermediary CAs
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      8. Multiple CAs - stacking, using the capath directive
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Using the -capath directive
      9. Determining the crypto library to be used
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      10. Crypto features of OpenSSL and PolarSSL
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. AEAD Ciphers
          2. Encryption speed
      11. Pushing ciphers
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Future enhancements
      12. Elliptic curve support
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Elliptic curve support
    12. 5. Scripting and Plugins
      1. Introduction
      2. Using a client-side up/down script
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Environment variables
          2. Calling the down script before the connection terminates
          3. Advanced - verify the remote hostname
      3. Using a client-connect script
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Pitfall in using ifconfig-push
          2. The client-disconnect scripts
          3. Environment variables
          4. Absolute paths
      4. Using a learn-address script
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. User nobody
          2. The update action
      5. Using a tls-verify script
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      6. Using an auth-user-pass-verify script
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Specifying the username and password in a file on the client
          2. Passing the password via environment variables
      7. Script order
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      8. Script security and logging
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      9. Scripting and IPv6
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      10. Using the down-root plugin
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      11. Using the PAM authentication plugin
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
    13. 6. Troubleshooting OpenVPN - Configurations
      1. Introduction
      2. Cipher mismatches
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Pushable ciphers
      3. TUN versus TAP mismatches
        1. Getting ready
        2. How to do it...
        3. How it works...
      4. Compression mismatches
        1. Getting ready
        2. How to do it...
        3. How it works...
      5. Key mismatches
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. See also
      6. Troubleshooting MTU and tun-mtu issues
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      7. Troubleshooting network connectivity
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      8. Troubleshooting client-config-dir issues
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. More verbose logging
          2. Other frequent client-config-dir mistakes
        5. See also
      9. Troubleshooting multiple remote issues
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      10. Troubleshooting bridging issues
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. See also
      11. How to read the OpenVPN log files
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
    14. 7. Troubleshooting OpenVPN - Routing
      1. Introduction
      2. The missing return route
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Masquerading
          2. Adding routes on the LAN hosts
        5. See also
      3. Missing return routes when iroute is used
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      4. All clients function except the OpenVPN endpoints
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      5. Source routing
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      6. Routing and permissions on Windows
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      7. Unable to change Windows network location
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      8. Troubleshooting client-to-client traffic routing
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      9. Understanding the MULTI: bad source warnings
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Other occurrences of the MULTI: bad source message
        5. See also
      10. Failure when redirecting the default gateway
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
    15. 8. Performance Tuning
      1. Introduction
      2. Optimizing performance using ping
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      3. Optimizing performance using iperf
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Client versus server iperf results
          2. Network latency
          3. Gigabit networks
        5. See also
      4. Comparing IPv4 and IPv6 speed
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Client versus server iperf results
      5. OpenSSL cipher speed
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      6. OpenVPN in Gigabit networks
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Plain-text tunnel
          2. Windows performance
      7. Compression tests
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      8. Traffic shaping
        1. Getting ready
        2. How to do it...
        3. How it works...
      9. Tuning UDP-based connections
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      10. Tuning TCP-based connections
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      11. Analyzing performance using tcpdump
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. See also
    16. 9. OS Integration
      1. Introduction
      2. Linux - using NetworkManager
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Setting up routes using NetworkManager
          2. DNS settings
          3. Scripting
      3. Linux - using pull-resolv-conf
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      4. Windows - elevated privileges
        1. Getting ready
        2. How to do it...
        3. How it works...
      5. Windows - using the CryptoAPI store
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. The CA certificate file
          2. Certificate fingerprint
      6. Windows - updating the DNS cache
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. See also
      7. Windows - running OpenVPN as a service
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Automatic service startup
          2. OpenVPN user name
        5. See also
      8. Windows - public versus private network adapters
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. See also
      9. Windows - routing methods
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      10. Windows 8+ - ensuring DNS lookups are secure
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      11. Android - using the OpenVPN for Android clients
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also
      12. Push-peer-info - pushing options to Android clients
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
    17. 10. Advanced Configuration
      1. Introduction
      2. Including configuration files in config files
        1. Getting ready
        2. How to do it...
        3. How it works...
      3. Multiple remotes and remote-random
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Mixing TCP and UDP-based setups
          2. Advantage of using TCP-based connections
          3. Automatically reverting to the first OpenVPN server
        5. See also
      4. Inline certificates
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
      5. Connection blocks
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Allowed directives inside connection blocks
          2. Pitfalls when mixing TCP and UDP-based setups
        5. See also
      6. Details of ifconfig-pool-persist
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Specifying the update interval
          2. Caveat - the duplicate-cn option
          3. When topology net30 is used
      7. Connecting using a SOCKS proxy
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Performance
          2. SOCKS proxies via SSH
          3. SOCKS proxies using plain-text authentication
        5. See also
      8. Connecting via an HTTP proxy
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. http-proxy options
          2. Dodging firewalls
          3. Performance
          4. Using the OpenVPN GUI
        5. See also
      9. Connecting via an HTTP proxy with authentication
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. NTLM proxy authorization
          2. Authentication methods
          3. OpenVPN GUI limitations
        5. See also
      10. IP-less setups - ifconfig-noexec
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Point-to-point and TUN-style networks
          2. Routing and firewalling
      11. Port sharing with an HTTPS server
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. Alternatives
      12. Routing features - redirect-private, allow-pull-fqdn
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
          1. The route-nopull directive
          2. The max-routes directive
        5. See also
      13. Filtering out pushed options
        1. Getting ready
        2. How to do it...
        3. How it works...
      14. Handing out the public IPs
        1. Getting ready
        2. How to do it...
        3. How it works...
        4. There's more...
        5. See also