J.J. Keijser, Nikhef Amsterdam, Grid Group

OpenVPN Guest Lecture
OS3 System & Network Engineering
Jan Just Keijser, Nikhef
11 May 2011
A few words about me

- Working as grid system engineer since 2005
- Working in IT industry since 1995
- "discovered" OpenVPN in 2004
- Used and supported OpenVPN since then
- Author of the "OpenVPN 2 Cookbook", published in 2011
- IT interests include open source, networking, VPNs, security, openssl, socat
Outline

- What is a VPN?
- Types of VPNs
- What is OpenVPN?
- OpenVPN protocol
- Modes of operation: preshared keys, certificates, 'tun' vs 'tap', bridging
- Routing
- Smart card support
- Scripting and plugins
- Other features
- Weaknesses
- Future work
- Summary
What is a VPN?

[Figure: "Your TROL (Typical Remote Office Layout)" without the use of a VPN. A Client behind its NAT & firewall and a Server behind its own firewall & NAT, separated by the Internet / WAN.]
What is a VPN?

[Figure: the same layout using a VPN. A VPN setup between the Client and the Server carries their traffic across the Internet / WAN, through both NAT & firewall devices.]
Types of VPNs

- Web based: proxies, SOCKS
- Solutions based on SSH
- PPTP based: Microsoft PPTP VPN client
- IPsec based: Openswan, racoon
- IPsec+L2TP based: Microsoft L2TP VPN client
- SSL based: OpenVPN
Virtual network adapter

Most VPNs use the concept of a Virtual Network Adapter. This allows for:
◦ A separate IP address;
◦ Control over the routing and protocols allowed over the VPN.
The Virtual Network Adapter is the interface between the VPN client (or server) software and the Operating System.

[Figure: VPN client software, Virtual Network Adapter and Ethernet interface, with the three numbered steps of a packet's path from the client through the adapter to the physical interface.]
Web-based VPNs

- Also known as "clientless VPNs"
- Work only with web-based applications
- Basically a souped-up secure proxy server or SOCKS server
- The VPN never leaves the "sandbox" of the web browser

[Figure: a VPN applet running inside the web browser; HTTPS-encrypted traffic leaves via the Ethernet interface.]
SSH-based solutions

- Not a true VPN: tunnelling of specific TCP ports only
- Client and server software available for nearly every platform
- OpenSSH includes SOCKS server support, allowing more flexible tunnels

[Figure: an SSH tunnel forwarding local ports to remote hosts: 127.0.0.1 port 8080 -> hostA port 80 (http), 127.0.0.1 port 1200 -> hostB port 23 (telnet).]
Web & SSH: pros and cons

Pros:
◦ Client software for nearly all platforms;
◦ Uses standard TCP traffic, so no NAT issues;
◦ Easy to configure.
Cons:
◦ Web-based (TCP, HTTPS) only;
◦ Not easy to share local data with the remote site/server;
◦ Not a true VPN solution.
PPTP: the Microsoft solution

- Developed by Microsoft and Ascend (RFC 2637)
- Authentication using username/password OR X.509 certificates (EAP-TLS)
- Runs over a single TCP port (1723) plus GRE tunnels (IP protocol 47)
- Frequently used for ADSL ethernet modems
- Interface to the OS through a PPTP adapter

[Figure: VPN client -> PPTP adapter -> Ethernet; GRE-encrypted traffic leaves the physical interface.]
PPTP: pros and cons

Pros:
◦ Client built into the Microsoft platform;
◦ Other platforms supported for both client and server: Linux; FreeBSD/OpenBSD/NetBSD; Macintosh OS X.
Cons:
◦ PPTP is considered fundamentally insecure (weak MS-CHAP authentication and MPPE keying);
◦ The secure variant (EAP-TLS) is fully supported only on Windows;
◦ GRE tunnelling does not work well with NAT'ting devices.
IPsec

- Official IETF standard for IP security (RFC 2411 is the document roadmap)
- Operates at Layer 3 (the IP layer) of the network stack
- Part of the IPv6 specification
- Introduces the concept of Security Policies
- Uses Encapsulating Security Payload (ESP, IP protocol 50) for payload security and a Hash-based Message Authentication Code (HMAC) for integrity
- Authentication using X.509 certificates or pre-shared keys
- Two modes supported:
◦ Transport mode;
◦ Tunnel mode.
IPsec+L2TP

- Developed by Microsoft and Cisco Systems (RFC 3193)
- Utilizes IPsec transport mode
- Authentication using X.509 certificates or pre-shared keys, in combination with a username/password
- Uses both UDP ports 500 and 4500 (IKE and NAT-T) as well as ESP (IP protocol 50)
- Interface to the OS through an L2TP adapter

[Figure: L2TP client -> L2TP adapter -> IPsec -> Ethernet; IPsec-encrypted traffic leaves the physical interface (steps 1-3).]
IPsec: pros and cons

Pros:
◦ Industry standard;
◦ Good platform support, including ADSL and Wi-Fi routers;
◦ Security policies allow for a very modular approach.
Cons:
◦ Configuration and troubleshooting can be difficult, notoriously so in combination with NAT-Traversal (NAT-T);
◦ The server side cannot easily be NAT'ted, often forcing the use of a DMZ;
◦ In general, IPsec and NAT'ting devices do not go well together.
OpenVPN: an SSL-based VPN

- Uses TLS/SSL (via OpenSSL) to negotiate the keys that encrypt the payload, and HMAC for integrity
- Authentication using X.509 certificates or pre-shared keys
- UDP, TCP and SOCKS/HTTP proxy support
- Supports tunnelling (TCP/IP) and bridging (Ethernet) mode
- Interface to the OS through a tun/tap device or the TAP-Win32 adapter

[Figure: OpenVPN -> tun/tap device -> Ethernet; UDP/TCP-encrypted traffic leaves the physical interface (steps 1-3).]
What is OpenVPN?

With OpenVPN, you can:
◦ tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
◦ configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
◦ use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
◦ use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
◦ choose between static-key based conventional encryption or certificate-based public key encryption,
◦ use static, pre-shared keys or TLS-based dynamic key exchange,
◦ use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
◦ tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
◦ tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
◦ tunnel networks over NAT,
◦ create secure ethernet bridges using virtual tap devices, and
◦ control OpenVPN using a GUI on Windows or Mac OS X.
(from http://openvpn.net/index.php/open-source/333-what-is-openvpn.html)
OpenVPN: some history

- Started in 2002 by James Yonan
- First version only supported preshared keys and site-to-site connectivity
- 2004: OpenVPN 2.0, which supported
◦ X.509 certificates
◦ Multiple clients to the same server
- 2009: OpenVPN 2.1, which added
◦ PKCS#11 support
◦ Windows Vista/7 support
- 2011: OpenVPN 2.2 released
◦ First community-built version
OpenVPN protocol

In SSL/TLS mode two channels are used:
◦ A reliable control channel for exchanging SSL/TLS information and keys
◦ A data channel for transporting the actual payload. In UDP mode this channel is not reliable.
Each encrypted data-channel packet is formatted as follows:
◦ HMAC(explicit IV, encrypted envelope)
◦ Explicit IV
◦ Encrypted envelope
The HMAC is verified first, so a packet that was forged or modified in transit is dropped before any decryption or parsing takes place.
The content of the encrypted envelope is formatted as follows:
◦ 64-bit sequence number (used for replay protection)
◦ Payload data, i.e. an IP packet or Ethernet frame
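To make the packet layout concrete, here is an added Python example (not code from the slides or from OpenVPN itself) that builds and checks data-channel packets in exactly that shape. It assumes HMAC-SHA1 as the 'auth' digest and, so that it runs with the standard library alone, uses a keystream generated by HMAC-SHA256 in counter mode as a stand-in for the real block cipher; the replay rule is simplified to strictly increasing sequence numbers, where OpenVPN proper keeps a sliding window so that reordered UDP packets survive.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 20   # HMAC-SHA1 tag length (OpenVPN's historical default 'auth sha1')
IV_LEN = 16    # explicit IV sent in the clear with every packet
SEQ_LEN = 8    # 64-bit sequence number at the start of the envelope


def _keystream(enc_key, iv, length):
    """Stand-in for the block cipher: HMAC-SHA256 in counter mode (an assumption
    of this example). Like any counter-mode construction it must never see the
    same (key, IV) pair twice, which is why a fresh IV is generated per packet."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pack_packet(enc_key, mac_key, seq, payload, iv=None):
    """HMAC(IV || ciphertext) || IV || ciphertext, with envelope = seq || payload."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    envelope = struct.pack(">Q", seq) + payload
    ciphertext = _xor(envelope, _keystream(enc_key, iv, len(envelope)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha1).digest()
    return tag + iv + ciphertext


class Receiver:
    """Verifies, decrypts and replay-checks packets arriving from one peer."""

    def __init__(self, enc_key, mac_key):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.last_seq = 0   # the first valid packet carries sequence number 1

    def unpack_packet(self, packet):
        if len(packet) < MAC_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("truncated packet")
        tag = packet[:MAC_LEN]
        iv = packet[MAC_LEN:MAC_LEN + IV_LEN]
        ciphertext = packet[MAC_LEN + IV_LEN:]
        # 1. Authenticate first, in constant time. A forged or bit-flipped packet
        #    is dropped here and never reaches the decryption or parsing code.
        expected = hmac.new(self.mac_key, iv + ciphertext, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad HMAC")
        # 2. Only now decrypt and look inside the envelope.
        envelope = _xor(ciphertext, _keystream(self.enc_key, iv, len(ciphertext)))
        seq = struct.unpack(">Q", envelope[:SEQ_LEN])[0]
        # 3. Replay protection: a sequence number already seen is rejected.
        if seq <= self.last_seq:
            raise ValueError("replayed packet %d" % seq)
        self.last_seq = seq
        return seq, envelope[SEQ_LEN:]


def demo():
    """Round-trip one packet, then feed the receiver a tampered copy and a replay."""
    enc_key, mac_key = os.urandom(32), os.urandom(20)
    rx = Receiver(enc_key, mac_key)
    pkt = pack_packet(enc_key, mac_key, 1, b"\x45\x00\x00\x1c constructed IPv4 packet")
    results = {"roundtrip": rx.unpack_packet(pkt)}
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01   # flip one bit of the ciphertext
    for name, candidate in (("tamper", bytes(tampered)), ("replay", pkt)):
        try:
            rx.unpack_packet(candidate)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order inside unpack_packet is the security-relevant part: the tag covers both the IV and the ciphertext, it is compared in constant time, and nothing is decrypted until it matches. Swapping steps 1 and 2 would hand an attacker a decryption oracle on the padding or framing of the envelope.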
Modes of operation
OpenVPN supports several modes of operation:
Preshared static keys
AuthN using X509 certificates
AuthN using username+password
Tunnelling mode (point-to-point, aka 'tun')
Ethernet mode (aka 'tap')
Ethernet bridging
Basic static key example

First, generate a static key:
$ openvpn --genkey --secret secret.key
Transfer the key to the remote end using a secure channel (e.g. scp).
Start the server/listener:
$ openvpn --ifconfig 10.200.0.1 10.200.0.2 \
    --dev tun --secret secret.key
And connect to it using the client:
$ openvpn --ifconfig 10.200.0.2 10.200.0.1 \
    --dev tun --secret secret.key \
    --remote openvpnserver.example.com
Note that in this mode the same static key protects every session for as long as it is in use: there is no key exchange and hence no forward secrecy, so whoever obtains secret.key can decrypt recorded traffic.
Setting up a PKI

- OpenVPN supplies the 'easy-rsa' scripts, which are wrappers around 'openssl ca' commands
- Other PKI solutions can also be used, provided they can supply PEM-encoded certificates and keys or PKCS#12 formatted files
Example usage of 'easy-rsa':
$ <edit vars file>
$ . ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server <servername>
$ ./build-key <clientname>
Basic X.509 example (server)

proto udp
port 1194
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60
user nobody
group nobody

The 'tls-auth' line adds an HMAC signature to every control-channel packet, so packets without a valid signature are dropped before they reach the TLS code; the server uses key direction 0 and the client direction 1. (1024-bit DH parameters were common in 2011; generate 2048-bit or larger today.)
Basic X.509 example (client)

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
Network topologies

OpenVPN 2.1 introduced a new keyword: topology subnet
Previously, each client was assigned a miniature /30 network:
◦ Server uses 10.8.0.0-10.8.0.3
◦ First client is assigned 10.8.0.4-10.8.0.7
◦ Second client is assigned 10.8.0.8-10.8.0.11, etc.
For the first client:
  10.8.0.4  /30 network address
  10.8.0.5  remote endpoint (virtual)
  10.8.0.6  actual client VPN IP
  10.8.0.7  /30 broadcast address
With 'topology subnet' each client is assigned only a single IP address: 10.8.0.2, 10.8.0.3, etc.
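The two allocation schemes, as an added Python example (not OpenVPN code): it returns the addresses a given peer gets under each topology and the number of clients a pool can hold. It assumes the pool is the whole 'server' network and that index 0 is the server's own block, as on the slide; in the server's /30 the two middle addresses have the opposite roles (.1 is the server's own IP, .2 its virtual peer).

```python
import ipaddress


def net30_block(server_net, index):
    """Legacy 'topology net30': every peer gets a /30.
    Returns (network address, remote endpoint, VPN IP, broadcast) for a client
    block; index 0 is the server's block, where .1 is the server and .2 its peer."""
    net = ipaddress.ip_network(server_net)
    base = int(net.network_address) + 4 * index
    if base + 3 > int(net.broadcast_address):
        raise ValueError("net30 pool exhausted at index %d" % index)
    return tuple(ipaddress.ip_address(base + i) for i in range(4))


def subnet_ip(server_net, index):
    """'topology subnet': one address per peer; the server takes the first usable
    address (index 0), the first client the next one, and so on."""
    net = ipaddress.ip_network(server_net)
    addr = int(net.network_address) + 1 + index
    if addr >= int(net.broadcast_address):
        raise ValueError("subnet pool exhausted at index %d" % index)
    return ipaddress.ip_address(addr)


def capacity(server_net):
    """How many clients each topology can serve from the same pool: net30 burns
    four addresses per peer (minus the server's block), subnet only one
    (minus network, broadcast and the server's own address)."""
    n = ipaddress.ip_network(server_net).num_addresses
    return {"net30": n // 4 - 1, "subnet": n - 3}


def describe(server_net, client_index):
    """Human-readable comparison for one client, e.g. for a 'push' or firewall rule."""
    net, endpoint, vpn_ip, bcast = net30_block(server_net, client_index)
    return {
        "net30": "%s/30: endpoint %s, client IP %s, broadcast %s" % (net, endpoint, vpn_ip, bcast),
        "subnet": "client IP %s" % subnet_ip(server_net, client_index),
    }


if __name__ == "__main__":
    print(describe("10.8.0.0/24", 1))
    print(capacity("10.8.0.0/24"))
```

The capacity figures are the practical reason to prefer 'topology subnet': the same /24 serves 63 clients under net30 but 253 under subnet, and firewall rules can match a client on a single address instead of a /30.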
'tun' versus 'tap'

OpenVPN supports two transport modes:
◦ 'tun' mode:
    ◦ Creates a mini point-to-point connection to each client
    ◦ Only the IP packet is carried: link-layer headers are stripped on the way in and new ones added on the way out
    ◦ Can support IP protocols only (TCP, UDP, ICMP, IPsec, GRE)
◦ 'tap' mode:
    ◦ Passes full Ethernet frames between client and server
    ◦ Great for supporting non-IP protocols
    ◦ Slightly higher overhead
    ◦ Server and clients form a single broadcast domain
Bridging

'tap' mode allows the creation of a full Ethernet bridge:
◦ A regular network interface and a 'tap' interface are bridged
◦ All traffic which enters on one interface is copied out to the other interface
◦ Result: the LAN and the VPN form a single broadcast domain; great for multi-player gaming!
◦ A second advantage is that the VPN clients can be incorporated almost fully into the server-side LAN (e.g. they can use the same DHCP server)
◦ Downside: performance! Even the throughput of the LAN interface is affected, as all incoming traffic is ALWAYS copied over to the 'tap' interface
Bridging example (server)

proto udp
port 1194
dev tap0
server-bridge 10.8.0.100 255.255.255.0 10.8.0.101 10.8.0.140
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60
user nobody
Routing and masquerading

A VPN is one thing, routing traffic over it is another: 80+ % of all OpenVPN support questions are about routing.
Most commonly used trick (on Linux servers):
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -I FORWARD -i tun+ -j ACCEPT
$ iptables -I FORWARD -o tun+ -j ACCEPT
$ iptables -t nat -I POSTROUTING -o eth0 \
    -j MASQUERADE
Masquerading hides the VPN clients behind the server's eth0 address, so LAN hosts need no route back to the VPN subnet; the price is that LAN-side logs and firewall rules no longer see individual VPN clients. Adding a route for the VPN subnet on the LAN gateway instead avoids that.
Smart card support

- Two-factor authentication: you can connect to my system based on something you KNOW (a password) and something you HAVE (a smart card)
- OpenVPN supports the PKCS#11 interface
- Any smart card or hardware security device with a PKCS#11 interface can be used (in theory...)
- However: PKCS#11 support on Linux (and MacOS) is far from perfect
- Known to work:
◦ Aladdin eToken PRO (now SafeNet)
◦ Feitian ePass
PKCS#11 example (client)

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca ca.crt
pkcs11-providers etpkcs11.dll
pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/001a0ab6/Jan\\x20Just\\x20Keijser/39453945373335312D333545442D343031612D384637302D3238463636393036363042303A30"
tls-auth ta.key 1
Scripting (1)

OpenVPN offers several ways to influence what happens when a client connects or disconnects, both on the server side and on the client side.
On the client side the following scripts are run when the client connects:
◦ 'up': when the virtual interface is brought up
◦ 'route-up': when routes need to be added to the local routing tables
Similarly, when the client disconnects:
◦ 'down': when the virtual interface is taken down
Scripting (2)

On the server side the following scripts are run, in this order, when a client connects:
◦ 'tls-verify': verify the client's certificate chain; called once per certificate with the depth and subject as arguments
◦ 'auth-user-pass-verify': allows for authentication using username and password
◦ 'client-connect': allows you to write out configuration statements which are pushed out to the client
◦ 'learn-address add': when the client's VPN address becomes known
Similarly, when the client disconnects:
◦ 'learn-address delete'
◦ 'client-disconnect'
Scripting example (server)

...
script-security 2
# run when the server starts and shuts down
up sample-script.sh
route-up sample-script.sh
down sample-script.sh
# run when a client connects or disconnects
client-connect sample-script.sh
client-disconnect sample-script.sh
learn-address sample-script.sh
tls-verify sample-script.sh
auth-user-pass-verify sample-script.sh via-env

Note that 'via-env' hands the password to the script through the environment, which OpenVPN only permits with 'script-security 3'; with 'script-security 2' use 'via-file', where the credentials are written to a temporary file whose name is passed as the script's first argument. Either way the script must never pass the username or password through a shell.
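As an added example (not from the slides), here is one server-side hook script in Python that serves both the 'tls-verify' and the 'auth-user-pass-verify ... via-env' hooks from the two scripting slides. OpenVPN sets the environment variable script_type to the hook name ('tls-verify', 'user-pass-verify', ...), passes the certificate depth and subject as arguments to tls-verify, and with 'via-env' places the credentials in the variables username and password (plus common_name for the presented certificate); exit status 0 accepts, anything else rejects. The CA name 'OpenVPN-CA', the allowed client list, the credential table and the '/C=../O=../CN=..' subject form are assumptions of this example, not facts from the slides.

```python
#!/usr/bin/env python3
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000
CA_CN = "OpenVPN-CA"                     # assumption: CN of our own CA certificate
ALLOWED_CLIENTS = {"client1", "client2"}  # assumption: CNs permitted to connect


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store: username -> (salt, PBKDF2 hash). Never plaintext.
USERS = {
    "client1": (b"salt-client1", hash_password("correct horse battery staple", b"salt-client1")),
}


def check_password(username, password, users=USERS):
    """Constant-time comparison. Unknown users still cost one PBKDF2 run so the
    response time does not reveal which usernames exist."""
    salt, expected = users.get(username, (b"no-such-user", b"\x00" * 32))
    return hmac.compare_digest(hash_password(password, salt), expected) and username in users


def parse_subject(subject):
    """'/C=NL/O=Nikhef/CN=client1' -> {'C': 'NL', 'O': 'Nikhef', 'CN': 'client1'}
    (also accepts the 'C=NL, O=Nikhef, CN=client1' form)."""
    parts = subject.split("/") if subject.startswith("/") else subject.split(", ")
    return dict(p.split("=", 1) for p in parts if "=" in p)


def tls_verify(depth, subject, ca_cn=CA_CN, allowed=ALLOWED_CLIENTS):
    """Called once per certificate in the chain: CA first (depth > 0), leaf last
    (depth 0). Only our own CA may issue, and only listed CNs may connect; a valid
    certificate from any other CA in ca.crt is rejected here."""
    cn = parse_subject(subject).get("CN")
    if depth > 0:
        return cn == ca_cn
    return cn in allowed


def user_pass_verify(env):
    """Credentials must be valid AND belong to the certificate that presented them,
    so a stolen password cannot be combined with someone else's certificate."""
    username = env.get("username", "")
    return check_password(username, env.get("password", "")) and env.get("common_name") == username


def main():
    kind = os.environ.get("script_type", "")
    if kind == "tls-verify":
        ok = tls_verify(int(sys.argv[1]), sys.argv[2])
    elif kind == "user-pass-verify":
        ok = user_pass_verify(os.environ)   # nothing here ever touches a shell
    else:
        ok = True   # up/down/client-connect/learn-address: nothing to enforce
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

The two checks that scripts most often get wrong are both here: the password comparison is constant-time and hashed, and the username is tied to the certificate's common_name, so the two factors cannot be mixed and matched.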
Plugins

- Next to scripts, OpenVPN can also be extended using plugins
- Plugins can be inserted at almost all points where scripts are run
- Most common plugins are
◦ auth-pam: for authenticating users using PAM;
◦ down-root: for running a command as root when openvpn shuts down, after it has dropped privileges with 'user'/'group'.
- Why would you use a plugin?
◦ Speed: a plugin is a shared library called in-process, so no script has to be fork/exec'ed for every event
◦ Security: it's easy to make a mistake in a script which can be exploited, e.g. passing a client-supplied username through a shell.
Other features

- Different cipher algorithms for encryption
- Different digest algorithms for HMAC signing
- On-the-fly compression using 'lzo'
- Connect via a SOCKS proxy
- Connect via an HTTP proxy
- Share a VPN server with an HTTPS server on the same IP and port ('port-share')
- Management interface (on both client and server):
◦ View connected clients;
◦ View statistics;
◦ Disconnect clients.
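The three management-interface uses listed above, as an added Python example (not from the slides): it parses the 'status' output the server prints in its version-1 layout, computes traffic totals, and decides which sessions to drop with the 'kill' command. The status text below is constructed sample data using documentation addresses. The check it performs is one a practitioner wants on a server running with 'duplicate-cn': the same certificate (Common Name) in use from two real addresses at once, which usually means a client key has been copied.

```python
from collections import defaultdict

# Constructed sample in the layout of 'status' (version 1) on the management interface.
STATUS_SAMPLE = """OpenVPN CLIENT LIST
Updated,Wed May 11 10:00:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.0.2.10:51234,12345,67890,Wed May 11 09:00:00 2011
client2,198.51.100.7:40001,100,200,Wed May 11 09:30:00 2011
client1,203.0.113.5:33333,50,60,Wed May 11 09:55:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,192.0.2.10:51234,Wed May 11 09:59:00 2011
10.8.0.10,client2,198.51.100.7:40001,Wed May 11 09:58:00 2011
10.8.0.14,client1,203.0.113.5:33333,Wed May 11 09:59:30 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return the CLIENT LIST section as a list of dicts keyed by its header row."""
    clients, header, in_clients = [], None, False
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line in ("ROUTING TABLE", "GLOBAL STATS", "END"):
            in_clients = False
            continue
        if not in_clients or line.startswith("Updated,"):
            continue
        if header is None:
            header = line.split(",")
            continue
        fields = line.split(",", len(header) - 1)   # last field may contain commas
        if len(fields) == len(header):
            clients.append(dict(zip(header, fields)))
    return clients


def sessions_by_cn(clients):
    """Common Name -> list of real addresses currently connected with it."""
    by_cn = defaultdict(list)
    for client in clients:
        by_cn[client["Common Name"]].append(client["Real Address"])
    return dict(by_cn)


def duplicate_cn_sessions(clients):
    """Certificates in use from more than one real address at the same time."""
    return {cn: addrs for cn, addrs in sessions_by_cn(clients).items() if len(addrs) > 1}


def kill_commands(clients):
    """Management commands that drop every session of a duplicated CN.
    'kill host:port' targets one session; 'kill <cn>' would drop all of them."""
    return ["kill %s" % addr for addrs in duplicate_cn_sessions(clients).values() for addr in addrs]


def traffic_totals(clients):
    """(bytes received, bytes sent) summed over all connected clients."""
    received = sum(int(c["Bytes Received"]) for c in clients)
    sent = sum(int(c["Bytes Sent"]) for c in clients)
    return received, sent


if __name__ == "__main__":
    connected = parse_status(STATUS_SAMPLE)
    print("clients:", len(connected), "traffic:", traffic_totals(connected))
    for command in kill_commands(connected):
        print(command)
```

Without 'duplicate-cn' the server would already have dropped the older session when the second one connected, so this check is only informative when that option is set; in that case revoking the certificate (CRL) is the real fix, and 'kill' just buys time.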
Weaknesses

- Windows Vista/7/2008 support is lacking
- Support for IPv6 endpoints is still missing; tunnelling IPv6 traffic via either 'tun' or 'tap' mode is in 2.2
- Monolithic design: both a strength and a weakness, but it does affect scalability
- Throughput over gigabit links could be better
- Difficult to port to new OSes (such as smartphones): a 'tun' driver needs to be present (iPhone!)
Future developments

- Full IPv6 support is expected in 2.3 (beta: July)
- A grand, completely modular redesign is being worked on (OpenVPN 3.0)
- Improve negotiation capabilities between client and server; make client configuration as minimal as possible
- Improve Windows 7 support (esp. the tap-win32 driver)
- Add the ability to 'mimic' HTTPS traffic for ducking firewalls
- New transport protocols next to UDP and TCP:
◦ sctp
◦ ICMP