Virtual Private Networking with OpenVPN Wim Kerkhoff Fraser Valley Linux Users Group April 15, 2004

Virtual Private Networking with OpenVPN

Wim Kerkhoff

Fraser Valley Linux Users Group

April 15, 2004


FVLUG/OpenVPN presentation, April 2004 Wim Kerkhoff


The Basics: What is VPN?

Short for Virtual Private Network
Creates a private network over a public medium
Typically used for encrypting/securing traffic sent across the Internet between two locations
Can also be used for single hosts on a LAN (even a wireless one)
Nobody with access to the public network can see the traffic moving through the VPN – it looks like garbage


What does OpenVPN offer?

It’s Open Source (GPL), flexible, easy to set up
Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port
Cross platform (Linux, *BSD/OSX, Windows 2000/XP, Solaris)
Encryption provided via OpenSSL – tons of options/ciphers/etc
Can use a 2048 bit shared key or digital certificates (PKI)
Compression, traffic-shaping
Works nicely with restrictive firewalls


How is OpenVPN different from other VPN packages?

Only open source package that uses SSL
Doesn’t need a special kernel module, unlike FreeS/WAN. Only the generic TAP/TUN driver is needed
Very portable
Easy – lots of configuration examples
Traffic shaping per tunnel
Can support hundreds of tunnels
User-space: can co-exist with other networking packages, e.g. IPsec
Can connect through an HTTP proxy
Easier to set up on non-Win32 systems than PPTP


Modes

Routed IP tunnels (layer 3)
  More efficient than bridged Ethernet tunnels
  Easier to configure

Bridged Ethernet tunnels (layer 2)
  Can tunnel IP and non-IP traffic (IPX, NetBEUI, etc.)
  Both sides of the VPN see network broadcasts
  Required for some LAN games


Routed IP Tunnels

Possible topologies:
  Network <-> Network
  Network <-> Host
  Host <-> Network
  Host <-> Host

When doing VPNs between networks, an iptables script will have to be created to set up IP masquerading and some firewalling rules

Uses “TUN” mode
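The iptables script the slide refers to, as an added example that is not part of the talk or of OpenVPN itself: the forwarding, firewalling and masquerading rules a Linux gateway needs for a routed (TUN) network-to-network tunnel. All names are assumptions: eth0 is the public NIC, eth1 the LAN NIC, tun0 the OpenVPN interface, the local LAN is 192.168.1.0/24, the remote LAN 192.168.2.0/24, and OpenVPN listens on UDP 1194. The script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the talk): iptables/NAT rules for a Linux OpenVPN
# gateway running a routed (TUN) network <-> network tunnel.
# Assumed names: eth0 = public (WAN) NIC, eth1 = LAN NIC, tun0 = OpenVPN
# interface, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, UDP 1194.
# Commands are printed for review unless APPLY=1 is set (applying needs root).
set -e

: "${APPLY:=0}"

# Execute the command, or print it so the rule set can be checked first.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# vpn_firewall WAN_IF LAN_IF VPN_IF LAN_NET REMOTE_NET [PORT]
vpn_firewall() {
    wan=$1 lan=$2 vpn=$3 lan_net=$4 remote_net=$5 port=${6:-1194}

    # The gateway must forward packets between the LAN and the tunnel.
    run sysctl -w net.ipv4.ip_forward=1

    # The only hole on the public side is the OpenVPN port; everything the
    # LAN receives through it has already been authenticated and decrypted.
    run iptables -A INPUT -i "$wan" -p udp --dport "$port" -j ACCEPT

    # LAN hosts may open connections to the remote LAN through the tunnel and
    # replies are let back in statefully. Anything else arriving from the
    # tunnel for forwarding is dropped, so a compromised remote site cannot
    # initiate connections into this LAN.
    run iptables -A FORWARD -i "$lan" -o "$vpn" -s "$lan_net" -d "$remote_net" -j ACCEPT
    run iptables -A FORWARD -i "$vpn" -o "$lan" -s "$remote_net" -d "$lan_net" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$vpn" -j DROP

    # Masquerade LAN traffic onto the tunnel address so the remote site needs
    # no route back to LAN_NET. Leave this rule out when both sides exchange
    # routes (OpenVPN "route" on the remote side) so that remote logs keep
    # the real source addresses.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$vpn" -j MASQUERADE
}

# Print (or, with APPLY=1, apply) the rules for the assumed topology.
vpn_firewall eth0 eth1 tun0 192.168.1.0/24 192.168.2.0/24 1194
```

Run it once without APPLY to read the rules it would install, then as root with APPLY=1. The rules are appended to whatever INPUT and FORWARD policy is already in place; on a gateway with a default-DROP FORWARD chain the final `-i tun0 -j DROP` is redundant but harmless.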


Bridged Ethernet tunnel

Really just operates like a transparent Ethernet bridge. Hence, no special iptables, NAT magic, or routing is required
Uses “TAP” mode
Bridge tools (brctl) are required
Need to create a script to bind eth1 and tap0 together into a bridged device called br0
Then assign an IP to br0
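The bridge script described on this slide, as an added example that is not part of the talk or of OpenVPN itself. It uses the slide's names (eth1 for the LAN NIC, tap0 for the OpenVPN TAP device, br0 for the bridge); the bridge address 192.168.1.1/24 is an assumption. Like the routed example, it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the talk): bridge set-up for a bridged (TAP)
# OpenVPN endpoint on Linux. Names from the slide: eth1 = LAN NIC,
# tap0 = OpenVPN TAP device, br0 = bridge. Assumed bridge address
# 192.168.1.1/24. Run this from the console, not over an SSH session on
# eth1: eth1 loses its address the moment it becomes a bridge member.
# Commands are printed for review unless APPLY=1 is set (applying needs root).
set -e

: "${APPLY:=0}"

# Execute the command, or print it so the steps can be checked first.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# bridge_up LAN_IF TAP_IF BRIDGE ADDR/PREFIX
bridge_up() {
    lan=$1 tap=$2 br=$3 addr=$4

    # Create a persistent TAP device; the OpenVPN config then uses "dev tap0".
    run openvpn --mktun --dev "$tap"

    # Bridge members carry no address of their own and must be up and
    # promiscuous so that every frame reaches the bridge.
    run ip addr flush dev "$lan"
    run ip link set "$lan" up promisc on
    run ip link set "$tap" up promisc on

    # Build the bridge and bind both interfaces to it (bridge-utils).
    run brctl addbr "$br"
    run brctl addif "$br" "$lan"
    run brctl addif "$br" "$tap"

    # The gateway's LAN address now lives on the bridge, not on eth1.
    run ip addr add "$addr" dev "$br"
    run ip link set "$br" up
}

# bridge_down LAN_IF TAP_IF BRIDGE: undo the steps above in reverse order.
bridge_down() {
    lan=$1 tap=$2 br=$3
    run ip link set "$br" down
    run brctl delif "$br" "$tap"
    run brctl delif "$br" "$lan"
    run brctl delbr "$br"
    run ip link set "$lan" promisc off
    run openvpn --rmtun --dev "$tap"
}

# Usage: sh bridge.sh [up|down]   (add APPLY=1 to actually run the commands)
case "${1:-up}" in
    up)   bridge_up   eth1 tap0 br0 192.168.1.1/24 ;;
    down) bridge_down eth1 tap0 br0 ;;
esac
```

Because the bridge forwards every Ethernet frame, including broadcasts, between eth1 and the tunnel, the far end of the VPN is effectively plugged into the local LAN; any LAN-level filtering that is wanted has to be done with ebtables or on the hosts, since the iptables rules from the routed set-up never see bridged frames.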


OpenVPN on Windows XP/2000

Double click installer
Can be configured as a Windows Service that starts on boot
Some simple configuration changes in the .ovpn config file
Just need to put the shared key or certificates in


OpenVPN 2.0 Beta Series

Can handle multiple UDP clients using a single UDP port

Can support thousands of clients depending on hardware and network connection

Has DHCP-like mechanism to push/pull specific settings to clients

Better multithreading/SMP support

Can run with least privileges


Beyond OpenVPN 2.0

True point-to-multipoint

Use a dynamic routing protocol to route through a larger and more complicated VPN cloud

Reduce the need to route through a central server/office to access a system in another branch office


Conclusions…

Definitely the way to go for anything VPN using Windows clients

Way easier to set up than IPsec on either Windows or Linux

Stable/Reliable

OpenVPN website: http://openvpn.sf.net