Virtual Private Networking with OpenVPN
Wim Kerkhoff
Fraser Valley Linux Users Group
April 15, 2004
FVLUG/OpenVPN presentation, April 2004 Wim Kerkhoff
The Basics: What is VPN?
- Short for Virtual Private Network
- Creates a private network over a public medium
- Typically used for encrypting/securing traffic sent across the Internet between two locations
- Can also be used for single hosts on a LAN (even a wireless one)
- Nobody with access to the public network can see the traffic moving through the VPN; to them it looks like garbage
What does OpenVPN offer?
- It's Open Source (GPL), flexible, easy to set up
- Can tunnel any IP (layer 3) or Ethernet (layer 2) traffic over a single UDP or TCP port
- Cross platform (Linux, *BSD/OSX, Windows 2000/XP, Solaris)
- Encryption provided via OpenSSL: tons of options/ciphers/etc
- Can use a 2048 bit shared key or digital certificates (PKI)
- Compression, traffic-shaping
- Works nicely with restrictive firewalls
How is OpenVPN different from other VPN packages?
- Only open source package that uses SSL
- Doesn't need a special kernel module, unlike FreeS/WAN. Only the generic TAP/TUN driver is needed
- Very portable
- Easy: lots of configuration examples
- Traffic shaping per tunnel
- Can support hundreds of tunnels
- User-space: can co-exist with other networking packages, e.g. IPsec
- Can connect through an HTTP proxy
- Easier to set up on non-Win32 systems than PPTP
Modes
- Routed IP tunnels (layer 3)
  - More efficient than bridged Ethernet tunnels
  - Easier to configure
- Bridged Ethernet tunnels (layer 2)
  - Can tunnel IP and non-IP traffic (IPX, NetBEUI, etc)
  - Both sides of the VPN see network broadcasts
  - Required for some LAN games
Routed IP Tunnels
- Possible topologies: Network <-> Network, Network <-> Host, Host <-> Network, Host <-> Host
- When doing VPNs with networks, an iptables script will have to be created to set up IP Masquerading and some firewalling rules
- Uses "TUN" mode
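The iptables script mentioned above, as an added example that is not part of the slides: it sets up forwarding and NAT for a Network <-> Network routed tunnel on the Linux gateway. The interface names (eth0 for the LAN, eth1 for the Internet, tun0 for OpenVPN), the two private subnets and UDP port 1194 are assumptions; change them to match your site. By default the script only prints the commands so they can be reviewed; run it with APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example (not from the slides): firewall/NAT rules for a routed
# network <-> network OpenVPN tunnel. Interface names, subnets and the
# port below are assumptions; adjust them for your gateway.
LAN_IF=eth0                 # interface facing the local LAN
WAN_IF=eth1                 # interface facing the Internet
VPN_IF=tun0                 # the OpenVPN tun device
LOCAL_NET=192.168.1.0/24    # LAN behind this gateway
REMOTE_NET=192.168.2.0/24   # LAN behind the other end of the tunnel
VPN_PORT=1194               # UDP port OpenVPN listens on

# Print each command; execute it only when APPLY=1 is set in the environment,
# so the rule set can be reviewed before it touches the running kernel.
run() {
    echo "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

vpn_rules() {
    # Let the kernel forward packets between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
    # Accept the OpenVPN channel from the Internet on its single UDP port.
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # Forward only between the LAN and the tunnel, and only for the two
    # private subnets, in both directions; everything else stays blocked.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # LAN hosts going to the Internet are masqueraded behind the WAN address.
    # Traffic into the tunnel keeps its private source address, so the
    # remote LAN can answer directly; only masquerade on $VPN_IF as well if
    # the far side has no route back to $LOCAL_NET (e.g. a Host <-> Network setup).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -j MASQUERADE
    # Route the remote LAN into the tunnel. OpenVPN's "route" config
    # directive can install this for you; shown here for a manual setup.
    run route add -net "$REMOTE_NET" dev "$VPN_IF"
}

vpn_rules
```

Review the printed rules first, then run `APPLY=1 sh vpn-rules.sh` as root; the FORWARD rules are deliberately narrow so that the tunnel does not become a path from the Internet into the LAN.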
Bridged Ethernet tunnel
- Really just operates like a transparent Ethernet bridge. Hence, no special iptables, NAT magic, or routing is required
- Uses "TAP" mode
- Bridge tools (brctl) are required
- Need to create a script to bind eth1 and tap0 together into a bridged device called br0
- Then assign an IP to br0
OpenVPN on Windows XP/2000
- Double click installer
- Can be configured as a Windows Service that starts on boot
- Some simple configuration changes in the .ovpn config file
- Just need to put the shared key or certificates in
OpenVPN 2.0 Beta Series
- Can handle multiple UDP clients using a single UDP port
- Can support thousands of clients depending on hardware and network connection
- Has DHCP-like mechanism to push/pull specific settings to clients
- Better multithreading/SMP support
- Can run with least privileges
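An added example, not from the slides, that ties the Windows client slide and the 2.0 slide together: a script that writes a 2.0-style multi-client server config (single UDP port, pushed route, least-privilege options) and the matching .ovpn for a Windows client using certificates. The hostname vpn.example.com, the 10.8.0.0/24 client pool, the 192.168.1.0/24 office LAN and the certificate file names are assumptions; the directive names are standard OpenVPN 2.0 options.

```shell
#!/bin/sh
# Added example (not from the slides): generate an OpenVPN 2.0 server config
# and a Windows client .ovpn. All names and addresses are assumptions.
SERVER_HOST=vpn.example.com          # public name the clients connect to
VPN_SUBNET="10.8.0.0 255.255.255.0"  # pool from which clients get addresses
OFFICE_LAN="192.168.1.0 255.255.255.0"

server_config() {
    cat <<EOF
port 1194
proto udp
dev tun
# PKI files made with the easy-rsa scripts shipped with OpenVPN
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# 2.0 multi-client mode: many clients on one UDP port, one address each
server $VPN_SUBNET
# DHCP-like push: every client learns the route to the office LAN
push "route $OFFICE_LAN"
keepalive 10 120
comp-lzo
# Least privilege: drop root once the tun device and keys are open.
# persist-key/persist-tun keep them usable across restarts after the drop.
# (Use "group nobody" on distributions without a nogroup group.)
user nobody
group nogroup
persist-key
persist-tun
EOF
}

client_config() {
    cat <<EOF
# Windows client: save as laptop.ovpn in the OpenVPN config folder together
# with the certificate files; the service starts it on boot.
client
dev tun
proto udp
remote $SERVER_HOST 1194
ca ca.crt
cert laptop.crt
key laptop.key
# Verify that the peer certificate was issued as a server certificate
ns-cert-type server
comp-lzo
persist-key
persist-tun
EOF
}

# Usage: sh mkconfig.sh server > server.conf
#        sh mkconfig.sh client > laptop.ovpn
case "${1:-}" in
    server) server_config ;;
    client) client_config ;;
    *)      echo "usage: $0 {server|client}" >&2 ;;
esac
```

The client pulls the pushed route automatically because `client` implies `pull`; nothing on the Windows side needs editing when the office subnet changes. The server-side `user`/`group` drop is the "least privileges" point from the slide: a flaw in the daemon after startup then runs as nobody, not root.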
Beyond OpenVPN 2.0
True point-to-multipointUse a dynamic routing protocol to route
through a larger and more complicated VPN cloud
Reduce need to get route through a central server/office to access a system in another branch office
Conclusions…
- Definitely the way to go for anything VPN using Windows clients
- Way easier to set up than IPSec on either Windows or Linux
- Stable/Reliable
- OpenVPN website: http://openvpn.sf.net