Adventures with OpenVPN

Tunneling over the network

Paul Waring

What is a VPN?

• Virtual Private Network
• Tunnel through one network to another (e.g. home over Internet to office)
• Dedicated connection
• Independent IP address space
• Security usually a main feature

Why run a VPN?

• Because your supervisor/manager tells you to
• Secure communications over an insecure network
• Access resources on internal networks which are using NAT
• Off-campus access to subscription materials
• Auditing
• Utilise free wireless points

VPN software

• OpenVPN
• OpenSSH
• As of version 4.2 (4.4 for full support)
• Supports tun devices
• Cisco
• Microsoft
• Various others
• Wikipedia has the full list

Why OpenVPN?

• (Mostly) free software
• OpenVPN itself is under GPL v2
• Windows binary distribution includes some files which are non-free
• OpenSSL is dual-licensed
• Commercial licences available if you want them
• Relatively easy to get going
• Clients for Windows, Mac OS X, GNU/Linux and *BSD
• Available as a package for Debian and other distributions

Routing

• Virtual point to point interface (tun device)
• Default option
• Simple to set up (default config will generally suffice)
• Largely works "out of the box"
• Good enough for most purposes
• Doesn't allow broadcasts

Bridging

• Virtual ethernet adapter (tap device)
• Actually become a part of the network
• Can capture ethernet frames
• Allows broadcasting across the network
• Bit tricky to get working
• Doesn't work "out of the box"
• Scripts required to bridge ethernet devices
• Necessary if you want to use auto-discover with Bonjour/Rendezvous

Additional features

• Same certificate for all clients (not recommended!)
• Force all traffic to be routed through VPN
• Bi-authentication (client->server and server->client)
• Clients can talk to other clients (or not)
• Push resolver information to clients
• Use UDP (default) or TCP
• Wide range of authentication methods

Authentication methods

• Pre-shared secret key
• Certificates
• Recommended method
• No need for accounts on the server
• Support for PAM (and therefore lots of other mechanisms)
• Combination of the above
• Anything else you can write a plugin for

Gotchas

• Overlapping address ranges
• Resolver information not always propagated to clients
• DHCP requests may cross networks
• Support can vary across operating systems
• iptables forwarding rules
• Fast (20+Mb/s) connections might cause problems
• Not IPsec compatible
• Debian init script tries to load:
  /etc/openvpn/*.conf

Further reading

• Linux Networking Cookbook (Carla Shroder) has a chapter on OpenVPN
• OpenVPN: Building and Integrating Virtual Private Networks (Markus Feilner)
• Different Flavours of VPN: Technology and Applications (Victor Olifer) - JANET document