Tutorials creation:
Blaise Carrera
OPENVPN - The Easy Tutorial - Introduction

Last Change : Feb 04 2011





OPENVPN

Created in 2002, OpenVPN is an open source tool used to build site-to-site and remote-access VPNs, secured either with the SSL/TLS protocol or with a pre-shared static key. Its role is to tunnel the data securely through a single TCP or UDP port over an untrusted network such as the Internet, and thus to establish VPNs.

[Picture: OpenVPN tunnel]

EASINESS

The big strength of OpenVPN is that it is extremely easy to install and configure, which is rarely the case for tools used to create VPNs.

PORTABILITY

OpenVPN can be installed on nearly any platform including Linux, Windows 2000/XP/Vista, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.
The Linux systems must have a 2.4 kernel or higher. The configuration principle remains the same on any platform.

CLIENT/SERVER ARCHITECTURE

OpenVPN is based on a client/server architecture. It must be installed at both ends of the tunnel; one end is designated as the server, the other as the client.

TUNNELLING

OpenVPN carries the tunnel over a single TCP or UDP connection and encrypts the data inside it.
OpenVPN's default port is UDP 1194, an official port number assigned by IANA. Any other TCP or UDP port can be used, and since release 2.0 a single port on the server can serve several clients, each with its own tunnel.

SECURITY MODES:

With static keys the two VPN gateways share one secret key, used both to encrypt and to decrypt the data. The configuration is very simple, but the key has to be delivered out of band, over a secure channel, to the party at the other end of the tunnel; the same key serves for authentication and encryption, and it is never renewed, so the compromise of either end exposes all traffic ever exchanged with that key.
A Public Key Infrastructure (PKI) solves this problem. Each party owns two keys, a public key known to everybody and a private key kept secret. OpenSSL, the free and open source SSL/TLS implementation integrated in OpenVPN, uses this to authenticate the VPN peers before negotiating the session keys and starting the data encryption.

Let's see the advantages of the two modes:

OpenVPN mode               Pre-shared (static) key        SSL/TLS
Cryptography               Symmetric                      Asymmetric (handshake) + symmetric (data)
Implementation             Easier                         Harder
Speed                      Quicker (no handshake)         Slower (handshake and renegotiation)
CPU consumption            Smaller                        Higher
Manual key exchange        YES                            NO
Encryption key renewal     NO                             YES
Per-peer authentication    NO (anyone holding the key)    YES (certificates)

Note that once the tunnel is up both modes encrypt the data with a symmetric cipher; the extra cost of SSL/TLS is the public-key handshake at connection time and at each periodic key renegotiation.
In the next section, we will focus our explanations on OpenVPN in SSL mode (asymmetric cryptography) which is recommended over the pre-shared mode (symmetric cryptography).

BRIDGING/ROUTING

You can choose to build either Ethernet (Bridged) or IP (Routed) VPNs with the help of, respectively, the TAP or TUN network drivers. TAP/TUN are available on all the platforms and are already bundled with the Linux 2.4 kernel or higher.

OPTIONS

The OpenVPN options matter a great deal: for example the server can push network routes to the client, or hand out tunnel addresses to clients much like a DHCP server does (the server and ifconfig-pool options).
Have a look at the OpenVPN man page for details.
Check the OpenVPN tutorial to learn how to configure OpenVPN, or continue below with the explanations of the SSL protocol.
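As an added example (not taken from the page or from the OpenVPN project), here are the two security modes side by side as minimal OpenVPN 2.x configuration files, together with the server-side address pool and route push mentioned above. The file names, the tunnel and LAN addresses and the hostname vpn.example.org are assumptions.

```conf
##### static.conf (server end): pre-shared static key mode
# The key file is generated once with:  openvpn --genkey --secret static.key
# and copied to the peer over a secure channel. One key for both directions,
# never renewed: losing either end exposes all past and future traffic.
dev tun
proto udp
port 1194
# local tunnel address, then the remote one
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
# HMAC algorithm for the data channel
auth SHA256
keepalive 10 60
persist-key
persist-tun
# drop privileges once the tunnel is up
user nobody
group nogroup

##### server.conf: SSL/TLS (PKI) mode
dev tun
proto udp
# one port serves every client (OpenVPN >= 2.0)
port 1194
# acts like a DHCP server for the tunnel subnet: clients get 10.8.0.x
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# extra HMAC on the control channel; the server uses direction 0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
# pushed to every client: the LAN behind the server (assumed 192.168.10.0/24)
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

##### client.conf: SSL/TLS (PKI) mode
client
dev tun
proto udp
remote vpn.example.org 1194
nobind
ca ca.crt
cert client1.crt
key client1.key
# same key as the server, direction 1
tls-auth ta.key 1
# refuse a peer that presents a client certificate as if it were the server
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
```

The two checks a practitioner should not skip are `remote-cert-tls server` on the client (without it any holder of a client certificate from the same CA can impersonate the server) and `user`/`group` on both ends, which is what gives OpenVPN the "limited rights" advantage over a kernel-space IPSec stack discussed later on this page.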

Let's look at network and security key concepts to understand better the OpenVPN tool.




SSL

INTRODUCTION:

For many years, IPSec was the only security protocol available to secure site-to-site or client-to-site VPNs. Fortunately this has changed with the arrival of SSL. Originally used to secure specific protocols such as HTTP, SSL can now secure any application and encrypt TCP or UDP tunnels to create site-to-site or client-to-site VPNs.
In this tutorial we will focus on SSL site-to-site VPNs built with an excellent tool called OpenVPN.

SSL DESCRIPTION:

SSL (Secure Sockets Layer) was created by Netscape in the 1990s. Two SSL versions were released, v2 (1995) and v3 (1996). The protocol was then taken over and updated by the IETF, which renamed it TLS (Transport Layer Security): TLS 1.0 is RFC 2246 (1999), TLS 1.1 is RFC 4346 (2006) and TLS 1.2 is RFC 5246 (2008).
The word SSL is commonly used to designate both the SSL and TLS protocols. At the time of writing the latest version is TLS 1.2; SSL v2 is broken and should be disabled everywhere.

SSL GOALS:

The two main SSL goals are the following:

- Authenticate the server and the client using the Public Key Infrastructure (PKI).
- Provide an encrypted connection for the client and server to exchange messages.

SSL AND THE OSI MODEL:

Where does the SSL protocol sit in the OSI model?
The standard OSI model has seven layers, while the four-layer model matches the TCP/IP architecture used by the large majority of applications more closely.

SSL sits between the application and transport layers and encrypts the application-layer data; the TCP/IP headers underneath it stay in clear.

[Picture: OSI model, TCP/IP model and the position of SSL/OpenVPN]

TYPES OF SSL VPN:

In the past SSL was used with specific applications such as HTTP; for some years now it has been able to secure the transactions of any application over the Internet and to create encrypted tunnels (VPNs) in the same way IPSec does.

Two types of SSL VPN exist:
- Client-to-server (remote access) VPNs, where a web browser such as Firefox is often all the client needs.
- Site-to-site VPNs, where dedicated software such as OpenVPN is required.

SSL PROCESS:

Here are the four SSL/TLS sub-protocols and what each one does:

SSL Handshake:           negotiate the cipher suite, authenticate the peers and establish the session keys
SSL Change Cipher Spec:  signal that the negotiated cipher suite and keys now take effect
SSL Alert:               convey SSL error and closure messages between client and server
SSL Record:              carry the encrypted and integrity-protected application data



VPN PRINCIPLES:

VPN (Virtual Private Network) designates an encrypted tunnel between two devices over an untrusted network, typically the Internet.
The VPN joins the two local networks behind the VPN devices into a single private network.
The word VPN is used for site-to-site as well as client-to-server secure links. As a reminder, we use OpenVPN here to build site-to-site VPNs.

To be considered secure, a VPN must provide the following key properties:

- Confidentiality (privacy):
  The data cannot be read by a third party.
  Typical symmetric cipher algorithms: DES, 3DES, AES, Blowfish (DES is obsolete; prefer AES).

- Integrity:
  The data cannot be altered without detection.
  Typical hash functions, used inside an HMAC: SHA-1, MD5 (both superseded by SHA-256 and above for new deployments).

- Authentication:
  Each VPN gateway is sure of the identity of the other.
  Typical algorithms: RSA (certificates and signatures), used together with Diffie-Hellman (DH) for the key agreement.
The picture below shows the state of a packet when travelling inside the LAN and inside the VPN.

[Picture: OpenVPN packet layout, LAN versus VPN]

Note that a VPN is not the same thing as a VPS (virtual private server).



OPENSSL:

OpenVPN uses OpenSSL, a free and open source SSL/TLS implementation, for its encryption and authentication tasks. OpenSSL is a toolkit composed of:
- the SSL/TLS library,
- the crypto library,
- the openssl command line tool.

The crypto library implements a wide range of cryptographic algorithms, such as:
- Symmetric ciphers: Blowfish, DES, 3DES, AES, etc.
- Public-key algorithms: RSA, DSA, Diffie-Hellman
- Certificates: X.509
- Hash functions and MACs: MD5, SHA-1, SHA-2, HMAC



IPSEC - SSL COMPARISON:

SSL and IPSec share the same goal: create VPNs, that is encrypt the traffic between two devices, using largely the same cryptographic algorithms. But as you will see, the way they accomplish this is very different.
IPSec and SSL are of course not compatible with each other.

Let's look first at a basic SSL-IPSec comparison table.

                      IPSEC                          SSL
RFC:                  2401                           4346 (TLS 1.1)
OSI position:         Internet (network) layer       Between transport and application layers
Software location:    Kernel space                   User space
Installation:         Vendor non-specific            Vendor specific
Configuration:        Complex                        Simple
NAT:                  Problematic                    No problem
Firewall:             Not friendly                   Friendly
Interoperability:     YES                            NO
Some more explanations about the comparison table:

IPSec is a layer 3 protocol. Implementing it requires modifying the IP stack in the kernel space of the IPSec device. Because of this kernel-level change, each operating system (Cisco IOS, Windows, Nortel, Linux, etc.) needs its own IPSec implementation.

OpenVPN behaves much more like a standard application. It is implemented in user space and is therefore more secure and more portable:

- Secure: with IPSec the software is closely linked with the kernel, so a crash in it can bring down the kernel and thus the whole system, and a successful exploit gives the attacker kernel, in other words root, access. OpenVPN is completely separated from the kernel and runs as a dedicated user with limited rights only (the user and group options), so a compromise of the process is contained.
- Portable: OpenVPN can be installed on virtually any platform, which saves time because you always have the same software to configure.
A very common problem with IPSec is the need to change firewall rules to permit the protocol (IP protocols 50 and 51 plus UDP 500, rather than an ordinary TCP/UDP port) and its difficulties with address translation (NAT); the latter has been partially solved by NAT Traversal (NAT-T, which encapsulates ESP in UDP 4500).
Read details about problems associated with Using IPSec over NAT.

With OpenVPN you just need to open one TCP or UDP port on the firewall, if it is not already open. OpenVPN can even work through HTTP proxy servers, meaning no firewall change at all.
Since SSL does not touch the IP layer, NAT is no problem: the outer IP and UDP/TCP headers can be rewritten freely, because OpenVPN's integrity check only covers the tunnelled data, not the outer headers.
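The following Python script is an added illustration (not code from the page, from OpenVPN or from any IPSec stack) of two things discussed on this page: the integrity property from the VPN key concepts above, and the "NAT: Problematic / No problem" row of the comparison table. It builds a minimal IPv4 header, computes an HMAC-SHA1 integrity tag the way AH does (over the IP header with mutable fields zeroed, plus the payload) and the way a UDP tunnel does (over the tunnelled data only), then simulates a NAT gateway rewriting the source address. The key, the addresses and the payload are constructed for the example; the AH variant is simplified (no 96-bit truncation, no sequence number).

```python
"""Integrity under NAT: AH-style ICV versus an OpenVPN-style UDP tunnel."""
import hashlib
import hmac
import socket
import struct
from typing import Optional, Tuple

KEY = b"constructed-demo-key-never-reuse"   # assumption: shared HMAC key
TAG_LEN = hashlib.sha1().digest_size        # 20 bytes


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; header checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def nat_rewrite(header: bytes, new_src: str) -> bytes:
    """What a NAT gateway does: replace the source address (bytes 12..15)."""
    return header[:12] + socket.inet_aton(new_src) + header[16:]


def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH-style ICV: HMAC over the header with mutable fields (TTL, checksum)
    zeroed, then the payload.  Addresses are not mutable in AH, so they are covered."""
    h = bytearray(header)
    h[8] = 0                  # TTL changes at every hop
    h[10:12] = b"\x00\x00"    # header checksum is recomputed at every hop
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()


def ah_verify(header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(header, payload), icv)


def tunnel_seal(inner_packet: bytes) -> bytes:
    """OpenVPN-style: tag || inner packet, HMAC only over the tunnelled data."""
    return hmac.new(KEY, inner_packet, hashlib.sha1).digest() + inner_packet


def tunnel_open(udp_payload: bytes) -> Optional[bytes]:
    """Return the inner packet, or None if the tag does not verify."""
    tag, inner = udp_payload[:TAG_LEN], udp_payload[TAG_LEN:]
    expected = hmac.new(KEY, inner, hashlib.sha1).digest()
    return inner if hmac.compare_digest(expected, tag) else None


def demo() -> Tuple[bool, bool, bool]:
    """Returns (AH ok before NAT, AH ok after NAT, tunnel ok after NAT)."""
    payload = b"constructed inner data"

    # (1) AH-like packet leaving a LAN host: the ICV covers the private source address.
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", 51, len(payload))
    icv = ah_icv(hdr, payload)
    ah_ok_before_nat = ah_verify(hdr, payload, icv)
    ah_ok_after_nat = ah_verify(nat_rewrite(hdr, "198.51.100.7"), payload, icv)

    # (2) OpenVPN-like: the whole inner IP packet is sealed, then carried in UDP 1194.
    inner = ipv4_header("192.168.1.10", "10.0.0.20", 6, len(payload)) + payload
    udp_payload = tunnel_seal(inner)
    outer = ipv4_header("192.168.1.10", "203.0.113.5", 17, 8 + len(udp_payload))
    outer = nat_rewrite(outer, "198.51.100.7")   # NAT only touches the outer header
    tunnel_ok_after_nat = (tunnel_open(udp_payload) == inner
                           and outer[12:16] == socket.inet_aton("198.51.100.7"))

    return ah_ok_before_nat, ah_ok_after_nat, tunnel_ok_after_nat


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The first result shows AH working on an untranslated path, the second shows the same packet failing its integrity check after one NAT rewrite of the source address, and the third shows that the tunnel tag is unaffected because the NAT never sees, let alone modifies, the data it covers. ESP in tunnel mode behaves like case (2) for its own payload, which is why NAT-T (ESP inside UDP 4500) is enough to get ESP through a NAT while AH cannot be rescued that way.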

Building a site-to-site SSL tunnel is much simpler than with IPSec. The complexity of IPSec configurations often leads to security holes or misconfigurations, even when they are built by a network administrator. Furthermore, IPSec configurations differ from one manufacturer to the next, whereas with SSL and OpenVPN the configuration is very similar on any system.

The big advantage of IPSec remains that it can be used on virtually any manufacturer's equipment supporting its RFCs. For example, it is normally possible to establish a VPN between a Cisco and a Nortel router. "Normally", because experience has shown that even when the different manufacturers are supposed to respect the IPSec standards, compatibility problems still occur.
With OpenVPN it is of course not possible to install the software on the equipment of major manufacturers such as Cisco, Checkpoint, Juniper or Nortel.

SSL has progressed very quickly in the client-to-server VPN segment compared to IPSec and will progressively replace it there.
In the site-to-site VPN segment the situation is different because, as explained immediately above, there are for the moment no standards (RFCs) for building site-to-site SSL VPNs on closed-source devices such as Cisco's. As the large majority of site-to-site VPNs are built on closed-source devices, IPSec remains for the moment the king of this sector.



IPSEC:

IPSec can be composed of one or both of the following layer 3 protocols: ESP (IP protocol 50, RFC 2406) and AH (IP protocol 51, RFC 2402). ESP provides confidentiality and, optionally, integrity; AH provides integrity and origin authentication only, with no confidentiality.

Two protocols are closely linked with IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409).
ISAKMP (Internet Security Association and Key Management Protocol) is the framework used to establish security associations, and IKE (Internet Key Exchange) performs the automatic key exchange on UDP port 500 (UDP port 4500 when NAT Traversal is in use).