Difference between revisions of "OpenVPN"

From Secure Computing Wiki
(DH Param Notes)
(47 intermediate revisions by 13 users not shown)

Previous revision:

here is an example from ##OpenVPN on freenode.

The user had the following in his server.conf:

<blockquote>
<p>
push "route 192.168.2.0 255.255.255.0" <br>
route 192.168.1.0 255.255.255.0 <br>
route 192.168.3.0 255.255.255.0 <br>
route 192.168.4.0 255.255.255.0 <br>
route 192.168.5.0 255.255.255.0 <br>
route 192.168.6.0 255.255.255.0 <br>
route 192.168.7.0 255.255.255.0 <br>
client-to-client
</p>
</blockquote>

The push route means that he is telling his server to let ALL clients know that they should add an entry to their routing table routing 192.168.2.0/24 through their VPN. That is because 192.168.2.0/24 is a LAN behind his VPN server, which the clients should be able to communicate with.

The route entries are telling his server to add a route for each of .1.0, .3.0, .4.0, .5.0, .6.0 and .7.0 to its kernel's routing table, pointing through the tunnel interface. The server's kernel now has entries sending 6 LANs through the VPN interface, but when a packet arrives for one of them, how will openvpn know which client to send it to?

The answer is iroute!

iroute does not bypass or alter the kernel's routing table; it lets openvpn handle the routing when the kernel has pointed a packet at the tunnel interface but the destination network is not one openvpn knows about on its own. The iroute entry tells the openvpn server which client is responsible for the network. Without the iroute entry you will find the following in your logfiles:

<blockquote>
MULTI: bad source address from client [IP ADDRESS], packet dropped
</blockquote>

The thing is, we can't just drop the iroute into server.conf, because it would then be used for every client, and iroute is only there to tell the server <!-- or client if pushed, only useful for complex setups outside the scope of this writeup --> which client it should send traffic to when that traffic is destined for a network the kernel said should go to the openvpn interface.

That is why we add the iroute commands to a ccd entry.

You will need ''client-config-dir /path/to/ccd/'' in your server config file to enable ccd entries. ccd entries are basically included in server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.

In this example let's assume the client owning the network .1.0 has a common-name of client1. In ccd/client1 he should have the following:

<blockquote>
iroute 192.168.1.0 255.255.255.0
</blockquote>

But our user also wants client-to-client to work, so let's say he also wants the LANs behind those clients to be able to communicate. In ccd/client1 we add some more entries... now it would look like this:

<blockquote>
iroute 192.168.1.0 255.255.255.0 <br>
push "route 192.168.3.0 255.255.255.0" <br>
push "route 192.168.4.0 255.255.255.0" <br>
push "route 192.168.5.0 255.255.255.0" <br>
push "route 192.168.6.0 255.255.255.0" <br>
push "route 192.168.7.0 255.255.255.0"
</blockquote>
As you can see, each client our user has will have a ccd/ entry including an iroute for the network behind the client, and pushed routes for all networks behind other clients.
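Writing one ccd/ file per client by hand is where the route/iroute mismatches come from, so here is a small generator with a consistency check. This is an added example for this page, not code from the wiki or from the OpenVPN project: the client common names and LANs are constructed, the server is assumed to use ''client-config-dir ccd'' relative to its config, and only the Python standard library (ipaddress) is used.

```python
"""Generate server.conf route lines and ccd/ entries for a routed
site-to-site OpenVPN setup and sanity-check them.

Added example for this wiki page; not code from the page or from the
OpenVPN project. Client names and networks are constructed for illustration.
"""
import ipaddress

# Constructed topology: the LAN behind the server and the LAN behind each
# client, keyed by the client's certificate common name (the ccd/ file name).
SERVER_LAN = "192.168.2.0/24"
CLIENT_LANS = {
    "client1": "192.168.1.0/24",
    "client3": "192.168.3.0/24",
    "client4": "192.168.4.0/24",
}


def netmask_form(cidr):
    """'192.168.1.0/24' -> '192.168.1.0 255.255.255.0' (OpenVPN's route syntax).
    strict=True makes a host address such as 192.168.1.5/24 raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def server_conf_lines(server_lan, client_lans):
    """Lines for server.conf: push the server-side LAN to every client, add a
    kernel route for every client LAN (so the kernel sends it into tun), and
    enable client-to-client plus the ccd directory (assumed to be ./ccd)."""
    lines = [f'push "route {netmask_form(server_lan)}"']
    for lan in sorted(client_lans.values()):
        lines.append(f"route {netmask_form(lan)}")
    lines += ["client-to-client", "client-config-dir ccd"]
    return lines


def ccd_entries(client_lans):
    """One ccd/<common-name> body per client: an iroute for its own LAN and a
    pushed route for every other client's LAN."""
    entries = {}
    for cn, lan in client_lans.items():
        body = [f"iroute {netmask_form(lan)}"]
        body += [f'push "route {netmask_form(other)}"'
                 for other_cn, other in sorted(client_lans.items())
                 if other_cn != cn]
        entries[cn] = body
    return entries


def check_config(server_lines, entries):
    """Return a list of problems for a server.conf / ccd pair (empty when consistent):
    - a server 'route' that no ccd iroute claims: the kernel hands the traffic
      to OpenVPN, which cannot map it to a client (the situation behind the
      'MULTI: bad source address' log line discussed above);
    - an iroute with no matching server 'route': the kernel never sends that
      traffic into the tunnel at all;
    - the same network claimed by two clients."""
    routed = {l.split(" ", 1)[1] for l in server_lines if l.startswith("route ")}
    owners = {}
    problems = []
    for cn, body in entries.items():
        for line in body:
            if not line.startswith("iroute "):
                continue
            net = line[len("iroute "):]
            if net in owners:
                problems.append(f"{net} is iroute'd by both {owners[net]} and {cn}")
            owners.setdefault(net, cn)
            if net not in routed:
                problems.append(f"{cn}: iroute {net} has no 'route {net}' in server.conf")
    for net in sorted(routed - set(owners)):
        problems.append(f"route {net} in server.conf is not iroute'd by any client")
    return problems


if __name__ == "__main__":
    server = server_conf_lines(SERVER_LAN, CLIENT_LANS)
    ccd = ccd_entries(CLIENT_LANS)
    print("\n".join(server))
    for cn, body in ccd.items():
        print(f"\n# ccd/{cn}")
        print("\n".join(body))
    print("\nproblems:", check_config(server, ccd) or "none")
```

Running it prints the server.conf fragment and one block per ccd/ file; feeding `check_config` a hand-edited set of ccd bodies instead is the useful part, because it reports a LAN that is routed on the server but owned by no client before you see the dropped-packet line in the log.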
Latest revision as of 09:50, 9 February 2011:

{{OpenVPN_Menu}}

[[image:openvpn_logo.png|right]]OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets.

This page is designed to provide applied-level support. The [http://openvpn.net/index.php/documentation/howto.html OpenVPN HowTo] has lots of great examples and configuration options.

Help with creating a VPN which connects multiple LANs. Server and clients have LANs behind them. This will help you understand how to use the route, push route, and iroute commands.
* [[OpenVPN/Routing]]

== Client Software/Packages ==

=== Windows ===

=== Linux ===

OpenVPN is readily available through most distributions' package managers. Gnome's network-manager can manage various types of VPNs, including OpenVPN through plugins.

=== Mac ===
* [http://www.viscosityvpn.com/ Viscosity ($$$)]
** Supports 2.0.9 AND 2.1-rc15
* [http://code.google.com/p/tunnelblick/ Tunnelblick (FREE)]
** Supports 2.0.9 in release version, 2.1.1 in beta version.
** [[Tunnelblick|Tunnelblick How-To]]

== Building custom Win32/64 OpenVPN installer ==
* [[OpenVPN/HowTo for Windows|HowTo for Windows]]
* [[OpenVPN/HowTo for Windows 2|HowTo for Windows 2]]

== Related Links ==
* [http://www.eurephia.net/ eurephia Authentication Plugin for OpenVPN]
* [http://www.linuxjournal.com/article/9915 Linux Journal: Building a Multisourced Infrastructure Using OpenVPN]

== DH Param Notes ==

Just for laughs, I generated three 4096-bit primes using openssl on three different systems; the results are here.

<pre>FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009
    root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU          E5530  @ 2.40GHz (2394.01-MHz K8-class CPU)

976.093u 0.060s 16:16.66 99.9% 494+1043k 7+0io 12pf+0w</pre>

<pre>FreeBSD 8.1-PRERELEASE #5: Tue Jul 13 14:10:29 CDT 2010
    root@jaguar-2.claimlynx.com:/usr/obj/usr/src/sys/GENERIC-CARP amd64
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU          E5520  @ 2.27GHz (2261.01-MHz K8-class CPU)

685.101u 0.022s 11:25.47 99.9%  495+1037k 2+0io 6pf+0w</pre>

<pre>machdep.cpu.vendor: GenuineIntel
machdep.cpu.brand_string: Intel(R) Core(TM) i7 CPU      M 620  @ 2.67GHz
Darwin Swordfish.local 10.6.0 Darwin Kernel Version 10.6.0: Wed Nov 10 18:13:17 PST 2010; root:xnu-1504.9.26~3/RELEASE_I386 i386

2249.944u 1.799s 37:32.94 99.9% 0+0k 2+9io 0pf+0w</pre>

[[Category: OpenVPN]]