39,59 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Fachliteratur
- Sprache: Englisch
OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients, and supporting alternative authentication methods via OpenVPN’s plugin module interface.
This book provides you with many different recipes to help you set up, monitor, and troubleshoot an OpenVPN network. You will learn to configure a scalable, load-balanced VPN server farm that can handle thousands of dynamic connections from incoming VPN clients. You will also get to grips with the encryption, authentication, security, extensibility, and certifications features of OpenSSL.
You will also get an understanding of IPv6 support and will get a demonstration of how to establish a connection via IPv64. This book will explore all the advanced features of OpenVPN and even some undocumented options, covering all the common network setups such as point-to-point networks and multi-client TUN-style and TAP-style networks. Finally, you will learn to manage, secure, and troubleshoot your virtual private networks using OpenVPN 2.4.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 401
Veröffentlichungsjahr: 2017
Ähnliche
Table of Contents
OpenVPN Cookbook - Second Edition
OpenVPN Cookbook - Second Edition
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2011
Second edition: February 2017
Production reference: 1100217
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78646-312-8
www.packtpub.com
Credits
Author
Jan Just Keijser
Copy Editor
Pranjali Chury
Reviewer
Ralf Hildebrandt
Project Coordinator
Izzat Contractor
Commissioning Editor
Pratik Shah
Proofreader
Safis Editing
Acquisition Editor
Rahul Nair
Indexer
Tejal Soni
Content Development Editor
Zeeyan Pinheiro
Production Coordinator
Melwyn D'sa
Technical Editor
Vivek Pala
About the Author
Jan Just Keijser is an open source professional from Utrecht, the Netherlands. He has a wide range of experience in IT, ranging from providing user support, system administration, and systems programming to network programming. He has worked for various IT companies since 1989. He was an active USENET contributor in the early 1990s and has been working mainly on Unix/Linux platforms since 1995.
Currently, he is employed as a senior scientific programmer in Amsterdam, the Netherlands, at Nikhef, the institute for subatomic physics from the Dutch Foundation for Fundamental Research on Matter (FOM). He works on multi-core and many-core computing systems and grid computing as well as smartcard applications. His open source interests include all types of virtual private networking, including IPSec, PPTP, and, of course, OpenVPN. In 2004, he discovered OpenVPN and has been using it ever since.
His first book was OpenVPN 2 Cookbook by Packt Publishing in 2011, followed by Mastering OpenVPN, also by Packt Publishing, in 2015.
About the Reviewer
Ralf Hildebrandt is an active and well-known figure in the Postfix community. He’s currently employed at Charite, Europe’s largest university hospital. OpenVPN has successfully been used at Charite for over 10 years now on a multitude of client operating systems.
Together with Patrick Koetter, he has written the Book of Postfix.
www.PacktPub.com
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Why subscribe?
Customer Feedback
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://goo.gl/A3V0ND.
If you'd like to join our team of regular reviewers, you can e-mail us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!
Preface
OpenVPN is one of the world's most popular packages for setting up a Virtual Private Network (VPN). OpenVPN provides an extensible VPN framework that has been designed to ease site-specific customization, such as providing the capability to distribute a customized installation package to clients or supporting alternative authentication methods via OpenVPN's plugin module interface. It is widely used by many individuals and companies, and some service providers even offer OpenVPN access as a service to users in remote, unsecured environments.
This book provides you with many different recipes for setting up, monitoring, and troubleshooting an OpenVPN network. The author's experience in troubleshooting OpenVPN and networking configurations enables him to share his insights and solutions to help you get the most out of your OpenVPN setup.
What this book covers
Chapter 1, Point-to-Point Networks, gives an introduction to configuring OpenVPN. The recipes are based on a point-to-point-style network, meaning that only a single client can connect at a time.
Chapter 2, Client-Server IP-Only Networks, introduces the reader to the most commonly-used deployment model for OpenVPN: a single server with multiple remote clients capable of routing IP traffic. This chapter provides the foundation for many of the recipes found in the other chapters.
Chapter 3, Client-Server Ethernet-Style Networks, covers another popular deployment model for OpenVPN: a single server with multiple clients, capable of routing Ethernet traffic. This includes non-IP traffic as well as bridging. You will also learn about the use of an external DHCP server and the use of the OpenVPN status file.
Chapter 4, PKI, Certificates, and OpenSSL, introduces you to the public key infrastructure (PKI) and X.509 certificates, which are used in OpenVPN. You will learn how to generate, manage, manipulate, and view certificates, and you will also learn about the interactions between OpenVPN and the OpenSSL libraries that it depends upon.
Chapter 5, Scripting and Plugins, covers the powerful scripting and plugin capabilities that OpenVPN offers. You will learn to use client-side scripting, which can be used to tail the connection process to the site-specific needs. You will also learn about server-side scripting and the use of OpenVPN plugins.
Chapter 6, Troubleshooting OpenVPN - Configurations, is all about troubleshooting OpenVPN misconfigurations. Some of the configuration directives used in this chapter have not been demonstrated before, so even if your setup is functioning properly, this chapter will still be insightful.
Chapter 7, Troubleshooting OpenVPN - Routing, gives an insight into troubleshooting routing problems when setting up a VPN using OpenVPN. You will learn how to detect, diagnose, and repair common routing issues.
Chapter 8, Performance Tuning, explains how you can optimize the performance of your OpenVPN setup. You will learn how to diagnose performance issues and how to tune OpenVPN's settings to speed up your VPN.
Chapter 9, OS Integration, covers the intricacies of integrating OpenVPN with the operating system it is run on. You will learn how to use OpenVPN on the most commonly used client operating systems: Linux, Mac OS X, and Windows.
Chapter 10, Advanced Configuration, goes deeper into the configuration options that OpenVPN has to offer. The recipes will cover both advanced server configurations, such as the use of a dynamic DNS, as well as the advanced client configuration, such as using a proxy server to connect to an OpenVPN server.
What you need for this book
In order to get the most from this book, there are some expectations of prior knowledge and experience. It is assumed that the reader has a fair understanding of the system administration as well as knowledge of TCP/IP networking. Some knowledge on installing OpenVPN is required as well, for which you can refer to the book Beginning OpenVPN 2.0.9.
Who this book is for
This book is for system administrators who have basic knowledge of OpenVPN and are eagerly waiting to build, secure, and manage VPNs using the latest version. This book assumes some prior knowledge of TCP/IP networking and OpenVPN. And to get the most out of this book, you must have network administration skills.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "Copy over the tls-auth secret key file from the /etc/openvpn/cookbook/keys directory."
A block of code is set as follows:
user nobody group nobody persist-tun persist-key keepalive 10 60 ping-timer-remWhen we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
secret secret.key 1 ifconfig 10.200.0.2 10.200.0.1 route 172.31.32.0 255.255.255.0 tun-ipv6 ifconfig-ipv6 2001:db8:100::2 2001:db8:100::1Any command-line input or output is written as follows:
[root@server]# openvpn --genkey --secret secret.keyNew terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Go to the Network and Sharing Center and observe that the TAP adapter is in the section Public Network and that it is not possible to change this."
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code
You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
You can download the code files by following these steps:
You can also download the code files by clicking on the Code Files button on the book's webpage at the Packt Publishing website. This page can be accessed by entering the book's name in the Search box. Please note that you need to be logged in to your Packt account.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/openvpncookbook. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at [email protected] with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
Questions
If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.
Chapter 1. Point-to-Point Networks
In this chapter, we will cover the following:
Introduction
The recipes in this chapter will provide an introduction to configuring OpenVPN. They are based on a point-to-point type of network, meaning that only a single client can connect at a given time.
A point-to-point network is very useful when connecting to a small number of sites or clients. It is easier to set up, as no certificates or public key infrastructure (PKI) is required. Also, routing is slightly easier to configure as no client-specific configuration files containing --iroute statements are required.
The drawbacks of a point-to-point network are as follows:
The shortest setup possible
This recipe will explain the shortest setup possible when using OpenVPN. For this setup, you require two computers that are connected over a network (LAN or Internet). We will use both a TUN-style network and a TAP-style network and will focus on the differences between them. A TUN device is used mostly for VPN tunnels where only IP traffic is used. A TAP device allows all the Ethernet frames to be passed over the OpenVPN tunnel, hence providing support for non-IP based protocols, such as IPX and AppleTalk.
While this may seem useless at first glance, it can be very useful to quickly test whether OpenVPN can connect to a remote system.
Getting ready
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 Pro 64bit and OpenVPN 2.3.10.
How to do it...
Here are the steps that you need to follow:
Note
The preceding command should be entered as a single line. The character \ is used to denote the fact that the command continues on the next line.
The following screenshot shows how a connection is established:
As soon as the connection is established, we can ping the other end of the tunnel.
Next, stop the tunnel by pressing the F4 function key in the command window and restart both ends of the tunnel using the TAP device.Launch the server-side (listening) OpenVPN process for the TAP-style network:[root@server]# openvpn --ifconfig 10.200.0.1 255.255.255.0 \ --dev tapThen launch the client-side OpenVPN process: [WinClient] C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --ifconfig 10.200.0.2 255.255.255.0 --dev tap \ --remote openvpnserver.example.comThe connection will now be established and we can again ping the other end of the tunnel.
How it works...
The server listens on UDP port 1194, which is the OpenVPN default port for incoming connections. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (the Peer address) to be 10.200.0.2.
The client does the opposite: after the initial handshake, the first TUN or TAP-Win32 device is configured with the IP address 10.200.0.2. It expects the remote end (the Peer address) to be 10.200.0.1. After this, the VPN is established.
Note
Notice the warning:
******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Here, the data is not secure: all of the data that is sent over the VPN tunnel can be read!
There's more...
Let's look at a couple of different scenarios and check whether they would modify the process.
Using the TCP protocol
In the previous example, we chose the UDP protocol. It would not have made any difference if we had chosen the TCP protocol, provided that we had done that on the server side (the side without --remote) as well as the client side. The following is the code for doing this on the server side:
[root@server]# openvpn --ifconfig 10.200.0.1 10.200.0.2 \ --dev tun --proto tcp-serverHere's the code for the client side:
[root@client]# openvpn --ifconfig 10.200.0.2 10.200.0.1 \ --dev tun --proto tcp-client --remote openvpnserver.example.comForwarding non-IP traffic over the tunnel
With the TAP-style interface, it is possible to run non-IP traffic over the tunnel. For example, if AppleTalk is configured correctly on both sides, we can query a remote host using the aecho command:
aecho openvpnserver22 bytes from 65280.1: aep_seq=0. time=26. ms22 bytes from 65280.1: aep_seq=1. time=26. ms22 bytes from 65280.1: aep_seq=2. time=27. msA tcpdump -nnel -i tap0 command shows that the type of traffic is indeed non-IP-based AppleTalk.
OpenVPN secret keys
This recipe uses OpenVPN secret keys to secure the VPN tunnel. It is very similar to the previous recipe, but this time, we will use a shared secret key to encrypt the traffic between the client and the server.
Getting ready
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10.
How to do it...
The connection is now established, as shown in the following screenshot:
How it works...
This example works exactly as the first one: the server listens to the incoming connections on UDP port 1194. The client connects to the server on this port. After the initial handshake, the server configures the first available TUN device with the IP address 10.200.0.1 and it expects the remote end (Peer address) to be 10.200.0.2. The client does the opposite.
There's more...
By default, OpenVPN uses two symmetric keys when setting up a point-to-point connection:
An OpenVPN secret key file is formatted as follows:
# # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- <16 lines of random bytes> -----END OpenVPN Static key V1-----From the random bytes, the OpenVPN Cipher and HMAC keys are derived. Note that these keys are the same for each session.
See also
Multiple secret keys
As stated in the previous recipe, OpenVPN uses two symmetric keys when setting up a point-to-point connection. However, it is also possible to use shared yet asymmetric keys in point-to-point mode. OpenVPN will use four keys in this case:
The same keying material is shared by both sides of the point-to-point connection, but the keys that are derived for encrypting and signing the data are different for each side. This recipe explains how to set up OpenVPN in this manner and how the keys can be made visible.
Getting ready
For this recipe, we use the secret.key file from the previous recipe. Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10. We'll use the secret.key file from the OpenVPN secret keys recipe here.
How to do it...
The connection will be established with a lot of debugging messages.
If we look through the server-side messages (searching for crypt), we can find the negotiated keys on the server side. Note that the output has been reformatted for clarity:
... Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Encrypt: CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f ... Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Encrypt: HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8 ... Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Decrypt: CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99 ... Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Decrypt: HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27On the client side, we will find the same keys but the "Encrypt" and "Decrypt" keys would have been reversed:
... Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Encrypt: CIPHER KEY: 8cf9abdd 371392b1 14b51523 25302c99 ... Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Encrypt: HMAC KEY: 39e06d8e 20c0d3c6 0f63b3e7 d94f35af bd744b27 ... Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key ... Static Decrypt: CIPHER KEY: 80797ddc 547fbdef 79eb353f 2a1f3d1f ... Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication ... Static Decrypt: HMAC KEY: c752f254 cc4ac230 83bd8daf 6141e73d 844764d8If you look at the keys carefully, you will see that each one of them is mirrored on the client and the server side.
How it works...
OpenVPN derives all the keys from the static.key file, provided there is enough entropy (randomness) in the file to reliably generate four keys. All the keys generated using the following will have enough entropy:
$ openvpn --genkey --secret secret.keyAn OpenVPN static key file is 2,048 bits in size. The cipher keys are each 128 bits, whereas the HMAC keys are 160 bits each, for a total of 776 bits. This allows OpenVPN to easily generate four random keys from the static key file, even if a cipher is chosen that requires a larger initialization key.
There's more...
The same secret key files are used in a client/server setup when the tls-auth ta.key parameter is used.
See also
Plaintext tunnel
In the very first recipe, we created a tunnel in which the data traffic was not encrypted. To create a completely plain text tunnel, we also disable the HMAC authentication. This can be useful when debugging a bad connection, as all traffic over the tunnel can now easily be monitored. In this recipe, we will look at how to do this. This type of tunnel is also useful when doing performance measurements, as it is the least CPU-intensive tunnel that can be established.
Getting ready
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.
As we are not using any encryption, no secret keys are needed.
How to do it...
How it works...
With this setup, absolutely no encryption is performed. All of the traffic that is sent over the tunnel is encapsulated in an OpenVPN packet and then sent as is.
There's more...
To actually view the traffic, we can use tcpdump; follow these steps:
Configuration files versus the command line
Most recipes in this book can be carried out without using configuration files. However, in most real-life cases, a configuration file is much easier to use than a lengthy command line. It is important to know that OpenVPN actually treats configuration file entries and command-line parameters identically. The only difference is that all command-line parameters start with a double dash (--) whereas the configuration file entries do not. This makes it very easy to overrule the configuration file entries using an extra command-line parameter.
Getting ready
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Windows 7 64 bit and OpenVPN 2.3.10. In this recipe, we'll use the secret.key file from the OpenVPN secret keys recipe.
How to do it...
The connection is established:
Jan 11 16:14:04 2016 UDPv4 link local (bound): [undef]Jan 11 16:14:04 2016 UDPv4 link remote: [AF_INET]172.16.8.1:11000Jan 11 16:14:06 2016 Peer Connection Initiated with [AF_INET]172.16.8.1:11000Jan 11 16:14:12 2016 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=upJan 11 16:14:12 2016 Initialization Sequence CompletedHow it works...
The command line and the configuration file are read and parsed from left to right and top to bottom. This means that most options that are specified before the configuration file can be overruled by the entries in that file. Similarly, the options specified after the following directive overrule the entries in that file:
--config client.confHence, the following option overruled the line "port 1194" from the configuration file:
--port 11000However, some options can be specified multiple times, in which case, the first occurrence "wins." In such a case, it is also possible to specify the option before specifying the --config directive.
There's more...
Here is another example that shows the importance of the ordering of the command-line parameters:
C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --verb 0 \ --config client.conf \ --port 11000This produces the exact same connection log as shown before. The verb 3 command from the client.conf configuration file overruled --verb 0, as specified on the command line. However, refer to the following command line:
C:\>"\Program Files\OpenVPN\bin\openvpn.exe" \ --config client.conf \ --port 11000 \ --verb 0Using this command line, the connection log will remain entirely empty, yet the VPN connection will be in functioning mode.
Exceptions to the rule
Some of the newer features of OpenVPN deviate slightly from this principle, most notably the <connection> blocks and the inline certificates. Some people prefer to write the following command:
remote openvpnserver.example.com 1194They prefer this instead of the following command:
port 1194remote openvpnserver.example.comThe downside of this notation is that this is translated as a connection block by OpenVPN. For connection blocks, it is not possible to overrule the port using --port 11000.
Complete site-to-site setup
In this recipe, we set up a complete site-to-site network, using most of the built-in security features that OpenVPN offers. It is intended as a "one-stop-shop" example of how to set up a point-to-point network.
