Slide 1
J.J. Keijser Nikhef Amsterdam Grid Group
OpenVPN
Guest Lecture OS3 System & Network Engineering
Jan Just Keijser, Nikhef, 11 May 2011
Slide 2
A few words about me
Working as grid system engineer since 2005
Working in IT industry since 1995
“discovered” OpenVPN in 2004
Used and supported OpenVPN since then
Author of the “OpenVPN 2 Cookbook”, published in 2011
IT interests include open source, networking, VPNs, security, openssl, socat
Slide 3
Outline
What is a VPN?
Types of VPNs
What is OpenVPN?
OpenVPN protocol
Modes of operation: preshared keys, certificates, 'tun' vs 'tap', bridging
Routing
Smart card support
Scripting and plugins
Other features
Weaknesses
Future work
Summary
Slide 4
What is a VPN?
Without the use of a VPN…
[Diagram: Client behind NAT & Firewall, Internet / WAN, Firewall & NAT, Server; your TROL (Typical Remote Office Layout)]
Slide 5
What is a VPN?
Using a VPN…
[Diagram: Client behind NAT & Firewall, Internet / WAN, Firewall & NAT, Server; VPN set up between client and server]
Slide 6
Types of VPNs
Web based: Proxies, SOCKS
Solutions based on SSH
PPTP based: Microsoft PPTP VPN client
IPSec based: OpenS/WAN, raccoon
IPSec+L2TP based: Microsoft L2TP VPN client
SSL based: OpenVPN
Slide 7
Virtual network adapter
Most VPNs use the concept of a Virtual Network Adapter. This allows for:
◦ Separate IP address;
◦ Control over the routing and protocols allowed over the VPN.
The Virtual Network Adapter is the interface between the VPN client (or server) software and the Operating System.
Slide 8
Web-based VPNs
Also known as “clientless VPNs”
Work only with web-based applications
Basically, a souped-up Secure Proxy server or SOCKS server
The VPN never leaves the “sandbox” of the web browser
[Diagram: VPN applet inside the web browser; HTTPS encrypted traffic]
Slide 9
SSH-based solutions
Not a true VPN – tunnelling of specific TCP ports only
Client and server software available for nearly every platform
OpenSSH includes SOCKS server support, allowing more flexible tunnels
[Diagram: SSH tunnel forwarding 127.0.0.1 port 8080 to hostA port 80 (http) and 127.0.0.1 port 1200 to hostB port 23 (telnet)]
Slide 10
Web & SSH: pro's and con's
Pro’s:
◦ Client software for nearly all platforms;
◦ Uses standard TCP traffic so no NAT’ting issues;
◦ Easy to configure.
Con’s:
◦ Web-based (TCP, HTTPS) only;
◦ Not easy to share local data with remote site/server;
◦ Not a true VPN solution.
Slide 11
PPTP: the Microsoft solution
Developed by Microsoft and Ascend (RFC2637)
Authentication using username/password OR X.509 certificates (EAP-TLS)
Runs over single TCP port and GRE tunnels (protocol 47)
Frequently used for ADSL ethernet modems
Interface to OS through PPTP adapter:
[Diagram: PPTP adapter; GRE encrypted traffic]
Slide 12
PPTP: pro's and con's
Pro’s:
◦ Client built into Microsoft platform;
◦ Other platforms supported for both client and server: Linux; FreeBSD/OpenBSD/NetBSD; Macintosh OS X.
Con’s:
◦ PPTP considered fundamentally insecure;
◦ Secure version (EAP-TLS) supported fully only on Windows;
◦ GRE tunnelling does not work well with NAT’ting devices.
Slide 13
IPsec
Official IEEE/IETF standard for IP security (RFC2411)
Operates at Level 2/Level 3 of the IP stack
Part of the IPv6 specification
Introduces the concept of Security Policies
Uses Encapsulated Security Payload (ESP, IP protocol 50) for payload security, Hash-based Message Authentication Code (HMAC) for integrity
Authentication using X.509 certificates or pre-shared keys
Two modes supported:
◦ Transport mode;
◦ Tunnelling mode.
Slide 14
IPsec+L2TP
Developed by Microsoft and Cisco Systems (RFC3193)
Utilizes IPSec Transport mode
Authentication using X.509 certificates or pre-shared keys, in combination with a username/password
Uses both UDP ports 500 and 4500 as well as ESP (protocol 50)
Interface to OS through L2TP adapter:
[Diagram: L2TP adapter; IPsec encrypted traffic]
Slide 15
IPsec: pro's and con's
Pro’s:
◦ Industry standard;
◦ Good platform support, including ADSL and Wifi routers;
◦ Security policies allow for a very modular approach.
Con’s:
◦ Configuration and troubleshooting can be difficult;
◦ Notoriously difficult to configure, especially in combination with NAT-Traversal (NAT-T);
◦ Server-side cannot be NAT’ted, often forcing the use of a DMZ;
◦ IPSec and NAT’ting devices do not go well together.
Slide 16
OpenVPN: an SSL based VPN
Uses TLS/SSL for payload security, HMAC for integrity
Authentication using X.509 certificates or pre-shared keys
UDP, TCP and SOCKS/HTTP Proxy support
Supports tunnelling (TCP/IP) and bridging (Ethernet) mode
Interface to OS through tun/tap device or TAP-Win32 adapter:
[Diagram: tun/tap adapter; UDP/TCP encrypted traffic]
Slide 17
What is OpenVPN?
With OpenVPN, you can:
◦ tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,
◦ configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,
◦ use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,
◦ use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,
◦ choose between static-key based conventional encryption or certificate-based public key encryption,
◦ use static, pre-shared keys or TLS-based dynamic key exchange,
◦ use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,
◦ tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,
◦ tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,
◦ tunnel networks over NAT,
◦ create secure ethernet bridges using virtual tap devices, and
◦ control OpenVPN using a GUI on Windows or Mac OS X.
(from http://openvpn.net/index.php/open-source/333-what-is-openvpn.html)
Slide 18
OpenVPN: some history
Started in 2002 by James Yonan
First version only supported preshared keys and site-to-site connectivity
2004: OpenVPN 2.0, which supported
◦ X509 certificates
◦ Multiple clients to same server
2009: OpenVPN 2.1, which added
◦ PKCS#11 support
◦ Windows Vista/7 support
2011: OpenVPN 2.2 released
◦ First community-built version
Slide 19
OpenVPN protocol
In SSL/TLS mode two channels are used:
◦ A reliable control channel for exchanging SSL/TLS information and keys
◦ A data channel for transporting the actual payload. In UDP mode this channel is not reliable
Each encrypted packet is formatted as follows:
◦ HMAC(explicit IV, encrypted envelope)
◦ Explicit IV
◦ Encrypted envelope
The content of the encrypted envelope is formatted as follows:
◦ 64 bit sequence number
◦ payload data, i.e. IP packet or Ethernet frame
Slide 20
Modes of operation
OpenVPN supports several modes of operation:
Preshared static keys
AuthN using X509 certificates
AuthN using username+password
Tunnelling mode (point-to-point, aka 'tun')
Ethernet mode (aka 'tap')
Ethernet bridging
Slide 21
Basic static key example
First, generate a static key:
  $ openvpn --genkey --secret secret.key
Transfer the key to the remote end using a secure channel (e.g. scp)
Start the server/listener:
  $ openvpn --ifconfig 10.200.0.1 10.200.0.2 \
      --dev tun --secret secret.key
And connect to it using the client:
  $ openvpn --ifconfig 10.200.0.2 10.200.0.1 \
      --dev tun --secret secret.key \
      --remote openvpnserver.example.com
Slide 22
Setting up a PKI
OpenVPN supplies 'easy-rsa' scripts, which are wrappers around 'openssl ca' commands
Other PKI solutions can also be used, provided they can supply PEM-encoded certificates and keys or PKCS#12 formatted files
Example usage of 'easy-rsa' (the build-key scripts take the certificate name as argument):
  $ . ./vars
  $ ./clean-all
  $ ./build-ca
  $ ./build-key-server server
  $ ./build-key client
Slide 23
Basic X509 example (server)
  proto udp
  port 1194
  dev tun
  server 10.8.0.0 255.255.255.0
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  tls-auth ta.key 0
  persist-key
  persist-tun
  keepalive 10 60
  user nobody
  group nobody
Slide 24
Basic X509 example (client)
  client
  proto udp
  remote openvpnserver.example.com
  port 1194
  dev tun
  nobind
  ca ca.crt
  cert client.crt
  key client.key
  tls-auth ta.key 1
Slide 25
Network topologies
OpenVPN 2.1 introduced a new keyword: topology subnet
Previously, each client was assigned a miniature /30 network:
◦ Server uses 10.8.0.0-10.8.0.3
◦ First client is assigned 10.8.0.4-10.8.0.7
◦ Second client is assigned 10.8.0.8-10.8.0.11, etc.
For the first client's /30 block:
  10.8.0.4  /30 network address
  10.8.0.5  remote endpoint (virtual)
  10.8.0.6  actual client VPN IP
  10.8.0.7  /30 broadcast address
With 'topology subnet' each client is assigned only a single IP address: 10.8.0.2, 10.8.0.3, etc.
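The allocation rules above carried through for any client number, as an added example that is not from the presentation; it assumes the 10.8.0.0/24 subnet of the X509 example and the ifconfig-pool bounds that the --server directive expands to:

```shell
#!/bin/sh
# Address allocation for "server 10.8.0.0 255.255.255.0" under the two
# topologies on the slide; client numbering starts at 1. The pool limits
# (.4-.251 for net30, .2-.253 for subnet) are the ifconfig-pool range that
# the --server directive expands to.
BASE=10.8.0

# net30 (the pre-2.1 default): the server holds .0-.3 and client N the /30
# block starting at .4N. Prints "network endpoint client-ip broadcast".
net30_client() {
    first=$((4 * $1))
    [ "$first" -ge 4 ] && [ "$((first + 3))" -le 251 ] || return 1
    echo "$BASE.$first $BASE.$((first + 1)) $BASE.$((first + 2)) $BASE.$((first + 3))"
}

# topology subnet: the server is .1 and client N is simply .N+1, so the
# same /24 holds 252 clients instead of 62.
subnet_client() {
    addr=$(($1 + 1))
    [ "$addr" -ge 2 ] && [ "$addr" -le 253 ] || return 1
    echo "$BASE.$addr"
}
```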
Slide 26
'tun' versus 'tap'
OpenVPN supports two transport modes:
◦ 'tun' mode:
  Create a mini point-to-point connection to each client
  The headers of each incoming packet are stripped and new headers are added
  Can support IP protocols only (TCP, UDP, ICMP, IPsec, GRE)
◦ 'tap' mode:
  Pass full ethernet frames between client and server
  Great for supporting non-IP protocols
  Slightly higher overhead
  Server and clients form a single broadcast domain
Slide 27
Bridging
'tap' mode allows the creation of a full Ethernet bridge:
◦ A regular network interface and a 'tap' interface are bridged
◦ All traffic which enters on one interface is copied out to the other interface
◦ Result: the LAN and the VPN form a single broadcast domain - great for multi-player gaming!
◦ A second advantage is that the VPN clients can be incorporated almost fully into the server-side LAN (e.g. can use the same DHCP server)
◦ Downside: performance! Even the throughput speed of the LAN interface is affected, as all incoming traffic is ALWAYS copied over to the 'tap' interface
Slide 28
Bridging example (server)
  proto udp
  port 1194
  dev tap0
  server-bridge 10.8.0.100 255.255.255.0 10.8.0.101 10.8.0.140
  ca ca.crt
  cert server.crt
  key server.key
  dh dh1024.pem
  tls-auth ta.key 0
  persist-key
  persist-tun
  keepalive 10 60
  user nobody
Slide 29
Routing and masquerading
A VPN is one thing, routing traffic over it is another
80+ % of all OpenVPN support questions are about routing
Most commonly used trick (on Linux servers):
  $ echo 1 > /proc/sys/net/ipv4/ip_forward
  $ iptables -I FORWARD -i tun+ -j ACCEPT
  $ iptables -I FORWARD -o tun+ -j ACCEPT
  $ iptables -t nat -I POSTROUTING -o eth0 \
        -j MASQUERADE
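The same forwarding and masquerading setup narrowed to the VPN subnet (the slide's rules forward and masquerade everything that crosses tun+ or eth0), as an added example that is not from the presentation; it assumes the 10.8.0.0/24 subnet, tun+ and eth0 from the earlier examples:

```shell
#!/bin/sh
# Forwarding and masquerading for the OpenVPN server, as on the slide but
# scoped to the VPN subnet instead of accepting every forwarded packet.
# The commands are printed rather than run so they can be reviewed first;
# apply with: vpn_forward_rules 10.8.0.0/24 tun+ eth0 | sh
vpn_forward_rules() {
    vpn_net=$1    # the "server" subnet in CIDR form, e.g. 10.8.0.0/24
    tun_if=$2     # tunnel interface pattern, e.g. tun+ for all tun devices
    lan_if=$3     # interface towards the LAN/internet, e.g. eth0
    case "$vpn_net" in
        */*) ;;
        *) echo "vpn_forward_rules: subnet must be CIDR (a.b.c.d/n)" >&2; return 1 ;;
    esac
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I FORWARD -i $tun_if -o $lan_if -s $vpn_net -j ACCEPT
iptables -I FORWARD -i $lan_if -o $tun_if -d $vpn_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE
EOF
}
```

Only VPN-originated traffic is masqueraded and only its replies are allowed back in, so a LAN host cannot be reached through the tunnel unless a client initiated the connection.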
Slide 30
Smart card support
Two factor authentication: you can connect to my system based on something you KNOW (a password) and something you HAVE (a smart card)
OpenVPN supports the PKCS#11 interface
Any smart card or hardware security device with a PKCS#11 interface can be used (in theory...)
However: PKCS#11 support on Linux (and MacOS) is far from perfect
Known to work:
◦ Aladdin eToken PRO (now SafeNet)
◦ Feitian ePass
Slide 31
PKCS#11 example (client)
  client
  proto udp
  remote openvpnserver.example.com
  port 1194
  dev tun
  nobind
  ca ca.crt
  pkcs11-providers etpkcs11.dll
  pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/001a0ab6/Jan\\x20Just\\x20Keijser/39453945373335312D333545442D343031612D384637302D3238463636393036363042303A30"
  tls-auth ta.key 1
Slide 32
Scripting (1)
OpenVPN offers several ways to influence what happens when a client connects or disconnects, both on the server side and on the client side
On the client side the following scripts are run when the client connects:
◦ 'up': when the virtual interface is brought up
◦ 'route-up': when routes need to be added to the local routing tables
Similarly, when the client disconnects:
◦ 'down': when the virtual interface is taken down
Slide 33
Scripting (2)
On the server side the following scripts are run when a client connects:
◦ 'client-connect': allows you to write out configuration statements which are pushed out to the client
◦ 'learn-address add'
◦ 'tls-verify': verify the entire certificate chain of the client
◦ 'auth-user-pass-verify': allows for authentication using username and password
Similarly, when the client disconnects:
◦ 'learn-address delete'
◦ 'client-disconnect'
Slide 34
Scripting example (server)...
  script-security 2
  # run when server starts and shuts down
  up sample-script.sh
  route-up sample-script.sh
  down sample-script.sh
  # run when a client connects or disconnects
  client-connect sample-script.sh
  client-disconnect sample-script.sh
  learn-address sample-script.sh
  tls-verify sample-script.sh
  auth-user-pass-verify sample-script.sh via-env
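A sample-script.sh that could back the hook configuration above, added here as an example and not the presentation's own script; the user list, the allowed CNs and the pushed route are constructed sample policy, and the hook argument and environment-variable conventions are OpenVPN's:

```shell
#!/bin/sh
# sample-script.sh: one script for the server-side hooks configured above.
# OpenVPN sets $script_type to the hook name, exports client details as
# environment variables (common_name, username, password, ...) and passes
# hook arguments in $1, $2, ...  Every value is quoted: it is client input.
# auth-user-pass-verify with "via-env": $username/$password come from the
# environment. The pair list is a constructed stand-in for PAM or LDAP.
verify_user() {
    case "$1:$2" in
        alice:wonderland|bob:builder) return 0 ;;
        *) return 1 ;;
    esac
}
# tls-verify: $1 = depth (0 is the client cert), $2 = its subject, as
# "/C=NL/O=Nikhef/CN=client1" or the comma-separated form. Only leaf certs
# with an allow-listed CN pass; CA levels are left to normal chain validation.
tls_verify() {
    [ "$1" -gt 0 ] && return 0
    cn=${2#*CN=}; cn=${cn%%[/,]*}      # isolate the CN value
    case "$cn" in
        client1|client2) return 0 ;;
        *) return 1 ;;
    esac
}
# client-connect: $1 is a temp file; directives written there are pushed
# to this client only. Here one client gets an extra (constructed) route.
client_connect() {
    case "${common_name:-}" in
        client1) echo 'push "route 10.10.0.0 255.255.255.0"' > "$1" ;;
        *) : > "$1" ;;
    esac
}
# learn-address: $1 = add|update|delete, $2 = VPN address, $3 = common
# name (absent on delete). Logged here; per-client firewall rules go here.
learn_address() {
    case "$1" in
        add|update|delete) printf 'learn-address %s %s %s\n' "$1" "$2" "${3:-}" >&2 ;;
        *) return 1 ;;
    esac
}

# Dispatch on the hook OpenVPN invoked; a non-zero exit from the two
# *-verify hooks rejects the client.
case "${script_type:-}" in
    auth-user-pass-verify) verify_user "${username:-}" "${password:-}" ;;
    tls-verify)            tls_verify "$1" "$2" ;;
    client-connect)        client_connect "$1" ;;
    learn-address)         learn_address "$1" "$2" "${3:-}" ;;
    *)                     : ;;   # up, down, route-up, client-disconnect: nothing to do
esac
```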
Slide 35
Plugins
Next to scripts, OpenVPN can also be extended using plugins
Plugins can be inserted at almost all points where scripts are run
Most common plugins are
◦ auth-pam: for authenticating users using PAM;
◦ down-root: for running a command as root when openvpn shuts down.
Why would you use a plugin?
◦ Speed: plugins are run in a separate thread
◦ Security: it's easy to make a mistake in a script which can be exploited.
Slide 36
Other features
Different cipher algorithms for encryption
Different signing algorithms for HMAC signing
On-the-fly compression using 'lzo'
Connect via a SOCKS proxy
Connect via an HTTP proxy
Share a VPN server with an HTTPS server on the same IP and port
Management interface (on both client and server):
◦ View connected clients;
◦ View statistics;
◦ Disconnect clients.
Slide 37
Weaknesses
Windows Vista/7/2008 support is lacking
Support for IPv6 endpoints is still missing; tunnelling IPv6 traffic via either 'tun' or 'tap' mode is in 2.2
Monolithic design: both a strength and a weakness, but does affect scalability
Throughput over gigabit links could be better
Difficult to port to new OSes (such as smartphones): a 'tun' driver needs to be present (iPhone!)
Slide 38
What's wrong @ Gigabit speed?
Slide 39
Future developments
Full IPv6 support is expected in 2.3 (beta: July)
A grand, completely modular redesign is being worked on (OpenVPN 3.0)
Improve negotiation capabilities between client and server; make client configuration as minimal as possible
Improve Windows 7 support (esp. tap-win32 driver)
Add ability to 'mimic' HTTPS traffic for ducking firewalls
New transport protocols next to UDP and TCP:
◦ sctp
◦ ICMP