Changes between Version 1 and Version 2 of Openvpn1xHOWTO


Ignore:
Timestamp:
07/25/14 15:32:51 (6 years ago)
Author:
Samuli Seppänen
Comment:

Removed obsolete links

Legend:

Unmodified
Added
Removed
Modified
  • Openvpn1xHOWTO

    v1 v2  
    66<tr>
    77<td width="600">
    8 <p>This HOWTO is mainly relevant for setting up single-client or static site-to-site VPNs and is oriented more towards OpenVPN 1.x than 2.0. To take advantage of the OpenVPN 2.0 client/server capability, see the <a href="index.php/open-source/documentation/howto.html">OpenVPN 2.0 HOWTO</a>.</p>
    9 <p>This document describes setting up OpenVPN in a typical Home to Office telecommuting configuration. While this HOWTO presents in-depth configuration examples, simpler examples are shown in the <a href="index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html">examples section</a> of the man page.</p>
     8<p>This HOWTO is mainly relevant for setting up single-client or static site-to-site VPNs and is oriented more towards OpenVPN 1.x than 2.0. To take advantage of the OpenVPN 2.0 client/server capability, see the OpenVPN 2.0 HOWTO.</p>
     9<p>This document describes setting up OpenVPN in a typical Home to Office telecommuting configuration. While this HOWTO presents in-depth configuration examples, simpler examples are shown in the examples section of the man page.</p>
    1010<h2>Additional Articles and Documentation</h2>
    11 <p><a href="index.php/open-source/articles.html">Many excellent articles and HOWTOs</a> exist for configuring OpenVPN in different environments.</p>
     11Many excellent articles and HOWTOs exist for configuring OpenVPN in different environments.</p>
    1212<h2>Basic Tunnel Types</h2>
    1313<p>There are two basic types of tunnels that one can create with OpenVPN:</p>
    1414<ul>
    1515<li><strong>Routed IP tunnels</strong> -- best used to route point-to-point IP traffic without broadcasts. Slightly more efficient than bridged ethernet tunnels and easier to configure. This HOWTO (below) covers routed IP tunnels.</li>
    16 <li><strong>Bridged Ethernet Tunnels</strong> -- can be used to tunnel both IP and non-IP protocols. This type of tunnel is appropriate for applications which communicate via broadcasts, such as Windows file and print sharing (without a WINS server) and LAN games. Slightly more complex to configure. <a href="index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html">A Mini-HOWTO for bridged ethernet tunnels.</a></li>
     16<li><strong>Bridged Ethernet Tunnels</strong> -- can be used to tunnel both IP and non-IP protocols. This type of tunnel is appropriate for applications which communicate via broadcasts, such as Windows file and print sharing (without a WINS server) and LAN games. Slightly more complex to configure.</li>
    1717</ul>
    1818<h2>Routed IP tunnel HOWTO</h2>
     
    7070<p>If your system doesn't have the OpenSSL Library, you should <a href="http://www.openssl.org/">download and install it</a>.</p>
    7171<p>If you want to take advantage of compression on the VPN link, or you want to install OpenVPN as an RPM package, install the <a href="http://www.oberhumer.com/opensource/lzo/">LZO Library</a>.</p>
    72 <p>If you are using Linux 2.2 or earlier, download the <a href="http://vtun.sourceforge.net/tun/">TUN/TAP driver</a>. Users of Linux 2.4.7 or greater should find the TUN/TAP driver already bundled with their kernel. Users of Linux 2.4.0 -&gt; 2.4.6 should note the caveat at the end of the <a href="index.php/open-source/documentation/install.html">INSTALL</a> file.</p>
    73 <p>Now <a href="index.php/open-source/downloads.html">download</a> the latest release of OpenVPN.</p>
     72<p>If you are using Linux 2.2 or earlier, download the <a href="http://vtun.sourceforge.net/tun/">TUN/TAP driver</a>. Users of Linux 2.4.7 or greater should find the TUN/TAP driver already bundled with their kernel. Users of Linux 2.4.0 -&gt; 2.4.6 should note the caveat at the end of the INSTALL file.</p>
     73<p>Now download the latest release of OpenVPN.</p>
    7474<h3>Install from tarball</h3>
    7575<p>Unzip the distribution:</p>
     
    166166<li>If both OpenVPN peers reference the other with an explicit <strong>--remote</strong> option, and stateful firewalls that provide UDP connection tracking (such as <strong>iptables</strong>) exist between the peers, it is possible to run OpenVPN without any explicit firewall rules, if both peers originate regular pings to each other to keep the connection alive. To do this, simply run OpenVPN with the <strong>--remote <em>peer</em></strong> option, and specify <strong>--ping 15</strong> to ensure that packets flow over the tunnel at least once every 15 seconds.</li>
    167167<li>The above option is less convenient if one of the peers changes its IP address frequently such as a DHCP or a dial-in peer. For these cases, the sample firewall configuration above will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from any IP address. This should be considered safe in any of OpenVPN's secure modes, since all incoming tunnel packets must pass an authentication test or they will be dropped.</li>
    168 <li>If you choose to fully open OpenVPN's incoming UDP port as in the sample firewall configuration above, you might want to take advantage of the <strong>--tls-auth</strong> option to do double authentication on the TLS control channel, using both the RSA key and a pre-shared secret passphrase as a second line of defense against DoS or active attacks. For more information on <strong>--tls-auth</strong>, see the <a href="man.html">openvpn man page</a>.</li>
     168<li>If you choose to fully open OpenVPN's incoming UDP port as in the sample firewall configuration above, you might want to take advantage of the <strong>--tls-auth</strong> option to do double authentication on the TLS control channel, using both the RSA key and a pre-shared secret passphrase as a second line of defense against DoS or active attacks. For more information on <strong>--tls-auth</strong>, see the openvpn man page.</li>
    169169</ul>
    170170</td>
     
    178178<tbody>
    179179<tr>
    180 <td width="600">OpenVPN has two secure modes, one based on SSL/TLS security using RSA certificates and keys, the other using a pre-shared static key. While SSL/TLS + RSA keys is arguably the most secure option, static keys have the benefit of simplicity. If you want to use RSA keys, read on. For static keys, jump forward to the <a href="index.php/open-source/documentation/miscellaneous/88-1xhowto.html">Build Pre-Shared Static Key</a>section.
     180<td width="600">OpenVPN has two secure modes, one based on SSL/TLS security using RSA certificates and keys, the other using a pre-shared static key. While SSL/TLS + RSA keys is arguably the most secure option, static keys have the benefit of simplicity. If you want to use RSA keys, read on. For static keys, jump forward to the Build Pre-Shared Static Key section.
    181181<p>We will build RSA certificates and keys using the <strong>openssl</strong> command, included in the OpenSSL library distribution.</p>
    182 <p>RSA certificates are public keys that also have other secure fields embedded in them such as the <strong>Common Name</strong> or <strong>email address</strong> of the certificate holder. OpenVPN provides the ability to write scripts to test these fields prior to authentication. For more information, see the <strong>--tls-verify</strong> option in the <a href="index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html">openvpn man page</a>.</p>
     182<p>RSA certificates are public keys that also have other secure fields embedded in them such as the <strong>Common Name</strong> or <strong>email address</strong> of the certificate holder. OpenVPN provides the ability to write scripts to test these fields prior to authentication. For more information, see the <strong>--tls-verify</strong> option in the openvpn man page.</p>
    183183<p>In our example we will follow the <strong>apache</strong> convention of using the <strong>.crt</strong> file extension to denote certificate files and the <strong>.key</strong> file extension to denote private key files. Private key files must always be kept secure. Certificate files can be freely published or shared.</p>
    184184<p>Select one machine such as Office to be the key management machine.</p>
     
    227227</blockquote>
    228228<p>Increase the bit size from 1024 to 2048 if you also increased it in <strong>openssl.cnf</strong>.</p>
    229 <p>For the paranoid, consider omitting the <strong>-nodes</strong> option on the <strong>openssl</strong> commands above. This will cause each private key to be encrypted with a password, making the keys secure even if someone broke onto your server and stole your private key files. The downside of this approach is that every time you run OpenVPN, you will need to type in the password. For more information see the <strong>--askpass</strong> option in the <a href="index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html">openvpn man page</a>.</p>
     229<p>For the paranoid, consider omitting the <strong>-nodes</strong> option on the <strong>openssl</strong> commands above. This will cause each private key to be encrypted with a password, making the keys secure even if someone broke onto your server and stole your private key files. The downside of this approach is that every time you run OpenVPN, you will need to type in the password. For more information see the <strong>--askpass</strong> option in the openvpn man page.</p>
    230230<p>If you find manual RSA key management confusing, note that OpenVPN will interoperate with any X509 certificate management tool or service including the commercial CAs such as <a href="http://www.thawte.com/">Thawte</a> or <a href="http://www.verisign.com/">Verisign</a>. Check out the <a href="http://www.openca.org/">OpenCA</a> project for an example of what's being done with certificate/key management in the Open Source realm.</p>
    231 <p>In addition, the OpenVPN distribution contains a small set of scripts which can be used to simplify <a href="index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html">RSA certificate and key management</a>.</p>
     231<p>In addition, the OpenVPN distribution contains a small set of scripts which can be used to simplify RSA certificate and key management.</p>
    232232</td>
    233233</tr>
     
    257257<tr>
    258258<td width="600">
    259 <p>See discussion <a href="howto.html#mitm">here</a>.</p>
     259<p>See discussion here (obsolete link).</p>
    260260</td>
    261261</tr>
     
    484484<pre><strong>ping 10.1.0.2</strong></pre>
    485485</blockquote>
    486 <p>If these tests silently fail, you may want to re-edit the configuration files and set the verbosity level to 8 which will produce much more detailed debugging output. Also consult the <a href="index.php/open-source/faq.html#cant-ping">FAQ</a> for more information on troubleshooting.</p>
     486<p>If these tests silently fail, you may want to re-edit the configuration files and set the verbosity level to 8 which will produce much more detailed debugging output. Also consult the FAQ for more information on troubleshooting.</p>
    487487<p>If these tests succeed, now try pinging through the tunnel using machines on the private networks other than the OpenVPN gateway machines, to test the routing. Basically any machine on the <strong>10.0.1.0/24</strong> subnet should be able to access any machine on the <strong>10.0.0.0/24</strong> subnet and vice versa.</p>
    488488<p>If that works, congratulations! If not, you might want to check out the <a href="http://sourceforge.net/mail/?group_id=48978">OpenVPN Mailing List</a> archives to see if anyone else has had a similar problem. If you don't find a resolution to your problem there, consider posting to the <strong>openvpn-users</strong> list.</p>
     
    507507<p>You should also use the <strong>--float</strong> option if you are connecting to a peer which may change its IP address due to a DHCP reset.</p>
    508508<p>It is also possible to handle DHCP resets with the <strong>SIGUSR1</strong> signal which is like <strong>SIGHUP</strong> except it offers more fine-grained control over which OpenVPN subsystems are reset. A SIGUSR1 signal can also be generated internally based on <strong>--ping</strong> and <strong>--ping-restart</strong>. The <strong>--persist-tun</strong> option allows a reset without closing and reopening the TUN device (which allows seamless connectivity through the tunnel across DHCP resets). The <strong>--persist-remote-ip</strong> option allows for preservation of remote IP address across DHCP resets. This allows both OpenVPN peers to be DHCP clients. The <strong>--persist-key</strong> option doesn't re-read key files on restart (which allows an OpenVPN daemon to be restarted even if its privileges were downgraded with <strong>--user</strong> or <strong>--group</strong>).</p>
    509 <p>For more information on using OpenVPN in a dynamic IP address context, see the <a href="index.php/open-source/faq.html#dynamic">FAQ</a>.</p>
    510 <p>OpenVPN can also be used in cases where <a href="index.php/open-source/faq.html#dynamic-address">both ends of the connection are dynamic</a>.</p>
     509<p>For more information on using OpenVPN in a dynamic IP address context, see the FAQ.</p>
     510<p>OpenVPN can also be used in cases where both ends of the connection are dynamic.</p>
    511511</td>
    512512</tr>