TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Sabrina Barbey
Webmaster:
Blaise Carrera
OPENVPN - The Easy Tutorial - Tutorial

openmaniak openvpn square little blue OpenVPN openmaniak openvpn arrow right little blue Tutorial
Last update: 07-12-2010


Tool
Install
Ergonomy
Forum



Details What is OpenVPN?
Screenshots
Prerequisites & Installation
Tutorial OpenVPN
-----SECURITY MODE-----------
Transparent Tunnel
Static key
SSL & PKI (certificates)
-----CASE STUDY-----------
IP VPN (TUN)
Ethernet VPN (TAP)
VPN Advanced Settings
----------------
Bridging
Routing




If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!



openmaniak openvpn square little blue INSTALL OPENVPN:

Follow the OpenVPN installation tutorial.

openmaniak openvpn square little blue CLIENT/SERVER ARCHITECTURE:

Upon the two OpenVPN boxes, you have to declare one as server and the other as client. In some scenarios, each box can be declared as server or client, but in other scenarios you must specifically choose a device as client and the other as server. Let us see when.
Before establishing the SSL VPN, the client first reaches the server on a specific port, whereas the server doesn't need to reach the client. Let's take an example where you are in a professional environment and want to establish a VPN with a device connected directly to the Internet, let's say a box at your home.
In this frequent case, the client can reach the server but not the contrary. This is due to the fact that the client is located in a local network and reaches the internet via a proxy or Firewall which will substitute its own IP address or another one (Hide NAT) for the source IP address.
Nevertheless, when the tunnel is created, the bi-directional traffic inside it is of course possible.

openmaniak openvpn tutorial hide nat

openmaniak openvpn square little blue CONFIGURATION FILE:

Create a file where you store your OpenVPN configuration.
In our example, we will call this file config.txt and save it in the /home/user/ or "C:\Program Files\OpenVPN\config\" directory depending on whether it is a Linux/Unix or Microsoft machine.

The configuration settings are presented in the next paragraphs.

openmaniak openvpn square little blue CLIENT/SERVER DESIGNATION:

SERVER CLIENT
# SERVER IP ADDRESS
# The Client WAN IP address is not
# needed
# SERVER IP ADDRESS
remote 100.0.0.1
#
openmaniak openvpn square little blue TUNNEL MODE:

You can choose between an IP (TUN driver) and an Ethernet (TAP driver) tunnel.
IP tunneling is also referred as routing mode, and Ethernet tunneling as bridging mode.
Prefer the IP tunnel mode (default setting) unless you need to pass Ethernet traffic such as NetBIOS inside the tunnel.

openmaniak openvpn square little blue TUNNEL PORT:

Default source and destination tunneling port is UDP 1194. You should keep the default setting unless you need to change it for Firewall reasons otherwise you can keep it.
Prefer UDP ports. The use of TCP can lead to degraded performances.

As the majority of the applications uses TCP, if you opt for TCP tunneling, you will create a TCP over TCP tunnel. This is not recommended because in case of packets retransmissions on the interior TCP tunnel, recomputation will occur in both tunnels leading to slow performances such as high response time. Thus, prefer the UDP protocol to tunnel your application since contrary to TCP, it does not suffer from an overhead error checking mechanism..
Read this article to get details about the problems with TCP over TCP tunnels.

SERVER and CLIENT
# TCP OR UDP TUNNEL
# TCP tunnel

proto tcp
# UDP tunnel is recommended
proto udp
# use TCP or UDP but not both
#
# TCP OR UDP PORT

port 1194
openmaniak openvpn square little blue FIREWALL SETTINGS:

You must ascertain that your OpenVPN client IP address can reach the OpenVPN server IP address and the TCP/UDP port.
Here is an example of a security rule that can be implemented on the Firewall illustrated in the picture below.



Because of to the simplicity of the OpenVPN configurations, problems establishing a connection are often due to IP or port restrictions on the client and/or server side.

openmaniak openvpn square little blue ETHERNET/IP TUNNEL:

You can choose to build either Ethernet (Bridged) or IP (Routed) VPNs with the help of respectively the TAP or TUN network drivers. TAP/TUN are available on all the platforms and are already bundled with the Linux 2.4 kernel or higher.
Prefer TUN (default setting) unless you need to pass Ethernet traffic such as NetBIOS inside the VPN.

To check whether or not the TUN/TAP drivers are properly loaded:

#lsmod | grep tun
tun 12672 1

Note that the "tun" driver is also the TAP driver.
If you don't receive any answer, you can load the kernel module as follows:

#modprobe tun
SERVER and CLIENT
# ETHERNET OR IP TUNNEL
# "dev tun" will create a routed IP tunnel

dev tun
# "dev tap" will create an Ethernet tunnel
dev tap
# use "dev tun" or "dev tap" but not both
openmaniak openvpn square little blue OPENVPN SECURITY ARCHITECTURE:

openmaniak openvpn arrow right little blue Transparent tunnel:

OpenVPN just tunnels the data without authentication, confidentiality, or integrity. In other words there is no security checks whatsoever, and the data can be read as it passes through the tunnel.

SERVER and CLIENT
# Client AND Server configs
# No integritiy (hash function
# algorithm)

auth none
# No encryption (cipher algorithm)
cipher none
openmaniak openvpn arrow right little blue Preshared keys:

A secret and permanent key is shared between the VPN gateways.

First create the preshared keys with the preshared keys creation tutorials.
SERVER and CLIENT
# PRESHARED KEYS
# Linux system
static /home/user/openvpn/key.txt
# Windows system
static "C:\\Program Files\\OpenVPN\\config\\key.txt"
#openvpn /home/teddybear/openvpn/config.txt
>openvpn "C:\Program Files\OpenVPN\config\config.txt"

openmaniak openvpn arrow right little blue SSL/TLS:

- SSL/TLS server or client:

SERVER CLIENT
# SSL/TLS SERVER
tls-server
# SSL/TLS CLIENT
tls-client
- Certificates and public keys:

Each device must have its private and public keys, the latter being included in a certificate.
The CA (Certification Authority) certificate must also be owned by each OpenVPN device.

See the PKI Tutorial to understand the Public Key Infrastructure and know how to create private keys and certificates.
SERVER CLIENT
# CERTIFICATES AND PRIVATE KEY
# Authority certificate (CA public key)

ca ca.key
# Server certificate (server public key)
cert server.crt
# Server private key
key server.key
# CERTIFICATES AND PRIVATE KEY
# Authority certificate (CA public key)

ca ca.key
# Client certificate (client public key)
cert client.crt
# Client private key
key client.key
- Diffie-Hellmann (DH) settings:

Once the OpenVPN peers are sure about each other's identity, DH can be used to create a shared secret key for the hash function and the cipher algorithm.
By combining a DH private key with the other OpenVPN box DH public key, it is possible to calculate a shared secret that only the two OpenVPN peers know.

See the SSL Tutorial to get information about how to create the DH settings.


SERVER CLIENT
# Diffie-Hellman settings
dh dh1024.pem
# No DH setting on the client
#
This DH shared secret could be compared to the OpenVPN preshared key.
These keys will be used by the symmetric ciphers and hash functions algorithms as shown in the two next paragraphs.

openmaniak openvpn square little blue CIPHER ALGORITHM

SERVER and CLIENT
# CIPHER ALGORITHM
cipher AES-256-CBC
- The confidentiality is ensured with symmetric ciphers such as 3DES or AES to protect the data from being read.
The OpenVPN default cipher algorithm is Blowfish.
To check the available algorithms:

#openvpn --show-ciphers
DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)


CBC for Cipher Block Chaining is a cryptography operational modes used to encrypt data with a cipher block algorithm like the AES, DES or Blowfish. CBC uses small piece of data, instead of processing an entire block at a time, other cryptography operational mode are EBC, OFB, CFB. CBC mode is recommended.


openmaniak openvpn square little blue HASH FUNCTION ALGORITHM

- The Integrity uses hash function algorithms to protect the data from being altered.
HMAC is often used in addition with SHA1 or MD5.
The OpenVPN default hash functions are HMAC-SHA1.
To check the available algorithms:

#openvpn --show-digests
MD2 128 bit digest size
MD5 128 bit digest size
RSA-MD2 128 bit digest size
RSA-MD5 128 bit digest size
SHA 160 bit digest size
RSA-SHA 160 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
DSA-SHA 160 bit digest size
DSA-SHA1-old 160 bit digest size
MDC2 128 bit digest size
RSA-MDC2 128 bit digest size
DSA-SHA1 160 bit digest size
RSA-SHA1-2 160 bit digest size
DSA 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size


SERVER and CLIENT
# HASH FUNCTION ALGORYTHM
auth MD5
"openvpn --show-tls" displays the cipher and message authentication code (MAC) used during the SSL/TLS negotiation. They should not be confounded with the cipher and MAC used to secure the OpenVPN tunnel.

openmaniak openvpn arrow right little blue IP ADDRESSES:

Choose the IP addresses you want to use inside the tunnel.

openmaniak openvpn arrow right little blue Static IP addresses:

In routed mode, two IP addresses (local and remote) inside a 30 bits subnet mask must be chosen.
In bridge mode, one IP address for the local OpenVPN box and a subnet mask including the server IP address are chosen.

SERVER CLIENT
# IP ADDRESSING
# IP mode example:
# Server IP: 10.8.0.1 ; Client IP: 10.8.0.2

ifconfig 10.8.0.1 10.8.0.2
# Bridge mode example
# Server IP: 10.8.0.1

ifconfig 10.8.0.1 255.255.255.0
# Use bridged or routed settings but not
# both
# Client and Server must use the same
# tunnel mode
# IP ADDRESSING
# IP mode example:
# Server IP: 10.8.0.1 ; Client IP: 10.8.0.2

ifconfig 10.8.0.2 10.8.0.1
# Bridge mode example
# Client IP: 10.8.0.2

ifconfig 10.8.0.2 255.255.255.0
# Use bridged or routed settings but not
# both
# Client and Server must use the same
# tunnel mode
openmaniak openvpn arrow right little blue Dynamic IP addresses:

In this case, the server owns a static IP address and provides IP addresses to the clients as a DHCP server.

SERVER CLIENT
# DHCP SETTINGS
# DHCP range
# Server will take the first IP address
server 10.8.0.0 255.255.255.0
# CLIENT ACCEPTS SERVER OPTIONS
# The client should accept options pushed
# by the server

pull
openmaniak openvpn square little blue OPTIONAL SETTINGS:

OpenVPN offers a very large number of optional settings.
Refer to the OpenVPN man page for assistance.

openmaniak openvpn square little blue LOG SETTINGS:

The log verbosity is configured from 0 (minimum) to 15 (maximal). For a normal use, the "2" and "4" verbose levels will already provide sufficient logs.

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but displays non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting

SERVER and CLIENT
# LOG VERBOSITY
# log verbosity setting, 0=min 15=max

verb 3


openmaniak openvpn square little blue OPENVPN USER:

For security reasons, it's always better to run a software without the root privileges.
You can reduce the OpenVPN daemon's privileges after initialization in order to operate as user "nobody".
Another interesting security point is to limit the right OpenVPN has to access files after initialization with "chroot".

Note that these two security settings are available under Linux/UNIX systems, but not under Windows. Another reason to prefer opens source tools like Linux OS ...

SERVER and CLIENT
# OPENVPN SECURITY - Linux only
# OpenVPN User
user nobody
# After initialization, OpenVPN can only
# access a directory
# The directory can be empty
# OpenVPN process limitation

chroot /etc/openvpn/
openmaniak openvpn square little blue LAUNCH OPENVPN:

Use the following syntax to launch OpenVPN.

#openvpn path-to-config-file
Below are two examples with Linux and Windows. The config file is "config.txt":

#openvpn /home/teddybear/openvpn/config.txt
>openvpn "C:\Program Files\OpenVPN\config\config.txt"
openmaniak openvpn square little blue LOG CHECK:

The log should end will the following line:

Initialization Sequence Completed

This indicates that the OpenVPN tunnel has been created successfully.

openmaniak openvpn square little blue CONNECTIVITY TESTS:

Ping is a common utility to check IP connectivities.
The VPN gateway should ping the tunnel IP address of the other.
For example, in our scenario, we ping the client tunnel IP address from the server:

ping 10.8.0.2
openmaniak openvpn square little blue OPENVPN PROCESS CHECK:

Coming soon ...


openmaniak openvpn square little blue Here are some OpenVPN default values:

SETTING: VALUE:
Src & dest port: UDP 1194
Tunnel mode: IP tunnel (tun mode)
Symmetric cipher: Blowfish - CBC (128 bits)
Hash functions: HMAC - SHA1 (160 bits)
Compression: NO
Tunnel MTU: 1500 bytes
Verbose mode: 0
Top of the page





If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!