Difference between revisions of "OpenVPN"

From Exterior Memory
Jump to: navigation, search
(Running IPv6 through the Tunnel)
Line 21: Line 21:
 
* Wait for OpenVPN 2.3 or compile a development version;
 
* Wait for OpenVPN 2.3 or compile a development version;
 
* Use OpenVPN 2.2 with a custom connect- and disconnect script to set the IPv6 address of the tunnel.
 
* Use OpenVPN 2.2 with a custom connect- and disconnect script to set the IPv6 address of the tunnel.
 +
 +
I choose to compile a development version.
 +
 +
===Install Development Version===
 +
 +
On FreeBSD:
 +
cd /usr/ports/security/openvpn-devel
 +
sudo make install
 +
 +
On Mac OS X:
 +
sudo port install lzo2
 +
git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git
 +
cd openvpn
 +
git checkout 32ab329bc69c6292c205d4f33a4b8069341798d3
 +
autoreconf -i -v
 +
./configure --with-lzo-headers=/opt/local/include --with-lzo-lib=/opt/local/lib
 +
make
 +
make check
 +
sudo make install
 +
 +
===Configure IPv6 Tunnel===
 +
 +
Imagine the following setup:
 +
[[File:VPN server example.png]]

Revision as of 21:39, 12 February 2012

OpenVPN is a secure tunnel. I use it to connect to my home network.

OpenVPN uses certificates to both authenticate the client with the server, and the server with the client. The only hard part about OpenVPN is setting up the certificate infrastructure. You need a root certificate (the certificate authority, CA), and certificates for each server and each client, signed by this root certificate.

Setting up a public key infrastructure

The use of client certificates enhances the security, but makes it harder to deploy, as you need to distribute client certificates to each host. You can not use an existing public key infrastructure (PKI); you would allow anyone with a certificate of that PKI to connect to your server (the tls-remote and tls-verify options can limits the allowed clients). You either need to to set up your own certificate infrastructure, or limit OpenVPN to use password-based authentication (see the options auth-user-pass-verify, client-cert-not-required and username-as-common-name).

The easiest method it to use easy-rsa, as described in the OpenVPN How-to.

The article Create a OpenVPN Certificate Authority describes the steps in more detail, but basically gives the same result.

Certificates, when deployed correctly, are much more secure than passwords, since the secret (key) does not need to be exchanged or shared between the different hosts. However, doing so requires a security hygiene which may not be required for a small-scale deployment.

Running IPv6 through the Tunnel

OpenVPN can both use a tap or a tun interface. A tap interface tunnels Ethernet traffic, so that includes both IPv4, IPv6 and NetBIOS. A tun interface tunnels IP traffic. Version 2.3 of OpenVPN supports tunnelling bot IPv4 and IPv6 traffic through the tunnel. OpenVPN 2.2 can also tunnel IPv6 traffic, but requires a custom scripts to configure the IPv6 addresses and routing tables. At the time of writing, OpenVPN 2.3 is not yet released, so the following three options are available:

  • Use a tap interface to bridge all Ethernet traffic, including IPv4 and IPv6 traffic. The disadvantage is that is less efficient since the tunnel contains broadcast traffic not targeted to the client;
  • Wait for OpenVPN 2.3 or compile a development version;
  • Use OpenVPN 2.2 with a custom connect- and disconnect script to set the IPv6 address of the tunnel.

I choose to compile a development version.

Install Development Version

On FreeBSD:

cd /usr/ports/security/openvpn-devel
sudo make install

On Mac OS X:

sudo port install lzo2
git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git
cd openvpn
git checkout 32ab329bc69c6292c205d4f33a4b8069341798d3
autoreconf -i -v
./configure --with-lzo-headers=/opt/local/include --with-lzo-lib=/opt/local/lib
make
make check
sudo make install

Configure IPv6 Tunnel

Imagine the following setup: VPN server example.png