OpenVPN Guest Lecture OS3 System & Network Engineering...

J.J. KeijserNikhefAmsterdamGrid Group

OpenVPN Guest LectureOS3 System & Network Engineering

Jan Just KeijserNikhef

11 May 2011


Working as grid system engineer since 2005Working in IT industry since 1995“discovered” OpenVPN in 2004Used and supported OpenVPN since thenAuthor of the “OpenVPN 2 Cookbook”,

published in 2011 IT interests include open source, networking,

VPNs, security, openssl, socat

A few words about me


What is a VPN? Types of VPNs What is OpenVPN? OpenVPN protocol Modes of operation: preshared keys, certificates,

'tun' vs 'tap', bridging Routing Smart card support Scripting and plugins Other features Weaknesses Future work Summary

Outline


What is a VPN?

Internet / WAN

NAT&Firewall Firewall&NAT

Without the use of a VPN…

Server

Your TROL (Typical Remote Office Layout)

Client


What is a VPN?

Internet / WAN

NAT&Firewall Firewall&NAT

Using a VPN…

Server

VPN Setup

Client


Types of VPNsWeb based: Proxies, SOCKSSolutions based on SSHPPTP based: Microsoft PPTP VPN client IPSec based: OpenS/WAN, raccoon IPSec+L2TP based: Microsoft L2TP VPN clientSSL based: OpenVPN


Virtual network adapterMost VPNs use the concept of a Virtual Network

Adapter. This allows for:◦ Separate IP address;

◦ Control over the routing and protocols allowed over the VPN.

The Virtual Network Adapter is the interface between the VPN client (or server) software and the Operating System.

Virtual Network Adapter

Ethernet1

23

VPN client


Web-based VPNsAlso known as “clientless VPNs”

Work only with web-based applications

Basically, a souped-up Secure Proxy server or SOCKS server

The VPN never leaves the “sandbox” of the webbrowser:

HTTPSencrypted traffic

Ethernet 1 Web browser

VPN applet


SSH-based solutions Not a true VPN – tunnelling of specific TCP ports only

Client and server software available for nearly every platform

OpenSSH includes SOCKS server support, allowing more flexible tunnels

SSH Tunnel

hostA:80

hostB:23127.0.0.1:8080127.0.0.1:1200

127.0.0.1 port 8080

127.0.0.1 port 1200

hostA port 80 (http)

hostB port 23 (telnet)


Web&SSH Pro's and con'sPro’s:

◦ Cient software for nearly all platforms;

◦ Uses standard TCP traffic so no NAT’ting issues;

◦ Easy to configure.

Con’s:

◦ Web-based (TCP, HTTPS) only;

◦ Not easy to share local data with remote site/server;

◦ Not a true VPN solution.


PPTP: the Microsoft solution

PPTP adapter

Ethernet1

23

VPN client

GREencrypted traffic

Developed by Microsoft and Ascend (RFC2637) Authentication using username/password

OR X.509 certificates (EAP-TLS) Runs over single TCP port and GRE tunnels (protocol 47) Frequently used for ADSL ethernet modems Interface to OS through PPTP adapter:


PPTP: Pro's and con'sPro’s:

◦ Client built into Microsoft platform;

◦ Other platforms supported for both client and server:

Linux;

FreeBSD/OpenBSD/NetBSD;

Macintosh OS X.

Con’s:

◦ PPTP considered fundamentally insecure;

◦ Secure version (EAP-TLS) supported fully only on Windows;

◦ GRE tunnelling does not work well with NAT’ting devices.


IPsec Official IEEE/IETF standard voor IP security (RFC2411)

Operates at Level2/Level3 of IP stack

Part of IPv6 specification

Introduces the concept of Security Policies

Uses Encapsulated Security Payload (ESP, IP protocol 50) for payload security, Hash-based Message Authentication Code (HMAC) for integrity

Authentication using X.509 certificates or pre-shared keys

Two modes supported:

◦ Transport mode;

◦ Tunnelling mode;


IPsec+L2TP Developed by Microsoft and Cisco Systems (RFC3193) Utilizes IPSec Transport mode Authentication using X.509 certificates or pre-shared

keys, in combination with a username/password Uses both UDP ports 500 and 4500 as well as ESP

(protocol 50) Interface to OS through L2TP adapter:

L2TP adapter

3

L2TP clientIPSec

Ethernet

IPsecencrypted traffic

2

1


IPsec: Pro's and con'sPro’s:

◦ Industry standard;

◦ Good platform support, including ADSL and Wifi routers;

◦ Security policies allow for a very modular approach.

Con’s:

◦ Configuration and troubleshooting can be difficult;◦ Notoriously difficult to configure, especially in

combination with NAT-Traversal (NAT-T);◦ Server-side cannot be NAT’ted, often forcing the use

of a DMZ;◦ IPSec and NAT’ting devices do not go well together.


OpenVPN: an SSL based VPN

tun/tap device

Ethernet1

23

OpenVPN

Uses TLS/SSL for payload security, HMAC for integrity

Authentication using X.509 certificates or pre-shared keys

UDP, TCP and SOCKS/HTTP Proxy support

Supports tunnelling (TCP/IP) and bridging (Ethernet) mode

Interface to OS through tun/tap device or TAP-Win32 adapter:

UDP/TCPencrypted traffic


What is OpenVPN?With OpenVPN, you can:

◦ tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,

◦ configure a scalable, load-balanced VPN server farm using one or more machines which can handle thousands of dynamic connections from incoming VPN clients,

◦ use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,

◦ use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,

◦ choose between static-key based conventional encryption or certificate-based public key encryption,

◦ use static, pre-shared keys or TLS-based dynamic key exchange,

◦ use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,

◦ tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,

◦ tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,

◦ tunnel networks over NAT,

◦ create secure ethernet bridges using virtual tap devices, and

◦ control OpenVPN using a GUI on Windows or Mac OS X.

(from http://openvpn.net/index.php/open-source/333-what-is-openvpn.html)


OpenVPN: some historyStarted in 2002 by James Yonan

First version only supported preshared keys and site-to-site connectivity

2004: OpenVPN 2.0 which supported◦ X509 certificates◦ Multiple clients to same server

2009: OpenVPN 2.1 which added◦ PKCS#11 support◦ Windows Vista/7 support

2011: OpenVPN 2.2 released◦ First community-built version


OpenVPN protocol In SSL/TLS mode two channels are used:

◦ A reliable control channel for exchanging SSL/TLS information and keys

◦ A data channel for transporting actual payload. In UDP mode this channel is not reliable

Each encrypted packet is formatted as follows:◦ HMAC(explicit IV, encrypted envelope)◦ Explicit IV◦ Encrypted Envelope

The content of the encrypted envelope is formatted as follows:◦ 64 bit sequence number◦ payload data, i.e. IP packet or Ethernet frame


Modes of operation

OpenVPN supports several modes of operation:

Preshared static keys

AuthN using X509 certificates

AuthN using username+password

Tunnelling mode (point-to-point, aka 'tun')

Ethernet mode (aka 'tap')

Ethernet bridging


Basic static key exampleFirst, generate a static key:$ openvpn --genkey --secret secret.key

Transfer the key to the remote end using a secure channel (e.g. scp)

Start the server/listener:$ openvpn --ifconfig 10.200.0.1 10.200.0.2 \

--dev tun --secret secret.key

And connect to it using the client:$ openvpn --ifconfig 10.200.0.2 10.200.0.1 \

--dev tun --secret secret.key \

--remote openvpnserver.example.com


Setting up a PKIOpenVPN supplies 'easy-rsa' scripts, which are

wrappers around 'openssl ca' commandsOther PKI solutions can also be used, provided they

can supply PEM-encoded certificates and keys or PKCS#12 formatted files

Example usage of 'easy-rsa':$ <edit vars file>

$ . ./vars

$ ./clean-all

$ ./build-ca

$ ./build-key-server <servername>

$ ./build-key <clientname>


Basic X509 example (server)proto udp

port 1194

dev tun

server 10.8.0.0 255.255.255.0

ca ca.crt

cert server.crt

key server.key

dh dh1024.pem

tls-auth ta.key 0

persist-key

persist-tun

keepalive 10 60

user nobody

group nobody


Basic X509 example (client)client

proto udp

remote openvpnserver.example.com

port 1194

dev tun

nobind

ca ca.crt

cert client.crt

key client.key

tls-auth ta.key 1


Network topologiesOpenVPN 2.1 introduced a new keyword topology subnet

Previously, each client was assigned a miniature /30 network:◦ Server uses 10.8.0.0-10.8.0.3◦ First client is assigned 10.8.0.4-10.8.0.7◦ Second client is assigned 10.8.0.8-10.8.0.11, etc.

10.8.0.4 /30 network address

10.8.0.5 remote endpoint (virtual)

10.8.0.6 actual client VPN IP

10.8.0.7 /30 broadcast address

With 'topology subnet' each client is assigned only a single IP address: 10.8.0.2, 10.8.0.3, etc.


'tun' versus 'tap'OpenVPN supports two transport modes:

◦ 'tun' mode: Create a mini point-to-point connection to each

client The headers of each incoming packet are stripped

and new headers are added Can support IP protocols only (TCP, UDP, ICMP,

IPsec, GRE)

◦ 'tap' mode: Pass full ethernet frames between client and server Great for supporting non-IP protocols Slightly higher overhead Server and clients form a single broadcast domain


Bridging 'tap' mode allows the creation of a full Ethernet

bridge:◦ A regular network interface and a 'tap' interface are

bridged◦ All traffic which enters on one interface is copied out

to the other interface◦ Result: the LAN and the VPN form a single broadcast

domain - great for multi-player gaming!◦ A second advantage is that the VPN clients can be

incorporated almost fully into the server-side LAN (e.g. can use the same DHCP server)

◦ Downside: performance! Even the throughput speed of the LAN interface is affected, as all incoming traffic is ALWAYS copied over to the 'tap' interface


Bridging example (server)proto udp

port 1194

dev tap0

server-bridge 10.8.0.100 255.255.255.0 10.8.0.101 \

10.8.0.140

ca ca.crt

cert server.crt

key server.key

dh dh1024.pem

tls-auth ta.key 0

persist-key

persist-tun

keepalive 10 60

user nobody


Routing and masqueradingA VPN is one thing, routing traffic over it is another80+ % of all OpenVPN support questions are about

routingMost commonly used trick (on Linux servers)$ echo 1 > /proc/sys/net/ipv4/ip_forward

$ iptables -i FORWARD -i tun+ -j ACCEPT

$ iptables -i FORWARD -o tun+ -j ACCEPT

$ iptables -t nat -I POSTROUTING -o eth0 \

-j MASQUERADE


Smart card supportTwo factor authentication: you can connect to my

system based on something you KNOW (a password) and something you HAVE (a smart card)

OpenVPN supports the PKCS#11 interface Any smart card or hardware security device with a

PKCS#11 interface can be used (in theory...)However: PKCS#11 support on Linux (and MacOS)

is far from perfectKnown to work:

◦ Aladdin eToken PRO (now SafeNet)◦ Feitian ePass


PKCS#11 example (client)client

proto udp

remote openvpnserver.example.com

port 1194

dev tun

nobind

ca ca.crt

pkcs11-providers etpkcs11.dll

pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/001a0ab6/Jan\\x20Just\\x20Keijser/39453945373335312D333545442D343031612D384637302D3238463636393036363042303A30"

tls-auth ta.key 1


Scripting (1)OpenVPN offers several ways to influcence what

happens when a client connects or disconnects, both on the server side and on the client side

On the client side the following scripts are run when the client connects:◦ 'up' : when the virtual interface is brought up

◦ 'route-up': when routes need to be added to the local routing tables

Similarly, when the client disconnects:◦ 'down' : when the virtual interface is taken down


Scripting (2)On the server side the following scripts are run when

a client connects:◦ 'client-connect' : allows you to write out configuration

statements which are pushed out to the client

◦ 'learn-address add'

◦ 'tls-verify': verify the entire certificate chain of the client

◦ 'auth-user-pass-verify': allows for authentication using username and password

Similarly, when the client disconnects:◦ 'learn-address delete'

◦ 'client-disconnect'


Scripting example (server)...

script-security 2# run when server starts and shuts down

up sample-script.sh

route-up sample-script.sh

down sample-script.sh

# run when a client connects or disconnects

client-connect sample-script.sh

client-disconnect sample-script.sh

learn-address sample-script.sh

tls-verify sample-script.sh

auth-user-pass-verify sample-script.sh via-env


PluginsNext to scripts, OpenVPN can also be extended

using pluginsPlugins can be inserted at almost all points where

scripts are runMost common plugins are

◦ auth-pam: for authentication users using PAM;

◦ down-root: for running a command as root when openvpn shuts down.

Why would you use a plugin?◦ Speed: plugins are run in a separate thread

◦ Security: it's easy to make a mistake in a script which can be exploited.


Other featuresDifferent cipher algorithms for encryptionDifferent signing algorithms for HMAC signingOn-the-fly compression using 'lzo'Connect via a SOCKS proxyConnect via an HTTP proxyShare a VPN server with an HTTPS server on the

same IP and portManagement interface (on both client and server):

◦ View connected clients;

◦ View statistics;

◦ Disconnect clients.


WeaknessesWindows Vista/7/2008 support is lackingSupport for IPv6 endpoints is still missing; tunnelling

IPv6 traffic via either 'tun' or 'tap' mode is in 2.2Monolithic design: both a strength and a weakness,

but does affect scalabilityThroughput over gigabit links could be betterDifficult to port to new OSes (such as smartphones):

a 'tun' driver needs to be present (iPhone!)


What's wrong @ Gigabit speed?


Future developmentsFull IPv6 support is expected in 2.3 (beta: July)A grand, completely modular redesign is being

worked on (OpenVPN 3.0) Improve negotiation capabilities between client and

server; make client configuration as minimal as possible

Improve Windows 7 support (esp tap-win32 driver)Add ability to 'mimick' HTTPS traffic for ducking

firewallsNew transport protocols next to UDP and TCP:

◦ sctp

◦ ICMP

Date post:	18-Jul-2018
Category:	Documents
Upload:	leminh
View:	223 times
Download:	0 times

OpenVPN Guest Lecture OS3 System & Network Engineering...

Documents