Beginning OpenVPN 2.0.9

Transcription

1 Beginning OpenVPN Build and integrate Virtual Private Networks using OpenVPN Markus Feilner Norbert Graf PUBLISHING BIRMINGHAM - MUMBAI

2 Preface 1 Chapter 1: VPN Virtual Private Network 7 Broadband Internet access and VPNs 9 How does a VPN work? 10 What are VPNs used for? 12 Networking concepts protocols and layers 13 Tunneling and overhead 16 VPN concepts overview 17 A proposed standard for tunneling 17 Protocols implemented on OSI layer 2 18 Protocols implemented on OSI layer 3 19 Protocols implemented on OSI layer 4 20 OpenVPN a SSL/TLS-based solution 21 Summary 21 Chapter 2: VPN Security 23 VPN security 23 Privacy encrypting traffic 24 Symmetric encryption and pre-shared keys 25 Reliability and authentication 26 The problem of complexity in classic VPNs 26 Asymmetric encryption with SSL/TLS 27 SSL/TLS security 28 HTTPS 29 Understanding SSL/TLS certificates 30 Trusted certificates 30 Self-signed certificates 32

3 Table ofcontents SSL/TLS certificates and VPNs 33 Generating certificates and keys 34 Summary 34 Chapter 3: OpenVPN 35 Advantages of OpenVPN 35 History of OpenVPN 37 OpenVPN Version 1 38 OpenVPN Version 2 41 The road to version Networking with OpenVPN 44 OpenVPN and firewalls 46 Configuring OpenVPN 47 Problems with OpenVPN 48 OpenVPN compared to IPsec VPN 49 User space versus kernel space 51 Sources for help and documentation 51 The project community 52 Documentation in the software packages 52 Summary 53 Chapter 4: Installing OpenVPN on Windows and Mac 65 Obtaining the software 55 Installing OpenVPN on Windows 56 Downloading and starting installation 56 Selecting the components and location 57 Finishing installation 59 Testing the installation a first look at the panel applet 60 Installing OpenVPN on Mac OS X (Tunnelblick) 62 Testing the installation the Tunnelblick panel applet 64 Summary 65 Chapter 5: Installing OpenVPN on Linux and Unix Systems 67 Prerequisites 67 Installing OpenVPN on SuSE Linux 68 Using YaST to install software 69 Installing OpenVPN on Red Hat Fedora using yum 72 Installing OpenVPN on Red Hat Enterprise Linux 75 Installing OpenVPN on RPM-based systems 77 Using wget to download OpenVPN RPMs 78 Installing OpenVPN and the LZO library with wget and RPM 79 Using rpm to obtain information on the installed OpenVPN version 80

4 Installing OpenVPN on Debian and Ubuntu 82 Installing Debian packages 84 Using Aptitude to search and install packages 86 OpenVPN the files installed on Debian 88 Installing OpenVPN on FreeBSD 88 Installing a newer version of OpenVPN on FreeBSD the ports system 91 Installing the port system with sysinstall 91 Downloading and installing a BSD port 92 Summary 94 Chapter 6: Advanced OpenVPN Installation 95 Troubleshooting advanced installation methods 95 Installing OpenVPN from source code 96 Building and distributing.deb packages 102 Building your own RPM file 104 Enabling Linux kernel TUN/TAP support 106 Using menuconfig 107 Summary 109 Chapter 7: Configuring an OpenVPN Server The First Tunnel 111 OpenVPN on Microsoft Windows 112 Generating a static OpenVPN key 113 Creating a sample connection Adapting the sample configuration file provided by OpenVPN 117 Starting and testing the tunnel 119 A brief look at Windows OpenVPN network interfaces 121 Connecting Windows and Linux 122 File exchange between Windows and Linux 123 WinSCP 123 Transferring the key file from Windows to Linux with WinSCP 124 The second pitfall carriage return/end of line 126 Configuring the Linux system 127 Testing the tunnel 129 A look at the Linux network interfaces 130 Running OpenVPN automatically 131 OpenVPN as a server on Windows 131 OpenVPN as a server on Linux 133 Runlevels and init scripts on Linux 133 Using runlevel and init to change and check runlevels 134 The system control for runlevels 135 Managing init scripts 136 Using SuSE's YaST module system services (runlevel) 137

5 Troubleshooting firewall issues 139 Deactivating the Windows XP service pack 2 firewall 139 Stopping the SuSE firewall 141 Summary 142 Chapter 8: Setting Up OpenVPN with X.509 Certificates 143 Creating certificates 143 Certificate generation on Windows Server 2008 with easy-rsa 144 Setting variables editing vars.bat 145 Creating the Diffie-Hellman key 146 Building the certificate authority 147 Generating server and client keys 148 Distributing the files to the VPN partners 152 Configuring OpenVPN to use certificates 154 Using easy-rsa on Linux 157 Preparing variables in vars 158 Creating the Diffie-Hellman key and the certificate authority 158 Creating the first server certificate/key pair 159 Creating further certificates and keys 161 Troubleshooting 162 Summary 163 Chapter 9: The Command openvpn and Its Configuration File 165 Syntax of openvpn 166 OpenVPN command-line parameters 166 Using OpenVPN at the command line 167 Parameters used in the standard configuration file for a static key client 169 Compressing the data 169 Controlling and restarting the tunnel 172 Debugging output troubleshooting 173 Configuring OpenVPN with certificates simple TLS mode 175 Overview of OpenVPN parameters 176 General tunnel options 176 Routing 179 Controlling the tunnel 181 Scripting 182 Modules 182 Logging 184 Specifying a user and group 185 The management interface 186 Proxies 188 Encryption parameters 189

6 Testing the crypto system with -test-crypto 190 SSL information command line 191 Server mode 195 Server mode parameters client-config options 199 Client mode parameters 201 Push options 202 Important Windows-specific options 203 New in Version Connection profiles 204 Topology mode 205 Script-security 206 Port-sharing 206 Test 206 Summary 207 Chapter 10: Securing OpenVPN Tunnels and Servers 209 Securing and stabilizing OpenVPN 209 Authentication 212 Using authentication methods 213 Authentication plugins overview 216 Authentication with tokens 217 Individual authentication with Pam-per-user 218 Linux and Firewalls 220 Debian Linux and Webmin with Shorewall 221 Installing Webmin and Shorewall 221 Looking at Webmin 222 Preparing Webmin and Shorewall for the first start 223 Preparing the Shoreline firewall 224 Troubleshooting Shorewall editing the configuration files 225 OpenVPN and SuSEfirewall 228 Routing and firewalls 230 Configuring a router without a firewall 230 iptables the standard Linux firewall tool 230 Configuring the Windows Firewall for OpenVPN 234 Summary 238 Chapter 11: Advanced Certificate Management 239 Certificate management and security 239 Installing xca 240 Using xca 240 Creating a database 240

7 Maemo Table of Contents Importing a CA certificate 242 Creating and signing a new server/client certificate 244 Revoking certificates with xca 248 certificates 250 Using TinyCA2 to manage Importing our CA 250 Using TinyCA2 for CA administration 251 Creating new certificates and keys 252 Exporting keys and certificates with TinyCA2 254 Revoking certificates with TinyCA2 255 Other tools worth mentioning 255 Summary 256 Chapter 12: OpenVPN GUI Tools 257 OpenVPN server administration: Webmin's OpenVPN plugin 257 Client GUIs for Linux 260 KVpnc 260 GAdmin-OpenVPN-Client 262 NetworkManager 263 Summary 264 Chapter 13: Advanced OpenVPN Configuration 265 Tunneling a proxy server and protecting the proxy 266 Scripting OpenVPN an overview 268 Using a client configuration directory with per-client configurations 270 Individual firewall rules for connecting clients 273 Distributed compilation through VPN tunnels with distcc 275 Ethernet bridging with OpenVPN 277 Automatic installation for Windows clients 279 Clustering and redundancy 284 Summary 285 Chapter 14: Mobile Security with OpenVPN 287 Anonymous and uncensored Internet Access 287 OpenVPN on Windows Mobile Embedded Linux 292 Summary 294 Chapter 15: Troubleshooting and Monitoring 295 Testing network connectivity 295 Checking interfaces, routing, and connectivity on the VPN servers 298 Debugging with tcpdump and IPTraf 303 Using OpenVPN protocol and status files for debugging 305 Scanning servers with Nmap 307 [vi]

8 Monitoring tools 308 ntop 309 Munin 310 Nagios 311 OpenVPNgraph 312 Summary 313 Appendix: Internet Resources and More 315 Index 325