Mastering OpenVPN

Book Description

Master building and integrating secure private networks using OpenVPN

About This Book

  • Discover how to configure and set up a secure OpenVPN

  • Enhance user experience by using multiple authentication methods

  • Delve into better reporting, monitoring, logging, and control with OpenVPN

Who This Book Is For

If you are familiar with TCP/IP networking and general system administration, then this book is ideal for you. Some knowledge and understanding of core elements and applications related to Virtual Private Networking is assumed.

What You Will Learn

  • Identify different VPN protocols (IPSec, PPTP, OpenVPN)

  • Build your own PKI and manage certificates

  • Deploy your VPN on various devices like PCs, mobile phones, tablets, and more

  • Differentiate between the routed and bridged network

  • Enhance your VPN with monitoring and logging

  • Authenticate against third-party databases like LDAP or the Unix password file

  • Troubleshoot an OpenVPN setup that is not performing correctly

In Detail

Security on the internet is increasingly vital to both businesses and individuals. Encrypting network traffic using Virtual Private Networks is one method to enhance security. The internet, corporate, and “free internet” networks grow more hostile every day. OpenVPN, the most widely used open source VPN package, allows you to create a secure network across these systems, keeping your private data secure. The main advantage of using OpenVPN is its portability, which allows it to be embedded into several systems.

This book is an advanced guide that will help you build secure Virtual Private Networks using OpenVPN. You will begin your journey with an exploration of OpenVPN, while discussing its modes of operation, its clients, its secret keys, and their format types. You will explore PKI: how to set it up and how it works, PAM authentication, and MTU troubleshooting. Next, client/server mode, the most commonly used deployment model, is discussed, and you will learn about its two modes of operation using "tun" and "tap" devices.

The book then progresses to more advanced concepts, such as deployment scenarios in tun mode, including integration with back-end authentication; securing your OpenVPN server using iptables; scripting and plugins; and using OpenVPN on mobile devices and networks.

Finally, you will discover the strengths and weaknesses of the current OpenVPN implementation, understand the future directions of OpenVPN, and delve into the troubleshooting techniques for OpenVPN.

By the end of the book, you will be able to build secure private networks across the internet and hostile networks with confidence.

Style and approach

An easy-to-follow yet comprehensive guide to building secure Virtual Private Networks using OpenVPN. A progressively complex VPN design is developed with the help of examples. Each chapter covers more advanced topics, with subjects grouped according to their complexity as well as their utility.

Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the files e-mailed directly to you.

Table of Contents

    1. Mastering OpenVPN
      1. Table of Contents
      2. Mastering OpenVPN
      3. Credits
      4. About the Authors
      5. About the Reviewers
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. Introduction to OpenVPN
        1. What is a VPN?
        2. Types of VPNs
          1. PPTP
          2. IPSec
          3. SSL-based VPNs
          4. OpenVPN
        3. Comparison of VPNs
          1. Advantages and disadvantages of PPTP
          2. Advantages and disadvantages of IPSec
          3. Advantages and disadvantages of SSL-based VPNs
          4. Advantages and disadvantages of OpenVPN
          5. History of OpenVPN
        4. OpenVPN packages
          1. The open source (community) version
          2. The closed source (commercial) Access Server
          3. The mobile platform (mixed) OpenVPN/OpenVPN Connect
          4. Other platforms
        5. OpenVPN internals
          1. The tun/tap driver
          2. The UDP and TCP modes
          3. The encryption protocol
          4. The control and data channels
          5. Ciphers and hashing algorithms
          6. OpenSSL versus PolarSSL
        6. Summary
      9. 2. Point-to-point Mode
        1. Pros and cons of the key mode
          1. The first example
        2. TCP protocol and different ports
          1. The TAP mode
          2. The topology subnet
          3. The cleartext tunnel
        3. OpenVPN secret keys
          1. Using multiple keys
          2. Using different encryption and authentication algorithms
        4. Routing
          1. Configuration files versus the command line
        5. The complete setup
          1. Advanced IP-less setup
        6. Three-way routing
          1. Route, net_gateway, vpn_gateway, and metrics
        7. Bridged tap adapter on both ends
          1. Removing the bridges
        8. Combining point-to-point mode with certificates
        9. Summary
      10. 3. PKIs and Certificates
        1. An overview of PKI
          1. PKI using Easy-RSA
          2. Building the CA
          3. Certificate revocation list
          4. Server certificates
          5. Client certificates
          6. PKI using ssl-admin
        2. OpenVPN server certificates
        3. OpenVPN client certificates
        4. Other features
        5. Multiple CAs and CRLs
        6. Extra security – hardware tokens, smart cards, and PKCS#11
          1. Background information
          2. Supported platforms
          3. Initializing a hardware token
          4. Generating a certificate/private key pair
          5. Generating a private key on a token
          6. Generating a certificate request
          7. Writing an X.509 certificate to the token
          8. Getting a hardware token ID
          9. Using a hardware token with OpenVPN
        7. Summary
      11. 4. Client/Server Mode with tun Devices
        1. Understanding the client/server mode
        2. Setting up the Public Key Infrastructure
        3. Initial setup of the client/server mode
          1. Detailed explanation of the configuration files
          2. Topology subnet versus topology net30
        4. Adding extra security
          1. Using tls-auth keys
          2. Generating a tls-auth key
          3. Checking certificate key usage attributes
        5. Basic production-level configuration files
          1. TCP-based configuration
          2. Configuration files for Windows
        6. Routing and server-side routing
          1. Special parameters for the route option
          2. Masquerading
        7. Redirecting the default gateway
        8. Client-specific configuration – CCD files
          1. How to determine whether a CCD file is properly processed
          2. CCD files and topology net30
        9. Client-side routing
          1. In-depth explanation of the client-config-dir configuration
          2. Client-to-client traffic
        10. The OpenVPN status file
          1. Reliable connection tracking for UDP mode
        11. The OpenVPN management interface
        12. Session key renegotiation
          1. A note on PKCS#11 devices
        13. Using IPv6
          1. Protected IPv6 traffic
          2. Using IPv6 as transit
        14. Advanced configuration options
          1. Proxy ARP
            1. How does Proxy ARP work?
          2. Assigning public IP addresses to clients
        15. Summary
      12. 5. Advanced Deployment Scenarios in tun Mode
        1. Enabling file sharing over VPN
          1. Using NetBIOS names
          2. Using nbtstat to troubleshoot connection problems
        2. Using LDAP as a backend authentication mechanism
          1. Troubleshooting the LDAP backend authentication
        3. Filtering OpenVPN
          1. FreeBSD example
          2. A Windows example
          3. Policy-based routing
        4. Windows network locations – public versus private
          1. Background
          2. Changing the TAP-Win adapter location using the redirect-gateway
            1. Using the Group Policy editor to force an adapter to be private
            2. Changing the TAP-Win adapter location using extra gateways
            3. Redirecting all traffic in combination with extra gateways
        5. Using OpenVPN with HTTP or SOCKS proxies
          1. HTTP proxies
          2. SOCKS proxies
        6. Summary
      13. 6. Client/Server Mode with tap Devices
        1. The basic setup
        2. Enabling client-to-client traffic
          1. Filtering traffic between clients
            1. Disadvantage of the proxy_arp_pvlan method
            2. Filtering traffic using the pf filter of OpenVPN
        3. Using the tap device (bridging)
          1. Bridging on Linux
            1. Tearing down the bridge
          2. Bridging on Windows
        4. Using an external DHCP server
        5. Checking broadcast and non-IP traffic
          1. Address Resolution Protocol traffic
          2. NetBIOS traffic
        6. Comparing tun mode to tap mode
          1. Layer 2 versus layer 3
          2. Routing differences and iroute
          3. Client-to-client filtering
          4. Broadcast traffic and "chattiness" of the network
          5. Bridging
        7. Summary
      14. 7. Scripting and Plugins
        1. Scripting
          1. Server-side scripts
            1. --setenv and --setenv-safe
            2. --script-security
            3. --up-restart
            4. --up
            5. --route-up
            6. --tls-verify
            7. --auth-user-pass-verify
            8. --client-connect
            9. --learn-address
            10. --client-disconnect
            11. --route-pre-down
            12. --down
          2. Client-side scripts
            1. --setenv and --setenv-safe
            2. --script-security
            3. --up-restart
            4. --tls-verify
            5. --ipchange
            6. --up
            7. --route-up
            8. --route-pre-down
            9. --down
          3. Examples of server scripts
            1. Client-connect scripts
              1. Client authentication
              2. Client authorization
                1. Example 1—client-selected routes
                2. Example 2—track client connection statistics
                3. Example 3—disconnect user after X minutes
            2. Examples of client scripts
              1. Example 4—mount NFS share
              2. Example 5—using all scripts at once
            3. The server-side script log
            4. Environment variables set in the server-side scripts
              1. --up
              2. --route-up
              3. --tls-verify
              4. --auth-user-pass-verify
              5. --client-connect
              6. --learn-address
              7. --client-disconnect
              8. --route-pre-down and --down
            5. The client-side script log
            6. Environment variables set in the client-side scripts
        2. Plugins
          1. Down-root
          2. The auth-pam plugin
        3. Summary
      15. 8. Using OpenVPN on Mobile Devices and Home Routers
        1. Using the OpenVPN for an Android app
          1. Creating an OpenVPN app profile
          2. Using the PKCS#12 file
        2. Using the OpenVPN Connect app for Android
        3. Using the OpenVPN Connect app for iOS
        4. Integrating smart phones into an existing VPN setup
        5. Using a home router as a VPN client
        6. Using a home router as a VPN server
        7. Summary
      16. 9. Troubleshooting and Tuning
        1. How to read the log files
          1. Detecting a non-working setup
        2. Fixing common configuration mistakes
          1. Wrong CA certificate in the client configuration
            1. How to fix
          2. Client certificate not recognized by the server
            1. How to fix
          3. Client certificate and private key mismatch
            1. How to fix
          4. The auth and tls-auth key mismatch
            1. How to fix
          5. The MTU size mismatch
            1. How to fix
          6. The Cipher mismatch
            1. How to fix
          7. The Compression mismatch
            1. How to fix
          8. The fragment mismatch
            1. How to fix
          9. The tun versus tap mismatch
            1. How to fix
          10. The client-config-dir issues
            1. How to fix
          11. No access to the tun device in Linux
            1. How to fix
          12. Missing elevated privileges in Windows
            1. How to fix
        3. Troubleshooting routing issues
          1. Drawing a detailed picture
          2. Start in the middle and work your way outward
          3. Find a time to temporarily disable firewall
          4. If all else fails, use tcpdump
        4. How to optimize performance by using ping and iperf
          1. Using ping
          2. Using iperf
          3. Gigabit networking
        5. Analyzing OpenVPN traffic by using tcpdump
        6. Summary
      17. 10. Future Directions
        1. Current strengths
        2. Current weaknesses
          1. Scaling at gigabit speeds and above
        3. Where we are going
          1. Improved compression support
          2. Per-client compression
          3. New cryptographic routines
          4. Mixed certificate/username authentication
          5. IPv6 support
          6. Windows privilege separation
        4. Summary
      18. Index