OpenVPN 2 Cookbook

Book Description

100 simple and incredibly effective recipes for harnessing the power of the OpenVPN 2 network

  • Set of recipes covering the whole range of tasks for working with OpenVPN

  • The quickest way to solve your OpenVPN problems!

  • Set up, configure, troubleshoot and tune OpenVPN

  • Uncover advanced features of OpenVPN and even some undocumented options

In Detail

    OpenVPN (http://www.openvpn.net) is a free and open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between hosts. It can establish direct links between computers across networks and firewalls. It is powerful software, but getting the most from it can be a daunting task.

    OpenVPN 2 Cookbook provides solutions to common OpenVPN problems. The book covers everything a system administrator needs to manage and run an OpenVPN network, from point-to-point networks to troubleshooting.

    OpenVPN 2 Cookbook offers all the information you need to successfully manage your network. Covering all the common network types, including point-to-point networks, multi-client TUN-style networks, and multi-client TAP-style networks, this practical guide gives quick answers to common questions and problems.

    Each technical aspect is broken down into short recipes that demonstrate solutions with working configurations and code, then explain why and how they work. The book is intended as a desk reference for users across a whole range of experience levels.

    Table of Contents

    1. OpenVPN 2 Cookbook
      1. Copyright
      2. Credits
      3. About the Author
      4. About the Reviewers
      5. www.PacktPub.com
        1. Support files, eBooks, discount offers and more
          1. Why Subscribe?
          2. Free Access for Packt account holders
      6. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Errata
          2. Piracy
          3. Questions
      7. 1. Point-to-Point Networks
        1. Introduction
        2. Shortest setup possible
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Using the TCP protocol
            2. Forwarding non-IP traffic over the tunnel
        3. OpenVPN secret keys
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        4. Multiple secret keys
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        5. Plaintext tunnel
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Routing
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Routing issues
            2. Automating the setup
          5. See also
        7. Configuration files versus the command-line
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. OpenVPN 2.1 specifics
        8. Complete site-to-site setup
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        9. 3-way routing
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Scalability
            2. Routing protocols
          5. See also
      8. 2. Client-server IP-only Networks
        1. Introduction
        2. Setting up the public and private keys
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Using the easy-rsa scripts on Windows
            2. Some notes on the different variables
          5. See also
        3. Simple configuration
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. 'net30' addresses
        4. Server-side routing
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Linear addresses
            2. Using the TCP protocol
            3. Server certificates and ns-cert-type server
            4. Masquerading
        5. Using 'client-config-dir' files
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Default configuration file
              2. Troubleshooting
              3. OpenVPN 2.0 'net30' compatibility
              4. Allowed options in a 'client-config-dir' file
        6. Routing: subnets on both sides
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Masquerading
            2. Client-to-client subnet routing
          5. See also
        7. Redirecting the default gateway
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Redirect-gateway parameters
            2. Split tunneling
          5. See also
        8. Using an 'ifconfig-pool' block
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Configuration files on Windows
            2. Topology subnet
            3. Client-to-client access
            4. Using the TCP protocol
        9. Using the status file
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Status parameters
            2. Disconnecting clients
            3. Explicit-exit-notify
        10. Management interface
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Server-side management interface
          5. See also
        11. Proxy-arp
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. User 'nobody'
            2. TAP-style networks
            3. Broadcast traffic might not always work
          5. See also
      9. 3. Client-server Ethernet-style Networks
        1. Introduction
        2. Simple configuration — non-bridged
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Differences between TUN and TAP
              2. Using the TCP protocol
              3. Making IP forwarding permanent
            3. See also
        3. Enabling client-to-client traffic
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Broadcast traffic may affect scalability
              2. Filtering traffic
              3. TUN-style networks
        4. Bridging — Linux
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Fixed addresses & the default gateway
              2. Name resolution
            3. See also
        5. Bridging — Windows
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. See also
        6. Checking broadcast and non-IP traffic
          1. Getting ready
          2. How to do it...
          3. How it works...
        7. External DHCP server
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. DHCP server configuration
              2. DHCP relay
              3. Tweaking the /etc/sysconfig/network-scripts
        8. Using the status file
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Difference with TUN-style networks
            2. Disconnecting clients
          5. See also
        9. Management interface
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Client side management interface
          5. See also
      10. 4. PKI, Certificates, and OpenSSL
        1. Introduction
        2. Certificate generation
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        3. xCA: a GUI for managing a PKI (Part 1)
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        4. xCA: a GUI for managing a PKI (Part 2)
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        5. OpenSSL tricks: x509, pkcs12, verify output
          1. Getting ready
          2. How to do it...
            1. How it works...
        6. Revoking certificates
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. What is needed to revoke a certificate
          5. See also
        7. The use of CRLs
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        8. Checking expired/revoked certificates
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
        9. Intermediary CAs
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
        10. Multiple CAs: stacking, using --capath
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Stacking CRLs
              2. Using the --capath directive
      11. 5. Two-factor Authentication with PKCS#11
        1. Introduction
        2. Initializing a hardware token
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Public and private objects
              2. OpenSC versus Aladdin PKI Client driver
        3. Getting a hardware token ID
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. What about automatic selection?
            2. PKCS#11 libraries
        4. Using a hardware token
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. What is different?
            2. Using the OpenSC driver
        5. Using the management interface to list PKCS#11 certificates
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
        6. Selecting a PKCS#11 certificate using the management interface
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
        7. Generating a key on the hardware token
          1. Getting ready
          2. How to do it...
            1. How it works...
        8. Private method for getting a PKCS#11 certificate
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
            3. See also
        9. Pin caching example
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
      12. 6. Scripting and Plugins
        1. Introduction
        2. Using a client-side up/down script
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Environment variables
            2. Calling the 'down' script before the connection terminates
            3. Advanced: verify the remote hostname
        3. Windows login greeter
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Spaces in filenames
            2. setenv or setenv-safe
            3. Security considerations
        4. Using client-connect/client-disconnect scripts
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. 'client-disconnect' scripts
            2. Environment variables
            3. Absolute paths
        5. Using a 'learn-address' script
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. User 'nobody'
            2. The 'update' action
        6. Using a 'tls-verify' script
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        7. Using an 'auth-user-pass-verify' script
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Specifying the username and password in a file on the client
            2. Passing the password via environment variables
        8. Script order
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
        9. Script security and logging
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        10. Using the 'down-root' plugin
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        11. Using the PAM authentication plugin
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
      13. 7. Troubleshooting OpenVPN: Configurations
        1. Introduction
        2. Cipher mismatches
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
        3. TUN versus TAP mismatches
          1. Getting ready
          2. How to do it...
            1. How it works...
        4. Compression mismatches
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        5. Key mismatches
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
        6. Troubleshooting MTU and tun-mtu issues
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        7. Troubleshooting network connectivity
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        8. Troubleshooting 'client-config-dir' issues
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. More verbose logging
            2. Other frequent client-config-dir mistakes
          5. See also
        9. How to read the OpenVPN log files
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      14. 8. Troubleshooting OpenVPN: Routing
        1. Introduction
        2. The missing return route
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Masquerading
              2. Adding routes on the LAN hosts
            3. See also
        3. Missing return routes when 'iroute' is used
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        4. All clients function except the OpenVPN endpoints
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
            3. See also
        5. Source routing
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Routing and permissions on Windows
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        7. Troubleshooting client-to-client traffic routing
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        8. Understanding the 'MULTI: bad source' warnings
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Other occurrences of the 'MULTI: bad source' message
            3. See also
        9. Failure when redirecting the default gateway
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
            3. See also
      15. 9. Performance Tuning
        1. Introduction
        2. Optimizing performance using 'ping'
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
            3. See also
        3. Optimizing performance using 'iperf'
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Client versus server 'iperf' results
              2. Network latency
              3. Gigabit networks
        4. OpenSSL cipher speed
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        5. Compression tests
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Pushing compression options
            2. Adaptive compression
        6. Traffic shaping
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        7. Tuning UDP-based connections
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        8. Tuning TCP-based connections
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        9. Analyzing performance using tcpdump
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
      16. 10. OS Integration
        1. Introduction
        2. Linux: using NetworkManager
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Setting up routes using NetworkManager
            2. DNS settings
            3. Scripting
        3. Linux: using 'pull-resolv-conf'
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        4. MacOS: using Tunnelblick
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Name resolution
            2. Scripting
        5. Windows Vista/7: elevated privileges
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        6. Windows: using the CryptoAPI store
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. The CA certificate file
            2. Certificate fingerprint
        7. Windows: updating the DNS cache
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
        8. Windows: running OpenVPN as a service
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Automatic service startup
            2. OpenVPN User name
          5. See also
        9. Windows: public versus private network adapters
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
        10. Windows: routing methods
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
      17. 11. Advanced Configuration
        1. Introduction
        2. Including configuration files in config files
          1. Getting ready
          2. How to do it...
          3. How it works...
        3. Multiple remotes and remote-random
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Mixing TCP and UDP-based setups
            2. Advantage of using TCP-based connections
            3. Automatically reverting to the first OpenVPN server
          5. See also
        4. Details of ifconfig-pool-persist
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Specifying the update interval
            2. Caveat: the duplicate-cn option
            3. When 'topology net30' is used
        5. Connecting using a SOCKS proxy
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Performance
            2. Note #1 on SOCKS proxies via SSH
            3. Note #2 on SOCKS proxies via SSH
            4. SOCKS proxies using plain-text authentication
          5. See also
        6. Connecting via an HTTP proxy
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. http-proxy options
            2. Ducking firewalls
            3. Performance
          5. See also
        7. Connecting via an HTTP proxy with authentication
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. NTLM proxy authorization
            2. New features in OpenVPN 2.2
          5. See also
        8. Using dyndns
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Failover
            2. NetworkManager and 'ddclient'
          5. See also
        9. IP-less setups (ifconfig-noexec)
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. Point-to-point and TUN-style networks
              2. Routing and firewalling
      18. 12. New Features of OpenVPN 2.1 and 2.2
        1. Introduction
        2. Inline certificates
          1. Getting ready
          2. How to do it...
          3. How it works...
        3. Connection blocks
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. Allowed directives inside connection blocks
            2. Pitfalls when mixing TCP and UDP-based setups
          5. See also
        4. Port sharing with an HTTPS server
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
        5. Routing features: redirect-private, allow-pull-fqdn
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
            1. The route-nopull directive
            2. The 'max-routes' directive
        6. Handing out the public IPs
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. There's more...
          5. See also
        7. OCSP support
          1. Getting ready
          2. How to do it...
          3. How it works...
          4. See also
        8. New for 2.2: the 'x509_user_name' parameter
          1. Getting ready
          2. How to do it...
            1. How it works...
            2. There's more...
              1. OpenVPN 2.1 behaviour