Virtual Private Network With Openvpn: Institut de Radioastronomie Millimétrique
Revision: 0
2005-02-03
Contact Author
Keywords: VPN
Owner Sebastien Blanchet ([email protected])
Change Record
REVISION  DATE  AUTHOR  SECTION/PAGE AFFECTED  REMARKS
Content
1 Introduction
1.1 IPSec
1.2 SSL and user-space VPNs
2 IPSec
3 OpenVPN
3.1 Tun and Tap interface
3.2 How it works
3.3 Installation
4 Generate your own keys and certificates
4.1 Generate your Certificate Authority
4.2 Generating a Certificate
5 Bibliography
1 Introduction
Fundamentally, a VPN is a set of tools which allow networks at different locations to be securely connected,
using a public network as the transport layer. VPNs use cryptography to provide protection against
eavesdropping and active attacks. VPNs are most commonly used today for telecommuting and for linking
branch offices via secure WANs. The VPN concept is a cheap and secure alternative to a dedicated network
to link branch offices.
1.1 IPSec
IPSec was the first major effort to develop a standard for secure networking. Unfortunately, traditional
IPSec implementations required a great deal of kernel code, complicating cross-platform porting efforts.
IPSec is also complex for new users.
IPSec's slow progress and complexity caused many to turn to other solutions.
1.2 SSL and user-space VPNs
SSL (Secure Sockets Layer) runs in user space, simplifying implementation and administration. Contrary to
IPSec, SSL matured quickly due to its heavy usage on the web.
The so-called SSL VPN is really just a web application that tries to give users the services they need
without a full VPN implementation.
2 IPSec
Openswan is an implementation of IPSec for Linux. Unfortunately it is difficult to configure, and in the end it
never worked. But I have learned many interesting things about digital certificates.
3 OpenVPN
By browsing the web to solve my IPSec problem, I discovered the SSL VPN. I chose OpenVPN because
it seemed easy to configure and because OpenVPN runs on many operating systems: Linux, Windows 2000/XP
and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.
3.1 Tun and Tap interface
A tun interface is a virtual network adapter that looks like point-to-point network hardware to the OS, but
instead of pushing bits out a wire, the tun driver pushes them to user space. A user space program can
open the tun device just like a file and read and write IP packets from and to it.
A tap interface is also a virtual network adapter, but it emulates Ethernet rather than a point-to-point link.
3.2 How it works
IP packets from tun or tap virtual network adapters are encrypted and encapsulated onto a UDP connection,
and sent to a remote host over the internet. The remote host decrypts, authenticates and de-encapsulates the
IP packets, pumping them into a tun or tap virtual adapter at the other end.
The VPN is invisible to applications tunneling over it. One can apply routes or firewall rules to tun or tap
interfaces in the same way that you can apply them to Ethernet interfaces.
3.3 Installation
Build OpenVPN:
# tar xvfz openvpn-2.0_rc6.tar.gz
# cd openvpn-2.0_rc6
# ./configure
# make
# make install
The command lines are valid for both Linux and Windows.
On pctcp72:
# openvpn --remote pctcp48.iram.fr --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
On pctcp48:
# openvpn --remote pctcp72.iram.fr --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
On pctcp72:
# openvpn --remote pctcp48.iram.fr --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
On pctcp48.iram.fr:
# openvpn --remote pctcp72.iram.fr --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
On pctcp72.iram.fr:
# openvpn --remote pctcp48.iram.fr --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
Note: on Windows, you can run OpenVPN as a service by creating configuration files in the configuration
directory. See the OpenVPN documentation for additional details.
4 Generate your own keys and certificates
4.1 Generate your Certificate Authority
Edit /usr/share/ssl/misc/CA.
A pass phrase, i.e. a password to protect your CA, is required. This password will be required every
time you want to sign a digital certificate.
# cd /var/sslca/
[root@pctcp48 sslca]# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)
[root@pctcp48 sslca]#
Let's also generate a CRL file, which you'll need on your gateway boxes:
You'll need to update this CRL file any time you revoke a certificate.
That's it, you now have your own certificate authority that you can use to generate certificates.
4.2 Generating a Certificate
You will need to generate a certificate for every machine that will be making a secure connection. Another
pass phrase is required, to protect use of the certificate.
What we just did is generate a Certificate Request - this is the same type of request that you would send to
Thawte or Verisign to get a generally-accepted SSL certificate. For our uses, however, we'll sign it with our
own CA:
Signed certificate is in newcert.pem
Next, move the output files to names that make a bit more sense for future reference.
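The CA, certificate and CRL steps of this section, producing the files that the --tls-server / --tls-client command lines in section 3.3 point at (--ca, --cert, --key), as an added example that is not part of the original note: it uses plain openssl commands instead of the /usr/share/ssl/misc/CA helper script, and the file names (ca.crt, server.crt, client.key, crl.pem), subject fields and key sizes are chosen here. It also checks each signed certificate against the CA and the CRL, which is the check a gateway performs on a connecting peer.

```shell
# make_test_pki DIR: build a private CA, sign one server and one client
# certificate with it, and emit an (initially empty) CRL, all with plain
# openssl commands. File names (ca.crt, server.crt, ...) and the subject
# fields are chosen for this example, not taken from the note.
make_test_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  dir=$(pwd)
  subj='/C=FR/O=IRAM/OU=Computer Group'   # example subject prefix

  # 1. CA key and self-signed CA certificate (the role of CA -newca)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$subj/CN=example-ca" -keyout ca.key -out ca.crt 2>/dev/null

  # 2. Per peer: key + certificate request, then sign the request with
  #    our own CA instead of sending it to a public one
  for peer in server client; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "$subj/CN=$peer" -keyout "$peer.key" -out "$peer.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$peer.csr" -CA ca.crt \
      -CAkey ca.key -CAcreateserial -out "$peer.crt" 2>/dev/null
  done

  # 3. CRL. 'openssl ca' needs a database of issued/revoked certificates,
  #    so give it a minimal config; regenerate the CRL after every revocation.
  {
    printf '[ ca ]\ndefault_ca = local\n[ local ]\n'
    printf 'database = %s/index.txt\ncrlnumber = %s/crlnumber\n' "$dir" "$dir"
    printf 'default_md = sha256\ndefault_crl_days = 30\n'
  } > ca.cnf
  : > index.txt
  echo 01 > crlnumber
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt \
    -out crl.pem 2>/dev/null

  # Private keys: readable by their owner only, as on the OpenVPN gateway
  chmod 600 ca.key server.key client.key
  # DH parameters for the --tls-server side (slow, so left as a comment):
  #   openssl dhparam -out dh2048.pem 2048
)

# verify_peer_cert DIR PEER: chain check of a peer certificate against our
# CA, here also against the CRL, as a gateway does when a peer connects.
verify_peer_cert() {
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
    "$1/$2.crt" >/dev/null 2>&1
}
```

Run as `make_test_pki /var/sslca/test && verify_peer_cert /var/sslca/test client`; a certificate signed by any other CA, or one listed in crl.pem, makes verify_peer_cert return non-zero.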
5 Bibliography